加密点不等于通讯点为Tunnel Mode
IKEv1 配置实例
×××触发的过程:
1.包进入×××设备,检查远端通讯点的路由,路由引导流量出适当的接口
2.包在出接口过程中撞击上MAP
3.流量匹配上MAP的ACL(感兴趣流),触发加密
4.发起和PEER的IKE协商,×××设备检查去忘PEER(远端加密点)的路由
1.设备配置基础配置
BR1#show ip int b
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 172.16.1.2 YES manual up up
Loopback0 192.168.1.1 YES manual up up
静态路由:ip route 192.168.2.0 255.255.255.0 172.16.1.1
------------------------------------------------
Branch#show ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 162.106.1.1 YES manual up up
FastEthernet1/0 172.16.1.1 YES manual up up
静态路由
ip route 192.168.1.0 255.255.255.0 172.16.1.2
ip route 192.168.2.0 255.255.255.0 162.106.1.254
ip route 202.100.1.0 255.255.255.0 162.106.1.254
-------------------------------------------------
Internet#show ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 162.106.1.254 YES manual up up
FastEthernet1/0 202.100.1.254 YES manual up up
------------------------------------------------------
ciscoasa(config)# show int ip br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 10.1.1.10 YES manual up up
GigabitEthernet0/1 202.100.1.10 YES manual up up
route outside 0.0.0.0 0.0.0.0 202.100.1.254 1
route inside 192.168.2.0 255.255.255.0 10.1.1.1 1
route inside 0.0.0.0 0.0.0.0 10.1.1.1 tunneled
------------------------------------------------------
Inside#show ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.1.1.1 YES manual up up
Loopback0 192.168.2.1 YES manual up
静态路由:ip route 192.168.1.0 255.255.255.0 10.1.1.10
-----------------------------------------------------------------------
2.激活ISAKMP
IOS:crypto isakmp enable
ASA:crypto ikev1 enable outside
3.配置ISAKMP策略:
crypto isakmp policy 10
encryption 3des
hash md5
authentication Pre-Share
group 2
-----------------------------------------
ciscoasa(config)# crypto ikev1 policy 10
ciscoasa(config-ikev1-policy)# encryption 3des
ciscoasa(config-ikev1-policy)# hash md5
ciscoasa(config-ikev1-policy)# authentication pre-share
ciscoasa(config-ikev1-policy)# group 2
4.配置ISAKMP预共享密码
crypto isakmp key ***key address 202.100.1.10
-----------------
ciscoasa(config)# tunnel-group 162.106.1.1 type ipsec-l2l
ciscoasa(config)# tunnel-group 162.106.1.1 ipsec-attributes
ciscoasa(config-tunnel-ipsec)# ikev1 pre-shared-key ***key
5.配置感兴趣流
ip access-list extended ***
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
--------------
access-list *** extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
6.配置IPSec策略(转换集)
crypto ipsec transform-set trans*** esp-des esp-md5-hmac
----------------------------------------------
crypto ipsec ikev1 transform-set tran*** esp-des esp-md5-hmac
7.配置crypto map(第二阶段)
crypto map cry-map 10 ipsec-isakmp
set peer 202.100.1.10
set transform-set trans***
match address ***
--------------------------------------------
ciscoasa(config)# crypto map cry-map 10 match address ***
ciscoasa(config)# crypto map cry-map 10 set peer 162.106.1.1
ciscoasa(config)# crypto map cry-map 10 set ikev1 transform-set trans***
8.调用crypto map
interface FastEthernet0/0
ip address 162.106.1.1 255.255.255.0
crypto map cry-map
-----------------------------------------------------
ciscoasa(config)# crypto map cry-map interface outside
9.ping测试
BR1#ping 192.168.2.1 so 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/43/60 ms
10.查看IKE SA
Branch#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
202.100.1.10 162.106.1.1 QM_IDLE 1001 ACTIVE
10.查看IPSec SA
show crypto ipsec sa
11.
Branch#show crypto engine connections active
Crypto Engine Connections
ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address
1 IPsec DES+MD5 0 110 110 162.106.1.1
2 IPsec DES+MD5 114 0 0 162.106.1.1
1001 IKE MD5+3DES 0 0 0 162.106.1.1转载于:https://blog.51cto.com/adamcrab/1950627
774
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
