Site-to-Site *** Configuration Example (Pre-shared Key)

1. The complete configurations are as follows:

R1#show running-config
*Dec 11 21:49:22.595: %SYS-5-CONFIG_I: Configured from console by console
Building configuration...

Current configuration : 1243 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!
!
crypto isakmp policy 110
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 99.1.1.2
!
!
crypto ipsec transform-set *** ah-md5-hmac esp-des esp-sha-hmac
!
crypto map site*** 10 ipsec-isakmp
 set peer 99.1.1.2
 set transform-set ***
 match address 110
!
!
!
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 99.1.1.1 255.255.255.252
 duplex half
!
interface Ethernet1/0
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/1
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/2
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/3
 no ip address
 shutdown
 duplex half
!
ip classless
ip route 0.0.0.0 0.0.0.0 99.1.1.2
!
no ip http server
no ip http secure-server
!
!
access-list 110 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 stopbits 1
line aux 0
line vty 0 4
!
!
end

 

R2#show running-config
Building configuration...

Current configuration : 1263 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!
!
!
crypto isakmp policy 110
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 99.1.1.1
!
!
crypto ipsec transform-set *** ah-md5-hmac esp-des esp-sha-hmac
!
crypto map site*** 10 ipsec-isakmp
 set peer 99.1.1.1
 set transform-set ***
 match address 110
!
!
!
!
interface Loopback0
 ip address 172.16.2.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 99.1.1.2 255.255.255.252
 duplex half
 crypto map site***
!
interface Ethernet1/0
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/1
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/2
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/3
 no ip address
 shutdown
 duplex half
!
ip classless
ip route 0.0.0.0 0.0.0.0 99.1.1.1
!
no ip http server
no ip http secure-server
!
!
access-list 110 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 stopbits 1
line aux 0
line vty 0 4
!
!
end

 

2. Verifying the configuration

 

R2#debug crypto ipsec
Crypto IPSEC debugging is on

R2#ping 172.16.1.1 source 172.16.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.2.1

*Dec 11 21:52:54.995: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 99.1.1.2, remote= 99.1.1.1,
    local_proxy= 172.16.2.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
    protocol= AH, transform= ah-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0xC34D28FA(3276613882), conn_id= 0, keysize= 0, flags= 0x400A
*Dec 11 21:52:54.999: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 99.1.1.2, remote= 99.1.1.1,
    local_proxy= 172.16.2.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x397AFB16(964360982), conn_id= 0, keysize= 0, flags= 0x400A
*Dec 11 21:52:56.339: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 99.1.1.2, remote= 99.1.1.1,
    local_proxy= 172.16.2.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
    protocol= AH, transform= ah-md5-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
*Dec 11 21:52:56.347: IPSEC(validate_proposal_request): proposal part #2,
  (key eng. msg.) INBOUND local= 99.1.1.2, remote= 99.1.1.1,
    local_proxy= 172.16.2.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-sha-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
*Dec 11 21:52:56.351: Crypto mapdb : proxy_match
        src addr     : 172.16.2.0
        dst addr     : 172.16.1.0
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 11 21:52:56.367: IPSEC(key_engine): got a queue event with 4 kei messages
*Dec 11 21:52:56.367: IPSEC(initialize_sas): ,
  (key eng. msg.) INBOUND local= 99.1.1.2, remote= 99.1.1.1,
    local_proxy= 172.16.2.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
    protocol= AH, transform= ah-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0xC34D28FA(3276613882), conn_id= 0, keysize= 0, flags= 0x2
*Dec 11 21:52:56.371: IPSEC(initialize_sas): ,
  (key eng. msg.) OUTBOUND local= 99.1.1.2, remote= 99.1.1.1,
    local_proxy= 172.16.2.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
    protocol= AH, transform= .!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 32/68/112 ms
R2#ah-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x303B33D8(809186264), conn_id= 0, keysize= 0, flags= 0xA
*Dec 11 21:52:56.375: IPSEC(initialize_sas): ,
  (key eng. msg.) INBOUND local= 99.1.1.2, remote= 99.1.1.1,
    local_proxy= 172.16.2.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x397AFB16(964360982), conn_id= 0, keysize= 0, flags= 0x2
*Dec 11 21:52:56.379: IPSEC(initialize_sas): ,
  (key eng. msg.) OUTBOUND local= 99.1.1.2, remote= 99.1.1.1,
    local_proxy= 172.16.2.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x6D84A16(114838038), conn_id= 0, keysize= 0, flags= 0xA
*Dec 11 21:52:56.383: Crypto mapdb : proxy_match
        src addr     : 172.16.2.0
        dst addr     : 172.16.1.0
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 11 21:52:56.387: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and 99.1.1.1
*Dec 11 21:52:56.391: IPSec: Flow_switching Allocated flow for sibling 80000002
*Dec 11 21:52:56.391: IPSEC(policy_db_add_ident): src 172.16.2.0, dest 172.16.1.0, dest_port 0

*Dec 11 21:52:56.395: IPSEC(create_sa): sa created,
  (sa) sa_dest= 99.1.1.2, sa_proto= 51,
    sa_spi= 0xC34D28FA(3276613882),
    sa_trans= ah-md5-hmac , sa_conn_id= 2001
*Dec 11 21:52:56.395: IPSEC(create_sa): sa created,
  (sa) sa_dest= 99.1.1.1, sa_proto= 51,
    sa_spi= 0x303B33D8(809186264),
    sa_trans= ah-md5-hmac , sa_conn_id= 2002
*Dec 11 21:52:56.399: IPSEC(create_sa): sa created,
  (sa) sa_dest= 99.1.1.2, sa_proto= 50,
    sa_spi= 0x397AFB16(964360982),
    sa_trans= esp-des esp-sha-hmac , sa_conn_id= 2001
*Dec 11 21:52:56.403: IPSEC(create_sa): sa created,
  (sa) sa_dest= 99.1.1.1, sa_proto= 50,
    sa_spi= 0x6D84A16(114838038),
    sa_trans= esp-des esp-sha-hmac , sa_conn_id= 2002

R2#ping 172.16.1.1 source 172.16.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/36/108 ms


R2#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: site***, local addr 99.1.1.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   current_peer 99.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 99.1.1.2, remote crypto endpt.: 99.1.1.1
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x6D84A16(114838038)

     inbound esp sas:
      spi: 0x397AFB16(964360982)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: site***
        sa timing: remaining key lifetime (k/sec): (4497696/3536)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:
      spi: 0xC34D28FA(3276613882)
        transform: ah-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: site***
        sa timing: remaining key lifetime (k/sec): (4497696/3535)
        replay detection support: Y
        Status: ACTIVE

     inbound pcp sas:

     outbound esp sas:
      spi: 0x6D84A16(114838038)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: site***
        sa timing: remaining key lifetime (k/sec): (4497696/3535)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:
      spi: 0x303B33D8(809186264)
        transform: ah-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: site***
        sa timing: remaining key lifetime (k/sec): (4497696/3535)
        replay detection support: Y
        Status: ACTIVE

     outbound pcp sas:

R2#sh crypto isakmp sa
dst             src             state          conn-id slot status
99.1.1.1        99.1.1.2        QM_IDLE              1    0 ACTIVE
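Reading the capture above: the first ping scores 4/5 because the first echo is dropped while IKE is still negotiating the SAs (the `#send errors 1` counter in `show crypto ipsec sa` most likely records that packet), and the second ping is 5/5 once the four SAs exist. The four `IPSEC(create_sa)` blocks in the debug output and the four SA entries in `show crypto ipsec sa` describe the same state from two angles: `sa_proto= 50` is ESP and `51` is AH, and an SA whose `sa_dest` is the local address (99.1.1.2) carries inbound traffic, so 0x397AFB16 and 0xC34D28FA must appear under the inbound sections and 0x6D84A16 and 0x303B33D8 under the outbound ones. The following Python script is an added example, not from the original post; it parses constructed subsets of the three outputs above and cross-checks them, returning an empty list only when every SA in the show output was created with the expected protocol and direction, is ACTIVE, traffic has been protected in both directions, and the ISAKMP SA is `QM_IDLE`/`ACTIVE`.

```python
import re

LOCAL_ADDR = "99.1.1.2"  # R2's crypto endpoint, as shown in the captures above
ESP, AH = 50, 51         # IP protocol numbers that the debug output prints as sa_proto=

# Constructed subset of the "debug crypto ipsec" output captured on R2 above.
DEBUG_LOG = """\
*Dec 11 21:52:56.395: IPSEC(create_sa): sa created,
  (sa) sa_dest= 99.1.1.2, sa_proto= 51,
    sa_spi= 0xC34D28FA(3276613882),
*Dec 11 21:52:56.395: IPSEC(create_sa): sa created,
  (sa) sa_dest= 99.1.1.1, sa_proto= 51,
    sa_spi= 0x303B33D8(809186264),
*Dec 11 21:52:56.399: IPSEC(create_sa): sa created,
  (sa) sa_dest= 99.1.1.2, sa_proto= 50,
    sa_spi= 0x397AFB16(964360982),
*Dec 11 21:52:56.403: IPSEC(create_sa): sa created,
  (sa) sa_dest= 99.1.1.1, sa_proto= 50,
    sa_spi= 0x6D84A16(114838038),
"""
# Constructed subset of R2's "show crypto ipsec sa" output above (per-SA blocks trimmed).
IPSEC_SA = """\
interface: FastEthernet0/0
    Crypto map tag: site***, local addr 99.1.1.2
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #send errors 1, #recv errors 0
     inbound esp sas:
      spi: 0x397AFB16(964360982)
        Status: ACTIVE
     inbound ah sas:
      spi: 0xC34D28FA(3276613882)
        Status: ACTIVE
     inbound pcp sas:
     outbound esp sas:
      spi: 0x6D84A16(114838038)
        Status: ACTIVE
     outbound ah sas:
      spi: 0x303B33D8(809186264)
        Status: ACTIVE
"""
# Constructed copy of R2's "show crypto isakmp sa" output above.
ISAKMP_SA = """\
dst             src             state          conn-id slot status
99.1.1.1        99.1.1.2        QM_IDLE              1    0 ACTIVE
"""

def parse_create_sa(log):
    """Map SPI -> (sa_proto, sa_dest) from the IPSEC(create_sa) blocks of the debug output."""
    pattern = r"sa_dest= (\S+), sa_proto= (\d+),\s*sa_spi= (0x[0-9A-Fa-f]+)"
    return {int(spi, 16): (int(proto), dest) for dest, proto, spi in re.findall(pattern, log)}

def parse_ipsec_sa(show):
    """List the per-direction SAs and the packet counters from 'show crypto ipsec sa'."""
    sas, counters, section = [], {}, None
    for line in show.splitlines():
        t = line.strip()
        m = re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", t)
        if m:
            section = (m.group(1), m.group(2))
        elif t.startswith("spi:") and section:
            sas.append({"dir": section[0], "proto": section[1],
                        "spi": int(t.split()[1].split("(")[0], 16)})
        elif t.startswith("Status:") and sas:
            sas[-1]["status"] = t.split()[1]
        for name, value in re.findall(r"#(pkts \w+|send errors|recv errors):? (\d+)", t):
            counters[name] = int(value)
    return sas, counters

def check_tunnel(debug_log, show_ipsec, show_isakmp, local_addr=LOCAL_ADDR):
    """Cross-check the three captures; an empty result means the tunnel looks healthy."""
    problems, created = [], parse_create_sa(debug_log)
    sas, counters = parse_ipsec_sa(show_ipsec)
    if len(sas) != 4:  # the page's transform-set uses AH and ESP, so two SAs per direction
        problems.append(f"expected 4 SAs (esp/ah x inbound/outbound), found {len(sas)}")
    for sa in sas:
        label = f"{sa['dir']} {sa['proto']} spi {sa['spi']:#x}"
        if sa.get("status") != "ACTIVE":
            problems.append(f"{label} is {sa.get('status')}")
        if sa["spi"] not in created:
            problems.append(f"{label} never appeared in IPSEC(create_sa)")
            continue
        proto, dest = created[sa["spi"]]
        # An SA whose destination is our own address carries inbound traffic.
        expected = (ESP if sa["proto"] == "esp" else AH, "inbound" if dest == local_addr else "outbound")
        if expected != (proto, sa["dir"]):
            problems.append(f"{label}: debug says proto {proto} to {dest}")
    if not (counters.get("pkts encrypt") and counters.get("pkts decrypt")):
        problems.append("no traffic has been protected in both directions yet")
    if not re.search(r"\bQM_IDLE\b.*\bACTIVE\b", show_isakmp):
        problems.append("no ACTIVE QM_IDLE ISAKMP SA (phase 1 is not complete)")
    return problems
```

`check_tunnel(DEBUG_LOG, IPSEC_SA, ISAKMP_SA)` returns an empty list for the captures on this page; feeding it a stale `show crypto ipsec sa` whose SPIs no longer match the debug output, or an ISAKMP SA stuck in a phase-1 state such as `MM_NO_STATE`, produces a finding instead, which is the kind of check worth scripting when the same tunnel has to be verified after every change.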

 