Configuring dynamic IPsec encryption on Cisco routers
Lab environment:
Company A's headquarters router A must communicate with branch-office router B over a VPN, using a Layer 3 IPsec VPN. Because the branch uses a D-Link VPN device that has no fixed public IP, headquarters decided to deploy dynamic IPsec (a dynamic crypto map on the hub). Topology: 1.1.1.0/24 simulates the headquarters internal network and 2.2.2.0/24 simulates the branch internal network. The public side, as built from the configurations below, is R1 (headquarters) Serial0/0 218.16.1.1 -- 218.16.1.2 Serial0/0 [Internet router] Serial0/1 222.16.1.2 -- 222.16.1.1 Serial0/1 R3 (branch).
1. Headquarters configuration:
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
//Loopback simulates the headquarters LAN (the communication point)
interface Serial0/0
 ip address 218.16.1.1 255.255.255.0
 no shut
 crypto map ccnp
//Apply the crypto map on the public interface (the encryption point)
ip route 0.0.0.0 0.0.0.0 218.16.1.2
//The encryption points must be able to reach each other across the Internet
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
//IKE phase 1 policy. 3DES, MD5 and DH group 2 are the lab's original choices and are legacy on current IOS; prefer aes 256, sha256 and group 14 or higher (or IKEv2) when the branch device supports them
crypto isakmp key 6 ciscoh3c address 0.0.0.0 0.0.0.0
//Headquarters has a fixed IP, but the branch device has none, so the key is bound to the wildcard peer 0.0.0.0 0.0.0.0; the key must match on both ends. A wildcard PSK lets any host that learns the key start a negotiation with headquarters, so use a long random key. The 6 keyword marks a type-6 (AES-encrypted) keystring, which is how a running config displays the key once password encryption aes is enabled; when typing the key by hand use 0 for a plaintext key
crypto ipsec transform-set ccna esp-3des esp-md5-hmac
 mode tunnel
//IPsec (phase 2) transform set; tunnel mode is the default
crypto dynamic-map ccnp 10
 set transform-set ccna
//Dynamic crypto map: the transform set is the only required entry. Headquarters sets neither interesting traffic nor a peer and accepts what the branch proposes, so the tests later must be started from the branch or they fail. Without a match address ACL here, headquarters accepts whatever proxy identities the branch proposes, so add one in production
crypto map ccnp 10 ipsec-isakmp dynamic ccnp
//Reference the dynamic map from the static crypto map that is applied on Serial0/0
2. Internet router configuration:
int s0/0
 ip add 218.16.1.2 255.255.255.0
 no shut
int s0/1
 ip add 222.16.1.2 255.255.255.0
 no shut
//Simulates the ISP; both serial links are directly connected, so no routes are needed
3. Branch configuration:
int loopback 0
 ip add 2.2.2.2 255.255.255.0
//Loopback simulates the branch LAN
int s0/1
 ip add 222.16.1.1 255.255.255.0
 no shut
 crypto map ccnp
ip route 0.0.0.0 0.0.0.0 222.16.1.2
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
//Must match the headquarters phase 1 policy
crypto isakmp key 6 ciscoh3c address 218.16.1.1
//The branch must bind the key to the headquarters address; it cannot use the all-zero wildcard the way headquarters does, otherwise the two ends cannot negotiate
crypto ipsec transform-set ccna esp-3des esp-md5-hmac
 mode tunnel
crypto map ccnp 10 ipsec-isakmp
//Ordinary static IPsec configuration: the branch knows the headquarters address
 set peer 218.16.1.1
 set transform-set ccna
 match address 101
access-list 101 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
//The branch must define the interesting traffic (branch LAN to headquarters LAN); headquarters learns the mirrored proxy identities from this ACL during negotiation
4. Tests:
(1) Headquarters pings the branch:
R1#ping 2.2.2.2 source 1.1.1.1 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
....................................................................................................
Success rate is 0 percent (0/100)
//Fails: headquarters has neither a peer address nor an interesting-traffic ACL for the branch, so it cannot initiate the negotiation
(2) The branch pings headquarters:
R3#ping 1.1.1.1 source 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
.!!!!
//Succeeds: the branch initiates IKE, the hub's dynamic map accepts its proposal and the policy is negotiated. The first echo is lost while the ISAKMP and IPsec SAs are being built; the remaining four travel through the tunnel
(3) Headquarters pings the branch again:
R1#ping 2.2.2.2 source 1.1.1.1 repeat 50
Type escape sequence to abort.
Sending 50, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
//Succeeds now: the SAs negotiated by the branch already exist, so headquarters simply uses them
(4) Show the ISAKMP (phase 1) SA:
R1#show crypto isakmp sa
dst             src             state          conn-id slot status
218.16.1.1      222.16.1.1      QM_IDLE              1    0 ACTIVE
//QM_IDLE with status ACTIVE means phase 1 completed with the branch (222.16.1.1) and the SA is available for quick mode
(5) Show the IPsec (phase 2) SAs:
R1#show crypto ipsec sa
interface: Serial0/0
Crypto map tag: ccnp, local addr 218.16.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
current_peer 222.16.1.1 port 500
PERMIT, flags={}
#pkts encaps: 139, #pkts encrypt: 139, #pkts digest: 139
#pkts decaps: 139, #pkts decrypt: 139, #pkts verify: 139
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 218.16.1.1, remote crypto endpt.: 222.16.1.1
path mtu 1500, ip mtu 1500
current outbound spi: 0x94AE7A86(2494462598)
inbound esp sas:
spi: 0xB64162(11944290)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: 1, crypto map: ccnp
sa timing: remaining key lifetime (k/sec): (4563637/3497)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x94AE7A86(2494462598)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: 2, crypto map: ccnp
sa timing: remaining key lifetime (k/sec): (4563637/3490)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
//Both directions count 139 packets with no errors. The local/remote ident lines are the proxy identities headquarters learned (mirrored) from the branch's access-list 101, even though headquarters never configured them
(6) Show the per-connection encrypt/decrypt counters:
R1# show crypto engine connections active
  ID Interface   IP-Address   State Algorithm           Encrypt Decrypt
   1 Serial0/0   218.16.1.1   set   HMAC_MD5+3DES_56_C        0       0
2001 Serial0/0   218.16.1.1   set   3DES+MD5                  0     139
2002 Serial0/0   218.16.1.1   set   3DES+MD5                139       0
//Connection 1 is the ISAKMP SA; 2001 is the inbound IPsec SA (decrypt only) and 2002 the outbound one (encrypt only), matching the conn ids in the previous output
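To turn the checks in steps (4) and (5) into something repeatable, here is an added Python example (not from the original post) that parses the two show outputs, transcribed from the post's R1 test results and embedded as strings, and reports whether the tunnel is up and carrying traffic in both directions. Function names such as tunnel_health are my own; in practice you would pass in the text captured from R1 over SSH rather than the embedded samples.

```python
"""Decide from `show crypto isakmp sa` and `show crypto ipsec sa` whether a
dynamic IPsec tunnel is up and carrying traffic both ways. Added example, not
from the original post; the samples are transcribed from the post's R1 output.
"""
import re

ISAKMP_SA = """\
dst             src             state          conn-id slot status
218.16.1.1      222.16.1.1      QM_IDLE              1    0 ACTIVE
"""

IPSEC_SA = """\
interface: Serial0/0
    Crypto map tag: ccnp, local addr 218.16.1.1
   local  ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
   current_peer 222.16.1.1 port 500
    #pkts encaps: 139, #pkts encrypt: 139, #pkts digest: 139
    #pkts decaps: 139, #pkts decrypt: 139, #pkts verify: 139
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0xB64162(11944290)
        transform: esp-3des esp-md5-hmac ,
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x94AE7A86(2494462598)
        transform: esp-3des esp-md5-hmac ,
        Status: ACTIVE
"""

# Transforms that get a warning even when the tunnel works.
LEGACY = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac", "esp-null"}


def _field(pattern, text, conv=str):
    """First capture group of pattern in text, converted, or None if absent."""
    m = re.search(pattern, text)
    return conv(m.group(1)) if m else None


def parse_isakmp_sa(text):
    """One dict per IKE SA row of the table; the header row is skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0] != "dst":
            rows.append({"dst": f[0], "src": f[1], "state": f[2], "status": f[-1]})
    return rows


def parse_ipsec_sa(text):
    """Proxy identities, peer, counters and the per-direction ESP SA details."""
    sa = {
        "local_ident": _field(r"local\s+ident \(addr/mask/prot/port\): \(([^)]*)\)", text),
        "remote_ident": _field(r"remote\s+ident \(addr/mask/prot/port\): \(([^)]*)\)", text),
        "peer": _field(r"current_peer (\S+)", text),
        "encaps": _field(r"#pkts encaps: (\d+)", text, int),
        "decaps": _field(r"#pkts decaps: (\d+)", text, int),
        "send_errors": _field(r"#send errors (\d+)", text, int),
        "recv_errors": _field(r"#recv errors (\d+)", text, int),
    }
    for d in ("inbound", "outbound"):
        # An ESP section runs from "<dir> esp sas:" to the next "<dir> <proto> sas:" line.
        m = re.search(r"%s esp sas:(.*?)(?=\n\s*(?:inbound|outbound) \w+ sas:|\Z)" % d, text, re.S)
        sec = m.group(1) if m else ""
        sa[d] = {
            "spi": _field(r"spi: (0x[0-9A-Fa-f]+)", sec),
            "transform": _field(r"transform: (.*?) ,", sec),
            "status": _field(r"Status: (\w+)", sec),
        }
    return sa


def tunnel_health(isakmp_text, ipsec_text):
    """up: phase 1 QM_IDLE/ACTIVE, both ESP SAs ACTIVE, packets both ways, no errors."""
    problems, warnings = [], []
    if not any(r["state"] == "QM_IDLE" and r["status"] == "ACTIVE"
               for r in parse_isakmp_sa(isakmp_text)):
        problems.append("no established ISAKMP SA (expected QM_IDLE/ACTIVE)")
    sa = parse_ipsec_sa(ipsec_text)
    for d in ("inbound", "outbound"):
        if sa[d]["status"] != "ACTIVE":
            problems.append("%s ESP SA is not ACTIVE" % d)
        legacy = LEGACY & set((sa[d]["transform"] or "").split())
        if legacy:  # the tunnel works, but the algorithms should be replaced
            warnings.append("%s SA uses legacy transform(s): %s" % (d, ", ".join(sorted(legacy))))
    if not sa["encaps"] or not sa["decaps"]:
        problems.append("traffic not flowing both ways (encaps=%s, decaps=%s)"
                        % (sa["encaps"], sa["decaps"]))
    if sa["send_errors"] or sa["recv_errors"]:
        problems.append("send/recv errors counted")
    return {"up": not problems, "problems": problems, "warnings": warnings, "sa": sa}


if __name__ == "__main__":
    result = tunnel_health(ISAKMP_SA, IPSEC_SA)
    print("tunnel up:", result["up"], "peer:", result["sa"]["peer"])
    for w in result["warnings"]:
        print("warning:", w)
```

A tunnel that only shows encaps or only decaps is counted as down on purpose: in the dynamic-map setup above that is exactly what a hub that has lost the spoke looks like, since headquarters cannot rebuild the SAs on its own and must wait for the branch to initiate again.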
Reposted from: https://blog.51cto.com/zxa09/1184817