1. Overview:
Cisco IOS 15.2 supports IKEv2 IPsec VPNs. Security is improved over IKEv1, the phase 1 authentication can be done in several ways, and the local and remote sides may use different authentication methods. In this test both ends use pre-shared keys for both local and remote authentication.
2. Basic approach:
A. One VPN peer is configured with a Static VTI and the other with a Dynamic VTI.
B. During testing it was found that tunnel mode ipsec ipv4 must not be entered on the VTI interface; if it is, the networks behind the IKEv2 VPN encryption points can no longer communicate (the packets are not encrypted and sent out by the encryption point).
C. Also, if OSPF is used as the dynamic routing protocol, for an unknown reason the Static VTI side cannot learn the peer's advertised internal routes via OSPF; with EIGRP both sides learn each other's internal routes.
3. Test topology:
4. Basic configuration:
A. R1:
interface FastEthernet0/0
ip address 172.16.1.2 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 172.16.1.1
B. R2:
interface FastEthernet0/0
ip address 172.16.1.1 255.255.255.0
no shut
interface FastEthernet0/1
ip address 202.100.1.1 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 202.100.1.10
C. R3:
interface FastEthernet0/0
ip address 202.100.1.10 255.255.255.0
no shut
interface FastEthernet0/1
ip address 202.100.2.10 255.255.255.0
no shut
D. R4:
interface Loopback0
ip address 4.4.4.4 255.255.255.240
interface Loopback1
ip address 10.1.1.4 255.255.255.0
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
no shut
interface FastEthernet0/1
ip address 202.100.2.1 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 202.100.2.10
E. R5:
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 192.168.1.1
5. Router PAT configuration:
A. R2:
interface FastEthernet0/0
ip nat inside
interface FastEthernet0/1
ip nat outside
ip access-list extended PAT
deny ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 172.16.1.0 0.0.0.255 any
ip nat inside source list PAT interface FastEthernet0/1 overload
B. R4:
interface FastEthernet0/0
ip nat inside
interface FastEthernet0/1
ip nat outside
ip access-list extended PAT
deny ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list PAT interface FastEthernet0/1 overload
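The two deny lines above are what keep the site-to-site traffic out of PAT: IOS evaluates a NAT access list top-down and stops at the first match, so a permit-any placed before the deny would translate the 172.16.1.0/24 to 192.168.1.0/24 flows and they would never match the IPsec selectors. The following Python script is an added example (it is not part of the original post and is not Cisco code) that parses R2's PAT access list, emulates the first-match evaluation, and shows the difference between the correct order and the reversed one. The Internet destination 203.0.113.5 is a constructed sample address; port matching is deliberately not modelled.

```python
import ipaddress

# Constructed copy of the PAT access list configured on R2 earlier in this post.
R2_PAT_ACL_TEXT = """\
ip access-list extended PAT
 deny ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 172.16.1.0 0.0.0.255 any
"""


def wildcard_to_network(address, wildcard):
    """Turn an IOS 'address wildcard' pair into an ip_network.

    172.16.1.0 0.0.0.255 -> 172.16.1.0/24. Only contiguous wildcards are
    handled, which is all this example needs.
    """
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported here")
    return ipaddress.ip_network(f"{address}/{32 - w.bit_length()}", strict=False)


def _take_address(tokens):
    """Consume one source/destination specifier: any | host X | addr wildcard."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Return the ACL as an ordered list of (action, src_net, dst_net) entries."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] not in ("permit", "deny"):
            continue  # skip the 'ip access-list' header and blank lines
        action = tokens[0]
        rest = tokens[2:]  # tokens[1] is the protocol ('ip'); ports are not modelled
        src, rest = _take_address(rest)
        dst, rest = _take_address(rest)
        entries.append((action, src, dst))
    return entries


def nat_applies(acl, src_ip, dst_ip):
    """Emulate 'ip nat inside source list PAT ... overload' for one flow.

    IOS walks the list top-down and stops at the first match. A 'permit'
    match means the packet is translated; a 'deny' match, or falling off
    the end of the list, means it leaves untranslated and can enter the VTI.
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


def check_exemption(acl_text, inside_host, remote_host, internet_host):
    """Summarise how the ACL treats VPN traffic versus ordinary Internet traffic."""
    acl = parse_acl(acl_text)
    return {
        "vpn_traffic_translated": nat_applies(acl, inside_host, remote_host),
        "internet_traffic_translated": nat_applies(acl, inside_host, internet_host),
    }


if __name__ == "__main__":
    # Correct order: VPN traffic exempt (False), Internet traffic translated (True).
    print(check_exemption(R2_PAT_ACL_TEXT, "172.16.1.2", "192.168.1.2", "203.0.113.5"))
    # Same two entries reversed: the permit-any now shadows the deny.
    reordered = list(reversed(parse_acl(R2_PAT_ACL_TEXT)))
    print("VPN traffic translated with reversed ACL:",
          nat_applies(reordered, "172.16.1.2", "192.168.1.2"))
```

The same check applies unchanged to R4's list by swapping the two networks; the point it makes is that the exemption is an ordering property of the list, not just the presence of a deny entry.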
6. IKEv2 VPN configuration:
A. R2:
① Configure the IKEv2 proposal and keyring, then configure a profile that references them:
crypto ikev2 proposal IKEV2Proposal
encryption aes-cbc-256
integrity sha512
group 14
crypto ikev2 keyring KeyRing
peer R4
address 202.100.2.1
pre-shared-key cisco
crypto ikev2 profile IKEV2_Profile
match identity remote address 202.100.2.1 255.255.255.255
identity local address 202.100.1.1
authentication remote pre-share
authentication local pre-share
keyring local KeyRing
② Phase 2 transform set:
crypto ipsec transform-set transet esp-3des esp-md5-hmac
mode tunnel
③ Configure the IPsec profile, referencing IKEV2_Profile and the phase 2 transform set:
crypto ipsec profile IPSec_Profile
set transform-set transet
set ikev2-profile IKEV2_Profile
④ Configure the static VTI and apply the IPsec profile:
interface Tunnel0
ip address 10.1.1.2 255.255.255.0
tunnel source FastEthernet0/1
tunnel destination 202.100.2.1
tunnel protection ipsec profile IPSec_Profile
⑤ Configure the dynamic routing protocol:
router eigrp 100
network 10.0.0.0
network 172.16.0.0
B. R4:
① Configure the IKEv2 proposal and keyring, then configure a profile that references them:
crypto ikev2 proposal IKEV2Proposal
encryption aes-cbc-256
integrity sha512
group 14
crypto ikev2 keyring KeyRing
peer R2
address 202.100.1.1
pre-shared-key cisco
crypto ikev2 profile IKEV2_Profile
match identity remote address 202.100.1.1 255.255.255.255
identity local address 202.100.2.1
authentication remote pre-share
authentication local pre-share
keyring local KeyRing
virtual-template 1
② Phase 2 transform set:
crypto ipsec transform-set transet esp-3des esp-md5-hmac
mode tunnel
③ Configure the IPsec profile, referencing IKEV2_Profile and the phase 2 transform set:
crypto ipsec profile IPSec_Profile
set transform-set transet
set ikev2-profile IKEV2_Profile
④ Configure the Dynamic VTI and apply the IPsec profile:
interface Loopback1
ip address 10.1.1.4 255.255.255.0
interface Virtual-Template1 type tunnel
ip unnumbered Loopback1
tunnel source FastEthernet0/1
tunnel protection ipsec profile IPSec_Profile
⑤ Configure the dynamic routing protocol:
router eigrp 100
network 10.0.0.0
network 192.168.1.0
7. Verification:
R2#show crypto ikev2 session
IPv4 Crypto IKEv2 Session
Session-id:8, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote fvrf/ivrf Status
2 202.100.1.1/500 202.100.2.1/500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/235 sec
Child sa: local selector 202.100.1.1/0 - 202.100.1.1/65535
remote selector 202.100.2.1/0 - 202.100.2.1/65535
ESP spi in/out: 0x6013C32/0x827ABC3A
IPv6 Crypto IKEv2 Session
R4#show crypto ikev2 session
IPv4 Crypto IKEv2 Session
Session-id:11, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote fvrf/ivrf Status
1 202.100.2.1/500 202.100.1.1/500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/312 sec
Child sa: local selector 202.100.2.1/0 - 202.100.2.1/65535
remote selector 202.100.1.1/0 - 202.100.1.1/65535
ESP spi in/out: 0x827ABC3A/0x6013C32
IPv6 Crypto IKEv2 Session
R2#show crypto engine connections active
Crypto Engine Connections
ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address
23 IPsec 3DES+MD5 87 0 0 202.100.1.1
24 IPsec 3DES+MD5 0 88 88 202.100.1.1
1011 IKEv2 SHA512+AES256 0 0 0 202.100.1.1
R4#show crypto engine connections active
Crypto Engine Connections
ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address
23 IPsec 3DES+MD5 0 93 93 202.100.2.1
24 IPsec 3DES+MD5 93 0 0 202.100.2.1
1020 IKEv2 SHA512+AES256 0 0 0 202.100.2.1
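Reading these two outputs by eye works for one lab tunnel, but the useful verification step is to compare what was actually negotiated against what the configuration asked for. Two things stand out in the R2 capture above: the proposal configures group 14 while the session line reports DH Grp:5, and the child SAs run the esp-3des esp-md5-hmac transform set, both of which an automated check should surface. The Python script below is an added example (not part of the original post and not Cisco code) that parses the verbatim R2 output embedded as constructed sample strings, compares the IKEv2 SA against the proposal's parameters as an assumed policy baseline, flags legacy IPsec algorithms, and confirms that ESP counters show traffic in both directions.

```python
import re

# Constructed samples: the R2 output of 'show crypto ikev2 session' and
# 'show crypto engine connections active' shown in this post, copied verbatim.
R2_IKEV2_SESSION = """\
IPv4 Crypto IKEv2 Session
Session-id:8, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote fvrf/ivrf Status
2 202.100.1.1/500 202.100.2.1/500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/235 sec
Child sa: local selector 202.100.1.1/0 - 202.100.1.1/65535
remote selector 202.100.2.1/0 - 202.100.2.1/65535
ESP spi in/out: 0x6013C32/0x827ABC3A
IPv6 Crypto IKEv2 Session
"""

R2_ENGINE_CONNECTIONS = """\
Crypto Engine Connections
ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address
23 IPsec 3DES+MD5 87 0 0 202.100.1.1
24 IPsec 3DES+MD5 0 88 88 202.100.1.1
1011 IKEv2 SHA512+AES256 0 0 0 202.100.1.1
"""

# Assumed policy baseline: what the 'crypto ikev2 proposal' in this post asks for.
EXPECTED_IKE = {"encr": "AES-CBC", "keysize": 256, "hash": "SHA512", "dh_group": 14, "auth": "PSK"}
# Algorithms that should not appear in a newly negotiated IPsec SA.
LEGACY_IPSEC_ALGS = {"DES", "3DES", "MD5"}

_SA_LINE = re.compile(
    r"Encr:\s*([\w-]+),\s*keysize:\s*(\d+),\s*Hash:\s*(\w+),\s*DH Grp:\s*(\d+),"
    r"\s*Auth sign:\s*(\w+),\s*Auth verify:\s*(\w+)"
)


def parse_ikev2_session(text):
    """Extract status, negotiated IKE SA parameters, lifetimes and SPIs."""
    sa = {"status": None}
    m = re.search(r"Status:(\S+?),", text)
    if m:
        sa["status"] = m.group(1)
    m = _SA_LINE.search(text)
    if m:
        sa.update(encr=m.group(1), keysize=int(m.group(2)), hash=m.group(3),
                  dh_group=int(m.group(4)), auth_sign=m.group(5), auth_verify=m.group(6))
    m = re.search(r"Life/Active Time:\s*(\d+)/(\d+)\s*sec", text)
    if m:
        sa["lifetime"], sa["active"] = int(m.group(1)), int(m.group(2))
    m = re.search(r"ESP spi in/out:\s*(0x[0-9A-Fa-f]+)/(0x[0-9A-Fa-f]+)", text)
    if m:
        sa["spi_in"], sa["spi_out"] = m.group(1), m.group(2)
    return sa


def parse_engine_connections(text):
    """Return one dict per crypto engine connection row (header rows are skipped)."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 7 and f[0].isdigit():
            conns.append({"id": int(f[0]), "type": f[1], "algorithm": f[2],
                          "encrypt": int(f[3]), "decrypt": int(f[4]), "peer": f[6]})
    return conns


def audit_tunnel(session_text, engine_text, expected=EXPECTED_IKE):
    """Return a list of findings; an empty list means the tunnel matches policy."""
    findings = []
    sa = parse_ikev2_session(session_text)
    if sa["status"] != "UP-ACTIVE":
        findings.append(f"IKEv2 SA status is {sa['status']}, not UP-ACTIVE")
    for key in ("encr", "keysize", "hash", "dh_group"):
        if sa.get(key) != expected[key]:
            findings.append(f"IKEv2 {key}: negotiated {sa.get(key)}, policy expects {expected[key]}")
    if (sa.get("auth_sign"), sa.get("auth_verify")) != (expected["auth"], expected["auth"]):
        findings.append(f"IKEv2 auth: sign={sa.get('auth_sign')} verify={sa.get('auth_verify')}")
    ipsec = [c for c in parse_engine_connections(engine_text) if c["type"] == "IPsec"]
    for c in ipsec:
        legacy = set(c["algorithm"].split("+")) & LEGACY_IPSEC_ALGS
        if legacy:
            findings.append(f"IPsec SA {c['id']} uses legacy algorithm(s) {'+'.join(sorted(legacy))}")
    # A healthy tunnel has an outbound SA with a rising encrypt counter and an inbound SA with a rising decrypt counter.
    if not (any(c["encrypt"] for c in ipsec) and any(c["decrypt"] for c in ipsec)):
        findings.append("no IPsec SA shows traffic in both directions")
    return findings


if __name__ == "__main__":
    for finding in audit_tunnel(R2_IKEV2_SESSION, R2_ENGINE_CONNECTIONS):
        print("-", finding)
```

Run against the R2 capture it reports three findings: the DH group differs from the proposal, and both IPsec SAs use 3DES and MD5. Feeding in R4's output gives the mirror image (the SPIs and counters swap direction), which is itself a quick consistency check between the two ends.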
R1#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 328/372/432 ms
R1#
*Jul 12 22:50:39.681: ICMP: echo reply rcvd, src 192.168.1.2, dst 172.16.1.2, topology BASE, dscp 0 topoid 0
*Jul 12 22:50:40.025: ICMP: echo reply rcvd, src 192.168.1.2, dst 172.16.1.2, topology BASE, dscp 0 topoid 0
*Jul 12 22:50:40.461: ICMP: echo reply rcvd, src 192.168.1.2, dst 172.16.1.2, topology BASE, dscp 0 topoid 0
R1#
*Jul 12 22:50:40.793: ICMP: echo reply rcvd, src 192.168.1.2, dst 172.16.1.2, topology BASE, dscp 0 topoid 0
*Jul 12 22:50:41.169: ICMP: echo reply rcvd, src 192.168.1.2, dst 172.16.1.2, topology BASE, dscp 0 topoid 0
R1#
R5#ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 300/375/492 ms
R5#
*Jul 12 22:52:00.350: ICMP: echo reply rcvd, src 172.16.1.2, dst 192.168.1.2, topology BASE, dscp 0 topoid 0
*Jul 12 22:52:00.678: ICMP: echo reply rcvd, src 172.16.1.2, dst 192.168.1.2, topology BASE, dscp 0 topoid 0
*Jul 12 22:52:01.138: ICMP: echo reply rcvd, src 172.16.1.2, dst 192.168.1.2, topology BASE, dscp 0 topoid 0
R5#
*Jul 12 22:52:01.442: ICMP: echo reply rcvd, src 172.16.1.2, dst 192.168.1.2, topology BASE, dscp 0 topoid 0
*Jul 12 22:52:01.942: ICMP: echo reply rcvd, src 172.16.1.2, dst 192.168.1.2, topology BASE, dscp 0 topoid 0
R5#