该脚本用于批量生成 Cisco IOS IPsec 配置（config scale），支持 ikev2（crypto map）和 svti（静态 VTI，`tunnel mode ipsec ipv4`）两种模式；生成的配置仅输出到标准输出，不会直接下发到设备。
from xml.dom import minidom
from ftplib import FTP
import telnetlib
import sys
import time
import logging
import os
import re
import platform
import string
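class IPSecConfigScale:
    """Generate Cisco IOS IPsec configuration for many tunnels at once.

    The generated CLI is printed to stdout; nothing talks to a device.
    ``mode`` selects the generator:

    * ``'ikev2'`` - one crypto-map based IKEv2 tunnel per index, emitted
      once for each side (role 1 / role 2) on dot1q sub-interfaces.
    * ``'svti'``  - one static VTI (``tunnel mode ipsec ipv4``) per index
      over IKEv1/ISAKMP between loopbacks, emitted for Router A, Router B
      and an "unconfig" section that removes it again.

    Security note (lab use only): the emitted configuration uses a fixed
    pre-shared key (``cisco`` for svti, ``cisco123`` for ikev2), a keyring
    and ISAKMP profile that match any peer address in svti mode, and legacy
    3DES / DH group 2 proposals. Override the key with ``psk`` and do not
    apply this output to production devices.
    """

    # The tunnel index is substituted into an IPv4 octet, so counts at or
    # above this limit are rejected by run().
    TUNNEL_LIMIT = 255

    def __init__(self, tunnel, mode, psk=None):
        """
        Args:
            tunnel: number of tunnels to generate (anything ``int()`` accepts).
            mode: ``'ikev2'`` or ``'svti'``; anything else is reported by
                :meth:`run` as unsupported.
            psk: pre-shared key written into the config. ``None`` keeps the
                historical defaults (``cisco`` for svti, ``cisco123`` for
                ikev2).

        Raises:
            ValueError, TypeError: propagated from ``int(tunnel)``.
        """
        self.__tunnel_number__ = int(tunnel)
        self.__mode__ = mode
        self.__psk__ = psk
        # Addressing plan for the ikev2 generator; the svti generator sets
        # its own values in __scale_svti_config__.  Prefixes end with a dot
        # because the tunnel index is appended as the third octet.
        self.__vlan_start__ = 2000        # not referenced by the generators; kept for compatibility
        self.__ip_wan_A__ = '50.1.'
        self.__ip_wan_B__ = self.__ip_wan_A__
        self.__ip_lan_A__ = '172.16.'
        self.__ip_lan_B__ = '172.17.'
        self.__netmask__ = '255.255.255.0'
        self.__wildcard__ = '0.0.0.255'    # not referenced by the generators; kept for compatibility
        self.__interface_lan_A__ = 'GigabitEthernet2.'
        self.__interface_wan_A__ = 'GigabitEthernet3.'
        self.__interface_lan_B__ = 'GigabitEthernet2.'
        self.__interface_wan_B__ = 'GigabitEthernet3.'
        self.__vlan_lan_A__ = 2000
        self.__vlan_wan__ = 3000
        self.__vlan_lan_B__ = 4000
        self.__eigrp_as__ = 1000          # not referenced by the generators; kept for compatibility

    def run(self):
        """Print the configuration for the configured mode.

        Prints ``ERROR, <n> is not supported`` and generates nothing when the
        tunnel count is ``TUNNEL_LIMIT`` or more, and ``<mode> is not
        supported`` for an unknown mode.  (The original read a module-level
        ``mode`` global here and kept generating after the count error.)
        """
        print('tunnel is %s' % self.__tunnel_number__)
        print('mode is %s' % self.__mode__)
        if self.__tunnel_number__ >= self.TUNNEL_LIMIT:
            print('ERROR, %s is not supported' % self.__tunnel_number__)
            return
        if self.__mode__ == 'ikev2':
            # Role 1 is side A, role 2 is side B: same WAN prefix, local and
            # remote LAN prefixes swapped, separate LAN VLAN ranges.
            self.__scale_ikev2_config__(ip_lan_local_in=self.__ip_lan_A__,
                                        ip_wan=self.__ip_wan_A__,
                                        ip_lan_remote_in=self.__ip_lan_B__,
                                        interface_lan=self.__interface_lan_A__,
                                        interface_wan=self.__interface_wan_A__,
                                        vlan_lan_in=self.__vlan_lan_A__,
                                        vlan_wan_in=self.__vlan_wan__,
                                        role=1)
            self.__scale_ikev2_config__(ip_lan_local_in=self.__ip_lan_B__,
                                        ip_wan=self.__ip_wan_B__,
                                        ip_lan_remote_in=self.__ip_lan_A__,
                                        interface_lan=self.__interface_lan_B__,
                                        interface_wan=self.__interface_wan_B__,
                                        vlan_lan_in=self.__vlan_lan_B__,
                                        vlan_wan_in=self.__vlan_wan__,
                                        role=2)
        elif self.__mode__ == 'svti':
            self.__scale_svti_config__()
        else:
            print('%s is not supported' % self.__mode__)

    def _psk_or_default(self, default):
        """Return the constructor-supplied PSK, or ``default`` when none was given."""
        psk = getattr(self, '__psk__', None)
        return default if psk is None else psk

    def __scale_svti_config__(self):
        """Print SVTI configuration for Router A, Router B and the unconfig.

        Tunnel index ``it`` gets ``loopback 1000+it`` as the IKE/IPsec
        endpoint (``10.1.<it>.1`` on A, ``10.2.<it>.1`` on B) and
        ``tunnel 1000+it`` with an overlay address in ``80.1.<it>.0/24``
        (``.1`` on A, ``.2`` on B).  The original gave both ends of the
        tunnel the same ``.1`` overlay address, which cannot work as a
        point-to-point link; B now gets ``.2``, matching the ``.1``/``.2``
        convention the ikev2 generator already uses for the WAN.
        """
        self.__svti_wan_ip_A__ = '192.168.1.1'
        self.__svti_wan_ip_B__ = '192.168.1.2'
        self.__svti_wan_interface_A__ = 'GigabitEthernet2.880'
        self.__svti_wan_interface_B__ = 'GigabitEthernet0/0/0.880'
        self.__svti_interface_loopback__ = 1000
        self.__svti_loopback_ip_A__ = '10.1'
        self.__svti_loopback_ip_B__ = '10.2'
        self.__svti_tunnel_ip_A__ = '80.1'
        self.__svti_tunnel_ip_B__ = '80.1'
        self.__svti_network__ = '255.255.255.0'
        psk = self._psk_or_default('cisco')

        self._print_svti_router('A',
                                wan_interface=self.__svti_wan_interface_A__,
                                wan_ip=self.__svti_wan_ip_A__,
                                local_loopback_prefix=self.__svti_loopback_ip_A__,
                                remote_loopback_prefix=self.__svti_loopback_ip_B__,
                                tunnel_prefix=self.__svti_tunnel_ip_A__,
                                tunnel_host='1',
                                psk=psk)
        self._print_svti_router('B',
                                wan_interface=self.__svti_wan_interface_B__,
                                wan_ip=self.__svti_wan_ip_B__,
                                local_loopback_prefix=self.__svti_loopback_ip_B__,
                                remote_loopback_prefix=self.__svti_loopback_ip_A__,
                                tunnel_prefix=self.__svti_tunnel_ip_B__,
                                tunnel_host='2',
                                psk=psk)
        self._print_svti_unconfig()

    def _print_svti_crypto(self, psk):
        """Print the IKEv1/IPsec policy block shared by both SVTI routers.

        NOTE(security): the keyring entry and ``match identity address
        0.0.0.0`` accept any peer, so every host that knows ``psk`` can bring
        up a tunnel; 3DES and DH group 2 are legacy algorithms.  Lab use only.
        """
        print('crypto keyring KEYS')
        print(' pre-shared-key address 0.0.0.0 0.0.0.0 key %s' % psk)
        print('crypto isakmp policy 10')
        print(' encr 3des')
        print(' hash sha256')
        print(' authentication pre-share')
        print(' group 2')
        print(' lifetime 600')
        print('crypto isakmp profile ISAKMPP')
        print(' keyring KEYS')
        print(' match identity address 0.0.0.0')
        print('crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac')
        print(' mode tunnel')
        print('crypto ipsec profile IPSECPP')
        print(' set transform-set TS')
        print(' set isakmp-profile ISAKMPP')

    def _print_svti_router(self, label, wan_interface, wan_ip,
                           local_loopback_prefix, remote_loopback_prefix,
                           tunnel_prefix, tunnel_host, psk):
        """Print the complete SVTI configuration for one router.

        Args:
            label: router name used in the banner (``'A'`` or ``'B'``).
            wan_interface, wan_ip: WAN sub-interface and its address.
            local_loopback_prefix, remote_loopback_prefix: first two octets of
                the tunnel-source / tunnel-destination loopback networks.
            tunnel_prefix: first two octets of the overlay network.
            tunnel_host: host octet of this side's overlay address.
            psk: pre-shared key written into the keyring.
        """
        print('###################################')
        print('###################################')
        print('# config for Cisco Router %s:' % label)
        print('configure terminal')
        print('interface %s' % wan_interface)
        print(' ip address %s %s' % (wan_ip, self.__svti_network__))
        self._print_svti_crypto(psk)
        for it in range(0, self.__tunnel_number__):
            number = self.__svti_interface_loopback__ + it
            local_loopback = '%s.%s.1' % (local_loopback_prefix, it)
            remote_loopback = '%s.%s.1' % (remote_loopback_prefix, it)
            tunnel_ip = '%s.%s.%s' % (tunnel_prefix, it, tunnel_host)
            print('interface loopback %s' % number)
            print(' ip address %s %s' % (local_loopback, self.__svti_network__))
            print('interface tunnel %s' % number)
            print(' ip address %s %s' % (tunnel_ip, self.__svti_network__))
            print(' tunnel source loopback %s' % number)
            print(' tunnel mode ipsec ipv4')
            print(' tunnel destination %s' % remote_loopback)
            print(' tunnel protection ipsec profile IPSECPP')
        print('end')

    def _print_svti_unconfig(self):
        """Print the commands that remove the SVTI objects again (same on A and B).

        The WAN sub-interface address is left in place, as in the original.
        """
        print('###################################')
        print('###################################')
        print('# unconfig for Cisco Router A and B:')
        print('configure terminal')
        for it in range(0, self.__tunnel_number__):
            number = self.__svti_interface_loopback__ + it
            print('no interface tunnel %s' % number)
            print('no interface loopback %s' % number)
        print('no crypto ipsec profile IPSECPP')
        print('no crypto isakmp profile ISAKMPP')
        print('no crypto keyring KEYS')
        print('no crypto isakmp policy 10')
        print('no crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac')
        print('end')

    def __scale_ikev2_config__(self, ip_lan_local_in='172.16.',
                               ip_wan='50.1.',
                               ip_lan_remote_in='60.1.',
                               interface_lan='GigabitEthernet2.',
                               interface_wan='GigabitEthernet3.',
                               vlan_lan_in=2000,
                               vlan_wan_in=3000,
                               role=1):
        """Print crypto-map based IKEv2 configuration for one side.

        For each tunnel index ``it`` this emits ``IKEv2Proposal<it>``,
        ``IKEv2Policy<it>``, keyring ``KEY<it>`` (peer ``PEER<it>``),
        ``IKEv2Profile<it>``, transform-set ``TS<it>``, crypto map
        ``CMAP<it>`` applied to the WAN dot1q sub-interface
        ``<interface_wan><vlan_wan_in+it>``, a LAN sub-interface, and a host
        route to the remote LAN address via the remote WAN address.

        Args:
            ip_lan_local_in, ip_lan_remote_in: LAN prefixes with trailing dot;
                the address is ``<prefix><it>.1``.
            ip_wan: WAN prefix shared by both sides; role 1 takes
                ``<ip_wan><it>.1`` and peers with ``.2``, role 2 the reverse.
            interface_lan, interface_wan: parent interface names with trailing
                dot; the VLAN id is appended to form the sub-interface.
            vlan_lan_in, vlan_wan_in: first VLAN ids; ``it`` is added per tunnel.
            role: 1 or 2, selects which WAN host address is local.

        NOTE(security): the PSK is fixed (``cisco123`` unless ``psk`` was
        passed to the constructor) and the proposal uses 3DES / DH group 2.
        Lab use only.
        """
        psk = self._psk_or_default('cisco123')
        print('###################################')
        print('###################################')
        print('# config for Cisco Router(role: %s):' % role)
        print('configure terminal')
        for it in range(0, self.__tunnel_number__):
            proposal = 'IKEv2Proposal%s' % it
            policy = 'IKEv2Policy%s' % it
            key = 'KEY%s' % it
            peer = 'PEER%s' % it
            profile = 'IKEv2Profile%s' % it
            transform_set = 'TS%s' % it
            crypto_map = 'CMAP%s' % it   # was ``map``, which shadowed the builtin
            vlan_lan = vlan_lan_in + it
            vlan_wan = vlan_wan_in + it
            # Role 1 owns .1 of each WAN /24 and peers with .2; role 2 the reverse.
            local_host, remote_host = ('1', '2') if role == 1 else ('2', '1')
            ip_wan_local = '%s%s.%s' % (ip_wan, it, local_host)
            ip_wan_remote = '%s%s.%s' % (ip_wan, it, remote_host)
            ip_lan_local = '%s%s.1' % (ip_lan_local_in, it)
            ip_lan_remote = '%s%s.1' % (ip_lan_remote_in, it)
            subinterface_lan = '%s%s' % (interface_lan, vlan_lan)
            subinterface_wan = '%s%s' % (interface_wan, vlan_wan)
            traffic_acl = 'traffic_acl_%s' % it
            # Crypto ACL. NOTE(review): the second entry matches traffic
            # *sourced* from the remote LAN address, which is unusual for a
            # crypto ACL; kept as in the original -- confirm it is intended.
            print('# traffic ACL')
            print('ip access-list extended %s' % traffic_acl)
            print(' permit ip host %s any' % ip_lan_local)
            print(' permit ip host %s any' % ip_lan_remote)
            print('# IKEv2 proposal')
            print('crypto ikev2 proposal %s' % proposal)
            print(' encryption 3des')
            print(' integrity sha512')
            print(' group 2')
            print('# IKEv2 policy')
            print('crypto ikev2 policy %s' % policy)
            print(' proposal %s' % proposal)
            print('# IKEv2 keyring')
            print('crypto ikev2 keyring %s' % key)
            print(' peer %s' % peer)
            print(' address %s' % ip_wan_remote)
            print(' pre-shared-key local %s' % psk)
            print(' pre-shared-key remote %s' % psk)
            print('# IKEv2 profile')
            print('crypto ikev2 profile %s' % profile)
            print(' match identity remote address %s 255.255.255.255' % ip_wan_remote)
            print(' identity local address %s' % ip_wan_local)
            print(' authentication local pre-share')
            print(' authentication remote pre-share')
            print(' keyring local %s' % key)
            print('# IPSec transform-set')
            print('crypto ipsec transform-set %s esp-aes 256 esp-sha256-hmac' % transform_set)
            print('# crypto map')
            print('crypto map %s 10 ipsec-isakmp' % crypto_map)
            print(' set peer %s' % ip_wan_remote)
            print(' set transform-set %s' % transform_set)
            print(' set ikev2-profile %s' % profile)
            print(' match address %s' % traffic_acl)
            print('# wan subinterface')
            print('interface %s' % subinterface_wan)
            print(' encapsulation dot1q %s' % vlan_wan)
            print(' ip address %s %s' % (ip_wan_local, self.__netmask__))
            print(' crypto map %s' % crypto_map)
            print('# lan subinterface')
            print('interface %s' % subinterface_lan)
            print(' encapsulation dot1q %s' % vlan_lan)
            print(' ip address %s %s' % (ip_lan_local, self.__netmask__))
            # Static host route to the remote LAN address via the remote WAN peer.
            print('ip route %s 255.255.255.255 %s' % (ip_lan_remote, ip_wan_remote))
        print('end')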
def printHelp():
    """Print the command-line usage text to stdout and return -1.

    The return value is informational only; the CLI entry point calls
    ``sys.exit(1)`` itself after printing this.
    """
    usage = (
        '\nError running command!\n\n',
        'Please run it as following indication:',
        'COMMAND <tunnel number> [mode]\n',
        'For Example:',
        ' python IPSecConfigScale.py 10 ikev2\n\n',
    )
    for line in usage:
        print(line)
    return -1
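if __name__ == "__main__":
    # Usage: COMMAND [<tunnel number> [mode]]; defaults are 10 tunnels, ikev2.
    numargs = len(sys.argv) - 1
    if numargs == 0:
        tunnel = 10
        mode = 'ikev2'
    elif numargs == 1:
        tunnel = sys.argv[1]
        mode = 'ikev2'
    elif numargs == 2:
        tunnel = sys.argv[1]
        mode = sys.argv[2]
    else:
        printHelp()
        sys.exit(1)
    # ``tunnel`` comes straight from argv: a non-numeric value used to escape
    # as a traceback from int() in the constructor; show the usage instead.
    try:
        scale = IPSecConfigScale(tunnel, mode)
    except ValueError:
        printHelp()
        sys.exit(1)
    scale.run()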
运行情况（示例：2 条隧道、svti 模式）。注意：生成的配置使用固定预共享密钥 `cisco`、匹配任意对端地址的 keyring（`pre-shared-key address 0.0.0.0 0.0.0.0`）以及 3DES / DH group 2 等旧算法，仅适用于实验室规模测试，请勿直接用于生产环境:
python ipsec_config_scale.py 2 svti
tunnel is 2
mode is svti
###################################
###################################
# config for Cisco Router A:
configure terminal
interface GigabitEthernet2.880
ip address 192.168.1.1 255.255.255.0
crypto keyring KEYS
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
crypto isakmp policy 10
encr 3des
hash sha256
authentication pre-share
group 2
lifetime 600
crypto isakmp profile ISAKMPP
keyring KEYS
match identity address 0.0.0.0
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
mode tunnel
crypto ipsec profile IPSECPP
set transform-set TS
set isakmp-profile ISAKMPP
interface loopback 1000
ip address 10.1.0.1 255.255.255.0
interface tunnel 1000
ip address 80.1.0.1 255.255.255.0
tunnel source loopback 1000
tunnel mode ipsec ipv4
tunnel destination 10.2.0.1
tunnel protection ipsec profile IPSECPP
interface loopback 1001
ip address 10.1.1.1 255.255.255.0
interface tunnel 1001
ip address 80.1.1.1 255.255.255.0
tunnel source loopback 1001
tunnel mode ipsec ipv4
tunnel destination 10.2.1.1
tunnel protection ipsec profile IPSECPP
end
###################################
###################################
# config for Cisco Router B:
configure terminal
interface GigabitEthernet0/0/0.880
ip address 192.168.1.2 255.255.255.0
crypto keyring KEYS
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
crypto isakmp policy 10
encr 3des
hash sha256
authentication pre-share
group 2
lifetime 600
crypto isakmp profile ISAKMPP
keyring KEYS
match identity address 0.0.0.0
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
mode tunnel
crypto ipsec profile IPSECPP
set transform-set TS
set isakmp-profile ISAKMPP
interface loopback 1000
ip address 10.2.0.1 255.255.255.0
interface tunnel 1000
ip address 80.1.0.1 255.255.255.0
tunnel source loopback 1000
tunnel mode ipsec ipv4
tunnel destination 10.1.0.1
tunnel protection ipsec profile IPSECPP
interface loopback 1001
ip address 10.2.1.1 255.255.255.0
interface tunnel 1001
ip address 80.1.1.1 255.255.255.0
tunnel source loopback 1001
tunnel mode ipsec ipv4
tunnel destination 10.1.1.1
tunnel protection ipsec profile IPSECPP
end
###################################
###################################
# unconfig for Cisco Router A and B:
configure terminal
no interface tunnel 1000
no interface loopback 1000
no interface tunnel 1001
no interface loopback 1001
no crypto ipsec profile IPSECPP
no crypto isakmp profile ISAKMPP
no crypto keyring KEYS
no crypto isakmp policy 10
no crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
end