IPSec scale config script for Cisco routers

该脚本支持了SVTI模式的config scale


from xml.dom import minidom
from ftplib import FTP
import telnetlib
import sys
import time
import logging
import os
import re
import platform
import string

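class IPSecConfigScale:
    """Emit scaled IPsec configuration (and un-configuration) for two Cisco routers.

    Every method writes IOS CLI text to stdout; nothing is pushed to a device.
    Two modes are selected through ``run()``:

    * ``ikev2`` -- one crypto-map based IKEv2 tunnel per pair of dot1q
      sub-interfaces, each tunnel with its own proposal/policy/keyring/profile.
    * ``svti``  -- one static virtual tunnel interface (``tunnel mode ipsec
      ipv4``) per loopback pair, all protected by one shared IKEv1 profile.

    The crypto parameters written out (3DES, DH group 2, a wildcard
    ``0.0.0.0 0.0.0.0`` keyring, fixed pre-shared-key strings) are lab-scale
    placeholders for scale testing; the PSK strings live in ``__svti_psk__``
    and ``__ikev2_psk__`` so they can be overridden before the output is used
    anywhere but a test bed.
    """

    def __init__(self, tunnel, mode):
        """Store the tunnel count and mode plus the addressing/interface layout.

        Args:
            tunnel: number of tunnels to generate; anything accepted by ``int()``.
            mode: ``'ikev2'`` or ``'svti'`` (validated in ``run()``).

        Raises:
            ValueError: if *tunnel* cannot be converted to an integer.
        """
        self.__tunnel_number__ = int(tunnel)
        self.__mode__ = mode

        # Kept for compatibility; not read by the generators in this class.
        self.__vlan_start__ = 2000

        # ikev2 mode: address prefixes.  The tunnel index and a host octet are
        # appended per tunnel, so routers A and B share the WAN prefix.
        self.__ip_wan_A__ = '50.1.'
        self.__ip_wan_B__ = self.__ip_wan_A__
        self.__ip_lan_A__ = '172.16.'
        self.__ip_lan_B__ = '172.17.'
        self.__netmask__ = '255.255.255.0'
        self.__wildcard__ = '0.0.0.255'
        self.__interface_lan_A__ = 'GigabitEthernet2.'
        self.__interface_wan_A__ = 'GigabitEthernet3.'
        self.__interface_lan_B__ = 'GigabitEthernet2.'
        self.__interface_wan_B__ = 'GigabitEthernet3.'

        # ikev2 mode: base VLAN ids; the tunnel index is added per sub-interface.
        self.__vlan_lan_A__ = 2000
        self.__vlan_wan__ = 3000
        self.__vlan_lan_B__ = 4000

        # Kept for compatibility; not read by the generators in this class.
        self.__eigrp_as__ = 1000

        # Pre-shared keys written verbatim into the generated CLI.  These are
        # lab placeholders -- override the attributes before running against a
        # real peer.
        self.__svti_psk__ = 'cisco'
        self.__ikev2_psk__ = 'cisco123'

    def run(self):
        """Print the configuration for the selected mode.

        Prints an error line and generates nothing when the tunnel count is
        255 or more (the tunnel index is used as an IPv4 octet) or when the
        mode is unknown.
        """
        print('tunnel is %s' % self.__tunnel_number__)
        print('mode is %s' % self.__mode__)

        if self.__tunnel_number__ >= 255:
            print('ERROR, %s is not supported' % self.__tunnel_number__)
            return

        if self.__mode__ == 'ikev2':
            # Router A is role 1 (host .1 on each WAN /24), router B is role 2.
            self.__scale_ikev2_config__(ip_lan_local_in=self.__ip_lan_A__,
                                        ip_wan=self.__ip_wan_A__,
                                        ip_lan_remote_in=self.__ip_lan_B__,
                                        interface_lan=self.__interface_lan_A__,
                                        interface_wan=self.__interface_wan_A__,
                                        vlan_lan_in=self.__vlan_lan_A__,
                                        vlan_wan_in=self.__vlan_wan__,
                                        role=1)
            self.__scale_ikev2_config__(ip_lan_local_in=self.__ip_lan_B__,
                                        ip_wan=self.__ip_wan_B__,
                                        ip_lan_remote_in=self.__ip_lan_A__,
                                        interface_lan=self.__interface_lan_B__,
                                        interface_wan=self.__interface_wan_B__,
                                        vlan_lan_in=self.__vlan_lan_B__,
                                        vlan_wan_in=self.__vlan_wan__,
                                        role=2)
        elif self.__mode__ == 'svti':
            self.__scale_svti_config__()
        else:
            print('%s is not supported' % self.__mode__)

    def __scale_svti_config__(self):
        """Print SVTI configuration for router A, router B, then the un-config.

        Tunnel *it* gets loopback and tunnel interface ``1000 + it`` on both
        routers; the loopbacks are the tunnel source/destination, and the
        IKEv1 keyring, ISAKMP policy/profile, transform set and IPsec profile
        are shared by every tunnel.
        """
        self.__svti_wan_ip_A__ = '192.168.1.1'
        self.__svti_wan_ip_B__ = '192.168.1.2'
        self.__svti_wan_interface_A__ = 'GigabitEthernet2.880'
        self.__svti_wan_interface_B__ = 'GigabitEthernet0/0/0.880'

        self.__svti_interface_loopback__ = 1000

        self.__svti_loopback_ip_A__ = '10.1'
        self.__svti_loopback_ip_B__ = '10.2'

        # NOTE(review): A and B use the same tunnel prefix, so tunnel N gets
        # the identical address 80.1.N.1 on both ends -- confirm this is intended.
        self.__svti_tunnel_ip_A__ = '80.1'
        self.__svti_tunnel_ip_B__ = '80.1'

        self.__svti_network__ = '255.255.255.0'

        self._print_svti_router(label='A',
                                wan_interface=self.__svti_wan_interface_A__,
                                wan_ip=self.__svti_wan_ip_A__,
                                local_loopback=self.__svti_loopback_ip_A__,
                                remote_loopback=self.__svti_loopback_ip_B__,
                                tunnel_prefix=self.__svti_tunnel_ip_A__)
        self._print_svti_router(label='B',
                                wan_interface=self.__svti_wan_interface_B__,
                                wan_ip=self.__svti_wan_ip_B__,
                                local_loopback=self.__svti_loopback_ip_B__,
                                remote_loopback=self.__svti_loopback_ip_A__,
                                tunnel_prefix=self.__svti_tunnel_ip_B__)
        self._print_svti_unconfig()

    def _print_svti_crypto_policy(self):
        """Print the IKEv1 pieces shared by all SVTI tunnels of one router."""
        # Wildcard keyring (any peer address, one key), 3DES and DH group 2
        # are deliberately permissive lab settings for scale testing.
        print('crypto keyring KEYS')
        print('  pre-shared-key address 0.0.0.0 0.0.0.0 key %s' % self.__svti_psk__)
        print('crypto isakmp policy 10')
        print(' encr 3des')
        print(' hash sha256')
        print(' authentication pre-share')
        print(' group 2')
        print(' lifetime 600')
        print('crypto isakmp profile ISAKMPP')
        print('   keyring KEYS')
        print('   match identity address 0.0.0.0')
        print('crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac')
        print(' mode tunnel')
        print('crypto ipsec profile IPSECPP')
        print(' set transform-set TS')
        print(' set isakmp-profile ISAKMPP')

    def _print_svti_router(self, label, wan_interface, wan_ip,
                           local_loopback, remote_loopback, tunnel_prefix):
        """Print the complete SVTI configuration of one router.

        Args:
            label: router name used in the banner comment ('A' or 'B').
            wan_interface: underlay WAN sub-interface name.
            wan_ip: address configured on *wan_interface*.
            local_loopback: first two octets of this router's loopback networks.
            remote_loopback: first two octets of the peer's loopback networks
                (used as tunnel destination).
            tunnel_prefix: first two octets of the tunnel interface addresses.
        """
        print('###################################')
        print('###################################')
        print('# config for Cisco Router %s:' % label)
        print('configure terminal')
        print('interface %s' % wan_interface)
        print('  ip address %s %s' % (wan_ip, self.__svti_network__))
        self._print_svti_crypto_policy()

        for it in range(0, self.__tunnel_number__):
            number = self.__svti_interface_loopback__ + it
            local_loopback_ip = '%s.%s.1' % (local_loopback, it)
            remote_loopback_ip = '%s.%s.1' % (remote_loopback, it)
            tunnel_ip = '%s.%s.1' % (tunnel_prefix, it)

            print('interface loopback %s' % number)
            print('  ip address %s %s' % (local_loopback_ip, self.__svti_network__))

            print('interface tunnel %s' % number)
            print('  ip address %s %s' % (tunnel_ip, self.__svti_network__))
            print('  tunnel source loopback %s' % number)
            print('  tunnel mode ipsec ipv4')
            print('  tunnel destination %s' % remote_loopback_ip)
            print('  tunnel protection ipsec profile IPSECPP')

        print('end')

    def _print_svti_unconfig(self):
        """Print the CLI that removes the SVTI configuration (identical on A and B)."""
        print('###################################')
        print('###################################')
        print('# unconfig for Cisco Router A and B:')
        print('configure terminal')

        for it in range(0, self.__tunnel_number__):
            number = self.__svti_interface_loopback__ + it
            print('no interface tunnel %s' % number)
            print('no interface loopback %s' % number)

        print('no crypto ipsec profile IPSECPP')
        print('no crypto isakmp profile ISAKMPP')
        print('no crypto keyring KEYS')
        print('no crypto isakmp policy 10')
        print('no crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac')

        print('end')

    def __scale_ikev2_config__(self, ip_lan_local_in='172.16.',
                               ip_wan='50.1.',
                               ip_lan_remote_in='60.1.',
                               interface_lan='GigabitEthernet2.',
                               interface_wan='GigabitEthernet3.',
                               vlan_lan_in=2000,
                               vlan_wan_in=3000,
                               role=1):
        """Print crypto-map based IKEv2 configuration for one router.

        Tunnel *it* gets its own proposal/policy/keyring/profile/transform set
        and crypto map, a WAN dot1q sub-interface on VLAN ``vlan_wan_in + it``
        carrying the map, a LAN sub-interface on VLAN ``vlan_lan_in + it`` and
        a host route to the peer LAN address via the peer WAN address.

        Args:
            ip_lan_local_in: first two octets (with trailing dot) of the local
                LAN networks.
            ip_wan: first two octets (with trailing dot) of the WAN networks
                shared with the peer.
            ip_lan_remote_in: first two octets (with trailing dot) of the peer
                LAN networks.
            interface_lan: LAN interface name with trailing dot; the VLAN id is
                appended to form the sub-interface name.
            interface_wan: WAN interface name with trailing dot, same scheme.
            vlan_lan_in: base VLAN id for the LAN sub-interfaces.
            vlan_wan_in: base VLAN id for the WAN sub-interfaces.
            role: 1 takes host .1 on each WAN network and peers with .2; any
                other value takes .2 and peers with .1.
        """
        print('###################################')
        print('###################################')
        print('# config for Cisco Router(role: %s):' % role)
        print('configure terminal')

        for it in range(0, self.__tunnel_number__):
            proposal = 'IKEv2Proposal%s' % it
            policy = 'IKEv2Policy%s' % it
            key = 'KEY%s' % it
            peer = 'PEER%s' % it
            profile = 'IKEv2Profile%s' % it
            transform_set = 'TS%s' % it
            crypto_map = 'CMAP%s' % it

            vlan_lan = vlan_lan_in + it
            vlan_wan = vlan_wan_in + it

            # Role decides which end of each WAN /24 this router takes.
            if role == 1:
                ip_wan_local = '%s%s.1' % (ip_wan, it)
                ip_wan_remote = '%s%s.2' % (ip_wan, it)
            else:
                ip_wan_local = '%s%s.2' % (ip_wan, it)
                ip_wan_remote = '%s%s.1' % (ip_wan, it)

            ip_lan_local = '%s%s.%s' % (ip_lan_local_in, it, 1)
            ip_lan_remote = '%s%s.%s' % (ip_lan_remote_in, it, 1)

            subinterface_lan = '%s%s' % (interface_lan, vlan_lan)
            subinterface_wan = '%s%s' % (interface_wan, vlan_wan)

            traffic_acl = 'traffic_acl_%s' % it

            print('# traffic ACL')
            print('ip access-list extended %s' % traffic_acl)
            print(' permit ip host %s any' % ip_lan_local)
            print(' permit ip host %s any' % ip_lan_remote)

            # 3DES / DH group 2 are lab-scale placeholders, not a hardened policy.
            print('# IKEv2 proposal')
            print('crypto ikev2 proposal %s' % proposal)
            print('  encryption 3des')
            print('  integrity sha512')
            print('  group 2')

            print('# IKEv2 policy')
            print('crypto ikev2 policy %s' % policy)
            print('  proposal %s' % proposal)

            print('# IKEv2 keyring')
            print('crypto ikev2 keyring %s' % key)
            print('  peer %s' % peer)
            print('    address %s' % ip_wan_remote)
            print('    pre-shared-key local %s' % self.__ikev2_psk__)
            print('    pre-shared-key remote %s' % self.__ikev2_psk__)

            print('# IKEv2 profile')
            print('crypto ikev2 profile %s' % profile)
            print('  match identity remote address %s 255.255.255.255' % ip_wan_remote)
            print('  identity local address %s' % ip_wan_local)
            print('  authentication local pre-share')
            print('  authentication remote pre-share')
            print('  keyring local %s' % key)

            print('# IPSec transform-set')
            print('crypto ipsec transform-set %s esp-aes 256 esp-sha256-hmac' % transform_set)

            print('# crypto map')
            print('crypto map %s 10 ipsec-isakmp' % crypto_map)
            print(' set peer %s' % ip_wan_remote)
            print(' set transform-set %s' % transform_set)
            print(' set ikev2-profile %s' % profile)
            print(' match address %s' % traffic_acl)

            print('# wan subinterface')
            print('interface %s' % subinterface_wan)
            print('  encapsulation dot1q %s' % vlan_wan)
            print('  ip address %s %s' % (ip_wan_local, self.__netmask__))
            print('  crypto map %s' % crypto_map)

            print('# lan subinterface')
            print('interface %s' % subinterface_lan)
            print('  encapsulation dot1q %s' % vlan_lan)
            print('  ip address %s %s' % (ip_lan_local, self.__netmask__))

            # Host route to the peer LAN address via the peer WAN address.
            print('ip route %s 255.255.255.255 %s' % (ip_lan_remote, ip_wan_remote))

        # Leave configuration mode once, after the last tunnel.  Printing 'end'
        # inside the loop left config mode after the first tunnel, so every
        # later tunnel's commands were emitted outside configuration mode.
        print('end')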
    	
    	
def printHelp():
    print '\nError running command!\n\n'
    print 'Please run it as following indication:'
    print 'COMMAND <tunnel number> [mode]\n'
    print 'For Example:'
    print '    python IPSecConfigScale.py 10 ikev2\n\n'
    
    return -1

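if __name__ == "__main__":
    # Usage: COMMAND [<tunnel number> [mode]]; defaults are 10 tunnels, ikev2.
    # A non-numeric tunnel argument raises ValueError from IPSecConfigScale.
    numargs = len(sys.argv) - 1

    if numargs == 0:
        tunnel = 10
        mode = 'ikev2'
    elif numargs == 1:
        tunnel = sys.argv[1]
        mode = 'ikev2'
    elif numargs == 2:
        tunnel = sys.argv[1]
        mode = sys.argv[2]
    else:
        printHelp()
        sys.exit(1)

    scale = IPSecConfigScale(tunnel, mode)
    scale.run()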


运行情况:


python ipsec_config_scale.py 2 svti
tunnel is 2
mode is svti
###################################
###################################
# config for Cisco Router A:
configure terminal
interface GigabitEthernet2.880
  ip address 192.168.1.1 255.255.255.0
crypto keyring KEYS
  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
crypto isakmp policy 10
 encr 3des
 hash sha256
 authentication pre-share
 group 2
 lifetime 600
crypto isakmp profile ISAKMPP
   keyring KEYS
   match identity address 0.0.0.0
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile IPSECPP
 set transform-set TS
 set isakmp-profile ISAKMPP
interface loopback 1000
  ip address 10.1.0.1 255.255.255.0
interface tunnel 1000
  ip address 80.1.0.1 255.255.255.0
  tunnel source loopback 1000
  tunnel mode ipsec ipv4
  tunnel destination 10.2.0.1
  tunnel protection ipsec profile IPSECPP
interface loopback 1001
  ip address 10.1.1.1 255.255.255.0
interface tunnel 1001
  ip address 80.1.1.1 255.255.255.0
  tunnel source loopback 1001
  tunnel mode ipsec ipv4
  tunnel destination 10.2.1.1
  tunnel protection ipsec profile IPSECPP
end
###################################
###################################
# config for Cisco Router B:
configure terminal
interface GigabitEthernet0/0/0.880
  ip address 192.168.1.2 255.255.255.0
crypto keyring KEYS
  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
crypto isakmp policy 10
 encr 3des
 hash sha256
 authentication pre-share
 group 2
 lifetime 600
crypto isakmp profile ISAKMPP
   keyring KEYS
   match identity address 0.0.0.0
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile IPSECPP
 set transform-set TS
 set isakmp-profile ISAKMPP
interface loopback 1000
  ip address 10.2.0.1 255.255.255.0
interface tunnel 1000
  ip address 80.1.0.1 255.255.255.0
  tunnel source loopback 1000
  tunnel mode ipsec ipv4
  tunnel destination 10.1.0.1
  tunnel protection ipsec profile IPSECPP
interface loopback 1001
  ip address 10.2.1.1 255.255.255.0
interface tunnel 1001
  ip address 80.1.1.1 255.255.255.0
  tunnel source loopback 1001
  tunnel mode ipsec ipv4
  tunnel destination 10.1.1.1
  tunnel protection ipsec profile IPSECPP
end
###################################
###################################
# unconfig for Cisco Router A and B:
configure terminal
no interface tunnel 1000
no interface loopback 1000
no interface tunnel 1001
no interface loopback 1001
no crypto ipsec profile IPSECPP
no crypto isakmp profile ISAKMPP
no crypto keyring KEYS
no crypto isakmp policy 10
no crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
end


