Topology (the original diagram is not included; reconstructed from the running configurations pasted at the end): PC1 (192.168.1.0/24) -- fa0/1 192.168.1.1 [ZB] fa0/0 1.1.1.1 -- fa0/0 1.1.1.2 [ISP] fa0/1 2.2.2.2 -- fa0/0 2.2.2.1 [FB] fa0/1 192.168.2.1 -- PC2 192.168.2.2
Phase 1 (IKE/ISAKMP) configuration
ZB(config)#crypto isakmp policy 1
#authentication method: pre-shared key
ZB(config-isakmp)#authentication pre-share
#encryption algorithm: 3DES
ZB(config-isakmp)#encryption 3des
#integrity (hash) algorithm: MD5
ZB(config-isakmp)#hash md5
#Diffie-Hellman group 2 (1024-bit MODP)
ZB(config-isakmp)#group 2
#lifetime of the IKE SA in seconds. This is not an idle timeout: the phase 1 SA is torn down and re-negotiated when the lifetime expires whether or not any data was sent (the IOS default is 86400)
ZB(config-isakmp)#lifetime 3600
ZB(config-isakmp)#exit
#pre-shared key "admin" for the peer 2.2.2.1; the identical key must be configured on FB for peer 1.1.1.1
ZB(config)#crypto isakmp key admin address 2.2.2.1
ZB(config)#
3DES, MD5 and DH group 2 are legacy choices that this lab (Packet Tracer, IOS 12.4 syntax) accepts. On real equipment use AES-256, SHA-256 and DH group 14 or higher, and replace "admin" with a long random pre-shared key or with certificate authentication: an attacker who learns the key and can source traffic as the peer address can bring a tunnel up into the LAN.
----------------------------------------------------------
Phase 2 (IPsec) configuration
#transform set "vpn": AH with HMAC-SHA1 for integrity plus ESP with 3DES for confidentiality; tunnel mode is the default
ZB(config)#crypto ipsec transform-set vpn ah-sha-hmac esp-3des
ZB(config)#crypto map cisco 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
#remote tunnel endpoint
ZB(config-crypto-map)#set peer 2.2.2.1
ZB(config-crypto-map)#set transform-set vpn
#crypto ACL 101 selects the traffic that is to be protected
ZB(config-crypto-map)#match address 101
ZB(config-crypto-map)#exit
#"interesting" traffic: local LAN 192.168.1.0/24 to remote LAN 192.168.2.0/24
ZB(config)#access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Two points to check here. The crypto ACL on FB must be the exact mirror image (192.168.2.0/24 to 192.168.1.0/24); if the two sides' selectors do not match, quick mode fails even though phase 1 succeeds. And because this transform set carries its integrity protection in AH only (esp-3des has no authentication of its own), the tunnel cannot cross a NAT device: AH authenticates the outer IP header that NAT rewrites. That is fine in this lab, where the ISP router does no NAT.
----------------------------------------------------------
Apply the crypto map to interface fa0/0 (the interface facing the ISP)
ZB(config)#interface fa0/0
ZB(config-if)#crypto map cisco
*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
ZB(config-if)#
The other router (FB) is configured the same way as ZB with the addresses mirrored: the pre-shared key and the crypto map peer point at 1.1.1.1, the map is applied to fa0/0 (2.2.2.1), and access-list 101 permits 192.168.2.0/24 to 192.168.1.0/24.
The ISP router only needs IP addresses on its interfaces. ZB and FB (R1 and R2 in the topology) each need one static default route towards the ISP (next hop 1.1.1.2 on ZB and 2.2.2.2 on FB, see the running configurations below) so that the two tunnel endpoints can reach each other. The ISP never learns the private 192.168.x.0 networks; it only forwards the encapsulated packets between 1.1.1.1 and 2.2.2.1.
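Configuring the second router "the same way, mirrored" is where site-to-site tunnels most often break: a key bound to the wrong peer address, a transform set that differs by one algorithm, or a crypto ACL that is not the exact reverse of the other side. The following Python script is an added example, not part of the original post and not Cisco tooling. It takes the crypto-relevant lines of the ZB and FB running configurations from this page (embedded inline; FB is derived from ZB by swapping the addresses, which is exactly how the two configurations on this page differ), checks that the two peers describe the same tunnel, and flags the legacy choices (3DES, MD5, DH group 2, the pre-shared key admin) together with the replacement to use. The parser understands only the command forms used on this page; the function names, the WEAK_* sets and the thresholds MIN_DH_GROUP and MIN_PSK_LEN are this example's assumptions, not an IOS rule.

```python
"""Audit of the two IKEv1 peer configs from this page. Added example, not part
of the original post: flags legacy algorithms and the weak pre-shared key and
checks that ZB and FB are mirror images (key/peer addresses, transform set,
crypto ACL). Parser covers only the command forms used on this page; the
"strong enough" thresholds are this example's assumption, not an IOS rule."""

ZB_CONFIG = """\
hostname ZB
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key admin address 2.2.2.1
crypto ipsec transform-set vpn ah-sha-hmac esp-3des
crypto map cisco 1 ipsec-isakmp
 set peer 2.2.2.1
 set transform-set vpn
 match address 101
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 crypto map cisco
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
# FB's config on this page is ZB's with the public and the private addresses swapped.
FB_CONFIG = (ZB_CONFIG.replace("hostname ZB", "hostname FB")
             .replace("2.2.2.1", "@").replace("1.1.1.1", "2.2.2.1").replace("@", "1.1.1.1")
             .replace("192.168.1.0", "@").replace("192.168.2.0", "192.168.1.0").replace("@", "192.168.2.0"))

WEAK_ENCR, WEAK_HASH = {"des", "3des"}, {"md5", "sha"}            # IOS "sha" is SHA-1
WEAK_XFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}
MIN_DH_GROUP, MIN_PSK_LEN = 14, 20                                # assumed local policy


def parse_ios(text):
    """Pull the fields this audit needs out of an IOS running-config."""
    cfg, section, cur_ip = {"policy": {}, "transforms": {}, "cmap": {}, "acl": []}, None, None
    for line in filter(str.strip, text.splitlines()):
        t = line.split()
        if line.startswith(" "):                                  # sub-mode line
            if section == "policy":
                cfg["policy"][t[0]] = " ".join(t[1:])
            elif section == "cmap":                               # set peer / set transform-set / match address
                cfg["cmap"][t[1] if t[0] == "set" else "acl"] = t[2]
            elif t[:2] == ["ip", "address"]:
                cur_ip = t[2]
            elif t[:2] == ["crypto", "map"]:                      # interface carrying the map = tunnel endpoint
                cfg["if_ip"] = cur_ip
            continue
        section, cur_ip, head = None, None, " ".join(t[:3])
        if t[0] == "hostname":
            cfg["name"] = t[1]
        elif head == "crypto isakmp policy":
            section = "policy"
        elif head == "crypto isakmp key":
            cfg["psk"], cfg["psk_peer"] = t[3], t[5]
        elif head == "crypto ipsec transform-set":
            cfg["transforms"][t[3]] = frozenset(t[4:])
        elif head.startswith("crypto map"):
            section = "cmap"
        elif t[0] == "access-list" and t[2] == "permit":
            cfg["acl"].append((t[1], t[4], t[5], t[6], t[7]))      # (number, src, wild, dst, wild)
    return cfg


def audit_strength(cfg):
    """Findings about legacy algorithms and the pre-shared key, each naming the replacement."""
    p, out = cfg["policy"], []
    encr, hsh, group = p.get("encr", "des"), p.get("hash", "sha"), int(p.get("group", "1"))  # IOS defaults
    if encr in WEAK_ENCR:
        out.append(f"isakmp encr {encr}: 64-bit block cipher, use aes 256")
    if hsh in WEAK_HASH:
        out.append(f"isakmp hash {hsh}: use sha256")
    if group < MIN_DH_GROUP:
        out.append(f"isakmp group {group}: use group {MIN_DH_GROUP} or higher")
    if p.get("authentication") == "pre-share" and len(cfg.get("psk", "")) < MIN_PSK_LEN:
        out.append(f"pre-shared key {cfg.get('psk')!r} is short; use a long random key")
    for name, ts in cfg["transforms"].items():
        out += [f"transform-set {name}: {x} is legacy" for x in sorted(ts & WEAK_XFORMS)]
    return out


def check_mirror(a, b):
    """Findings where the two peers do not describe the same tunnel."""
    out = []
    if a.get("psk") != b.get("psk"):
        out.append("pre-shared keys differ")
    for x, y in ((a, b), (b, a)):
        if {x.get("psk_peer"), x["cmap"].get("peer")} != {y.get("if_ip")}:
            out.append(f"{x['name']} keys/peers {x.get('psk_peer')}/{x['cmap'].get('peer')} "
                       f"but {y['name']} terminates on {y.get('if_ip')}")
    if a["transforms"].get(a["cmap"].get("transform-set")) != b["transforms"].get(b["cmap"].get("transform-set")):
        out.append("transform sets differ")
    sel_a = {e[1:] for e in a["acl"] if e[0] == a["cmap"].get("acl")}
    sel_b = {e[1:] for e in b["acl"] if e[0] == b["cmap"].get("acl")}
    if sel_a != {(d, dw, s, sw) for s, sw, d, dw in sel_b}:        # each side's ACL is the other's, reversed
        out.append("crypto ACLs are not mirror images")
    return out


if __name__ == "__main__":
    zb, fb = parse_ios(ZB_CONFIG), parse_ios(FB_CONFIG)
    for cfg in (zb, fb):
        print(cfg["name"], *audit_strength(cfg), sep="\n  ")
    print("mirror:", check_mirror(zb, fb) or "ok")
```

Run against the two configurations on this page the mirror check passes and the strength audit reports the four legacy settings plus the weak key; change one octet in FB's access-list 101 and the mirror check fails, which is the error that shows up on the router only as a quick mode that never completes.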
Then run tracert to PC2 from PC1:
PC>tracert 192.168.2.2
Tracing route to 192.168.2.2 over a maximum of 30 hops:
1 0 ms 1 ms 0 ms 192.168.1.1
2 * * * Request timed out.
3 0 ms 0 ms 0 ms 192.168.2.2
Trace complete.
PC2 is reachable. No ISP address shows up as a hop: the probes cross the ISP inside the tunnel between 1.1.1.1 and 2.2.2.1, and the ISP has no route back to 192.168.1.0/24, so nothing in the middle can answer PC1 and hop 2 simply times out. A traceroute alone does not prove that the traffic was encrypted; the SA counters below do.
Check the phase 1 SA on ZB
ZB#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
2.2.2.1         1.1.1.1         QM_IDLE           1028    0 ACTIVE

IPv6 Crypto ISAKMP SA
QM_IDLE with status ACTIVE means main mode completed and the IKE SA is ready for quick mode. A state that stays at MM_NO_STATE or MM_KEY_EXCH usually points at a policy mismatch or a wrong pre-shared key.
----------------------------------------------------------
Phase 2 (IPsec) SA check
ZB#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: cisco, local addr 1.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 2.2.2.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
    #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x19EE6B60(435055456)

     inbound esp sas:
      spi: 0x05CF1BA1(97459105)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        conn id: 2006, flow_id: FPGA:1, crypto map: cisco
        sa timing: remaining key lifetime (k/sec): (4525504/3132)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:
      spi: 0x77772C45(2004298821)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2006, flow_id: FPGA:1, crypto map: cisco
        sa timing: remaining key lifetime (k/sec): (4525504/3132)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound pcp sas:

     outbound esp sas:
      spi: 0x19EE6B60(435055456)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        conn id: 2007, flow_id: FPGA:1, crypto map: cisco
        sa timing: remaining key lifetime (k/sec): (4525504/3132)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:
      spi: 0x7D8B6D32(2106289458)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2007, flow_id: FPGA:1, crypto map: cisco
        sa timing: remaining key lifetime (k/sec): (4525504/3132)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound pcp sas:
What to look for: one ESP and one AH SA in each direction, all ACTIVE (each direction has its own SPI, and a peer only ever sees traffic tagged with the SPIs it negotiated); the current outbound SPI 0x19EE6B60 is the SPI of the outbound ESP SA; #pkts encaps and #pkts decaps are both non-zero and keep growing while traffic flows, which is the actual proof that the LAN-to-LAN packets are being encrypted rather than routed in the clear. The remaining lifetime (4525504 KB / 3132 s) counts down from the IOS IPsec SA defaults of 4608000 KB and 3600 s, after which a new quick mode exchange installs fresh SAs. The single send error is typically the first packet, dropped while IKE was still negotiating.
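Reading these two show commands by eye is fine for one tunnel; for a fleet you want the same checks in code. The Python below is an added example, not from the original post and not Cisco tooling: it parses the show crypto isakmp sa and show crypto ipsec sa output of ZB from this page (embedded inline, abridged to the lines the parser uses) and applies the checks described above: an ACTIVE QM_IDLE phase 1 SA with the configured peer, ACTIVE ESP SAs in both directions, a current outbound SPI that belongs to an outbound ESP SA, and non-zero packet counters in both directions. The parsers cover only the fields shown here, and the rules in tunnel_health are this example's assumption rather than a Cisco definition.

```python
"""Tunnel verification from IOS show output. Added example, not part of the
original post: parses 'show crypto isakmp sa' and 'show crypto ipsec sa' (the
ZB outputs from this page, inline and abridged) and applies the checks an
operator makes by eye. The health rules are this example's assumption."""
import re

ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
2.2.2.1         1.1.1.1         QM_IDLE           1028    0 ACTIVE

IPv6 Crypto ISAKMP SA
"""

IPSEC_SA = """\
interface: FastEthernet0/0
    Crypto map tag: cisco, local addr 1.1.1.1
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 2.2.2.1 port 500
    #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
    #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
    #send errors 1, #recv errors 0
     current outbound spi: 0x19EE6B60(435055456)
     inbound esp sas:
      spi: 0x05CF1BA1(97459105)
        transform: esp-3des ,
        sa timing: remaining key lifetime (k/sec): (4525504/3132)
        Status: ACTIVE
     inbound ah sas:
      spi: 0x77772C45(2004298821)
        transform: ah-sha-hmac ,
        Status: ACTIVE
     outbound esp sas:
      spi: 0x19EE6B60(435055456)
        transform: esp-3des ,
        sa timing: remaining key lifetime (k/sec): (4525504/3132)
        Status: ACTIVE
     outbound ah sas:
      spi: 0x7D8B6D32(2106289458)
        transform: ah-sha-hmac ,
        Status: ACTIVE
"""


def parse_isakmp_sa(text):
    """Rows of 'show crypto isakmp sa' as dicts; the header and banner lines do not match."""
    pat = re.compile(r"\s*(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s+\d+\s+(\S+)")
    return [{"dst": m[1], "src": m[2], "state": m[3], "conn_id": int(m[4]), "status": m[5]}
            for m in map(pat.match, text.splitlines()) if m]


def parse_ipsec_sa(text):
    """Peer, selectors, counters and per-direction SAs of one 'show crypto ipsec sa' entry."""
    sa, bucket = {"sas": {}}, None
    for s in map(str.strip, text.splitlines()):
        if m := re.match(r"Crypto map tag: (\S+), local addr (\S+)", s):
            sa["map"], sa["local_addr"] = m[1], m[2]
        elif m := re.match(r"(local|remote)\s+ident.*: \((\S+)\)", s):
            sa[m[1] + "_ident"] = m[2]
        elif m := re.match(r"current_peer (\S+) port (\d+)", s):
            sa["peer"], sa["port"] = m[1], int(m[2])
        elif s.startswith("#"):                                     # counter lines
            sa.update({k: int(v) for k, v in re.findall(r"#(pkts \w+|\w+ errors):? (\d+)", s)})
        elif m := re.match(r"current outbound spi: (0x[0-9A-Fa-f]+)", s):
            sa["outbound_spi"] = m[1]
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", s):
            bucket = sa["sas"].setdefault(f"{m[1]} {m[2]}", [])    # SAs that follow belong here
        elif m := re.match(r"spi: (0x[0-9A-Fa-f]+)", s):
            bucket.append({"spi": m[1]})
        elif m := re.match(r"transform: (\S+)", s):
            bucket[-1]["transform"] = m[1]
        elif m := re.match(r"sa timing: .*\((\d+)/(\d+)\)", s):
            bucket[-1]["kb_left"], bucket[-1]["sec_left"] = int(m[1]), int(m[2])
        elif m := re.match(r"Status: (\S+)", s):
            bucket[-1]["status"] = m[1]
    return sa


def tunnel_health(isakmp_rows, sa):
    """Problems an operator would raise; an empty list means the tunnel is up and carrying traffic."""
    problems = []
    if not any(sa["peer"] in (r["dst"], r["src"]) and r["state"] == "QM_IDLE" and r["status"] == "ACTIVE"
               for r in isakmp_rows):
        problems.append(f"no active phase 1 SA with {sa['peer']}")
    for name in ("inbound esp", "outbound esp"):
        if not any(x.get("status") == "ACTIVE" for x in sa["sas"].get(name, [])):
            problems.append(f"no active {name} SA")
    if not any(x["spi"] == sa.get("outbound_spi") for x in sa["sas"].get("outbound esp", [])):
        problems.append("current outbound SPI does not belong to an outbound ESP SA")
    if not (sa.get("pkts encaps", 0) and sa.get("pkts decaps", 0)):
        problems.append("traffic is not flowing in both directions")
    return problems


if __name__ == "__main__":
    print(tunnel_health(parse_isakmp_sa(ISAKMP_SA), parse_ipsec_sa(IPSEC_SA)) or "tunnel healthy")
```

The decaps counter is the one worth alerting on: encaps grows as soon as the local LAN sends anything, but decaps only grows when the peer's packets arrive and verify, so a tunnel with encaps rising and decaps stuck at zero is one where the other side has a mismatched transform set, ACL or key, or where the return path is being dropped.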
Divider: since files cannot be uploaded to the blog, the full running configurations are pasted below.
----------------------------------------------------------------------------------------------
ZB#sh run
Building configuration...
Current configuration : 915 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname ZB
!
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp key admin address 2.2.2.1
!
!
crypto ipsec transform-set vpn ah-sha-hmac esp-3des
!
crypto map cisco 1 ipsec-isakmp
set peer 2.2.2.1
set transform-set vpn
match address 101
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
interface FastEthernet0/0
ip address 1.1.1.1 255.255.255.0
duplex auto
speed auto
crypto map cisco
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.1.2
!
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
----------------------------------------------------------------------------------------------
ISP#sh run
Building configuration...
Current configuration : 504 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname ISP
!
!
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
interface FastEthernet0/0
ip address 1.1.1.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 2.2.2.2 255.255.255.0
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
ip classless
!
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
----------------------------------------------------------------------------------------------
FB#sh run
Building configuration...
Current configuration : 915 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname FB
!
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp key admin address 1.1.1.1
!
!
crypto ipsec transform-set vpn ah-sha-hmac esp-3des
!
crypto map cisco 1 ipsec-isakmp
set peer 1.1.1.1
set transform-set vpn
match address 101
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
interface FastEthernet0/0
ip address 2.2.2.1 255.255.255.0
duplex auto
speed auto
crypto map cisco
!
interface FastEthernet0/1
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 2.2.2.2
!
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
----------------------------------------------------------------------------------------------