Site-site VPNipsec实验报告
版权声明:原创作品,允许转载,转载时请务必以超链接形式标明文章 原始出处 、作者信息和本声明。否则将追究法律责任。http://dongwei.blog.51cto.com/319848/62969 |
Site-site VPNipsec实验报告
1.实验拓扑:
 2.实验目的:2.1按要求正确连接路由器
2.2GZ办事处需要用VPN方式连入BJ总部
3.操作详细步骤
Setp 1. 按要求配置相应的接口 IP
路由器BJ配置如下
Router>en
Router#conf t
Router(config)#ho BJ
BJ(config)#int f0/0
BJ(config-if)#ip add
BJ(config-if)#no shut
BJ(config-if)#exit
BJ(config)#int s1/0
BJ(config-if)#ip add 202.113.105.1 255.255.255.0
BJ(config-if)#no shut
BJ(config-if)#
*Mar 1 00:05:02.587: %LINK-3-UPDOWN: Interface Serial1/0, changed state to up
*Mar 1 00:05:03.587: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0,
changed state to up
BJ(config-if)#exit
路由器GZ配置如下:
Router>en
Router#conf t
Router(config)#ho GZ
GZ(config)#int f0/0
GZ(config-if)#ip add
GZ(config-if)#no shut
GZ(config-if)#exit
GZ(config)#int s1/0
GZ(config-if)#ip add 202.113.105.2 255.255.255.0
GZ(config-if)#no shut
GZ(config-if)#exit
GZ(config)#
PC1配置如下:
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ho pc2
pc2(config)#no ip routing
pc1(config)#int f0/0
pc1(config-if)#ip add
pc1(config-if)#no shut
pc1(config)#ip default-gateway
pc1(config)#exit
pc1#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to
U.U.U
Success rate is 0 percent (0/5)
PC2配置如下:
Router(config)#ho pc2
pc2(config)#no ip routing
pc2(config)#int f0/0
pc2(config-if)#ip add
pc2(config-if)#no shut
pc2(config-if)# exit
pc2(config)#ip default-gateway
pc2(config)#exit
pc2#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to
U.U.U
Success rate is 0 percent (0/5)
配置默认路由是全网互通
路由器BJ配置如下
BJ(config)#ip route
BJ(config)#exit
BJ#show ip rou
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is
C 202.113.105.0/24 is directly connected, Serial1/0
C
S*
路由器GZ配置如下:
GZ(config)#ip route
验证:
Pc1#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 124/198/340 ms
pc2#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 124/198/340 ms
Step 2 组建VPN
配置IKE协商
路由器BJ配置如下
BJ(config)#crypto isakmp policy 1 // 建立IKE协商策略
BJ(config-isakmp)#hash md5 // 建立密钥验证所用的算法
BJ(config-isakmp)#authentication pre-share //设置路由器要使用预先共享的密钥
BJ(config-isakmp)#crypto isakmp key benet address 202.113.105.2 //设置共享密钥和对端地址
路由器GZ配置如下:
GZ(config)#crypto isakmp policy 1 / 建立IKE协商策略
GZ(config-isakmp)#hash md5
GZ(config-isakmp)#authentication pre-share
GZ(config-isakmp)#crypto isakmp key benet address 202.113.105.1
配置Ipsec 相关参数:
路由器BJ配置如下
//配置IPSec的传输模式
BJ(config)#crypto ipsec transform-set cisco ah-md5-hmac esp-des
BJ(cfg-crypto-trans)#exit
//指定Crypto访问列表
BJ(config)#$ 101 permit i
路由器GZ配置如下
GZ(config)#crypto ipsec transform-set cisco ah-md5-hmac esp-des
GZ(cfg-crypto-trans)#exit
GZ(config)#$ 101 permit i
配置端口的应用:
路由器BJ配置如下
BJ(config)#crypto map benetmap 1 ipsec-isakmp //创建Crypto Map
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
BJ(config-crypto-map)#set peer 202.113.105.2 //指定VPN对端的IP地址
BJ(config-crypto-map)#set transform-set cisco //指定Crypto Map所使用的传输模式
BJ(config-crypto-map)#match address 101 // 指定Crypto Map使用的访问控制列表
BJ(config-crypto-map)#exit
BJ(config)# int s1/0 // 应用Crypto Map到端口
BJ(config-if)#crypto map benetmap
BJ(config-if)#
*Mar 1 00:17:46.251: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
BJ(config-if)#exit
BJ(config)#exit
BJ#
*Mar 1 00:18:01.571: %SYS-5-CONFIG_I: Configured from console by console
*Mar 1 00:18:14.755: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC p
acket.
(ip) vrf/dest_addr= /
Pc1#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to
.....
Success rate is 0 percent (0/5)
pc2#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to
.....
Success rate is 0 percent (0/5)
路由器GZ配置如下
GZ(config)#crypto map benetmap 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
GZ(config-crypto-map)#set peer 202.113.105.1
GZ(config-crypto-map)#set transform-set cisco
GZ(config-crypto-map)#match address 101
GZ(config-crypto-map)#exit
GZ(config)#int s1/0
GZ(config-if)#crypto map benetmap
GZ(config-if)#exit
*Mar 1 00:19:47.523: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
GZ(config)#exit
Pc1#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 200/308/448 ms
pc2#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/348/876 ms
Setp3.检查VPN配置
显示所有尝试协商的策略以及最后的默认策略设置
BJ#show crypto isakmp policy
Global IKE policy
Protection suite of priority 1
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
显示在路由器上设置的transform-set
BJ#show crypto ipsec transform-set
Transform set cisco: { ah-md5-hmac }
will negotiate = { Tunnel, },
{ esp-des }
will negotiate = { Tunnel, },
显示当前安全联盟使用的设置
BJ#show crypto ipsec sa
interface: Serial1/0
Crypto map tag: benetmap, local addr 202.113.105.1
protected vrf: (none)
local ident (addr/mask/prot/port): (
remote ident (addr/mask/prot/port): (
current_peer 202.113.105.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
#pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 8, #recv errors 0
local crypto endpt.: 202.113.105.1, remote crypto endpt.: 202.113.105.2
path mtu 1500, ip mtu 1500
current outbound spi: 0x812173DD(2166453213)
inbound esp sas:
spi: 0xC
transform: esp-des ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: benetmap
sa timing: remaining key lifetime (k/sec): (4546831/3474)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
spi: 0xD
transform: ah-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: benetmap
sa timing: remaining key lifetime (k/sec): (4546831/3472)
replay detection support: Y
Status: ACTIVE
inbound pcp sas:
outbound esp sas:
spi: 0x812173DD(2166453213)
transform: esp-des ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: benetmap
sa timing: remaining key lifetime (k/sec): (4546831/3472)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
spi: 0xE3081833(3808958515)
transform: ah-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: benetmap
sa timing: remaining key lifetime (k/sec): (4546831/3471)
replay detection support: Y
Status: ACTIVE
outbound pcp sas:
显示所有配置在路由器上的crypto map
BJ#show crypto map
Crypto Map "benetmap" 1 ipsec-isakmp
Peer = 202.113.105.2
Extended IP access list 101
access-list 101 permit i
255
Current peer: 202.113.105.2
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
cisco,
}
Interfaces using crypto map benetmap:
Serial1/0
BJ#show crypto isakmp sa
dst src state conn-id slot status
202.113.105.2 202.113.105.1 QM_IDLE 1 0 ACTIVE
试验总结:
IPSec VPN的配置:
启动IKE:
Router(config)#crypto isakmp enable
建立IKE协商策略:
Router(config)#crypto isakmp policy priority
*priority:取值范围1~1000,数值越小,优先级越高
配置IKE协商策略:
Router(config-isakmp)#authentication pre-share //使用预定义密钥
Router(config-isakmp)#encryption {des | 3des} //加密算法
Router(config-isakmp)#hash {md5 | sha1} //认证算法
Router(config-isakmp)#lifetime seconds //SA活动时间
设置共享密钥和对端地址:
Router(config)#crypto isakmp key keystring address peer-address
*keystring:密钥;peer-address:对端IP
设置传输模式集:
Router(config)#crypto ipsec transform-set transform-set-name transform1 [transform 2 [transform3]]
*transform:定义了使用AH还是ESP协议,以及相应协议所用的算法
配置保护访问控制列表:
Router(config)#access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard
*用来定义哪些报文需要经过IPSec加密后发送,哪些报文直接发送
创建端口Crypto Maps:
Router(config)#crypto map map-name seq-num ipsec-isakmp
*seq-num:Map优先级,取值范围1~65535,值越小,优先级越高
配置Crypto Maps:
Router(config-crypto-map)#match address access-list-number
Router(config-crypto-map)#set peer ip_address //对端IP地址
Router(config-crypto-map)#set transform-set name //传输模式的名称
应用Crypto Maps到端口:
Router(config-if)#crypto map map-name
检查IPSec配置:
查看IKE策略:
Router#show crypto isakmp policy
查看IPSec策略:
Router#show crypto ipsec transform-set
查看SA信息:
Router#show crypto ipsec sa
查看加密映射:
Router#show crypto map 本文出自 “Dongwei→工作室” 博客,请务必保留此出处http://dongwei.blog.51cto.com/319848/62969 本文出自 51CTO.COM技术博客 |