Configuring an L2L IPsec VPN on Cisco Routers: A Worked Example

Author: 银凯的博客  Source: collected by IT165  Published: 2016-06-20 22:16:14

Example 1: Implementing an L2L IPsec VPN on Cisco routers (from 明教教主)

Topology diagram: [figure]

Description:

Communication endpoints: 1.1.1.1 on PC1 and 2.2.2.2 on Site2

Encryption endpoints: 202.100.1.1 on Site1 and 61.128.1.1 on Site2

Requirement: the communication endpoints must communicate securely over an IPsec VPN

 

PC1:

Basic configuration:

en
config t
no ip domain-lookup
line vty 0 15
logging synchronous
exec-timeout 0 0
password cisco
exit

Interface configuration:

int f0/0
ip add 10.1.1.10 255.255.255.0
no shut
int lo 0
ip add 1.1.1.1 255.255.255.0
end

Routing configuration:

config t
ip route 2.2.2.0 255.255.255.0 10.1.1.1 //Only a route to the Site2 communication endpoint is needed: point the route for the remote communication endpoint at the inside interface of the local encryption device.

 

Site1:

Basic configuration:

en
config t
no ip domain-lookup
line vty 0 15
logging synchronous
exec-timeout 0 0
password cisco
exit

Interface configuration:

int f0/0
ip add 10.1.1.1 255.255.255.0
no shut
int f1/0
ip add 202.100.1.1 255.255.255.0
no shut
end
ping 10.1.1.10

Routing configuration:

conf t
ip route 1.1.1.0 255.255.255.0 10.1.1.10 //route to the local communication endpoint
ip route 61.128.1.1 255.255.255.255 202.100.1.10 //route to the remote encryption endpoint
ip route 2.2.2.0 255.255.255.0 202.100.1.10 //route to the remote communication endpoint. Without this entry the router simply drops packets bound for the remote communication endpoint. (1) When a packet from PC1 arrives on Site1's inside interface, the router first looks up the routing table using the source and destination addresses in the IP header (this is the route it finds). (2) The lookup succeeds and the router attempts to send the packet out the outside interface. (3) Because a crypto map is applied to that outside interface, the IP header is checked against the map's interesting-traffic ACL. (4) A match triggers encryption. (5) After ESP encapsulation the packet is handed back to the router for a second routing lookup. (6) It now matches the route to the remote encryption endpoint and is sent out the outside interface; the ESP-encapsulated packet no longer matches the map's ACL, so it is passed through and forwarded out the outside interface. As shown in the figure below:

[figure: packet flow through Site1]
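The six-step flow above, modelled as an added Python example (not part of the original article): a longest-prefix route lookup, Cisco wildcard-mask ACL matching, and the second lookup after ESP encapsulation. The route table and ACL are copied from the Site1 configuration; the function and variable names are the example's own.

```python
import ipaddress

# Site1's forwarding state, constructed from the article's configuration.
ROUTES = {  # prefix -> (next hop, egress interface)
    "1.1.1.0/24": ("10.1.1.10", "f0/0"),
    "61.128.1.1/32": ("202.100.1.10", "f1/0"),
    "2.2.2.0/24": ("202.100.1.10", "f1/0"),
}
# ACL "vpn": permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 (wildcard masks)
ACL_VPN = [("1.1.1.0", "0.0.0.255", "2.2.2.0", "0.0.0.255")]
CRYPTO_MAP_IFACE = "f1/0"  # crypto map cry-map is applied to f1/0
LOCAL, PEER = "202.100.1.1", "61.128.1.1"  # the two encryption endpoints

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care

def acl_permits(acl, src, dst):
    return any(wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
               for s, sw, d, dw in acl)

def lookup(routes, dst):
    """Longest-prefix match; None means the router has no route and drops."""
    ip, best = ipaddress.IPv4Address(dst), None
    for prefix, hop in routes.items():
        net = ipaddress.IPv4Network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, hop)
    return best[1] if best else None

def forward(routes, src, dst):
    """Walk one packet through steps (1)-(6); returns a list of trace strings."""
    trace, hop = [], lookup(routes, dst)                       # step 1
    if hop is None:
        return trace + [f"no route to {dst}: dropped"]
    nh, iface = hop
    trace.append(f"route {dst} via {nh} out {iface}")          # step 2
    if iface == CRYPTO_MAP_IFACE and acl_permits(ACL_VPN, src, dst):  # step 3
        trace.append(f"matches ACL vpn: encrypt, ESP {LOCAL} -> {PEER}")  # step 4
        src, dst = LOCAL, PEER                                 # step 5: outer header
        hop = lookup(routes, dst)                              # second lookup
        if hop is None:
            return trace + [f"no route to peer {dst}: dropped"]
        nh, iface = hop
        trace.append(f"route {dst} via {nh} out {iface}")
    verdict = "matches" if acl_permits(ACL_VPN, src, dst) else "does not match"
    trace.append(f"ACL vpn {verdict}: {src} -> {dst} sent out {iface}")  # step 6
    return trace
```

Deleting the 2.2.2.0/24 entry from ROUTES reproduces the drop the article describes; deleting the /32 to the peer drops the packet after encryption instead.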

 

Configuring the L2L IPsec VPN:

Phase 1, IKE (ISAKMP) SA:

Enable ISAKMP:

Site1(config)#crypto isakmp enable //optional on routers; enabled by default

Configure the ISAKMP SA:

Site1(config)#crypto isakmp policy 10 //exiting here without further commands inherits the default settings
Site1(config-isakmp)#encryption 3des //encryption algorithm
Site1(config-isakmp)#hash md5 //hash algorithm
Site1(config-isakmp)#authentication pre-share //authentication method
Site1(config-isakmp)#group 2 //Diffie-Hellman group 2
Site1(config-isakmp)#exit

Specify the remote encryption endpoint and the pre-shared key used for authentication:

Site1(config)#crypto isakmp key 0 L2Lkey address 61.128.1.1

Phase 2, IPsec SA:

Configure the interesting traffic:

Site1(config)#ip access-list extended vpn
Site1(config-ext-nacl)#permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
Site1(config-ext-nacl)#exit

Configure the IPsec policy:

Site1(config)#crypto ipsec transform-set Trans esp-des esp-md5-hmac //this sets the encryption and authentication algorithms actually applied to the interesting traffic
Site1(cfg-crypto-trans)#exit

Configure the crypto map:

Site1(config)#crypto map cry-map 10 ipsec-isakmp //an interface can apply only one map; a map can contain several sequence numbers, each representing one VPN
Site1(config-crypto-map)#set peer 61.128.1.1 //who to build the VPN with
Site1(config-crypto-map)#match address vpn //which traffic to match
Site1(config-crypto-map)#set transform-set Trans //which transform set to use
Site1(config-crypto-map)#exit

Apply the crypto map to the interface:

Site1(config)#int f1/0
Site1(config-if)#crypto map cry-map
Site1(config-if)#end

 

Internet:

Basic configuration:

en
config t
no ip domain-lookup
line vty 0 15
logging synchronous
exec-timeout 0 0
password cisco
exit

Interface configuration:

int f1/0
ip add 202.100.1.10 255.255.255.0
no shut
int f0/0
ip add 61.128.1.10 255.255.255.0
no shut
end
ping 202.100.1.1

 

Site2:

Basic configuration:

en
config t
no ip domain-lookup
line vty 0 15
logging synchronous
exec-timeout 0 0
password cisco
exit

Interface configuration:

int f0/0
ip add 61.128.1.1 255.255.255.0
no shut
int lo 0
ip add 2.2.2.2 255.255.255.0
no shut
exit
do ping 61.128.1.10

Routing configuration:

ip route 202.100.1.1 255.255.255.255 61.128.1.10 //remote encryption endpoint
ip route 1.1.1.0 255.255.255.0 61.128.1.10 //remote communication endpoint
do ping 202.100.1.1

 

Configuring the L2L IPsec VPN:

Phase 1, IKE (ISAKMP) SA:

Site2(config)#crypto isakmp enable
Site2(config)#crypto isakmp policy 10
Site2(config-isakmp)#encryption 3des
Site2(config-isakmp)#hash md5
Site2(config-isakmp)#authentication pre-share
Site2(config-isakmp)#group 2
Site2(config-isakmp)#exit

Site2(config)#crypto isakmp key 0 L2Lkey address 202.100.1.1

Phase 2, IPsec SA:

Configure the interesting traffic:

Site2(config)#ip access-list extended vpn
Site2(config-ext-nacl)#permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
Site2(config-ext-nacl)#exit

Configure the IPsec policy:

Site2(config)#crypto ipsec transform-set cisco esp-des esp-md5-hmac
Site2(cfg-crypto-trans)#exit

Configure the crypto map:

Site2(config)#crypto map cry-map 10 ipsec-isakmp
Site2(config-crypto-map)#set peer 202.100.1.1
Site2(config-crypto-map)#match address vpn
Site2(config-crypto-map)#set transform-set cisco
Site2(config-crypto-map)#exit

Apply the crypto map to the interface:

Site2(config)#int f0/0
Site2(config-if)#crypto map cry-map
Site2(config-if)#exit

 

Verification:

PC1#ping 2.2.2.2 source 1.1.1.1 repeat 100

Packet capture screenshot: [figure]

View the ISAKMP SA:

Site1#show crypto isakmp sa

[figure: show crypto isakmp sa output]

View the IPsec SA:

Site1#show crypto ipsec sa

[figure: show crypto ipsec sa output, two screenshots]

Check the active SAs:

Site1#show crypto engine connections active

[figure: show crypto engine connections active output]

As the output shows, a working IPsec tunnel consists of one bidirectional IKE SA (ISAKMP SA) and two unidirectional IPsec SAs, one used for encryption and one for decryption.

To check whether an IPsec VPN is working, the show crypto engine connections active command is normally enough: if it shows three SAs and the encrypt and decrypt packet counts match the number of successful pings, no further verification is usually needed.
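An added Python example (not from the original article) that applies this rule of thumb to the command output: it parses the SA table by its header columns and checks for one IKE SA, two IPsec SAs that encrypt and decrypt on separate entries, and counters equal to the pings sent. The sample output is constructed to resemble the column layout of recent IOS releases; that layout is an assumption, which is why the parser keys on header names rather than fixed positions.

```python
# Constructed sample of "show crypto engine connections active" after the
# 100-packet ping above. Column layout is assumed, not copied from a device.
SAMPLE = """\
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
    1  IPsec   DES+MD5                   0      100      100 202.100.1.1
    2  IPsec   DES+MD5                 100        0        0 202.100.1.1
 1001  IKE     MD5+3DES                  0        0        0 202.100.1.1
"""

def parse_connections(text):
    """Return one dict per SA row, keyed by the header's column names."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = next(l for l in lines if l.split()[0] == "ID")
    cols = header.split()
    rows = []
    for line in lines[lines.index(header) + 1:]:
        fields = line.split()
        if len(fields) != len(cols):
            continue                      # not an SA row
        row = dict(zip(cols, fields))
        row["Encrypt"], row["Decrypt"] = int(row["Encrypt"]), int(row["Decrypt"])
        rows.append(row)
    return rows

def check_tunnel(rows, pings_sent):
    """Article's rule of thumb: 1 IKE SA, 2 IPsec SAs (one encrypting, one
    decrypting), and both counters equal to the number of successful pings."""
    ike = [r for r in rows if r["Type"] == "IKE"]
    ipsec = [r for r in rows if r["Type"] == "IPsec"]
    problems = []
    if len(ike) != 1:
        problems.append(f"expected 1 IKE SA, found {len(ike)}")
    if len(ipsec) != 2:
        problems.append(f"expected 2 IPsec SAs, found {len(ipsec)}")
    enc_ids = {r["ID"] for r in ipsec if r["Encrypt"]}
    dec_ids = {r["ID"] for r in ipsec if r["Decrypt"]}
    if enc_ids & dec_ids:
        problems.append("an IPsec SA both encrypts and decrypts")
    enc = sum(r["Encrypt"] for r in ipsec)
    dec = sum(r["Decrypt"] for r in ipsec)
    if enc != pings_sent or dec != pings_sent:
        problems.append(f"counters encrypt={enc} decrypt={dec}, pings={pings_sent}")
    return problems                       # empty list: tunnel looks healthy
```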

 

View crypto sessions:

Site1#show crypto session

[figure: show crypto session output]

As shown: the crypto interface is f1/0 with status ACTIVE; there is one IKE SA, with the local and peer IP addresses and port (500/UDP); and two IPsec SAs with status ACTIVE, together with the interesting traffic they match.

Clearing SAs:

Clear the IKE/ISAKMP SA:

Site1#clear crypto isakmp

Clear the IPsec SA:

Site1#clear crypto sa

Check again:

[figure: SA output after clearing]
