1.Router-to-Router LAN-toLAN ***
1.1拓撲
1.2配置
1.基本連通性路由配置:
R5(config)#int f0/0
R5(config-if)#ip add 15.15.15.5 255.255.255.0
R5(config-if)#no sh
R5(config-if)#ex
R5(config)#ip route 0.0.0.0 0.0.0.0 15.15.15.1
R5(config)#int lo0
R5(config-if)#ip add 5.5.5.5 255.255.255.0
R5(config-if)#
R1(config)#int f0/0
R1(config-if)#ip add 15.15.15.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#int f1/0
R1(config-if)#ip add 16.16.16.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#ex
R1(config)#ip route 0.0.0.0 0.0.0.0 16.16.16.6
R1(config)#ip route 5.5.5.5 255.255.255.255 15.15.15.5
R1(config)#
R6(config)#int f1/0
R6(config-if)#ip add 16.16.16.6 255.255.255.0
R6(config-if)#no sh
R6(config-if)#int f0/0
R6(config-if)#ip add 26.26.26.6 255.255.255.0
R6(config-if)#no sh
R2(config)#int f0/0
R2(config-if)#ip add 26.26.26.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#int f1/0
R2(config-if)#ip add 23.23.23.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#ex
R2(config)#ip route 0.0.0.0 0.0.0.0 26.26.26.6
R2(config)#
R3(config)#int f1/0
R3(config-if)#ip add 23.23.23.3 255.255.255.0
R3(config-if)#no sh
R3(config-if)#ex
R3(config)#ip route 0.0.0.0 0.0.0.0 23.23.23.2
R3(config)#
2.配置LAN-toLAN ***
2.1在R1上配置IKE(ISAKMP)策略:
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#hash sha
R1(config-isakmp)#group 2
R1(config-isakmp)#ex
2.2在R1上定義認證標識:
R1(config)#crypto isakmp key 0 cisco123 address 26.26.26.2
2.3在R1上配置IPSec transform-set:
R1(config)#crypto ipsec transform-set myset esp-3des esp-sha-hmac
R1(cfg-crypto-trans)#mode ?
transport transport (payload encapsulation) mode
tunnel tunnel (datagram encapsulation) mode
R1(cfg-crypto-trans)#mode tunnel
R1(cfg-crypto-trans)#ex
R1(config)#
2.4在R1上定義感興趣流量:
R1(config)#access-list 100 permit ip 15.15.15.0 0.0.0.255 23.23.23.0 0.0.0.255
R1(config)#
2.5在R1上創建crypto map:
R1(config)#crypto map l2l 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#set peer 26.26.26.2
R1(config-crypto-map)#set transform-set myset
R1(config-crypto-map)#match address ?
<100-199> IP access-list number
<2000-2699> IP access-list number (expanded range)
WORD Access-list name
R1(config-crypto-map)#match address 100
R1(config-crypto-map)#ex
2.6在R1上將crypto map 應用於外部接口:
R1(config)#int f1/0
R1(config-if)#crypto map l2l
R1(config-if)#
*Mar 1 00:30:38.199: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#ex
3.使用同樣的方式配置R2的LAN-to-LAN ***
R2(config)#crypto isakmp policy 1
R2(config-isakmp)#encryption 3des
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#hash sh
R2(config-isakmp)#group 2
R2(config-isakmp)#ex
R2(config)#crypto isakmp key 0 cisco123 address 16.16.16.1
R2(config)#crypto ipsec transform-set myset esp-3des esp-sha-hmac
R2(cfg-crypto-trans)#ex
R2(config)#access-list 100 permit ip 23.23.23.0 0.0.0.255 15.15.15.0 0.0.0.255
R2(config)#crypto map l2l 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R2(config-crypto-map)#set peer 16.16.16.1
R2(config-crypto-map)#set transform-set myset
R2(config-crypto-map)#match address 100
R2(config-crypto-map)#ex
R2(config)#int f0/0
R2(config-if)#crypto map l2l
R2(config-if)#
*Mar 1 00:46:37.707: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R2(config-if)#
1.3驗證
1.查看IKE(ISAKMP)策略:
R1#show crypto isakmp policy
Global IKE policy
Protection suite of priority 1
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
R1#
2.查看Phase One 時的認證密碼:
R1#show crypto isakmp key
Keyring Hostname/Address Preshared Key
default 26.26.26.2 cisco123
3.查看IKE SA(ISAKMP SA):
R1#show crypto isakmp sa
dst src state conn-id slot status
R1#
說明:雖然R1與R2之間已經配置足夠的***命令,但IKE SA仍然沒有建立,因爲在滅有用戶流量的傳輸來初始化的情況下,IKE SA通常是無法自動建立的。
4.查看R1上的IKE SA的peer:
R1#show crypto isakmp peers
R1#
說明:可以看見目前沒有任何IKE SA peer。
5.查看R1上的IPSec Transform:
R1#show crypto ipsec transform-set
Transform set myset: { esp-3des esp-sha-hmac }
will negotiate = { Tunnel, },
R1#
說明:IPSec transform顯示了數據封裝使用esp加3des加密,並且使用esp結合sha做hash運算,默認沒有指定IPSec mode,默認的mode爲tunnel.
6.查看r1上的IPSec SA:
R1#show crypto ipsec sa
interface: FastEthernet1/0
Crypto map tag: l2l, local addr 16.16.16.1
protected vrf: (none)
local ident (addr/mask/prot/port): (15.15.15.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (23.23.23.0/255.255.255.0/0/0)
current_peer 26.26.26.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 16.16.16.1, remote crypto endpt.: 26.26.26.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
R1#
說明:可以看見當前R1上IPsec SA的信息,但目前的SA爲非活動狀態,並且SA顯示了正確的數據信息,即從本地15.15.15.0/24發往23.23.23.0/24的。
7.查看R1上的IPSec SA 的lifetime:
R1#show crypto ipsec security-association
Security association lifetime: 4608000 kilobytes/3600 seconds
R1#
8.查看R1上的crypto map:
R1#show crypto map
Crypto Map "l2l" 1 ipsec-isakmp
Peer = 26.26.26.2
Extended IP access list 100
access-list 100 permit ip 15.15.15.0 0.0.0.255 23.23.23.0 0.0.0.255
Current peer: 26.26.26.2
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
myset,
}
Interfaces using crypto map l2l:
FastEthernet1/0
R1#
測試***:
9.從R5向R3發送流量:
R5#ping 23.23.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
別桑心,等一會再試試。
R5#ping 23.23.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 72/117/156 ms
R5#
10.再次查看R1上的IKE SA的peer:
R1#show crypto isakmp peers
Peer: 26.26.26.2 Port: 500 Local: 16.16.16.1
Phase1 id: 26.26.26.2
R1#
11.查看R1上的IKE SA(ISAKMP SA):
R1#show crypto isakmp sa
dst src state conn-id slot status
26.26.26.2 16.16.16.1 QM_IDLE 1 0 ACTIVE
R1#
12.再次查看R1上的IPSec SA:
R1#show crypto ipsec sa
interface: FastEthernet1/0
Crypto map tag: l2l, local addr 16.16.16.1
protected vrf: (none)
local ident (addr/mask/prot/port): (15.15.15.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (23.23.23.0/255.255.255.0/0/0)
current_peer 26.26.26.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 4, #recv errors 0
local crypto endpt.: 16.16.16.1, remote crypto endpt.: 26.26.26.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
current outbound spi: 0x939BA21B(2476450331)
inbound esp sas:
spi: 0x9C6517EC(2623870956)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: l2l
sa timing: remaining key lifetime (k/sec): (4409239/3319)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x939BA21B(2476450331)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: l2l
sa timing: remaining key lifetime (k/sec): (4409239/3317)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R1#
13.查看R5向R3發送數據包的路徑走向:
R5#traceroute 23.23.23.3
Type escape sequence to abort.
Tracing the route to 23.23.23.3
1 15.15.15.1 76 msec 40 msec 24 msec
2 * * *
3 23.23.23.3 92 msec * 140 msec
R5#
說明:可以看出中間只有一跳就到達了目的地,說明中間的“多跳”已經被隧道取代爲一跳了。
調試***中感興趣的流量
1.在R1上將ACL定義的感興趣的流量改爲任意流量,即any:
R1(config)#no access-list 100
R1(config)#access-list 100 permit ip any any
2.查看R1上的crypto map:
R1(config)#do show crypto map
Crypto Map "l2l" 1 ipsec-isakmp
Peer = 26.26.26.2
Extended IP access list 100
access-list 100 permit ip any any
Current peer: 26.26.26.2
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
myset,
}
Interfaces using crypto map l2l:
FastEthernet1/0
R1(config)#
說明:顯示了被IPSec保護的流量爲ACL100中的流量,即any。
3.查看R1上的IPSec SA:
R1(config)#do show crypto ipsec sa
interface: FastEthernet1/0
Crypto map tag: l2l, local addr 16.16.16.1
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 26.26.26.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 16.16.16.1, remote crypto endpt.: 26.26.26.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
R1(config)#
4.從R5向R3發送流量:
R5#ping 23.23.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5#
說明:這次R5向R3發送流量沒能激活IKE SA,所以需要將感興趣流量ACL中的any替換爲具體網段,並且源和目的都不能使用any來表示。
5.修改感興趣的流量的ACL:
R1(config)#no access-list 100
R1(config)#access-list 100 permit ip 15.15.15.0 0.0.0.255 23.23.23.0 0.0.0.255
6.再次從R5向R3發送流量:
R5#ping 23.23.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 36/99/132 ms
R5#
測試NAT對LAN-to-LAN ***的影響:
1.在R2上配置NAT:
R2(config)#int f0/0
R2(config-if)#ip nat outside
*Mar 1 02:50:43.095: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
R2(config-if)#exit
R2(config)#int f1/0
R2(config-if)#ip nat inside
R2(config-if)#ex
R2(config)#access-list 1 permit any
R2(config)#ip nat inside source list 1 interface f0/0 overload
2.從R3向R5發送流量:
R3#ping 15.15.15.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.5, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R3#
說明:和預期一樣,IPSec流量是不能穿越NAT的。
3.查看NAT轉換信息:
R2(config)#do show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 26.26.26.2:1 23.23.23.3:1 15.15.15.5:1 15.15.15.5:1
R2(config)#
說明:轉換表顯示剛纔的流量被轉換,但轉換後的流量不會被IPSec認同了。
4.刪除R2上的NAT:
R2(config)#int f1/0
R2(config-if)#no ip nat inside
R2(config-if)#int f0/0
R2(config-if)#no ip nat outside
R2(config-if)#ex
5.再次從R3向R5發送流量,成功了:
R3#ping 15.15.15.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/92/172 ms
R3#
6.剛剛發現了一個很現實對我來說也很麻煩的問題是:
假如一定要在R2上做NAT,同時將23.23.23.0/24發往15.15.15.0/24的流量不被NAT轉換,即保證***正常工作。
6.1我接着在R2上做過一下配置:
R2(config)#int f1/0
R2(config-if)#ip nat inside
R2(config-if)#int f0/0
R2(config-if)#ip nat outside
R2(config-if)#ex
R2(config)#access-list 1 deny 23.23.23.0 0.0.0.255
R2(config)#access-list 1 permit any
R2(config)#ip nat inside source list 1 interface f0/0 overload
R2(config)#
R2(config)#^Z
R2#clear ip nat translation *
R2#
R2#show ip nat translations
R2#
6.2再次從R3向R5發送流量:
R3#ping 15.15.15.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.5, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R3#ping 15.15.15.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.5, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R3#
這個NAT結果還是很糾結,請求高手指點迷津。