LAN to LAN IPSEC *** 的配置報告
這次實驗報告以配置和查看現象爲主,原理部分後續會在原理篇中,敬請關注。
【實驗拓撲】
【實驗要求】
1. 虛擬PC1 所連接的內網(192.168.12.0)通過 IPSEC-*** 方式訪問 R3 所連接的內網(192.168.23.0);
2.在第一步驟的基礎上,實現 R1 所連接的內網(192.168.12.0)和 R3 所連接的內網(192.168.23.0)能通過 NAT 轉換訪問外網,而 R1 所連接的內網(192.168.12.0)仍然通過 IPSEC-*** 方式訪問 R3 所連接的內網(192.168.23.0)。
【實驗配置】
要求1配置:
1)PC1上配置ip地址和網關。
2)R1上的主要配置:
crypto isakmp policy 10 先定義IKE策略集
hash md5 定義散列算法
authentication pre-share 定義認證算法
encryption des 定義加密方式
crypto isakmp key speedfull address 23.23.23.3 指定協商密鑰和對等體ip
crypto ipsec transform-set sf esp-des esp-md5-hmac 再定義ipsec策略(esp爲封裝類型)
crypto map sf 10 ipsec-isakmp
match address 120 定義需要加密的數據流
set peer 23.23.23.3
set transform-set sf
access-list 120 permit ip 192.168.12.0 0.0.0.255 192.168.23.0 0.0.0.255
int s1/0
crypto map sf (將加密圖應用到接口)
hash md5 定義散列算法
authentication pre-share 定義認證算法
encryption des 定義加密方式
crypto isakmp key speedfull address 23.23.23.3 指定協商密鑰和對等體ip
crypto ipsec transform-set sf esp-des esp-md5-hmac 再定義ipsec策略(esp爲封裝類型)
crypto map sf 10 ipsec-isakmp
match address 120 定義需要加密的數據流
set peer 23.23.23.3
set transform-set sf
access-list 120 permit ip 192.168.12.0 0.0.0.255 192.168.23.0 0.0.0.255
int s1/0
crypto map sf (將加密圖應用到接口)
R1上還要配置一條默認路由,ip route 0.0.0.0 0.0.0.0 s1/0 使得能與外網連通。
3)同理R3上的配置類似。
幾個查看命令可以看你配置的是否正確:
*********isakmp相關內容********
R1#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
R1#show crypto isakmp peers
Peer: 23.23.23.3 Port: 500 Local: 12.12.12.1
Phase1 id: 23.23.23.3
R1#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
R1#show crypto isakmp sa
dst src state conn-id slot status
12.12.12.1 23.23.23.3 QM_IDLE 1 0 ACTIVE
Global IKE policy
Protection suite of priority 10
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
R1#show crypto isakmp peers
Peer: 23.23.23.3 Port: 500 Local: 12.12.12.1
Phase1 id: 23.23.23.3
R1#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
R1#show crypto isakmp sa
dst src state conn-id slot status
12.12.12.1 23.23.23.3 QM_IDLE 1 0 ACTIVE
*********ipsec相關內容************
R1#show crypto ipsec client ez***
Easy *** Remote Phase: 4 ---這個是什麼意思 ,還不是很清楚。
R1#show crypto ipsec sa
interface: Serial1/0
Crypto map tag: sf, local addr 12.12.12.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.12.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.23.0/255.255.255.0/0/0)
current_peer 23.23.23.3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 96, #pkts encrypt: 96, #pkts digest: 96
#pkts decaps: 105, #pkts decrypt: 105, #pkts verify: 105
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 6, #recv errors 0
local crypto endpt.: 12.12.12.1, remote crypto endpt.: 23.23.23.3
path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0
current outbound spi: 0xC1E4CEB7(3252997815)
inbound esp sas:
spi: 0x9F566494(2673239188)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: sf
sa timing: remaining key lifetime (k/sec): (4540031/1720)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xC1E4CEB7(3252997815)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: sf
sa timing: remaining key lifetime (k/sec): (4540032/1719)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R1# show crypto ipsec transform-set
Transform set sf: { esp-des esp-md5-hmac }
will negotiate = { Tunnel, },
Easy *** Remote Phase: 4 ---這個是什麼意思 ,還不是很清楚。
R1#show crypto ipsec sa
interface: Serial1/0
Crypto map tag: sf, local addr 12.12.12.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.12.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.23.0/255.255.255.0/0/0)
current_peer 23.23.23.3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 96, #pkts encrypt: 96, #pkts digest: 96
#pkts decaps: 105, #pkts decrypt: 105, #pkts verify: 105
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 6, #recv errors 0
local crypto endpt.: 12.12.12.1, remote crypto endpt.: 23.23.23.3
path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0
current outbound spi: 0xC1E4CEB7(3252997815)
inbound esp sas:
spi: 0x9F566494(2673239188)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: sf
sa timing: remaining key lifetime (k/sec): (4540031/1720)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xC1E4CEB7(3252997815)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: sf
sa timing: remaining key lifetime (k/sec): (4540032/1719)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R1# show crypto ipsec transform-set
Transform set sf: { esp-des esp-md5-hmac }
will negotiate = { Tunnel, },
********map的相關內容*************
R1#show crypto map
Crypto Map "sf" 10 ipsec-isakmp
Peer = 23.23.23.3
Extended IP access list 120
access-list 120 permit ip 192.168.12.0 0.0.0.255 192.168.23.0 0.0.0.255
Current peer: 23.23.23.3
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
sf,
}
Interfaces using crypto map sf:
Serial1/0
Crypto Map "sf" 10 ipsec-isakmp
Peer = 23.23.23.3
Extended IP access list 120
access-list 120 permit ip 192.168.12.0 0.0.0.255 192.168.23.0 0.0.0.255
Current peer: 23.23.23.3
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
sf,
}
Interfaces using crypto map sf:
Serial1/0
現在用測試一下:
如果沒有設置***,虛擬pc是不能ping到pc2的。
pc2#ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 108/166/264 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 108/166/264 ms
通過查看命令和ping測試,證明***已經連通。第一步要求完成。
要求2配置:
如果使用了NAT,那麼在出口處,ip的源地址將被修改,如果不設置,數據包將被丟棄,因爲***是不允許數據包被修改的。使用訪問控制列表實現:
nat的配置這裏不再說明。
如果這樣配置,將出現ping不通情況,因爲源地址被改了。
看以下debug說明:
ip nat inside source list 1 interface Serial1/0 overload
!
access-list 1 permit any
d via RIB
*Mar 1 01:33:10.183: IP: s=192.168.23.2 (local), d=192.168.12.1 (FastEthernet0/0), len 100, sending
*Mar 1 01:33:10.403: IP: s=23.23.23.2 (FastEthernet0/0), d=192.168.23.2, len 56, rcvd 1
*Mar 1 01:33:10.407: IP: tableid=0, s=192.168.23.2 (local), d=192.168.12.1 (FastEthernet0/0), route
!
access-list 1 permit any
d via RIB
*Mar 1 01:33:10.183: IP: s=192.168.23.2 (local), d=192.168.12.1 (FastEthernet0/0), len 100, sending
*Mar 1 01:33:10.403: IP: s=23.23.23.2 (FastEthernet0/0), d=192.168.23.2, len 56, rcvd 1
*Mar 1 01:33:10.407: IP: tableid=0, s=192.168.23.2 (local), d=192.168.12.1 (FastEthernet0/0), route
源地址被修改成了23.23.23.2
pc2#ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
所以應該這樣配置,建個訪問控制列表,讓端到斷的網段出去的時候不進行nat轉換。
ip nat inside source list 101 interface Serial1/0 overload
!
access-list 101 deny ip 192.168.12.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 101 permit ip 192.168.12.0 0.0.0.255 any
!
access-list 101 deny ip 192.168.12.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 101 permit ip 192.168.12.0 0.0.0.255 any
這樣就可以ping通了。
【實驗總結】
實驗配置比較多,但是隻要了解了大概的思路就不難。
首先要建一條安全的通信信道,通過isakmp,設定相關參數就可以(兩邊要一樣,如果不一樣,它會自動尋找一樣的策略集)。
然後就是選擇ipsec的加密方式,esp或是ah,設定相關參數即可。
最後就是注意nat的問題。
由於是初學,理解沒那麼深,有什麼錯誤的地方,還請大家指出。