Description: an IPsec *** built with a dynamic crypto map is normally used where the center site has a fixed IP address and the branch sites have dynamic IP addresses. The same configuration is also common when one side is a Cisco device and the other side is not.
1. Center site configuration:
Center#
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0 #The eight zeros (address 0.0.0.0 mask 0.0.0.0) match any peer IP address, so every branch presents this one key. Anyone who learns it can negotiate a tunnel with the center: use a long random key rather than "cisco", or certificates.
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac #DES/MD5 (and the 3DES/MD5/group 2 ISAKMP policy above) are kept as on the original page; they are obsolete, so use AES, SHA-2 and DH group 14 or higher in production.
!
crypto dynamic-map dymap 10 #A dynamic crypto map only needs a transform set: the center accepts whatever peer and interesting traffic the branch proposes, so no peer or interesting-traffic ACL is configured here.
set transform-set cisco
!
crypto map To_branch 10000 ipsec-isakmp dynamic dymap #The dynamic entry normally gets the highest sequence number so that lower-numbered, more specific static crypto map entries are evaluated first.
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 202.100.1.1 255.255.255.0
duplex auto
speed auto
crypto map To_branch #Apply the crypto map to the interface.
!
no ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 202.100.1.10
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
Center#
2. Branch site configuration:
Branch#
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 202.100.1.1
!
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto map To_center 10 ipsec-isakmp
set peer 202.100.1.1 #Set to the center site's fixed IP address.
set transform-set cisco
match address ***
!
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
ip address dhcp
duplex auto
speed auto
crypto map To_center #Apply the IPsec crypto map to the interface.
!
no ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 61.128.1.10
!
ip access-list extended *** #The branch must define the interesting traffic.
permit ip host 2.2.2.2 host 1.1.1.1
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
Branch#
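Before testing, it is worth checking the two configurations above mechanically. The script below is an added example, not part of the original page or of any Cisco tool: it parses a flattened IOS "show run" (no indentation, exactly as dumped above), flags the legacy algorithms, the short wildcard pre-shared key, and a dynamic crypto map entry whose sequence number is not the highest in its map. WEAK_CENTER is a copy of the Center's crypto lines; HARDENED_CENTER is a constructed replacement using current algorithms, and the "weak" thresholds are local policy assumptions, not anything the page states.

```python
"""Audit a flattened Cisco IOS 'show run' for the weak ISAKMP/IPsec settings on
this page and for the dynamic-crypto-map sequence rule.  Added example, not
part of the original page or of any Cisco tool; WEAK_CENTER mirrors the page's
Center config and HARDENED_CENTER is a constructed replacement (assumption:
the algorithm thresholds below are local policy, not anything the page states)."""
from collections import defaultdict

WEAK_ENCR = {"des", "3des", "esp-des", "esp-3des"}
WEAK_HASH = {"md5", "sha", "esp-md5-hmac", "esp-sha-hmac"}   # 'sha' is SHA-1 in IOS
WEAK_DH = {"1", "2", "5"}
MIN_PSK_LEN = 16
# Child commands of a 'crypto ...' block; the dumps here have no indentation,
# so children are recognised by keyword rather than by leading spaces.
CHILD_PREFIXES = ("encr", "hash ", "authentication ", "group ", "lifetime ",
                  "set ", "match ", "reverse-route")

WEAK_CENTER = """\
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set cisco esp-des esp-md5-hmac
crypto dynamic-map dymap 10
set transform-set cisco
crypto map To_branch 10000 ipsec-isakmp dynamic dymap
"""
# Same design with current algorithms and a long random PSK (constructed).
HARDENED_CENTER = """\
crypto isakmp policy 10
encr aes 256
hash sha256
authentication pre-share
group 14
crypto isakmp key Xk7rQ2vL9mPz4wNc8bTf address 0.0.0.0 0.0.0.0
crypto ipsec transform-set cisco esp-aes 256 esp-sha256-hmac
crypto dynamic-map dymap 10
set transform-set cisco
crypto map To_branch 65535 ipsec-isakmp dynamic dymap
"""


def parse_crypto_blocks(config):
    """Return [(header_tokens, [child_tokens, ...]), ...] for every 'crypto' command."""
    blocks, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("crypto "):
            current = (line.split(), [])
            blocks.append(current)
        elif current is not None and line.startswith(CHILD_PREFIXES):
            current[1].append(line.split())
        else:
            current = None          # '!', interface or route lines close the block
    return blocks


def audit(config):
    """Return (severity, message) findings in config order; [] means clean."""
    findings = []
    seqs = defaultdict(lambda: {"static": [], "dynamic": []})
    for hdr, children in parse_crypto_blocks(config):
        if hdr[1:3] == ["isakmp", "policy"]:
            opts = {c[0]: c[1:] for c in children}
            pol = f"isakmp policy {hdr[3]}"
            # IOS defaults when the line is absent: des / sha / group 1
            encr = (opts.get("encr") or opts.get("encryption") or ["des"])[0]
            hsh = (opts.get("hash") or ["sha"])[0]
            group = (opts.get("group") or ["1"])[0]
            if encr in WEAK_ENCR:
                findings.append(("high", f"{pol}: weak encryption {encr}"))
            if hsh in WEAK_HASH:
                findings.append(("high", f"{pol}: weak hash {hsh}"))
            if group in WEAK_DH:
                findings.append(("high", f"{pol}: weak DH group {group}"))
        elif hdr[1:3] == ["isakmp", "key"]:
            a = hdr.index("address")
            key, peer = hdr[a - 1], hdr[a + 1:]
            if peer[:2] == ["0.0.0.0", "0.0.0.0"]:
                findings.append(("medium", "isakmp key: wildcard PSK shared by every peer"))
            if hdr[3] != "6" and len(key) < MIN_PSK_LEN:   # '6' = key stored encrypted
                findings.append(("high", f"isakmp key: PSK shorter than {MIN_PSK_LEN} chars"))
        elif hdr[1:3] == ["ipsec", "transform-set"]:
            weak = [t for t in hdr[4:] if t in WEAK_ENCR | WEAK_HASH]
            if weak:
                findings.append(("high", f"transform-set {hdr[3]}: weak {' '.join(weak)}"))
        elif hdr[1] == "map" and len(hdr) > 4 and hdr[3].isdigit():
            seqs[hdr[2]]["dynamic" if "dynamic" in hdr else "static"].append(int(hdr[3]))
    # Page rule: the dynamic entry must carry the highest sequence number so the
    # more specific static entries are evaluated first.
    for name, s in seqs.items():
        if s["dynamic"] and s["static"] and min(s["dynamic"]) < max(s["static"]):
            findings.append(("medium", f"crypto map {name}: dynamic entry seq "
                             f"{min(s['dynamic'])} is below static seq {max(s['static'])}"))
    return findings
```

Running audit(WEAK_CENTER) returns six findings (3DES, MD5, group 2, wildcard key, short key, DES/MD5 transform set); audit(HARDENED_CENTER) returns only the wildcard-key finding, which is inherent to a dynamic-peer design and can only be removed by moving to certificate authentication.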
3. Testing the configuration:
Branch#ping 1.1.1.1 so 2.2.2.2 #With a dynamic crypto map the tunnel can only be brought up by interesting traffic from the branch towards the center; the center has no peer address to initiate to.
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/59/112 ms
Branch#
4. Viewing the configuration state:
Branch#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Branch#show crypto engine conn ac
ID Interface IP-Address State Algorithm Encrypt Decrypt
1 FastEthernet1/0 61.128.1.12 set HMAC_MD5+3DES_56_C 0 0
2001 FastEthernet1/0 61.128.1.12 set DES+MD5 17 0
2002 FastEthernet1/0 61.128.1.12 set DES+MD5 0 17
Branch#show crypto isakmp sa
dst src state conn-id slot status
202.100.1.1 61.128.1.12 QM_IDLE 1 0 ACTIVE
Branch#show crypto ipsec sa
interface: FastEthernet1/0
Crypto map tag: To_center, local addr 61.128.1.12
protected vrf: (none)
local ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0) #interesting traffic
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0) #interesting traffic
current_peer 202.100.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 36, #pkts encrypt: 36, #pkts digest: 36
#pkts decaps: 36, #pkts decrypt: 36, #pkts verify: 36
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 12, #recv errors 0
local crypto endpt.: 61.128.1.12, remote crypto endpt.: 202.100.1.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
current outbound spi: 0x37062F6B(923152235)
inbound esp sas:
spi: 0x5909C929(1493813545)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: To_center
sa timing: remaining key lifetime (k/sec): (4525079/2552)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x37062F6B(923152235)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, } #tunnel mode
conn id: 2001, flow_id: SW:1, crypto map: To_center
sa timing: remaining key lifetime (k/sec): (4525079/2544)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Branch#
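Reading the two show commands by eye works for one tunnel; for many branches you want the check automated. The script below is an added example, not part of the original page or of any Cisco tool: it parses "show crypto isakmp sa" and "show crypto ipsec sa" output and decides whether Phase 1 completed, whether the negotiated proxy identities are the ones the crypto ACL was supposed to produce, whether both ESP SA directions are active in tunnel mode, and whether traffic is actually flowing in both directions. The sample outputs are constructed from the Branch router's display above (IPSEC_ONE_WAY alters only the decaps counters), and the health rules are assumptions drawn from common IOS troubleshooting practice.

```python
"""Parse 'show crypto isakmp sa' and 'show crypto ipsec sa' output and decide
whether the tunnel is really up and passing traffic both ways.  Added example,
not part of the original page or of any Cisco tool; the sample outputs are
constructed from the Branch router's display above, and the health rules are
assumptions drawn from common IOS troubleshooting practice."""
import re

ISAKMP_OK = """\
dst             src             state          conn-id slot status
202.100.1.1     61.128.1.12     QM_IDLE              1    0 ACTIVE
"""
IPSEC_OK = """\
interface: FastEthernet1/0
    Crypto map tag: To_center, local addr 61.128.1.12
   local  ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   current_peer 202.100.1.1 port 500
    #pkts encaps: 36, #pkts encrypt: 36, #pkts digest: 36
    #pkts decaps: 36, #pkts decrypt: 36, #pkts verify: 36
    #send errors 12, #recv errors 0
     inbound esp sas:
      spi: 0x5909C929(1493813545)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        Status: ACTIVE
     outbound esp sas:
      spi: 0x37062F6B(923152235)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        Status: ACTIVE
"""
# Same tunnel with nothing coming back: what you see when the far side's
# crypto ACL is not the mirror image or it has no route to 2.2.2.2.
IPSEC_ONE_WAY = IPSEC_OK.replace("#pkts decaps: 36, #pkts decrypt: 36, #pkts verify: 36",
                                 "#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0")

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
ISAKMP_ROW = re.compile(rf"^\s*{IP}\s+{IP}\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)")


def parse_isakmp_sa(text):
    """One dict per Phase 1 SA row: dst, src, state, conn_id, status."""
    return [{"dst": m[1], "src": m[2], "state": m[3], "conn_id": int(m[4]), "status": m[6]}
            for m in map(ISAKMP_ROW.match, text.splitlines()) if m]


def parse_ipsec_sa(text):
    """Idents, peer, counters and per-direction ESP SAs of one crypto map entry."""
    sa, direction = {"esp_sas": []}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"(local|remote)\s+ident \(addr/mask/prot/port\): \((\S+)\)", line):
            sa[m[1] + "_ident"] = m[2]
        elif m := re.match(rf"current_peer {IP} port (\d+)", line):
            sa["peer"] = m[1]
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", line):
            sa[m[1]] = int(m[2])
        elif m := re.match(r"#send errors (\d+), #recv errors (\d+)", line):
            sa["send_errors"], sa["recv_errors"] = int(m[1]), int(m[2])
        elif m := re.match(r"(inbound|outbound) esp sas:", line):
            direction = m[1]
        elif m := re.match(r"spi: 0x([0-9A-Fa-f]+)", line):
            sa["esp_sas"].append({"direction": direction, "spi": int(m[1], 16)})
        elif m := re.match(r"transform: (.+?) ,", line):
            sa["esp_sas"][-1]["transform"] = m[1]
        elif m := re.match(r"in use settings =\{(\w+), \}", line):
            sa["esp_sas"][-1]["mode"] = m[1]
        elif m := re.match(r"Status: (\w+)", line):
            sa["esp_sas"][-1]["status"] = m[1]
    return sa


def check_tunnel(isakmp_text, ipsec_text, expected_local, expected_remote):
    """Return a list of problems; [] means Phase 1 and Phase 2 are up, the
    negotiated proxy identities are the intended ones and traffic flows both ways."""
    problems = []
    if not any(r["state"] == "QM_IDLE" and r["status"] == "ACTIVE"
               for r in parse_isakmp_sa(isakmp_text)):
        problems.append("no active QM_IDLE ISAKMP SA: Phase 1 did not complete")
    sa = parse_ipsec_sa(ipsec_text)
    if (sa.get("local_ident"), sa.get("remote_ident")) != (expected_local, expected_remote):
        problems.append(f"negotiated idents {sa.get('local_ident')} -> {sa.get('remote_ident')} "
                        "are not the crypto ACL you expected")
    active = {s["direction"] for s in sa["esp_sas"] if s.get("status") == "ACTIVE"}
    missing = sorted({"inbound", "outbound"} - active)
    if missing:
        problems.append(f"no active ESP SA for: {', '.join(missing)}")
    if any(s.get("mode") != "Tunnel" for s in sa["esp_sas"]):
        problems.append("an ESP SA is not in tunnel mode")
    if sa.get("encaps", 0) > 0 and sa.get("decaps", 0) == 0:
        problems.append("one-way traffic: packets are encrypted but none decrypted; "
                        "check the far side's crypto ACL and its return route")
    return problems
```

check_tunnel(ISAKMP_OK, IPSEC_OK, "2.2.2.2/255.255.255.255/0/0", "1.1.1.1/255.255.255.255/0/0") returns an empty list for the page's output, while the IPSEC_ONE_WAY variant returns a single "one-way traffic" problem; passing a different expected remote ident reports that the branch's crypto ACL negotiated something other than what you intended, which is the mistake the dynamic center side will silently accept.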