Lab environment (simulating a multi-site ***)
R1 establishes *** with R3 and R4
R3 establishes *** with R1 and R4
R4 establishes *** with R1 and R3
I. Basic configuration
1. Basic configuration of R1
R1(config)#int loopback 0
R1(config-if)#ip add 1.1.1.1 255.255.255.255
R1(config-if)#no sh
R1(config-if)#int f0/0
R1(config-if)#ip add 10.0.0.1 255.255.255.0
R1(config-if)#no sh
R1(config)#line console 0
R1(config-line)#logging synchronous
R1(config-line)#exit
R1(config)#no ip domain-lookup
R1(config)#ip route 0.0.0.0 0.0.0.0 10.0.0.2
R1(config)#do sh ip int bri
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.0.0.1 YES manual up up
FastEthernet1/0 unassigned YES unset administratively down down
Loopback0 1.1.1.1 YES manual up up
2. Basic configuration of R2
R2(config)#no ip domain-lookup
R2(config)#line console 0
R2(config-line)#logg syn
R2(config-line)#exit
R2(config)#int f0/0
R2(config-if)#ip add 10.0.0.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#int f1/0
R2(config-if)#ip add 20.0.0.2 255.255.255.0
R2(config-if)#no sh
R2(config)#int f2/0
R2(config-if)#ip add 30.0.0.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#do sh ip int bri
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.0.0.2 YES manual up up
FastEthernet1/0 20.0.0.2 YES manual up up
FastEthernet2/0 30.0.0.2 YES manual up up
3. Basic configuration of R3
R3(config)#int loopback 0
R3(config-if)#ip add 2.2.2.2 255.255.255.255
R3(config-if)#int f0/0
R3(config-if)#ip add 20.0.0.1 255.255.255.0
R3(config-if)#no sh
R3(config-if)#ip route 0.0.0.0 0.0.0.0 20.0.0.2
R3(config)#line console 0
R3(config-line)#logging synchronous
R3(config-line)#exit
R3(config)#no ip domain-lookup
R3(config)#do sh ip int bri
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 20.0.0.1 YES manual up up
FastEthernet1/0 unassigned YES unset administratively down down
Loopback0 2.2.2.2 YES manual up up
4. Basic configuration of R4
R4(config)#no ip domain-lookup
R4(config)#line console 0
R4(config-line)#logging syn
R4(config-line)#exit
R4(config)#int loopback 0
R4(config-if)#ip add 3.3.3.3 255.255.255.255
R4(config-if)#no sh
R4(config-if)#int f0/0
R4(config-if)#ip add 30.0.0.1 255.255.255.0
R4(config-if)#no sh
R4(config-if)#ip route 0.0.0.0 0.0.0.0 30.0.0.2
R4(config)#do sh ip int bri
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 30.0.0.1 YES manual up up
FastEthernet1/0 unassigned YES unset administratively down down
Loopback0 3.3.3.3 YES manual up up
II. IPsec *** configuration
1. *** between R1 and R3 (the policies on R1 and R3 must be identical; both sides use the same pre-shared key ***R1-R3)
Configuration on R1
R1(config)#crypto isakmp policy 1  ! configure the security policy (phase 1)
R1(config-isakmp)#encryption 3des  ! which encryption algorithm to use
R1(config-isakmp)#hash sha  ! hash algorithm for integrity verification
R1(config-isakmp)#authentication pre-share  ! authentication by pre-shared key
R1(config-isakmp)#group 2  ! DH group 2; the larger the group number, the stronger the algorithm and the more device resources it consumes; routers support groups 1, 2 and 5
R1(config-isakmp)#exit
R1(config)#crypto isakmp key 0 ***R1-R3 address 20.0.0.1  ! configure the pre-shared key (the key must be identical on both devices); 0 means the key is entered in plaintext, 1 means the key is encrypted
R1(config)#access-list 111 permit ip 1.1.1.1 0.0.0.0 2.2.2.2 0.0.0.0  ! configure the ACL (selects the traffic to be protected); note that the ACLs on the two peers must be mirror images of each other, otherwise phase 2 negotiation fails
R1(config)#crypto ipsec transform-set *** esp-des esp-sha-hmac  ! define the transform set. Two protocols are available: AH (authentication only) and ESP (authentication and encryption). AH authenticates the whole packet including the IP header, so it cannot coexist with NAT; ESP authenticates only the payload (not the IP header), so it can coexist with NAT
R1(cfg-crypto-trans)#exit
R1(config)#crypto map ***-map 1 ipsec-isakmp  ! define the crypto map; a router interface can have only one crypto map applied, so in a multi-site *** the entries are distinguished by map sequence number
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#set peer 20.0.0.1  ! specify the peer
R1(config-crypto-map)#set transform-set ***  ! specify the transform set
R1(config-crypto-map)#match address 111  ! traffic to be protected
R1(config-crypto-map)#exit
R1(config)#int f0/0
R1(config-if)#crypto map ***-map  ! apply the map to the interface
R1(config-if)#
*Mar 1 00:28:06.035: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#
Configuration on R3
R3(config)#crypto isakmp policy 1
R3(config-isakmp)#en 3des
R3(config-isakmp)#hash sha
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#group 2
R3(config-isakmp)#exit
R3(config)#crypto isakmp key 0 ***R1-R3 address 10.0.0.1
R3(config)#access-list 111 permit ip 2.2.2.2 0.0.0.0 1.1.1.1 0.0.0.0
R3(config)#crypto ipsec transform-set *** esp-des esp-sha-hmac
R3(cfg-crypto-trans)#exit
R3(config)#crypto map ***-map 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R3(config-crypto-map)#set peer 10.0.0.1
R3(config-crypto-map)#set transform-set ***
R3(config-crypto-map)#match address 111
R3(config-crypto-map)#exit
R3(config)#int f0/0
R3(config-if)#crypto map ***-map
R3(config-if)#
*Mar 1 00:52:47.967: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Established successfully
R3#ping 1.1.1.1 source 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
*Mar 1 00:58:08.667: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 10.0.0.1:500 Id: 10.0.0.1.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 36/69/84 ms
R3#sh cry isa sa
dst src state conn-id slot
10.0.0.1 20.0.0.1 QM_IDLE 1 0
R1#sh cry isa sa
dst src state conn-id slot
10.0.0.1 20.0.0.1 QM_IDLE 1 0
R1#ping 2.2.2.2 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/48/60 ms
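The section above shows the five things that must agree on both peers before the tunnel comes up: an ISAKMP policy, the pre-shared key, the transform set, a crypto map entry pointing at the peer, and (as the ACL note says) mirror-image access lists. The Python script below is an added example, not part of the original lab, that checks those agreements offline from running-config text. The config excerpts, the names labset and lab-map and the key strings keyR1R3/keyR1R4 are constructed for the example; the addresses and ACL numbers follow the lab. It also covers the multi-site case from the later sections, where R1 carries a second map entry under a different sequence number, and R4_BAD_CFG shows what the checker reports when the ACL is not mirrored and the map names a transform set that was never defined.

```python
import re
from typing import Dict, List, Tuple

# Constructed running-config excerpts modelled on the lab (names and keys are
# assumptions). R4_BAD_CFG is deliberately broken: its ACL is not a mirror
# image of R1's ACL 115 and its map names an undefined transform set.
POLICY = "crypto isakmp policy 1\n encryption 3des\n hash sha\n authentication pre-share\n group 2\n"
TSET = "crypto ipsec transform-set labset esp-des esp-sha-hmac\n"

def map_entry(seq: int, peer: str, tset: str, acl: str) -> str:
    return f"crypto map lab-map {seq} ipsec-isakmp\n set peer {peer}\n set transform-set {tset}\n match address {acl}\n"

R1_CFG = (POLICY + "crypto isakmp key 0 keyR1R3 address 20.0.0.1\n"
          "crypto isakmp key 0 keyR1R4 address 30.0.0.1\n" + TSET
          + "access-list 111 permit ip 1.1.1.1 0.0.0.0 2.2.2.2 0.0.0.0\n"
          "access-list 115 permit ip 1.1.1.1 0.0.0.0 3.3.3.3 0.0.0.0\n"
          + map_entry(1, "20.0.0.1", "labset", "111") + map_entry(2, "30.0.0.1", "labset", "115"))
R3_CFG = (POLICY + "crypto isakmp key 0 keyR1R3 address 10.0.0.1\n" + TSET
          + "access-list 111 permit ip 2.2.2.2 0.0.0.0 1.1.1.1 0.0.0.0\n" + map_entry(1, "10.0.0.1", "labset", "111"))
R4_BAD_CFG = (POLICY + "crypto isakmp key 0 keyR1R4 address 10.0.0.1\n" + TSET
              + "access-list 111 permit ip 3.3.3.3 0.0.0.0 1.1.1.0 0.0.0.255\n" + map_entry(1, "10.0.0.1", "benet", "111"))

# IOS fills unset policy parameters with these defaults (des, sha, rsa-sig, group 1).
POLICY_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
POLICY_RE = re.compile(r"crypto isakmp policy (\d+)")
KEY_RE = re.compile(r"crypto isakmp key \d (\S+) address (\S+)")
TSET_RE = re.compile(r"crypto ipsec transform-set (\S+) (.+)")
ACL_RE = re.compile(r"access-list (\d+) (permit|deny) (\S+) (\S+) (\S+) (\S+) (\S+)")
MAP_RE = re.compile(r"crypto map (\S+) (\d+) ipsec-isakmp")

def parse_isakmp_policies(cfg: str) -> Dict[str, Dict[str, str]]:
    """{policy number: {encryption, hash, authentication, group}} with defaults filled in."""
    policies, current = {}, None
    for line in cfg.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = policies.setdefault(m.group(1), dict(POLICY_DEFAULTS))
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            if key in current:
                current[key] = value
        else:
            current = None  # left the policy block
    return policies

def parse_psks(cfg: str) -> Dict[str, str]:
    """{peer address: pre-shared key}."""
    return {addr: key for key, addr in KEY_RE.findall(cfg)}

def parse_transform_sets(cfg: str) -> Dict[str, List[str]]:
    return {m.group(1): m.group(2).split() for m in TSET_RE.finditer(cfg)}

def parse_acls(cfg: str) -> Dict[str, List[Tuple[str, ...]]]:
    """{acl number: [(action, proto, src, src_wc, dst, dst_wc), ...]}; explicit wildcard form only."""
    acls: Dict[str, List[Tuple[str, ...]]] = {}
    for m in ACL_RE.finditer(cfg):
        acls.setdefault(m.group(1), []).append(m.groups()[1:])
    return acls

def parse_crypto_maps(cfg: str) -> List[Dict[str, str]]:
    """One dict per crypto map entry: map, seq, peer, tset, acl."""
    entries, current = [], None
    fields = {("set", "peer"): "peer", ("set", "transform-set"): "tset", ("match", "address"): "acl"}
    for line in cfg.splitlines():
        m = MAP_RE.match(line)
        if m:
            current = {"map": m.group(1), "seq": m.group(2), "peer": "", "tset": "", "acl": ""}
            entries.append(current)
        elif current is not None and line.startswith(" "):
            words = line.split()
            if len(words) >= 3 and tuple(words[:2]) in fields:
                current[fields[tuple(words[:2])]] = words[2]
        else:
            current = None
    return entries

def acl_is_mirror(local: List[Tuple[str, ...]], remote: List[Tuple[str, ...]]) -> bool:
    """True when every local entry appears on the remote with source and destination swapped."""
    mirrored = {(a, p, d, dw, s, sw) for (a, p, s, sw, d, dw) in local}
    return bool(local) and mirrored == set(remote)

def check_peer_pair(local_cfg: str, remote_cfg: str, local_addr: str, remote_addr: str) -> List[str]:
    """Return the list of mismatches that would stop the tunnel between the two peers."""
    problems = []
    lpol, rpol = parse_isakmp_policies(local_cfg), parse_isakmp_policies(remote_cfg)
    if not any(lp == rp for lp in lpol.values() for rp in rpol.values()):
        problems.append("phase 1: no ISAKMP policy matches on both peers")
    lkey, rkey = parse_psks(local_cfg), parse_psks(remote_cfg)
    if not lkey.get(remote_addr) or lkey.get(remote_addr) != rkey.get(local_addr):
        problems.append("phase 1: pre-shared key missing or not identical on both peers")
    lmaps = [e for e in parse_crypto_maps(local_cfg) if e["peer"] == remote_addr]
    rmaps = [e for e in parse_crypto_maps(remote_cfg) if e["peer"] == local_addr]
    if not lmaps or not rmaps:
        problems.append("phase 2: no crypto map entry points at the peer")
        return problems
    lmap, rmap = lmaps[0], rmaps[0]
    ltset, rtset = parse_transform_sets(local_cfg), parse_transform_sets(remote_cfg)
    if lmap["tset"] not in ltset or rmap["tset"] not in rtset:
        problems.append("phase 2: crypto map references an undefined transform set")
    elif sorted(ltset[lmap["tset"]]) != sorted(rtset[rmap["tset"]]):
        problems.append("phase 2: transform sets differ between peers")
    lacl = parse_acls(local_cfg).get(lmap["acl"], [])
    racl = parse_acls(remote_cfg).get(rmap["acl"], [])
    if not acl_is_mirror(lacl, racl):
        problems.append(f"phase 2: ACL {lmap['acl']} and ACL {rmap['acl']} are not mirror images")
    return problems

if __name__ == "__main__":
    print("R1<->R3:", check_peer_pair(R1_CFG, R3_CFG, "10.0.0.1", "20.0.0.1") or "OK")
    print("R1<->R4:", check_peer_pair(R1_CFG, R4_BAD_CFG, "10.0.0.1", "30.0.0.1") or "OK")
```

The policy comparison mirrors how the router negotiates: any one policy on the local side that matches any one on the remote is enough, and parameters the author does not set fall back to the IOS defaults, which is why a peer that omits `group 2` silently ends up offering group 1. The ACL parser only understands the explicit wildcard form used in the lab (`host` and `any` keywords are not handled), which is sufficient for checking the lab's host-to-host entries.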
2. Establishing *** between R1 and R4 (shared key ***R1-R4)
Configuration on R1
Since a security policy was already configured, the policy configured above is reused.
Only the pre-shared key, the ACL and the crypto map need to be configured (with a different sequence number, because an interface can have only one crypto map applied).
R1(config)#crypto isakmp key 0 ***R1-R4 address 30.0.0.1  ! key shared by R1 and R4
R1(config)#access-list 115 permit ip 1.1.1.1 0.0.0.0 3.3.3.3 0.0.0.0
R1(config)#crypto map ***-map 2 ipsec-isakmp  ! use a different map sequence number
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#set peer 30.0.0.1
R1(config-crypto-map)#set transform-set ***
R1(config-crypto-map)#match address 115
There is no need to apply the map to the interface here, because it was already applied on R1 when the R1-R3 tunnel was configured; the entries are distinguished by sequence number.
Configuration on R4
R4(config)#crypto isakmp policy 1
R4(config-isakmp)#en 3des
R4(config-isakmp)#hash sha
R4(config-isakmp)#auth pre-share
R4(config-isakmp)#group 2
R4(config-isakmp)#exit
R4(config)#crypto isakmp key 0 ***R1-R4 address 10.0.0.1
R4(config)#access-list 111 permit ip 3.3.3.3 0.0.0.0 1.1.1.1 0.0.0.0
R4(config)#crypto ipsec transform-set *** esp-des esp-sha-hmac
R4(cfg-crypto-trans)#exit
R4(config)#crypto map ***-map 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R4(config-crypto-map)#set peer 10.0.0.1
R4(config-crypto-map)#set transform-set ***
R4(config-crypto-map)#match address 111
R4(config-crypto-map)#exit
R4(config)#int f0/0
R4(config-if)#crypto map ***-map
R4(config-if)#
*Mar 1 01:14:43.259: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Verification
R4#ping 1.1.1.1 source 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
.!!
*Mar 1 01:17:05.183: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 10.0.0.1:500 Id: 10.0.0.1!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 40/60/76 ms
R4#sh cry isa sa
dst src state conn-id slot
10.0.0.1 30.0.0.1 QM_IDLE 1 0
R4#sh cry isa key
Keyring Hostname/Address Preshared Key
default 10.0.0.1 ***R1-R4  ! the key
Query on R1
R1(config)#do sh cry isa sa
dst src state conn-id slot
10.0.0.1 20.0.0.1 QM_IDLE 1 0
30.0.0.1 10.0.0.1 QM_IDLE 2 0
R1(config)#do sh cry isa key
Keyring Hostname/Address Preshared Key
default 20.0.0.1 ***R1-R3
30.0.0.1 ***R1-R4
3. Building *** between R3 and R4
Configuration on R3
Since a security policy was already configured, the policy configured above is reused.
Only the pre-shared key, the ACL and the crypto map need to be configured (with a different sequence number, because an interface can have only one crypto map applied).
R3(config)#crypto isa key 0 ***R3-R4 address 30.0.0.1
R3(config)#access-list 115 permit ip 2.2.2.2 0.0.0.0 3.3.3.3 0.0.0.0
R3(config)#crypto map ***-map 2 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R3(config-crypto-map)#set peer 30.0.0.1
R3(config-crypto-map)#set transform-set ***  ! the transform set defined on R3 above
R3(config-crypto-map)#match address 115
Configuration on R4
R4(config)#crypto isakmp key 0 ***R3-R4 address 20.0.0.1
R4(config)#access-list 115 permit ip 3.3.3.3 0.0.0.0 2.2.2.2 0.0.0.0
R4(config)#crypto map ***-map 2 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R4(config-crypto-map)#set peer 20.0.0.1
R4(config-crypto-map)#set transform-set ***  ! the transform set defined on R4 above
R4(config-crypto-map)#match address 115
Verification
On R4
R4(config-crypto-map)#do ping 2.2.2.2 so 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 24/51/96 ms
R4(config-crypto-map)#
*Mar 1 00:39:11.607: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 20.0.0.1:500 Id: 20.0.0.1
R4(config-crypto-map)#do sh cry isa sa
dst src state conn-id slot
20.0.0.1 30.0.0.1 QM_IDLE 2 0
30.0.0.1 10.0.0.1 QM_IDLE 1 0
R4(config-crypto-map)#do sh cry isa key
Keyring Hostname/Address Preshared Key
default 10.0.0.1 ***R1-R4
20.0.0.1 ***R3-R4
On R3
R3(config)#do ping 3.3.3.3 so 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/37/64 ms
R3(config)#do sh cry isa sa
dst src state conn-id slot
10.0.0.1 20.0.0.1 QM_IDLE 1 0
20.0.0.1 30.0.0.1 QM_IDLE 2 0
R3(config)#do sh cry isa key
Keyring Hostname/Address Preshared Key
default 10.0.0.1 ***R1-R3
30.0.0.1 ***R3-R4
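The verification steps throughout the lab rely on reading `show crypto isakmp sa` by eye and looking for QM_IDLE against each peer. The Python below is an added example, not part of the original lab, that parses that output and reports per expected peer whether phase 1 completed. The sample output is constructed in the same column layout the lab's routers print; the MM_NO_STATE row is invented to show how a peer stuck in main mode, typically the result of a policy or pre-shared key mismatch, appears.

```python
import re
from typing import Dict, List

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed "show crypto isakmp sa" output (not captured from a real device).
SAMPLE_SA_OUTPUT = """\
dst             src             state          conn-id slot
10.0.0.1        20.0.0.1        QM_IDLE              1    0
30.0.0.1        10.0.0.1        MM_NO_STATE          2    0
"""

def parse_isakmp_sa(output: str) -> List[Dict[str, str]]:
    """Return one dict per SA row: dst, src, state, conn_id."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        # Real rows start with two addresses; this skips the header and any banner lines.
        if len(parts) >= 4 and IPV4.match(parts[0]) and IPV4.match(parts[1]):
            rows.append({"dst": parts[0], "src": parts[1], "state": parts[2], "conn_id": parts[3]})
    return rows

def tunnel_status(local_addr: str, expected_peers: List[str], output: str) -> Dict[str, str]:
    """Map each expected peer to 'up' (QM_IDLE), 'negotiating:<state>' or 'absent'."""
    status = {peer: "absent" for peer in expected_peers}
    for row in parse_isakmp_sa(output):
        # The local router may appear as either dst or src depending on who initiated.
        if row["dst"] == local_addr:
            peer = row["src"]
        elif row["src"] == local_addr:
            peer = row["dst"]
        else:
            continue
        if peer in status:
            status[peer] = "up" if row["state"] == "QM_IDLE" else "negotiating:" + row["state"]
    return status

if __name__ == "__main__":
    for peer, state in tunnel_status("10.0.0.1", ["20.0.0.1", "30.0.0.1", "40.0.0.1"], SAMPLE_SA_OUTPUT).items():
        print(peer, state)
```

An "absent" peer usually just means no interesting traffic has matched the ACL yet, since the lab only sees the tunnel come up after the first `ping ... source` is sent; a "negotiating" peer is the one to investigate. Note that `show crypto isakmp key`, as shown in the lab, prints the pre-shared keys in cleartext, so that output should stay out of tickets and shared logs.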