VPN communication between firewalls
**For the theory, see:** the previous article on IPsec
Lab topology:
LAN 1: ASA1 configuration:
ASA1> en
Password:
ASA1# conf t
ASA1(config)# int e0/0
ASA1(config-if)# ip add 192.168.1.1 255.255.255.0
ASA1(config-if)# no sh
ASA1(config-if)# nameif inside //name this interface as the internal (inside) zone
ASA1(config-if)# security-level 100 //security level 100
ASA1(config-if)# exit
ASA1(config)# int e0/1
ASA1(config-if)# ip add 1.0.0.1 255.255.255.0
ASA1(config-if)# no sh
ASA1(config-if)# nameif outside //name this interface as the external (outside) zone
ASA1(config-if)# security-level 0 //security level 0
ASA1(config-if)# exit
ASA1(config)# route outside 0.0.0.0 0.0.0.0 1.0.0.2 //default route out of the outside zone toward the ISP
ASA1(config)# nat-control //enable NAT control
//once enabled, traffic from networks that have no NAT rule cannot pass through the ASA
ASA1(config)# nat (inside) 1 0 0 //NAT group 1: translate all inside networks
ASA1(config)# global (outside) 1 interface //PAT NAT group 1 to the outside interface address
INFO: outside interface address added to PAT pool
ASA1(config)# access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
//define the interesting traffic: local LAN 192.168.1.0/24 to remote LAN 192.168.2.0/24 (the mirror image of ASA2's ACL)
ASA1(config)# nat (inside) 0 access-list 100 //NAT exemption: do not translate traffic matching ACL 100
ASA1(config)# crypto isakmp enable outside //enable IKE on the outside zone
ASA1(config)# crypto isakmp policy 1 //create IKE policy 1
ASA1(config-isakmp-policy)# authentication pre-share //authenticate with a pre-shared key
ASA1(config-isakmp-policy)# encryption des //data encryption algorithm: DES
ASA1(config-isakmp-policy)# hash sha //hash (integrity) algorithm: SHA
ASA1(config-isakmp-policy)# lifetime 1600 //SA lifetime 1600 seconds
ASA1(config-isakmp-policy)# group 2 //Diffie-Hellman group 2
ASA1(config-isakmp-policy)# exit
ASA1(config)# crypto isakmp key 123.com address 2.0.0.2 //IKE pre-shared key 123.com for the peer; the peer is ASA2's outside address 2.0.0.2
ASA1(config)# crypto ipsec transform-set name-set esp-des esp-sha-hmac //IPsec transform set: ESP with DES encryption and SHA-HMAC integrity
ASA1(config)# tunnel-group 2.0.0.2 ipsec-attributes //IPsec attributes of the tunnel group for peer 2.0.0.2
ASA1(config-tunnel-ipsec)# pre-shared-key 123.com //authentication key 123.com
ASA1(config-tunnel-ipsec)# exit
ASA1(config)# crypto map name-map 1 match address 100 //create the crypto map, matching the traffic defined in ACL 100
ASA1(config)# crypto map name-map 1 set transform-set name-set //bind the transform set (encryption algorithms) to the map
ASA1(config)# crypto map name-map 1 set peer 2.0.0.2 //set the peer address (ASA2's outside interface)
ASA1(config)# crypto map name-map interface outside //apply the map to the outside interface
ASA1(config)# exit
ASA1# show crypto isakmp sa //check the SA state
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 2.0.0.2
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE //connection established
ISP: R1 configuration:
R1#conf t
R1(config)#int e0/0
R1(config-if)#ip add 1.0.0.2 255.255.255.0
R1(config-if)#no sh
R1(config-if)#exit
R1(config)#int e0/1
R1(config-if)#ip add 2.0.0.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#exit
LAN 2: ASA2 configuration:
ASA2> en
Password:
ASA2# conf t
ASA2(config)# int e0/0
ASA2(config-if)# ip add 2.0.0.2 255.255.255.0
ASA2(config-if)# no sh
ASA2(config-if)# nameif outside
ASA2(config-if)# security-level 0
ASA2(config-if)# exit
ASA2(config)# int e0/1
ASA2(config-if)# ip add 192.168.2.1 255.255.255.0
ASA2(config-if)# no sh
ASA2(config-if)# nameif inside
ASA2(config-if)# security-level 100
ASA2(config-if)# exit
ASA2(config)# route outside 0.0.0.0 0.0.0.0 2.0.0.1
ASA2(config)# nat-control
ASA2(config)# nat (inside) 1 0 0
ASA2(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool
ASA2(config)# access-list 100 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ASA2(config)# nat (inside) 0 access-list 100
ASA2(config)# crypto isakmp enable outside
ASA2(config)# crypto isakmp policy 1
ASA2(config-isakmp-policy)# authentication pre-share
ASA2(config-isakmp-policy)# encryption des
ASA2(config-isakmp-policy)# hash sha
ASA2(config-isakmp-policy)# lifetime 1600
ASA2(config-isakmp-policy)# group 2
ASA2(config-isakmp-policy)# exit
ASA2(config)# crypto isakmp key 123.com address 1.0.0.1
ASA2(config)# crypto ipsec transform-set name-set esp-des esp-sha-hmac
ASA2(config)# tunnel-group 1.0.0.1 ipsec-attributes
ASA2(config-tunnel-ipsec)# pre-shared-key 123.com
ASA2(config-tunnel-ipsec)# exit
ASA2(config)# crypto map name-map 1 match address 100
ASA2(config)# crypto map name-map 1 set transform-set name-set
ASA2(config)# crypto map name-map 1 set peer 1.0.0.1
ASA2(config)# crypto map name-map interface outside
ASA2(config)# exit
ASA2# show crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 1.0.0.1
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
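As an added example (not part of the original post), the following Python script checks that two site-to-site ASA configs are mirror images of each other: each side's `set peer` and `crypto isakmp key` point at the other side's outside address, the pre-shared keys and transform sets agree, and the crypto ACLs are reversed. The parser is a minimal reader of only the command forms used in this lab (an assumption, not a full ASA config parser), and the sample configs are constructed from this lab: ASA2's lines, and the same lines pasted onto ASA1 unchanged, which is the easiest mistake to make when copying between peers.

```python
# Constructed sample: ASA2's L2L lines from this lab. Pasting the identical text
# onto ASA1 gives a peer/key/ACL that are right on ASA2 but wrong on ASA1.
ASA2 = """
access-list 100 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto isakmp key 123.com address 1.0.0.1
crypto ipsec transform-set name-set esp-des esp-sha-hmac
crypto map name-map 1 match address 100
crypto map name-map 1 set transform-set name-set
crypto map name-map 1 set peer 1.0.0.1
"""
ASA1_BAD = ASA2  # the same text on ASA1 is the bug
ASA1_GOOD = (ASA2.replace("address 1.0.0.1", "address 2.0.0.2")
             .replace("peer 1.0.0.1", "peer 2.0.0.2")
             .replace("192.168.2.0 255.255.255.0 192.168.1.0",
                      "192.168.1.0 255.255.255.0 192.168.2.0"))

def parse(cfg):
    """Extract the L2L-relevant facts from an ASA config snippet (assumed minimal format)."""
    d = {"acls": {}, "keys": {}, "tsets": {}, "peer": None, "acl": None, "tset": None}
    for w in (line.split() for line in cfg.splitlines()):
        if w[:1] == ["access-list"] and w[2:4] == ["permit", "ip"]:
            d["acls"].setdefault(w[1], []).append(tuple(w[4:8]))  # src mask dst mask
        elif w[:3] == ["crypto", "isakmp", "key"]:
            d["keys"][w[5]] = w[3]  # peer address -> pre-shared key
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            d["tsets"][w[3]] = sorted(w[4:])
        elif w[:2] == ["crypto", "map"] and len(w) > 6:
            key = {"peer": "peer", "address": "acl", "transform-set": "tset"}.get(w[5])
            if key:
                d[key] = w[6]
    return d

def check_l2l(cfg_a, ip_a, cfg_b, ip_b):
    """Return mismatch findings between peers A and B; an empty list means consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    out = []
    for name, me, remote_ip in (("A", a, ip_b), ("B", b, ip_a)):
        if me["peer"] != remote_ip:
            out.append(f"{name}: set peer {me['peer']} is not the remote outside {remote_ip}")
        if remote_ip not in me["keys"]:
            out.append(f"{name}: no pre-shared key configured for peer {remote_ip}")
    if a["keys"].get(ip_b, "") != b["keys"].get(ip_a, ""):
        out.append("pre-shared keys differ (or one side has none)")
    if a["tsets"].get(a["tset"]) != b["tsets"].get(b["tset"]):
        out.append("transform sets differ")
    mirror_b = sorted((d, dm, s, sm) for s, sm, d, dm in b["acls"].get(b["acl"], []))
    if sorted(a["acls"].get(a["acl"], [])) != mirror_b:
        out.append("crypto ACLs are not mirror images (proxy IDs will not match)")
    return out
```

Run `check_l2l(ASA1_BAD, "1.0.0.1", ASA2, "2.0.0.2")` to see the four findings the copy-paste version produces, and the corrected `ASA1_GOOD` to get an empty list.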
Verification:
With no routing table configured on the ISP router R2, ping from VPC1 to VPC2.
Result: