Lab 2: IPsec site-to-site VPN configuration

 

Environment: two routers connected back-to-back over their serial interfaces; interface addressing as shown in the figure.

Requirement: use one loopback interface on each router to generate the VPN interesting traffic and build an IPsec VPN between the two routers. IKE phase 1 authenticates with a pre-shared key; the IKE phase 2 (IPsec) transform uses SHA as the hash algorithm and DES as the encryption algorithm. (56-bit DES and the pre-shared key `cisco` used below are acceptable only in an isolated lab; a production tunnel should use AES and a long random key.)

 

[Figure: topology and interface addressing, not reproduced in this text]

 

 

Step 1: basic interface configuration and connectivity test

 

R1(config)#int s0

R1(config-if)#ip add 10.1.1.1 255.255.255.0

R1(config-if)#clock rate 64000

R1(config-if)#no sh

R1(config)#int loop 0

R1(config-if)#ip add 1.1.1.1 255.255.255.0

 

R2(config)#int s1

R2(config-if)#ip add 10.1.1.2 255.255.255.0

R2(config-if)#no sh

R2(config)#int loop 0

R2(config-if)#ip add 1.1.2.1 255.255.255.0

 

R1#ping 10.1.1.2  → verify plain connectivity between the serial addresses first, then configure IPsec

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 28/31/32 ms

 

R2#ping 10.1.1.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/32 ms

 

Step 2: configure IKE phase 1 and phase 2 and apply the crypto map to the interface

 

R1(config)#crypto isakmp policy 10  → IKE phase 1 policy

R1(config-isakmp)#authen pre-share  → switch authentication to pre-shared key; the other policy parameters (encryption, hash, DH group, lifetime) stay at the IOS defaults, which is why they do not appear in show run (use show crypto isakmp policy to display them)

R1(config)#crypto isakmp key cisco address 10.1.1.2  → define the pre-shared key, bound to the peer's address

 

R1(config)#crypto ipsec transform-set myset esp-sha-hmac esp-des

→ define the phase 2 transform set (the keyword is transform-set; the order in which the transforms are listed does not matter, but both ends must offer the same transforms)

R1(config)#access-list 100 permit ip 1.1.1.0 0.0.0.255 1.1.2.0 0.0.0.255

                                       → define the crypto ACL (interesting traffic): only packets from 1.1.1.0/24 to 1.1.2.0/24 are encrypted, everything else leaving the interface goes in the clear. The ACL number is arbitrary (the final show run on R1 uses 102); match address must reference the same number

R1(config)#crypto map mymap 10 ipsec-isakmp  → define the phase 2 crypto map (ipsec-isakmp: SA keys are negotiated by IKE rather than entered manually)

% NOTE: This new crypto map will remain disabled until a peer

        and a valid access list have been configured.

R1(config-crypto-map)#match address 100  → bind the crypto ACL to the crypto map

R1(config-crypto-map)#set peer 10.1.1.2    → specify the peer (R2's serial address)

R1(config-crypto-map)#set transform-set myset  → bind the transform set to the crypto map

R1(config)#int s0

R1(config-if)#crypto map mymap  → apply the crypto map to the interface; this interface's address becomes the local tunnel endpoint

R1(config)#ip route 1.1.2.0 255.255.255.0 10.1.1.2

→ route for the remote protected network toward the peer, so that the interesting traffic is forwarded out the crypto-mapped interface (the next hop must be the peer's address 10.1.1.2, as the final show run confirms)

 

R2(config)#crypto isakmp policy 10  → R2's policy must match R1's

R2(config-isakmp)#authentication pre-share

R2(config-isakmp)#exit

R2(config)#crypto isakmp key cisco address 10.1.1.1  → same key; each side binds it to the other side's address

R2(config)#crypto ipsec transform-set myset esp-des esp-sha-hmac 

R2(cfg-crypto-trans)#exit             → must match R1's transform set; the mode defaults to tunnel

R2(config)#access-list 102 permit ip 1.1.2.0 0.0.0.255 1.1.1.0 0.0.0.255

→ interesting traffic, the mirror image of R1's crypto ACL (source and destination swapped)

R2(config)#crypto map mymap 10 ipsec-isakmp  → crypto map

% NOTE: This new crypto map will remain disabled until a peer

        and a valid access list have been configured.

R2(config-crypto-map)#set peer 10.1.1.1  → the peer's physical (serial) address

R2(config-crypto-map)#set transform-set myset

R2(config-crypto-map)#match address 102

R2(config-crypto-map)#exit

R2(config)#ip route 1.1.1.0 255.255.255.0 10.1.1.1  → route for the crypto ACL's destination network, via the peer

R2(config)#int s1

R2(config-if)#crypto map mymap  → apply the crypto map under the interface
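Because the two ends must mirror each other, it is worth checking that mechanically before testing. The following Python is an added example, not part of the original lab: it parses the crypto-relevant lines of the two configurations (constructed here from the final show run output on this page, which uses ACL 102 on both routers) and checks that the peer addresses cross-reference, the pre-shared key is bound to the right address on each side, the transform sets contain the same transforms, the crypto ACLs are mirror images, and each side routes the remote protected network via the peer. It also applies IOS wildcard-mask matching to show which ping sources are selected for encryption. `Side`, `check_pair` and `selects` are hypothetical helper names, not IOS commands.

```python
"""Added example (not part of the lab): mirror-consistency check for the two
configs. Inputs are constructed from the page's final `show run`; the checker
is hypothetical tooling that applies the matching rules IOS itself uses."""
import ipaddress

R1_CONFIG = """\
crypto isakmp key cisco address 10.1.1.2
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 10.1.1.2
 set transform-set myset
 match address 102
interface Serial0
 ip address 10.1.1.1 255.255.255.0
 crypto map mymap
ip route 1.1.2.0 255.255.255.0 10.1.1.2
access-list 102 permit ip 1.1.1.0 0.0.0.255 1.1.2.0 0.0.0.255
"""
R2_CONFIG = """\
crypto isakmp key cisco address 10.1.1.1
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set myset
 match address 102
interface Serial1
 ip address 10.1.1.2 255.255.255.0
 crypto map mymap
ip route 1.1.1.0 255.255.255.0 10.1.1.1
access-list 102 permit ip 1.1.2.0 0.0.0.255 1.1.1.0 0.0.0.255
"""
SUBMODE = {("set", "peer"): "peer", ("set", "transform-set"): "tset",
           ("match", "address"): "acl", ("ip", "address"): "ip",
           ("crypto", "map"): "map"}   # sub-mode lines kept under map/interface

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, net, wildcard):
    care = 0xFFFFFFFF & ~_ip(wildcard)   # IOS wildcard: a 1 bit means don't care
    return (_ip(addr) & care) == (_ip(net) & care)

class Side:   # parses only the crypto-relevant lines of one router's config
    def __init__(self, text):
        self.keys, self.tsets, self.maps, self.acls, self.routes, self.intfs = ({} for _ in range(6))
        ctx = None
        for line in text.splitlines():
            w = line.split()
            if not w or w[0] == "!":
                continue
            if line[0] == " ":                 # sub-mode line
                if ctx is not None and tuple(w[:2]) in SUBMODE:
                    ctx[SUBMODE[tuple(w[:2])]] = w[2]
                continue
            ctx = None                         # top-level command
            if w[:3] == ["crypto", "isakmp", "key"]:
                self.keys[w[5]] = w[3]         # PSK is bound to the peer address
            elif w[:3] == ["crypto", "ipsec", "transform-set"]:
                self.tsets[w[3]] = frozenset(w[4:])
            elif w[:2] == ["crypto", "map"]:
                ctx = self.maps.setdefault(w[2], {})
            elif w[0] == "interface":
                ctx = self.intfs.setdefault(w[1], {})
            elif w[:2] == ["ip", "route"]:
                self.routes[(w[2], w[3])] = w[4]
            elif w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
                self.acls.setdefault(w[1], []).append(tuple(w[4:8]))

    def endpoint(self):                        # (crypto endpoint address, its map)
        for intf in self.intfs.values():
            if "map" in intf:
                return intf["ip"], self.maps[intf["map"]]
        raise ValueError("no interface carries a crypto map")

    def crypto_acl(self):
        return self.acls.get(self.endpoint()[1].get("acl"), [])

    def selects(self, src, dst):               # would a src->dst packet be encrypted?
        return any(wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
                   for s, sw, d, dw in self.crypto_acl())

def check_pair(a, b):
    """List the mismatches between two sides; an empty list means consistent."""
    problems, (a_ip, a_map), (b_ip, b_map) = [], a.endpoint(), b.endpoint()
    if a_map.get("peer") != b_ip or b_map.get("peer") != a_ip:
        problems.append("set peer does not point at the other side's crypto endpoint")
    if a.keys.get(b_ip) is None or a.keys.get(b_ip) != b.keys.get(a_ip):
        problems.append("pre-shared key missing for the peer address, or keys differ")
    if a.tsets.get(a_map.get("tset")) != b.tsets.get(b_map.get("tset")):
        problems.append("transform sets differ (order is irrelevant, contents are not)")
    if set(a.crypto_acl()) != {(d, dw, s, sw) for s, sw, d, dw in b.crypto_acl()}:
        problems.append("crypto ACLs are not mirror images of each other")
    for side, peer in ((a, b_ip), (b, a_ip)):
        for _, _, dst, dw in side.crypto_acl():
            mask = str(ipaddress.IPv4Address(0xFFFFFFFF & ~_ip(dw)))
            if side.routes.get((dst, mask)) != peer:
                problems.append(f"no route for {dst} {mask} via peer {peer}")
    return problems
```

`check_pair(Side(R1_CONFIG), Side(R2_CONFIG))` returns an empty list for the configuration above; a route to the wrong next hop or a key that differs on one side comes back as a named mismatch. `Side(R1_CONFIG).selects("10.1.1.1", "1.1.2.1")` is False while `selects("1.1.1.1", "1.1.2.1")` is True, which is why a ping sourced from the serial interface never brings the tunnel up.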

 

Step 3: test whether traffic is encrypted by pinging directly from the router without specifying a source. Such a ping is sourced from the outgoing interface address (10.1.1.1), which does not match the crypto ACL, so the echoes cross the link in the clear and no SA is negotiated, as the outputs below show.

R1#ping 1.1.2.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 32/33/36 ms

R2#ping 1.1.1.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 32/33/36 ms

 

Check the SAs of both phases on R1 and on R2

R1#show crypto isakmp sa  → no ISAKMP SA

    dst           src          state        conn-id   slot

 

R2#show crypto isakmp sa

dst           src          state        conn-id   slot

 

R1#show crypto ipsec sa  → no packets encrypted and no IPsec SA established (all counters are 0, the outbound SPI is 0 and the SA lists are empty)

 

interface: Serial0

    Crypto map tag: mymap, local addr. 10.1.1.1

 

   local  ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (1.1.2.0/255.255.255.0/0/0)

   current_peer: 10.1.1.2

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

 

     local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.1.1.2

     path mtu 1500, media mtu 1500

     current outbound spi: 0

 

     inbound esp sas:

 

     inbound ah sas:

 

     inbound pcp sas:

 

     outbound esp sas:

 

     outbound ah sas:

 

     outbound pcp sas:

 

R2#show crypto ipsec sa

 

interface: Serial1

    Crypto map tag: mymap, local addr. 10.1.1.2

 

   local  ident (addr/mask/prot/port): (1.1.2.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)

   current_peer: 10.1.1.1

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

 

     local crypto endpt.: 10.1.1.2, remote crypto endpt.: 10.1.1.1

     path mtu 1500, media mtu 1500

     current outbound spi: 0

 

     inbound esp sas:

 

     inbound ah sas:

 

     inbound pcp sas:

 

     outbound esp sas:

 

     outbound ah sas:

 

     outbound pcp sas:

 

Step 4: use an extended ping to trigger the interesting traffic

 

R1#ping ip

Target IP address: 1.1.2.1

Repeat count [5]: 10  → send 10 echoes; the first few are lost while IKE negotiates, so with the default of 5 the effect may not be visible

Extended commands [n]: y

Source address or interface: 1.1.1.1  → source the echoes from Loopback0 so that they match the crypto ACL

Sending 10, 100-byte ICMP Echos to 1.1.2.1, timeout is 2 seconds:

....!!!!!!   → the interesting traffic has triggered IKE: the first four echoes are dropped while phases 1 and 2 complete, the remaining six are encrypted and answered

Success rate is 60 percent (6/10), round-trip min/avg/max = 84/84/84 ms

 

Step 5: check the SAs of both phases again, together with the encryption counters

 

R1#show crypto isa sa  → the IKE phase 1 SA is established; QM_IDLE means phase 1 has completed and the ISAKMP SA is idle, available for quick mode (phase 2) exchanges

    dst           src          state        conn-id   slot

10.1.1.2       10.1.1.1       QM_IDLE           1       0

 

R1#show crypto ipsec sa

→ the IKE phase 2 (IPsec) SAs exist and traffic has been encrypted, so the tunnel is up: the 6 packets encapsulated and 6 decapsulated are the six successful echoes, the inbound and outbound ESP SPIs are the reverse of R2's, and the transform in use is the configured esp-des esp-sha-hmac in tunnel mode. The non-zero #send errors on R1 counts packets the crypto path could not send, such as the echoes dropped while IKE was still negotiating.

interface: Serial0

    Crypto map tag: mymap, local addr. 10.1.1.1

 

   local  ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (1.1.2.0/255.255.255.0/0/0)

   current_peer: 10.1.1.2

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 6, #pkts encrypt: 6, #pkts digest 6

    #pkts decaps: 6, #pkts decrypt: 6, #pkts verify 6

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

    #send errors 14, #recv errors 0

 

     local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.1.1.2

     path mtu 1500, media mtu 1500

     current outbound spi: 84AEB2E6

 

     inbound esp sas:

      spi: 0x1E44AB1D(507816733)

        transform: esp-des esp-sha-hmac ,

        in use settings ={Tunnel, }

        slot: 0, conn id: 2000, flow_id: 1, crypto map: mymap

        sa timing: remaining key lifetime (k/sec): (4607999/3520)

        IV size: 8 bytes

        replay detection support: Y

 

     inbound ah sas:

 

     inbound pcp sas:

 

     outbound esp sas:

      spi: 0x84AEB2E6(2226041574)

        transform: esp-des esp-sha-hmac ,

        in use settings ={Tunnel, }

        slot: 0, conn id: 2001, flow_id: 2, crypto map: mymap

        sa timing: remaining key lifetime (k/sec): (4607999/3520)

        IV size: 8 bytes

        replay detection support: Y

 

     outbound ah sas:

 

     outbound pcp sas:

 

 

R2#show crypto isa sa

    dst           src          state        conn-id   slot

10.1.1.2       10.1.1.1       QM_IDLE           1       0

 

R2#show crypto ipsec sa

 

interface: Serial1

    Crypto map tag: mymap, local addr. 10.1.1.2

 

   local  ident (addr/mask/prot/port): (1.1.2.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)

   current_peer: 10.1.1.1

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 6, #pkts encrypt: 6, #pkts digest 6

    #pkts decaps: 6, #pkts decrypt: 6, #pkts verify 6

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

 

     local crypto endpt.: 10.1.1.2, remote crypto endpt.: 10.1.1.1

     path mtu 1500, media mtu 1500

     current outbound spi: 1E44AB1D

 

     inbound esp sas:  → inbound SA established; its SPI (0x84AEB2E6) is R1's outbound SPI

      spi: 0x84AEB2E6(2226041574)

        transform: esp-des esp-sha-hmac ,

        in use settings ={Tunnel, }

        slot: 0, conn id: 2000, flow_id: 1, crypto map: mymap

        sa timing: remaining key lifetime (k/sec): (4607999/3502)

        IV size: 8 bytes

        replay detection support: Y

 

     inbound ah sas:

 

     inbound pcp sas:

 

     outbound esp sas:  → outbound SA established; its SPI (0x1E44AB1D) is R1's inbound SPI

      spi: 0x1E44AB1D(507816733)

        transform: esp-des esp-sha-hmac ,

        in use settings ={Tunnel, }

        slot: 0, conn id: 2001, flow_id: 2, crypto map: mymap

        sa timing: remaining key lifetime (k/sec): (4607999/3502)

        IV size: 8 bytes

        replay detection support: Y

 

     outbound ah sas:

 

     outbound pcp sas:
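As an added example (not part of the original lab), the following Python parses the show crypto ipsec sa output of both routers and applies the checks an operator wants after step 5: traffic actually traversed the SA, the SPIs pair up across the two routers, the transform in use is the one configured in tunnel mode, and weak transforms such as DES are flagged. The two excerpts are constructed from the outputs above, trimmed to the lines the parser needs; `parse_sa`, `spis_paired`, `weak_transforms` and `check_tunnel` are hypothetical tooling, not IOS commands.

```python
"""Added example (not part of the lab): parse `show crypto ipsec sa` from both
routers and check the tunnel state. The two excerpts are constructed from the
step 5 outputs above, trimmed to the lines used; the checks are hypothetical."""
import re

R1_SA = """\
interface: Serial0
    Crypto map tag: mymap, local addr. 10.1.1.1
   current_peer: 10.1.1.2
    #pkts encaps: 6, #pkts encrypt: 6, #pkts digest 6
    #pkts decaps: 6, #pkts decrypt: 6, #pkts verify 6
    #send errors 14, #recv errors 0
     inbound esp sas:
      spi: 0x1E44AB1D(507816733)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
     inbound ah sas:
     outbound esp sas:
      spi: 0x84AEB2E6(2226041574)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
"""
R2_SA = """\
interface: Serial1
    Crypto map tag: mymap, local addr. 10.1.1.2
   current_peer: 10.1.1.1
    #pkts encaps: 6, #pkts encrypt: 6, #pkts digest 6
    #pkts decaps: 6, #pkts decrypt: 6, #pkts verify 6
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0x84AEB2E6(2226041574)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
     outbound esp sas:
      spi: 0x1E44AB1D(507816733)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
"""
COUNTERS = {"encaps": r"#pkts encaps: (\d+)", "decaps": r"#pkts decaps: (\d+)",
            "send_errors": r"#send errors (\d+)", "recv_errors": r"#recv errors (\d+)"}
WEAK = {"esp-des": "56-bit DES, brute-forceable", "esp-3des": "3DES, deprecated",
        "esp-null": "no confidentiality"}

def parse_sa(text):
    """Counters, endpoints and, per direction, the ESP SPI/transform/mode."""
    sa, direction = {"esp": {}}, None
    for raw in text.splitlines():
        s = raw.strip()
        for name, pat in COUNTERS.items():
            if m := re.search(pat, s):
                sa[name] = int(m.group(1))
        if m := re.search(r"local addr\.? (\S+)", s):
            sa["local"] = m.group(1)
        elif m := re.match(r"current_peer: (\S+)", s):
            sa["peer"] = m.group(1)
        elif m := re.match(r"(inbound|outbound) (\w+) sas:", s):
            direction = m.group(1) if m.group(2) == "esp" else None  # skip ah/pcp
        elif direction and (m := re.match(r"spi: 0x([0-9A-Fa-f]+)", s)):
            sa["esp"][direction] = {"spi": int(m.group(1), 16)}
        elif direction and (m := re.match(r"transform: (.+?) ,", s)):
            sa["esp"][direction]["transform"] = frozenset(m.group(1).split())
        elif direction and (m := re.search(r"in use settings =\{(\w+)", s)):
            sa["esp"][direction]["mode"] = m.group(1)
    return sa

def spis_paired(local, remote):
    """Our outbound SPI must be the peer's inbound SPI, and vice versa."""
    return (local["esp"]["outbound"]["spi"] == remote["esp"]["inbound"]["spi"]
            and local["esp"]["inbound"]["spi"] == remote["esp"]["outbound"]["spi"])

def weak_transforms(sa):
    used = set().union(*(d["transform"] for d in sa["esp"].values()))
    return {t: WEAK[t] for t in used if t in WEAK}

def check_tunnel(local, remote, expected):
    """Findings for one side; `expected` is the configured transform set."""
    if not local["esp"]:
        return ["no IPsec SA yet: no packet has matched the crypto ACL"]
    f = []
    if local["encaps"] == 0 or local["decaps"] == 0:
        f.append("SA exists but nothing has been encrypted/decrypted")
    if local["peer"] != remote["local"] or not spis_paired(local, remote):
        f.append("SPIs/peers do not pair with the remote side's SA")
    if local["encaps"] != remote["decaps"]:
        f.append(f"sent {local['encaps']} but peer decapsulated {remote['decaps']}")
    for d, esp in local["esp"].items():
        if esp["transform"] != expected or esp.get("mode") != "Tunnel":
            f.append(f"{d} SA is not using the configured transform set in tunnel mode")
    for t, why in weak_transforms(local).items():
        f.append(f"weak transform in use: {t} ({why})")
    if local["send_errors"]:
        f.append(f"{local['send_errors']} send errors (packets the crypto path could "
                 "not send, e.g. while IKE was still negotiating)")
    return f
```

For the outputs on this page, `check_tunnel(parse_sa(R1_SA), parse_sa(R2_SA), frozenset({"esp-des", "esp-sha-hmac"}))` reports only two findings, the DES transform and R1's 14 send errors; the same call with R2 as the local side reports DES alone. Running the checks against the step 3 output, where the SA lists are empty, yields the "no IPsec SA yet" finding instead.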

 

Step 6: view the resulting configuration

 

R1#show run

hostname R1

!

crypto isakmp policy 10

 authentication pre-share

crypto isakmp key cisco address 10.1.1.2

!

crypto ipsec transform-set myset esp-des esp-sha-hmac

!

crypto map mymap 10 ipsec-isakmp

 set peer 10.1.1.2

 set transform-set myset

 match address 102

!

interface Loopback0

 ip address 1.1.1.1 255.255.255.0

!

interface Serial0

 ip address 10.1.1.1 255.255.255.0

 clockrate 64000

 crypto map mymap

!

ip route 1.1.2.0 255.255.255.0 10.1.1.2

!

access-list 102 permit ip 1.1.1.0 0.0.0.255 1.1.2.0 0.0.0.255

!

end

 

R2#show run

hostname R2

!

crypto isakmp policy 10

 authentication pre-share

crypto isakmp key cisco address 10.1.1.1

!

crypto ipsec transform-set myset esp-des esp-sha-hmac

!

crypto map mymap 10 ipsec-isakmp

 set peer 10.1.1.1

 set transform-set myset

 match address 102

!

interface Loopback0

 ip address 1.1.2.1 255.255.255.0

!

interface Serial1

 ip address 10.1.1.2 255.255.255.0

 crypto map mymap

!

ip route 1.1.1.0 255.255.255.0 10.1.1.1

!

access-list 102 permit ip 1.1.2.0 0.0.0.255 1.1.1.0 0.0.0.255

!

end