Scale IPSec config over cisco router

本文介绍了一种使用Python脚本自动生成Cisco路由器IPSec配置的方法,特别适用于需要创建大量站点到站点隧道的情况。该脚本支持IKEv2,并能为两台路由器A和B生成对应的配置。



Cisco Router 的IPSec配置很复杂,如果需要生成多条tunnel的配置的时候,需要很大的工作量


简单写了一个脚本来生成,看看结果如何吧


Limitation:

1. 支持IKEv2

2. 只能在Cisco IOS router上运行

3. Topology: site to site


Benefit:

同时生成A和B两个router的配置,赞吧?


运行方法:

[asr@30_208 ~]$ python ikev2_config_scale.py 2 ikev2


from xml.dom import minidom
from ftplib import FTP
import telnetlib
import sys
import time
import logging
import os
import re
import platform
import string

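class IPSecConfigScale:
    """Generate matching IKEv2/IPsec site-to-site configs for two Cisco IOS routers.

    Tunnel ``n`` uses ``50.1.n.0/24`` on the WAN side (router A / role 1 owns
    ``.1``, router B / role 2 owns ``.2``), ``172.16.n.1`` as A's LAN host and
    ``172.17.n.1`` as B's, each on its own dot1q sub-interface.  The IOS CLI
    for both routers is printed to stdout, one ``configure terminal`` ...
    ``end`` block per router.

    Args:
        tunnel: number of tunnels to generate (anything ``int()`` accepts).
        mode: key-exchange mode; only ``'ikev2'`` is implemented.
        psk: IKEv2 pre-shared key written into every keyring.  The default is
            the original placeholder and is emitted in clear text on both
            peers; pass a per-deployment secret instead of shipping it.
    """

    # The tunnel index is used as the third octet of every generated address,
    # so the count must stay below 255.
    MAX_TUNNELS = 255

    def __init__(self, tunnel, mode, psk='cisco123'):
        self.__tunnel_number__ = int(tunnel)
        self.__mode__ = mode
        self.__psk__ = psk

        self.__vlan_start__ = 2000  # kept for compatibility; not read by run()

        # Both routers share one WAN /24 per tunnel (.1 vs .2).
        self.__ip_wan_A__ = '50.1.'
        self.__ip_wan_B__ = self.__ip_wan_A__
        self.__ip_lan_A__ = '172.16.'
        self.__ip_lan_B__ = '172.17.'
        self.__netmask__ = '255.255.255.0'
        self.__wildcard__ = '0.0.0.255'
        self.__interface_lan_A__ = 'GigabitEthernet2.'
        self.__interface_wan_A__ = 'GigabitEthernet3.'
        self.__interface_lan_B__ = 'GigabitEthernet2.'
        self.__interface_wan_B__ = 'GigabitEthernet3.'

        # Base dot1q tags; tunnel n adds n to each of them.
        self.__vlan_lan_A__ = 2000
        self.__vlan_wan__ = 3000
        self.__vlan_lan_B__ = 4000

        self.__eigrp_as__ = 1000  # kept for compatibility; no EIGRP is emitted

    def run(self):
        """Print the configuration for router A (role 1) then router B (role 2).

        Invalid input is reported on stdout and nothing else is generated:
        a tunnel count outside ``1..MAX_TUNNELS-1`` or a mode other than
        ``'ikev2'``.  Returns None.
        """
        print('tunnel is %s' % self.__tunnel_number__)
        print('mode is %s' % self.__mode__)

        # The original only printed the error and kept generating, so addresses
        # with a third octet of 255 or more could reach the output.  Stop here.
        if not 0 < self.__tunnel_number__ < self.MAX_TUNNELS:
            print('ERROR, %s is not supported' % self.__tunnel_number__)
            return

        # Was checking the module-level `mode` global rather than the instance;
        # the error message also lacked its format argument.
        if self.__mode__ != 'ikev2':
            print('%s is not supported' % self.__mode__)
            return

        # Each side's "remote" LAN is the other side's "local" LAN, so the two
        # calls are mirror images of each other.
        self.__scale_ikev2_config__(ip_lan_local_in=self.__ip_lan_A__,
                                    ip_wan=self.__ip_wan_A__,
                                    ip_lan_remote_in=self.__ip_lan_B__,
                                    interface_lan=self.__interface_lan_A__,
                                    interface_wan=self.__interface_wan_A__,
                                    vlan_lan_in=self.__vlan_lan_A__,
                                    vlan_wan_in=self.__vlan_wan__,
                                    role=1)
        self.__scale_ikev2_config__(ip_lan_local_in=self.__ip_lan_B__,
                                    ip_wan=self.__ip_wan_B__,
                                    ip_lan_remote_in=self.__ip_lan_A__,
                                    interface_lan=self.__interface_lan_B__,
                                    interface_wan=self.__interface_wan_B__,
                                    vlan_lan_in=self.__vlan_lan_B__,
                                    vlan_wan_in=self.__vlan_wan__,
                                    role=2)

    def __scale_ikev2_config__(self, ip_lan_local_in='172.16.',
                               ip_wan='50.1.',
                               ip_lan_remote_in='60.1.',
                               interface_lan='GigabitEthernet2.',
                               interface_wan='GigabitEthernet3.',
                               vlan_lan_in=2000,
                               vlan_wan_in=3000,
                               role=1):
        """Print one router's IKEv2/IPsec configuration for every tunnel.

        Args:
            ip_lan_local_in: first two octets (with trailing dot) of this
                router's LAN prefix; tunnel ``n`` becomes ``<prefix>n.1``.
            ip_wan: first two octets of the WAN prefix shared by both routers.
            ip_lan_remote_in: the peer router's LAN prefix, same format.
            interface_lan: physical LAN interface name including the trailing
                dot; the LAN VLAN tag is appended as the sub-interface id.
            interface_wan: same for the WAN interface.
            vlan_lan_in: base LAN dot1q tag, incremented per tunnel.
            vlan_wan_in: base WAN dot1q tag, incremented per tunnel.
            role: 1 owns WAN ``.1`` and peers with ``.2``; any other value is
                the mirror image.
        """
        # Role decides which end of the shared WAN /24 this router owns.
        local_host, remote_host = ('1', '2') if role == 1 else ('2', '1')

        print('###################################')
        print('###################################')
        print('# config for Cisco Router(role: %s):' % role)
        print('configure terminal')
        for it in range(self.__tunnel_number__):
            proposal = 'IKEv2Proposal%s' % it
            policy = 'IKEv2Policy%s' % it
            key = 'KEY%s' % it
            peer = 'PEER%s' % it
            profile = 'IKEv2Profile%s' % it
            transform_set = 'TS%s' % it
            crypto_map = 'CMAP%s' % it  # was `map`, shadowing the builtin
            traffic_acl = 'traffic_acl_%s' % it

            vlan_lan = vlan_lan_in + it
            vlan_wan = vlan_wan_in + it

            ip_wan_local = '%s%s.%s' % (ip_wan, it, local_host)
            ip_wan_remote = '%s%s.%s' % (ip_wan, it, remote_host)
            ip_lan_local = '%s%s.1' % (ip_lan_local_in, it)
            ip_lan_remote = '%s%s.1' % (ip_lan_remote_in, it)

            subinterface_lan = '%s%s' % (interface_lan, vlan_lan)
            subinterface_wan = '%s%s' % (interface_wan, vlan_wan)

            # Crypto ACL.  NOTE(review): both entries use `any` as destination,
            # so all traffic from either host is selected for the tunnel, not
            # only LAN-to-LAN traffic -- confirm that is intended.
            print('# traffic ACL')
            print('ip access-list extended %s' % traffic_acl)
            print(' permit ip host %s any' % ip_lan_local)
            print(' permit ip host %s any' % ip_lan_remote)

            # IKEv2 proposal.  3DES and DH group 2 are legacy choices kept to
            # preserve the original output; current guidance is AES with a
            # 2048-bit or larger DH group (e.g. group 14).
            print('# IKEv2 proposal')
            print('crypto ikev2 proposal %s' % proposal)
            print('  encryption 3des')
            print('  integrity sha512')
            print('  group 2')

            print('# IKEv2 policy')
            print('crypto ikev2 policy %s' % policy)
            print('  proposal %s' % proposal)

            # Keyring: the PSK is written in clear text and must match on
            # both peers, which is why a single value is used for both lines.
            print('# IKEv2 keyring')
            print('crypto ikev2 keyring %s' % key)
            print('  peer %s' % peer)
            print('    address %s' % ip_wan_remote)
            print('    pre-shared-key local %s' % self.__psk__)
            print('    pre-shared-key remote %s' % self.__psk__)

            # Profile: the peer is matched on its exact WAN host address.
            print('# IKEv2 profile')
            print('crypto ikev2 profile %s' % profile)
            print('  match identity remote address %s 255.255.255.255' % ip_wan_remote)
            print('  identity local address %s' % ip_wan_local)
            print('  authentication local pre-share')
            print('  authentication remote pre-share')
            print('  keyring local %s' % key)

            print('# IPSec transform-set')
            print('crypto ipsec transform-set %s esp-aes 256 esp-sha256-hmac' % transform_set)

            print('# crypto map')
            print('crypto map %s 10 ipsec-isakmp' % crypto_map)
            print(' set peer %s' % ip_wan_remote)
            print(' set transform-set %s' % transform_set)
            print(' set ikev2-profile %s' % profile)
            print(' match address %s' % traffic_acl)

            print('# wan subinterface')
            print('interface %s' % subinterface_wan)
            print('  encapsulation dot1q %s' % vlan_wan)
            print('  ip address %s %s' % (ip_wan_local, self.__netmask__))
            print('  crypto map %s' % crypto_map)

            print('# lan subinterface')
            print('interface %s' % subinterface_lan)
            print('  encapsulation dot1q %s' % vlan_lan)
            print('  ip address %s %s' % (ip_lan_local, self.__netmask__))

            # Host route to the peer's LAN address via its WAN address.
            print('ip route %s 255.255.255.255 %s' % (ip_lan_remote, ip_wan_remote))

        # `end` used to be printed inside the loop, which left config mode after
        # the first tunnel so IOS would reject every later tunnel's lines.
        print('end')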
    	
    	
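def printHelp():
    """Print command-line usage to stderr and return -1.

    Usage text goes to stderr so that it never ends up in a redirected
    config file: the generated IOS CLI is the only thing written to stdout.

    Returns:
        -1, so callers can use the value as a failure status if they wish.
    """
    sys.stderr.write('\nError running command!\n\n\n')
    sys.stderr.write('Please run it as following indication:\n')
    sys.stderr.write('COMMAND <tunnel number> [mode]\n\n')
    sys.stderr.write('For Example:\n')
    sys.stderr.write('    python IPSecConfigScale.py 10 ikev2\n\n\n')
    return -1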

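if __name__ == "__main__":
    # Usage: COMMAND [<tunnel number> [mode]]; defaults are 10 tunnels, ikev2.
    numargs = len(sys.argv) - 1

    if numargs == 0:
        tunnel = 10
        mode = 'ikev2'
    elif numargs == 1:
        tunnel = sys.argv[1]
        mode = 'ikev2'
    elif numargs == 2:
        tunnel = sys.argv[1]
        mode = sys.argv[2]
    else:
        printHelp()
        sys.exit(1)

    # Reject a non-numeric tunnel count here instead of letting int() raise a
    # traceback from inside IPSecConfigScale.__init__.
    try:
        tunnel = int(tunnel)
    except ValueError:
        printHelp()
        sys.exit(1)

    scale = IPSecConfigScale(tunnel, mode)
    scale.run()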


