Cisco Router 的IPSec配置很复杂,如果需要生成多条tunnel的配置的时候,需要很大的工作量
简单写了一个脚本来生成,看看结果如何吧
Limitation:
1. 支持IKEv2
2. 只能在Cisco IOS router上运行
3. Topology: site to site
Benefit:
同时生成A和B两个router的配置,赞吧?
运行方法:
[asr@30_208 ~]$ python ikev2_config_scale.py 2 ikev2
from xml.dom import minidom
from ftplib import FTP
import telnetlib
import sys
import time
import logging
import os
import re
import platform
import string
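class IPSecConfigScale:
    """Generate paired site-to-site IKEv2/IPsec CLI for two Cisco IOS routers.

    One instance holds the addressing plan (WAN/LAN prefixes, VLAN bases and
    sub-interface names). run() prints the configuration of router A
    (role 1) and then router B (role 2) to stdout, one tunnel per index:
    the tunnel index becomes the third octet of every generated address and
    the offset of every generated VLAN.
    """

    def __init__(self, tunnel, mode, psk='cisco123'):
        """Store the tunnel count, the mode and the addressing plan.

        Args:
            tunnel: number of tunnels to generate; passed through int(), so a
                non-numeric value raises ValueError here.
            mode: only 'ikev2' is handled by run(); anything else is reported
                as unsupported.
            psk: pre-shared key written into every keyring. The default is the
                literal the script has always emitted and is only fit for a
                lab; override it instead of editing the generated text.
        """
        self.__tunnel_number__ = int(tunnel)
        self.__mode__ = mode
        self.__psk__ = psk
        self.__vlan_start__ = 2000
        self.__ip_wan_A__ = '50.1.'
        # Both routers sit on the same WAN /24 per tunnel; role picks .1 or .2.
        self.__ip_wan_B__ = self.__ip_wan_A__
        self.__ip_lan_A__ = '172.16.'
        self.__ip_lan_B__ = '172.17.'
        self.__netmask__ = '255.255.255.0'
        self.__wildcard__ = '0.0.0.255'
        self.__interface_lan_A__ = 'GigabitEthernet2.'
        self.__interface_wan_A__ = 'GigabitEthernet3.'
        self.__interface_lan_B__ = 'GigabitEthernet2.'
        self.__interface_wan_B__ = 'GigabitEthernet3.'
        self.__vlan_lan_A__ = 2000
        self.__vlan_wan__ = 3000
        self.__vlan_lan_B__ = 4000
        self.__eigrp_as__ = 1000

    def run(self):
        """Print the configuration for both routers, or a diagnostic.

        Nothing is generated when the tunnel count is 255 or more (the index
        is used as an IPv4 octet, so it cannot be addressed) or when the mode
        is not 'ikev2'. Returns None in every case.
        """
        print('tunnel is %s' % self.__tunnel_number__)
        print('mode is %s' % self.__mode__)
        if self.__tunnel_number__ >= 255:
            # Previously only printed and then generated invalid addresses.
            print('ERROR, %s is not supported' % self.__tunnel_number__)
            return
        if self.__mode__ != 'ikev2':
            # Previously read the module-level name `mode` and printed the
            # format string without its argument.
            print('%s is not supported' % self.__mode__)
            return
        # Router A (role 1) and router B (role 2) each see the other's LAN
        # as the remote side; the WAN prefix and WAN VLAN range are shared.
        self.__scale_ikev2_config__(ip_lan_local_in=self.__ip_lan_A__,
                                    ip_wan=self.__ip_wan_A__,
                                    ip_lan_remote_in=self.__ip_lan_B__,
                                    interface_lan=self.__interface_lan_A__,
                                    interface_wan=self.__interface_wan_A__,
                                    vlan_lan_in=self.__vlan_lan_A__,
                                    vlan_wan_in=self.__vlan_wan__,
                                    role=1)
        self.__scale_ikev2_config__(ip_lan_local_in=self.__ip_lan_B__,
                                    ip_wan=self.__ip_wan_B__,
                                    ip_lan_remote_in=self.__ip_lan_A__,
                                    interface_lan=self.__interface_lan_B__,
                                    interface_wan=self.__interface_wan_B__,
                                    vlan_lan_in=self.__vlan_lan_B__,
                                    vlan_wan_in=self.__vlan_wan__,
                                    role=2)

    def __scale_ikev2_config__(self, ip_lan_local_in='172.16.',
                               ip_wan='50.1.',
                               ip_lan_remote_in='60.1.',
                               interface_lan='GigabitEthernet2.',
                               interface_wan='GigabitEthernet3.',
                               vlan_lan_in=2000,
                               vlan_wan_in=3000,
                               role=1):
        """Print the IKEv2/IPsec CLI of one router for every tunnel index.

        Args:
            ip_lan_local_in: this router's LAN prefix ('a.b.'); the tunnel
                index becomes the third octet and the host is .1.
            ip_wan: WAN prefix shared by both routers ('a.b.').
            ip_lan_remote_in: the peer router's LAN prefix ('a.b.').
            interface_lan: LAN parent interface name including the trailing
                dot; the LAN VLAN id is appended as the sub-interface number.
            interface_wan: WAN parent interface name, same convention.
            vlan_lan_in: first LAN VLAN id; the tunnel index is added to it.
            vlan_wan_in: first WAN VLAN id; the tunnel index is added to it.
            role: 1 takes .1 on each WAN subnet and peers with .2; any other
                value takes .2 and peers with .1.
        """
        print('###################################')
        print('###################################')
        print('# config for Cisco Router(role: %s):' % role)
        print('configure terminal')
        for it in range(self.__tunnel_number__):
            for line in self._tunnel_lines(it, ip_lan_local_in, ip_wan,
                                           ip_lan_remote_in, interface_lan,
                                           interface_wan, vlan_lan_in,
                                           vlan_wan_in, role):
                print(line)
        print('end')

    def _tunnel_lines(self, it, ip_lan_local_in, ip_wan, ip_lan_remote_in,
                      interface_lan, interface_wan, vlan_lan_in, vlan_wan_in,
                      role):
        """Return the CLI lines for tunnel index *it* as a list of strings.

        Arguments have the meaning documented on __scale_ikev2_config__.
        The text is the script's contract with its users, so object names
        and command spellings are kept exactly as they were.
        """
        proposal = 'IKEv2Proposal%s' % it
        policy = 'IKEv2Policy%s' % it
        key = 'KEY%s' % it
        peer = 'PEER%s' % it
        profile = 'IKEv2Profile%s' % it
        transform_set = 'TS%s' % it
        crypto_map = 'CMAP%s' % it  # was `map`, which shadowed the builtin
        vlan_lan = vlan_lan_in + it
        vlan_wan = vlan_wan_in + it
        # Both ends share the WAN /24 for this tunnel; role 1 is .1, the other .2.
        local_host, remote_host = ('1', '2') if role == 1 else ('2', '1')
        ip_wan_local = '%s%s.%s' % (ip_wan, it, local_host)
        ip_wan_remote = '%s%s.%s' % (ip_wan, it, remote_host)
        ip_lan_local = '%s%s.1' % (ip_lan_local_in, it)
        ip_lan_remote = '%s%s.1' % (ip_lan_remote_in, it)
        subinterface_lan = '%s%s' % (interface_lan, vlan_lan)
        subinterface_wan = '%s%s' % (interface_wan, vlan_wan)
        traffic_acl = 'traffic_acl_%s' % it
        return [
            # Crypto ACL: matches on the two LAN host addresses only, so only
            # router-originated traffic between the /24 gateways is protected.
            '# traffic ACL',
            'ip access-list extended %s' % traffic_acl,
            ' permit ip host %s any' % ip_lan_local,
            ' permit ip host %s any' % ip_lan_remote,
            # NOTE: 3des and DH group 2 are legacy choices; they are kept so
            # the emitted config does not change, but a non-lab deployment
            # should pick current algorithms here.
            '# IKEv2 proposal',
            'crypto ikev2 proposal %s' % proposal,
            ' encryption 3des',
            ' integrity sha512',
            ' group 2',
            '# IKEv2 policy',
            'crypto ikev2 policy %s' % policy,
            ' proposal %s' % proposal,
            # The PSK comes from the constructor instead of a literal so the
            # generated text does not have to be edited to rotate it.
            '# IKEv2 keyring',
            'crypto ikev2 keyring %s' % key,
            ' peer %s' % peer,
            ' address %s' % ip_wan_remote,
            ' pre-shared-key local %s' % self.__psk__,
            ' pre-shared-key remote %s' % self.__psk__,
            '# IKEv2 profile',
            'crypto ikev2 profile %s' % profile,
            ' match identity remote address %s 255.255.255.255' % ip_wan_remote,
            ' identity local address %s' % ip_wan_local,
            ' authentication local pre-share',
            ' authentication remote pre-share',
            ' keyring local %s' % key,
            '# IPSec transform-set',
            'crypto ipsec transform-set %s esp-aes 256 esp-sha256-hmac' % transform_set,
            '# crypto map',
            'crypto map %s 10 ipsec-isakmp' % crypto_map,
            ' set peer %s' % ip_wan_remote,
            ' set transform-set %s' % transform_set,
            ' set ikev2-profile %s' % profile,
            ' match address %s' % traffic_acl,
            '# wan subinterface',
            'interface %s' % subinterface_wan,
            ' encapsulation dot1q %s' % vlan_wan,
            ' ip address %s %s' % (ip_wan_local, self.__netmask__),
            ' crypto map %s' % crypto_map,
            '# lan subinterface',
            'interface %s' % subinterface_lan,
            ' encapsulation dot1q %s' % vlan_lan,
            ' ip address %s %s' % (ip_lan_local, self.__netmask__),
            # Host route to the peer's LAN gateway via its WAN address.
            'ip route %s 255.255.255.255 %s' % (ip_lan_remote, ip_wan_remote),
        ]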
def printHelp():
    """Print the command-line usage text and return -1.

    The return value is a conventional failure code; the caller decides
    whether to exit.
    """
    usage = [
        '\nError running command!\n\n',
        'Please run it as following indication:',
        'COMMAND <tunnel number> [mode]\n',
        'For Example:',
        ' python IPSecConfigScale.py 10 ikev2\n\n',
    ]
    for text in usage:
        print(text)
    return -1
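if __name__ == "__main__":
    # Usage: COMMAND <tunnel number> [mode]; defaults are 10 tunnels, IKEv2.
    numargs = len(sys.argv) - 1
    if numargs == 0:
        tunnel, mode = 10, 'ikev2'
    elif numargs == 1:
        tunnel, mode = sys.argv[1], 'ikev2'
    elif numargs == 2:
        tunnel, mode = sys.argv[1], sys.argv[2]
    else:
        printHelp()
        sys.exit(1)
    try:
        scale = IPSecConfigScale(tunnel, mode)
    except ValueError:
        # A non-numeric tunnel count previously surfaced as an int() traceback.
        printHelp()
        sys.exit(1)
    scale.run()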