This lab only presents an IPsec site-to-site configuration; it does not give a detailed explanation.
The lab is built from three 7200-platform routers, with the port connections as shown in the figure above; R1 and R3 have loopbacks 1.1.1.1 and 3.3.3.3. EIGRP runs across the whole network so that every interface is reachable.
R1:
R1#conf t
R1(config)#int f0/0
R1(config-if)#ip add 10.10.12.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#int loo0
R1(config-if)#ip add 1.1.1.1 255.255.255.0
R1(config-if)#no sh
R2:
R2#conf t
R2(config)#int f0/1
R2(config-if)#ip add 10.10.12.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#int f0/0
R2(config-if)#ip add 10.10.23.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#int loo0
R2(config-if)#ip add 2.2.2.2 255.255.255.0
R2(config-if)#no sh
R3:
R3#conf t
R3(config)#int f0/1
R3(config-if)#ip add 10.10.23.3 255.255.255.0
R3(config-if)#no sh
R3(config-if)#int lo0
R3(config-if)#ip add 3.3.3.3 255.255.255.0
R3(config-if)#no sh
R1:
R1(config)#router eigrp 1
R1(config-router)#net 1.1.1.0
R1(config-router)#net 10.10.12.0
R2:
R2(config)#router eigrp 1
R2(config-router)#net 2.2.2.0
R2(config-router)#net 10.10.12.0
R2(config-router)#net 10.10.23.0
R3:
R3(config)#router eigrp 1
R3(config-router)#net 3.3.3.0
R3(config-router)#net 10.10.23.0
R1(config)#crypto isakmp policy 10 // define the phase 1 (ISAKMP) SA policy
R1(config-isakmp)#authentication pre-share // authenticate the peer with a pre-shared key
R1(config-isakmp)#encryption ?
3des Three key triple DES
aes AES - Advanced Encryption Standard.
des DES - Data Encryption Standard (56 bit keys).
R1(config-isakmp)#encryption 3des // encryption algorithm: 3DES
R1(config-isakmp)#group 5
R1(config-isakmp)#hash sha // hash algorithm: SHA
R1(config-isakmp)#exit
R1(config)#crypto isakmp key cisco address 10.10.23.3 // define the pre-shared key and the peer IP address
R1(config)#access-list 100 permit ip host 1.1.1.1 host 3.3.3.3 // define the crypto ACL, i.e. select the traffic to be encrypted
R1(config)#crypto ipsec transform-set myset esp-3des esp-sha-hmac // define the transform set
R1(cfg-crypto-trans)#crypto map mymap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#set peer 10.10.23.3
R1(config-crypto-map)#set transform-set myset
R1(config-crypto-map)#match address 100
R1(config-crypto-map)#exit
// the commands above define a crypto map
R1(config)#int f0/0
R1(config-if)#crypto map mymap // apply crypto map mymap to interface F0/0
Likewise, because this IPsec configuration is also one-directional, the return traffic must be configured on R3.
R3(config)#crypto isakmp policy 10
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#encryption 3des
R3(config-isakmp)#group 5
R3(config-isakmp)#hash sha
R3(config-isakmp)#exit
R3(config)#crypto isakmp key cisco address 10.10.12.1
R3(config)#access-list 100 permit ip host 3.3.3.3 host 1.1.1.1
R3(config)#crypto ipsec transform-set myset esp-3des esp-sha-hmac
R3(cfg-crypto-trans)#exit
R3(config)#crypto map mymap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R3(config-crypto-map)#set peer 10.10.12.1
R3(config-crypto-map)#set transform-set myset
R3(config-crypto-map)#match address 100
R3(config-crypto-map)#exit
R3(config)#int f0/1
R3(config-if)#crypto map mymap
R3(config-if)#
*May 16 15:45:44.459: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3(config-if)#exit
After the configuration is complete, note that the phase 1 and phase 2 authentication and encryption policies on both ends must match.
On R1, verify reachability to R3's loopback 3.3.3.3.
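The "both ends must match" requirement is easy to break with a typo, so the following added example (not part of the original lab) parses the crypto commands entered on R1 and R3, written as running-config lines without prompts, and checks what has to agree: an ISAKMP policy with identical authentication, encryption, hash and DH group; the same pre-shared key held for each other's address; the same transform set behind the crypto map; and mirror-image crypto ACLs. It also flags DES/3DES, MD5 and DH groups 1, 2 and 5 as legacy; that list is an assumed local policy, and the lab's 3DES and group 5 choices trigger it. The parser covers only the commands the lab uses.

```python
"""Consistency check for a pair of IOS IPsec/ISAKMP configurations (added example)."""
import re

# Constructed from the lab's R1 and R3 commands, in running-config form (no prompts).
R1_CONFIG = """
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 group 5
 hash sha
crypto isakmp key cisco address 10.10.23.3
access-list 100 permit ip host 1.1.1.1 host 3.3.3.3
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 10.10.23.3
 set transform-set myset
 match address 100
"""
R3_CONFIG = R1_CONFIG.replace("10.10.23.3", "10.10.12.1").replace(
    "host 1.1.1.1 host 3.3.3.3", "host 3.3.3.3 host 1.1.1.1")

# Assumed policy: these algorithms are reported as legacy.
LEGACY_ENC = {"des", "3des", "esp-des", "esp-3des"}
LEGACY_HASH = {"md5", "esp-md5-hmac"}
LEGACY_GROUPS = {"1", "2", "5"}


def parse_config(text):
    """Collect ISAKMP policies, pre-shared keys, crypto ACLs, transform sets and crypto maps."""
    cfg = {"policies": {}, "keys": {}, "acls": {}, "transform_sets": {}, "maps": {}}
    ctx = None  # (kind, dict) of the sub-mode we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            ctx = ("policy", cfg["policies"].setdefault(int(m[1]), {}))
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)$", line):
            cfg["keys"][m[2]] = m[1]
            ctx = None
        elif m := re.match(r"access-list (\d+) permit ip host (\S+) host (\S+)$", line):
            cfg["acls"].setdefault(int(m[1]), []).append((m[2], m[3]))
            ctx = None
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            cfg["transform_sets"][m[1]] = frozenset(m[2].split())
            ctx = None
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", line):
            ctx = ("map", cfg["maps"].setdefault((m[1], int(m[2])), {}))
        elif not raw.startswith(" "):
            ctx = None  # some other global command ends the sub-mode
        elif ctx and ctx[0] == "policy":
            words = line.split()
            ctx[1][words[0]] = " ".join(words[1:])  # e.g. "encryption" -> "3des"
        elif ctx and ctx[0] == "map":
            words = line.split()
            if words[:2] == ["set", "peer"]:
                ctx[1]["peer"] = words[2]
            elif words[:2] == ["set", "transform-set"]:
                ctx[1]["transform_set"] = words[2]
            elif words[:2] == ["match", "address"]:
                ctx[1]["acl"] = int(words[2])
    return cfg


def phase1_tuple(policy):
    """Attributes IKE compares; missing lines take the classic IOS defaults."""
    return (policy.get("authentication", "rsa-sig"), policy.get("encryption", "des"),
            policy.get("hash", "sha"), policy.get("group", "1"))


def check_pair(text_a, text_b):
    """Return (problems, warnings); an empty problems list means the two ends agree."""
    a, b = parse_config(text_a), parse_config(text_b)
    problems, warnings = [], []
    if not a["maps"] or not b["maps"]:
        return ["a side has no crypto map"], warnings
    # Phase 1: at least one policy must agree on all four attributes.
    common = ({phase1_tuple(p) for p in a["policies"].values()}
              & {phase1_tuple(p) for p in b["policies"].values()})
    if not common:
        problems.append("no ISAKMP policy matches on authentication/encryption/hash/group")
    # Assumption: one crypto-map entry per side, as in the lab; pair the lowest sequence numbers.
    map_a, map_b = a["maps"][min(a["maps"])], b["maps"][min(b["maps"])]
    addr_b, addr_a = map_a.get("peer"), map_b.get("peer")  # each 'set peer' names the other side
    # Pre-shared key: each side needs a key for the other's address, and the keys must be equal.
    key_a, key_b = a["keys"].get(addr_b), b["keys"].get(addr_a)
    if key_a is None or key_b is None:
        problems.append("a side lacks 'crypto isakmp key ... address' for its peer")
    elif key_a != key_b:
        problems.append("pre-shared keys differ between the two sides")
    # Phase 2: the transform sets bound to the maps must carry the same algorithms.
    ts_a = a["transform_sets"].get(map_a.get("transform_set"), frozenset())
    ts_b = b["transform_sets"].get(map_b.get("transform_set"), frozenset())
    if not ts_a or ts_a != ts_b:
        problems.append(f"transform sets differ: {sorted(ts_a)} vs {sorted(ts_b)}")
    # Crypto ACLs must mirror each other so both sides select the same interesting traffic.
    acl_b = b["acls"].get(map_b.get("acl"), [])
    for src, dst in a["acls"].get(map_a.get("acl"), []):
        if (dst, src) not in acl_b:
            problems.append(f"ACL entry {src}->{dst} has no mirror {dst}->{src} on the other side")
    # Legacy algorithm warnings (assumed policy).
    for cfg in (a, b):
        for p in cfg["policies"].values():
            if (p.get("encryption") in LEGACY_ENC or p.get("hash") in LEGACY_HASH
                    or p.get("group", "1") in LEGACY_GROUPS):
                warnings.append(f"phase 1 policy uses legacy algorithms: {phase1_tuple(p)}")
        for name, algs in cfg["transform_sets"].items():
            if algs & (LEGACY_ENC | LEGACY_HASH):
                warnings.append(f"transform set {name} uses legacy algorithms: {sorted(algs)}")
    return problems, warnings


if __name__ == "__main__":
    for line in sum(check_pair(R1_CONFIG, R3_CONFIG), []):
        print(line)
```

Run against the lab's two configs the problems list is empty and four legacy warnings are printed (3DES in each policy and each transform set); changing one side's hash, key or ACL produces a corresponding problem.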
R1#ping 3.3.3.3 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/93/108 ms
R1#
The command above displays the phase 1 SA.
R1#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: mymap, local addr 10.10.12.1
protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/0/0)
current_peer 10.10.23.3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 10.10.12.1, remote crypto endpt.: 10.10.23.3
path mtu 1500, ip mtu 1500
current outbound spi: 0x77DBD158(2010894680)
inbound esp sas:
spi: 0x58A96EBA(1487498938)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4552411/2905)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x77DBD158(2010894680)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4552411/2896)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
The command above displays the phase 2 SA.
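Reading the phase 2 SA output by eye works for one tunnel; for routine checks it helps to parse it. The following added example (not from the original lab) parses the R1 `show crypto ipsec sa` output shown above and assesses the tunnel: both ESP SAs ACTIVE, the negotiated transform equal to what was configured, tunnel mode, replay detection on, a sane remaining lifetime, and, given an earlier snapshot, encaps/decaps counters that actually advance. The expected transform, the peer address and the second snapshot are assumptions constructed for the check.

```python
"""Parse 'show crypto ipsec sa' output and assess tunnel health (added example)."""
import re

# The R1 output shown in the lab, with the parts this parser uses.
SAMPLE = """interface: FastEthernet0/0
    Crypto map tag: mymap, local addr 10.10.12.1
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/0/0)
   current_peer 10.10.23.3 port 500
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #send errors 1, #recv errors 0
     current outbound spi: 0x77DBD158(2010894680)
     inbound esp sas:
      spi: 0x58A96EBA(1487498938)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        sa timing: remaining key lifetime (k/sec): (4552411/2905)
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x77DBD158(2010894680)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        sa timing: remaining key lifetime (k/sec): (4552411/2896)
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
"""


def parse_ipsec_sa(text):
    """Return identities, packet counters and per-direction ESP SA details."""
    sa = {"inbound": {}, "outbound": {}}
    direction = None  # which ESP SA block we are inside
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"local\s+ident.*:\s*\((\S+?)/", s):
            sa["local_ident"] = m[1]
        elif m := re.match(r"remote\s+ident.*:\s*\((\S+?)/", s):
            sa["remote_ident"] = m[1]
        elif m := re.match(r"current_peer (\S+)", s):
            sa["peer"] = m[1]
        elif m := re.match(r"#pkts encaps: (\d+)", s):
            sa["encaps"] = int(m[1])
        elif m := re.match(r"#pkts decaps: (\d+)", s):
            sa["decaps"] = int(m[1])
        elif m := re.match(r"#send errors (\d+), #recv errors (\d+)", s):
            sa["send_errors"], sa["recv_errors"] = int(m[1]), int(m[2])
        elif s.startswith("inbound esp sas"):
            direction = "inbound"
        elif s.startswith("outbound esp sas"):
            direction = "outbound"
        elif s.startswith(("inbound ah", "inbound pcp", "outbound ah", "outbound pcp")):
            direction = None
        elif direction:
            d = sa[direction]
            if m := re.match(r"spi: (0x[0-9A-Fa-f]+)", s):
                d["spi"] = m[1]
            elif m := re.match(r"transform: (.+?)\s*,", s):
                d["transform"] = frozenset(m[1].split())
            elif m := re.match(r"in use settings =\{(\w+)", s):
                d["mode"] = m[1]
            elif m := re.match(r"sa timing: .*\((\d+)/(\d+)\)", s):
                d["kb_left"], d["sec_left"] = int(m[1]), int(m[2])
            elif m := re.match(r"replay detection support: (\w)", s):
                d["replay"] = m[1] == "Y"
            elif m := re.match(r"Status: (\w+)", s):
                d["status"] = m[1]
    return sa


def assess(sa, expected_transform, expected_peer, previous=None):
    """Return findings for an SA pair; an empty list means it looks healthy."""
    findings = []
    if sa.get("peer") != expected_peer:
        findings.append(f"peer is {sa.get('peer')}, expected {expected_peer}")
    for direction in ("inbound", "outbound"):
        d = sa[direction]
        if d.get("status") != "ACTIVE":
            findings.append(f"{direction} SA status is {d.get('status')}")
        if d.get("transform") != frozenset(expected_transform):
            findings.append(f"{direction} SA transform {sorted(d.get('transform', []))} != expected")
        if d.get("mode") != "Tunnel":
            findings.append(f"{direction} SA is not in tunnel mode")
        if not d.get("replay"):
            findings.append(f"{direction} SA has replay detection off")
        if d.get("sec_left", 0) < 120:  # rekey imminent or lifetime not parsed
            findings.append(f"{direction} SA lifetime nearly exhausted: {d.get('sec_left')} s left")
    if previous is not None:
        # Between two snapshots both counters should advance if traffic really flows both ways.
        if (sa.get("encaps", 0) <= previous.get("encaps", 0)
                or sa.get("decaps", 0) <= previous.get("decaps", 0)):
            findings.append("encaps/decaps counters did not advance since the previous snapshot")
    return findings


if __name__ == "__main__":
    print(assess(parse_ipsec_sa(SAMPLE), ["esp-3des", "esp-sha-hmac"], "10.10.23.3"))
```

Comparing two snapshots taken a few seconds apart is the useful part: an ACTIVE SA whose counters never move usually means the crypto ACL or routing is not steering traffic into the tunnel, which a single `show` cannot reveal.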