LAN to LAN IPSEC ××× 的配置报告
这次实验报告以配置和查看现象为主,原理部分后续会在原理篇中,敬请关注。
【实验拓扑】
【实验要求】
1. 虚拟PC1 所连接的内网(192.168.12.0)通过 IPSEC-××× 方式访问 R3 所连接的内网(192.168.23.0);
2.在第一步骤的基础上,实现 R1 所连接的内网(192.168.12.0)和 R3 所连接的内网(192.168.23.0)能通过 NAT 转换访问外网,而 R1 所连接的内网(192.168.12.0)仍然通过 IPSEC-××× 方式访问 R3 所连接的内网(192.168.23.0)。
【实验配置】
要求1配置:
1)PC1上配置ip地址和网关。
2)R1上的主要配置:
crypto isakmp policy 10 先定义IKE策略集
hash md5 定义散列算法
authentication pre-share 定义认证算法
encryption des 定义加密方式
crypto isakmp key speedfull address 23.23.23.3 指定协商密钥和对等体ip
crypto ipsec transform-set sf esp-des esp-md5-hmac 再定义ipsec策略(esp为封装类型)
crypto map sf 10 ipsec-isakmp
match address 120 定义需要加密的数据流
set peer 23.23.23.3
set transform-set sf
access-list 120 permit ip 192.168.12.0 0.0.0.255 192.168.23.0 0.0.0.255
int s1/0
crypto map sf (将加密图应用到接口)
hash md5 定义散列算法
authentication pre-share 定义认证算法
encryption des 定义加密方式
crypto isakmp key speedfull address 23.23.23.3 指定协商密钥和对等体ip
crypto ipsec transform-set sf esp-des esp-md5-hmac 再定义ipsec策略(esp为封装类型)
crypto map sf 10 ipsec-isakmp
match address 120 定义需要加密的数据流
set peer 23.23.23.3
set transform-set sf
access-list 120 permit ip 192.168.12.0 0.0.0.255 192.168.23.0 0.0.0.255
int s1/0
crypto map sf (将加密图应用到接口)
R1上还要配置一条默认路由,ip route 0.0.0.0 0.0.0.0 s1/0 使得能与外网连通。
3)同理R3上的配置类似。
几个查看命令可以看你配置的是否正确:
*********isakmp相关内容********
R1#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
R1#show crypto isakmp peers
Peer: 23.23.23.3 Port: 500 Local: 12.12.12.1
Phase1 id: 23.23.23.3
R1#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
R1#show crypto isakmp sa
dst src state conn-id slot status
12.12.12.1 23.23.23.3 QM_IDLE 1 0 ACTIVE
Global IKE policy
Protection suite of priority 10
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
R1#show crypto isakmp peers
Peer: 23.23.23.3 Port: 500 Local: 12.12.12.1
Phase1 id: 23.23.23.3
R1#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
R1#show crypto isakmp sa
dst src state conn-id slot status
12.12.12.1 23.23.23.3 QM_IDLE 1 0 ACTIVE
*********ipsec相关内容************
R1#show crypto ipsec client ez***
Easy ××× Remote Phase: 4 ---这个是什么意思 ,还不是很清楚。
R1#show crypto ipsec sa
interface: Serial1/0
Crypto map tag: sf, local addr 12.12.12.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.12.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.23.0/255.255.255.0/0/0)
current_peer 23.23.23.3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 96, #pkts encrypt: 96, #pkts digest: 96
#pkts decaps: 105, #pkts decrypt: 105, #pkts verify: 105
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 6, #recv errors 0
local crypto endpt.: 12.12.12.1, remote crypto endpt.: 23.23.23.3
path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0
current outbound spi: 0xC1E4CEB7(3252997815)
inbound esp sas:
spi: 0x9F566494(2673239188)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: sf
sa timing: remaining key lifetime (k/sec): (4540031/1720)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xC1E4CEB7(3252997815)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: sf
sa timing: remaining key lifetime (k/sec): (4540032/1719)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R1# show crypto ipsec transform-set
Transform set sf: { esp-des esp-md5-hmac }
will negotiate = { Tunnel, },
Easy ××× Remote Phase: 4 ---这个是什么意思 ,还不是很清楚。
R1#show crypto ipsec sa
interface: Serial1/0
Crypto map tag: sf, local addr 12.12.12.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.12.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.23.0/255.255.255.0/0/0)
current_peer 23.23.23.3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 96, #pkts encrypt: 96, #pkts digest: 96
#pkts decaps: 105, #pkts decrypt: 105, #pkts verify: 105
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 6, #recv errors 0
local crypto endpt.: 12.12.12.1, remote crypto endpt.: 23.23.23.3
path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0
current outbound spi: 0xC1E4CEB7(3252997815)
inbound esp sas:
spi: 0x9F566494(2673239188)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: sf
sa timing: remaining key lifetime (k/sec): (4540031/1720)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xC1E4CEB7(3252997815)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: sf
sa timing: remaining key lifetime (k/sec): (4540032/1719)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R1# show crypto ipsec transform-set
Transform set sf: { esp-des esp-md5-hmac }
will negotiate = { Tunnel, },
********map的相关内容*************
R1#show crypto map
Crypto Map "sf" 10 ipsec-isakmp
Peer = 23.23.23.3
Extended IP access list 120
access-list 120 permit ip 192.168.12.0 0.0.0.255 192.168.23.0 0.0.0.255
Current peer: 23.23.23.3
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
sf,
}
Interfaces using crypto map sf:
Serial1/0
Crypto Map "sf" 10 ipsec-isakmp
Peer = 23.23.23.3
Extended IP access list 120
access-list 120 permit ip 192.168.12.0 0.0.0.255 192.168.23.0 0.0.0.255
Current peer: 23.23.23.3
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
sf,
}
Interfaces using crypto map sf:
Serial1/0
现在用测试一下:
如果没有设置***,虚拟pc是不能ping到pc2的。
pc2#ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 108/166/264 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 108/166/264 ms
通过查看命令和ping测试,证明***已经连通。第一步要求完成。
要求2配置:
如果使用了NAT,那么在出口处,ip的源地址将被修改,如果不设置,数据包将被丢弃,因为***是不允许数据包被修改的。使用访问控制列表实现:
nat的配置这里不再说明。
如果这样配置,将出现ping不通情况,因为源地址被改了。
看以下debug说明:
ip nat inside source list 1 interface Serial1/0 overload
!
access-list 1 permit any
d via RIB
*Mar 1 01:33:10.183: IP: s=192.168.23.2 (local), d=192.168.12.1 (FastEthernet0/0), len 100, sending
*Mar 1 01:33:10.403: IP: s=23.23.23.2 (FastEthernet0/0), d=192.168.23.2, len 56, rcvd 1
*Mar 1 01:33:10.407: IP: tableid=0, s=192.168.23.2 (local), d=192.168.12.1 (FastEthernet0/0), route
!
access-list 1 permit any
d via RIB
*Mar 1 01:33:10.183: IP: s=192.168.23.2 (local), d=192.168.12.1 (FastEthernet0/0), len 100, sending
*Mar 1 01:33:10.403: IP: s=23.23.23.2 (FastEthernet0/0), d=192.168.23.2, len 56, rcvd 1
*Mar 1 01:33:10.407: IP: tableid=0, s=192.168.23.2 (local), d=192.168.12.1 (FastEthernet0/0), route
源地址被修改成了23.23.23.2
pc2#ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
所以应该这样配置,建个访问控制列表,让端到断的网段出去的时候不进行nat转换。
ip nat inside source list 101 interface Serial1/0 overload
!
access-list 101 deny ip 192.168.12.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 101 permit ip 192.168.12.0 0.0.0.255 any
!
access-list 101 deny ip 192.168.12.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 101 permit ip 192.168.12.0 0.0.0.255 any
这样就可以ping通了。
【实验总结】
实验配置比较多,但是只要了解了大概的思路就不难。
首先要建一条安全的通信信道,通过isakmp,设定相关参数就可以(两边要一样,如果不一样,它会自动寻找一样的策略集)。
然后就是选择ipsec的加密方式,esp或是ah,设定相关参数即可。
最后就是注意nat的问题。
由于是初学,理解没那么深,有什么错误的地方,还请大家指出。