VPN series: ISAKMP Profile VPN
R1 ---------------------------- R5
.1        200.100.1.0/24      .2
R2 ---------------------------- R5   (R5 simulates the ISP)
.1        200.100.2.0/24      .2
R3 ---------------------------- R5
.1        200.100.3.0/24      .2
Advantages: in an enterprise with many branch offices, a plain IPsec VPN cannot meet the requirement, because a plain IPsec VPN hard-codes the peer in a single command. An ISAKMP Profile VPN lets headquarters connect to multiple branches, which both saves cost and improves security!
Detailed configuration:
R1:
Building configuration...
Current configuration : 1930 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
ip cef
!
!
crypto keyring cisco
  pre-shared-key address 200.100.2.1 key 6 cisco
crypto keyring cisco1
  pre-shared-key address 200.100.3.1 key 6 cisco
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp profile cisco
   keyring cisco
   keyring cisco1
   match identity address 200.100.2.1 255.255.255.255
   match identity address 200.100.3.1 255.255.255.255
!
!
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
!
!
crypto map tor2 1 ipsec-isakmp
 set peer 200.100.2.1
 set peer 200.100.3.1
 set transform-set cisco
 set isakmp-profile cisco
 match address 100
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 200.100.1.1 255.255.255.0
 serial restart-delay 0
 no dce-terminal-timing-enable
 crypto map tor2
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 200.100.1.2
!
!
ip http server
no ip http secure-server
!
access-list 100 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
access-list 100 permit ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
end
R2:
Building configuration...
Current configuration : 1548 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
ip cef
no ip domain lookup
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 6 cisco address 200.100.1.1
!
!
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
!
crypto map tor1 1 ipsec-isakmp
 set peer 200.100.1.1
 set transform-set cisco
 match address 100
!
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 200.100.2.1 255.255.255.0
 serial restart-delay 0
 no dce-terminal-timing-enable
 crypto map tor1
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 200.100.2.2
!
!
ip http server
no ip http secure-server
!
access-list 100 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
!
end
R3:
Current configuration : 1546 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
ip cef
!
!
no ip domain lookup
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 6 cisco address 200.100.1.1
!
!
crypto ipsec transform-set tor1 esp-3des esp-md5-hmac
!
crypto map tor1 1 ipsec-isakmp
 set peer 200.100.1.1
 set transform-set tor1
 match address 100
!
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 200.100.3.1 255.255.255.0
 serial restart-delay 0
 no dce-terminal-timing-enable
 crypto map tor1
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 200.100.3.2
!
!
ip http server
no ip http secure-server
!
access-list 100 permit ip 3.3.3.0 0.0.0.255 1.1.1.0 0.0.0.255
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
!
end
R5 (simulating the ISP):
Current configuration : 1168 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ISP
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
ip cef
!
no ip domain lookup
!
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 200.100.1.2 255.255.255.0
 serial restart-delay 0
 clock rate 64000
 no dce-terminal-timing-enable
!
interface Serial1/1
 ip address 200.100.2.2 255.255.255.0
 serial restart-delay 0
 clock rate 64000
 no dce-terminal-timing-enable
!
interface Serial1/2
 ip address 200.100.3.2 255.255.255.0
 serial restart-delay 0
 clock rate 64000
 no dce-terminal-timing-enable
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
ip classless
!
!
ip http server
no ip http secure-server
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
!
end
Verification:
R2 pings R1:
R2#ping 1.1.1.1 source 2.2.2.2 repeat 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 112/249/436 ms
R3 pings R1:
R3#ping 1.1.1.1 source 3.3.3.3 r 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 20/228/352 ms
Note: the two branch offices cannot ping each other. To achieve that, you need DMVPN (Dynamic Multipoint VPN).
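As an added example (not part of the original post), the following Python script applies the checks a reviewer would run over the hub-and-spoke configuration above before trusting the ping test: that every peer in R1's crypto map has both a keyring pre-shared key and a "match identity address" entry in the ISAKMP profile, that each spoke's crypto ACL mirrors the hub's entry for it (a proxy-identity mismatch fails phase 2 even when phase 1 succeeds), which site pairs have no crypto ACL coverage at all (the reason R2 and R3 cannot reach each other in this design), and which phase-1 settings (3DES, MD5, DH group 2) are legacy algorithms. The R1, R2 and R3 strings inside it are constructed abbreviations of the posted configs; the regular expressions assume IOS-style indentation and contiguous wildcard masks.

```python
"""Consistency checks for the hub-and-spoke IKEv1 crypto-map lab above.

Added example, not from the original post: the R1/R2/R3 snippets below are
constructed, abbreviated copies of the relevant lines of the posted configs.
"""
import re
from ipaddress import ip_address, ip_network
from itertools import combinations

R1 = """
crypto keyring cisco
 pre-shared-key address 200.100.2.1 key 6 cisco
crypto keyring cisco1
 pre-shared-key address 200.100.3.1 key 6 cisco
crypto isakmp policy 10
 encr 3des
 hash md5
 group 2
crypto isakmp profile cisco
 keyring cisco
 keyring cisco1
 match identity address 200.100.2.1 255.255.255.255
 match identity address 200.100.3.1 255.255.255.255
crypto map tor2 1 ipsec-isakmp
 set peer 200.100.2.1
 set peer 200.100.3.1
 set isakmp-profile cisco
 match address 100
access-list 100 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
access-list 100 permit ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
"""
R2 = "access-list 100 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255\n"
R3 = "access-list 100 permit ip 3.3.3.0 0.0.0.255 1.1.1.0 0.0.0.255\n"


def wildcard_to_network(addr, wildcard):
    """Convert a Cisco address/wildcard pair to a network (contiguous masks only)."""
    prefix = 32 - bin(int(ip_address(wildcard))).count("1")
    return ip_network(f"{addr}/{prefix}", strict=False)


def crypto_acl(cfg, acl_id):
    """Return the set of (src, dst) networks protected by an extended crypto ACL."""
    pat = re.compile(rf"^access-list {acl_id} permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)
    return {(wildcard_to_network(s, sm), wildcard_to_network(d, dm))
            for s, sm, d, dm in pat.findall(cfg)}


def hub_peer_status(cfg):
    """For each crypto-map peer: is there a keyring PSK and a profile 'match identity'?"""
    peers = set(re.findall(r"^ set peer (\S+)$", cfg, re.M))
    keyed = set(re.findall(r"^ pre-shared-key address (\S+) key", cfg, re.M))
    matched = set(re.findall(r"^ match identity address (\S+) 255\.255\.255\.255$", cfg, re.M))
    return {p: {"keyring": p in keyed, "profile": p in matched} for p in sorted(peers)}


def mirrored(hub_acl, spoke_acl):
    """Crypto ACLs must be mirror images: every spoke (src, dst) must be (dst, src) on the hub."""
    return bool(spoke_acl) and all((d, s) in hub_acl for s, d in spoke_acl)


def uncovered_site_pairs(*acls):
    """Site pairs with no crypto ACL entry in either direction, so no SA can ever be built."""
    covered = set()
    for acl in acls:
        for s, d in acl:
            covered.update({(s, d), (d, s)})
    sites = sorted({n for pair in covered for n in pair})
    return [(str(a), str(b)) for a, b in combinations(sites, 2) if (a, b) not in covered]


def legacy_isakmp_settings(cfg):
    """Flag phase-1 lines using algorithms that current guidance treats as legacy."""
    legacy = {"encr 3des", "hash md5", "group 2"}
    return sorted(line.strip() for line in cfg.splitlines() if line.strip() in legacy)


if __name__ == "__main__":
    hub = crypto_acl(R1, 100)
    print("hub peers:", hub_peer_status(R1))
    print("R2 mirrors R1:", mirrored(hub, crypto_acl(R2, 100)))
    print("R3 mirrors R1:", mirrored(hub, crypto_acl(R3, 100)))
    print("uncovered site pairs:", uncovered_site_pairs(hub, crypto_acl(R2, 100), crypto_acl(R3, 100)))
    print("legacy phase-1 settings on R1:", legacy_isakmp_settings(R1))
```

Run against the lab, the script reports both peers as keyed and matched, both spokes as mirrored, the single uncovered pair 2.2.2.0/24 to 3.3.3.0/24 (which is exactly what the note about DMVPN refers to), and the three legacy phase-1 settings. Feeding it a real "show running-config" only requires pasting the crypto and access-list sections into the strings.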