A simple Cisco IPSec configuration

An IPSec VPN can also provide tunnelling. Compared with openswan or Open on Linux, configuring an IPSec VPN on Cisco is fairly simple. Below, in a simulated network, private-network traffic is carried across an IPSec-encrypted tunnel.

The network topology is as follows:

[Figure 1: network topology (image not available)]

Site1 and Site2 each simulate a site; this is a site-to-site IPSec VPN. R2 (hostname Core in the configuration below) acts as the intermediate router and has no routes configured on it. The configurations of the three routers follow:

Site1:

Site1#show run
Building configuration...

Current configuration : 1612 bytes
!
! Last configuration change at 18:13:08 UTC Thu May 1 2014
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Site1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
ip source-route
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
memory-size iomem 0
archive
 log config
  hidekeys
!
! IKE phase 1 (ISAKMP policy)
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco address 10.1.1.1
!
! IPSec SA negotiation (phase 2 transform set)
crypto ipsec transform-set trans esp-3des esp-md5-hmac
! Crypto map tying the policy together
crypto map mymap 100 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set trans
 set pfs group2
 match address 110
!
!
!         
ip tcp synwait-time 5
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
! Apply the crypto map to the outside interface
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 duplex auto
 speed auto
 crypto map mymap
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
! Default route
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.0.0.2
no ip http server
no ip http secure-server
!
!
! Interesting-traffic definition; note that both directions are listed here
access-list 110 permit tcp 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
access-list 110 permit tcp 3.3.3.0 0.0.0.255 1.1.1.0 0.0.0.255
!
control-plane
!
mgcp fax t38 ecm
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
end


Core:

Core#show run
Building configuration...

Current configuration : 1023 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Core
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
ip source-route
no ip icmp rate-limit unreachable
ip cef
!      
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
memory-size iomem 0
archive
 log config
  hidekeys
!
ip tcp synwait-time 5
!
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.1.1.2 255.255.255.0
 duplex auto
 speed auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
control-plane
!
!
!
mgcp fax t38 ecm
!
gatekeeper
 shutdown
!
!         
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
end


Site2:

Site2#show run
Building configuration...

*May  1 18:19:41.539: %SYS-5-CONFIG_I: Configured from console by console
Current configuration : 1550 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Site2
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
ip source-route
no ip icmp rate-limit unreachable
ip cef
!         
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
memory-size iomem 0
archive
 log config
  hidekeys
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco address 10.0.0.1
!
!
crypto ipsec transform-set trans esp-3des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 10.0.0.1
 set transform-set trans
 set pfs group2
 match address 110
!
!
!
ip tcp synwait-time 5
!        
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map mymap
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.1.1.2
no ip http server
no ip http secure-server
!        
access-list 110 permit tcp 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
access-list 110 permit tcp 3.3.3.0 0.0.0.255 1.1.1.0 0.0.0.255
!
control-plane
!
mgcp fax t38 ecm
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
end
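As an added example (not part of the original post), the following Python script parses the tunnel-relevant lines of the two site configurations above and checks the properties that must agree before the tunnel can come up: the crypto map peer is the same host the pre-shared key is bound to, each peer address is the interface on the other side that carries the crypto map, the ISAKMP policy and transform set match, and the crypto ACLs are mirror images of each other. It also flags the algorithms used here (3DES, HMAC-MD5 and DH group 2), which are deprecated for new deployments. The config excerpts are hand-trimmed copies of the page's configs (the `pfs` line and loopbacks are dropped because the audit does not use them), the deliberately broken Site2 variant is constructed, and the parser recognises only the `access-list N permit proto src wc dst wc` form used on the page.

```python
import re

# Hand-trimmed excerpts (constructed for this example) of the Site1 and Site2 configs above.
SITE1_CFG = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco address 10.1.1.1
crypto ipsec transform-set trans esp-3des esp-md5-hmac
crypto map mymap 100 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set trans
 match address 110
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 crypto map mymap
access-list 110 permit tcp 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
access-list 110 permit tcp 3.3.3.0 0.0.0.255 1.1.1.0 0.0.0.255
"""
SITE2_CFG = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco address 10.0.0.1
crypto ipsec transform-set trans esp-3des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 10.0.0.1
 set transform-set trans
 match address 110
interface FastEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 crypto map mymap
access-list 110 permit tcp 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
access-list 110 permit tcp 3.3.3.0 0.0.0.255 1.1.1.0 0.0.0.255
"""

# Only the wildcard-mask ACL form used on the page is recognised.
ACL_RE = re.compile(r"^access-list (\d+) permit (\S+) (\S+) (\S+) (\S+) (\S+)$")
# Parameters deprecated for new deployments: 3DES, HMAC-MD5, DH group 2.
WEAK = {"encr 3des", "group 2", "esp-3des", "esp-md5-hmac"}

def parse_site(cfg):
    """Pull the tunnel-relevant facts out of an IOS running-config excerpt."""
    site = {"acls": {}, "acl": None, "local_ip": None, "peer": None,
            "key_peer": None, "transform": (), "ike": {}}
    section, iface_ip = "", None
    for line in (l.rstrip() for l in cfg.splitlines()):
        if not line.startswith(" "):  # an unindented command starts a new section
            section, iface_ip = line, None
            m = ACL_RE.match(line)
            if m:
                num, proto, src, swc, dst, dwc = m.groups()
                site["acls"].setdefault(num, []).append((proto, src, swc, dst, dwc))
            elif line.startswith("crypto isakmp key "):
                site["key_peer"] = line.split()[-1]
            elif line.startswith("crypto ipsec transform-set "):
                site["transform"] = tuple(line.split()[4:])
            continue
        words = line.split()
        if section.startswith("crypto isakmp policy"):
            site["ike"][words[0]] = " ".join(words[1:])
        elif section.startswith("crypto map"):
            if words[:2] == ["set", "peer"]:
                site["peer"] = words[2]
            elif words[:2] == ["match", "address"]:
                site["acl"] = words[2]
        elif section.startswith("interface"):
            if words[:2] == ["ip", "address"]:
                iface_ip = words[2]
            elif words[:2] == ["crypto", "map"]:  # the interface that terminates the tunnel
                site["local_ip"] = iface_ip
    return site

def mirrored(ours, theirs):
    """True when the peer's crypto ACL is the source/destination mirror of ours."""
    return set(ours) == {(p, d, dw, s, sw) for (p, s, sw, d, dw) in theirs}

def audit_pair(a, b, names=("Site1", "Site2")):
    """Findings for a site pair; an empty list means consistent and strong."""
    findings = []
    for name, s in zip(names, (a, b)):
        if s["peer"] != s["key_peer"]:
            findings.append(f"{name}: map peer {s['peer']} != isakmp key address {s['key_peer']}")
        weak = sorted(WEAK & (set(s["transform"]) | {f"{k} {v}" for k, v in s["ike"].items()}))
        if weak:
            findings.append(f"{name}: deprecated algorithms in use: {', '.join(weak)}")
    if a["peer"] != b["local_ip"] or b["peer"] != a["local_ip"]:
        findings.append("peer addresses do not match the interfaces carrying the crypto map")
    if a["ike"] != b["ike"] or a["transform"] != b["transform"]:
        findings.append("IKE policy or transform-set differs between the peers")
    if not mirrored(a["acls"].get(a["acl"], []), b["acls"].get(b["acl"], [])):
        findings.append("crypto ACLs are not mirror images; phase 2 proxy identities will not match")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_pair(parse_site(SITE1_CFG), parse_site(SITE2_CFG))) or "no findings")
```

Run against the page's configs the audit reports only the two deprecated-algorithm findings; remove one direction from Site2's ACL 110 and the mirror check fires as well. Note that because the crypto ACL permits only tcp, an ICMP ping between the loopbacks would never be treated as interesting traffic, which is why the post triggers the tunnel with telnet.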

Transmission test. IPsec only establishes the SAs once interesting traffic hits the crypto ACL:

Site1#telnet 3.3.3.3 /source-interface lo0
Trying 3.3.3.3 ... Open


Password required, but none set

[Connection to 3.3.3.3 closed by foreign host]

Site1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.1.1        10.0.0.1        QM_IDLE           1002 ACTIVE

IPv6 Crypto ISAKMP SA

Site1#

As shown, the IPSec tunnel has been established.
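The `show crypto isakmp sa` output above only reports phase 1; an added example, not part of the original post, shows how a monitoring script can read that table and decide whether the tunnel to the expected peer is actually up. The sample output is the page's table plus one constructed entry for a hypothetical peer (192.0.2.9) that never got past main mode; MM_NO_STATE there typically means phase 1 failed, for instance because of a mismatched policy or pre-shared key. Phase 2 SAs and packet counters would need `show crypto ipsec sa`, which this script does not parse.

```python
# Constructed sample: the page's `show crypto isakmp sa` table plus one
# hypothetical peer (192.0.2.9) stuck in main mode.
SAMPLE = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.1.1        10.0.0.1        QM_IDLE           1002 ACTIVE
192.0.2.9       10.0.0.1        MM_NO_STATE       1003 ACTIVE

IPv6 Crypto ISAKMP SA
"""

# Main-mode states mean phase 1 is still in progress or has failed;
# QM_IDLE means phase 1 completed and the SA is ready for quick mode.
MAIN_MODE = {"MM_NO_STATE", "MM_SA_SETUP", "MM_KEY_EXCH", "MM_KEY_AUTH"}

def parse_isakmp_sa(text):
    """Return one dict per SA row of IOS `show crypto isakmp sa` output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with the IPv4 destination; header and banner lines do not.
        if len(parts) >= 5 and parts[0].replace(".", "").isdigit():
            rows.append({"dst": parts[0], "src": parts[1], "state": parts[2],
                         "conn_id": int(parts[3]), "status": parts[4]})
    return rows

def phase1_up(text, peer):
    """True only when an ACTIVE QM_IDLE SA exists toward the expected peer."""
    return any(r["dst"] == peer and r["state"] == "QM_IDLE" and r["status"] == "ACTIVE"
               for r in parse_isakmp_sa(text))

def stuck_peers(text):
    """Peers whose SA is still in a main-mode state (phase 1 incomplete)."""
    return [r["dst"] for r in parse_isakmp_sa(text) if r["state"] in MAIN_MODE]

if __name__ == "__main__":
    print("tunnel to 10.1.1.1 up:", phase1_up(SAMPLE, "10.1.1.1"))
    print("peers stuck in phase 1:", stuck_peers(SAMPLE))
```

Checking `dst` against the peer configured in the crypto map, rather than just looking for any QM_IDLE row, avoids reporting success when a different tunnel on the same router happens to be up.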
