Site-to-Site IPsec VPN configuration and verification

[Figure 1: lab topology diagram (image not included). Reconstructed from the configurations below: r1 HQ PC (192.168.1.2) -- 192.168.1.0/24 -- r2 HQ gateway (E0/1 192.168.1.1, E0/2 192.168.4.1) -- 192.168.4.0/24 -- r3 ISP (E0/1 192.168.4.2, E0/2 192.168.5.1, E0/0 192.168.3.1) -- 192.168.5.0/24 -- r4 branch gateway (E0/1 192.168.5.2, E0/2 192.168.2.1) -- 192.168.2.0/24 -- r5 branch PC (192.168.2.2); r6 (192.168.3.2) on 192.168.3.0/24 plays an Internet server.]

r2: this router represents company headquarters. It connects the ISP and the internal network, and both the NAT configuration and the VPN are done on it.

 

r2#show runn

Building configuration...

 

Current configuration : 1337 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname r2

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 5

!

!

ip cef

no ip domain lookup

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

crypto isakmp policy 1   ## IKE phase 1 (ISAKMP) policy, priority 1

 encryption des  ## symmetric cipher DES (56-bit key; obsolete, lab use only)

 group 1   ## Diffie-Hellman group 1 (768-bit MODP; obsolete)

 hash md5           ## MD5 as the IKE hash/PRF

 authentication pre-share  ## authenticate peers with a pre-shared key. `encryption des` and `group 1` are the IOS defaults, so a real `show run` omits them (compare r4's output later on this page); they are listed here for clarity. Defaults need not be typed, but every value of this policy must match the peer's policy.

crypto isakmp key 6 cisco address 192.168.5.2   ## pre-shared key and the peer it is valid for (r4's outside address). The `6` keyword denotes type-6 (AES-encrypted) key storage, which requires `key config-key password-encrypt` and `password encryption aes`; neither is configured here, and the key `cisco` appears in clear text in the running configuration. Use a long random key outside a lab.

!

!

crypto ipsec transform-set ccnp ah-md5-hmac  ## IPsec (phase 2) transform set named ccnp: AH with HMAC-MD5 only. AH provides integrity and origin authentication but no encryption, so the payload crosses the ISP in clear text; an ESP transform such as esp-aes esp-sha-hmac is needed for confidentiality. AH also fails through any NAT in the path, because it authenticates the IP header.

!

crypto map mymap 1 ipsec-isakmp   ## crypto map named mymap, entry 1, keyed by IKE; it ties together ACL 110, the transform set ccnp and the peer address

 set peer 192.168.5.2   ## peer (tunnel endpoint) address

 set transform-set ccnp  ## use the transform set defined above

 match address 110     ## ACL 110 selects the traffic to protect

!

!

!

!

interface Ethernet0/0

 no ip address

 shutdown

 half-duplex

!

interface Ethernet0/1

 ip address 192.168.1.1 255.255.255.0

 ip nat inside  ## inside (LAN) interface for NAT

 ip virtual-reassembly

 half-duplex

!

interface Ethernet0/2

 ip address 192.168.4.1 255.255.255.0

 ip nat outside   ## outside (ISP-facing) interface for NAT; private addresses are translated to this interface's public address when reaching the Internet

 ip virtual-reassembly

 half-duplex

 crypto map mymap  ## the crypto map is applied on the outside interface; this interface's address is the local tunnel endpoint

!

interface Ethernet0/3

 no ip address

 shutdown

 half-duplex

!

ip http server

no ip http secure-server

ip route 0.0.0.0 0.0.0.0 192.168.4.2  ## default route toward the ISP; the next hop is r3's address on the shared link

!

!

ip nat inside source list 100 interface Ethernet0/2 overload  ## enable PAT: sources permitted by ACL 100 are translated to E0/2's address

!

access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255  ## ACL 100 selects the private addresses to translate; the site-to-site traffic (1.0/24 to 2.0/24) is denied first, i.e. exempted from NAT. IOS performs inside-to-outside NAT before it consults the crypto map, so without this line the source would become 192.168.4.1, no longer match ACL 110, and leave the router unprotected

access-list 100 permit ip 192.168.1.0 0.0.0.255 any     ## everything else from the LAN is translated

access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255  ## crypto ACL ("interesting traffic"): when 192.168.1.0/24 talks to 192.168.2.0/24 the ISAKMP and IPsec policies above are applied. r4's ACL 110 must be the exact mirror image

!

!

!

control-plane

!

!

!

!

!

!

!

!

!

!

line con 0

line aux 0

line vty 0 4

!

!

end

 

r2#
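Every cryptographic choice in the r2 configuration above (DES, MD5, DH group 1, an AH-only transform set, a five-character pre-shared key, no PFS) is acceptable for a lab and nothing more. The following script is an added example and not part of the original post: it parses the crypto section of an IOS running-config, fills in the phase-1 defaults that `show run` hides, and reports the weak settings. `R2_CONFIG` is the r2 crypto section from this page (indentation normalized, `!` separators dropped); `HARDENED_CONFIG` is an assumed stronger equivalent (AES-256, SHA-256, DH group 14, ESP, PFS, a 32-character key) written in the syntax of later IOS releases, since the 12.4 image used here offers no SHA-2 transforms, as the `transform-set ?` output further down shows.

```python
# Added example (not from the original post): audit the IKE/IPsec settings of a
# Cisco IOS running-config for weak choices.
import re

# From the page (r2). `encryption des` and `group 1` are IOS defaults that a
# real `show run` omits; kept here, indented like the other sub-commands.
R2_CONFIG = """\
crypto isakmp policy 1
 encryption des
 group 1
 hash md5
 authentication pre-share
crypto isakmp key 6 cisco address 192.168.5.2
crypto ipsec transform-set ccnp ah-md5-hmac
crypto map mymap 1 ipsec-isakmp
 set peer 192.168.5.2
 set transform-set ccnp
 match address 110
"""

# Assumed, not from the page (IOS 15.x syntax): ESP with AES-256 and
# HMAC-SHA-256, DH group 14 in both phases, 32-character random PSK.
HARDENED_CONFIG = """\
crypto isakmp policy 1
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key 0 Qm7vXz2pLt9kRw4sBn8yHc3dFg6jKa1e address 192.168.5.2
crypto ipsec transform-set strong esp-aes 256 esp-sha256-hmac
crypto map mymap 1 ipsec-isakmp
 set peer 192.168.5.2
 set transform-set strong
 set pfs group14
 match address 110
"""

# Values IOS applies when a policy sub-command is absent from `show run`.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1", "authentication": "rsa-sig"}
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_DH_GROUPS = {"1", "2", "5"}  # 768/1024/1536-bit MODP
ESP_CIPHERS = {"esp-des", "esp-3des", "esp-aes", "esp-seal", "esp-null"}


def parse_isakmp_policy(config):
    """First ISAKMP policy as a dict, defaults filled in for omitted sub-commands."""
    policy = dict(ISAKMP_DEFAULTS)
    lines = config.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("crypto isakmp policy "):
            for sub in lines[i + 1:]:
                if not sub.startswith(" "):  # sub-commands are indented
                    break
                key, _, value = sub.strip().partition(" ")
                policy[key] = value
            break
    return policy


def parse_transform_set(config):
    """Transforms of the first transform set; key sizes such as '256' dropped."""
    m = re.search(r"^crypto ipsec transform-set \S+ (.+)$", config, re.M)
    return [t for t in m.group(1).split() if not t.isdigit()] if m else []


def parse_psk(config):
    """(key, peer) from `crypto isakmp key [0|6] KEY address PEER`, or None."""
    m = re.search(r"^crypto isakmp key (?:[06] )?(\S+) address (\S+)", config, re.M)
    return (m.group(1), m.group(2)) if m else None


def audit(config):
    """Return (finding-code, explanation) pairs; an empty list means clean."""
    findings = []
    p = parse_isakmp_policy(config)
    if p["encryption"].split()[0] in WEAK_ENCRYPTION:
        findings.append(("weak-encryption", f"ISAKMP encryption '{p['encryption']}'; use aes 256"))
    if p["hash"] == "md5":
        findings.append(("weak-hash", "ISAKMP hash md5; use sha256 or stronger"))
    if p["group"] in WEAK_DH_GROUPS:
        findings.append(("weak-dh-group", f"DH group {p['group']}; use group 14 or stronger"))
    transforms = parse_transform_set(config)
    ciphers = [t for t in transforms if t in ESP_CIPHERS]
    if not ciphers or ciphers == ["esp-null"]:  # AH-only or ESP-NULL: nothing is encrypted
        findings.append(("no-confidentiality", f"{transforms} authenticates but never encrypts"))
    if any(t.endswith("md5-hmac") for t in transforms):
        findings.append(("weak-integrity", "HMAC-MD5 transform; use an HMAC-SHA transform"))
    psk = parse_psk(config)
    if psk and len(psk[0]) < 20:
        findings.append(("short-psk", f"pre-shared key for {psk[1]} is only {len(psk[0])} characters"))
    if not re.search(r"^ set pfs ", config, re.M):
        findings.append(("no-pfs", "no 'set pfs' in the crypto map; phase-2 keys hang off the phase-1 secret"))
    return findings


if __name__ == "__main__":
    for code, why in audit(R2_CONFIG):
        print(f"{code:18} {why}")
```

Run against `R2_CONFIG` the audit reports seven findings; against `HARDENED_CONFIG` it reports none. The default-filling step matters in practice: a policy that shows only `hash md5` and `authentication pre-share` in `show run` is still a DES / group 1 policy, exactly the r4 case on this page.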

 

 

 

 

r1: this router plays the headquarters PC. `no ip routing` and `ip default-gateway 192.168.1.1` (see its configuration below) make it behave like a host with r2 as its gateway.

 

r1#ping 192.168.2.2  ## the branch PC is reachable, so the VPN is up. The first echo of the first attempt is lost (.!!!!) because that packet triggers the IKE and IPsec negotiation, which completes only after it. A successful ping shows reachability, not protection: confirm on r2 with `show crypto isakmp sa` (state QM_IDLE) and `show crypto ipsec sa` (the #pkts encaps/decaps counters increase with every ping)

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 120/194/232 ms

r1#ping 192.168.2.2

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 124/138/160 ms

r1#ping 192.168.2.2

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 104/164/216 ms

r1#ping 192.168.3.2 ## the Internet address 192.168.3.2 is reachable, so NAT works; `show ip nat translations` on r2 lists the ICMP entries translated to 192.168.4.1

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.3.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 80/151/220 ms

r1#show runn

Building configuration...

 

Current configuration : 806 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname r1

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 5

no ip routing

!

!

no ip cef

no ip domain lookup

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

interface Ethernet0/0

 no ip address

 no ip route-cache

 shutdown

 half-duplex

!

interface Ethernet0/1

 ip address 192.168.1.2 255.255.255.0

 no ip route-cache

 half-duplex

!

interface Ethernet0/2

 no ip address

 no ip route-cache

 shutdown

 half-duplex

!

interface Ethernet0/3

 no ip address

 no ip route-cache

 shutdown

 half-duplex

!

ip default-gateway 192.168.1.1

ip http server

no ip http secure-server

!

!

!

!

!

!

control-plane

!

!

!

!

!

!

!

!

!

!

line con 0

line aux 0

line vty 0 4

!

!

end

 

r1#

 

 

 

 

r3: this router plays the ISP. It connects three networks: 192.168.3.0/24 (the Internet), 192.168.4.0/24 toward headquarters and 192.168.5.0/24 toward the branch. Its configuration is trivial: three interface addresses and nothing else. Note that it has no route to 192.168.1.0/24 or 192.168.2.0/24, which is why the HQ LAN needs NAT to reach the Internet and why traffic between the two private networks must travel inside the tunnel with its original addresses.

 

r3>en

r3#show runn

Building configuration...

 

Current configuration : 708 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname r3

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 5

!

!

ip cef

no ip domain lookup

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

interface Ethernet0/0

 ip address 192.168.3.1 255.255.255.0  ## connects to the 192.168.3.0/24 network that represents the Internet

 half-duplex

!

interface Ethernet0/1

 ip address 192.168.4.2 255.255.255.0  ## connects to the headquarters router (r2)

 half-duplex

!

interface Ethernet0/2

 ip address 192.168.5.1 255.255.255.0   ## connects to the branch router (r4)

 half-duplex

!

interface Ethernet0/3

 no ip address

 shutdown

 half-duplex

!

ip http server

no ip http secure-server

!

!

!

!

!

!

control-plane

!

!

!

!

!

!

!

!

!

!

line con 0

line aux 0

line vty 0 4

!

!

end

 

r3#

 

 

 

 

r4: the router on the branch side. Its configuration mirrors r2's (same ISAKMP policy, transform set and crypto map, with the private networks and the peer address swapped), so only the differences are pointed out. The console session below is reproduced as typed, including command abbreviations, a typo and the `?` help output for the transform-set keywords.

r4(config-if)#ex

r4(config)#in e0/1

r4(config-if)#ip nat ou

r4(config-if)#ip nat outside

r4(config-if)#

*Mar  1 00:12:48.551: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up

r4(config-if)#ex

r4(config)#in e0/2

r4(config-if)#ip nat ins

r4(config-if)#ex

r4(config)#acc

r4(config)#access-list 100 den

r4(config)#$ 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

r4(config)#acc

r4(config)#access-list 100 per

r4(config)#access-list 100 permit ip 192.168.2.0 0.0.0.255 any

r4(config)#ip nat inside sourc list 100 in

r4(config)#ip nat inside sourc list 100 interface e0/1 ove

r4(config)#ip route 0.0.0.0 0.0.0.0 192.168.5.1

r4(config)#

r4(config)#acc

r4(config)#access-list 110 per

r4(config)#$ 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

r4(config)#cry

r4(config)#crypto is

r4(config)#crypto isakmp po

r4(config)#crypto isakmp policy ?

  <1-10000>  Priority of protection suite

 

r4(config)#crypto isakmp policy 1 ?

 

 

r4(config)#crypto isakmp policy 1

r4(config-isakmp)#en

r4(config-isakmp)#encryption des

r4(config-isakmp)#hash mdt

                         ^

% Invalid input detected at '^' marker.

 

r4(config-isakmp)#hash md5

r4(config-isakmp)#auth

r4(config-isakmp)#authentication pre

r4(config-isakmp)#authentication pre-share

r4(config-isakmp)#gr

r4(config-isakmp)#group 1

r4(config-isakmp)#ex

r4(config)#cry

r4(config)#crypto is

r4(config)#crypto isakmp key 6 cisco add ?

  A.B.C.D  Peer IP address

 

r4(config)#crypto isakmp key 6 cisco add 192.168.4.1 ?

  A.B.C.D   Peer IP subnet mask

  no-xauth  Bypasses XAuth for this peer

 

 

r4(config)#crypto isakmp key 6 cisco add 192.168.4.1

r4(config)#cry ip

r4(config)#cry ipsec tran

r4(config)#cry ipsec transform-set ccnp ?

  ah-md5-hmac   AH-HMAC-MD5 transform

  ah-sha-hmac   AH-HMAC-SHA transform

  comp-lzs      IP Compression using the LZS compression algorithm

  esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)

  esp-aes       ESP transform using AES cipher

  esp-des       ESP transform using DES cipher (56 bits)

  esp-md5-hmac  ESP transform using HMAC-MD5 auth

  esp-null      ESP transform w/o cipher

  esp-seal      ESP transform using SEAL cipher (160 bits)

  esp-sha-hmac  ESP transform using HMAC-SHA auth

 

r4(config)#cry ipsec transform-set ccnp ah

r4(config)#cry ipsec transform-set ccnp ah-m

r4(config)#cry ipsec transform-set ccnp ah-md5-hmac

r4(cfg-crypto-trans)#exit

r4(config)#cry

r4(config)#crypto map mymap 1 ips

r4(config)#crypto map mymap 1 ipsec-is

r4(config)#crypto map mymap 1 ipsec-isakmp

% NOTE: This new crypto map will remain disabled until a peer

        and a valid access list have been configured.

r4(config-crypto-map)#mat

r4(config-crypto-map)#match add 110

r4(config-crypto-map)#set tr

r4(config-crypto-map)#set transform-set ccnp

r4(config-crypto-map)#set peer 192.168.4.1

r4(config-crypto-map)#ex

r4(config)#in e0/1

r4(config-if)#cry map mymap

r4(config-if)#ex

*Mar  1 00:18:34.063: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

r4(config)#end

r4#show runn

*Mar  1 00:19:44.447: %SYS-5-CONFIG_I: Configured from console by console

Building configuration...

 

Current configuration : 1337 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname r4

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 5

!

!

ip cef

no ip domain lookup

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

crypto isakmp policy 1  ## must match r2's policy; `encryption des` and `group 1` are the defaults and therefore not displayed here. The only differences from r2 are the peer address (r2's outside interface, 192.168.4.1) and the swapped networks in ACLs 100 and 110

 hash md5

 authentication pre-share

crypto isakmp key 6 cisco address 192.168.4.1

!

!

crypto ipsec transform-set ccnp ah-md5-hmac

!

crypto map mymap 1 ipsec-isakmp

 set peer 192.168.4.1

 set transform-set ccnp

 match address 110

!

!

!

!

interface Ethernet0/0

 no ip address

 shutdown

 half-duplex

!

interface Ethernet0/1

 ip address 192.168.5.2 255.255.255.0

 ip nat outside

 ip virtual-reassembly

 half-duplex

 crypto map mymap

!

interface Ethernet0/2

 ip address 192.168.2.1 255.255.255.0

 ip nat inside

 ip virtual-reassembly

 half-duplex

!

interface Ethernet0/3

 no ip address

 shutdown

 half-duplex

!

ip http server

no ip http secure-server

ip route 0.0.0.0 0.0.0.0 192.168.5.1

!

!

ip nat inside source list 100 interface Ethernet0/1 overload

!

access-list 100 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 100 permit ip 192.168.2.0 0.0.0.255 any

access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

!

!

!

control-plane

!

!

!

!

!

!

!

!

!

!

line con 0

line aux 0

line vty 0 4

!

!

end

 

r4#
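Two ACL details decide whether this design works at all. On each gateway the NAT ACL must exempt the site-to-site traffic before it permits everything else, because IOS translates inside-to-outside packets before it consults the crypto map on the egress interface; and the two crypto ACLs (r2's and r4's ACL 110) must be exact mirror images. The script below is an added example, not part of the original post: it evaluates the page's ACL 100/110 from r2 and r4 with a small first-match evaluator, walks a packet through r2's NAT-then-crypto order of operations, once with the page's exemption line and once without it, and checks the mirror property. `NAT_ACL_WITHOUT_EXEMPTION` is a constructed negative case; everything else is taken from the configurations above.

```python
# Added example (not from the original post): why the NAT ACL must exempt VPN
# traffic on r2, and why the crypto ACLs of r2 and r4 must mirror each other.
import ipaddress

# Copied from the page.
R2_ACLS = """\
access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
R4_ACLS = """\
access-list 100 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
# Constructed counter-example: r2's NAT ACL with the deny line left out.
NAT_ACL_WITHOUT_EXEMPTION = "access-list 100 permit ip 192.168.1.0 0.0.0.255 any\n"

R2_OUTSIDE_IP = "192.168.4.1"  # E0/2, the `ip nat outside` interface used for overload


def _address_spec(tokens, i):
    """Consume one ACL address (any | host A | A WILDCARD); return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host" or tokens[i + 1] == "0.0.0.0":
        addr = tokens[i + 1] if tokens[i] == "host" else tokens[i]
        return ipaddress.ip_network(addr + "/32"), i + 2
    # ipaddress accepts an IOS wildcard (host mask) in place of a prefix length
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(config, number):
    """Extended ACL `number` as an ordered list of (action, src_net, dst_net)."""
    entries = []
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 6 and t[0] == "access-list" and t[1] == number and t[3] == "ip":
            src, i = _address_spec(t, 4)
            dst, _ = _address_spec(t, i)
            entries.append((t[2], src, dst))
    return entries


def match_acl(entries, src, dst):
    """First-match evaluation; every IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action
    return "deny"


def r2_outbound(nat_acl, crypto_acl, src, dst, outside_ip=R2_OUTSIDE_IP):
    """Inside-to-outside path on r2: NAT runs first, the crypto map then sees
    the post-NAT packet. Returns (source address on the wire, encrypted?)."""
    if match_acl(nat_acl, src, dst) == "permit":
        src = outside_ip  # PAT to the outside interface address
    return src, match_acl(crypto_acl, src, dst) == "permit"


def is_mirror(local_crypto_acl, peer_crypto_acl):
    """Each permit (src, dst) on one side must appear as (dst, src) on the other."""
    local = {(str(s), str(d)) for a, s, d in local_crypto_acl if a == "permit"}
    peer = {(str(d), str(s)) for a, s, d in peer_crypto_acl if a == "permit"}
    return local == peer


if __name__ == "__main__":
    nat, crypto = parse_acl(R2_ACLS, "100"), parse_acl(R2_ACLS, "110")
    print("HQ PC -> branch PC  :", r2_outbound(nat, crypto, "192.168.1.2", "192.168.2.2"))
    print("HQ PC -> Internet   :", r2_outbound(nat, crypto, "192.168.1.2", "192.168.3.2"))
    broken = parse_acl(NAT_ACL_WITHOUT_EXEMPTION, "100")
    print("without exemption   :", r2_outbound(broken, crypto, "192.168.1.2", "192.168.2.2"))
    print("r2/r4 ACL 110 mirror:", is_mirror(crypto, parse_acl(R4_ACLS, "110")))
```

With the page's ACL 100 the HQ-to-branch packet keeps its 192.168.1.2 source and is encrypted, while the HQ-to-Internet packet is translated to 192.168.4.1 and sent in clear, as intended. Without the deny line the HQ-to-branch packet is also translated, no longer matches ACL 110, leaves r2 unprotected and is dropped by r3, which has no route to 192.168.2.0/24. A failed `is_mirror` check shows up on real routers as a phase-2 (quick mode) negotiation failure, because the two sides propose different proxy identities.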

 

 

 

 

r5: this router plays the branch PC; it needs to reach the headquarters network 192.168.1.0/24.

r5>en

r5#show runn

Building configuration...

 

Current configuration : 806 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname r5

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 5

no ip routing

!

!

no ip cef

no ip domain lookup

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

interface Ethernet0/0

 no ip address

 no ip route-cache

 shutdown

 half-duplex

!

interface Ethernet0/1

 ip address 192.168.2.2 255.255.255.0

 no ip route-cache

 half-duplex

!

interface Ethernet0/2

 no ip address

 no ip route-cache

 shutdown

 half-duplex

!

interface Ethernet0/3

 no ip address

 no ip route-cache

 shutdown

 half-duplex

!

ip default-gateway 192.168.2.1

ip http server

no ip http secure-server

!

!

!

!

!

!

control-plane

!

!

!

!

!

!

!

!

!

!

line con 0

line aux 0

line vty 0 4

!

!

end

 

r5#ping 192.168.1.2  ## the headquarters PC is reachable, so the VPN also works in the branch-to-HQ direction

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 124/135/144 ms

r5#

 

 

 

r6: this router represents server resources on the Internet (192.168.3.2, with r3 as its default gateway).

 

 

r6>en

r6#show runn

Building configuration...

 

Current configuration : 806 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname r6

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 5

no ip routing

!

!

no ip cef

no ip domain lookup

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

interface Ethernet0/0

 no ip address

 no ip route-cache

 shutdown

 half-duplex

!

interface Ethernet0/1

 ip address 192.168.3.2 255.255.255.0

 no ip route-cache

 half-duplex

!

interface Ethernet0/2

 no ip address

 no ip route-cache

 shutdown

 half-duplex

!

interface Ethernet0/3

 no ip address

 no ip route-cache

 shutdown

 half-duplex

!

ip default-gateway 192.168.3.1

ip http server

no ip http secure-server

!

!

!

!

!

!

control-plane

!

!

!

!

!

!

!

!

!

!

line con 0

line aux 0

line vty 0 4

!

!

end

 

r6#