Lab 41: VPN (IPSec) Configuration

I. Lab Objectives

1. Master establishing a VPN with manually configured keys

2. Understand the role of keys in the tunnel establishment process

II. Application Scenario

IPSec provides data confidentiality, integrity and origin authentication on the network, and so protects data effectively.

Manually configuring the keys reduces the overhead of key exchange and improves efficiency.

III. Lab Equipment

1. Two DCR-1751 routers

2. Two PCs

IV. Lab Topology

(Topology figure omitted: PC -- F0/0 Router-A S1/1 ---- S1/0 Router-B F0/0 -- SERVER; addresses are listed in the configuration table below.)

V. Lab Requirements

Configuration table

                Router-A                     Router-B
F0/0            192.168.0.1/24       F0/0    192.168.2.1/24
S1/1 (DCE)      192.168.1.1/24       S1/0    192.168.1.2/24

                PC                           SERVER
IP              192.168.0.10/24              192.168.2.2/24
Gateway         192.168.0.1                  192.168.2.1

Result:

Establish a VPN between routers A and B that protects the data flowing from the PC to the SERVER.

VI. Lab Steps

Step 1: Configure Router-A

Router-A#conf
Router-A_config#ip access-list extended 101                          !define the traffic flow that the VPN must protect
Router-A_config_ext_nacl#permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
Router-A_config_ext_nacl#exit
Router-A_config#ip route 0.0.0.0 0.0.0.0 192.168.1.2                 !configure a static default route
Router-A_config#crypto ipsec transform-set one                       !define the transform set
Router-A_config_crypto_trans#transform-type ah-md5-hmac esp-3des     !AH authentication plus ESP encryption
! Note: the original lab text lists "esp-des esp-md5-hmac" here, but the SA keys below
! (24-byte ESP cipher key, 16-byte AH key, no ESP auth key) and the show output in
! Step 2 both correspond to the transform set { ah-md5-hmac esp-3des }.
Router-A_config_crypto_trans#exit
Router-A_config#crypto map my 10 ipsec-manual                        !create a manually keyed IPSec crypto map
Router-A_config_crypto_map#set transform-set one                     !attach the transform set
Router-A_config_crypto_map#set peer 192.168.1.2                      !set the peer address
Router-A_config_crypto_map#match address 101                         !attach the traffic flow to be encrypted
Router-A_config_crypto_map#set security-association inbound esp 2001 cipher ffeeddccbbaa001122334455667788999988776655443322
Router-A_config_crypto_map#set security-association inbound ah 2000 ffeeddccbbaa00112233445566778899
Router-A_config_crypto_map#set security-association outbound esp 1001 cipher aabbccddeeff001122334455667788999988776655443322
Router-A_config_crypto_map#set security-association outbound ah 1000 aabbccddeeff00112233445566778899
!manually configure the SPIs and keys for each direction
Router-A_config_crypto_map#exit
Router-A_config#int s1/1                                             !enter the interface that carries the VPN
Router-A_config_s1/1#crypto map my                                   !bind the IPSec crypto map to the interface
Router-A_config_s1/1#^Z

Step 2: View the configuration (output shown after the VPN has been established on both ends)

Router-A#sh crypto ipsec sa                !view the IPSec security associations
Interface: Serial1/1
Crypto map name:my , local addr. 192.168.1.1
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.1.2
inbound esp sas:
spi:0x7d1(2001)
transform: esp-3des
in use settings ={ Tunnel }
no sa timing
inbound ah sas:
spi:0x7d0(2000)
transform: ah-md5-hmac
in use settings ={ Tunnel }
no sa timing
outbound esp sas:
spi:0x3e9(1001)
transform: esp-3des
in use settings ={ Tunnel }
no sa timing
outbound ah sas:
spi:0x3e8(1000)
transform: ah-md5-hmac
in use settings ={ Tunnel }
no sa timing

Router-A#sh crypto map                     !view the IPSec crypto map
Crypto Map my 10 ipsec-manual
Extended IP access list 101
permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
peer = 192.168.1.2
Inbound esp spi: 2001 ,
cipher key: ffeeddccbbaa001122334455667788999988776655443322 ,
auth key ,
Inbound ah spi: 2000 ,
key: ffeeddccbbaa00112233445566778899 ,
Outbound esp spi: 1001 ,
cipher key: aabbccddeeff001122334455667788999988776655443322 ,
auth key ,
Outbound ah spi: 1000 ,
key: aabbccddeeff00112233445566778899
Transform sets={ one}

Router-A#sh crypto ipsec transform-set     !view the transform set
Transform set one: { ah-md5-hmac esp-3des }
will negotiate ={ Tunnel }

Step 3: Configure Router-B

Router-B>ena
Router-B#conf
Router-B_config#ip access-list extended 101
Router-B_config_ext_nacl#permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
Router-B_config_ext_nacl#exit
Router-B_config#ip route 192.168.0.0 255.255.255.0 192.168.1.1
Router-B_config#crypto ipsec transform-set one
Router-B_config_crypto_trans#transform-type ah-md5-hmac esp-3des     !must be identical to A (see the note in Step 1)
Router-B_config_crypto_trans#exit
Router-B_config#crypto map my 10 ipsec-manual                        !the keys must correspond to those on A
Router-B_config_crypto_map#set transform-set one
Router-B_config_crypto_map#set peer 192.168.1.1
Router-B_config_crypto_map#match address 101
Router-B_config_crypto_map#set security-association inbound esp 1001 cipher aabbccddeeff001122334455667788999988776655443322
Router-B_config_crypto_map#set security-association inbound ah 1000 aabbccddeeff00112233445566778899
Router-B_config_crypto_map#set security-association outbound esp 2001 cipher ffeeddccbbaa001122334455667788999988776655443322
Router-B_config_crypto_map#set security-association outbound ah 2000 ffeeddccbbaa00112233445566778899
!note the correspondence with A: inbound and outbound are crossed, so B's inbound SPI/key equals A's outbound SPI/key and vice versa
Router-B_config_crypto_map#exit
Router-B_config#int s1/0
Router-B_config_s1/0#crypto map my
Router-B_config_s1/0#^Z
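As an added consistency check (example code written for this page, not a DCR-1751 tool), the script below parses the manual security-association lines of both routers and verifies the crossed correspondence that Step 3 requires: each inbound SA on one router must carry the same SPI and key as the outbound SA on the other, and every key must have the length its transform implies. The ROUTER_A and ROUTER_B strings are the page's own SA lines; the 24-byte and 16-byte expectations are assumptions derived from the transform names 3DES and MD5-HMAC.

```python
import re

# Manual SA lines exactly as entered on each router in this lab (copied from the page).
ROUTER_A = """
set security-association inbound esp 2001 cipher ffeeddccbbaa001122334455667788999988776655443322
set security-association inbound ah 2000 ffeeddccbbaa00112233445566778899
set security-association outbound esp 1001 cipher aabbccddeeff001122334455667788999988776655443322
set security-association outbound ah 1000 aabbccddeeff00112233445566778899
"""
ROUTER_B = """
set security-association inbound esp 1001 cipher aabbccddeeff001122334455667788999988776655443322
set security-association inbound ah 1000 aabbccddeeff00112233445566778899
set security-association outbound esp 2001 cipher ffeeddccbbaa001122334455667788999988776655443322
set security-association outbound ah 2000 ffeeddccbbaa00112233445566778899
"""

SA_RE = re.compile(r"set security-association (inbound|outbound) (esp|ah) (\d+)(?: cipher)? ([0-9a-fA-F]+)")
# Assumed key sizes for the transform set { ah-md5-hmac esp-3des }: 3DES = 24 bytes, MD5-HMAC = 16 bytes.
KEY_BYTES = {"esp": 24, "ah": 16}
OPPOSITE = {"inbound": "outbound", "outbound": "inbound"}


def parse_sas(cfg):
    """Map (direction, protocol) -> (spi, key_hex) for every manual SA line in cfg."""
    return {(d, p): (int(spi), key.lower()) for d, p, spi, key in SA_RE.findall(cfg)}


def check_pair(cfg_a, cfg_b):
    """Return a list of problems; an empty list means cfg_a's SAs mirror cfg_b's correctly."""
    a, b = parse_sas(cfg_a), parse_sas(cfg_b)
    problems = []
    for (direction, proto), (spi, key) in a.items():
        if len(key) != 2 * KEY_BYTES[proto]:
            problems.append(f"{direction} {proto} spi {spi}: key is {len(key) // 2} bytes, expected {KEY_BYTES[proto]}")
        # The peer must hold the same SPI and key in the opposite direction.
        peer = b.get((OPPOSITE[direction], proto))
        if peer is None:
            problems.append(f"peer has no {OPPOSITE[direction]} {proto} SA matching spi {spi}")
        elif peer != (spi, key):
            problems.append(f"{direction} {proto} spi {spi} does not match the peer's {OPPOSITE[direction]} {proto} SA")
    return problems


if __name__ == "__main__":
    # Check both directions so an extra or altered SA on either side is reported.
    issues = check_pair(ROUTER_A, ROUTER_B) + check_pair(ROUTER_B, ROUTER_A)
    print("consistent" if not issues else "\n".join(issues))
```

Because manual SAs never rekey (the show output reports "no sa timing"), a mismatch persists until someone corrects the configuration, so it is worth running this check before binding the crypto map to the interface.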

Step 4: View the configuration

Router-B#sh crypto ipsec sa
Interface: Serial1/0
Crypto map name:my , local addr. 192.168.1.2
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
local crypto endpt.: 192.168.1.2, remote crypto endpt.: 192.168.1.1
inbound esp sas:
spi:0x3e9(1001)
transform: esp-3des
in use settings ={ Tunnel }
no sa timing
inbound ah sas:
spi:0x3e8(1000)
transform: ah-md5-hmac
in use settings ={ Tunnel }
no sa timing
outbound esp sas:
spi:0x7d1(2001)
transform: esp-3des
in use settings ={ Tunnel }
no sa timing
outbound ah sas:
spi:0x7d0(2000)
transform: ah-md5-hmac
in use settings ={ Tunnel }
no sa timing

Router-B#sh crypto ipsec transform-set
Transform set one: { ah-md5-hmac esp-3des }
will negotiate ={ Tunnel }

Router-B#sh crypto map
Crypto Map my 10 ipsec-manual
Extended IP access list 101
permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
peer = 192.168.1.1
Inbound esp spi: 1001 ,
cipher key: aabbccddeeff001122334455667788999988776655443322 ,
auth key ,
Inbound ah spi: 1000 ,
key: aabbccddeeff00112233445566778899 ,
Outbound esp spi: 2001 ,
cipher key: ffeeddccbbaa001122334455667788999988776655443322 ,
auth key ,
Outbound ah spi: 2000 ,
key: ffeeddccbbaa00112233445566778899
Transform sets={ one}

Step 5: Test


Reposted from: https://blog.51cto.com/lorna8023/406576
