IPsec VPN site-to-site lab walkthrough
-------阿J
Lab topology:
Lab environment:
We model R4's network as Company A's branch office and R5's network as Company A's headquarters; the goal is to build Company A's own virtual private network over the Internet with an IPsec VPN.
Lab requirement:
R4 can ping R5
Configuration overview:
a) The underlay addressing is as shown in the topology.
b) On R4 and R5, configure default routes pointing to R1 and R3 respectively; R1 and R3 point to the simulated public Internet address 2.2.2.2/24.
c) Use PAT on both R1 and R3.
d) The last item is the heart of this lab:
IPsec configuration:
Phase 1: define the ISAKMP policy set
Define the negotiation parameters
Define the peer address and pre-shared key
Phase 2: define the IPsec transform set
Define the crypto map
Apply the crypto map to the interface
R1#show run
Building configuration...
Current configuration : 1570 bytes
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R1
boot-start-marker
boot-end-marker
no aaa new-model
ip subnet-zero
no ip domain lookup
!
ip cef
Phase 1:
crypto isakmp policy 1 // create the ISAKMP policy set, numbered "1"
encr 3des // define the encryption algorithm, which provides IPsec's data confidentiality
authentication pre-share // define peer authentication, here via pre-shared key
group 2 // define the Diffie-Hellman group
lifetime 1000 // define the lifetime of the SA (security association)
crypto isakmp key cisco address 10.1.23.3 // define the pre-shared key and the peer address
crypto isakmp keepalive 10 // define the ISAKMP VPN keepalive time
crypto ipsec security-association lifetime seconds 120 // define the IPsec VPN lifetime
Phase 2:
crypto ipsec transform-set l2ltrans ah-sha-hmac esp-3des
Defines the IPsec transform set named l2ltrans, encapsulating and encrypting with esp-3des; note that the name is case-sensitive, and the transform set is referenced later by the crypto map
crypto map l2lmap 1 ipsec-isakmp
// define crypto map l2lmap with sequence number 1 ----- this can be used to distinguish different logical IPsec VPN links on the same physical interface
set peer 10.1.23.3 // set the peer address
set transform-set l2ltrans // reference the IPsec transform set defined earlier
match address l2lacl // define the interesting traffic, captured with the ACL l2lacl
Underlay IP address configuration:
interface Loopback1
ip address 1.1.1.1 255.255.255.0
interface Serial0/0
ip address 10.1.12.1 255.255.255.0
ip nat outside
serial restart-delay 0
crypto map l2lmap // apply the crypto map to the interface
interface Serial0/1
ip address 192.168.4.2 255.255.255.0
ip nat inside
serial restart-delay 0
PAT configuration:
ip nat inside source list natacl interface Serial0/0 overload
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.12.2
ACL definitions:
ip access-list extended l2lacl
permit ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
ip access-list extended natacl
deny ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 any
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
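The NAT-exemption ACL and the phase 1/phase 2 parameters in the R1 configuration above are the parts of a site-to-site setup that are easiest to get wrong. As an added example that is not part of the original post, this Python script audits a constructed excerpt of R1's configuration for those pitfalls; the regex-based parsing and the exact-tuple comparison of crypto ACL and NAT ACL entries are assumptions suitable for lab-sized configs, not a general ACL engine.

```python
import re

# Constructed excerpt of R1's running-config from this lab (crypto, NAT and ACL parts only).
R1_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 group 2
crypto isakmp key cisco address 10.1.23.3
crypto ipsec transform-set l2ltrans ah-sha-hmac esp-3des
crypto map l2lmap 1 ipsec-isakmp
 set peer 10.1.23.3
 match address l2lacl
interface Serial0/0
 ip nat outside
 crypto map l2lmap
ip nat inside source list natacl interface Serial0/0 overload
ip access-list extended l2lacl
 permit ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
ip access-list extended natacl
 deny ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 any
"""

def first(pattern, config):
    # First capture group of a line-anchored regex over the config, or None if absent.
    m = re.search(pattern, config, re.M)
    return m.group(1) if m else None

def acl_entries(config, name):
    # Entries of a named extended ACL as tuples, e.g. ('deny', 'ip', src, src_wild, dst, dst_wild).
    body = first(rf"^ip access-list extended {name}\n((?: .*\n)*)", config) or ""
    return [tuple(line.split()) for line in body.splitlines()]

def audit(config):
    # Findings for the classic site-to-site IPsec + PAT mistakes; the lab's R1 config passes checks 1 and 2.
    findings = []
    crypto_acl = acl_entries(config, first(r"^ match address (\S+)", config))
    nat_acl = acl_entries(config, first(r"^ip nat inside source list (\S+)", config))
    # 1. NAT exemption: each crypto-ACL permit needs a matching deny in the NAT ACL, or the traffic is PATed first.
    for ace in crypto_acl:
        if ace[0] == "permit" and ("deny",) + ace[1:] not in nat_acl:
            findings.append(f"no NAT exemption for {' '.join(ace[2:])}")
    # 2. The peer in the crypto map must be the address the pre-shared key is bound to.
    if first(r"^ set peer (\S+)", config) != first(r"^crypto isakmp key \S+ address (\S+)", config):
        findings.append("set peer does not match the isakmp key address")
    # 3. 3DES and DH group 2 are deprecated; AES and DH group 14 or higher are recommended instead.
    for weak in ("encr 3des", "group 2", "esp-3des", "esp-des"):
        if re.search(rf"\b{weak}(\s|$)", config, re.M):
            findings.append(f"weak algorithm in use: {weak}")
    return findings
```

Run against the lab excerpt, the NAT exemption and peer checks pass and only the algorithm findings remain; deleting the deny line from natacl reproduces the classic "tunnel never comes up because traffic is translated first" mistake as a finding.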
R2:
R2#show run
Building configuration...
Current configuration : 798 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
!
ip cef
interface Loopback1
ip address 2.2.2.2 255.255.255.0
!
interface Serial0/0
ip address 10.1.12.2 255.255.255.0
serial restart-delay 0
!
interface Serial0/1
ip address 10.1.23.2 255.255.255.0
serial restart-delay 0
!
interface Serial0/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/3
no ip address
shutdown
serial restart-delay 0
!
ip http server
no ip http secure-server
ip classless
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
end
R4:
R4#show run
Building configuration...
Current configuration : 770 bytes
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
!
ip cef
interface Serial0/0
ip address 192.168.4.1 255.255.255.0
serial restart-delay 0
!
interface Serial0/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/3
no ip address
shutdown
serial restart-delay 0
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.4.2
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
end
(R3 and R5 are configured much the same way...)
Packet capture verification:
Using the GNS3 command capture R2 s0/0 ipsec.cap hdlc and then having R4 ping R5, we obtain the encrypted packets; decoding them shows:
As you can see, once the data is encapsulated in ESP, the captured packets reveal neither the real IP addresses nor the services running above them; this is the most visible effect of IPsec: encryption!
Looking at some other protocol packets: the packet structure in ISAKMP quick mode
Packet structure in ISAKMP main mode:
Troubleshooting commands:
a) show crypto isakmp sa/policy
b) show crypto ipsec sa/policy
c) debug crypto isakmp/ipsec
d) debug ip nat
e) show ip nat translations/statistics
f) clear crypto sa/isakmp/ipsec
Reposted from: https://blog.51cto.com/jaxy123/361196