IPsec VPN lab
As shown in the figure, four loopback interfaces simulate the headquarters and three branch offices, and the routers in the middle simulate the Internet and run OSPF. The task is to configure a VPN on the routers and verify that headquarters and the branch offices can communicate.
R1 configuration:
R1#sh run
Building configuration...
Current configuration : 1866 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
!
crypto isakmp policy 10 //create IKE policy number 10
authentication pre-share //use pre-shared key authentication
!
crypto isakmp policy 20 //create IKE policy number 20
hash md5 //use MD5 as the hash algorithm
authentication pre-share //use pre-shared key authentication
group 2 //use Diffie-Hellman group 2 for the key exchange
!
crypto isakmp policy 30 //create IKE policy number 30
encr 3des //set the encryption algorithm to 3DES
authentication pre-share //use pre-shared key authentication
group 5 //use Diffie-Hellman group 5 for the key exchange
crypto isakmp key 6 cq address 201.1.1.2 //configure the ISAKMP pre-shared key: the key shared with peer 201.1.1.2 is cq and is stored encrypted (the number after "key" takes one of two values: 0 means stored in clear text, 6 means stored encrypted)
crypto isakmp key 6 nj address 202.1.1.2 //the pre-shared key shared with peer 202.1.1.2 is nj, stored encrypted
crypto isakmp key 6 sh address 203.1.1.2 //the pre-shared key shared with peer 203.1.1.2 is sh, stored encrypted
!
crypto ipsec transform-set cq esp-des //define a transform set: the security protocol, mode, and encryption and authentication algorithms used to protect user data
crypto ipsec transform-set nj esp-des esp-md5-hmac
crypto ipsec transform-set sh ah-sha-hmac esp-3des
!
crypto map cisco 1 ipsec-isakmp //define the security policy: create the crypto map named cisco and configure its entry with sequence number 1
set peer 201.1.1.2 //specify the peer's IP address
set transform-set cq //specify the IPsec transform set cq
set pfs group1 //PFS: use Diffie-Hellman group 1 for the IPsec key exchange
match address 110 //specify access list 110 as the crypto ACL that selects the traffic to encrypt
crypto map cisco 2 ipsec-isakmp
set peer 202.1.1.2
set transform-set nj
set pfs group2
match address 120
crypto map cisco 3 ipsec-isakmp
set peer 203.1.1.2
set transform-set sh
set pfs group5
match address 130
!
!
interface Loopback0
ip address 10.1.1.1 255.255.255.0
!
interface Serial0/0
ip address 199.1.1.1 255.255.255.0
serial restart-delay 0
crypto map cisco //apply the crypto map cisco to interface s0/0
!
interface Serial0/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/3
no ip address
shutdown
serial restart-delay 0
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 199.1.1.2
!
access-list 110 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 //define the traffic that goes through the VPN tunnel
access-list 120 permit ip 10.1.1.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 130 permit ip 10.1.1.0 0.0.0.255 172.16.3.0 0.0.0.255
!
control-plane
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
end
R2 configuration:
R2#sh run
Building configuration...
Current configuration : 916 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R2
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
no ip domain lookup
interface Serial0/0
ip address 199.1.1.2 255.255.255.0
serial restart-delay 0
clock rate 64000
interface Serial0/1
no ip address
shutdown
serial restart-delay 0
interface Serial0/2
no ip address
shutdown
serial restart-delay 0
interface Serial0/3
ip address 200.1.1.1 255.255.255.0
serial restart-delay 0
clock rate 64000
!
router ospf 1 //run OSPF
log-adjacency-changes
network 199.1.1.0 0.0.0.255 area 1
network 200.1.1.0 0.0.0.255 area 0
no ip http server
no ip http secure-server
control-plane
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
end
R3 configuration:
R3#sh run
Building configuration...
Current configuration : 974 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
no ip domain lookup
interface Serial0/0
ip address 201.1.1.1 255.255.255.0
serial restart-delay 0
interface Serial0/1
ip address 202.1.1.1 255.255.255.0
serial restart-delay 0
interface Serial0/2
ip address 203.1.1.1 255.255.255.0
serial restart-delay 0
interface Serial0/3
ip address 200.1.1.2 255.255.255.0
serial restart-delay 0
router ospf 1
log-adjacency-changes
network 200.1.1.0 0.0.0.255 area 0
network 201.1.1.0 0.0.0.255 area 2
network 202.1.1.0 0.0.0.255 area 3
network 203.1.1.0 0.0.0.255 area 4
no ip http server
no ip http secure-server
control-plane
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
end
R4 configuration:
R4#sh run
Building configuration...
Current configuration : 1203 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
boot-start-marker
boot-end-marker
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
!
crypto isakmp policy 10 //create IKE policy number 10
authentication pre-share //use pre-shared key authentication
crypto isakmp key 6 cq address 199.1.1.1 //configure the ISAKMP pre-shared key
!
!
crypto ipsec transform-set cq esp-des //define a transform set: the security protocol, mode, and encryption and authentication algorithms used to protect user data
!
crypto map cisco 1 ipsec-isakmp //define the security policy: create the crypto map named cisco and configure its entry with sequence number 1
set peer 199.1.1.1 //specify the peer's IP address
set transform-set cq //specify the IPsec transform set cq
set pfs group1 //PFS: use Diffie-Hellman group 1 for the IPsec key exchange
match address 110 //specify access list 110 as the crypto ACL that selects the traffic to encrypt
interface Loopback0
ip address 172.16.1.1 255.255.255.0
!
interface Serial0/0
ip address 201.1.1.2 255.255.255.0
serial restart-delay 0
clock rate 64000
crypto map cisco //apply the crypto map cisco
!
interface Serial0/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/3
no ip address
shutdown
serial restart-delay 0
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 201.1.1.1
!
access-list 110 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255 //define the traffic that goes through the VPN tunnel
!
control-plane
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
end
R5 configuration:
R5#sh run
Building configuration...
Current configuration : 1235 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R5
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
no ip domain lookup
!
crypto isakmp policy 20
hash md5
authentication pre-share
group 2
crypto isakmp key 6 nj address 199.1.1.1
!
!
crypto ipsec transform-set nj esp-des esp-md5-hmac
!
crypto map cisco 2 ipsec-isakmp
set peer 199.1.1.1
set transform-set nj
set pfs group2
match address 120
!
interface Loopback0
ip address 172.16.2.1 255.255.255.0
!
interface Serial0/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/1
ip address 202.1.1.2 255.255.255.0
serial restart-delay 0
clock rate 64000
crypto map cisco
!
interface Serial0/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/3
no ip address
shutdown
serial restart-delay 0
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 202.1.1.1
!
access-list 120 permit ip 172.16.2.0 0.0.0.255 10.1.1.0 0.0.0.255
control-plane
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!
end
R6 configuration:
R6#sh run
Building configuration...
Current configuration : 1236 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R6
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
!
crypto isakmp policy 30
encr 3des
authentication pre-share
group 5
crypto isakmp key 6 sh address 199.1.1.1
crypto ipsec transform-set sh ah-sha-hmac esp-3des
!
crypto map cisco 3 ipsec-isakmp
set peer 199.1.1.1
set transform-set sh
set pfs group5
match address 130
!
interface Loopback0
ip address 172.16.3.1 255.255.255.0
!
interface Serial0/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/2
ip address 203.1.1.2 255.255.255.0
serial restart-delay 0
clock rate 64000
crypto map cisco
!
interface Serial0/3
no ip address
shutdown
serial restart-delay 0
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 203.1.1.1
access-list 130 permit ip 172.16.3.0 0.0.0.255 10.1.1.0 0.0.0.255
control-plane
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!
end
Test results
R1#ping 172.16.1.1 sou 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/83/100 ms
R1#ping 172.16.2.1 sou 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/92/100 ms
R1#ping 172.16.3.1 sou 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/65/92 ms
Lab complete
Summary: IPsec VPN configuration has three main steps
1. Define the IKE policy
2. Define the IPsec policy
3. Apply the policy to an interface
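The consistency check behind step 2, as an added example that is not part of the original post: a small Python script that parses the crypto sections of the IOS configs (the R1 hub and R4 branch excerpts below are constructed from this page), verifies that each hub crypto map entry has a branch entry whose crypto ACL mirrors it with the same transform set, PFS group and pre-shared key, and lists the deprecated algorithms (DES/3DES, MD5, DH groups 1 and 2) that this lab still relies on. The function names and dictionary layout are my own, not an IOS or vendor API.

```python
# Constructed excerpts of the crypto sections in the page's R1 (hub) and R4 (branch) configs.
HUB_R1 = """crypto isakmp key 6 cq address 201.1.1.2
crypto ipsec transform-set cq esp-des
crypto map cisco 1 ipsec-isakmp
 set peer 201.1.1.2
 set transform-set cq
 set pfs group1
 match address 110
access-list 110 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255"""
SPOKE_R4 = """crypto isakmp key 6 cq address 199.1.1.1
crypto ipsec transform-set cq esp-des
crypto map cisco 1 ipsec-isakmp
 set peer 199.1.1.1
 set transform-set cq
 set pfs group1
 match address 110
access-list 110 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255"""

def parse(cfg):  # pull pre-shared keys, transform sets, crypto map entries and crypto ACLs out of IOS text
    p, cur = {"keys": {}, "tsets": {}, "maps": {}, "acls": {}}, {}
    for t in (line.split() for line in cfg.splitlines() if line.strip()):
        if t[:3] == ["crypto", "isakmp", "key"]:
            p["keys"][t[-1]] = t[4]                               # peer address -> key string
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            p["tsets"][t[3]] = frozenset(t[4:])                   # name -> protocols and algorithms
        elif t[:2] == ["crypto", "map"]:
            cur = p["maps"].setdefault(t[3], {})                  # sequence number -> entry
        elif t[0] == "access-list":
            p["acls"].setdefault(t[1], []).append((t[4], t[6]))  # ACL number -> [(source, destination)]
        elif t[0] in ("set", "match"):
            cur[t[1]] = t[-1]                                     # peer / transform-set / pfs / address
    return p

def check_tunnel(hub, spoke):  # mismatches between each hub map entry and the spoke entry mirroring its ACL
    problems = []
    for seq, h in hub["maps"].items():
        mirror = {(dst, src) for src, dst in hub["acls"].get(h.get("address"), [])}
        sp = next((m for m in spoke["maps"].values() if set(spoke["acls"].get(m.get("address"), [])) == mirror), None)
        if sp is None:
            problems.append(f"map {seq}: spoke has no crypto ACL mirroring ACL {h.get('address')}")
            continue
        pairs = {"transform sets": (hub["tsets"].get(h.get("transform-set")), spoke["tsets"].get(sp.get("transform-set"))),
                 "PFS groups": (h.get("pfs"), sp.get("pfs")),
                 "pre-shared keys": (hub["keys"].get(h.get("peer")), spoke["keys"].get(sp.get("peer")))}
        problems += [f"map {seq}: {what} differ" for what, (a, b) in pairs.items() if a != b]
    return problems

def weak_algorithms(cfg):  # DES/3DES, MD5 and DH group 1/2 are deprecated for new IPsec deployments
    used = set().union(*cfg["tsets"].values()) | {m.get("pfs", "") for m in cfg["maps"].values()}
    return sorted(a for a in used if "des" in a or "md5" in a or a in ("group1", "group2"))
```

Running `check_tunnel(parse(HUB_R1), parse(SPOKE_R4))` on the page's R1/R4 pair returns no problems, while `weak_algorithms` reports `esp-des` and `group1` for both sides.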
Reposted from: https://blog.51cto.com/2841335/796091