[CCIE Lab] IPSec Configuration Case Study
1 Lab Topology
Addressing used throughout (recoverable from the verification output in section 4): PC1 192.168.1.2/24 sits behind R1, whose Internet-facing interface Serial1/0 is 13.1.1.1; PC2 192.168.2.2/24 sits behind R2, whose Internet-facing address is 23.1.1.2; 3.3.3.3 is the address on the simulated Internet that the NAT test pings.
2 Lab Requirements
1. R1 and PC1 simulate the Fuzhou branch office, R2 and PC2 simulate the Shanghai headquarters. Connect the Fuzhou branch and the Shanghai headquarters over an IPSec VPN.
2. The IP addresses of the links between devices are as shown in the figure.
3. Configure NAT on R1 and R2 respectively so that internal users can reach the Internet through NAT.
4. Configure IPSec VPN on R1 and R2 respectively so that the Fuzhou branch and the Shanghai headquarters can reach each other.
3 Configuration Approach
1. Configure IP addresses according to the topology.
2. Configure NAT on R1 and R2 (the NAT ACL must exclude the site-to-site traffic so that it is not translated before encryption).
3. Configure IPSec VPN on R1 and R2.
4 Verification
1. Verify NAT:
PC1#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/37/44 ms
R1#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 13.1.1.1:8 192.168.1.2:8 3.3.3.3:8 3.3.3.3:8
PC2#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/37/48 ms
R2#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 23.1.1.2:3 192.168.2.2:3 3.3.3.3:3 3.3.3.3:3
2. Test IPSec VPN connectivity (clear the NAT tables first, so that only translations created by this test can appear):
R1#clear ip nat translation *
R2#clear ip nat translation *
PC1#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/80/88 ms
R1#show ip nat translations
The NAT table is empty, which shows that the VPN traffic was not translated. This is the check to make on any site-to-site VPN that shares an interface with NAT: on the inside-to-outside path IOS performs NAT before it evaluates the crypto map, so the NAT ACL must deny 192.168.1.0/24 -> 192.168.2.0/24 ahead of its permit. Without that deny the packets would be translated to 13.1.1.1, no longer match crypto ACL 101, and leave Serial1/0 in cleartext.
3. View the phase 1 IKE policy:
R1#show crypto isakmp policy
Global IKE policy
Protection suite of priority 1
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Policy 1 is what the lab configured; the "Default protection suite" is the built-in fallback that IOS offers when no configured policy matches the peer. Every parameter of policy 1 is weak by current standards: 3DES and MD5 are deprecated, and 768-bit DH group 1 is far below the 2048-bit group 14 generally recommended as a minimum; the default suite's 56-bit DES is weaker still. These values are acceptable only for a lab that exercises the negotiation, not for a production tunnel.
4. View the management connection and verify that phase 1 negotiated successfully:
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
23.1.1.2 13.1.1.1 QM_IDLE 1001 0 ACTIVE
QM_IDLE means the ISAKMP (phase 1) SA with 23.1.1.2 is established and idle, ready to run Quick Mode for the phase 2 negotiations; conn-id 1001 identifies this SA in later show and debug output.
5. View the phase 2 IPSec transform set, i.e. the security protocol for the data connection:
R1#show crypto ipsec transform-set
Transform set myset: { esp-3des }
will negotiate = { Tunnel, },
myset uses ESP with 3DES for confidentiality and no authentication transform (no esp-md5-hmac or esp-sha-hmac), so the data connection has no integrity protection, and IOS reports replay detection as unsupported on the resulting SAs (see "replay detection support: N" in the next output).
6. View the state of the data connection SAs:
R1#show crypto ipsec sa
interface: Serial1/0
Crypto map tag: mymap, local addr 13.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer 23.1.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 25, #pkts encrypt: 25, #pkts digest: 25
#pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 11, #recv errors 0
local crypto endpt.: 13.1.1.1, remote crypto endpt.: 23.1.1.2
path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0
current outbound spi: 0x9E798012(2658762770)
inbound esp sas:
spi: 0xED308BE6(3979381734)
transform: esp-3des ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4552518/1233)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x9E798012(2658762770)
transform: esp-3des ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4552518/1232)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
#pkts encaps/decaps count the packets encrypted and decrypted on this SA pair; the 11 send errors are typically the first packets dropped while the SAs were still being negotiated, and the count should not keep growing once Status is ACTIVE. The two SPIs are per direction: R1's outbound SPI 0x9E798012 is R2's inbound SPI, and R1's inbound SPI 0xED308BE6 is R2's outbound SPI.
7. View the crypto map:
R1#show crypto map
Crypto Map "mymap" 1 ipsec-isakmp
Peer = 23.1.1.2
Extended IP access list 101
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Current peer: 23.1.1.2
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
myset,
}
Interfaces using crypto map mymap:
Serial1/0
PFS (Y/N): N means no fresh Diffie-Hellman exchange is performed for the phase 2 SAs; their keys are derived from the phase 1 secret, so compromise of that secret exposes every data SA keyed under it. Configuring "set pfs group14" in the crypto map on both peers adds a per-SA exchange.
5 Configuration Files
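This section's configuration listing is absent from the page. The following is an added reconstruction of the R1 and R2 configurations consistent with the show output in section 4; it is not the lab author's file. The inside interface names (FastEthernet0/0) and addresses (192.168.1.1 and 192.168.2.1), R2's outside interface name, the next hops 13.1.1.3 and 23.1.1.3, NAT ACL number 100 and the pre-shared key are assumptions; the peer addresses, mymap, myset, ACL 101 and the policy 1 parameters come from the outputs above.

```cisco
! R1 (Fuzhou branch) -- added reconstruction, not the lab's own listing
hostname R1
!
! Inside interface name and address are assumed; PC1 is 192.168.1.2
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial1/0
 ip address 13.1.1.1 255.255.255.0
 ip nat outside
 crypto map mymap
!
! Default route toward the simulated Internet (next hop assumed)
ip route 0.0.0.0 0.0.0.0 13.1.1.3
!
! NAT ACL: the deny for site-to-site traffic MUST precede the permit.
! NAT runs before the crypto map on the inside-to-outside path; without
! this deny the packets would be translated to 13.1.1.1, fail to match
! crypto ACL 101 and be sent toward the Internet unencrypted.
access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 100 interface Serial1/0 overload
!
! Phase 1 policy exactly as reported by "show crypto isakmp policy"
crypto isakmp policy 1
 encryption 3des
 hash md5
 authentication pre-share
 group 1
 lifetime 86400
! Pre-shared key (value assumed); must match on R2
crypto isakmp key 0 LabPsk-ReplaceMe address 23.1.1.2
!
! Phase 2 transform set and crypto ACL as reported in section 4
crypto ipsec transform-set myset esp-3des
 mode tunnel
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map mymap 1 ipsec-isakmp
 set peer 23.1.1.2
 set transform-set myset
 match address 101
!
! R2 (Shanghai HQ) -- mirror image of R1
hostname R2
!
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
!
interface Serial1/0
 ip address 23.1.1.2 255.255.255.0
 ip nat outside
 crypto map mymap
!
ip route 0.0.0.0 0.0.0.0 23.1.1.3
!
access-list 100 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
ip nat inside source list 100 interface Serial1/0 overload
!
crypto isakmp policy 1
 encryption 3des
 hash md5
 authentication pre-share
 group 1
 lifetime 86400
crypto isakmp key 0 LabPsk-ReplaceMe address 13.1.1.1
!
crypto ipsec transform-set myset esp-3des
 mode tunnel
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
crypto map mymap 1 ipsec-isakmp
 set peer 13.1.1.1
 set transform-set myset
 match address 101
```

Verify it with the same commands as section 4: show ip nat translations must stay empty after a PC1-to-PC2 ping, show crypto isakmp sa must show a QM_IDLE entry, and the encaps and decaps counters in show crypto ipsec sa must rise together.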
6 Summary and Notes
1. Establishing an IPSec VPN connection takes three steps:
1) Interesting traffic triggers IPSec (a packet matches the crypto ACL)
2) Establish the management connection (ISAKMP/IKE phase 1, the ISAKMP SA)
3) Establish the data connections (ISAKMP/IKE phase 2, the pair of IPSec SAs)
2. The three tasks of phase 1:
1) Negotiate how the management connection is established (the IKE policy: encryption, hash, authentication method, DH group, lifetime)
2) Share keying material through the Diffie-Hellman algorithm
3) Authenticate the peers to each other (pre-shared key in this lab)
3. The tasks of ISAKMP/IKE phase 2:
1) Define which traffic between the peers is to be protected (the crypto ACL)
2) Define the security protocol used to protect the data (the transform set: ESP and/or AH)
3) Define the mode (tunnel or transport)
4) Define the lifetime of the data connection and how keys are refreshed (SA lifetime, PFS)
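The lab's parameters are fine for learning the negotiation but not for a production tunnel. The following is an added example, not from the lab, that maps each phase 1 and phase 2 task listed above to the IOS command that sets it, with the lab's weak value noted in a comment beside a current-strength replacement. It assumes an IOS release that supports AES, SHA-256 and DH group 14; the pre-shared key is a placeholder, and R2 needs the mirror-image configuration.

```cisco
! Phase 1, task 1: how the management connection is negotiated (IKE policy)
!   lab values: encryption 3des / hash md5 / group 1 / lifetime 86400
crypto isakmp policy 1
 encryption aes 256
 hash sha256
 authentication pre-share
! Phase 1, task 2: DH group used to derive the shared key (lab: group 1, 768 bit)
 group 14
 lifetime 28800
! Phase 1, task 3: peer authentication. Pre-shared key kept as in the lab;
! the value below is a placeholder and must be replaced by a long random
! secret (certificates, "authentication rsa-sig", are the stronger option)
crypto isakmp key 0 ReplaceWithLongRandomSecret address 23.1.1.2
!
! Phase 2, task 1: traffic to protect (crypto ACL, unchanged from the lab)
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Phase 2, task 2: security protocol. Lab: esp-3des with no HMAC, hence no
! integrity protection and "replay detection support: N" on the SAs
crypto ipsec transform-set myset esp-aes 256 esp-sha256-hmac
! Phase 2, task 3: mode (tunnel, as in the lab)
 mode tunnel
!
! Phase 2, task 4: lifetime and rekeying. The default 3600 s is kept;
! PFS adds a fresh DH exchange per data SA (lab: PFS N)
crypto map mymap 1 ipsec-isakmp
 set peer 23.1.1.2
 set transform-set myset
 set pfs group14
 set security-association lifetime seconds 3600
 match address 101
```

Both peers must offer matching proposals; after the change, a mismatch on either side leaves show crypto isakmp sa without a QM_IDLE entry, and show crypto ipsec sa should now report the new transform with replay detection supported.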