IPsec VPN configuration walkthrough (for reference, study and discussion)

I. IPsec VPN with pre-shared keys (PSK)

Any IOS image whose feature set contains a "k" (the k8/k9 crypto images) supports the encryption features used here. Topology: topo.jpg (57.02 KB, posted 2008-10-11 20:14); the figure itself is not reproduced. From the configuration: R1 and R2 are connected back to back on Serial0/0 (192.168.1.0/30), and each router has a loopback standing in for its LAN (10.1.1.0/24 behind R1, 10.2.2.0/24 behind R2).

1. R1 basic configuration:
R1(config)#interface loopback0
R1(config-if)#ip address 10.1.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#interface serial0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.252
R1(config-if)#clock rate 56000
R1(config-if)#no shutdown
R1(config-if)#exit

2. Define the interesting traffic and the routing:
R1(config)#access-list 100 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
R1(config)#ip route 0.0.0.0 0.0.0.0 serial0/0
Access-list 100 is the crypto ACL: only traffic it permits is encrypted, and R2 must carry its mirror image (source and destination swapped), otherwise phase 2 fails because the proxy identities do not match.

3. Enable ISAKMP globally and define the peer and its pre-shared key:
R1(config)#crypto isakmp enable
R1(config)#crypto isakmp key 91lab address 192.168.1.2
"91lab" is a lab value; in production use a long random key and bind it to the peer address, as done here, rather than to a wildcard.

4. Define the IKE (phase 1) policy:
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#encryption aes 128 /- default is DES -/
R1(config-isakmp)#hash sha /- default is SHA-1 -/
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2 /- default is DH group 1 (768-bit) -/
R1(config-isakmp)#lifetime 3600 /- default is 86400 seconds -/
R1(config-isakmp)#exit
The defaults matter: a policy that omits the encryption line silently falls back to DES, and one that omits the group falls back to 768-bit DH, both of which are broken today.

5. Define the IPsec transform set:
R1(config)#crypto ipsec transform-set tt esp-aes 128 esp-sha-hmac
R1(cfg-crypto-trans)#mode tunnel
R1(cfg-crypto-trans)#exit

6. Define the crypto map and apply it to the interface:
R1(config)#crypto map cisco 10 ipsec-isakmp
R1(config-crypto-map)#match address 100
R1(config-crypto-map)#set peer 192.168.1.2 /- the peer address this crypto map entry applies to -/
R1(config-crypto-map)#set transform-set tt /- the IPsec transform set this crypto map entry uses -/
R1(config-crypto-map)#exit
R1(config)#interface serial0/0
R1(config-if)#crypto map cisco
*Mar 1 00:08:31.131: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#end
R1#

R1 is done. R2's configuration is the mirror image, shown here in running-config form:
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key 91lab address 192.168.1.1
!
crypto ipsec transform-set tt esp-aes esp-sha-hmac
!
crypto map cisco 10 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set tt
 match address 100
!
interface Loopback0
 ip address 10.2.2.1 255.255.255.0
!
interface Serial0/0
 ip address 192.168.1.2 255.255.255.252
 crypto map cisco
!
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
access-list 100 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255

R2 leaves hash and lifetime at their defaults (SHA-1 and 86400 seconds). Phase 1 still comes up because encryption, hash, authentication and DH group agree on both sides (encr aes with no key size means AES-128, matching R1's encryption aes 128), and when the lifetimes differ the shorter one, R1's 3600 seconds, is used. To check the result, send traffic between the loopbacks (ping 10.2.2.1 source 10.1.1.1 on R1): show crypto isakmp sa should list the peer in state QM_IDLE, and the #pkts encaps/decaps counters in show crypto ipsec sa should increase.

II. IPsec VPN with aggressive mode and PSK

Steps 1, 2, 4, 5 and 6 are identical to Section I (loopback and serial addressing, crypto ACL 100, the IKE policy, transform set tt and crypto map cisco on serial0/0). Only step 3 changes: instead of a crypto isakmp key entry, the peer is defined with a crypto isakmp peer block that carries the identity and password used in aggressive mode.

3. Enable ISAKMP globally and define the peer and its pre-shared key, using aggressive mode:
R1(config)#crypto isakmp enable
R1(config)#crypto isakmp peer address 192.168.1.2
R1(config-isakmp-peer)#set aggressive-mode client-endpoint ipv4-address 192.168.1.1 /- the identity this router presents, i.e. its own address -/
R1(config-isakmp-peer)#set aggressive-mode password 91lab

R1 is done. R2's configuration, in running-config form:
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp peer address 192.168.1.1
 set aggressive-mode password 91lab
 set aggressive-mode client-endpoint ipv4-address 192.168.1.2 /- R2's own address, the identity R2 presents -/
!
crypto ipsec transform-set tt esp-aes esp-sha-hmac
!
crypto map cisco 10 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set tt
 match address 100
!
interface Loopback0
 ip address 10.2.2.1 255.255.255.0
!
interface Serial0/0
 ip address 192.168.1.2 255.255.255.252
 crypto map cisco
!
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
access-list 100 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!

Caveat: aggressive mode completes phase 1 in three messages instead of six, but both identities travel in the clear and the responder's authentication hash is sent before any encryption is in place, so anyone who captures the exchange can run an offline dictionary attack against the PSK. Use it only where a dynamic peer address leaves no choice, and then with a long random key; otherwise stay with main mode as in Section I.

III. GRE tunnel combined with IPsec

A GRE tunnel has no security of its own; wrapping it in PSK-based IPsec gives it confidentiality and integrity. The topology figure is not reproduced; the addressing is the same as in Section I.

1. R1 basic configuration:
R1(config)#interface loopback0
R1(config-if)#ip address 10.1.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#interface serial0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.252
R1(config-if)#clock rate 56000
R1(config-if)#no shutdown
R1(config)#interface tunnel 0
R1(config-if)#ip unnumbered serial0/0
R1(config-if)#tunnel source serial0/0
R1(config-if)#tunnel destination 192.168.1.2 /- R2's serial address, never the router's own -/
R1(config-if)#tunnel mode gre ip /- optional: GRE is the default tunnel mode -/
R1(config-if)#no shutdown
R1(config-if)#exit

2. Define the interesting traffic and the routing:
R1(config)#access-list 100 permit gre host 192.168.1.1 host 192.168.1.2
R1(config)#ip route 0.0.0.0 0.0.0.0 serial0/0
R1(config)#ip route 10.2.2.0 255.255.255.0 tunnel 0
The crypto ACL now matches only GRE packets between the two serial addresses, so the route to the remote LAN must point into Tunnel0. A route for 10.2.2.0/24 via serial0/0 would send the LAN traffic as plain IP, which the crypto map would not match, and it would cross the link unencrypted.

3. Enable ISAKMP and define the peer and its pre-shared key; 4. the IKE policy; 5. the transform set; 6. the crypto map: all exactly as in Section I (crypto isakmp key 91lab address 192.168.1.2, policy 10 with aes 128 / sha / pre-share / group 2 / lifetime 3600, transform set tt, crypto map cisco matching access-list 100 with peer 192.168.1.2). The crypto map is still applied to serial0/0, the interface the GRE packets leave through, not to the tunnel interface.

R1 is done. R2's configuration, in running-config form:
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key 91lab address 192.168.1.1
!
crypto ipsec transform-set tt esp-aes esp-sha-hmac
!
crypto map cisco 10 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set tt
 match address 100
!
interface Tunnel0
 ip unnumbered Serial0/0
 tunnel source Serial0/0
 tunnel destination 192.168.1.1
!
interface Loopback0
 ip address 10.2.2.1 255.255.255.0
!
interface Serial0/0
 ip address 192.168.1.2 255.255.255.252
 crypto map cisco
!
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 10.1.1.0 255.255.255.0 Tunnel0
!
access-list 100 permit gre host 192.168.1.2 host 192.168.1.1
!

R2's crypto ACL must be the mirror of R1's and match GRE between the two serial addresses, because that is the outer header of the packets leaving the tunnel. An ACL written with the loopback addresses (permit gre host 10.2.2.1 host 10.1.1.1) never matches a GRE packet: R1's proposed proxy identities match nothing on R2 and phase 2 fails. R2 likewise needs the route for 10.1.1.0/24 through Tunnel0 for the same reason given for R1.

IV. IPsec VPN high availability

Normally we want IPsec VPN traffic to fail over seamlessly between a primary and a standby router. This is achieved by combining HSRP with SSO: HSRP provides the virtual IP address that the remote peer talks to and moves it to the standby router as soon as the active router goes down, while SSO (stateful switchover) replicates IKE and IPsec SA state from the active to the standby router, so the standby can carry on the existing tunnels without renegotiating them. Topology: topo.jpg (66.28 KB, posted 2008-10-15 19:48); the figure is not reproduced. From the configuration: the SPOKE reaches the hub pair through the HSRP virtual address 16.1.1.254 on their Ethernet0/0, and the hubs see the SPOKE at 173.1.1.1.

SPOKE configuration:

1. Define the interesting traffic and the routing:
SPOKE(config)#access-list 100 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
SPOKE(config)#ip route 0.0.0.0 0.0.0.0 serial0/0

2. Enable ISAKMP globally and define the peer and its pre-shared key:
SPOKE(config)#crypto isakmp enable
SPOKE(config)#crypto isakmp key 91lab address 0.0.0.0 0.0.0.0
The 0.0.0.0 0.0.0.0 wildcard accepts this key from any peer address. Here the peer is a fixed address (the HSRP virtual IP 16.1.1.254), so the key should be bound to that address; keep wildcard keys for peers whose addresses really are dynamic.

3. Define the IKE policy:
SPOKE(config)#crypto isakmp policy 10
SPOKE(config-isakmp)#encryption aes 128 /- default is DES -/
SPOKE(config-isakmp)#hash sha /- default is SHA-1 -/
SPOKE(config-isakmp)#authentication pre-share
SPOKE(config-isakmp)#group 2 /- default is DH group 1 (768-bit) -/
SPOKE(config-isakmp)#lifetime 3600 /- default is 86400 seconds -/
SPOKE(config-isakmp)#exit

4. Define the IPsec transform set:
SPOKE(config)#crypto ipsec transform-set nuaiko esp-aes 128 esp-sha-hmac
SPOKE(cfg-crypto-trans)#exit

5. Define the crypto map and apply it to the interface:
SPOKE(config)#crypto map ccsp 10 ipsec-isakmp
SPOKE(config-crypto-map)#match address 100
SPOKE(config-crypto-map)#set peer 16.1.1.254 /- the peer address of the crypto map: the HSRP virtual IP on the hub side -/
SPOKE(config-crypto-map)#set transform-set nuaiko /- the IPsec transform set this crypto map entry uses -/
SPOKE(config-crypto-map)#exit
SPOKE(config)#interface serial0/0
SPOKE(config-if)#crypto map ccsp
*Mar 1 00:08:31.131: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
SPOKE(config-if)#end
SPOKE#

SPOKE is done. HUB1 configuration:

1. Define the interesting traffic and the routing:
HUB1(config)#access-list 100 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
HUB1(config)#ip route 0.0.0.0 0.0.0.0 16.1.1.3

2. Enable ISAKMP globally and define the peer and its pre-shared key:
HUB1(config)#crypto isakmp enable
HUB1(config)#crypto isakmp key 91lab address 0.0.0.0 0.0.0.0
The same wildcard caveat applies: on the hub the key can be bound to the SPOKE's address 173.1.1.1.

3. Define the IKE policy:
HUB1(config)#crypto isakmp policy 10
HUB1(config-isakmp)#encryption aes 128 /- default is DES -/
HUB1(config-isakmp)#hash sha /- default is SHA-1 -/
HUB1(config-isakmp)#authentication pre-share
HUB1(config-isakmp)#group 2 /- default is DH group 1 (768-bit) -/
HUB1(config-isakmp)#lifetime 3600 /- default is 86400 seconds -/
HUB1(config-isakmp)#exit

4. Define the IPsec transform set:
HUB1(config)#crypto ipsec transform-set nuaiko esp-aes 128 esp-sha-hmac
HUB1(cfg-crypto-trans)#exit

5. Define the crypto map:
HUB1(config)#crypto map ccsp 10 ipsec-isakmp
HUB1(config-crypto-map)#match address 100
HUB1(config-crypto-map)#set peer 173.1.1.1 /- the peer address this crypto map entry applies to -/
HUB1(config-crypto-map)#set transform-set nuaiko /- the IPsec transform set this crypto map entry uses -/
HUB1(config-crypto-map)#exit

6. Enable HSRP and apply the crypto map:
HUB1(config)#interface ethernet 0/0
HUB1(config-if)#standby 1 ip 16.1.1.254 /- virtual IP address of HSRP group 1 -/
H UB1(config-if)#standby 1 priority 105
HUB1(config-if)#standby 1
[the source text breaks off here]
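The points that Sections I, III and IV rely on but IOS never checks for you (the defaults a policy silently falls back to, whether the two sides actually share a phase 1 policy, that the crypto ACLs are mirror images and set peer points at the other side, and whether a pre-shared key is bound to a wildcard) can all be verified offline from the running-configs. The following Python script is an added example, not part of the walkthrough and not a Cisco tool: it embeds R1 of Section I as a constructed running-config sample, derives R2 and the Section III GRE pair from it, and audits variants that reproduce common mistakes (a GRE crypto ACL written with LAN hosts, a policy missing its encryption line, a Section IV-style wildcard key). The function names, finding texts and sample variants are this example's own assumptions.

```python
"""Added example, not from the walkthrough: an offline audit of the IOS crypto configs in
Sections I, III and IV.  The config text is a constructed sample in running-config form."""
from collections import defaultdict

IKE_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1", "lifetime": "86400"}
WEAK_IKE = {("encr", "des"), ("hash", "md5"), ("group", "1")}   # broken ciphers, 768-bit DH

def parse_ios(text):
    """Pull the crypto-relevant pieces out of an IOS running-config."""
    cfg = {"policies": {}, "keys": [], "maps": defaultdict(dict), "acls": defaultdict(list), "ifaces": defaultdict(dict)}
    block = None                                  # (section, key) of the open indented block
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0] == "!":
            continue
        if raw.startswith(" "):                   # indented line: belongs to the open block
            if block and block[0] == "policies":  # IOS shows "encryption aes 128" as "encr aes"
                val = " ".join(w[1:])
                cfg["policies"][block[1]]["encr" if w[0] == "encryption" else w[0]] = "aes 128" if val == "aes" else val
            elif block:                           # crypto map / interface lines: "<verb> <noun> <value...>"
                cfg[block[0]][block[1]][" ".join(w[:2])] = " ".join(w[2:])
            continue
        block = None
        if w[:3] == ["crypto", "isakmp", "policy"]:
            block, cfg["policies"][w[3]] = ("policies", w[3]), {}
        elif w[:3] == ["crypto", "isakmp", "key"]:   # crypto isakmp key <k> address <addr> [<mask>]
            cfg["keys"].append((w[5], w[6] if len(w) > 6 else "255.255.255.255"))
        elif w[:2] == ["crypto", "map"]:
            block = ("maps", (w[2], w[3]))
        elif w[0] == "interface":
            block = ("ifaces", w[1])
        elif w[0] == "access-list":                   # access-list <n> permit <proto> <src> <dst>
            side = lambda t: (t[1], "0.0.0.0") if t[0] == "host" else tuple(t)   # "host A" | "A wildcard"
            cfg["acls"][w[1]].append((w[3], side(w[4:6]), side(w[6:8])))
    return cfg

def effective_policies(cfg):
    """ISAKMP policies with the IOS defaults filled in, keyed by priority."""
    return {p: {**IKE_DEFAULTS, **a} for p, a in cfg["policies"].items()}

def negotiate_ike(initiator, responder):
    """Responder walks its policies in priority order for one agreeing with a proposal on
    encr/hash/auth/group; the shorter lifetime is used.  None means phase 1 would fail."""
    for _, own in sorted(effective_policies(responder).items(), key=lambda kv: int(kv[0])):
        for prop in effective_policies(initiator).values():
            if all(own[k] == prop[k] for k in ("encr", "hash", "authentication", "group")):
                return {**own, "lifetime": str(min(int(own["lifetime"]), int(prop["lifetime"])))}
    return None

def crypto_interface(cfg):
    """(crypto map name, address) of the interface the map is applied to."""
    i = next(i for i in cfg["ifaces"].values() if "crypto map" in i)
    return i["crypto map"], i["ip address"].split()[0]

def audit_pair(cfg_a, cfg_b):
    """Cross-checks IOS does not do for you; returns a list of findings (empty = clean)."""
    out = []
    for label, cfg in (("A", cfg_a), ("B", cfg_b)):
        for prio, pol in effective_policies(cfg).items():
            out += [f"{label}: isakmp policy {prio} uses {k} {v}" for k, v in pol.items() if (k, v) in WEAK_IKE]
        if any(mask == "0.0.0.0" for _, mask in cfg["keys"]):
            out.append(f"{label}: wildcard pre-shared key accepts any peer that knows it")
    if negotiate_ike(cfg_a, cfg_b) is None:
        out.append("no matching IKE policy between A and B")
    (map_a, addr_a), (map_b, addr_b) = crypto_interface(cfg_a), crypto_interface(cfg_b)
    ent_a = next(e for (n, _), e in cfg_a["maps"].items() if n == map_a)
    ent_b = next(e for (n, _), e in cfg_b["maps"].items() if n == map_b)
    if ent_a["set peer"] != addr_b or ent_b["set peer"] != addr_a:
        out.append("set peer does not match the other side's crypto-map interface")
    acl_a = {(p, s, d) for p, s, d in cfg_a["acls"][ent_a["match address"]]}
    acl_b = {(p, d, s) for p, s, d in cfg_b["acls"][ent_b["match address"]]}   # reversed on purpose
    if acl_a != acl_b:
        out.append("crypto ACLs are not mirror images")
    return out

# Constructed sample: R1 of Section I in running-config form; mirror() derives R2 from it.
R1 = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key 91lab address 192.168.1.2
crypto map cisco 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set tt
 match address 100
interface Serial0/0
 ip address 192.168.1.1 255.255.255.252
 crypto map cisco
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
"""

def mirror(text):   # swap the two serial addresses and the two LANs to get the other router's config
    for a, b in (("192.168.1.1", "192.168.1.2"), ("10.1.1.0", "10.2.2.0")):
        text = text.replace(a, "@").replace(b, a).replace("@", b)
    return text

R2 = mirror(R1).replace(" lifetime 3600\n", "")            # R2 keeps the 86400 s default, as in Section I
R1_GRE = R1.replace("ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255", "gre host 192.168.1.1 host 192.168.1.2")
R2_GRE = mirror(R1_GRE)                                    # Section III pair: GRE between the serial endpoints
R2_GRE_BAD = R2_GRE.replace("host 192.168.1.2 host 192.168.1.1", "host 10.2.2.1 host 10.1.1.1")  # LAN hosts in a GRE ACL
# Section IV-style wildcard PSK, plus the encryption line dropped so IOS silently falls back to DES
R2_SLOPPY = R2.replace("address 192.168.1.1\n", "address 0.0.0.0 0.0.0.0\n").replace(" encr aes\n", "")
```

Call audit_pair(parse_ios(R1_GRE), parse_ios(R2_GRE_BAD)) to see the mirror check fire, and audit_pair(parse_ios(R1), parse_ios(R2_SLOPPY)) to see the DES fallback, the wildcard key and the resulting phase 1 mismatch reported together. The lifetime rule follows Cisco's documented behaviour (the shorter lifetime is used when they differ); the parser deliberately handles only the config forms used in this walkthrough, so "any" in a crypto ACL, several crypto-map interfaces and transform-set comparison are out of scope.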