Cisco IPsec VPN Configuration Collection (CISCO IPsec VPN配置大全.docx, 14 pages)
Author: 红头发 (aka CCIE#15101)

I. PSK-based IPsec VPN configuration

Any IOS image whose feature set carries the "k" (crypto) designation is sufficient, since it supports the encryption features. The topology is as follows:

[Figure: topo.jpg (57.02 KB), attached 2008-10-11 20:14]
1. R1 basic configuration:
R1(config)#interface loopback0
R1(config-if)#ip address 10.1.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#interface serial0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.252
R1(config-if)#clock rate 56000
R1(config-if)#no shutdown
R1(config-if)#exit

2. Define the interesting traffic and the routing:
R1(config)#access-list 100 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
R1(config)#ip route 0.0.0.0 0.0.0.0 serial0/0

3. Enable ISAKMP globally and define the peer and its PSK (pre-shared key):
R1(config)#crypto isakmp enable
R1(config)#crypto isakmp key 91lab address 192.168.1.2
The key is looked up by peer address, so R2 must bind the same key to 192.168.1.1. "91lab" is a lab value; a production PSK should be long and random, because the PSK is the only thing authenticating the peers.

4. Define the IKE policy:
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#encryption aes 128      /--- default is DES ---/
R1(config-isakmp)#hash sha                /--- default is SHA-1 ---/
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2                 /--- default is DH group 1 (768-bit) ---/
R1(config-isakmp)#lifetime 3600           /--- default is 86400 seconds ---/
R1(config-isakmp)#exit
Encryption, hash, authentication method and DH group must match a policy on R2 or phase 1 fails; the lifetime need not match, the shorter of the two values is negotiated. Group 2 (1024-bit MODP) and SHA-1 were the usual choices when this was written; current guidance favours DH group 14 or higher.

5. Define the IPsec transform set:
R1(config)#crypto ipsec transform-set tt esp-aes 128 esp-sha-hmac
R1(cfg-crypto-trans)#mode tunnel
R1(cfg-crypto-trans)#exit

6. Define the crypto map and apply it to the interface:
R1(config)#crypto map cisco 10 ipsec-isakmp
R1(config-crypto-map)#match address 100
R1(config-crypto-map)#set peer 192.168.1.2        /--- address of the peer this crypto map entry talks to ---/
R1(config-crypto-map)#set transform-set tt        /--- IPsec transform set this crypto map entry uses ---/
R1(config-crypto-map)#exit
R1(config)#interface serial0/0
R1(config-if)#crypto map cisco
*Mar  1 00:08:31.131: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#end
R1#
R1 configuration complete.
Similarly, R2's configuration is as follows:
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key 91lab address 192.168.1.1
!
crypto ipsec transform-set tt esp-aes esp-sha-hmac
!
crypto map cisco 10 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set tt
 match address 100
!
interface Loopback0
 ip address 10.2.2.1 255.255.255.0
!
interface Serial0/0
 ip address 192.168.1.2 255.255.255.252
 crypto map cisco
!
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
access-list 100 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
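The two sides of a site-to-site tunnel only come up when the IKE policy, PSK, peer addresses, transform set and crypto ACLs agree, and most lab failures are one of those being off by a token. The script below is an added example, not part of the original document: it parses the subset of IOS syntax used on this page from running-config text and reports the mismatches. The R2 snippet is the page's R2 configuration; the R1 snippet is a running-config rendering of the R1 CLI steps above (an assumption, since the page only shows R1 as typed commands), and the "broken" R2 variant is constructed to show what the checker catches.

```python
"""Consistency check for the two sides of an IOS site-to-site IPsec tunnel.

Added example, not part of the original document.  Parses isakmp policy and
key, transform-set, crypto map, extended access-list and interface statements
from two running-config snippets and reports what would stop IKE/IPsec from
negotiating between them.
"""

# IOS classic defaults for attributes a 'crypto isakmp policy' may omit.
POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}


def normalize_transforms(tokens):
    """'esp-aes 128 esp-sha-hmac' and 'esp-aes esp-sha-hmac' are the same set."""
    out = []
    for t in tokens:
        if t.isdigit():
            out[-1] += " " + t      # key size belongs to the preceding transform
        else:
            out.append(t)
    return frozenset("esp-aes 128" if t == "esp-aes" else t for t in out)


def parse_ios(text):
    """Collect the crypto-relevant objects of an IOS configuration."""
    cfg = {"policy": {}, "keys": {}, "tsets": {}, "maps": {}, "acls": {}, "ifaces": {}}
    block = None  # (kind, name) that the following indented lines belong to
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0] == "!":
            continue
        if not raw.startswith(" "):  # top-level statement
            block = None
            if w[:3] == ["crypto", "isakmp", "policy"]:
                block = ("policy", w[3])
                cfg["policy"][w[3]] = dict(POLICY_DEFAULTS)
            elif w[:3] == ["crypto", "isakmp", "key"]:
                key = w[4] if w[3] in ("0", "6") else w[3]   # optional encryption-type token
                cfg["keys"][w[-1]] = key                      # PSK indexed by peer address
            elif w[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg["tsets"][w[3]] = normalize_transforms(w[4:])
            elif w[:2] == ["crypto", "map"]:
                block = ("map", (w[2], w[3]))
                cfg["maps"][block[1]] = {}
            elif w[0] == "access-list":
                cfg["acls"].setdefault(w[1], []).append(tuple(w[2:]))
            elif w[0] == "interface":
                block = ("iface", w[1])
                cfg["ifaces"][w[1]] = {}
        elif block:
            kind, name = block
            if kind == "policy":
                attr = "encr" if w[0] == "encryption" else w[0]
                value = " ".join(w[1:])
                cfg["policy"][name][attr] = "aes 128" if value == "aes" else value
            elif kind == "map":
                cfg["maps"][name][" ".join(w[:2])] = w[2]   # 'set peer', 'match address', ...
            elif kind == "iface" and w[:2] == ["ip", "address"]:
                cfg["ifaces"][name]["ip"] = w[2]
            elif kind == "iface" and w[:2] == ["crypto", "map"]:
                cfg["ifaces"][name]["map"] = w[2]
    return cfg


def mirrored(ace):
    """Swap source and destination of a token-form ACE ('any' is one token, else two)."""
    rest = list(ace[2:])
    n = 1 if rest[0] == "any" else 2
    return (ace[0], ace[1], *rest[n:], *rest[:n])


def check_pair(a_text, b_text):
    """Return a list of mismatch descriptions; an empty list means both sides agree."""
    a, b = parse_ios(a_text), parse_ios(b_text)
    findings = []
    # Phase 1: some policy on each side must agree on these four attributes.
    # Lifetime is deliberately left out: the shorter value is negotiated.
    sig = lambda p: tuple(p[k] for k in ("encr", "hash", "authentication", "group"))
    if not {sig(p) for p in a["policy"].values()} & {sig(p) for p in b["policy"].values()}:
        findings.append("no matching IKE policy (encr/hash/authentication/group)")
    for me, other, label in ((a, b, "A"), (b, a, "B")):
        my_addrs = {i["ip"] for i in me["ifaces"].values() if "map" in i}
        peer_addrs = {i["ip"] for i in other["ifaces"].values() if "map" in i}
        for (name, seq), m in me["maps"].items():
            peer = m.get("set peer")
            if peer not in peer_addrs:
                findings.append(f"{label}: crypto map {name} {seq} peers with {peer}, "
                                "which carries no crypto map on the other side")
            if peer not in me["keys"]:
                findings.append(f"{label}: no isakmp key configured for peer {peer}")
            elif me["keys"][peer] not in {other["keys"].get(ip) for ip in my_addrs}:
                findings.append(f"{label}: PSK for {peer} differs from the other side's key")
    for m in a["maps"].values():
        if a["tsets"].get(m.get("set transform-set")) not in b["tsets"].values():
            findings.append(f"transform set {m.get('set transform-set')} has no equivalent on B")
        b_aces = [ace for mb in b["maps"].values()
                  for ace in b["acls"].get(mb.get("match address"), [])]
        for ace in a["acls"].get(m.get("match address"), []):
            if mirrored(ace) not in b_aces:
                findings.append(f"A's ACE '{' '.join(ace)}' is not mirrored on B")
    return findings


R1_CFG = """\
crypto isakmp policy 10
 encryption aes 128
 hash sha
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key 91lab address 192.168.1.2
!
crypto ipsec transform-set tt esp-aes 128 esp-sha-hmac
!
crypto map cisco 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set tt
 match address 100
!
interface Serial0/0
 ip address 192.168.1.1 255.255.255.252
 crypto map cisco
!
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
"""

R2_CFG = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key 91lab address 192.168.1.1
!
crypto ipsec transform-set tt esp-aes esp-sha-hmac
!
crypto map cisco 10 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set tt
 match address 100
!
interface Serial0/0
 ip address 192.168.1.2 255.255.255.252
 crypto map cisco
!
access-list 100 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
"""

# Constructed faulty R2: wrong DH group, mistyped key, ACL copied from R1 without mirroring.
R2_BROKEN = (R2_CFG.replace(" group 2", " group 5")
             .replace("key 91lab", "key 91Lab")
             .replace("permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255",
                      "permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255"))

if __name__ == "__main__":
    print("R1 vs R2:", check_pair(R1_CFG, R2_CFG) or "consistent")
    print("R1 vs broken R2:", *check_pair(R1_CFG, R2_BROKEN), sep="\n  ")
```

The checker compares token forms rather than semantics, so it flags a transform set written in a different order as different even though IOS would accept it; that is a deliberate simplification, and it does not verify that the crypto ACL is not shadowed by another entry of the same list.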
II. IPsec VPN configuration with aggressive mode and PSK

Aggressive mode completes phase 1 in three messages instead of the six of main mode. The price is that the identities are sent in the clear and the responder's HASH_R, which is keyed by the PSK, is sent unencrypted, so a passive observer who captures one exchange can test candidate PSKs offline until one reproduces that hash; in main mode these hashes are encrypted. Use aggressive mode only where main mode is not possible, and then with a long random PSK rather than a short one like the lab value below.

The configuration is the same as in section I except for step 3.

1. R1 basic configuration:
R1(config)#interface loopback0
R1(config-if)#ip address 10.1.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#interface serial0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.252
R1(config-if)#clock rate 56000
R1(config-if)#no shutdown
R1(config-if)#exit

2. Define the interesting traffic and the routing:
R1(config)#access-list 100 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
R1(config)#ip route 0.0.0.0 0.0.0.0 serial0/0

3. Enable ISAKMP globally and define the peer and its PSK (pre-shared key), using aggressive mode:
R1(config)#crypto isakmp enable
R1(config)#crypto isakmp peer address 192.168.1.2
R1(config-isakmp-peer)#set aggressive-mode client-endpoint ipv4-address 192.168.1.1
R1(config-isakmp-peer)#set aggressive-mode password 91lab

4. Define the IKE policy:
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#encryption aes 128      /--- default is DES ---/
R1(config-isakmp)#hash sha                /--- default is SHA-1 ---/
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2                 /--- default is DH group 1 (768-bit) ---/
R1(config-isakmp)#lifetime 3600           /--- default is 86400 seconds ---/
R1(config-isakmp)#exit

5. Define the IPsec transform set:
R1(config)#crypto ipsec transform-set tt esp-aes 128 esp-sha-hmac
R1(cfg-crypto-trans)#mode tunnel
R1(cfg-crypto-trans)#exit

6. Define the crypto map and apply it to the interface:
R1(config)#crypto map cisco 10 ipsec-isakmp
R1(config-crypto-map)#match address 100
R1(config-crypto-map)#set peer 192.168.1.2        /--- address of the peer this crypto map entry talks to ---/
R1(config-crypto-map)#set transform-set tt        /--- IPsec transform set this crypto map entry uses ---/
R1(config-crypto-map)#exit
R1(config)#interface serial0/0
R1(config-if)#crypto map cisco
*Mar  1 00:08:31.131: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#end
R1#
R1 configuration complete.

Similarly, R2's configuration is as follows:
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp peer address 192.168.1.1
 set aggressive-mode password 91lab
 set aggressive-mode client-endpoint ipv4-address 192.168.1.1
!
crypto ipsec transform-set tt esp-aes esp-sha-hmac
!
crypto map cisco 10 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set tt
 match address 100
!
interface Loopback0
 ip address 10.2.2.1 255.255.255.0
!
interface Serial0/0
 ip address 192.168.1.2 255.255.255.252
 crypto map cisco
!
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
access-list 100 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
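To make the aggressive-mode caveat concrete, here is an added example (not part of the original document) that computes HASH_R exactly as RFC 2409 section 5.4 defines it for pre-shared-key authentication and then recovers the PSK from a wordlist, the way a passive observer would after capturing the two cleartext messages. The prf is HMAC-SHA-1 because the policy above negotiates "hash sha". Every packet field is a constructed sample value, not a capture; the PSK is the page's lab value "91lab" and the responder ID is R2's serial address.

```python
"""Offline PSK recovery from a captured IKEv1 aggressive-mode exchange.

Added example, not part of the original document.  Responder -> Initiator
message 2 carries Nr, g^xr, IDir and HASH_R in the clear, and message 1
carried Ni, g^xi, IDii and the SA payload, so an observer holds every input
to HASH_R except the PSK and can test candidates offline.
"""
import hashlib
import hmac


def prf(key, data):
    """IKEv1 prf when 'hash sha' is negotiated: HMAC-SHA-1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def hash_r(psk, ex):
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b),
    with SKEYID = prf(PSK, Ni_b | Nr_b) for pre-shared-key authentication."""
    skeyid = prf(psk, ex["ni"] + ex["nr"])
    return prf(skeyid, ex["gxr"] + ex["gxi"] + ex["cky_r"] + ex["cky_i"]
               + ex["sai_b"] + ex["idir_b"])


def idir_b(ipv4):
    """ID payload body: type 1 (ID_IPV4_ADDR), protocol 0, port 0, then the address."""
    return bytes([1, 0, 0, 0]) + bytes(int(o) for o in ipv4.split("."))


def constructed_exchange():
    """Deterministic stand-in for the fields read from messages 1 and 2 (constructed)."""
    fill = lambda tag, n: (hashlib.sha256(tag).digest() * 8)[:n]
    return {
        "cky_i": fill(b"CKY-I", 8), "cky_r": fill(b"CKY-R", 8),
        "ni": fill(b"Ni", 20), "nr": fill(b"Nr", 20),
        "gxi": fill(b"g^xi", 128), "gxr": fill(b"g^xr", 128),  # DH group 2 sizes
        "sai_b": fill(b"SAi_b", 48),        # initiator's SA payload body (constructed bytes)
        "idir_b": idir_b("192.168.1.2"),    # R2 identifies itself by its serial address
    }


def recover_psk(observed_hash_r, ex, candidates):
    """Return the first candidate PSK that reproduces the captured HASH_R, or None."""
    for psk in candidates:
        if hmac.compare_digest(hash_r(psk, ex), observed_hash_r):
            return psk
    return None


if __name__ == "__main__":
    ex = constructed_exchange()
    sniffed = hash_r(b"91lab", ex)   # what R2 would put on the wire with the page's PSK
    print(recover_psk(sniffed, ex, [b"cisco", b"cisco123", b"91lab"]))
```

Each guess costs two HMAC-SHA-1 computations and nothing is sent to the routers, so a short or dictionary PSK falls in seconds; the psk-crack program shipped with ike-scan does the same against real captures. A long random PSK makes the search infeasible, and main mode removes the passive exposure because HASH_I and HASH_R are sent encrypted.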
III. Combining a GRE tunnel with IPsec

A GRE tunnel has no security features of its own; it can be secured by combining it with PSK-based IPsec. The GRE packets themselves are what gets encrypted, so the crypto ACL selects GRE between the two tunnel endpoints instead of the LAN prefixes, and the route to the remote LAN must point into the tunnel so that the traffic is encapsulated before the crypto map on serial0/0 sees it. Topology as follows:

1. R1 basic configuration:
R1(config)#interface loopback0
R1(config-if)#ip address 10.1.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#interface serial0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.252
R1(config-if)#clock rate 56000
R1(config-if)#no shutdown
R1(config)#interface tunnel0
R1(config-if)#ip unnumbered serial0/0
R1(config-if)#tunnel source serial0/0
R1(config-if)#tunnel destination 192.168.1.2   /--- R2's serial address, the far end of the tunnel ---/
R1(config-if)#tunnel mode gre ip               /--- can be omitted, GRE is the default ---/
R1(config-if)#no shutdown
R1(config-if)#exit

2. Define the interesting traffic and the routing:
R1(config)#access-list 100 permit gre host 192.168.1.1 host 192.168.1.2
R1(config)#ip route 0.0.0.0 0.0.0.0 serial0/0
R1(config)#ip route 10.2.2.0 255.255.255.0 tunnel0   /--- via the tunnel: the LAN traffic is GRE-encapsulated and then matches ACL 100; a route straight out serial0/0 would bypass the tunnel and send it in cleartext ---/

3. Enable ISAKMP globally and define the peer and its PSK (pre-shared key):
R1(config)#crypto isakmp enable
R1(config)#crypto isakmp key 91lab address 192.168.1.2

4. Define the IKE policy:
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#encryption aes 128      /--- default is DES ---/
R1(config-isakmp)#hash sha                /--- default is SHA-1 ---/
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2                 /--- default is DH group 1 (768-bit) ---/
R1(config-isakmp)#lifetime 3600           /--- default is 86400 seconds ---/
R1(config-isakmp)#exit

5. Define the IPsec transform set:
R1(config)#crypto ipsec transform-set tt esp-aes 128 esp-sha-hmac
R1(cfg-crypto-trans)#mode tunnel
R1(cfg-crypto-trans)#exit

6. Define the crypto map and apply it to the interface:
R1(config)#crypto map cisco 10 ipsec-isakmp
R1(config-crypto-map)#match address 100
R1(config-crypto-map)#set peer 192.168.1.2        /--- address of the peer this crypto map entry talks to ---/
R1(config-crypto-map)#set transform-set tt        /--- IPsec transform set this crypto map entry uses ---/
R1(config-crypto-map)#exit
R1(config)#interface serial0/0
R1(config-if)#crypto map cisco
*Mar  1 00:08:31.131: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#end
R1#
R1 configuration complete.

Similarly, R2's configuration is as follows:
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key 91lab address 192.168.1.1
!
crypto ipsec transform-set tt esp-aes esp-sha-hmac
!
crypto map cisco 10 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set tt
 match address 100
!
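The difference between the crypto ACL of section I and the one of section III is easiest to see by running both against the same packet before and after GRE encapsulation. The model below is an added example, not part of the original document: it evaluates a crypto map's "match address" check the way the router does on serial0/0, against the outer IP header of whatever leaves that interface. ACL lines and addresses are the page's; the packets are constructed samples, and the encapsulation is a simplified model (outer header with protocol 47, no GRE flags or keys).

```python
"""Which packets a crypto ACL selects, before and after GRE encapsulation.

Added example, not part of the original document.  Section I's ACL
('permit ip 10.1.1.0/24 -> 10.2.2.0/24') sees LAN addresses directly;
section III's ACL ('permit gre host 192.168.1.1 host 192.168.1.2') only
matches once tunnel0 has wrapped the LAN packet, which is why the route to
10.2.2.0/24 must point at the tunnel rather than at serial0/0.
"""
from dataclasses import dataclass
import ipaddress

PROTO_NUM = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47}  # None = any protocol


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int                     # IP protocol number of the outer header
    inner: "Packet | None" = None  # encapsulated packet, if any


def gre_encapsulate(pkt, tunnel_src, tunnel_dst):
    """Outer IPv4 header (protocol 47) between the tunnel endpoints."""
    return Packet(tunnel_src, tunnel_dst, PROTO_NUM["gre"], inner=pkt)


def _network(words, i):
    """Consume one ACL address term: 'any', 'host A', or 'A WILDCARD'."""
    if words[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if words[i] == "host":
        return ipaddress.ip_network(words[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(words[i + 1]))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)  # contiguous wildcards only
    return ipaddress.ip_network(f"{words[i]}/{netmask}", strict=False), i + 2


def parse_ace(line):
    """'access-list N permit|deny PROTO SRC DST' -> (action, proto, src_net, dst_net)."""
    w = line.split()
    if w[0] != "access-list" or w[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line}")
    src, i = _network(w, 4)
    dst, _ = _network(w, i)
    return (w[2], PROTO_NUM[w[3]], src, dst)


def selected_for_ipsec(aces, pkt):
    """First matching ACE decides; no match is the implicit deny, i.e. cleartext."""
    for action, proto, src, dst in aces:
        if ((proto is None or proto == pkt.proto)
                and ipaddress.ip_address(pkt.src) in src
                and ipaddress.ip_address(pkt.dst) in dst):
            return action == "permit"
    return False


TUNNEL_MODE_ACL = [parse_ace("access-list 100 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255")]
GRE_ACL = [parse_ace("access-list 100 permit gre host 192.168.1.1 host 192.168.1.2")]

# Constructed sample packets leaving R1.
LAN_PING = Packet("10.1.1.1", "10.2.2.1", PROTO_NUM["icmp"])      # loopback to loopback
INTERNET = Packet("10.1.1.1", "198.51.100.7", PROTO_NUM["tcp"])  # not VPN traffic


def section1_results():
    """Tunnel-mode crypto ACL: LAN-to-LAN is encrypted, other traffic is not."""
    return (selected_for_ipsec(TUNNEL_MODE_ACL, LAN_PING),
            selected_for_ipsec(TUNNEL_MODE_ACL, INTERNET))


def section3_results():
    """GRE crypto ACL: encrypted only if the LAN packet left through tunnel0."""
    via_tunnel = gre_encapsulate(LAN_PING, "192.168.1.1", "192.168.1.2")  # route -> tunnel0
    return (selected_for_ipsec(GRE_ACL, via_tunnel),
            selected_for_ipsec(GRE_ACL, LAN_PING))                         # route -> serial0/0


if __name__ == "__main__":
    print("section I  (LAN, Internet):", section1_results())
    print("section III (via tunnel0, via serial0/0):", section3_results())
```

The second value of section3_results() is the cleartext leak that a route out serial0/0 would cause: the packet reaches the crypto map with its LAN addresses and protocol 1, matches nothing in a GRE-only ACL, and is forwarded unprotected. Conversely, anything that enters tunnel0, including traffic that never appeared in a LAN-prefix ACL, is protected, which is what makes GRE over IPsec convenient for routing protocols.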