VPN Security Lab Collection (Word file download).docx
1. A route to the peer's encryption point, 202.101.53.0 (from r1's point of view)
2. A route to the destination of the interesting traffic (i.e. the peer's communication point), 192.168.3.0/24 (from r1's point of view)
| s: 218.87.15.1 d: 202.101.53.3 | esp | s: 192.168.1.1 d: 192.168.3.1 | payload | esp-trailer |
r1:
en
conf t
host r1
no ip routing
ip routing
no ip domain-lookup
line con 0
logg sy
exit
defa int s0
defa int s1
defa int e0
no
int loop0
int loop0
ip add 192.168.1.1 255.255.255.0
int s0
ip add 218.87.15.1 255.255.255.0
no sh
ip route 202.101.53.0 255.255.255.0 218.87.15.5
end
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 202.101.53.3
crypto ipsec transform-set ts esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
set peer 202.101.53.3
set transform-set ts
match address myvpn
interface Serial0
ip address 218.87.15.1 255.255.255.0
crypto map mymap
ip access-list extended myvpn
permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
r5:
host r5
defa int s0/0
defa int s0/1
defa int s0/2
defa int s0/3
defa int e0/0
int s0/1
ip add 218.87.15.5 255.255.255.0
clock r 64000
int s0/3
ip add 202.101.53.5 255.255.255.0
r3:
host r3
ip add 192.168.3.1 255.255.255.0
ip add 202.101.53.3 255.255.255.0
ip route 218.87.15.0 255.255.255.0 202.101.53.5
crypto isakmp policy 20
crypto isakmp key cisco address 218.87.15.1
crypto ipsec transform-set myts esp-des esp-md5-hmac
set peer 218.87.15.1
set transform-set myts
match address vpn
ip address 202.101.53.3 255.255.255.0
ip access-list extended vpn
permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
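The r1 and r3 statements above only work if they agree with each other: the set peer must be the other side's crypto-map interface, the pre-shared key must be bound to that peer, the transform sets must match, and the crypto ACLs must be mirror images. The following Python is an added example, not part of the lab; it builds constructed copies of the two configurations (spacing restored) and checks those four points with hypothetical helpers parse() and check_pair().

```python
import re

# Constructed from the lab's r1 and r3 snippets (spacing restored), trimmed to the statements the two peers must agree on.
R1 = """crypto isakmp key cisco address 202.101.53.3
crypto ipsec transform-set ts esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 202.101.53.3
 set transform-set ts
interface Serial0
 ip address 218.87.15.1 255.255.255.0
 crypto map mymap
ip access-list extended myvpn
 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255"""
R3 = """crypto isakmp key cisco address 218.87.15.1
crypto ipsec transform-set myts esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 218.87.15.1
 set transform-set myts
interface Serial0
 ip address 202.101.53.3 255.255.255.0
 crypto map mymap
ip access-list extended vpn
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255"""

def parse(cfg):
    """Extract what must agree with the peer: key address, peer, transform set, crypto-map interface IP, crypto ACL."""
    f, xsets, cur_ip = {"acl": []}, {}, None
    for line in cfg.splitlines():
        s = line.strip()
        if m := re.match(r"crypto isakmp key \S+ address (\S+)", s): f["key"] = m[1]
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", s): xsets[m[1]] = frozenset(m[2].split())
        elif m := re.match(r"set peer (\S+)", s): f["peer"] = m[1]
        elif m := re.match(r"set transform-set (\S+)", s): f["xset"] = xsets.get(m[1])  # None if never defined
        elif m := re.match(r"ip address (\S+) \S+", s): cur_ip = m[1]
        elif s.startswith("crypto map ") and line.startswith(" "): f["ip"] = cur_ip  # map bound to this interface
        elif m := re.match(r"permit ip (\S+ \S+) (\S+ \S+)", s): f["acl"].append((m[1], m[2]))
    return f

def check_pair(local, remote):
    """Return the mismatches that would keep the tunnel from negotiating or passing traffic (empty = consistent)."""
    a, b = parse(local), parse(remote)
    problems = []
    if a.get("peer") != b.get("ip"):
        problems.append(f"set peer {a.get('peer')} is not the remote crypto-map interface {b.get('ip')}")
    if a.get("key") != a.get("peer"):
        problems.append(f"pre-shared key bound to {a.get('key')}, not to peer {a.get('peer')}")
    if not a.get("xset") or a["xset"] != b.get("xset"):
        problems.append("transform sets differ (phase 2 proposal mismatch)")
    if [(d, s) for s, d in a["acl"]] != b["acl"]:  # remote ACL must be the local one with src/dst swapped
        problems.append("crypto ACLs are not mirror images")
    return problems
```

Run check_pair in both directions (r1 against r3 and r3 against r1), since each side's set peer is checked against the other side's interface.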
=======================================================================================================
Lab 2:
ISAKMP Profile VPN
ISAKMP Profile (extended study), IOS: 12.3 (12.245T before the upgrade);
Suited to a headquarters building VPNs with branches that have different requirements: for example, HQ r1 needs an L2L VPN with branch 1 (r3), while r1 also needs a dial-up VPN with another branch (r4), and may need a DMVPN with yet another branch (r6):
step1:
Routing:
ip route 0.0.0.0 0.0.0.0 218.87.15.5
ip route 0.0.0.0 0.0.0.0 202.101.53.5
step2:
ISAKMP policy:
crypto isakmp policy 10
hash md5
authentication pre-share
crypto keyring cisco
pre-shared-key address 202.101.53.3 key 0 cisco
crypto isakmp profile cisco
match identity address 202.101.53.3
keyring cisco
pre-shared-key address 218.87.15.1 key 0 cisco
match identity address 218.87.15.1
step3:
IPSec policy:
crypto ipsec transform-set ts esp-des esp-md5-hmac
step4:
Interesting traffic:
step5:
Define and apply the crypto map
set isakmp-profile cisco
crypto map mymap
-----------
Result on the Security VPN simulator:
defa int s1/0
defa int s1/1
int s1/0
ip route 192.168.3.0 255.255.255.0 218.87.15.5
crypto keyring cisco
crypto isakmp profile cisco
interface Serial1/0
r2(r5):
defa int s1/2
defa int s1/3
int s1/1
ip route 192.168.1.0 255.255.255.0 202.101.53.5
interface Serial1/1
---------------
GRE OVER IPSEC ------- L2L
==========================================================================================================
Lab 3:
IPSec Profile VPN
IPSec Profile (extended study), IOS: 12.4;
Suited to VPN sites that need to run a dynamic routing protocol between them
crypto ipsec profile ipspro
set transform-set ts
exit
int tunnel0
tunnel mode ipsec ipv4
ip add 192.168.13.1 255.255.255.0
tunnel source s0
tunnel destination 202.101.53.3
tunnel protection ipsec profile ipspro
set transform-set cisco
ip add 192.168.13.3 255.255.255.0
tunnel destination 218.87.15.1
-----------------------------------------------------------------------------------------------------
How a crypto map handles inbound ciphertext or plaintext traffic:
====================================================================================
Interesting traffic? | Encrypted? | Crypto map present? | Action
N/A | Yes | Yes | Decrypt
No | drop
No | forward
Decrypt
--- e.g. r1 sends packets out s0 (which has the map) to r3's s0, and r3 replies out s1 (which has the map) to r1's s1
It is recommended to enable the crypto map on every interface, because an interface with a crypto map has no effect on traffic that does not match the configured interesting traffic.
Lab 4:
Dynamic VPN
Dynamic VPN is suited to cases where the central site's IP is fixed but the branch offices' VPN IP addresses are not (if everything is Cisco equipment, EZVPN is recommended; if the branch offices use non-Cisco equipment, this method is recommended). The branch office configuration is the same as the L2L branch office configuration in Lab 1; the central site configuration differs as follows:
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto dynamic-map dmap 10
match add vpn --------------------------- this line can be omitted
crypto map smap 10 ipsec-isakmp dynamic dmap
crypto map smap
------------------------------------ With this method the branch must initiate the traffic; the central site builds the VPN passively.
Dynamic VPN is not secure
-------------------------------------------------------------------------------------------------------------------
Lab 5:
IPSec over GRE (extended study)
This method is seldom used in practice; it is covered here to help you understand how a packet is processed before the router encrypts it, and how it hits the crypto map.
GRE is on the outside.
This lab solves the dynamic routing problem that VPN originally could not solve, but the IOS 12.4 approach is better (see Lab 3 above).
GRE notes:
1. The tunnel comes up as long as there is a route to the destination address; that does not mean the address can actually be pinged;
2. When advertising dynamic routes you may advertise the tunnel, or the internal network behind the tunnel such as a loopback interface, but never the tunnel source interface, otherwise