IPSec L2L VPN configuration lab

Lab topology

Lab requirement: configure the most traditional IPSec L2L (LAN-to-LAN) VPN and analyze the process.

Analysis: the topology is shown above. Site1 and Site2 already have public-IP reachability to each other, and each has a private network behind it, 1.1.1.0/24 and 2.2.2.0/24. Because the Internet router has no routes for those private networks, the two private networks cannot communicate. The task is to connect them with an IPSec VPN.

Preparation: Site1 and Site2 must be reachable over the public network. Their IP configuration is as follows:

Site1#show ip int brief
Interface    IP-Address   OK? Method Status                Protocol
Serial0/0    202.100.1.1  YES NVRAM  up                    up       / public interface IP
Serial0/1    unassigned   YES NVRAM  administratively down down
Serial0/2    unassigned   YES NVRAM  administratively down down
Serial0/3    unassigned   YES NVRAM  administratively down down
Loopback0    1.1.1.1      YES NVRAM  up                    up       / private network behind the site

Site2#show ip int brief
Interface    IP-Address   OK? Method Status                Protocol
Serial0/0    unassigned   YES NVRAM  up                    down
Serial0/1    61.128.1.1   YES NVRAM  up                    up       / public interface IP
Serial0/2    unassigned   YES NVRAM  administratively down down
Serial0/3    unassigned   YES NVRAM  administratively down down
Loopback0    2.2.2.2      YES NVRAM  up                    up       / private network behind the site

Internet#show ip int brief
Interface    IP-Address    OK? Method Status                Protocol
Serial0/0    202.100.1.10  YES NVRAM  up                    up
Serial0/1    61.128.1.10   YES NVRAM  up                    up
Serial0/2    unassigned    YES NVRAM  administratively down down
Serial0/3    unassigned    YES NVRAM  administratively down down

Note: Site1 must have routes to both Site2's encryption point (the crypto peer) and its communication point (the protected private network). Never leave out the route to the communication point, or the VPN will definitely not work. The reason is that when traffic hits the static crypto map and matches the interesting traffic it is encrypted, but the router then performs a second route lookup, and that lookup is precisely for the communication-point route. The same applies to Site2. I configured a default route here; specific routes work just as well.

Site1(config)#ip route 0.0.0.0 0.0.0.0 202.100.1.10
Site2(config)#ip route 0.0.0.0 0.0.0.0 61.128.1.10

Note: my personal understanding of IPSec VPN is that it is an extension of routing. Before building an IPSec VPN, the routing problem must be solved first.

Test: the two encryption points can reach each other:

Site1#ping 61.128.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 61.128.1.1, timeout is 2 seconds:
!

At this point the two communication points are certainly unreachable. (Someone may say: why not just add the private-network routes on the Internet router? Every time I hear that I want to laugh.)

Site1#ping 2.2.2.2 sou loo 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.

Now start configuring the IPSec VPN:

Site1(config)#crypto isakmp policy 10
Site1(config-isakmp)#authentication pre-share
Site1(config-isakmp)#hash md5
Site1(config-isakmp)#encryption 3des
Site1(config-isakmp)#group 2

Note: the one thing that must be configured is the authentication method, because the default is rsa-encr (certificate authentication). There is no CA server here, so that cannot be done, and the authentication method must be changed to pre-share (pre-shared key). Everything else may inherit the system defaults. All settings under the policy must be identical on both sites, although the policy IDs may differ. This is the phase 1 policy.

Site1(config)#crypto isakmp key 6 cisco address 61.128.1.1

Note: this configures the pre-shared secret for the phase 1 ISAKMP SA; the secret is "cisco". Only if both sites' pre-shared secrets are identical can the phase 2 IPSec SA proceed.

Site1(config)#ip access-list extended VPN-ACL
Site1(config-ext-nacl)#per ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255

Note: this configures the interesting traffic; only traffic matched by it is encrypted. On Site1 that is naturally the traffic from 1.1.1.0/24 to 2.2.2.0/24.

Site1(config)#crypto ipsec transform-set VPN-TR esp-des esp-md5-hmac
Site1(cfg-crypto-trans)#mode ?
  transport  transport (payload encapsulation) mode
  tunnel     tunnel (datagram encapsulation) mode

Note: this configures the phase 2 IPSec SA policy, also called the transform set: ESP encapsulation with DES encryption, and ESP encapsulation with MD5 as the HMAC. The phase 2 policy must match on both sites. The ESP encapsulation mode can be set here; the default is tunnel.

Site1(config)#crypto map VPN-MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
Site1(config-crypto-map)#mat address VPN-ACL
Site1(config-crypto-map)#set peer 61.128.1.1
Site1(config-crypto-map)#set transform-set VPN-TR

Note: this is a static crypto map. It is the most traditional IPSec L2L VPN configuration, and also not a very good one. The so-called advanced IPSec VPN configurations differ mainly at this point: a dynamic map can be used, with the static map referencing the dynamic map; or, more advanced still, an isakmp profile combined with an ipsec profile. For now this is only the simplest configuration, and the advanced ones are left aside. A static map must configure the peer, match the interesting traffic, and set the transform set.

Site1(config-if)#crypto map VPN-MAP
*Jun 3 14:41:42.155: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Note: remember one thing: a static map is always applied to the public interface. When you see "ISAKMP is ON", you have it right. Site2's configuration is essentially the same; just note that the interesting traffic must be reversed.

Site1#ping 2.2.2.2 sou loo 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!
Success rate is 80 percent (4/5), round-trip min/avg/max = 24/26/28 ms

Note: the long-awaited final result is here; the two private networks finally communicate. Now some information can be shown:

Site1#show crypto engine conn active
Crypto Engine Connections

   ID Type    Algorithm   Encrypt  Decrypt IP-Address
    1 IPsec   DES+MD5           0        4 202.100.1.1
    2 IPsec   DES+MD5           4        0 202.
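As an added example (not part of the original tutorial), a small Python lint for a configuration of exactly this shape, run before it is deployed: it flags the MD5, 3DES, DES and DH group 2 choices used above, confirms that the static crypto map carries all three required statements (match address, set peer, set transform-set), and verifies that the two sites' interesting-traffic ACLs are mirror images. Site1's text is the tutorial's commands; Site2's text is a hypothetical mirror constructed for the example.

```python
# Constructed sample: Site1's commands as typed in the tutorial; Site2 is a hypothetical
# mirror image written for this example (not taken from the page).
SITE1 = """\
crypto isakmp policy 10
 authentication pre-share
 hash md5
 encryption 3des
 group 2
ip access-list extended VPN-ACL
 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
crypto ipsec transform-set VPN-TR esp-des esp-md5-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 match address VPN-ACL
 set peer 61.128.1.1
 set transform-set VPN-TR
"""
SITE2 = (SITE1.replace("1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255", "2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255")
              .replace("61.128.1.1", "202.100.1.1"))

WEAK = {"md5", "des", "3des", "esp-des", "esp-3des", "esp-md5-hmac"}  # should no longer be negotiated
REQUIRED_MAP_LINES = ("match address", "set peer", "set transform-set")

def audit(cfg):
    """Return a list of findings for one router's config (empty means clean)."""
    findings, in_map, seen = [], None, set()
    for line in [l for l in cfg.splitlines() if l.strip()] + ["end"]:  # sentinel closes the last sub-mode
        t = line.split()
        if not line.startswith(" "):  # top-level command: we are leaving any sub-mode
            if in_map:
                findings += [f"crypto map {in_map}: missing '{r}'" for r in REQUIRED_MAP_LINES if r not in seen]
                in_map = None
            if line.startswith("crypto map") and "ipsec-isakmp" in t:
                in_map, seen = t[2], set()
        elif in_map:
            seen.update(r for r in REQUIRED_MAP_LINES if line.strip().startswith(r))
        # ISAKMP policy lines and transform sets carry the algorithm keywords.
        findings += [f"weak algorithm '{w}' in: {line.strip()}" for w in WEAK & set(t)]
        if t[:2] == ["group", "2"]:
            findings.append("weak DH group 2 in ISAKMP policy")
    return findings

def interesting_traffic(cfg):
    """(src, src_wildcard, dst, dst_wildcard) of every 'permit ip' line in the config."""
    return [tuple(l.split()[2:6]) for l in cfg.splitlines() if l.strip().startswith("permit ip")]

def acls_mirror(cfg_a, cfg_b):
    """Site B's interesting traffic must be Site A's with source and destination swapped."""
    swapped = [(d, dw, s, sw) for s, sw, d, dw in interesting_traffic(cfg_a)]
    return sorted(swapped) == sorted(interesting_traffic(cfg_b))
```

Running audit(SITE1) reports five findings (MD5, 3DES, ESP-DES, ESP-MD5-HMAC and DH group 2) and no missing crypto map statements; deleting the set peer line produces a "missing 'set peer'" finding, which is exactly the condition behind the "crypto map will remain disabled" message above.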