全系列VPN技术集锦第二卷第3章(Site-to-SiteIPsecVPN)

全系列VPN技术集锦第二卷第3章(Site-to-SiteIPsecVPN)作者：论坛整理zdnet网络安全CNETNews.com.cn2008-01-1913:29:21关键词：安全防护防火墙VPN例子:配置TED-Initiator路由器:TED-Initiator#showrunning-configBuildingconfiguration...Currentconfiguration:version12.0servicetimestampsdebuguptimeservicetimestampsloguptimehostnameTED-Initiatorenablesecret5removedenablepasswordremovedipsubnet-zerocryptoisakmppolicy10authenticationpre-shareOneoftheissueswithusingapresharedkeywithTEDistheneedtouseawildcardpresharedkeybecausethepeersaddressisnotknownbeforehand.Aresolutiontothisistousedigitalcertificate-baseddigitalsignaturesastheauthenticationmethod.cryptoisakmpkeyabc123address0.0.0.0cryptoipsectransform-setted-transformsesp-desesp-md5-hmacNotethatnopeeraddresshasbeenconfiguredinthecryptomapbelow.cryptodynamic-mapted-map10settransform-setted-transformsmatchaddress101ThekeyworddiscoverinthecryptomapbelowtriggerstheuseofTEDcryptomaptedtag10ipsec-isakmpdynamicted-mapdiscoverinterfaceEthernet0/0ipaddress13.13.13.13255.255.255.0noipdirected-broadcastnomopenabledinterfaceEthernet0/1ipaddress11.11.11.1255.255.255.0cryptomaptedtagipclasslessiproute0.0.0.00.0.0.011.11.11.2noiphttpserveraccess-list101permitip13.13.13.00.0.0.25512.12.12.00.0.0.255access-list101permiticmp13.13.13.00.0.0.25512.12.12.00.0.0.255linecon0transportinputnonelineaux0linevty04passwordwwloginend配置TED-Responder路由器:TED-Responder#showrunning-configBuildingconfiguration...Currentconfiguration:version12.0servicetimestampsdebuguptimeservicetimestampsloguptimehostnameTED-Responderenablesecret5removedenablepasswordremovedcryptoisakmppolicy10authenticationpre-sharecryptoisakmpkeyabc123address0.0.0.0cryptoipsectransform-setted-transformsesp-desesp-md5-hmaccryptodynamic-mapted-map10settransform-setted-transformsmatchaddress101cryptomaptedtag10ipsec-isakmpdynamicted-mapdiscoverinterfaceEthernet0/0ipaddress12.12.12.12255.255.255.0noipdirected-broadcastnomopenabledinterfaceEthernet0/1ipaddress11.11.11.2255.255.255.0cryptomaptedtagipclasslessiproute0.0.0.00.0.0.011.11.11.1noiphttpserveraccess-list101permitip12.12.12.00.0.0.25513.13.13.00.0.0.255access-list101permiticmp12.12.12.00.0.0.25513.13.13.00.0.0.255linecon0transportinputnonelineaux0linevty04passwordwwloginnoschedulerallocateend在TED-Initiator路由器中的debug:TED-Initiator#showdebugCryptographicSubsystem:CryptoISAKMPdebuggingisonCryptoEnginedebuggingisonCryptoIPSECdebuggingisonTED-Initiator#TheTEDprocesshasstarted.TheproxyIDsareshowninthemessagebelow.01:33:56:IPSEC(tunneldiscoverrequest):,(keyeng.msg.)src=13.13.13.14,dest=12.12.12.13,src_proxy=13.13.13.0/255.255.255.0/0/0(type=4),dest_proxy=11.11.11.1/255.255.255.255/0/0(type=1),protocol=ESP,transform=esp-desesp-md5-hmac,lifedur=3600sand4608000kb,spi=0x0(0),conn_id=0,keysize=0,flags=0x404401:33:56:GOTAPEERDISCOVERYMESSAGEFROMTHESAMANAGER!!!01:33:56:src=13.13.13.14to12.12.12.13,protocol3,transform2,hmac1TheTEDprocessbelowdetermineswhichaddressisthesourceaddressintheTEDpacketandwhichaddressesaretheproxyIDs.01:33:56:proxysourceis13.13.13.0/255.255.255.0andmyaddress(notusednow)is11.11.11.101:33:56:ISAKMP(1):IDpayloadnext-payload:5type:1protocol:17port:500length:801:33:56:ISAKMP(1):Totalpayloadlength:12TheinitiatordeterminesbelowthatthefirstIDpayloadwillbeitsownIPaddress,11.11.11.1,andthesecondpayloadcontainsitssourceIPsecproxy:13.13.13.0/2401:33:56:1stIDis11.11.11.101:33:56:2ndIDis13.13.13.0/255.255.255.001:33:56:ISAKMP(0:1):beginningpeerdiscoveryexchangeTheTEDprobeisbeingsenttothedestinationIPaddressfoundintheoriginalpacketthatwasreceivedontheinitiatorandthatmatchedtheIPsecinterestingtrafficaccesslist.01:33:56:ISAKMP(1):sendingpacketto12.12.12.13(I)PEER_DISCOVERYThepeerhasbeendiscoveredtobe12.12.12.13,anditrespondsasshownbelow01:33:56:ISAKMP(1):receivedpacketfrom12.12.12.13(I)PEER_DISCOVERYUponprocessingthevendorIDpayload,theinitiatorascertainsthattheresponderdoesindeedunderstandwhatwassenttoit.01:33:56:ISAKMP(0:1):processingvendoridpayload01:33:56:ISAKMP(0:1):speakingtoanotherIOSbox!01:33:56:ISAKMP(0:1):processingIDpayload.messageID=0TherespondersIPaddressisencodedintheIDpayload.Itisequalto11.11.11.201:33:56:ISAKMP(0:1):processingIDpayload.messageID=1168952014UponlookingattheIDpayloadsentbytheresponder,theinitiatorfindsthattherespondersproxyIDindeedmatchestheproxyconfiguredonitself.01:33:56:ISAKMP(1):ID_IPV4_ADDR_SUBNETdst12.12.12.0/255.255.255.0prot0port001:33:56:ISAKMP(1):receivedresponsetomypeerdiscoveryprobe!NormalIKEprocessingstartsatthispointtotheIPaddressdiscoveredthroughTED01:33:56ISAKMP:initiatingIKEto11.11.11.2inresponsetoprobe.01:33:56:ISAKMP(2):sendingpacketto11.11.11.2(I)MM_NO_STATE01:33:56:ISAKMP(0:1):deletingSA01:33:56:ISAKMP(2):receivedpacketfrom11.11.11.2(I)MM_NO_STATE01:33:56:ISAKMP(0:2):processingSApayload.messageID=001:33:56:ISAKMP(0:2):CheckingISAKMPtransform1againstpriority10policy01:33:56:ISAKMP:encryptionDES-CBC01:33:56:ISAKMP:hashSHA01:33:56:ISAKMP:defaultgroup101:33:56:ISAKMP:authpre-share01:33:56:ISAKMP(0:2):attsareacceptable.Nextpayloadis001:33:56:CryptoEngine0:generatealgparameter01:33:56