cisco-ipsec-vpn-实验

实验二：ipsecsite-to-siteVPN配置环境：两台路由器串口相连，接口配置如图要求：用两个LOOP口模拟VPN感兴趣流来建立IPSECVPN,IKE1阶段用预共享密钥，IKE2阶段哈希算法用sha,加密算法用DES.步骤一：接口基本配置，并测试连通性R1(config)#ints0R1(config-if)#ipadd10.1.1.1255.255.255.0R1(config-if)#clockrate64000R1(config-if)#noshR1(config)#intloop0R1(config-if)#ipadd1.1.1.1255.255.255.0R2(config)#ints1R2(config-if)#ipadd10.1.1.2255.255.255.0R2(config-if)#noshR2(config)#intloop0R2(config-if)#ipadd1.1.2.1255.255.255.0R1#ping10.1.1.2测试连通性，再做IPSEC!!!!!Successrateis100percent(5/5),round-tripmin/avg/max=28/31/32msR2#ping10.1.1.1!!!!!Successrateis100percent(5/5),round-tripmin/avg/max=32/32/32ms配置二：配置IKE1和IKE2两个阶段，并应用到接口R1(config)#cryptoisakmppolicy10IKE1阶段策略R1(config-isakmp)#authenpre-share将验证修改为预共享R1(config)#cryptoisakmpkeyciscoaddress10.1.1.2定义预共享密钥R1(config)#cryptoipsectransformmysetesp-sha-hmacesp-des定义2阶段的转换集R1(config)#access-list100permitip1.1.1.00.0.0.2551.1.2.00.0.0.255定义加密感兴趣流R1(config)#cryptomapmymap10ipsec-isakmp定义2阶段加密图%NOTE:Thisnewcryptomapwillremaindisableduntilapeerandavalidaccesslisthavebeenconfigured.R1(config-crypto-map)#matchaddress100将列表应用到加密图R1(config-crypto-map)#setpeer10.1.1.2指定对等体R1(config-crypto-map)#settransform-setmyset将转换集映射到加密图R1(config)#ints0R1(config-if)#cryptomapmymap将加密图应用到接口R1(config)#iproute1.1.2.0255.255.255.020.1.1.2指定隧道感兴趣流的路由走向R2(config)#cryptoisakmppolicy10R2与R1端策略要匹配R2(config-isakmp)#authenticationpre-shareR2(config-isakmp)#exitR2(config)#cryptoisakmpkeyciscoaddress10.1.1.1密钥一致，地址相互指R2(config)#cryptoipsectransform-setmysetesp-desesp-sha-hmacR2(cfg-crypto-trans)#exit两端必须匹配，默认即为tunnel模式R2(config)#access-list102permitip1.1.2.00.0.0.2551.1.1.00.0.0.255感兴趣流，两端互指R2(config)#cryptomapmymap10ipsec-isakmp加密图%NOTE:Thisnewcryptomapwillremaindisableduntilapeerandavalidaccesslisthavebeenconfigured.R2(config-crypto-map)#setpeer10.1.1.1对端的物理地址R2(config-crypto-map)#settransform-setmysetR2(config-crypto-map)#matchaddress102R2(config-crypto-map)#exitR2(config)#iproute1.1.1.0255.255.255.010.1.1.1加密图感兴趣流的路由R2(config)#ints1R2(config-if)#cryptomapmymap加密映射应用到接口下步骤三：测试流是否加密，直接用接口ping出R1#ping1.1.2.1!!!!!Successrateis100percent(5/5),round-tripmin/avg/max=32/33/36msR2#ping1.1.1.1!!!!!Successrateis100percent(5/5),round-tripmin/avg/max=32/33/36ms分别在R1和R2上查看两个阶段的关联R1#showcryptoisakmpsa没有任何关联dstsrcstateconn-idslotR2#showcryptoisakmpsadstsrcstateconn-idslotR1#showcryptoipsecsa没有任何加密包，关联也没有建立interface:Serial0Cryptomaptag:mymap,localaddr.10.1.1.1localident(addr/mask/prot/port):(1.1.1.0/255.255.255.0/0/0)remoteident(addr/mask/prot/port):(1.1.2.0/255.255.255.0/0/0)current_peer:10.1.1.2PERMIT,flags={origin_is_acl,}#pktsencaps:0,#pktsencrypt:0,#pktsdigest0#pktsdecaps:0,#pktsdecrypt:0,#pktsverify0#pktscompressed:0,#pktsdecompressed:0#pktsnotcompressed:0,#pktscompr.failed:0,#pktsdecompressfailed:0#senderrors0,#recverrors0localcryptoendpt.:10.1.1.1,remotecryptoendpt.:10.1.1.2pathmtu1500,mediamtu1500currentoutboundspi:0inboundespsas:inboundahsas:inboundpcpsas:outboundespsas:outboundahsas:outboundpcpsas:R2#showcryptoipsecsainterface:Serial1Cryptomaptag:mymap,localaddr.10.1.1.2localident(addr/mask/prot/port):(1.1.2.0/255.255.255.0/0/0)remoteident(addr/mask/prot/port):(1.1.1.0/255.255.255.0/0/0)current_peer:10.1.1.1PERMIT,flags={origin_is_acl,}#pktsencaps:0,#pktsencrypt:0,#pktsdigest0#pktsdecaps:0,#pktsdecrypt:0,#pktsverify0#pktscompressed:0,#pktsdecompressed:0#pktsnotcompressed:0,#pktscompr.failed:0,#pktsdecompressfailed:0#senderrors0,#recverrors0localcryptoendpt.:10.1.1.2,remotecryptoendpt.:10.1.1.1pathmtu1500,mediamtu1500currentoutboundspi:0inboundespsas:inboundahsas:inboundpcpsas:outboundespsas:outboundahsas:outboundpcpsas:步骤四：用扩展ping来触发感兴趣流量R1#pingipTargetIPaddress:1.1.2.1Repeatcount[5]:10将包调为10个，否则一个ping看不到效果Extendedcommands[n]:ySourceaddressorinterface:1.1.1.1Sending10,100-byteICMPEchosto1.1.2.1,timeoutis2seconds:....!!!!!!已经触发了感兴趣流，并且ping通Successrateis60percent(6/10),round-tripmin/avg/max=84/84/84ms步骤五：再次查看两个阶段的关联，以及加密情况R1#showcryptoisasaIKE1阶段关联已建立为快速模式dstsrcstateconn-idslot10.1.1.210.1.1.1QM_IDLE10R1#showcryptoipsecsaIKE2阶段关联建立，并加密了流量，隧道也已成功建立interface:Serial0Cryptomaptag:mymap,localaddr.10.1.1.1localident(addr/mask/prot/port):(1.1.1.0/255.255.255.0/0/0)remoteident(addr/mask/prot/port):(1.1.2.0/255.255.255.0/0/0)current_peer:10.1.1.2PERMIT,flags={origin_is_acl,}#pktsencaps:6,#pktsencrypt:6,#pktsdigest6#pktsdecaps:6,#pktsdecrypt:6,#pktsverify6#pktscompressed:0,#pktsdecompressed:0#pktsnotcompressed:0,#pktscompr.failed:0,#pktsdecompressfailed:0#senderrors14,#recverrors0localcryptoendpt.:10.1.1.1,remotecryptoendpt.:10.1.1.2pathmtu1500,mediamtu1500currentoutboundspi:84AEB2E6inboundespsas:spi:0x1E44AB1D(507816733)transform:esp-desesp-sha-hmac,inusesettings={Tunnel,}slot:0,connid:2000,flow_id:1,cryptomap:mymapsatiming:remainingkeylifetime(k/sec):(4607999/3520)IVsize:8bytesreplaydetectionsupport:Yinboundahsas:inboundpcpsas:outboundespsas:spi:0x84AEB2E6(2226041574)transform:esp-desesp-sha-hmac,inusesettings={Tunnel,}slot:0,connid:2001,flow_id:2,cryptomap:mymapsatiming:remainingkeylifetim