IPsec is the protocol suite used to encrypt data in transit
1. Build the lab topology
Topology (shown as a diagram on the original page): R1 and R2 are connected back to back over f0/0, 172.16.50.1 on R1 and 172.16.50.2 on R2; 1.1.1.1 is the protected address on R1's side and 2.2.2.2 the protected address on R2's side, as used in the configuration below.
2. Configure phase 1: ISAKMP negotiation
Phase 1 needs the encryption algorithm, hash (integrity) algorithm, authentication method and pre-shared key for the ISAKMP negotiation, plus the optional Diffie-Hellman group and SA lifetime.
R1 configuration:
R1(config)#crypto isakmp policy 1   define ISAKMP policy 1
R1(config-isakmp)#encryption 3des   encryption algorithm 3DES
R1(config-isakmp)#hash md5   hash (integrity) algorithm MD5
R1(config-isakmp)#authentication pre-share   authenticate with a pre-shared key
R1(config-isakmp)#group 5   Diffie-Hellman group 5
R1(config-isakmp)#lifetime 120   ISAKMP SA lifetime in seconds
R1(config)#crypto isakmp key 0 ruijie address 172.16.50.2   pre-shared key "ruijie" for peer 172.16.50.2; the 0 means the key is entered in cleartext
Note: 3DES, MD5 and DH group 5 are legacy choices kept here for the lab; on production gear prefer AES, SHA-256 and DH group 14 or higher. A lifetime of 120 seconds forces a phase 1 rekey every two minutes (the IOS default is 86400 seconds), which is handy for watching negotiations in a lab but not something to deploy.
R2 configuration:
R2's ISAKMP policy is identical to R1's: the encryption algorithm, hash, authentication method and group must match on both sides or the proposal is rejected. Only the peer address in the key statement changes:
R2(config)#crypto isakmp key 0 ruijie address 172.16.50.1   pre-shared key "ruijie" for peer 172.16.50.1
3. Phase 2: IPsec configuration
R1 configuration:
Define the protection policy for the IP traffic: ESP or AH, encryption algorithm, integrity algorithm, transport or tunnel mode; then define the traffic IPsec must protect, the "interesting traffic".
R1(config)#crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac   transform set named IPSEC: ESP with 3DES encryption and HMAC-SHA-1 integrity
R1(cfg-crypto-trans)#mode tunnel   tunnel mode (the default; transport mode would leave the original IP header unencrypted)
R1(config)#access-list 100 permit ip host 1.1.1.1 host 2.2.2.2   the traffic to protect, i.e. the interesting traffic
R2 configuration:
The transform set is identical to R1's. The ACL must be the mirror image of R1's (source and destination swapped), otherwise the proxy identities will not match during quick mode:
R2(config)#access-list 100 permit ip host 2.2.2.2 host 1.1.1.1   the traffic to protect, i.e. the interesting traffic
4. Define the crypto map
The crypto map binds the IPsec peer (the other endpoint), the phase 2 transform set and the interesting-traffic ACL into one policy.
R1 configuration:
R1(config)#crypto map MAP 1 ipsec-isakmp   define crypto map MAP, sequence 1, keyed by ISAKMP
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#set peer 172.16.50.2   IP address of the peer
R1(config-crypto-map)#set transform-set IPSEC   use the phase 2 transform set
R1(config-crypto-map)#match address 100   match the interesting traffic
R2 configuration:
Identical to R1's except for the peer address:
R2(config-crypto-map)#set peer 172.16.50.1   IP address of the peer
5. Apply the crypto map to the interface
The map only acts on traffic that passes through the interface it is applied to, so the protected traffic needs a route that sends it out through that interface toward the peer.
R1 configuration:
R1(config)#ip route 2.2.2.2 255.255.255.255 172.16.50.2
R1(config)#int f0/0
R1(config-if)#crypto map MAP
R2 configuration:
R2(config)#ip route 1.1.1.1 255.255.255.255 172.16.50.1
R2(config)#int f0/0
R2(config-if)#crypto map MAP
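The R1 configuration above uses 3DES, MD5, DH group 5, a 120-second lifetime and a cleartext (key 0) pre-shared key. What follows is an added example, not code from the original page: a small audit script for Cisco-IOS-style IPsec configurations that flags exactly those settings and also catches a crypto map that references a transform set or ACL that was never defined. The thresholds (DH group 14 minimum, 3600-second minimum ISAKMP lifetime, SHA-1 treated as legacy) and the hardened counterpart configuration are this example's own assumptions; the sample input is R1's configuration from this page with the annotations stripped.

```python
"""Audit a Cisco-IOS-style ISAKMP/IPsec configuration for weak settings.

Added example, not from the original page. The thresholds below are this
example's own assumptions, not IOS defaults or vendor guidance.
"""

WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5", "sha"}            # 'hash sha' on IOS is SHA-1
MIN_DH_GROUP = 14                     # assumption: 2048-bit MODP or better
MIN_ISAKMP_LIFETIME = 3600            # assumption: flag rekeys more often than hourly
WEAK_TRANSFORMS = {"esp-null", "esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}
LEGACY_TRANSFORMS = {"esp-sha-hmac", "ah-sha-hmac"}   # HMAC-SHA-1

# R1's configuration from the page, annotations removed (constructed input).
R1_CONFIG = """\
crypto isakmp policy 1
 encryption 3des
 hash md5
 authentication pre-share
 group 5
 lifetime 120
crypto isakmp key 0 ruijie address 172.16.50.2
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
 mode tunnel
access-list 100 permit ip host 1.1.1.1 host 2.2.2.2
crypto map MAP 1 ipsec-isakmp
 set peer 172.16.50.2
 set transform-set IPSEC
 match address 100
"""

# Hardened counterpart (assumption: what this example's author would deploy).
# The PSK line is omitted because an encrypted type-6 key cannot be shown
# meaningfully here; on real gear use 'key config-key password-encryption'
# and 'password encryption aes' so the PSK is not stored in cleartext.
HARDENED_CONFIG = """\
crypto isakmp policy 1
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto ipsec transform-set IPSEC esp-aes 256 esp-sha256-hmac
 mode tunnel
access-list 100 permit ip host 1.1.1.1 host 2.2.2.2
crypto map MAP 1 ipsec-isakmp
 set peer 172.16.50.2
 set transform-set IPSEC
 match address 100
"""


def audit(config: str) -> list:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    transform_sets = set()
    acls = set()
    policy = "?"
    for raw in config.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[:3] == ["crypto", "isakmp", "policy"]:
            policy = w[3]
        elif w[0] == "encryption" and w[1] in WEAK_ENCRYPTION:
            findings.append(f"policy {policy}: weak encryption {w[1]}")
        elif w[0] == "hash" and w[1] in WEAK_HASH:
            findings.append(f"policy {policy}: weak hash {w[1]}")
        elif w[0] == "group" and int(w[1]) < MIN_DH_GROUP:
            findings.append(f"policy {policy}: DH group {w[1]} below {MIN_DH_GROUP}")
        elif w[0] == "lifetime" and int(w[1]) < MIN_ISAKMP_LIFETIME:
            findings.append(f"policy {policy}: lifetime {w[1]}s forces very frequent rekeys")
        elif w[:3] == ["crypto", "isakmp", "key"] and w[3] == "0":
            findings.append("pre-shared key entered as cleartext (key 0)")
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            name, transforms = w[3], w[4:]
            transform_sets.add(name)
            for t in transforms:
                if t in WEAK_TRANSFORMS:
                    findings.append(f"transform-set {name}: weak transform {t}")
                elif t in LEGACY_TRANSFORMS:
                    findings.append(f"transform-set {name}: {t} is SHA-1; prefer esp-sha256-hmac")
        elif w[0] == "access-list":
            acls.add(w[1])
        elif w[:2] == ["set", "transform-set"] and w[2] not in transform_sets:
            findings.append(f"crypto map references undefined transform-set {w[2]}")
        elif w[:2] == ["match", "address"] and w[2] not in acls:
            findings.append(f"crypto map references undefined access-list {w[2]}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("R1 (page)", R1_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = audit(cfg)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Running it against the page's R1 configuration yields seven findings; the hardened configuration yields none. The undefined-reference checks matter because, as the IOS message under step 4 says, a crypto map stays disabled until it has a valid peer and access list, and a typo in the ACL number fails silently at configuration time.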
6. Verification
Send an extended ping sourced from the protected address to trigger the negotiation, then check that the ISAKMP SA and the IPsec SA came up:
show crypto isakmp sa
show crypto ipsec sa
R1#ping 2.2.2.2 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/22/32 m
R1#show crypto isakmp sa   (QM_IDLE / ACTIVE means phase 1 completed and the IKE SA is established)
dst             src             state      conn-id slot status
172.16.50.2     172.16.50.1     QM_IDLE          1    0 ACTIVE
R1#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: MAP, local addr 172.16.50.1
protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
current_peer 172.16.50.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 6, #pkts encrypt: 6, #pkts digest: 6
#pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 6
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 4, #recv errors 0
local crypto endpt.: 172.16.50.1, remote crypto endpt.: 172.16.50.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xEB9A4D72(3952758130)
inbound esp sas:
spi: 0xEE99A619(4003046937)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: MAP
sa timing: remaining key lifetime (k/sec): (4467890/3527)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xEB9A4D72(3952758130)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: MAP
sa timing: remaining key lifetime (k/sec): (4467890/3526)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
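The counters in the output above are the quickest way to tell which side is broken: encaps rising with decaps stuck at zero means the peer never sends anything back (typically a missing mirrored ACL or route on the other router). As an added example that is not part of the original page, the following script parses show crypto ipsec sa text and applies that check. The sample text is the R1 output shown above (constructed input); the one-way variant and the health rules are this example's own.

```python
"""Parse 'show crypto ipsec sa' output and judge whether the tunnel is healthy.

Added example, not from the original page. The sample text is the R1 output
from the page (constructed input); the health rules are this example's own.
"""
import re

SHOW_IPSEC_SA = """\
interface: FastEthernet0/0
    Crypto map tag: MAP, local addr 172.16.50.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
   current_peer 172.16.50.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 6, #pkts encrypt: 6, #pkts digest: 6
    #pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 6
    #send errors 4, #recv errors 0
     local crypto endpt.: 172.16.50.1, remote crypto endpt.: 172.16.50.2
     current outbound spi: 0xEB9A4D72(3952758130)
     inbound esp sas:
      spi: 0xEE99A619(4003046937)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        sa timing: remaining key lifetime (k/sec): (4467890/3527)
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     outbound esp sas:
      spi: 0xEB9A4D72(3952758130)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        sa timing: remaining key lifetime (k/sec): (4467890/3526)
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
"""

# Constructed variant: traffic leaves encrypted but nothing comes back, the
# classic symptom of a missing mirrored ACL or route on the peer.
ONE_WAY = SHOW_IPSEC_SA.replace(
    "#pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 6",
    "#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0",
)

COUNTER_RE = re.compile(r"#(pkts \w+|send errors|recv errors):?\s+(\d+)")
SECTION_RE = re.compile(r"(inbound|outbound) (esp|ah|pcp) sas:")
IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \((.+)\)")


def parse_ipsec_sa(text: str) -> dict:
    """Extract counters, identities, peer and per-direction SA details."""
    sa = {"counters": {}, "sas": {}, "peer": None, "local_ident": None, "remote_ident": None}
    section, current = None, None
    for raw in text.splitlines():
        line = raw.strip()
        for m in COUNTER_RE.finditer(line):
            sa["counters"][m.group(1)] = int(m.group(2))
        m = IDENT_RE.match(line)
        if m:
            sa[f"{m.group(1)}_ident"] = m.group(2)
            continue
        if line.startswith("current_peer"):
            sa["peer"] = line.split()[1]
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current = f"{m.group(1)} {m.group(2)}", None
            continue
        if section and line.startswith("spi:"):
            current = {"spi": line.split()[1].split("(")[0]}
            sa["sas"].setdefault(section, []).append(current)
        elif current is not None:
            if line.startswith("transform:"):
                current["transform"] = line[len("transform:"):].strip(" ,").split()
            elif line.startswith("in use settings"):
                current["mode"] = "Tunnel" if "Tunnel" in line else "Transport"
            elif "remaining key lifetime" in line:
                kb, sec = re.search(r"\((\d+)/(\d+)\)", line).groups()
                current["remaining_kb"], current["remaining_sec"] = int(kb), int(sec)
            elif line.startswith("replay detection support:"):
                current["replay"] = line.split()[-1] == "Y"
            elif line.startswith("Status:"):
                current["status"] = line.split()[1]
    return sa


def health(sa: dict) -> list:
    """Return problems found; an empty list means the tunnel looks healthy."""
    issues = []
    for direction in ("inbound esp", "outbound esp"):
        if not any(s.get("status") == "ACTIVE" for s in sa["sas"].get(direction, [])):
            issues.append(f"{direction}: no ACTIVE SA")
    c = sa["counters"]
    if c.get("pkts encaps", 0) > 0 and c.get("pkts decaps", 0) == 0:
        issues.append("one-way traffic: packets are encrypted but none are decrypted; "
                      "check the peer's mirrored ACL, route and crypto map")
    if c.get("send errors", 0):
        issues.append(f"send errors: {c['send errors']} (outbound packets dropped, typically "
                      "while the SA was still being negotiated; confirm the counter stops rising)")
    if c.get("recv errors", 0):
        issues.append(f"recv errors: {c['recv errors']}")
    for direction, entries in sa["sas"].items():
        for s in entries:
            if not s.get("replay", True):
                issues.append(f"{direction} spi {s['spi']}: replay detection disabled")
    return issues


if __name__ == "__main__":
    for label, text in (("page output", SHOW_IPSEC_SA), ("one-way variant", ONE_WAY)):
        print(label, health(parse_ipsec_sa(text)) or ["healthy"])
```

On the page's own output the only thing reported is the four send errors; on the one-way variant the script additionally names the asymmetry, which is the cue to look at the other router rather than at R1.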