
Site-to-Site IPsec VPN Configuration on a Router Network

This lab uses a network of six routers. R3, in the middle, represents the ISP; R2 represents the company headquarters and connects the ISP to the internal LAN.

R1 stands in for a PC host inside the company. The goal of the lab is to configure and verify a Site-to-Site IPsec VPN. The topology is shown below:

[Figure: topology diagram, Site-to-Site IPsec VPN configuration on a router network]

The complete configuration commands are as follows:

R2:

r2#show runn

Building configuration...

Current configuration : 1337 bytes

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

hostname r2

boot-start-marker

boot-end-marker

no aaa new-model

memory-size iomem 5

ip cef

no ip domain lookup

crypto isakmp policy 1 ##define the VPN (ISAKMP) policy

encryption des ##encrypt with the symmetric algorithm DES

group 1 ##use group 1 for key exchange

hash md5 ##use MD5 for authentication

authentication pre-share ##authenticate with a pre-shared key; because DES encryption and group 1 key exchange are the defaults, they do not appear in show runn, but they must still be configured

crypto isakmp key 6 cisco address 192.168.5.2 ##the peer and the key used for pre-shared authentication

crypto ipsec transform-set ccnp ah-md5-hmac ##define an IPsec transform set named ccnp that uses AH; ESP is not used to encrypt the data

crypto map mymap 1 ipsec-isakmp ##define a crypto map named mymap; it references ACL 110 and the transform set ccnp defined above, and sets the peer address

set peer 192.168.5.2 ##set the peer address

set transform-set ccnp ##reference the transform set ccnp defined above

match address 110 ##reference ACL 110

interface Ethernet0/0

no ip address

shutdown

half-duplex

interface Ethernet0/1

ip address 192.168.1.1 255.255.255.0

ip nat inside ##this is the internal-network interface; enable NAT

ip virtual-reassembly

half-duplex

interface Ethernet0/2

ip address 192.168.4.1 255.255.255.0

ip nat outside ##this is the public interface facing the ISP; enable NAT; private addresses are translated to the public address on this interface to reach the Internet

ip virtual-reassembly

half-duplex

crypto map mymap

interface Ethernet0/3

no ip address

shutdown

half-duplex

ip http server

no ip http secure-server

ip route 0.0.0.0 0.0.0.0 192.168.4.2 ##default route to the ISP; the next hop is the ISP-side address of the link

ip nat inside source list 100 interface Ethernet0/2 overload ##enable NAT referencing ACL 100; addresses matching ACL 100 are translated

access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 ##this ACL defines the private addresses NAT must translate; first deny the addresses that go through the VPN

access-list 100 permit ip 192.168.1.0 0.0.0.255 any ##these are the private addresses to be NAT-translated

access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 ##this ACL defines the traffic the VPN handles; when the 192.168.1.0 subnet accesses the 192.168.2.0 subnet, the ISAKMP and IPsec settings defined above are applied (encryption and so on)

control-plane

line con 0

line aux 0

line vty 0 4

end

r2#

r1: this router acts as the headquarters PC

r1#ping 192.168.2.2 ##the ping reaches the address of the PC representing the branch office, which shows the VPN works

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 120/194/232 ms

r1#ping 192.168.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 124/138/160 ms

r1#ping 192.168.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 104/164/216 ms

r1#ping 192.168.3.2 ##the ping reaches 3.2, which represents an Internet address, showing that NAT translation works

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.3.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 80/151/220 ms

r1#show runn

Building configuration...

Current configuration : 806 bytes

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

hostname r1

boot-start-marker

boot-end-marker

no aaa new-model

memory-size iomem 5

no ip routing

no ip cef

no ip domain lookup

interface Ethernet0/0

no ip address

no ip route-cache

shutdown

half-duplex

interface Ethernet0/1

ip address 192.168.1.2 255.255.255.0

no ip route-cache

half-duplex

interface Ethernet0/2

no ip address

no ip route-cache

shutdown

half-duplex

interface Ethernet0/3

no ip address

no ip route-cache

shutdown

half-duplex

ip default-gateway 192.168.1.1

ip http server

no ip http secure-server

control-plane

line con 0

line aux 0

line vty 0 4

end

r1#

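r3: this router acts as the ISP router and connects three networks: the 3.0 subnet, the 4.0 subnet representing headquarters, and the 5.0 subnet representing the branch. Its configuration is simple: just configure the three addresses.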

r3>en

r3#show runn

Building configuration...

Current configuration : 708 bytes

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

hostname r3

boot-start-marker

boot-end-marker

no aaa new-model

memory-size iomem 5

ip cef

no ip domain lookup

interface Ethernet0/0

ip address 192.168.3.1 255.255.255.0 ##connects to the 3.0 subnet, which represents Internet addresses

half-duplex

interface Ethernet0/1

ip address 192.168.4.2 255.255.255.0 ##connects to the router representing headquarters

half-duplex

interface Ethernet0/2

ip address 192.168.5.1 255.255.255.0 ##connects to the router representing the branch office

half-duplex

interface Ethernet0/3

no ip address

shutdown

half-duplex

ip http server

no ip http secure-server

control-plane

line con 0

line aux 0

line vty 0 4

end

r3#

r4: the router connected to the branch office. Its configuration is similar to r2's, so it is not described separately; only the differences are noted.

2, changed state to up

r4(config-if)#

r4(config-if)#

r4(config-if)#

r4(config-if)#

r4(config-if)#ex

r4(config)#in e0/1

r4(config-if)#ip nat ou

r4(config-if)#ip nat outside

r4(config-if)#

*Mar 1 00:12:48.551: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to upex

r4(config)#in e0/2

r4(config-if)#ip nat ins

r4(config-if)#ex

r4(config)#acc

r4(config)#access-list 100 den

r4(config)#$ 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

r4(config)#acc

r4(config)#access-list 100 per

r4(config)#access-list 100 permit ip 192.168.2.0 0.0.0.255 any

r4(config)#ip nat inside sourc list 100 in

r4(config)#ip nat inside sourc list 100 interface e0/1 ove

r4(config)#ip route 0.0.0.0 0.0.0.0 192.168.5.1

r4(config)#

r4(config)#

r4(config)#

r4(config)#

r4(config)#

r4(config)#

r4(config)#

r4(config)#

r4(config)#

r4(config)#

r4(config)#

r4(config)#

r4(config)#

r4(config)#

r4(config)#acc

r4(config)#access-list 110 per

r4(config)#$ 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

r4(config)#cry

r4(config)#crypto is

r4(config)#crypto isakmp po

r4(config)#crypto isakmp policy ?

Priority of protection suite

r4(config)#crypto isakmp policy 1 ?

r4(config)#crypto isakmp policy 1

r4(config-isakmp)#en

r4(config-isakmp)#encryption des

r4(config-isakmp)#hash mdt

% Invalid input detected at "^" marker.

r4(config-isakmp)#hash md5

r4(config-isakmp)#auth

r4(config-isakmp)#authentication pre

r4(config-isakmp)#authentication pre-share

r4(config-isakmp)#gr

r4(config-isakmp)#group 1

r4(config-isakmp)#ex

r4(config)#cry

r4(config)#crypto is

r4(config)#crypto isakmp key 6 cisco add ?

A.B.C.D Peer IP address

r4(config)#crypto isakmp key 6 cisco add 192.168.4.1 ?

A.B.C.D Peer IP subnet mask

no-xauth Bypasses XAuth for this peer

r4(config)#crypto isakmp key 6 cisco add 192.168.4.1

r4(config)#cry ip

r4(config)#cry ipsec tran

r4(config)#cry ipsec transform-set ccnp ?

ah-md5-hmac AH-HMAC-MD5 transform

ah-sha-hmac AH-HMAC-SHA transform

comp-lzs IP Compression using the LZS compression algorithm

esp-3des ESP transform using 3DES(EDE) cipher (168 bits)

esp-aes ESP transform using AES cipher

esp-des ESP transform using DES cipher (56 bits)

esp-md5-hmac ESP transform using HMAC-MD5 auth

esp-null ESP transform w/o cipher

esp-seal ESP transform using SEAL cipher (160 bits)

esp-sha-hmac ESP transform using HMAC-SHA auth

r4(config)#cry ipsec transform-set ccnp ah

r4(config)#cry ipsec transform-set ccnp ah-m

r4(config)#cry ipsec transform-set ccnp ah-md5-hmac

r4(cfg-crypto-trans)#exit

r4(config)#cry

r4(config)#crypto map mymap 1 ips

r4(config)#crypto map mymap 1 ipsec-is

r4(config)#crypto map mymap 1 ipsec-isakmp

% NOTE: This new crypto map will remain disabled until a peer

and a valid access list have been configured.

r4(config-crypto-map)#mat

r4(config-crypto-map)#match add 110

r4(config-crypto-map)#set tr

r4(config-crypto-map)#set transform-set ccnp

r4(config-crypto-map)#set peer 192.168.4.1

r4(config-crypto-map)#ex

r4(config)#in e0/1

r4(config-if)#cry map mymap

r4(config-if)#ex

*Mar 1 00:18:34.063: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

r4(config)#end

r4#show ru

*Mar 1 00:19:44.447: %SYS-5-CONFIG_I: Configured from console by consolenn

Building configuration...

Current configuration : 1337 bytes

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

hostname r4

boot-start-marker

boot-end-marker

no aaa new-model

memory-size iomem 5

ip cef

no ip domain lookup

crypto isakmp policy 1 ##must match r2's configuration; only the peer address changes to r2's public interface address

hash md5

authentication pre-share

crypto isakmp key 6 cisco address 192.168.4.1

crypto ipsec transform-set ccnp ah-md5-hmac

crypto map mymap 1 ipsec-isakmp

set peer 192.168.4.1

set transform-set ccnp

match address 110

interface Ethernet0/0

no ip address

shutdown

half-duplex

interface Ethernet0/1

ip address 192.168.5.2 255.255.255.0

ip nat outside

ip virtual-reassembly

half-duplex

crypto map mymap

interface Ethernet0/2

ip address 192.168.2.1 255.255.255.0

ip nat inside

ip virtual-reassembly

half-duplex

interface Ethernet0/3

no ip address

shutdown

half-duplex

ip http server

no ip http secure-server

ip route 0.0.0.0 0.0.0.0 192.168.5.1

ip nat inside source list 100 interface Ethernet0/1 overload

access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 100 permit ip 192.168.2.0 0.0.0.255 any

access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

control-plane

line con 0

line aux 0

line vty 0 4

end

r4#
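
The r4 listing above shows neither "encryption des" nor "group 1" because they are defaults, so a review of the running-config alone can miss them. The following is an added example, not part of the original article: it audits the crypto lines for the DES, MD5, group 1 and AH-only choices used in this lab. The function name audit and the wording of the findings are assumptions made for illustration.

```python
# Constructed sample: crypto lines of r4's running-config as listed on the page.
# "encryption des" and "group 1" are absent because show run hides defaults.
R4_CONFIG = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key 6 cisco address 192.168.4.1
crypto ipsec transform-set ccnp ah-md5-hmac
crypto map mymap 1 ipsec-isakmp
 set peer 192.168.4.1
 set transform-set ccnp
 match address 110
"""

# Defaults as stated in the page's note on r2's policy (DES, group 1).
POLICY_DEFAULTS = {"encryption": "des", "group": "1"}
WEAK = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}
ESP_CIPHERS = {"esp-des", "esp-3des", "esp-aes", "esp-seal"}  # from the CLI help


def audit(config):
    """Return findings for weak IKE phase 1 and IPsec settings in an IOS config."""
    policies, findings, current = {}, [], None
    for raw in config.splitlines():
        words = raw.split("##")[0].split()  # drop the page's ## annotations
        if not words:
            continue
        if words[:3] == ["crypto", "isakmp", "policy"] and len(words) > 3:
            current = policies.setdefault(words[3], dict(POLICY_DEFAULTS))
        elif current is not None and words[0] in WEAK and len(words) > 1:
            current[words[0]] = words[1]
        elif words[0] == "crypto":
            current = None  # another top-level crypto command ends the policy
            if words[1:3] == ["ipsec", "transform-set"] and len(words) > 4:
                name, transforms = words[3], set(words[4:])
                if not transforms & ESP_CIPHERS:
                    findings.append(f"transform-set {name}: no ESP cipher, not encrypted")
                for t in sorted(transforms):
                    if "md5" in t or t == "esp-des":
                        findings.append(f"transform-set {name}: weak transform {t}")
    for number, settings in sorted(policies.items()):
        for key in ("encryption", "hash", "group"):
            if settings.get(key) in WEAK[key]:
                findings.append(f"isakmp policy {number}: weak {key} {settings[key]}")
    return findings

if __name__ == "__main__":
    for finding in audit(R4_CONFIG):
        print(finding)
```

Run against r4's listing, it reports the hidden DES and group 1 defaults alongside the visible MD5 and AH-only settings.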

r5: this router is the branch-office PC, which needs to access the headquarters 1.0 subnet

r5>en

r5#show runn

Building configuration...

Current configuration : 806 bytes

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

hostname r5

boot-start-marker

boot-end-marker

no aaa new-model

memory-size iomem 5

no ip routing

no ip cef

no ip domain lookup

interface Ethernet0/0

no ip address

no ip route-cache

shutdown

half-duplex

interface Ethernet0/1

ip address 192.168.2.2 255.255.255.0

no ip route-cache

half-duplex

interface Ethernet0/2

no ip address

no ip route-cache

shutdown

half-duplex

interface Ethernet0/3

no ip address

no ip route-cache

shutdown

half-duplex

ip default-gateway 192.168.2.1

ip http server

no ip http secure-server

control-plane

line con 0

line aux 0

line vty 0 4

end

r5#ping 192.168.1.2 ##the ping reaches the PC representing headquarters, which shows the VPN works

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 124/135/144 ms

r5#

r6: this router represents server resources on the Internet

r6>en

r6#show runn

Building configuration...

Current configuration : 806 bytes

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

hostname r6

boot-start-marker

boot-end-marker

no aaa new-model

memory-size iomem 5

no ip routing

no ip cef

no ip domain lookup

interface Ethernet0/0

no ip address

no ip route-cache

shutdown

half-duplex

interface Ethernet0/1

ip address 192.168.3.2 255.255.255.0

no ip route-cache

half-duplex

interface Ethernet0/2

no ip address

no ip route-cache

shutdown

half-duplex

interface Ethernet0/3

no ip address

no ip route-cache

shutdown

half-duplex

ip default-gateway 192.168.3.1

ip http server

no ip http secure-server

control-plane

line con 0

line aux 0

line vty 0 4

end

r6#

Editor: 藍雨淚  Source: IT168