[Security Series] IPsec VPN Configuration Example

Posted by 科技小能手 on 2017-11-14

LAN-to-LAN IPsec VPN configuration report

This lab report concentrates on the configuration and on what the show commands and tests reveal; the underlying theory will be covered in a later article on principles.
 
[Lab Topology]
 
 
[Lab Requirements]
 
1. The internal network behind virtual PC1 (192.168.12.0) must reach the internal network behind R3 (192.168.23.0) over an IPsec VPN;
 
2. Building on step 1, the internal network behind R1 (192.168.12.0) and the internal network behind R3 (192.168.23.0) must reach the Internet through NAT, while the network behind R1 (192.168.12.0) still reaches the network behind R3 (192.168.23.0) over the IPsec VPN.

 
 
[Lab Configuration]
 
Configuration for requirement 1:
1) Configure an IP address and default gateway on PC1.
2) Main configuration on R1:
crypto isakmp policy 10                              ! first define the IKE (phase 1) policy set
 hash md5                                            ! hash algorithm
 authentication pre-share                            ! authentication method: pre-shared key
 encryption des                                      ! encryption algorithm

crypto isakmp key speedfull address 23.23.23.3       ! pre-shared key and the peer's IP address

crypto ipsec transform-set sf esp-des esp-md5-hmac   ! then define the IPsec transform set (ESP is the encapsulation type)

crypto map sf 10 ipsec-isakmp
 match address 120                                   ! the traffic to be encrypted
 set peer 23.23.23.3
 set transform-set sf

access-list 120 permit ip 192.168.12.0 0.0.0.255 192.168.23.0 0.0.0.255

int s1/0
 crypto map sf                                       ! apply the crypto map to the interface
 
R1 also needs a default route, ip route 0.0.0.0 0.0.0.0 s1/0, so that it can reach the outside network.
 
3) R3 is configured in the same way (with the local and remote addresses swapped).
A few show commands let you check that the configuration is correct:
********* ISAKMP-related output ********
R1#show crypto isakmp policy

Global IKE policy
Protection suite of priority 10
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

R1#show crypto isakmp peers
Peer: 23.23.23.3 Port: 500 Local: 12.12.12.1
 Phase1 id: 23.23.23.3


R1#show crypto isakmp sa
dst             src             state          conn-id slot status
12.12.12.1      23.23.23.3      QM_IDLE              1    0 ACTIVE

 
 
********* IPsec-related output ************
 
R1#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 4        -- not sure yet what this means.


R1#show crypto ipsec sa

interface: Serial1/0
    Crypto map tag: sf, local addr 12.12.12.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.12.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.23.0/255.255.255.0/0/0)
   current_peer 23.23.23.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 96, #pkts encrypt: 96, #pkts digest: 96
    #pkts decaps: 105, #pkts decrypt: 105, #pkts verify: 105
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 6, #recv errors 0

     local crypto endpt.: 12.12.12.1, remote crypto endpt.: 23.23.23.3
     path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0
     current outbound spi: 0xC1E4CEB7(3252997815)

     inbound esp sas:
      spi: 0x9F566494(2673239188)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: sf
        sa timing: remaining key lifetime (k/sec): (4540031/1720)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC1E4CEB7(3252997815)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: sf
        sa timing: remaining key lifetime (k/sec): (4540032/1719)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R1#show crypto ipsec transform-set
Transform set sf: { esp-des esp-md5-hmac  }
   will negotiate = { Tunnel,  },

 
 
******** Crypto map output *************
R1#show crypto map
Crypto Map "sf" 10 ipsec-isakmp
        Peer = 23.23.23.3
        Extended IP access list 120
            access-list 120 permit ip 192.168.12.0 0.0.0.255 192.168.23.0 0.0.0.255
        Current peer: 23.23.23.3
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                sf,
        }
        Interfaces using crypto map sf:
                Serial1/0

 
 
Now test it:
Without the VPN configured, the virtual PC cannot ping PC2. With it in place:
pc2#ping 192.168.12.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 108/166/264 ms
 
The show commands and the ping test confirm that the VPN is up. Requirement 1 is complete.
 
 
Configuration for requirement 2:
When NAT is used, the packet's source address is rewritten at the egress interface. If nothing is done about this, those packets are dropped, because the VPN does not allow the packets it protects to be modified (once translated they no longer match the crypto ACL). The fix is an access control list:
 
The NAT configuration itself is not explained here.
 
With the following configuration, pings fail because the source address has been changed.
See the debug output below:
ip nat inside source list 1 interface Serial1/0 overload

access-list 1 permit any

*Mar  1 01:33:10.183: IP: s=192.168.23.2 (local), d=192.168.12.1 (FastEthernet0/0), len 100, sending
*Mar  1 01:33:10.403: IP: s=23.23.23.2 (FastEthernet0/0), d=192.168.23.2, len 56, rcvd 1
*Mar  1 01:33:10.407: IP: tableid=0, s=192.168.23.2 (local), d=192.168.12.1 (FastEthernet0/0), routed via RIB
The source address has been rewritten to 23.23.23.2.
pc2#ping 192.168.12.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
 
So configure it like this instead: create an access list that keeps the end-to-end subnets out of NAT when they leave the router.
 
ip nat inside source list 101 interface Serial1/0 overload

access-list 101 deny   ip 192.168.12.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 101 permit ip 192.168.12.0 0.0.0.255 any
 
Now the ping succeeds.
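The following is an added example and not code from the original post. It models, in plain Python, the two things the fix above relies on: Cisco wildcard-mask ACL matching (top-down, first match wins, implicit deny at the end) and the IOS inside-to-outside order of operations, in which NAT translation is applied before the interface's crypto map is consulted. That ordering is why access-list 1 permit any pushes VPN-bound packets out in the clear and why the deny entry in access-list 101 repairs it. The addresses and ACL numbers are the post's; 12.12.12.1 is R1's serial address from the show output; 203.0.113.10 is a constructed Internet destination; all function names are this example's own.

```python
"""Model of NAT-before-crypto on R1 and the effect of the two NAT ACLs."""
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match exactly, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


ANY = ("0.0.0.0", "255.255.255.255")


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line: str):
    """Parse the numbered-ACL syntax used on the page.

    Extended: 'access-list N permit|deny ip SRC DST'
    Standard: 'access-list N permit|deny SRC'   (source only; destination is 'any')
    """
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(line)
    number, action = int(tok[1]), tok[2]
    if tok[3] == "ip":                       # extended ACL
        src, rest = _take_addr(tok[4:])
        dst, _ = _take_addr(rest)
    else:                                    # standard ACL (1-99)
        src, _ = _take_addr(tok[3:])
        dst = ANY
    return number, action, src, dst


def acl_action(acl_lines, number, src, dst) -> str:
    """Evaluate ACL `number` top-down; first match wins; implicit deny at the end."""
    for line in acl_lines:
        num, action, (sb, sw), (db, dw) = parse_ace(line)
        if num == number and wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


def forward_inside_to_outside(src, dst, acl_lines, nat_list, crypto_list, outside_ip):
    """Return (source address on the wire, 'encrypted' or 'clear').

    IOS passes inside->outside packets through NAT first and only then checks
    the crypto map, so a translated source no longer matches crypto ACL 120
    and the packet leaves unprotected.
    """
    if acl_action(acl_lines, nat_list, src, dst) == "permit":
        src = outside_ip                     # PAT 'overload' rewrites to the interface address
    if acl_action(acl_lines, crypto_list, src, dst) == "permit":
        return src, "encrypted"
    return src, "clear"


# ACLs exactly as they appear in the post.
CRYPTO_ACL = ["access-list 120 permit ip 192.168.12.0 0.0.0.255 192.168.23.0 0.0.0.255"]
BROKEN_NAT = ["access-list 1 permit any"]
FIXED_NAT = ["access-list 101 deny ip 192.168.12.0 0.0.0.255 192.168.23.0 0.0.0.255",
             "access-list 101 permit ip 192.168.12.0 0.0.0.255 any"]


def demo():
    """Run both NAT configurations against VPN-bound and Internet-bound traffic from PC1."""
    r1 = "12.12.12.1"                        # R1's Serial1/0 address from the show output
    inet = "203.0.113.10"                    # constructed Internet destination
    return {
        "broken_vpn": forward_inside_to_outside("192.168.12.1", "192.168.23.2", CRYPTO_ACL + BROKEN_NAT, 1, 120, r1),
        "fixed_vpn":  forward_inside_to_outside("192.168.12.1", "192.168.23.2", CRYPTO_ACL + FIXED_NAT, 101, 120, r1),
        "fixed_inet": forward_inside_to_outside("192.168.12.1", inet, CRYPTO_ACL + FIXED_NAT, 101, 120, r1),
    }


if __name__ == "__main__":
    for name, (wire_src, how) in demo().items():
        print(f"{name:11s} source on the wire {wire_src:13s} sent {how}")
```

The "broken_vpn" case reproduces the U.U.U result: the packet leaves R1 with source 12.12.12.1 and no ESP, so R3 never sees traffic matching its own crypto ACL. The "fixed_inet" case shows that the deny entry only exempts the site-to-site pair; ordinary Internet traffic is still translated, which is what requirement 2 asks for.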
 
 
[Lab Summary]
 
There is quite a lot of configuration, but once you understand the overall approach it is not difficult.
First build a secure channel with ISAKMP by setting its parameters (both sides must match; if they differ, the router automatically searches for a matching policy set).
Then choose the IPsec encapsulation, ESP or AH, and set its parameters.
Finally, watch out for the NAT issue.
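The following is an added example, not code from the original post, illustrating the "both sides must match, otherwise the router looks for a matching policy set" rule for the ISAKMP step. R1's policy list is taken from the post's show crypto isakmp policy output (priority 10 plus the default suite); the R3 policy lists are constructed scenarios and every name here is this example's own. The selection rule modelled is the one Cisco documents for IKEv1: the responder walks its own policies from the highest priority (lowest number) and takes the first whose encryption, hash, authentication method and DH group equal one of the initiator's proposals; the pre-shared key and the priority number are not part of the match, and when the lifetimes differ the shorter one is used. The suites are kept as the post has them (DES, MD5, DH group 1) so the model matches the page; current deployments would use AES, SHA-2 and a larger DH group, and the function works unchanged for those values.

```python
"""IKE phase-1 policy selection between R1 (responder) and several R3 configurations."""
from dataclasses import dataclass


@dataclass(frozen=True)
class IkePolicy:
    priority: int
    encryption: str
    hash_alg: str
    authentication: str
    dh_group: int
    lifetime: int = 86400   # seconds, the IOS default shown in the post's output


# R1 as shown on the page: the configured suite and the implicit default suite.
R1_POLICIES = [
    IkePolicy(10, "des", "md5", "pre-share", 1),
    IkePolicy(65535, "des", "sha", "rsa-sig", 1),   # 'Default protection suite'
]


def same_suite(a: IkePolicy, b: IkePolicy) -> bool:
    """Priority and lifetime are local choices; only the four suite attributes must agree."""
    return (a.encryption, a.hash_alg, a.authentication, a.dh_group) == \
           (b.encryption, b.hash_alg, b.authentication, b.dh_group)


def select_policy(responder_policies, initiator_proposals):
    """Return (responder policy used, negotiated lifetime), or None if phase 1 cannot complete."""
    for mine in sorted(responder_policies, key=lambda p: p.priority):
        for theirs in initiator_proposals:
            if same_suite(mine, theirs):
                return mine, min(mine.lifetime, theirs.lifetime)
    return None


# Constructed R3 configurations, acting as the initiator.
R3_IDENTICAL = [IkePolicy(10, "des", "md5", "pre-share", 1)]
R3_REORDERED = [                                     # preferred suite differs, a lower one matches
    IkePolicy(10, "aes", "sha", "pre-share", 2, lifetime=3600),
    IkePolicy(20, "des", "md5", "pre-share", 1, lifetime=3600),
]
R3_MISMATCH = [IkePolicy(10, "aes", "sha", "pre-share", 2)]


def negotiate_examples():
    """Which R1 policy (if any) each R3 configuration ends up using, with the agreed lifetime."""
    out = {}
    for name, r3 in [("identical", R3_IDENTICAL), ("reordered", R3_REORDERED), ("mismatch", R3_MISMATCH)]:
        chosen = select_policy(R1_POLICIES, r3)
        out[name] = None if chosen is None else (chosen[0].priority, chosen[1])
    return out


if __name__ == "__main__":
    for name, result in negotiate_examples().items():
        print(name, "->", "no phase-1 SA" if result is None
              else f"R1 policy {result[0]}, lifetime {result[1]}s")
```

The "reordered" case is the situation the summary describes: R3's preferred policy does not exist on R1, but its second policy does, so phase 1 still completes on R1's policy 10 (with the shorter 3600-second lifetime). In the "mismatch" case no suite is shared, no ISAKMP SA is built, and show crypto isakmp sa on R1 would not show the QM_IDLE entry seen earlier on the page.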
 
Since I am a beginner my understanding is not very deep, so please point out any mistakes.
 
 
 
This article is reposted from wzhj132's 51CTO blog; original: http://blog.51cto.com/wzhj132/187560

