3G + IPsec configuration
Tail of the display user-interface output (Stage 1, which is not included on this page):

  85   VTY 3              -       3     N     -
  86   VTY 4              -       3     N     -
  UI(s) not in async mode -or- with no hardware support:
  1-12 14-80
  +    : Current UI is active.
  F    : Current UI is active and work in async mode.
  Idx  : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  Auth : The authentication mode of UIs.
  Int  : The physical location of UIs.
  A    : Authentication use AAA.
  L    : Authentication use local database.
  N    : Current UI need not authentication.
  P    : Authentication use current UI's password.
[111-MSR2021]

Stage 2: IPsec initiator (the device with the 3G modem) configuration

[111-MSR2021]dis cur
#
// Enable DNS resolution
 dns resolve
// ACL 3000 is used for NAT. It first excludes the destination networks that must go through IPsec,
// because nat outbound is applied before the IPsec security ACL is evaluated on the egress interface:
// a flow that gets translated has its source rewritten and never matches ACL 3001
acl number 3000
 rule 0 deny ip destination 10.0.0.0 0.255.255.255
 rule 5 deny ip destination 172.16.0.0 0.15.255.255
 rule 10 deny ip destination 192.168.0.0 0.0.255.255
 rule 15 permit ip
// ACL 3001 selects the traffic that triggers IPsec
acl number 3001
 rule 0 permit ip source 192.168.111.0 0.0.0.255 destination 192.168.11.0 0.0.0.255
// IKE peer. The peer address must be fixed; if the peer is also on 3G access the IPsec tunnel can drop without warning.
// "simple" stores the key in plaintext in the configuration and "h3c" is a lab value; use a long random key in production
ike peer navigator
 pre-shared-key simple h3c
 remote-address 60.191.99.140
// Default IPsec proposal. With no transform configured this negotiates ESP with DES encryption and MD5
// authentication (see the display ipsec sa output in Stage 5); both are deprecated, so configure an AES/SHA transform outside the lab
ipsec proposal def
// IPsec policy
ipsec policy mypolicy 1 isakmp
 security acl 3001
 ike-peer navigator
 proposal def
// Enter the USB 3G modem interface view and configure dialer circular-group 0, which binds it to interface Dialer0;
// the rest of the interface configuration is added automatically
interface Cellular0/0
 async mode protocol
 link-protocol ppp
 dialer enable-circular
 dialer-group 4
 dialer circular-group 0
 dialer timer idle 0
// Dialer0 interface
interface Dialer0
// NAT
 nat outbound 3000
// PPP CHAP and PAP username and password are both "card"; confirm with the carrier (China Telecom normally uses card)
 ppp chap user card
 ppp chap password simple card
 ppp pap local-user card password simple card
// Accept the DNS servers assigned by the peer
 ppp ipcp dns admit-any
// Actively request DNS servers from the peer
 ppp ipcp dns request
// IP address assigned by the peer
 ip address ppp-negotiate
// Enable circular DCC
// Use dialer-rule 4 ip permit
// Do not drop the connection after the dial succeeds
// Dial string #777; confirm with the carrier (China Telecom normally uses #777)
 dialer number #777
// Apply the IPsec policy on the interface
 ipsec policy mypolicy
// Interface to the internal network
interface Ethernet0/1
 port link-mode route
// Interface subnet 192.168.111.0/24
 ip address 192.168.111.1 255.255.255.0
// Default route pointing to Dialer0
 ip route-static 0.0.0.0 0.0.0.0 Dialer0
// dialer-rule
dialer-rule 4 ip permit
// User interface; tty13 can be confirmed from the display user-interface output at the beginning
user-interface tty13
// Allow both incoming and outgoing modem calls on this line
 modem both
[111-MSR2021]
Stage 3: IPsec responder (the central site, with a fixed address) configuration

// ACL 3000 for NAT; the IPsec traffic must be denied first, for the same reason as on the initiator
acl number 3000
 rule 0 deny ip destination 192.168.0.0 0.0.255.255
 rule 5 deny ip destination 10.0.0.0 0.255.255.255
 rule 10 deny ip destination 172.16.0.0 0.15.255.255
 rule 15 permit ip source 192.168.1.0 0.0.0.255
 rule 20 permit ip source 192.168.2.0 0.0.0.255
 rule 25 permit ip source 192.168.10.0 0.0.0.255
 rule 30 permit ip source 192.168.11.0 0.0.0.255
 rule 35 permit ip source 192.168.111.0 0.0.0.255
 rule 40 deny ip
// IKE peer on the responder; only the pre-shared-key needs to be configured. It must match the initiator's, and
// because no remote-address is set here (the initiator's 3G address changes on every dial) the key is the only
// thing that identifies the initiator
ike peer 2021
// IPsec proposal, kept identical to the initiator's
// IPsec policy template; no security ACL is needed, the protected flow is taken from the initiator's proposal
ipsec policy-template pt 1
 ike-peer 2021
// IPsec policy mypolicy built from the template
ipsec policy mypolicy 1 isakmp template pt
// On the Internet-facing interface configure NAT, the IP address and the IPsec policy
interface Ethernet0/0
 ip address 60.191.99.140 255.255.255.0
// VLAN interface to the internal network
interface Vlan-interface11
 ip address 192.168.11.1 255.255.255.0
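Stages 2 and 3 both depend on ACL ordering: on the egress interface nat outbound is evaluated before the IPsec security ACL, so the NAT ACL must deny the IPsec destinations or the source address is rewritten and the flow never matches ACL 3001. The following Python model is added here and is not code from the original document or from H3C. It implements Comware wildcard-mask matching and runs the page's ACLs (3000 and 3001 on the initiator, 3000 on the responder) over constructed sample flows, alongside a naive NAT ACL without the carve-out to show the failure; the Dialer0 address is the one negotiated in Stage 4.

```python
"""Comware-style ACL evaluation for the NAT / IPsec split used on this page.
Added example, not code from the original document or from H3C. It models the
egress order on the Dialer0 interface (nat outbound first, then the IPsec
security ACL) to show why ACL 3000 must deny the IPsec destinations before
its final permit. Rules are transcribed from the page; sample flows are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Spec = Optional[Tuple[str, str]]   # (address, wildcard) or None for "any"


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str          # "permit" or "deny"
    src: Spec = None
    dst: Spec = None


def wildcard_match(addr: str, spec: Spec) -> bool:
    """Comware wildcard: a 1 bit means 'don't care' (the inverse of a netmask)."""
    if spec is None:
        return True
    net, wild = spec
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def evaluate(acl: List[Rule], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First matching rule in rule-id order wins; no match is an implicit deny."""
    for rule in sorted(acl, key=lambda r: r.rule_id):
        if wildcard_match(src, rule.src) and wildcard_match(dst, rule.dst):
            return rule.action, rule.rule_id
    return "deny", None


# Initiator ACL 3000 (NAT): carve out the private destinations, then permit the rest.
NAT_ACL_3000 = [
    Rule(0, "deny", dst=("10.0.0.0", "0.255.255.255")),
    Rule(5, "deny", dst=("172.16.0.0", "0.15.255.255")),
    Rule(10, "deny", dst=("192.168.0.0", "0.0.255.255")),
    Rule(15, "permit"),
]
# The same ACL without the carve-out (constructed for comparison, not on the page).
NAIVE_NAT_ACL = [Rule(0, "permit")]
# Initiator ACL 3001 (IPsec security ACL).
IPSEC_ACL_3001 = [
    Rule(0, "permit", src=("192.168.111.0", "0.0.0.255"), dst=("192.168.11.0", "0.0.0.255")),
]
# Responder ACL 3000 (NAT): deny IPsec traffic, permit only the known internal sources.
RESPONDER_NAT_ACL_3000 = [
    Rule(0, "deny", dst=("192.168.0.0", "0.0.255.255")),
    Rule(5, "deny", dst=("10.0.0.0", "0.255.255.255")),
    Rule(10, "deny", dst=("172.16.0.0", "0.15.255.255")),
    Rule(15, "permit", src=("192.168.1.0", "0.0.0.255")),
    Rule(20, "permit", src=("192.168.2.0", "0.0.0.255")),
    Rule(25, "permit", src=("192.168.10.0", "0.0.0.255")),
    Rule(30, "permit", src=("192.168.11.0", "0.0.0.255")),
    Rule(35, "permit", src=("192.168.111.0", "0.0.0.255")),
    Rule(40, "deny"),
]
DIALER0_ADDR = "115.171.251.239"   # address negotiated on Dialer0 in Stage 4


def outbound_path(nat_acl: List[Rule], ipsec_acl: List[Rule],
                  src: str, dst: str) -> Tuple[str, str]:
    """Egress processing in Comware order: nat outbound, then the IPsec policy.
    Returns (source address as it leaves the interface, 'ipsec' or 'clear')."""
    if evaluate(nat_acl, src, dst)[0] == "permit":
        src = DIALER0_ADDR                     # source rewritten by nat outbound
    protected = evaluate(ipsec_acl, src, dst)[0] == "permit"
    return src, "ipsec" if protected else "clear"


if __name__ == "__main__":
    for nat, label in ((NAT_ACL_3000, "ACL 3000 as configured"), (NAIVE_NAT_ACL, "naive NAT ACL")):
        for dst in ("192.168.11.1", "8.8.8.8"):
            print(label, "192.168.111.250 ->", dst,
                  outbound_path(nat, IPSEC_ACL_3001, "192.168.111.250", dst))
```

With the ACL as configured, 192.168.111.250 -> 192.168.11.1 leaves with its original source and is encrypted while 192.168.111.250 -> 8.8.8.8 is translated and sent in the clear; with the naive NAT ACL the LAN-to-LAN flow is translated to the Dialer0 address and falls out of ACL 3001, so the tunnel never comes up for it.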
Stage 4: trigger the dial-up and check whether it succeeded

The ping below times out; what matters is that it generated traffic matching dialer-rule 4, which brought up the 3G call, as the displays that follow show.

[111-MSR2021-Dialer0]ping 1.1.1.1
  PING 1.1.1.1: 56  data bytes, press CTRL_C to break
    Request time out
  --- 1.1.1.1 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss

[111-MSR2021-Dialer0]dis ip int b
*down: administratively down
(s): spoofing
Interface                     Physical Protocol IP Address      Description
Aux0                          down     down     unassigned      Aux0 Inte...
Cellular0/0                   up       up(s)    unassigned      Cellular0...
Dialer0                       up       up(s)    115.171.251.239 Dialer0 I...
Ethernet0/0                   up       up       10.153.49.79    Ethernet0...
Ethernet0/1                   up       up       192.168.111.1   Ethernet0...
LoopBack0                     up       up(s)    202.38.1.1      LoopBack0...
Serial1/0                     down     down     unassigned      Serial1/0...
Tunnel0                       up       down     unassigned      Tunnel0 I...

Dialer0 now carries the carrier-assigned address 115.171.251.239, which becomes the local IPsec tunnel endpoint.

[111-MSR2021-Dialer0]dis int d0
Dialer0 current state: UP
Line protocol current state: UP (spoofing)
Description: Dialer0 Interface
The Maximum Transmit Unit is 1448, Hold timer is 10(sec)
Internet Address is negotiated, 115.171.251.239/32
Link layer protocol is PPP
LCP initial
Physical is Dialer, baudrate: 64000 bps
Output queue : (Urgent queuing : Length) 100
Output queue : (Protocol queuing : Length) 500
Output queue : (FIFO queuing : Length) 75
Last clearing of counters: Never
Last 5 seconds input rate: 233 bytes/sec, 1864 bits/sec, 0 packets/sec
Last 5 seconds output rate: 128 bytes/sec, 1024 bits/sec, 1 packets/sec
7216 packets input, 6298820 bytes, 0 drops
6053 packets output, 928710 bytes, 12 drops

[111-MSR2021-Dialer0]dis int c0/0
Cellular0/0 current state:
Description: Cellular0/0 Interface
The Maximum Transmit Unit is 1500, Hold timer is 10(sec)
Internet protocol processing : disabled
Link layer protocol is PPP
Primary DNS address is 219.141.136.10, Secondary DNS address is 219.141.140.10
LCP opened, IPCP opened
Output queue : (Urgent queuing : Size/Length/Discards) 0/100/0
Output queue : (Protocol queuing : Size/Length/Discards) 0/500/0
Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0
Transfer time: 00:49:33
Last 5 seconds input rate 62787.60 bytes/sec, 502300 bits/sec, 80.00 packets/sec
Last 5 seconds output rate 15027.20 bytes/sec, 120217 bits/sec, 75.80 packets/sec
Input: 6439 packets, 5173108 bytes
  0 broadcasts, 0 multicasts
  0 errors, 0 runts, 0 giants
  0 CRC, 0 align errors, 0 overruns
  0 dribbles, 0 aborts, 0 no buffers
  0 frame errors
Output: 5428 packets, 831579 bytes
  0 errors, 0 underruns, 0 collisions
  0 deferred
<111-MSR2021>
Stage 5: trigger IPsec and check

The -a option sources the ping from the LAN interface address so that the echo falls inside ACL 3001 (source 192.168.111.0/24, destination 192.168.11.0/24); a ping sourced from the Dialer0 address would not match the security ACL and would never bring the tunnel up.

<111-MSR2021>ping -a 192.168.111.1 192.168.11.1
  PING 192.168.11.1: 56  data bytes, press CTRL_C to break
    Reply from 192.168.11.1: bytes=56 Sequence=2 ttl=255 time=138 ms
    Reply from 192.168.11.1: bytes=56 Sequence=3 ttl=255 time=133 ms
    Reply from 192.168.11.1: bytes=56 Sequence=4 ttl=255 time=140 ms
    Reply from 192.168.11.1: bytes=56 Sequence=5 ttl=255 time=135 ms
  --- 192.168.11.1 ping statistics ---
    4 packet(s) received
    20.00% packet loss
    round-trip min/avg/max = 133/136/140 ms

Sequence 1 gets no reply: the first packet is what triggers the IKE negotiation and it is dropped while the SAs are being set up, which is normal for an on-demand tunnel and explains the 20% loss.

<111-MSR2021>dis ike sa
    total phase-1 SAs:  1
    connection-id  peer            flag        phase   doi
    ----------------------------------------------------------
      5            60.191.99.140   RD|ST       1       IPSEC
      6            60.191.99.140   RD|ST       2       IPSEC

    flag meaning
    RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT

Connection 5 is the phase 1 (ISAKMP) SA and connection 6 the phase 2 (IPsec) SA; both must show RD.

<111-MSR2021>dis ipsec sa
===============================
Interface: Dialer0
    path MTU: 1448
===============================

  -----------------------------
  IPsec policy name: "mypolicy"
  sequence number: 1
  mode: isakmp
  -----------------------------
    connection id: 4
    encapsulation mode: tunnel
    perfect forward secrecy: None
    tunnel:
        local  address: 115.171.251.239
        remote address: 60.191.99.140
    Flow:
        sour addr: 192.168.111.0/255.255.255.0  port: 0  protocol: IP
        dest addr: 192.168.11.0/255.255.255.0  port: 0  protocol: IP

    [inbound ESP SAs]
      spi: 2839623968 (0xa9413920)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa duration (kilobytes/sec): 1843200/3600
      sa remaining duration (kilobytes/sec): 1843199/3593
      max received sequence-number:
      anti-replay check enable: Y
      anti-replay window size: 32
      udp encapsulation used for nat traversal: N

    [outbound ESP SAs]
      spi: 2954648694 (0xb01c5c76)
      max sent sequence-number: 5

The proposal line confirms that the default proposal negotiated ESP with DES encryption and MD5 authentication, with no PFS; that is acceptable for a lab and nothing more. NAT traversal is N because the Dialer0 address is used directly as the tunnel endpoint; if the carrier placed the modem behind NAT, NAT traversal would have to be enabled on both IKE peers.
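What the Stage 5 displays should be checked for, as an added example that is not part of the original page or of any H3C tool: a Python script that parses the display ike sa and display ipsec sa text above (captures transcribed from this page with whitespace restored) and reports whether both IKE phases are READY for the expected peer, whether the negotiated ESP transform uses deprecated algorithms (here DES with MD5 and no PFS), whether anti-replay is on, whether NAT traversal was needed, and how much SA lifetime remains. The set of algorithms treated as weak and the lifetime threshold are this example's own choices.

```python
"""Health check over Comware 'display ike sa' / 'display ipsec sa' output.
Added example, not part of the original document or of any H3C tool.
Captures below are transcribed from this page's Stage 5 output; the set of
algorithms treated as weak and the lifetime threshold are this example's own choice."""
import re
from typing import Dict, List

IKE_SA_OUTPUT = """\
    total phase-1 SAs:  1
    connection-id  peer            flag        phase   doi
    ----------------------------------------------------------
      5            60.191.99.140   RD|ST       1       IPSEC
      6            60.191.99.140   RD|ST       2       IPSEC
"""

IPSEC_SA_OUTPUT = """\
  IPsec policy name: "mypolicy"
  sequence number: 1
  mode: isakmp
    perfect forward secrecy: None
    tunnel:
        local  address: 115.171.251.239
        remote address: 60.191.99.140
    [inbound ESP SAs]
      spi: 2839623968 (0xa9413920)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa duration (kilobytes/sec): 1843200/3600
      sa remaining duration (kilobytes/sec): 1843199/3593
      anti-replay check enable: Y
      anti-replay window size: 32
      udp encapsulation used for nat traversal: N
    [outbound ESP SAs]
      spi: 2954648694 (0xb01c5c76)
      max sent sequence-number: 5
"""

WEAK_ENCRYPT = {"DES", "NULL"}   # 56-bit DES and no encryption: reject
WEAK_AUTH = {"MD5"}
IKE_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\d)\s+(\S+)\s*$")


def parse_ike_sa(text: str) -> List[Dict[str, object]]:
    """One dict per SA row of 'display ike sa' (header and legend rows do not match)."""
    rows = []
    for line in text.splitlines():
        m = IKE_ROW.match(line)
        if m:
            cid, peer, flags, phase, doi = m.groups()
            rows.append({"id": int(cid), "peer": peer, "flags": flags.split("|"),
                         "phase": int(phase), "doi": doi})
    return rows


def parse_ipsec_sa(text: str) -> Dict[str, object]:
    """Fields the check needs from one policy block of 'display ipsec sa'."""
    sa: Dict[str, object] = {"proposals": [], "pfs": None, "nat_t": None,
                             "anti_replay": None, "remaining_sec": None, "remote": None}
    for raw in text.splitlines():
        line = raw.strip()
        value = line.split(":", 1)[1].strip() if ":" in line else ""
        if line.startswith("proposal:"):
            sa["proposals"].append(value.split())       # e.g. ['ESP-ENCRYPT-DES', 'ESP-AUTH-MD5']
        elif line.startswith("perfect forward secrecy:"):
            sa["pfs"] = value
        elif line.startswith("udp encapsulation used for nat traversal:"):
            sa["nat_t"] = value == "Y"
        elif line.startswith("anti-replay check enable:"):
            sa["anti_replay"] = value == "Y"
        elif line.startswith("sa remaining duration"):
            sa["remaining_sec"] = int(value.split("/")[1])   # kilobytes/seconds
        elif line.startswith("remote address:"):
            sa["remote"] = value
    return sa


def tunnel_health(ike_text: str, ipsec_text: str, peer: str,
                  min_remaining_sec: int = 300) -> Dict[str, object]:
    """Verdict an operator would reach from the two displays for the given peer."""
    ike, sa = parse_ike_sa(ike_text), parse_ipsec_sa(ipsec_text)
    ready = {r["phase"] for r in ike if r["peer"] == peer and "RD" in r["flags"]}
    findings: List[str] = []
    if ready != {1, 2}:
        findings.append("IKE SA with %s not READY in both phases (ready: %s)" % (peer, sorted(ready)))
    for prop in sa["proposals"]:
        for token in prop:
            for prefix, weak, label in (("ESP-ENCRYPT-", WEAK_ENCRYPT, "encryption"),
                                        ("ESP-AUTH-", WEAK_AUTH, "authentication")):
                if token.startswith(prefix) and token[len(prefix):] in weak:
                    findings.append("weak ESP %s: %s" % (label, token[len(prefix):]))
    if sa["pfs"] in (None, "None"):
        findings.append("no PFS: an IKE key compromise exposes every SA derived from it")
    if sa["anti_replay"] is False:
        findings.append("anti-replay check disabled")
    if sa["remaining_sec"] is not None and sa["remaining_sec"] < min_remaining_sec:
        findings.append("SA about to expire (%d s left)" % sa["remaining_sec"])
    return {"up": ready == {1, 2}, "nat_t": sa["nat_t"],
            "remaining_sec": sa["remaining_sec"], "findings": findings}
```

Run against the page's own captures, tunnel_health reports the tunnel up with NAT-T off and 3593 s of lifetime left, and flags the DES transform, the MD5 authentication and the missing PFS; feed it the output of a peer whose phase 2 row shows TO instead of RD and it reports the tunnel down.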
Stage 6: verification on the PC

C:\Documents and Settings\Administrator>ipconfig

Windows IP Configuration

Ethernet adapter {8B4396B8-A01B-4C0B-B7A3-FA715A2DED48}:
        Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter GigabitEthernet0:
        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.111.250
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.111.1

C:\Documents and Settings\Administrator>ping 192.168.11.1

Pinging 192.168.11.1 with 32 bytes of data:

Reply from 192.168.11.1: bytes=32 time=192ms TTL=254
Reply from 192.168.11.1: bytes=32 time=154ms TTL=254
Reply from 192.168.11.1: bytes=32 time=146ms TTL=254
Reply from 192.168.11.1: bytes=32 time=173ms TTL=254

Ping statistics for 192.168.11.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 146ms, Maximu