3G+IPsec Configuration (Word document)

Uploaded by: b****6  Document ID: 16206499  Upload date: 2022-11-21  Format: DOCX  Pages: 11  Size: 94.57 KB

  85   VTY 3      -     3     N     -
  86   VTY 4      -     3     N     -

UI(s) not in async mode -or- with no hardware support:
1-12   14-80
  +    : Current UI is active.
  F    : Current UI is active and work in async mode.
  Idx  : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  Auth : The authentication mode of UIs.
  Int  : The physical location of UIs.
  A    : Authentication use AAA.
  L    : Authentication use local database.
  N    : Current UI need not authentication.
  P    : Authentication use current UI's password.
[111-MSR2021]

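Stage 2: Configuration of the IPsec initiator (the device using the 3G modem)

[111-MSR2021]dis cur
#
// Enable DNS resolution
 dns resolve

// ACL 3000 is used for NAT; first filter out the destination networks that need IPsec
acl number 3000
 rule 0 deny ip destination 10.0.0.0 0.255.255.255
 rule 5 deny ip destination 172.16.0.0 0.15.255.255
 rule 10 deny ip destination 192.168.0.0 0.0.255.255
 rule 15 permit ip

// ACL 3001 is used to initiate IPsec
acl number 3001
 rule 0 permit ip source 192.168.111.0 0.0.0.255 destination 192.168.11.0 0.0.0.255

// IKE peer settings. The peer address must be fixed; if the peer is also connected over 3G, IPsec may drop suddenly
ike peer navigator
 pre-shared-key simple h3c
 remote-address 60.191.99.140

// Default IPsec security proposal
ipsec proposal def

// IPsec policy configuration
ipsec policy mypolicy 1 isakmp
 security acl 3001
 ike-peer navigator
 proposal def

// Enter the USB 3G modem interface view and configure dialer circular-group 0, which binds it to the Dialer0 interface; the rest of the interface configuration is added automatically
interface Cellular0/0
 async mode protocol
 link-protocol ppp
 dialer enable-circular
 dialer-group 4
 dialer circular-group 0
 dialer timer idle 0

// Dialer0 interface configuration
interface Dialer0
// Configure NAT
 nat outbound 3000
// Set the PPP CHAP and PAP username and password all to card; confirm with the carrier (China Telecom generally uses card)
 ppp chap user card
 ppp chap password simple card
 ppp pap local-user card password simple card
// Accept the DNS servers assigned by the peer
 ppp ipcp dns admit-any
// Actively request DNS servers from the peer
 ppp ipcp dns request
// The IP address is assigned by the peer
 ip address ppp-negotiate
// Enable circular DCC
 dialer enable-circular
// Use dialer-rule 4 ip permit
 dialer-group 4
// Do not actively disconnect after dialing succeeds
 dialer timer idle 0
// Dial string #777; confirm with the carrier (China Telecom generally uses #777)
 dialer number #777
// Apply the IPsec policy to the interface
 ipsec policy mypolicy

// Interface connecting to the internal network
interface Ethernet0/1
 port link-mode route
// Interface subnet 192.168.111.0/24
 ip address 192.168.111.1 255.255.255.0

// Default route pointing to the Dialer0 interface
 ip route-static 0.0.0.0 0.0.0.0 Dialer0

// dialer-rule configuration
 dialer-rule 4 ip permit

// User interface; tty 13 can be confirmed with display user-interface at the start
user-interface tty 13
// Enable bidirectional modem capability on this interface
 modem both

[111-MSR2021]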

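Stage 3: Configuration of the IPsec responder (central site, using a fixed address)

// ACL 3000 for NAT; IPsec traffic must be denied first
acl number 3000
 rule 0 deny ip destination 192.168.0.0 0.0.255.255
 rule 5 deny ip destination 10.0.0.0 0.255.255.255
 rule 10 deny ip destination 172.16.0.0 0.15.255.255
 rule 15 permit ip source 192.168.1.0 0.0.0.255
 rule 20 permit ip source 192.168.2.0 0.0.0.255
 rule 25 permit ip source 192.168.10.0 0.0.0.255
 rule 30 permit ip source 192.168.11.0 0.0.0.255
 rule 35 permit ip source 192.168.111.0 0.0.0.255
 rule 40 deny ip

// IKE peer configuration on the responder; only the pre-shared-key needs to be configured
ike peer 2021
 pre-shared-key simple h3c

// IPsec security proposal, kept identical to the initiator's
ipsec proposal def

// IPsec policy template configuration; no security ACL needs to be configured
ipsec policy-template pt 1
 ike-peer 2021
 proposal def

// IPsec policy mypolicy, using the template
ipsec policy mypolicy 1 isakmp template pt

// Set NAT, the IP address and the IPsec policy on the interface that connects the device to the Internet
interface Ethernet0/0
 nat outbound 3000
 ip address 60.191.99.140 255.255.255.0
 ipsec policy mypolicy

// VLAN interface connecting to the internal network
interface Vlan-interface11
 ip address 192.168.11.1 255.255.255.0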
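
Both ACL 3000 comments above (initiator and responder) require the IPsec-protected networks to be denied before any NAT permit rule. The following Python check is an added example, not part of the original document or of H3C's software: it evaluates the initiator's ACL 3000 with wildcard masks and confirms that the flow selected by ACL 3001 is excluded from NAT. It assumes rules are evaluated in ascending rule number; the function names and the "no-match" result are hypothetical.

```python
import ipaddress

# ACL 3000 (NAT) rules copied from the initiator configuration on this page.
INITIATOR_NAT_ACL = """\
rule 0 deny ip destination 10.0.0.0 0.255.255.255
rule 5 deny ip destination 172.16.0.0 0.15.255.255
rule 10 deny ip destination 192.168.0.0 0.0.255.255
rule 15 permit ip
"""

def parse_rule(line):
    """Parse 'rule N action ip [source A W] [destination A W]' into a dict."""
    tok = line.split()
    rule = {"id": int(tok[1]), "action": tok[2], "source": None, "destination": None}
    for key in ("source", "destination"):
        if key in tok:
            i = tok.index(key)
            rule[key] = tuple(int(ipaddress.IPv4Address(t)) for t in tok[i + 1:i + 3])
    return rule

def match(field, net):
    """How much of prefix `net` an (address, wildcard) field matches: all/some/none."""
    if field is None:  # no source/destination keyword means "any"
        return "all"
    addr, wild = field
    care = ~wild & 0xFFFFFFFF  # a 0 bit in the wildcard means "must match"
    if (int(net.network_address) ^ addr) & care & int(net.netmask):
        return "none"
    return "some" if care & int(net.hostmask) else "all"

def first_match(acl_text, src, dst):
    """First-match verdict (rule id, action) for the flow src -> dst (CIDR prefixes)."""
    src, dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    for rule in map(parse_rule, acl_text.strip().splitlines()):
        hits = {match(rule["source"], src), match(rule["destination"], dst)}
        if "none" in hits:
            continue
        if "some" in hits:  # verdict would differ within the flow; report it
            raise ValueError(f"rule {rule['id']} matches only part of the flow")
        return rule["id"], rule["action"]
    return None, "no-match"

def tunnel_exempt_from_nat(nat_acl, src="192.168.111.0/24", dst="192.168.11.0/24"):
    """True if the flow protected by ACL 3001 is denied by (excluded from) the NAT ACL."""
    return first_match(nat_acl, src, dst)[1] == "deny"
```

The responder's ACL 3000 can be passed to first_match in the same way, with the flow reversed (192.168.11.0/24 to 192.168.111.0/24).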

Stage 4: Trigger dialing and check whether it succeeded

[111-MSR2021-Dialer0]ping 1.1.1.1
  PING 1.1.1.1: 56  data bytes, press CTRL_C to break
    Request time out

  --- 1.1.1.1 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss

[111-MSR2021-Dialer0]dis ip int b
*down: administratively down
(s): spoofing
Interface          Physical  Protocol  IP Address       Description
Aux0               down      down      unassigned       Aux0 Inte...
Cellular0/0        up        up(s)     unassigned       Cellular0...
Dialer0            up        up(s)     115.171.251.239  Dialer0 I...
Ethernet0/0        up        up        10.153.49.79     Ethernet0...
Ethernet0/1        up        up        192.168.111.1    Ethernet0...
LoopBack0          up        up(s)     202.38.1.1       LoopBack0...
Serial1/0          down      down      unassigned       Serial1/0...
Tunnel0            up        down      unassigned       Tunnel0 I...

[111-MSR2021-Dialer0]dis int d 0
Dialer0 current state: UP
Line protocol current state: UP (spoofing)
Description: Dialer0 Interface
The Maximum Transmit Unit is 1448, Hold timer is 10(sec)
Internet Address is negotiated, 115.171.251.239/32
Link layer protocol is PPP
LCP initial
Physical is Dialer, baudrate: 64000 bps
Output queue : (Urgent queuing : Length)  100
Output queue : (Protocol queuing : Length)  500
Output queue : (FIFO queuing : Length)  75
Last clearing of counters: Never
    Last 5 seconds input rate: 233 bytes/sec, 1864 bits/sec, 0 packets/sec
    Last 5 seconds output rate: 128 bytes/sec, 1024 bits/sec, 1 packets/sec
    7216 packets input, 6298820 bytes, 0 drops
    6053 packets output, 928710 bytes, 12 drops

[111-MSR2021-Dialer0]dis int c 0/0
Cellular0/0 current state: UP
Description: Cellular0/0 Interface
The Maximum Transmit Unit is 1500, Hold timer is 10(sec)
Internet protocol processing: disabled
Link layer protocol is PPP
Primary DNS address is 219.141.136.10, Secondary DNS address is 219.141.140.10
LCP opened, IPCP opened
Output queue : (Urgent queuing : Size/Length/Discards)  0/100/0
Output queue : (Protocol queuing : Size/Length/Discards)  0/500/0
Output queue : (FIFO queuing : Size/Length/Discards)  0/75/0
Transfer time: 00:49:33
    Last 5 seconds input rate 62787.60 bytes/sec, 502300 bits/sec, 80.00 packets/sec
    Last 5 seconds output rate 15027.20 bytes/sec, 120217 bits/sec, 75.80 packets/sec
    Input: 6439 packets, 5173108 bytes
           0 broadcasts, 0 multicasts
           0 errors, 0 runts, 0 giants
           0 CRC, 0 align errors, 0 overruns
           0 dribbles, 0 aborts, 0 no buffers
           0 frame errors
    Output: 5428 packets, 831579 bytes
           0 errors, 0 underruns, 0 collisions
           0 deferred

<111-MSR2021>

Stage 5: Trigger IPsec and check

ping -a 192.168.111.1 192.168.11.1
  PING 192.168.11.1: 56  data bytes, press CTRL_C to break
    Reply from 192.168.11.1: bytes=56 Sequence=2 ttl=255 time=138 ms
    Reply from 192.168.11.1: bytes=56 Sequence=3 ttl=255 time=133 ms
    Reply from 192.168.11.1: bytes=56 Sequence=4 ttl=255 time=140 ms
    Reply from 192.168.11.1: bytes=56 Sequence=5 ttl=255 time=135 ms

  --- 192.168.11.1 ping statistics ---
    4 packet(s) received
    20.00% packet loss
    round-trip min/avg/max = 133/136/140 ms

dis ike sa
    total phase-1 SAs:  1
    connection-id  peer            flag        phase   doi
  ----------------------------------------------------------
        5          60.191.99.140   RD|ST       1       IPSEC
        6          60.191.99.140   RD|ST       2       IPSEC

  flag meaning
  RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT

dis ipsec sa
===============================
Interface: Dialer0
    path MTU: 1448
  -----------------------------
  IPsec policy name: "mypolicy"
  sequence number: 1
  mode: isakmp
    connection id: 4
    encapsulation mode: tunnel
    perfect forward secrecy: None
    tunnel:
        local  address: 115.171.251.239
        remote address: 60.191.99.140
    Flow:
        sour addr: 192.168.111.0/255.255.255.0  port: 0  protocol: IP
        dest addr: 192.168.11.0/255.255.255.0  port: 0  protocol: IP

    [inbound ESP SAs]
      spi: 2839623968 (0xa9413920)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa duration (kilobytes/sec): 1843200/3600
      sa remaining duration (kilobytes/sec): 1843199/3593
      max received sequence-number:
      anti-replay check enable: Y
      anti-replay window size: 32
      udp encapsulation used for nat traversal: N

    [outbound ESP SAs]
      spi: 2954648694 (0xb01c5c76)
      max sent sequence-number: 5

Stage 6: Verification on the PC

C:\Documents and Settings\Administrator>ipconfig

Windows IP Configuration

Ethernet adapter {8B4396B8-A01B-4C0B-B7A3-FA715A2DED48}:

        Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter GigabitEthernet0:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.111.250
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.111.1

ping 192.168.11.1

Pinging 192.168.11.1 with 32 bytes of data:

Reply from 192.168.11.1: bytes=32 time=192ms TTL=254
Reply from 192.168.11.1: bytes=32 time=154ms TTL=254
Reply from 192.168.11.1: bytes=32 time=146ms TTL=254
Reply from 192.168.11.1: bytes=32 time=173ms TTL=254

Ping statistics for 192.168.11.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 146ms, Maximu
