Lab Guide (Site-to-Site RSA VPN)
I. Lab Task
Task:
Both sites are already connected to the Internet; the two site networks now need to be interconnected across the Internet.
Data must be protected while it crosses the Internet, so a Site-to-Site VPN is used. In this lab the IKE phase-1 peers authenticate each other with RSA encrypted nonces, which means each router must hold the other router's RSA public key in its configuration.
II. Lab Steps
1. Configure the IP addresses on R1, R2 and R3 as shown in the topology, bring the interfaces up, and configure routing:
Router A (R1):
int s0/0
 no shutdown
 clock rate 128000
 ip add 12.12.12.1 255.255.255.0
int loopback0
 ip add 10.1.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 s0/0

Internet (R2):
int s0/0
 no shutdown
 clock rate 128000
 ip add 12.12.12.2 255.255.255.0
int s0/1
 no shutdown
 clock rate 128000
 ip add 23.23.23.2 255.255.255.0

Router B (R3):
int s0/1
 no shutdown
 clock rate 128000
 ip add 23.23.23.3 255.255.255.0
int loopback0
 ip add 10.3.3.3 255.255.255.0
ip route 0.0.0.0 0.0.0.0 s0/1
2. Generate the RSA key pair on R1 (a hostname and a domain name must be set first, because the key name is derived from them; the domain name used in the lab is not preserved in this guide):
!
ip domain name
crypto key generate rsa general-keys
r1# show crypto key mypubkey rsa
% Key pair was generated at: 01:15:46 UTC Mar 1 2002
Key name:
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  305C300D06092A864886F70D0101010500034B003048024100D76D8CC3441343
  C35E9680548CFD4C9BCB1D09A4FF938DD1E3CF01924577E40673590E338CAACA
  1AFFDF2CFD41CB829B2B240458ED46F82038D014618B6BC5650203010001
3. Generate the RSA key pair on R3:
ip domain name
crypto key generate rsa general-keys
r3# show crypto key mypubkey rsa
% Key pair was generated at: 01:27:02 UTC Mar 1 2002
Key name:
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  305C300D06092A864886F70D0101010500034B003048024100EB4D74CD5CFF80
  433BA01FF904932A692BD61858519D900B58C513DFED8A94F29812151AA43EEF
  D995FF7B79E07B50513FE373D3622021C216DAFE950230905D0203010001
4. Configure R1 with peer R3's public key. Copy the Key Data from R3's `show crypto key mypubkey rsa` output; this entry is what R1 will trust as "23.23.23.3", so confirm it with the far side out of band (the DER encoding is fixed, so even a single wrong hex digit breaks authentication rather than silently weakening it):
crypto key pubkey-chain rsa
 addressed-key 23.23.23.3
  address 23.23.23.3
  key-string
   305C300D06092A864886F70D0101010500034B003048024100EB4D74CD5CFF80
   433BA01FF904932A692BD61858519D900B58C513DFED8A94F29812151AA43EEF
   D995FF7B79E07B50513FE373D3622021C216DAFE950230905D0203010001
  quit
5. Configure R3 with peer R1's public key:
crypto key pubkey-chain rsa
 addressed-key 12.12.12.1
  address 12.12.12.1
  key-string
   305C300D06092A864886F70D0101010500034B003048024100D76D8CC3441343
   C35E9680548CFD4C9BCB1D09A4FF938DD1E3CF01924577E40673590E338CAACA
   1AFFDF2CFD41CB829B2B240458ED46F82038D014618B6BC5650203010001
  quit
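The Key Data printed in steps 2 and 3 and pasted into the key-string blocks in steps 4 and 5 is a DER-encoded SubjectPublicKeyInfo. The script below is an added example and is not part of the lab guide or of IOS: it decodes the two keys exactly as they appear above with only the Python standard library, reports the modulus size and public exponent, and produces a SHA-256 fingerprint that the two administrators can compare by voice before trusting a pasted key. The `MIN_BITS` threshold is an assumed local policy value, not something the lab specifies.

```python
"""Decode the RSA public keys that IOS prints under "Key Data".

Added example, not part of the lab guide.  IOS prints the key as a
DER-encoded SubjectPublicKeyInfo (RFC 5280); this walks that structure with
the standard library only, so it can be run on any host before a key-string
is trusted on the peer.
"""
import hashlib

# Key Data exactly as shown by `show crypto key mypubkey rsa` on R1 and R3.
R1_KEY_HEX = (
    "305C300D06092A864886F70D0101010500034B003048024100D76D8CC3441343"
    "C35E9680548CFD4C9BCB1D09A4FF938DD1E3CF01924577E40673590E338CAACA"
    "1AFFDF2CFD41CB829B2B240458ED46F82038D014618B6BC5650203010001"
)
R3_KEY_HEX = (
    "305C300D06092A864886F70D0101010500034B003048024100EB4D74CD5CFF80"
    "433BA01FF904932A692BD61858519D900B58C513DFED8A94F29812151AA43EEF"
    "D995FF7B79E07B50513FE373D3622021C216DAFE950230905D0203010001"
)

RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1
MIN_BITS = 2048  # assumed local policy; 512-bit RSA moduli have been factored in public


def _tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_ios_rsa_pubkey(hex_text):
    """Return {'n': modulus, 'e': exponent, 'bits': modulus size} from IOS Key Data."""
    der = bytes.fromhex("".join(hex_text.split()))
    tag, spki, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("Key Data is not a single DER SEQUENCE")
    tag, alg_id, pos = _tlv(spki, 0)        # AlgorithmIdentifier
    oid_tag, oid, _ = _tlv(alg_id, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = _tlv(spki, pos)          # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bits[0] != 0x00:
        raise ValueError("unexpected BIT STRING")
    tag, rsa_key, _ = _tlv(bits, 1)
    tag_n, n_bytes, pos = _tlv(rsa_key, 0)
    tag_e, e_bytes, _ = _tlv(rsa_key, pos)
    if tag != 0x30 or tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("malformed RSAPublicKey")
    n = int.from_bytes(n_bytes, "big")
    return {"n": n, "e": int.from_bytes(e_bytes, "big"), "bits": n.bit_length()}


def key_is_acceptable(info, min_bits=MIN_BITS):
    """Minimum-strength gate: modulus size plus a sane (odd, > 3) public exponent."""
    return info["bits"] >= min_bits and info["e"] > 3 and info["e"] % 2 == 1


def fingerprint(hex_text):
    """SHA-256 over the DER bytes: short enough to compare by voice with the far end."""
    return hashlib.sha256(bytes.fromhex("".join(hex_text.split()))).hexdigest()


if __name__ == "__main__":
    for name, key in (("R1", R1_KEY_HEX), ("R3", R3_KEY_HEX)):
        info = parse_ios_rsa_pubkey(key)
        print(f"{name}: {info['bits']}-bit RSA, e={info['e']}, "
              f"acceptable={key_is_acceptable(info)}, sha256={fingerprint(key)[:16]}...")
```

Run against the two keys above it reports 512-bit moduli with e=65537, which is why the lab's keys should never be reused outside the lab; on a current router `crypto key generate rsa modulus 2048` produces a key this same parser accepts.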
Configure the IPsec VPN
R1:
crypto isakmp enable
crypto isakmp policy 10                                  ! phase 1
 authentication rsa-encr
crypto ipsec transform-set TRAN-SET esp-des esp-md5-hmac  ! transform set
crypto map STATIC-MAP 10 ipsec-isakmp                    ! crypto map
 set peer 23.23.23.3
 set transform-set TRAN-SET
 match address 110                                       ! reference the crypto ACL
!
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
!
interface Serial0/0
 crypto map STATIC-MAP                                   ! apply the crypto map to the interface

R3:
crypto isakmp enable                                     ! phase 1
crypto isakmp policy 10
 authentication rsa-encr
crypto ipsec transform-set TRAN-SET esp-des esp-md5-hmac  ! transform set
crypto map STATIC-MAP 10 ipsec-isakmp                    ! crypto map
 set peer 12.12.12.1
 set transform-set TRAN-SET
 match address 110                                       ! reference the crypto ACL
!
access-list 110 permit ip 10.3.3.0 0.0.0.255 10.1.1.0 0.0.0.255
!
interface Serial0/1
 crypto map STATIC-MAP                                   ! apply the crypto map to the interface

Two things to check before testing. First, the crypto ACL on each router must be the exact mirror of the other's (source and destination swapped), and the ISAKMP policy attributes (encryption, hash, authentication, DH group) must match on both peers; IOS applies `hash sha` when no hash is configured, so if one router's policy 10 carries `hash md5` (as R1's does in the full configuration below) the other must carry it too. Second, DES, MD5 and the 512-bit RSA keys visible in the Key Data above are lab-only choices; for a real deployment generate keys with `crypto key generate rsa modulus 2048` and use a transform set such as `esp-aes esp-sha-hmac`.
6. Test:
Ping Router B's loopback0 from Router A's loopback0 (the first packet or two are normally lost while IKE builds the SAs; once `show crypto isakmp sa` shows the peer in QM_IDLE, the encaps/decaps counters in `show crypto ipsec sa` should increase with every ping):
Router A:
ping 10.3.3.3 source 10.1.1.1
Router B:
ping 10.1.1.1 source 10.3.3.3
Useful show and clear commands:
◆ show crypto isakmp policy
◆ show crypto ipsec transform-set
◆ show crypto map
◆ show crypto isakmp sa
◆ show crypto ipsec sa
◆ show crypto engine connections active: shows the number of packets encrypted and decrypted
◆ clear crypto sa
◆ clear crypto isakmp
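Before running the pings it is worth checking the two configurations against each other offline, because the usual failures (a crypto ACL that is a copy rather than a mirror, a phase-1 attribute that only one side sets) show up as a dead tunnel with no obvious error. The script below is an added example, not part of the lab guide: the R1 and R3 fragments are constructed from the lab's running configurations with spacing restored, and the checks encode the matching rules stated in the previous section (mirrored ACLs, ISAKMP attributes compared after filling in the IOS defaults, and DES/MD5 transforms flagged as lab-only). The ISAKMP default table and the list of weak transforms are assumptions stated in the code, not something the lab itself provides.

```python
"""Cross-check the two peers' crypto settings before bringing the tunnel up.

Added example, not part of the lab guide.  The R1 and R3 fragments below are
constructed from the lab's running configurations (spacing restored).  The
checks encode three rules that IOS does not enforce for you:
  * the crypto ACL on each side must be the exact mirror of the other's;
  * ISAKMP policy attributes must match, and an attribute that is not
    configured takes the IOS default (hash sha, encryption des, group 1);
  * DES and MD5 in the transform set are lab-only choices and get flagged.
"""
import re

R1_CFG = """\
crypto isakmp policy 10
 hash md5
 authentication rsa-encr
crypto ipsec transform-set TRAN-SET esp-des esp-md5-hmac
crypto map STATIC-MAP 10 ipsec-isakmp
 set peer 23.23.23.3
 set transform-set TRAN-SET
 match address 110
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
"""

R3_CFG = """\
crypto isakmp policy 10
 authentication rsa-encr
crypto ipsec transform-set TRAN-SET esp-des esp-md5-hmac
crypto map STATIC-MAP 10 ipsec-isakmp
 set peer 12.12.12.1
 set transform-set TRAN-SET
 match address 110
access-list 110 permit ip 10.3.3.0 0.0.0.255 10.1.1.0 0.0.0.255
"""

# IOS defaults for attributes absent from a `crypto isakmp policy` block (assumed table).
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha",
                   "authentication": "rsa-sig", "group": "1"}
# Transforms this check treats as lab-only (assumed local policy).
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}


def parse_isakmp_policy(cfg, priority):
    """Return the attribute dict of `crypto isakmp policy <priority>`, defaults applied."""
    m = re.search(rf"^crypto isakmp policy {priority}\n((?: .*\n)*)", cfg, re.M)
    if not m:
        raise ValueError(f"no isakmp policy {priority}")
    policy = dict(ISAKMP_DEFAULTS)
    for line in m.group(1).splitlines():    # indented lines belong to the policy
        key, value = line.split(None, 1)
        policy[key] = value
    return policy


def parse_crypto_acl(cfg, acl):
    """Return [(src, src_wc, dst, dst_wc), ...] for the permit entries of an extended ACL."""
    pat = re.compile(rf"^access-list {acl} permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)
    return [m.groups() for m in pat.finditer(cfg)]


def parse_transform_set(cfg, name):
    """Return the transforms listed in `crypto ipsec transform-set <name> ...`."""
    m = re.search(rf"^crypto ipsec transform-set {name} (.+)$", cfg, re.M)
    return m.group(1).split() if m else []


def acls_are_mirrored(a, b):
    """True when every (src, dst) pair on one side appears as (dst, src) on the other."""
    mirror_of_b = {(dst, dwc, src, swc) for (src, swc, dst, dwc) in b}
    return bool(a) and set(a) == mirror_of_b


def check_site_to_site(cfg_a, cfg_b, acl="110", priority="10", ts="TRAN-SET"):
    """Return a list of problems; an empty list means the two ends agree."""
    problems = []
    if not acls_are_mirrored(parse_crypto_acl(cfg_a, acl), parse_crypto_acl(cfg_b, acl)):
        problems.append(f"access-list {acl} is not mirrored between the peers")
    pol_a = parse_isakmp_policy(cfg_a, priority)
    pol_b = parse_isakmp_policy(cfg_b, priority)
    for attr in ISAKMP_DEFAULTS:
        if pol_a[attr] != pol_b[attr]:
            problems.append(f"isakmp policy {priority} {attr} mismatch: "
                            f"{pol_a[attr]} vs {pol_b[attr]}")
    for side, cfg in (("A", cfg_a), ("B", cfg_b)):
        weak = sorted(set(parse_transform_set(cfg, ts)) & WEAK_TRANSFORMS)
        if weak:
            problems.append(f"side {side}: weak transforms in {ts}: {' '.join(weak)}")
    return problems


if __name__ == "__main__":
    for problem in check_site_to_site(R1_CFG, R3_CFG):
        print(problem)
```

On the lab's own configurations the ACL check passes, the hash check reports `md5 vs sha` because only R1 sets `hash md5`, and both transform sets are flagged; adding `hash md5` under R3's policy 10 (or removing it from R1's) clears the mismatch.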
III. Full Configuration
=============================== R1 ===============================
hostname r1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
no ip domain lookup
ip domain name
!
crypto key pubkey-chain rsa
 addressed-key 23.23.23.3
  address 23.23.23.3
  key-string
   305C300D06092A864886F70D0101010500034B003048024100EB4D74CD5CFF80
   433BA01FF904932A692BD61858519D900B58C513DFED8A94F29812151AA43EEF
   D995FF7B79E07B50513FE373D3622021C216DAFE950230905D0203010001
  quit
!
crypto isakmp policy 10
 hash md5
 authentication rsa-encr
!
crypto ipsec transform-set TRAN-SET esp-des esp-md5-hmac
!
crypto map STATIC-MAP 10 ipsec-isakmp
 set peer 23.23.23.3
 set transform-set TRAN-SET
 match address 110
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!
interface Serial0/0
 ip address 12.12.12.1 255.255.255.0
 serial restart-delay 0
 clock rate 128000
 crypto map STATIC-MAP
!
interface Serial0/1
 no ip address
 serial restart-delay 0
!
interface Serial0/2
 no ip address
 serial restart-delay 0
!
interface Serial0/3
 no ip address
 serial restart-delay 0
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
end
=============================== R2 ===============================
!
hostname r2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
no ip domain lookup
!
interface Serial0/0
 ip address 12.12.12.2 255.255.255.0
 serial restart-delay 0
 clock rate 128000
!
interface Serial0/1
 ip address 23.23.23.2 255.255.255.0
 serial restart-delay 0
 clock rate 128000
!
interface Serial0/2
 no ip address
 serial restart-delay 0
!
interface Serial0/3
 no ip address
 serial restart-delay 0
!
ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
end
=============================== R3 ===============================
!
hostname r3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
no ip domain lookup
ip domain name
!
crypto key pubkey-chain rsa
 addressed-key 12.12.12.1
  address 12.12.12.1
  key-string
   305C300D06092A864886F70D0101010500034B003048024100D76D8CC3441343
   C35E9680548CFD4C9BCB1D09A4FF938DD1E3CF01924577E40673590E338CAACA
   1AFFDF2CFD41CB829B2B240458ED46F82038D014618B6BC5650203010001
  quit
!
crypto isakmp policy 10
 authentication rsa-encr
!
crypto ipsec transform-set TRAN-SET esp-des esp-md5-hmac
!
crypto map STATIC-MAP 10 ipsec-isakmp
 set peer 12.12.12.1
 set transform-set TRAN-SET
 match address 110
!
interface Loopback0
 ip address 10.3.3.3 255.255.255.0
!
interface Serial0/0
 no ip address
 serial restart-delay 0
!
interface Serial0/1
 ip address 23.23.23.3 255.255.255.0
 serial restart-delay 0
 clock rate 128000
 crypto map STATIC-MAP
!
interface Serial0/2
 no ip address
 serial restart-delay 0
!
interface Serial0/3
 no ip address
 serial restart-delay 0
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Serial0/1
!
access-list 110 permit ip 10.3.3.0 0.0.0.255 10.1.1.0 0.0.0.255
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
end