Lab 44: VPN (IPSec) Configuration
I. Lab objectives
1. Master building a VPN with manually configured keys
2. Understand the role the keys play in establishing the tunnel
II. Application environment
IPSec provides data confidentiality, integrity and source authentication on the network and so protects data effectively.
Manually configuring the keys removes the overhead of a key exchange and improves efficiency.
III. Lab equipment
1. DCR-1751 router, two units
2. PC, two units
IV. Lab topology
V. Lab requirements
Configuration table

  Device    Interface    IP address         Gateway
  Router-A  F0/0         192.168.0.1/24
            S1/1 (DCE)   192.168.1.1/24
  Router-B  F0/0         192.168.2.1/24
            S1/0         192.168.1.2/24
  PC        IP           192.168.0.10/24    192.168.0.1
  SERVER    IP           192.168.2.2/24     192.168.2.1

Result: establish a VPN between Router-A and Router-B that protects the traffic from the PC to the SERVER.
VI. Lab procedure
Step 1: Configure Router-A
Router-A#conf
Router-A_config#ip access-list extended 101                          ! identify the traffic to be protected by the VPN
Router-A_config_ext_nacl#permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
Router-A_config_ext_nacl#exit
Router-A_config#ip route 0.0.0.0 0.0.0.0 192.168.1.2                ! configure the static route
Router-A_config#crypto ipsec transform-set one                       ! define the transform set
Router-A_config_crypto_trans#transform-type ah-md5-hmac esp-3des     ! AH authentication plus ESP encryption, as in the running configuration
Router-A_config_crypto_trans#exit
Router-A_config#crypto map my 10 ipsec-manual                        ! configure the IPSec crypto map (manual keying)
Router-A_config_crypto_map#set transform-set one                     ! bind the transform set
Router-A_config_crypto_map#set peer 192.168.1.2                      ! set the peer address
Router-A_config_crypto_map#match address 101                         ! bind the traffic that is to be encrypted
Router-A_config_crypto_map#set security-association inbound esp 2001 cipher ffeeddccbbaa001122334455667788999988776655443322
Router-A_config_crypto_map#set security-association inbound ah 2000 ffeeddccbbaa00112233445566778899
Router-A_config_crypto_map#set security-association outbound esp 1001 cipher aabbccddeeff001122334455667788999988776655443322
Router-A_config_crypto_map#set security-association outbound ah 1000 aabbccddeeff00112233445566778899
! manually configured keys: one SPI and key per direction and per protocol
Router-A_config_crypto_map#exit
Router-A_config#int s1/1                                             ! enter the interface that carries the VPN
Router-A_config_s1/1#crypto map my                                   ! bind the IPSec crypto map
Router-A_config_s1/1#^Z
Step 2: View the configuration (output after the VPN has been established on both ends)
Router-A#sh crypto ipsec sa                                          ! view the IPSec security associations
Interface: Serial1/1
    Crypto map name: my, local addr. 192.168.1.1
    local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
    local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.1.2
    inbound esp sas:
      spi: 0x7d1(2001)
        transform: esp-3des
        in use settings ={Tunnel}
        no sa timing
    inbound ah sas:
      spi: 0x7d0(2000)
        transform: ah-md5-hmac
        in use settings ={Tunnel}
        no sa timing
    outbound esp sas:
      spi: 0x3e9(1001)
        transform: esp-3des
        in use settings ={Tunnel}
        no sa timing
    outbound ah sas:
      spi: 0x3e8(1000)
        transform: ah-md5-hmac
        in use settings ={Tunnel}
        no sa timing
Router-A#sh crypto map                                               ! view the IPSec crypto map
Crypto Map my 10 ipsec-manual
    Extended IP access list 101
        permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
    peer = 192.168.1.2
    Inbound esp spi: 2001,
        cipher key: ffeeddccbbaa001122334455667788999988776655443322,
        auth key,
    Inbound ah spi: 2000,
        key: ffeeddccbbaa00112233445566778899,
    Outbound esp spi: 1001,
        cipher key: aabbccddeeff001122334455667788999988776655443322,
        auth key,
    Outbound ah spi: 1000,
        key: aabbccddeeff00112233445566778899
    Transform sets={one}
Router-A#sh crypto ipsec transform-set                               ! view the transform set
Transform set one: {ah-md5-hmac esp-3des}
    will negotiate={Tunnel}
Step 3: Configure Router-B
Router-B>ena
Router-B#conf
Router-B_config#ip access-list extended 101
Router-B_config_ext_nacl#permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
Router-B_config_ext_nacl#exit
Router-B_config#ip route 192.168.0.0 255.255.255.0 192.168.1.1
Router-B_config#crypto ipsec transform-set one
Router-B_config_crypto_trans#transform-type ah-md5-hmac esp-3des     ! must be identical to Router-A
Router-B_config_crypto_trans#exit
Router-B_config#crypto map my 10 ipsec-manual
Router-B_config_crypto_map#set transform-set one
Router-B_config_crypto_map#set peer 192.168.1.1
Router-B_config_crypto_map#match address 101
! the keys must correspond to Router-A's
Router-B_config_crypto_map#set security-association inbound esp 1001 cipher aabbccddeeff001122334455667788999988776655443322
Router-B_config_crypto_map#set security-association inbound ah 1000 aabbccddeeff00112233445566778899
Router-B_config_crypto_map#set security-association outbound esp 2001 cipher ffeeddccbbaa001122334455667788999988776655443322
Router-B_config_crypto_map#set security-association outbound ah 2000 ffeeddccbbaa00112233445566778899
! note the correspondence with Router-A: inbound and outbound are swapped between the two ends
Router-B_config_crypto_map#exit
Router-B_config#int s1/0
Router-B_config_s1/0#crypto map my
Router-B_config_s1/0#^Z
Step 4: View the configuration
Router-B#sh crypto ipsec sa
Interface: Serial1/0
    Crypto map name: my, local addr. 192.168.1.2
    local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
    local crypto endpt.: 192.168.1.2, remote crypto endpt.: 192.168.1.1
    inbound esp sas:
      spi: 0x3e9(1001)
        transform: esp-3des
        in use settings ={Tunnel}
        no sa timing
    inbound ah sas:
      spi: 0x3e8(1000)
        transform: ah-md5-hmac
        in use settings ={Tunnel}
        no sa timing
    outbound esp sas:
      spi: 0x7d1(2001)
        transform: esp-3des
        in use settings ={Tunnel}
        no sa timing
    outbound ah sas:
      spi: 0x7d0(2000)
        transform: ah-md5-hmac
        in use settings ={Tunnel}
        no sa timing
Router-B#sh crypto ipsec transform-set
Transform set one: {ah-md5-hmac esp-3des}
    will negotiate={Tunnel}
Router-B#sh crypto map
Crypto Map my 10 ipsec-manual
    Extended IP access list 101
        permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
    peer = 192.168.1.1
    Inbound esp spi: 1001,
        cipher key: aabbccddeeff001122334455667788999988776655443322,
        auth key,
    Inbound ah spi: 1000,
        key: aabbccddeeff00112233445566778899,
    Outbound esp spi: 2001,
        cipher key: ffeeddccbbaa001122334455667788999988776655443322,
        auth key,
    Outbound ah spi: 2000,
        key: ffeeddccbbaa00112233445566778899
    Transform sets={one}
Step 5: Test
VII. Notes and troubleshooting
1. The parameters at both ends must be consistent
2. The ACL determines which traffic must pass through the VPN
3. The keys must correspond crosswise between the two ends
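Points 1 and 3 can be checked mechanically before the tunnel is brought up. The following Python script is an added example, not part of the lab handout or the DCR-1751 software: it parses the `set security-association` lines of both routers' crypto maps (reproduced from the lab's running configurations), verifies that each end's inbound SA equals the other end's outbound SA in SPI and key, that the transform sets agree, and that each manual key has the length its transform requires (24 bytes for 3DES, 16 bytes for MD5-HMAC). The key-length table and all function names are my own assumptions.

```python
import re
# Constructed from the lab's two running configs: the manual-key crypto maps on Router-A and Router-B.
ROUTER_A = """crypto ipsec transform-set one
 transform-type ah-md5-hmac esp-3des
crypto map my 10 ipsec-manual
 set security-association inbound esp 2001 cipher ffeeddccbbaa001122334455667788999988776655443322
 set security-association inbound ah 2000 ffeeddccbbaa00112233445566778899
 set security-association outbound esp 1001 cipher aabbccddeeff001122334455667788999988776655443322
 set security-association outbound ah 1000 aabbccddeeff00112233445566778899"""
ROUTER_B = """crypto ipsec transform-set one
 transform-type ah-md5-hmac esp-3des
crypto map my 10 ipsec-manual
 set security-association inbound esp 1001 cipher aabbccddeeff001122334455667788999988776655443322
 set security-association inbound ah 1000 aabbccddeeff00112233445566778899
 set security-association outbound esp 2001 cipher ffeeddccbbaa001122334455667788999988776655443322
 set security-association outbound ah 2000 ffeeddccbbaa00112233445566778899"""

# Hex digits a manual key needs per transform (assumed table): 3DES 24 bytes, DES 8 bytes, MD5-HMAC 16 bytes.
KEY_HEX_LEN = {"esp-3des": 48, "esp-des": 16, "ah-md5-hmac": 32, "esp-md5-hmac": 32}
SA_RE = re.compile(r"set security-association (inbound|outbound) (esp|ah) (\d+) (?:cipher )?([0-9a-fA-F]+)")
OPPOSITE = {"inbound": "outbound", "outbound": "inbound"}

def parse(cfg):
    # {(direction, proto): (spi, key)} plus the transform names of the single transform set
    sas = {(d, p): (int(spi), key.lower()) for d, p, spi, key in SA_RE.findall(cfg)}
    return sas, re.search(r"transform-type (.+)", cfg).group(1).split()

def keyed_transform(proto, transforms):
    # The transform a manual SA line keys: the AH transform, or the ESP cipher (an ESP HMAC would need its own key)
    return next((t for t in transforms if t.startswith(proto + "-") and (proto == "ah" or not t.endswith("-hmac"))), None)

def check_pair(cfg_a, cfg_b):
    # Returns a list of problems; an empty list means the two ends are cross-consistent.
    (sas_a, ts_a), (sas_b, ts_b) = parse(cfg_a), parse(cfg_b)
    problems = []
    if sorted(ts_a) != sorted(ts_b):
        problems.append(f"transform sets differ: {ts_a} vs {ts_b}")
    for (direction, proto), sa in sas_a.items():
        peer = sas_b.get((OPPOSITE[direction], proto))  # A's inbound SA must be B's outbound SA, and vice versa
        if peer != sa:
            problems.append(f"{proto} {direction}@A does not match {OPPOSITE[direction]}@B: {sa} vs {peer}")
    for side, sas in (("A", sas_a), ("B", sas_b)):
        for (direction, proto), (spi, key) in sas.items():
            want = KEY_HEX_LEN.get(keyed_transform(proto, ts_a))
            if len(key) != want:
                problems.append(f"{side} {direction} {proto} spi {spi}: key is {len(key)} hex digits, expected {want}")
    return problems

if __name__ == "__main__":
    print(check_pair(ROUTER_A, ROUTER_B) or "both ends are cross-consistent")
```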
VIII. Configuration listing
Router-A#sh run
Building configuration...
Current configuration:
!
version 1.3.2E
service timestamps log date
service timestamps debug date
no service password-encryption
!
hostname Router-A
!
crypto ipsec transform-set one
 transform-type ah-md5-hmac esp-3des
!
crypto map my 10 ipsec-manual
 set peer 192.168.1.2
 set security-association inbound esp 2001 cipher ffeeddccbbaa001122334455667788999988776655443322
 set security-association inbound ah 2000 ffeeddccbbaa00112233445566778899
 set security-association outbound esp 1001 cipher aabbccddeeff001122334455667788999988776655443322
 set security-association outbound ah 1000 aabbccddeeff00112233445566778899
 set transform-set one
 match address 101
!
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 no ip directed-broadcast
!
interface Serial1/0
 no ip address
 no ip directed-broadcast
 physical-layer speed 64000
!
interface Serial1/1
 ip address 192.168.1.1 255.255.255.0
 no ip directed-broadcast
 crypto map my
 physical-layer speed 64000
!
interface Async0/0
 no ip address
 no ip directed-broadcast
!
ip route default 192.168.1.2
!
ip access-list extended 101
 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
!
Router-B#sh run
Building configuration...
Current configuration:
!
version 1.3.2E
service timestamps log date
service timestamps debug date
no service password-encryption
!
hostname Router-B
!
ip host a 192.168.1.1
ip host c 192.168.2.2
!
crypto ipsec transform-set one
 transform-type ah-md5-hmac esp-3des
!
crypto map my 10 ipsec-manual
 set peer 192.168.1.1
 set security-association inbound esp 1001 cipher aabbccddeeff001122334455667788999988776655443322
 set security-association inbound ah 1000 aabbccddeeff00112233445566778899
 set security-association outbound esp 2001 cipher ffeeddccbbaa001122334455667788999988776655443322
 set security-association outbound ah 2000 ffeeddccbbaa00112233445566778899
 set transform-set one
 match address 101
!
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 no ip directed-broadcast
!
interface Serial1/0
 ip address 192.168.1.2 255.255.255.0
 no ip directed-broadcast
 crypto map my
!
interface Async0/0
 no ip address
 no ip directed-broadcast
!
ip route 192.168.0.0 255.255.255.0 192.168.1.1
!
ip access-list extended 101
 permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
!
IX. Questions for discussion
1. Why are the keys configured manually?
2. What is the role of the crypto MAP?
X. Exercise
Repeat the lab above.
XI. Related commands
crypto ipsec transform-set
To define an IPSec transform set, that is, an acceptable combination of security protocols and algorithms, use the crypto ipsec transform-set global configuration command. To delete a transform set, use the no form of this command.

crypto ipsec transform-set transform-set-name
no crypto ipsec transform-set transform-set-name

Parameters
  Parameter            Description
  transform-set-name   Specifies the name of the transform set to create (or modify).

Default
None.

Command mode
Global configuration mode. Executing this command enters crypto transform configuration mode.

Usage guidelines
A transform set is a combination of security protocols, algorithms and other settings that will be applied to IPSec-protected traffic. Several transform sets can be configured, and one or more of them can then be specified in a crypto map. The transform sets defined in a crypto map are used to negotiate the IPSec security associations that protect the packets matching the crypto map's access list. During negotiation, the two peers look for a transform set that both of them have; when such a set is found, it is selected and applied to the protected traffic as part of the IPSec security associations on both sides.
If IKE is not used to establish the security associations, exactly one transform set must be specified; this set is not negotiated.
A transform set can be placed in a crypto map only after it has been defined with this command. Use the transform-type command to configure the specific transform types.

Example
The following example defines a transform set.
crypto ipsec transform-set one
 transform-type esp-des esp-sha-hmac