Lab 2: IPsec VPN Design and Application


I. Lab objectives:

1. Master IPsec tunnel configuration.

2. Understand in depth the IKE phase 1 and phase 2 negotiation process.

II. Lab topology:

Lab steps and requirements:

1. Configure the IP addresses of all routers and use ping to confirm that each router's directly connected interfaces can reach each other.

2. Configure static routes on R1 and R2 so that the Internet backbone routers can reach each other.

R1(config)#ip route 0.0.0.0 0.0.0.0 f0/0
R2(config)#ip route 0.0.0.0 0.0.0.0 f0/0

3. On router R1, enable ISAKMP, which IKE phase 1 needs in order to use a policy.

R1(config)#crypto isakmp enable

4. Configure the pre-shared key; it must be identical on both peer routers.

R1(config)#crypto isakmp key 6 testkey address 200.1.1.2

5. Configure the ISAKMP policy for the IKE phase 1 negotiation. Several ISAKMP policies can be configured locally; when negotiating with the peer, a matching policy is selected regardless of the policy number.

R1(config)#
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#hash md5
R1(config-isakmp)#encryption des
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#lifetime 86400
R1(config-isakmp)#group 1
R1(config-isakmp)#exit
R1(config)#

6. Configure the IPsec transform set, which is used for the IPsec SA negotiation in IKE phase 2. It specifies the protection parameters to be negotiated: the security and compression protocols, the hash algorithm and the encryption algorithm. This configuration uses ESP with DES encryption and MD5-HMAC authentication to protect the data, and specifies tunnel mode.

R1(config)#crypto ipsec transform-set TRAN esp-des esp-md5-hmac
R1(cfg-crypto-trans)#mode tunnel
R1(cfg-crypto-trans)#exit
R1(config)#

7. Configure the crypto access control list, which identifies the traffic that must be encrypted; this is also called defining the IPsec interesting traffic.

R1(config)#access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
R1(config)#

8. Configure the crypto map, which associates the transform set with the peer and the interesting traffic.

R1(config)#crypto map vpn_to_R2 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R1(config-crypto-map)#set peer 200.1.1.2
R1(config-crypto-map)#set transform-set TRAN
R1(config-crypto-map)#match address 100
R1(config-crypto-map)#exit
R1(config)#exit
R1#

9. Apply the crypto map to the interface on which the tunnel is to be established.

R1(config)#interface f0/0
R1(config-if)#crypto map vpn_to_R2
R1(config-if)#exit
R1(config)#

10. Configure IKE phase 1 and phase 2 on R2 in the same way.

R2(config)#crypto isakmp enable
R2(config)#
R2(config)#crypto isakmp key 6 testkey address 200.1.1.1
R2(config)#
R2(config)#crypto isakmp policy 2
R2(config-isakmp)#hash md5
R2(config-isakmp)#encryption des
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#lifetime 86400
R2(config-isakmp)#group 1
R2(config-isakmp)#exit
R2(config)#
R2(config)#crypto ipsec transform-set TRAN esp-des esp-md5-hmac
R2(cfg-crypto-trans)#mode tunnel
R2(cfg-crypto-trans)#exit
R2(config)#
R2(config)#access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
R2(config)#
R2(config)#crypto map vpn_to_R1 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R2(config-crypto-map)#set peer 200.1.1.1
R2(config-crypto-map)#set transform-set TRAN
R2(config-crypto-map)#match address 100
R2(config-crypto-map)#exit
R2(config)#interface f0/0
R2(config-if)#crypto map vpn_to_R1
R2(config-if)#exit
R2(config)#
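Before bringing the tunnel up it is worth checking mechanically that the two sides agree. The Python script below is an added example, not part of the lab or of Cisco IOS: it parses the lab's own commands (reproduced as constructed strings, policy attributes only) and confirms that the pre-shared keys, ISAKMP policy attributes and transform sets match and that the crypto ACLs mirror each other, and it flags the DES, MD5 and group 1 attributes the lab uses, which are below current guidance. The parser only understands the command forms used in this lab.

```python
# Constructed sample: the lab's commands for each router (the attributes only).
R1_CFG = """crypto isakmp key 6 testkey address 200.1.1.2
crypto isakmp policy 1
 hash md5
 encryption des
 group 1
crypto ipsec transform-set TRAN esp-des esp-md5-hmac
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 set peer 200.1.1.2"""
R2_CFG = """crypto isakmp key 6 testkey address 200.1.1.1
crypto isakmp policy 2
 hash md5
 encryption des
 group 1
crypto ipsec transform-set TRAN esp-des esp-md5-hmac
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
 set peer 200.1.1.1"""
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}

def parse(cfg):
    """Extract the fields that must agree between the two IPsec peers."""
    c = {"policy": {}, "acl": []}
    for line in cfg.splitlines():
        t = line.split()
        if not t: continue
        if t[:3] == ["crypto", "isakmp", "key"]:
            c["psk"] = t[4]  # key string; t[6] is the peer address
        elif t[0] in ("hash", "encryption", "authentication", "group"):
            c["policy"][t[0]] = t[1]  # the policy number itself is not compared
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            c["transforms"] = set(t[4:])
        elif t[0] == "access-list" and t[2] == "permit":
            c["acl"].append(tuple(t[4:8]))  # src, wildcard, dst, wildcard
        elif t[:2] == ["set", "peer"]:
            c["peer"] = t[2]
    return c

def check_peers(a, b):
    """Return [(severity, message)]; any 'error' prevents the tunnel coming up."""
    pa, pb, f = parse(a), parse(b), []
    for name, p in (("R1", pa), ("R2", pb)):
        f += [("warn", f"{name}: weak IKE {k} {v}")  # lab uses DES/MD5/group 1
              for k, v in p["policy"].items() if v in WEAK.get(k, ())]
    checks = [(pa["psk"] == pb["psk"], "pre-shared keys differ"),
        (pa["policy"] == pb["policy"], "no matching ISAKMP policy"),
        (pa["transforms"] == pb["transforms"], "transform sets differ"),
        (set(pa["acl"]) == {(d, dw, s, sw) for s, sw, d, dw in pb["acl"]},
         "crypto ACLs are not mirror images"),  # R2's src/dst is R1's dst/src
    ]
    return f + [("error", m) for ok, m in checks if not ok]
```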

11. Turn on ISAKMP and IPsec debugging on router R1.

R1#
R1#debug crypto isakmp
Crypto ISAKMP debugging is on
R1#
R1#debug crypto ipsec
Crypto IPSEC debugging is on
R1#

12. Verify the ISAKMP policies on R1 and R2.

R1#show crypto isakmp policy

Global IKE policy
Protection suite of priority 1
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
R1#

R2#show crypto isakmp policy

Global IKE policy
Protection suite of priority 2
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
R2#

13. View the ISAKMP pre-shared key configuration on R1 and R2 and confirm that both sides agree.

R1#show crypto isakmp key
Keyring      Hostname/Address                            Preshared Key
default      200.1.1.2                                   testkey
R1#

R2#show crypto isakmp key
Keyring      Hostname/Address                            Preshared Key
default      200.1.1.1                                   testkey
R2#

14. View the IPsec transform sets on R1 and R2.

R1#show crypto ipsec transform-set
Transform set TRAN: { esp-des }
   will negotiate = { Tunnel, },
R1#

R2#show crypto ipsec transform-set
Transform set TRAN: { esp-des }
   will negotiate = { Tunnel, },
R2#

15. On R1, use an extended ping to reach the private address on R2's loopback interface.

R1#ping
Protocol [ip]:
Target IP address: 192.168.1.254
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.0.254
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
*Jun  5 17:08:59.519: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 200.1.1.1, remote= 200.1.1.2,
    local_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jun  5 17:08:59.535: ISAKMP:(0): SA request profile is (NULL)
*Jun  5 17:08:59.539: ISAKMP: Created a peer struct for 200.1.1.2, peer port 500
*Jun  5 17:08:59.539: ISAKMP: New peer created peer = 0x653F9630 peer_handle = 0x80000005
*Jun  5 17:08:59.543: ISAKMP: Locking peer struct 0x653F9630, refcount 1 for isakmp_initiator
*Jun  5 17:08:59.547: ISAKMP: local port 500, remote port 500
*Jun  5 17:08:59.547: ISAKMP: set new node 0 to QM_IDLE
*Jun  5 17:08:59.551: insert sa successfully sa = 65D68724
*Jun  5 17:08:59.555: ISAKMP:(0):Cannot start Aggressive mode, trying Main mode.
*Jun  5 17:08:59.555: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*Jun  5 17:08:59.559: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jun  5 17:08:59.559: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jun  5 17:08:59.559: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jun  5 17:08:59.559: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jun  5 17:08:59.559: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Jun  5 17:08:59.559: ISAKMP:(0): beginning Main Mode exchange
*Jun  5 17:08:59.559: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun  5 17:08:59.663: ISAKMP (0:0): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Jun  5 17:08:59.671: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun  5 17:08:59.671: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Jun  5 17:08:59.683: ISAKMP:(0): processing SA payload. message ID = 0
*Jun  5 17:08:59.687: ISAKMP:(0): processing vendor id payload
*J.
Success rate is 80 percent (4/5), round-trip min/avg/max = 36/53/64 ms
R1#un  5 17:08:59.687: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jun  5 17:08:59.691: ISAKMP (0:0): vendor ID is NAT-T v7
*Jun  5 17:08:59.691: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*Jun  5 17:08:59.695: ISAKMP:(0): local preshared key found
*Jun  5 17:08:59.695: ISAKMP : Scanning profiles for xauth ...
*Jun  5 17:08:59.699: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Jun  5 17:08:59.699: ISAKMP:      encryption DES-CBC
*Jun  5 17:08:59.703: ISAKMP:      hash MD5
*Jun  5 17:08:59.703: ISAKMP:      default group 1
*Jun  5 17:08:59.707: ISAKMP:      auth pre-share
*Jun  5 17:08:59.711: ISAKMP:      life type in seconds
*Jun  5 17:08:59.711: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Jun  5 17:08:59.719: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jun  5 17:08:59.723: ISAKMP:(0): processing vendor id payload
*Jun  5 17:08:59.723: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jun  5 17:08:59.727: ISAKMP (0:0): vendor ID is NAT-T v7
*Jun  5 17:08:59.727: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun  5 17:08:59.727: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
*Jun  5 17:08:59.727: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Jun  5 17:08:59.727: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun  5 17:08:59.731: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
*Jun  5 17:08:59.951: ISAKMP (0:0): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*Jun  5 17:08:59.959: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun  5 17:08:59.959: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
*Jun  5 17:08:59.975: ISAKMP:(0): processing KE payload. message ID = 0
*Jun  5 17:09:00.007: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jun  5 17:09:00.007: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*Jun  5 17:09:00.019: ISAKMP:(1001): processing vendor id payload
*Jun  5 17:09:00.019: ISAKMP:(1001): vendor ID is Unity
*Jun  5 17:09:00.023: ISAKMP:(1001): processing vendor id payload
*Jun  5 17:09:00.023: ISAKMP:(1001): vendor ID is DPD
*Jun  5 17:09:00.027: ISAKMP:(1001): processing vendor id payload
*Jun  5 17:09:00.031: ISAKMP:(1001): speaking to another IOS box!
*Jun  5 17:09:00.031: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun  5 17:09:00.031: ISAKMP:(1001):Old State = IKE_I_MM4  New State = IKE_I_MM4
*Jun  5 17:09:00.031: ISAKMP:(1001):Send initial contact
*Jun  5 17:09:00.031: ISAKMP:(1001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jun  5 17:09:00.031: ISAKMP (0:1001): ID payload
        next-payload : 8
        type         : 1
        address      : 200.1.1.1
        protocol     : 17
        port         : 500
        length       : 12
*Jun  5 17:09:00.031: ISAKMP:(1001):Total payload length: 12
*Jun  5 17:09:00.031: ISAKMP:(1001): sending packet
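The debug above is hard to read by eye. The Python script below is an added example, not part of the lab or of Cisco IOS: it reduces a `debug crypto isakmp` capture to the main-mode state sequence, the proposal attributes the peer accepted, the peer address and role, and flags the DES, MD5 and group 1 attributes as weak. The sample lines are a constructed subset of the lab output with spacing restored; because that capture stops at IKE_I_MM4, the audit also reports that phase 1 did not finish within it.

```python
import re

# Constructed sample: a subset of the lab's debug crypto isakmp output, spacing restored.
DEBUG = """*Jun  5 17:08:59.555: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*Jun  5 17:08:59.559: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Jun  5 17:08:59.559: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun  5 17:08:59.671: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Jun  5 17:08:59.699: ISAKMP:      encryption DES-CBC
*Jun  5 17:08:59.703: ISAKMP:      hash MD5
*Jun  5 17:08:59.703: ISAKMP:      default group 1
*Jun  5 17:08:59.707: ISAKMP:      auth pre-share
*Jun  5 17:08:59.719: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jun  5 17:08:59.727: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
*Jun  5 17:08:59.731: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
*Jun  5 17:08:59.959: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4"""

STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth) (\S+)")
PACKET = re.compile(r"sending packet to (\S+) .*\((I|R)\)")
WEAK = {"encryption": {"DES-CBC", "3DES-CBC"}, "hash": {"MD5"}, "group": {"1", "2"}}

def summarize_phase1(text):
    """Reduce an ISAKMP debug to the facts a reviewer checks for one IKE SA."""
    s = {"peer": None, "role": None, "states": [], "proposal": {}, "accepted": False}
    for line in text.splitlines():
        if m := STATE.search(line):
            if not s["states"]:
                s["states"].append(m.group(1))
            if m.group(2) != s["states"][-1]:  # drop IOS's MM2->MM2 self-loops
                s["states"].append(m.group(2))
        elif m := ATTR.search(line):  # attributes of the proposal being checked
            key = "group" if m.group(1) == "default group" else m.group(1)
            s["proposal"][key] = m.group(2)
        elif m := PACKET.search(line):
            s["peer"] = m.group(1)
            s["role"] = "initiator" if m.group(2) == "I" else "responder"
        elif "atts are acceptable" in line:
            s["accepted"] = True
    s["weak"] = [f"{k} {v}" for k, v in s["proposal"].items() if v in WEAK.get(k, ())]
    return s

def audit(s):
    """Findings to raise about the negotiation captured in the debug."""
    f = [f"weak phase-1 {w}" for w in s["weak"]]
    if not s["accepted"]:
        f.append("no acceptable ISAKMP proposal seen")
    if "IKE_P1_COMPLETE" not in s["states"]:  # main mode only finishes at MM6
        last = s["states"][-1] if s["states"] else "none"
        f.append(f"phase 1 not finished in this capture; last state {last}")
    return f
```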
