Lab 2: IPsec VPN Design and Application (实验2 Ipsec VPN设计与应用.docx)

I. Objectives:
1. Master the configuration of an IPsec tunnel.
2. Understand in depth the IKE phase 1 and phase 2 negotiation process.

II. Lab topology:
(The diagram is not reproduced in the text. As inferred from the commands below: R1 f0/0 is 200.1.1.1 and R2 f0/0 is 200.1.1.2 on the "Internet" side; the private networks are 192.168.0.0/24 behind R1 and 192.168.1.0/24 behind R2.)

Steps and requirements:
1. Configure the IP addresses of all routers and use ping to confirm that every pair of directly connected interfaces can reach each other.
2. Configure static routes on R1 and R2 so that the two routers can reach each other across the Internet backbone.
    R1(config)#ip route 0.0.0.0 0.0.0.0 f0/0
    R2(config)#ip route 0.0.0.0 0.0.0.0 f0/0
3. Enable ISAKMP on R1, which the IKE phase 1 policy requires (it is enabled by default on IOS, so this only matters if it was turned off earlier).
    R1(config)#crypto isakmp enable
4. Configure the pre-shared key; it must be identical on the two peer routers. The digit between `key` and the keystring declares the keystring type (`0` cleartext, `6` type-6 encrypted).
    R1(config)#crypto isakmp key 6 testkey address 200.1.1.2
5. Configure an ISAKMP policy for the IKE phase 1 negotiation. Several ISAKMP policies can be configured locally; during negotiation with the peer they are compared in order of priority (lowest number first) and a policy is selected on its attributes, so the policy numbers on the two peers do not have to be the same (R1 uses policy 1 below, R2 policy 2). DES and Diffie-Hellman group 1 (768-bit) are also the IOS defaults shown in step 12; together with MD5 they are obsolete and should not be used outside a lab (use AES, SHA-2 and DH group 14 or higher).
    R1(config)#crypto isakmp policy 1
    R1(config-isakmp)#hash md5
    R1(config-isakmp)#encryption des
    R1(config-isakmp)#authentication pre-share
    R1(config-isakmp)#lifetime 86400
    R1(config-isakmp)#group 1
    R1(config-isakmp)#exit
6. Configure the IPsec transform set, which is used in the IKE phase 2 negotiation of the IPsec SA. It specifies the parameters to negotiate: the security (and optionally compression) protocol, the hash algorithm and the encryption algorithm. Here ESP carries DES encryption and HMAC-MD5 authentication to protect the data, and tunnel mode is specified.
    R1(config)#crypto ipsec transform-set TRAN esp-des esp-md5-hmac
    R1(cfg-crypto-trans)#mode tunnel
    R1(cfg-crypto-trans)#exit
7. Configure the crypto access list, which identifies the traffic that must be encrypted; this is also called defining the IPsec "interesting traffic". The peer's list must be the mirror image of this one.
    R1(config)#access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
8. Configure the crypto map, which ties the peer, the transform set and the crypto access list together.
    R1(config)#crypto map vpn_to_R2 10 ipsec-isakmp
    % NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
    R1(config-crypto-map)#set peer 200.1.1.2
    R1(config-crypto-map)#set transform-set TRAN
    R1(config-crypto-map)#match address 100
    R1(config-crypto-map)#exit
9. Apply the crypto map to the interface on which the tunnel is to be built.
    R1(config)#interface f0/0
    R1(config-if)#crypto map vpn_to_R2
    R1(config-if)#exit
10. Configure IKE phase 1 and phase 2 on R2 in the same way.
    R2(config)#crypto isakmp enable
    R2(config)#crypto isakmp key 6 testkey address 200.1.1.1
    R2(config)#crypto isakmp policy 2
    R2(config-isakmp)#hash md5
    R2(config-isakmp)#encryption des
    R2(config-isakmp)#authentication pre-share
    R2(config-isakmp)#lifetime 86400
    R2(config-isakmp)#group 1
    R2(config-isakmp)#exit
    R2(config)#crypto ipsec transform-set TRAN esp-des esp-md5-hmac
    R2(cfg-crypto-trans)#mode tunnel
    R2(cfg-crypto-trans)#exit
    R2(config)#access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
    R2(config)#crypto map vpn_to_R1 10 ipsec-isakmp
    % NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
    R2(config-crypto-map)#set peer 200.1.1.1
    R2(config-crypto-map)#set transform-set TRAN
    R2(config-crypto-map)#match address 100
    R2(config-crypto-map)#exit
    R2(config)#interface f0/0
    R2(config-if)#crypto map vpn_to_R1
    R2(config-if)#exit
11. Turn on ISAKMP and IPsec debugging on R1.
    R1#debug crypto isakmp
    Crypto ISAKMP debugging is on
    R1#debug crypto ipsec
    Crypto IPSEC debugging is on
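The rules that steps 3 to 10 depend on, as an added example written by the editor (not code from the lab): a small checker that reads the two routers' crypto commands as text and reports whether R1 and R2 would negotiate. ISAKMP policies are walked lowest priority number first and matched on their attributes, not on the number; the pre-shared key is looked up by peer address; the transform sets must be equal; and the crypto ACLs must be mirror images. The parser understands only the commands the lab uses; R1_LAB is the lab's own R1 input, R2 is derived from it, and HARDEN is the editor's suggested substitution of AES-256, SHA-256 and DH group 14 (IOS keywords), not part of the lab.

```python
"""Added example (editor's, not from the lab): checks whether the R1/R2 crypto configuration
of steps 3 to 10 would negotiate. Only the commands the lab uses are understood."""
import re

IKE_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1", "lifetime": "86400"}
WEAK = {"des": "56-bit DES", "3des": "3DES", "md5": "MD5", "1": "DH group 1 (768-bit)", "2": "DH group 2 (1024-bit)"}
PROMPT = re.compile(r"^\S+\([^)]*\)#\s*")       # strips pasted prompts such as R1(config-isakmp)#


def parse_ios(text):
    cfg = {"policies": {}, "psk": {}, "transform_sets": {}, "acls": {}, "crypto_maps": {}}
    ctx = None                                   # dict of the current sub-mode (policy, transform set, map)
    for raw in text.splitlines():
        t = PROMPT.sub("", raw.strip()).split()
        if not t or t[0] in ("exit", "interface"):
            ctx = None
        elif t[:3] == ["crypto", "isakmp", "policy"]:   # attributes not set keep the IOS defaults
            ctx = cfg["policies"][int(t[3])] = dict(IKE_DEFAULTS)
        elif t[:3] == ["crypto", "isakmp", "key"]:      # key [0|6] KEY address PEER; 0 = cleartext, 6 = type-6
            i = 3 + (t[3] in ("0", "6"))
            cfg["psk"][t[i + 2]] = t[i]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            ctx = cfg["transform_sets"][t[3]] = {"transforms": " ".join(t[4:]), "mode": "tunnel"}
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            cfg["acls"].setdefault(t[1], []).append(tuple(t[4:8]))   # (src, wildcard, dst, wildcard)
        elif t[:2] == ["crypto", "map"] and len(t) == 5:             # crypto map NAME SEQ ipsec-isakmp
            ctx = cfg["crypto_maps"].setdefault(t[2], {})[int(t[3])] = {}
        elif ctx is not None:                    # hash/encryption/group/..., mode, set peer, match address
            key = t[1] if t[0] == "set" else "acl" if t[0] == "match" else t[0]
            ctx[key] = " ".join(t[2:] if t[0] in ("set", "match") else t[1:])
    return cfg


def negotiate_phase1(initiator, responder):
    """First match as (initiator_prio, responder_prio, attrs): numbers need not agree, attributes must."""
    for pi, a in sorted(initiator["policies"].items()):          # lowest priority number first
        for pr, b in sorted(responder["policies"].items()):
            if all(a[k] == b[k] for k in ("encryption", "hash", "authentication", "group")):
                life = min(int(a["lifetime"]), int(b["lifetime"]))   # the shorter lifetime is used
                return pi, pr, dict(a, lifetime=str(life))
    return None


def check_tunnel(a, b, a_addr, b_addr):
    """(errors, warnings) for the tunnel between peer a at a_addr and peer b at b_addr."""
    errors, warnings = [], []
    p1 = negotiate_phase1(a, b)
    if p1 is None:
        errors.append("no ISAKMP policy matches")
    warnings += ["IKE: " + WEAK[v] for v in (p1[2].values() if p1 else ()) if v in WEAK]
    if b_addr not in a["psk"] or a["psk"][b_addr] != b["psk"].get(a_addr):
        errors.append("pre-shared keys missing or different")
    def entry(cfg, peer):                        # the crypto map entry whose `set peer` is `peer`
        return next((e for m in cfg["crypto_maps"].values() for e in m.values() if e.get("peer") == peer), None)
    ea, eb = entry(a, b_addr), entry(b, a_addr)
    if ea is None or eb is None:
        return errors + ["no crypto map entry points at the peer"], warnings
    ta, tb = (c["transform_sets"].get(e.get("transform-set")) for c, e in ((a, ea), (b, eb)))
    if ta is None or ta != tb:
        errors.append("transform sets differ")
    else:
        algs = [x.replace("esp-", "").split("-")[0] for x in ta["transforms"].split()]
        warnings += ["IPsec: " + WEAK[x] for x in algs if x in ("des", "3des", "md5")]
    ra, rb = (c["acls"].get(e.get("acl"), []) for c, e in ((a, ea), (b, eb)))
    if not ra or set(rb) != {(d, dw, s, sw) for s, sw, d, dw in ra}:   # must be mirror images
        errors.append("crypto ACLs are not mirror images")
    return errors, warnings


# R1 as typed in the lab; R2 is derived by swapping addresses, policy number and ACL direction.
R1_LAB = """\
R1(config)#crypto isakmp key 6 testkey address 200.1.1.2
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#hash md5
R1(config-isakmp)#encryption des
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 1
R1(config)#crypto ipsec transform-set TRAN esp-des esp-md5-hmac
R1(config)#access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
R1(config)#crypto map vpn_to_R2 10 ipsec-isakmp
R1(config-crypto-map)#set peer 200.1.1.2
R1(config-crypto-map)#set transform-set TRAN
R1(config-crypto-map)#match address 100
"""
R2_SWAPS = [("R1(", "R2("), ("vpn_to_R2", "vpn_to_R1"), ("policy 1", "policy 2"), ("200.1.1.2", "200.1.1.1"),
            ("192.168.0.0 0.0.0.255 192.168.1.0", "192.168.1.0 0.0.0.255 192.168.0.0")]
HARDEN = [("hash md5", "hash sha256"), ("encryption des", "encryption aes 256"), ("group 1", "group 14"),
          ("esp-des esp-md5-hmac", "esp-aes 256 esp-sha256-hmac")]   # editor's suggestion, not the lab's


def rewrite(text, swaps):
    for old, new in swaps:
        text = text.replace(old, new)
    return text


if __name__ == "__main__":
    for fix in ([], HARDEN):                     # the lab's algorithms, then the hardened set
        print(check_tunnel(parse_ios(rewrite(R1_LAB, fix)), parse_ios(rewrite(rewrite(R1_LAB, R2_SWAPS), fix)), "200.1.1.1", "200.1.1.2"))
```

With the lab's commands the checker reports no errors but five warnings (DES and MD5 in both IKE and IPsec, DH group 1); with HARDEN applied to both sides it reports none. Changing R2's hash to `sha` or breaking the ACL mirror turns those into errors, which is exactly what a silent phase 1 or phase 2 failure on the routers looks like before the debugs are read.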

12. Verify the ISAKMP policies on R1 and R2. The "Default protection suite" is the built-in lowest-priority policy (priority 65535) that IOS falls back to when no configured policy matches.
    R1#show crypto isakmp policy
    Global IKE policy
    Protection suite of priority 1
            encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
            hash algorithm:         Message Digest 5
            authentication method:  Pre-Shared Key
            Diffie-Hellman group:   #1 (768 bit)
            lifetime:               86400 seconds, no volume limit
    Default protection suite
            encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
            hash algorithm:         Secure Hash Standard
            authentication method:  Rivest-Shamir-Adleman Signature
            Diffie-Hellman group:   #1 (768 bit)
            lifetime:               86400 seconds, no volume limit
    R1#

    R2#show crypto isakmp policy
    Global IKE policy
    Protection suite of priority 2
            encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
            hash algorithm:         Message Digest 5
            authentication method:  Pre-Shared Key
            Diffie-Hellman group:   #1 (768 bit)
            lifetime:               86400 seconds, no volume limit
    Default protection suite
            encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
            hash algorithm:         Secure Hash Standard
            authentication method:  Rivest-Shamir-Adleman Signature
            Diffie-Hellman group:   #1 (768 bit)
            lifetime:               86400 seconds, no volume limit
    R2#
13. Display the ISAKMP pre-shared key on R1 and R2 and confirm that the two sides match. The key is shown in the clear, so treat this output as sensitive.
    R1#show crypto isakmp key
    Keyring      Hostname/Address      Preshared Key
    default      200.1.1.2             testkey
    R1#

    R2#show crypto isakmp key
    Keyring      Hostname/Address      Preshared Key
    default      200.1.1.1             testkey
    R2#
14. Display the IPsec transform set on R1 and R2.
    R1#show crypto ipsec transform-set
    Transform set TRAN: esp-des
       will negotiate = Tunnel, ,
    R1#

    R2#show crypto ipsec transform-set
    Transform set TRAN: esp-des
       will negotiate = Tunnel, ,
    R2#
15. On R1, use an extended ping to reach the private address on R2's loopback interface. The first echo is lost while IKE negotiates and the remaining four succeed (80 percent). Note that the addresses in the capture below (echoes to 192.168.1.1 from 172.16.1.1, proxy identities 172.16.0.0/16 and 192.168.0.0/16) do not match the ping dialog or the crypto ACL configured in step 7; the capture was evidently taken on a different topology, so read it for the sequence of IKE states rather than for the addresses.
    R1#ping
    Protocol [ip]:
    Target IP address: 192.168.1.254
    Repeat count [5]:
    Datagram size [100]:
    Timeout in seconds [2]:
    Extended commands [n]: y
    Source address or interface: 192.168.0.254
    Type of service [0]:
    Set DF bit in IP header? [no]:
    Validate reply data? [no]:
    Data pattern [0xABCD]:
    Loose, Strict, Record, Timestamp, Verbose[none]:
    Sweep range of sizes [n]:
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
    Packet sent with a source address of 172.16.1.1
    *Jun 5 17:08:59.519: IPSEC(sa_request): ,
      (key eng. msg.) OUTBOUND local= 200.1.1.1, remote= 200.1.1.2,
        local_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4),
        remote_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4),
        protocol= ESP, transform= NONE (Tunnel),
        lifedur= 3600s and 4608000kb,
        spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
    *Jun 5 17:08:59.535: ISAKMP:(0): SA request profile is (NULL)
    *Jun 5 17:08:59.539: ISAKMP: Created a peer struct for 200.1.1.2, peer port 500
    *Jun 5 17:08:59.539: ISAKMP: New peer created peer = 0x653F9630 peer_handle = 0x80000005
    *Jun 5 17:08:59.543: ISAKMP: Locking peer struct 0x653F9630, refcount 1 for isakmp_initiator
    *Jun 5 17:08:59.547: ISAKMP: local port 500, remote port 500
    *Jun 5 17:08:59.547: ISAKMP: set new node 0 to QM_IDLE
    *Jun 5 17:08:59.551: insert sa successfully sa = 65D68724
    *Jun 5 17:08:59.555: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
    *Jun 5 17:08:59.555: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
    *Jun 5 17:08:59.559: ISAKMP:(0): constructed NAT-T vendor-07 ID
    *Jun 5 17:08:59.559: ISAKMP:(0): constructed NAT-T vendor-03 ID
    *Jun 5 17:08:59.559: ISAKMP:(0): constructed NAT-T vendor-02 ID
    *Jun 5 17:08:59.559: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    *Jun 5 17:08:59.559: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
    *Jun 5 17:08:59.559: ISAKMP:(0): beginning Main Mode exchange
    *Jun 5 17:08:59.559: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
    *Jun 5 17:08:59.663: ISAKMP (0:0): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
    *Jun 5 17:08:59.671: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Jun 5 17:08:59.671: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
    *Jun 5 17:08:59.683: ISAKMP:(0): processing SA payload. message ID = 0
    *Jun 5 17:08:59.687: ISAKMP:(0): processing vendor id payload
    .
    Success rate is 80 percent (4/5), round-trip min/avg/max = 36/53/64 ms
    R1#
    *Jun 5 17:08:59.687: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
    *Jun 5 17:08:59.691: ISAKMP (0:0): vendor ID is NAT-T v7
    *Jun 5 17:08:59.691: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
    *Jun 5 17:08:59.695: ISAKMP:(0): local preshared key found
    *Jun 5 17:08:59.695: ISAKMP : Scanning profiles for xauth ...
    *Jun 5 17:08:59.699: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
    *Jun 5 17:08:59.699: ISAKMP:      encryption DES-CBC
    *Jun 5 17:08:59.703: ISAKMP:      hash MD5
    *Jun 5 17:08:59.703: ISAKMP:      default group 1
    *Jun 5 17:08:59.707: ISAKMP:      auth pre-share
    *Jun 5 17:08:59.711: ISAKMP:      life type in seconds
    *Jun 5 17:08:59.711: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    *Jun 5 17:08:59.719: ISAKMP:(0):atts are acceptable. Next payload is 0
    *Jun 5 17:08:59.723: ISAKMP:(0): processing vendor id payload
    *Jun 5 17:08:59.723: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
    *Jun 5 17:08:59.727: ISAKMP (0:0): vendor ID is NAT-T v7
    *Jun 5 17:08:59.727: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Jun 5 17:08:59.727: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
    *Jun 5 17:08:59.727: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
    *Jun 5 17:08:59.727: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Jun 5 17:08:59.731: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
    *Jun 5 17:08:59.951: ISAKMP (0:0): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP
    *Jun 5 17:08:59.959: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Jun 5 17:08:59.959: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
    *Jun 5 17:08:59.975: ISAKMP:(0): processing KE payload. message ID = 0
    *Jun 5 17:09:00.007: ISAKMP:(0): processing NONCE payload. message ID = 0
    *Jun 5 17:09:00.007: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
    *Jun 5 17:09:00.019: ISAKMP:(1001): processing vendor id payload
    *Jun 5 17:09:00.019: ISAKMP:(1001): vendor ID is Unity
    *Jun 5 17:09:00.023: ISAKMP:(1001): processing vendor id payload
    *Jun 5 17:09:00.023: ISAKMP:(1001): vendor ID is DPD
    *Jun 5 17:09:00.027: ISAKMP:(1001): processing vendor id payload
    *Jun 5 17:09:00.031: ISAKMP:(1001): speaking to another IOS box!
    *Jun 5 17:09:00.031: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Jun 5 17:09:00.031: ISAKMP:(1001):Old State = IKE_I_MM4  New State = IKE_I_MM4
    *Jun 5 17:09:00.031: ISAKMP:(1001):Send initial contact
    *Jun 5 17:09:00.031: ISAKMP:(1001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    *Jun 5 17:09:00.031: ISAKMP (0:1001): ID payload
            next-payload : 8
            type         : 1
            address      : 200.1.1.1
            protocol     : 17
            port         : 500
            length       : 12
    *Jun 5 17:09:00.031: ISAKMP:(1001):Total payload length: 12
    *Jun 5 17:09:00.031: ISAKMP:(1001): sending packet
    (The capture ends here, with R1 about to send main mode message 5; messages 5 and 6 authenticate the peers and complete phase 1.)
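The state sequence in the capture above, as an added example written by the editor (not code from the lab): a parser for `debug crypto isakmp` output that pulls out the IKE phase 1 state transitions, the transform that was checked against the local policy (including the variable-length lifetime encoding `0x0 0x1 0x51 0x80`, which is 86400 seconds), and the packets sent and received, then summarizes how far main mode got. LAB_DEBUG is trimmed from the capture in step 15; NO_REPLY is a constructed capture of an initiator that never gets an answer, and the diagnostic strings are the editor's, not IOS messages.

```python
"""Added example (editor's, not from the lab): parses `debug crypto isakmp` output such as the
capture in step 15 into the IKE phase 1 state sequence and the transform that was checked."""
import re

TIMESTAMP = re.compile(r"^\*?[A-Z][a-z]{2}\s+\d+\s+[\d:.]+:\s*")     # "*Jun 5 17:08:59.559: "
STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
PROPOSAL = ("encryption", "hash", "default group", "auth", "life type in", "life duration (VPI) of")


def decode_vpi(text):
    """'0x0 0x1 0x51 0x80' is a big-endian variable-length integer: 0x00015180 = 86400 seconds."""
    return int("".join(f"{int(b, 16):02x}" for b in text.split()), 16)


def parse_isakmp_debug(text):
    r = {"transitions": [], "proposal": {}, "accepted": None, "psk_peer": None,
         "local_policy": None, "sent": 0, "received": 0}
    for line in text.splitlines():
        body = TIMESTAMP.sub("", line.strip())
        m = STATE.search(body)
        if m:
            r["transitions"].append(m.groups())
        elif "sending packet to" in body:
            r["sent"] += 1
        elif "received packet from" in body:
            r["received"] += 1
        elif "atts are not acceptable" in body:          # the checked transform matched no local policy
            r["accepted"] = False
        elif "atts are acceptable" in body:              # the peer's transform matched a local policy
            r["accepted"] = True
        elif body.startswith("ISAKMP: "):                # one attribute of the transform being checked
            rest = body[len("ISAKMP: "):].lstrip()
            for key in PROPOSAL:
                if rest.startswith(key + " "):
                    val = rest[len(key) + 1:].strip()
                    r["proposal"][key] = decode_vpi(val) if key.startswith("life duration") else val
        m = re.search(r"found peer pre-shared key matching (\S+)", body)
        if m:
            r["psk_peer"] = m.group(1)
        m = re.search(r"against priority (\d+) policy", body)
        if m:
            r["local_policy"] = int(m.group(1))
    return r


def summarize(r):
    """Main mode message reached (IKE_I_MMn / IKE_R_MMn: message n of 6 processed) and a likely reason."""
    final = r["transitions"][-1][1] if r["transitions"] else "IKE_READY"
    m = re.match(r"IKE_([IR])_MM(\d)", final)
    s = {"final_state": final, "role": None, "mm_message": None,
         "phase1_complete": any(new == "IKE_P1_COMPLETE" for _, new in r["transitions"])}
    if m:
        s["role"], s["mm_message"] = {"I": "initiator", "R": "responder"}[m.group(1)], int(m.group(2))
    if r["accepted"] is False:
        s["reason"] = "no local ISAKMP policy matched the peer's transform"
    elif r["sent"] and not r["received"]:
        s["reason"] = "no reply from the peer: check reachability, UDP/500 filtering and the peer's own debug"
    elif r["accepted"]:
        s["reason"] = "peer's transform accepted against local policy %s" % r["local_policy"]
    else:
        s["reason"] = "no transform checked yet"
    return s


# Lines copied from the step 15 capture above (trimmed to the ones that matter).
LAB_DEBUG = """\
*Jun 5 17:08:59.555: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*Jun 5 17:08:59.559: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Jun 5 17:08:59.559: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 5 17:08:59.663: ISAKMP (0:0): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Jun 5 17:08:59.671: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Jun 5 17:08:59.699: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Jun 5 17:08:59.699: ISAKMP:      encryption DES-CBC
*Jun 5 17:08:59.703: ISAKMP:      hash MD5
*Jun 5 17:08:59.703: ISAKMP:      default group 1
*Jun 5 17:08:59.707: ISAKMP:      auth pre-share
*Jun 5 17:08:59.711: ISAKMP:      life type in seconds
*Jun 5 17:08:59.711: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Jun 5 17:08:59.719: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jun 5 17:08:59.727: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Jun 5 17:08:59.731: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
*Jun 5 17:08:59.951: ISAKMP (0:0): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*Jun 5 17:08:59.959: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
"""
# Constructed (not from the lab): an initiator whose first message is never answered.
NO_REPLY = """\
*Jun 5 17:20:00.000: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Jun 5 17:20:00.000: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 5 17:20:10.000: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
"""

if __name__ == "__main__":
    for capture in (LAB_DEBUG, NO_REPLY):
        print(summarize(parse_isakmp_debug(capture)))
```

For the lab capture the summary is an initiator at IKE_I_MM4 with the peer's DES/MD5/group 1/pre-share transform accepted against local policy 1 and a decoded lifetime of 86400 seconds, which is the point at which the capture in step 15 ends; for the constructed capture it is an initiator stuck at IKE_I_MM1 with packets sent and none received.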
