1. Topology:

Reference: http://blog.sina.com.cn/s/blog_52ddfea30100o0d9.html

----- Teacher Qin Ke's DMVPN + GETVPN lab

2. Basic interface configuration:
R1:
interface Loopback0
ip address 192.168.1.1 255.255.255.0
interface FastEthernet0/0
ip address 202.100.1.1 255.255.255.0
no shut
R2:
interface FastEthernet0/0
ip address 202.100.1.2 255.255.255.0
no shut
R3:
interface Loopback0
ip address 192.168.3.3 255.255.255.0
interface FastEthernet0/0
ip address 202.100.1.3 255.255.255.0
no shut
R4:
interface Loopback0
ip address 192.168.4.4 255.255.255.0
interface FastEthernet0/0
ip address 202.100.1.4 255.255.255.0
no shut
3. mGRE tunnel configuration (NHRP phase 3: the hub sends redirects, the spokes install shortcuts):
① R1 (GM1, hub):
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
ip mtu 1400
ip nhrp map multicast dynamic
ip nhrp network-id 10
ip nhrp redirect
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 12345
② R3 (GM2, spoke 1):
interface Tunnel0
ip address 172.16.1.3 255.255.255.0
ip mtu 1400
ip nhrp map 172.16.1.1 202.100.1.1
ip nhrp map multicast 202.100.1.1
ip nhrp network-id 10
ip nhrp nhs 172.16.1.1
ip nhrp shortcut
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 12345
③ R4 (GM3, spoke 2):
interface Tunnel0
ip address 172.16.1.4 255.255.255.0
ip mtu 1400
ip nhrp map 172.16.1.1 202.100.1.1
ip nhrp map multicast 202.100.1.1
ip nhrp network-id 10
ip nhrp nhs 172.16.1.1
ip nhrp shortcut
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 12345
④ Test NHRP (both spokes must appear as dynamic entries in the hub's NHRP cache):
R4#ping 172.16.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/42/52 ms
R4#ping 172.16.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.3, timeout is 2 seconds:
!!.!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 36/95/236 ms
R4#
R1#show ip nhrp
172.16.1.3/32 via 172.16.1.3, Tunnel0 created 00:02:58, expire 01:59:45
 Type: dynamic, Flags: router nat used
 NBMA address: 202.100.1.3
172.16.1.4/32 via 172.16.1.4, Tunnel0 created 00:00:36, expire 01:59:44
 Type: dynamic, Flags: router nat
 NBMA address: 202.100.1.4
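The hub's NHRP cache above is what an operator checks to see which spokes have registered and from which NBMA (public) address. As an added example, not part of the original lab, the following Python parses that `show ip nhrp` output and compares it with an expected spoke table; the expected table, and the "rogue spoke" scenario it can detect, are assumptions of this example drawn from the lab addressing (nothing on the page shows a rogue spoke).

```python
"""Parse Cisco IOS `show ip nhrp` output and audit the hub's NHRP cache.

Added example; the sample text is the R1 output from the lab above.
EXPECTED_SPOKES is an assumption: tunnel address -> NBMA address that
each spoke is allowed to register from.
"""
import re

# Constructed sample input: copied from R1's `show ip nhrp` in the lab.
SHOW_IP_NHRP = """\
172.16.1.3/32 via 172.16.1.3, Tunnel0 created 00:02:58, expire 01:59:45
 Type: dynamic, Flags: router nat used
 NBMA address: 202.100.1.3
172.16.1.4/32 via 172.16.1.4, Tunnel0 created 00:00:36, expire 01:59:44
 Type: dynamic, Flags: router nat
 NBMA address: 202.100.1.4
"""

# Assumed authoritative spoke table (tunnel IP -> NBMA IP) for this lab.
EXPECTED_SPOKES = {"172.16.1.3": "202.100.1.3", "172.16.1.4": "202.100.1.4"}

ENTRY_RE = re.compile(
    r"^(?P<prefix>\S+) via (?P<nexthop>\S+), (?P<intf>\S+) "
    r"created (?P<created>\S+), expire (?P<expire>\S+)$")
TYPE_RE = re.compile(r"^\s*Type: (?P<type>\w+), Flags: (?P<flags>.*)$")
NBMA_RE = re.compile(r"^\s*NBMA address: (?P<nbma>\S+)$")


def parse_nhrp(text):
    """Return one dict per cache entry: prefix, nexthop, intf, type, flags, nbma."""
    entries, cur = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:                       # header line starts a new entry
            cur = m.groupdict()
            cur["flags"] = []
            entries.append(cur)
            continue
        if cur is None:             # ignore anything before the first entry
            continue
        m = TYPE_RE.match(line)
        if m:
            cur["type"] = m["type"]
            cur["flags"] = m["flags"].split()
            continue
        m = NBMA_RE.match(line)
        if m:
            cur["nbma"] = m["nbma"]
    return entries


def audit_nhrp(entries, expected):
    """Compare registrations with `expected` (tunnel IP -> NBMA IP).

    Findings: a tunnel address nobody should be using, a known spoke
    registering from the wrong NBMA address, or a spoke that is missing.
    """
    findings, seen = [], set()
    for e in entries:
        tun = e["nexthop"]
        seen.add(tun)
        if tun not in expected:
            findings.append(f"unexpected registration {tun} from NBMA {e.get('nbma')}")
        elif e.get("nbma") != expected[tun]:
            findings.append(f"{tun} registered from {e.get('nbma')}, expected {expected[tun]}")
    for tun in sorted(set(expected) - seen):
        findings.append(f"spoke {tun} not registered")
    return findings


if __name__ == "__main__":
    cache = parse_nhrp(SHOW_IP_NHRP)
    print(audit_nhrp(cache, EXPECTED_SPOKES) or "all expected spokes registered")
```

Run it against the saved output of `show ip nhrp` on the hub after adding or removing spokes; in the lab state above it reports no findings.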
4. Static route configuration (hub has a route per spoke LAN; spokes point a summary at the hub and rely on NHRP shortcuts for spoke-to-spoke traffic):
R1(config)#ip route 192.168.3.0 255.255.255.0 172.16.1.3
R1(config)#ip route 192.168.4.0 255.255.255.0 172.16.1.4

R3(config)#ip route 192.168.0.0 255.255.0.0 172.16.1.1
R4(config)#ip route 192.168.0.0 255.255.0.0 172.16.1.1
5. GETVPN configuration:
① Generate the RSA key that the key server uses to sign rekey messages (1024-bit here for the lab; the GMs verify every rekey with this public key, so use 2048-bit or larger outside the lab):
R2(KS):
ip domain name yuntian.com
crypto key generate rsa modulus 1024 label get***key
② Phase 1 (ISAKMP; policy 10 is left at the IOS defaults, which the verification output below shows as SHA+DES, and the pre-shared key cisco is lab-only):
R2(KS):
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 202.100.1.1
crypto isakmp key cisco address 202.100.1.3
crypto isakmp key cisco address 202.100.1.4
R1, R3, R4 (GM1, GM2, GM3):
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 202.100.1.2
③ Define the interesting traffic on the key server (this ACL is pushed to every GM; all GRE, i.e. the whole mGRE tunnel including NHRP, is encrypted, while the GDOI registration traffic itself is not GRE and stays outside the policy):
R2(KS):
ip access-list extended ALL-DM***-Traffic
permit gre any any
④ Phase 2 transform set and the IPsec profile that references it (esp-des is 56-bit and lab-only; use an AES transform in production):
R2(KS):
crypto ipsec transform-set get***-set esp-des esp-sha-hmac
exit
crypto ipsec profile get***-profile
set transform-set get***-set
⑤ GETVPN group configuration (the KS pushes the TEK and the ACL to every GM; rekeys are sent unicast and signed with get***key):
R2(KS):
crypto gdoi group get***group
identity number 12345678
server local
 address ipv4 202.100.1.2
 rekey algorithm aes 256
 rekey authentication mypubkey rsa get***key
 rekey transport unicast
 sa ipsec 1
  profile get***-profile
  match address ipv4 ALL-DM***-Traffic
R1, R3, R4 (GM1, GM2, GM3):
crypto gdoi group get***group
identity number 12345678
server address ipv4 202.100.1.2
⑥ Apply the GDOI crypto map on the group members (on the physical interface, since the group ACL matches the outer GRE packets):
R1, R3, R4 (GM1, GM2, GM3):
crypto map get***map 10 gdoi
set group get***group
interface FastEthernet0/0
crypto map get***map
6. Verification:
① GETVPN status on the key server and the group members. Every GM shows the same TEK SPI (0x8EAF909E), which is what distinguishes GETVPN from pairwise IPsec: one group SA for all members. Note also that the KS reports count-based anti-replay with a 64-packet window while each GM shows Anti-Replay: Disabled, so the data-plane SA offers no replay protection; counter-based replay checking cannot work for a group SA shared by several senders, so for production configure time-based anti-replay (replay time window-size under sa ipsec) on the KS.
R2#show crypto gdoi group get***group
   Group Name               : get***group (Unicast)
   Group Identity           : 12345678
   Group Members            : 3
   IPSec SA Direction       : Both
   Active Group Server      : Local
   Group Rekey Lifetime     : 86400 secs
   Group Rekey
       Remaining Lifetime   : 86352 secs
   Rekey Retransmit Period  : 10 secs
   Rekey Retransmit Attempts: 2
   Group Retransmit
       Remaining Lifetime   : 0 secs

     IPSec SA Number        : 1
     IPSec SA Rekey Lifetime: 3600 secs
     Profile Name           : get***-profile
     Replay method          : Count Based
     Replay Window Size     : 64
     SA Rekey
        Remaining Lifetime  : 3553 secs
     ACL Configured         : access-list ALL-DM***-Traffic

   Group Server list        : Local
R1#show crypto gdoi group get***group
   Group Name               : get***group
   Group Identity           : 12345678
   Rekeys received          : 0
   IPSec SA Direction       : Both
   Active Group Server      : 202.100.1.2
   Group Server list        : 202.100.1.2

   GM Reregisters in        : 3473 secs
   Rekey Received           : never


   Rekeys received          
        Cumulative          : 0
        After registration  : 0
   Rekey Acks sent          : 0

ACL Downloaded From KS 202.100.1.2:
  access-list  permit gre any any

KEK POLICY:
   Rekey Transport Type     : Unicast
   Lifetime (secs)          : 86399
   Encrypt Algorithm        : AES
   Key Size                 : 256    
   Sig Hash Algorithm       : HMAC_AUTH_SHA
   Sig Key Length (bits)    : 1024    

TEK POLICY:
 FastEthernet0/0:
   IPsec SA:
       sa direction:inbound
       spi: 0x8EAF909E(2393870494)
       transform: esp-des esp-sha-hmac
       sa timing:remaining key lifetime (sec): (3527)
       Anti-Replay : Disabled

   IPsec SA:
       sa direction:outbound
       spi: 0x8EAF909E(2393870494)
       transform: esp-des esp-sha-hmac
       sa timing:remaining key lifetime (sec): (3527)
       Anti-Replay : Disabled
R3#show crypto gdoi group get***group
   Group Name               : get***group
   Group Identity           : 12345678
   Rekeys received          : 0
   IPSec SA Direction       : Both
   Active Group Server      : 202.100.1.2
   Group Server list        : 202.100.1.2

   GM Reregisters in        : 3437 secs
   Rekey Received           : never


   Rekeys received          
        Cumulative          : 0
        After registration  : 0
   Rekey Acks sent          : 0

ACL Downloaded From KS 202.100.1.2:
  access-list  permit gre any any

KEK POLICY:
   Rekey Transport Type     : Unicast
   Lifetime (secs)          : 86387
   Encrypt Algorithm        : AES
   Key Size                 : 256    
   Sig Hash Algorithm       : HMAC_AUTH_SHA
   Sig Key Length (bits)    : 1024    

TEK POLICY:
 FastEthernet0/0:
   IPsec SA:
       sa direction:inbound
       spi: 0x8EAF909E(2393870494)
       transform: esp-des esp-sha-hmac
       sa timing:remaining key lifetime (sec): (3495)
       Anti-Replay : Disabled

   IPsec SA:
       sa direction:outbound
       spi: 0x8EAF909E(2393870494)
       transform: esp-des esp-sha-hmac
       sa timing:remaining key lifetime (sec): (3495)
       Anti-Replay : Disabled
R4#show crypto gdoi group get***group
   Group Name               : get***group
   Group Identity           : 12345678
   Rekeys received          : 0
   IPSec SA Direction       : Both
   Active Group Server      : 202.100.1.2
   Group Server list        : 202.100.1.2

   GM Reregisters in        : 3408 secs
   Rekey Received           : never


   Rekeys received          
        Cumulative          : 0
        After registration  : 0
   Rekey Acks sent          : 0

ACL Downloaded From KS 202.100.1.2:
  access-list  permit gre any any

KEK POLICY:
   Rekey Transport Type     : Unicast
   Lifetime (secs)          : 86380
   Encrypt Algorithm        : AES
   Key Size                 : 256    
   Sig Hash Algorithm       : HMAC_AUTH_SHA
   Sig Key Length (bits)    : 1024    

TEK POLICY:
 FastEthernet0/0:
   IPsec SA:
       sa direction:inbound
       spi: 0x8EAF909E(2393870494)
       transform: esp-des esp-sha-hmac
       sa timing:remaining key lifetime (sec): (3465)
       Anti-Replay : Disabled

   IPsec SA:
       sa direction:outbound
       spi: 0x8EAF909E(2393870494)
       transform: esp-des esp-sha-hmac
       sa timing:remaining key lifetime (sec): (3465)
       Anti-Replay : Disabled
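The three GM outputs above are normally compared by eye. As an added example, not part of the original lab, the following Python parses the KEK/TEK section of each GM's `show crypto gdoi group` output and checks the property GETVPN depends on: every member holds the same TEK (same SPI and transform), the same KEK and the same downloaded ACL. It also flags settings that are fine in a lab but not in production. The sample text is copied from the outputs above (on the page R1, R3 and R4 differ only in remaining lifetimes, so one text stands in for all three); the weakness thresholds are this example's own assumptions.

```python
"""Consistency and policy audit of GET VPN group-member state.

Added example. parse_gm() reads the KEK/TEK part of one GM's
`show crypto gdoi group` output; check_group() reports fields on which
the GMs disagree; check_policy() flags lab-grade settings. The
thresholds (2048-bit signing key, no DES/3DES, anti-replay on) are
assumptions of this example.
"""
import re

# Constructed sample input: the policy section of R1's output in the lab.
GM_OUTPUT = """\
   Active Group Server      : 202.100.1.2
ACL Downloaded From KS 202.100.1.2:
  access-list  permit gre any any
KEK POLICY:
   Rekey Transport Type     : Unicast
   Encrypt Algorithm        : AES
   Key Size                 : 256
   Sig Hash Algorithm       : HMAC_AUTH_SHA
   Sig Key Length (bits)    : 1024
TEK POLICY:
 FastEthernet0/0:
   IPsec SA:
       sa direction:inbound
       spi: 0x8EAF909E(2393870494)
       transform: esp-des esp-sha-hmac
       sa timing:remaining key lifetime (sec): (3527)
       Anti-Replay : Disabled
   IPsec SA:
       sa direction:outbound
       spi: 0x8EAF909E(2393870494)
       transform: esp-des esp-sha-hmac
       sa timing:remaining key lifetime (sec): (3527)
       Anti-Replay : Disabled
"""
# R3 and R4 on the page show the same policy (only lifetimes differ).
GM_OUTPUTS = {"R1": GM_OUTPUT, "R3": GM_OUTPUT, "R4": GM_OUTPUT}

FIELDS = {
    "ks": re.compile(r"Active Group Server\s*:\s*(\S+)"),
    "kek_alg": re.compile(r"Encrypt Algorithm\s*:\s*(\S+)"),
    "kek_bits": re.compile(r"Key Size\s*:\s*(\d+)"),
    "sig_bits": re.compile(r"Sig Key Length \(bits\)\s*:\s*(\d+)"),
}


def parse_gm(text):
    """Return {ks, kek_alg, kek_bits, sig_bits, acl: [...], sas: {direction: {...}}}."""
    info = {"acl": [], "sas": {}}
    sa = None
    for raw in text.splitlines():
        line = raw.strip()
        for key, rx in FIELDS.items():
            m = rx.match(line)
            if m:
                info[key] = m.group(1)
        if line.startswith("access-list"):
            info["acl"].append(" ".join(line.split()))      # collapse IOS double spaces
        elif line.startswith("sa direction:"):
            sa = info["sas"].setdefault(line.split(":", 1)[1].strip(), {})
        elif sa is not None and line.startswith("spi:"):
            sa["spi"] = line.split()[1].split("(")[0]       # hex SPI, drop decimal echo
        elif sa is not None and line.startswith("transform:"):
            sa["transform"] = line.split(":", 1)[1].strip()
        elif sa is not None and line.startswith("Anti-Replay"):
            sa["replay"] = line.split(":", 1)[1].strip()
    return info


def _tek_view(info):
    return tuple(sorted((d, s["spi"], s["transform"]) for d, s in info["sas"].items()))


def check_group(members):
    """members: {router: parse_gm(...)}. One finding per field on which GMs disagree."""
    findings = []
    for field in ("ks", "acl", "kek_alg", "kek_bits", "tek"):
        seen = {}
        for name, info in members.items():
            val = _tek_view(info) if field == "tek" else info.get(field)
            seen.setdefault(str(val), []).append(name)
        if len(seen) > 1:
            findings.append(f"{field} differs across GMs: {seen}")
    return findings


WEAK_CIPHERS = {"esp-des", "esp-3des", "esp-null"}   # assumed blocklist


def check_policy(info):
    """Flag lab-grade settings in one GM's downloaded policy."""
    findings = []
    for direction, sa in info["sas"].items():
        if WEAK_CIPHERS & set(sa["transform"].split()):
            findings.append(f"{direction} TEK uses weak cipher: {sa['transform']}")
        if sa.get("replay") == "Disabled":
            findings.append(f"{direction} TEK anti-replay disabled; enable time-based anti-replay on the KS")
    if int(info.get("sig_bits", 0)) < 2048:
        findings.append(f"KEK rekey signing key is {info.get('sig_bits')} bits; use >= 2048")
    if info.get("kek_alg") != "AES" or int(info.get("kek_bits", 0)) < 128:
        findings.append(f"KEK cipher {info.get('kek_alg')}-{info.get('kek_bits')} is too weak")
    return findings


if __name__ == "__main__":
    members = {n: parse_gm(t) for n, t in GM_OUTPUTS.items()}
    print("group consistency:", check_group(members) or "OK")
    for name, info in members.items():
        for finding in check_policy(info):
            print(f"{name}: {finding}")
```

In the lab state the group is consistent and the policy audit reports DES, the 1024-bit signing key and disabled anti-replay on every member; a GM that missed a rekey would show up as a differing TEK SPI.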
② Members registered on the key server (all three GMs, identified by their NBMA addresses; no rekey has been sent yet):
R2#show crypto gdoi ks members

Group Member Information :

Number of rekeys sent for group get***group : 0

Group Member ID   : 202.100.1.1
Group ID          : 12345678
Group Name        : get***group
Key Server ID     : 202.100.1.2
Rekeys sent       : 0
Rekey Acks Rcvd   : 0
Rekey Acks missed : 0

Sent seq num :    0    0    0    0
Rcvd seq num :    0    0    0    0

Group Member ID   : 202.100.1.3
Group ID          : 12345678
Group Name        : get***group
Key Server ID     : 202.100.1.2
Rekeys sent       : 0
Rekey Acks Rcvd   : 0
Rekey Acks missed : 0

Sent seq num :    0    0    0    0
Rcvd seq num :    0    0    0    0

Group Member ID   : 202.100.1.4
Group ID          : 12345678
Group Name        : get***group
Key Server ID     : 202.100.1.2
Rekeys sent       : 0
Rekey Acks Rcvd   : 0
Rekey Acks missed : 0

Sent seq num :    0    0    0    0
Rcvd seq num :    0    0    0    0

③ Test GETVPN encryption and decryption on a group member:

Step 1: on R1 (GM1), check the crypto engine counters before generating any traffic
R1#show crypto engine connections active
Crypto Engine Connections

  ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
   1 Fa0/0      IPsec DES+SHA                   0        0 0.0.0.0
   2 Fa0/0      IPsec DES+SHA                   0        0 0.0.0.0
1001 Fa0/0      IKE   SHA+DES                   0        0 202.100.1.1
1002 <none>     IKE   SHA+AES256                0        0

Step 2: generate interesting traffic from R1 (GM1) with ping (the ICMP rides the GRE tunnel, so it matches the group ACL)
R1#ping 192.168.3.3 source 192.168.1.1 repeat 100

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 68/101/344 ms
Step 3: check the counters on R1 (GM1) again (100 packets encrypted on the outbound SA, 100 decrypted on the inbound SA)
R1#show crypto engine connections active
Crypto Engine Connections

  ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
   1 Fa0/0      IPsec DES+SHA                   0      100 0.0.0.0
   2 Fa0/0      IPsec DES+SHA                 100        0 0.0.0.0
1001 Fa0/0      IKE   SHA+DES                   0        0 202.100.1.1
1002 <none>     IKE   SHA+AES256                0        0

④ Phase 1 security associations (each GM holds a GDOI_IDLE SA it initiated to the KS for registration and a GDOI_REKEY SA over which the KS pushes rekeys):
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
202.100.1.1     202.100.1.2     GDOI_REKEY        1002    0 ACTIVE
202.100.1.2     202.100.1.1     GDOI_IDLE         1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

R2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
202.100.1.2     202.100.1.4     GDOI_IDLE         1003    0 ACTIVE
202.100.1.2     202.100.1.1     GDOI_IDLE         1001    0 ACTIVE
202.100.1.2     202.100.1.3     GDOI_IDLE         1002    0 ACTIVE

IPv6 Crypto ISAKMP SA
R3#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
202.100.1.3     202.100.1.2     GDOI_REKEY        1002    0 ACTIVE
202.100.1.2     202.100.1.3     GDOI_IDLE         1001    0 ACTIVE

IPv6 Crypto ISAKMP SA
R4#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
202.100.1.2     202.100.1.4     GDOI_IDLE         1001    0 ACTIVE
202.100.1.4     202.100.1.2     GDOI_REKEY        1002    0 ACTIVE

IPv6 Crypto ISAKMP SA

⑤ Phase 2 security associations (the KS itself holds only the IKE/GDOI sessions and no IPsec SA, since it never forwards data traffic):
R1#show crypto engine connections active
Crypto Engine Connections

  ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
   1 Fa0/0      IPsec DES+SHA                   0      100 0.0.0.0
   2 Fa0/0      IPsec DES+SHA                 100        0 0.0.0.0
1001 Fa0/0      IKE   SHA+DES                   0        0 202.100.1.1
1002 <none>     IKE   SHA+AES256                0        0

R2#show crypto engine connections active
Crypto Engine Connections

  ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
1001 Fa0/0      IKE   SHA+DES                   0        0 202.100.1.2
1002 Fa0/0      IKE   SHA+DES                   0        0 202.100.1.2
1003 Fa0/0      IKE   SHA+DES                   0        0 202.100.1.2
R3#show crypto engine connections active
Crypto Engine Connections

  ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
   1 Fa0/0      IPsec DES+SHA                   0      100 0.0.0.0
   2 Fa0/0      IPsec DES+SHA                 100        0 0.0.0.0
1001 Fa0/0      IKE   SHA+DES                   0        0 202.100.1.3
1002 <none>     IKE   SHA+AES256                0        0

Spoke-to-spoke test from R4 (GM3) to R3 (GM2). The counters step by 10 after the first five pings and by 5 after the next five: the extra packets in the first run include the NHRP redirect/resolution exchange, which is carried in GRE and is therefore encrypted as well.
R4#ping 192.168.3.3 source 192.168.4.4  

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/94/112 ms
R4#show crypto engine connections active
Crypto Engine Connections

  ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
   1 Fa0/0      IPsec DES+SHA                   0       10 0.0.0.0
   2 Fa0/0      IPsec DES+SHA                  10        0 0.0.0.0
1001 Fa0/0      IKE   SHA+DES                   0        0 202.100.1.4
1002 <none>     IKE   SHA+AES256                0        0
R4#ping 192.168.3.3 source 192.168.4.4  

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/96/116 ms
R4#show crypto engine connections active
Crypto Engine Connections

  ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
   1 Fa0/0      IPsec DES+SHA                   0       15 0.0.0.0
   2 Fa0/0      IPsec DES+SHA                  15        0 0.0.0.0
1001 Fa0/0      IKE   SHA+DES                   0        0 202.100.1.4
1002 <none>     IKE   SHA+AES256                0        0