R1(config)#ip route 0.0.0.0 0.0.0.0 202.102.48.66
R3(config)#ip route 0.0.0.0 0.0.0.0 211.64.135.33
R1(config)#do ping 211.64.135.34
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 211.64.135.34, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/32/72 ms
R1(config)#
3. On R1, enter IKE policy configuration mode, configure the IKE phase 1 negotiation and specify the key:
R1(config)#crypto isakmp key 0 cisco address 211.64.135.34 (specify the pre-shared key and the peer address; 0 means the key is entered unencrypted)
R1(config)#crypto isakmp policy 1 (enter IKE policy configuration mode; 1 is the priority)
R1(config-isakmp)#authentication pre-share (use a pre-shared key for authentication)
R1(config-isakmp)#encryption 3des (encryption algorithm is 3des)
R1(config-isakmp)#hash md5 (configure the hash algorithm; the default is sha, use md5 if the router is not powerful enough)
R1(config-isakmp)#group 1 (use Diffie-Hellman group 1 for the key exchange)
R1(config-isakmp)#lifetime 1000 (IKE SA lifetime; the default is 86400 seconds, i.e. one day)
R1(config)#crypto ipsec transform-set TEST esp-3des esp-md5-hmac (configure the IPsec transform set that encrypts the exchanged data)
R1(config)#access-list 100 permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255
R1(config)#crypto map R1_vpn_R3 10 ipsec-isakmp (configure the crypto map)
R1(config-crypto-map)#set peer 211.64.135.34 (set the peer IP)
R1(config-crypto-map)#set transform-set TEST (reference the IPsec transform set defined earlier)
R1(config-crypto-map)#match address 100 (match ACL 100 and protect the traffic it describes)
R1(config-crypto-map)#int s1/1
R1(config-if)#crypto map R1_vpn_R3 (enter the interface and attach the crypto map)
R3(config)#crypto isakmp key 0 cisco address 202.102.48.65
R3(config)#crypto isakmp policy 1
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#encryption 3des
R3(config-isakmp)#hash md5
R3(config-isakmp)#group 1
R3(config-isakmp)#lifetime 1000
R3(config)#crypto ipsec transform-set TEST esp-3des esp-md5-hmac
R3(config)#access-list 100 permit ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255
R3(config)#crypto map R3_vpn_R1 10 ipsec-isakmp
R3(config-crypto-map)#set peer 202.102.48.65
R3(config-crypto-map)#set transform-set TEST
R3(config-crypto-map)#match address 100
R3(config-crypto-map)#int s1/0
R3(config-if)#crypto map R3_vpn_R1
R3(config-if)#
*Mar 1 04:54:57.322: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON (after the configuration, the status message shows ISAKMP is ON)
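Both routers must agree on the phase 1 attributes, the pre-shared key and the IPsec transforms before the tunnel can come up. The following script is an added example written for this write-up (it is not code from the original post): it parses the R1 and R3 commands shown above, constructed here as two IOS config strings with the page's lab addresses and the key string "cisco", and reports whether the two sides would negotiate, which phase 1 settings they would land on, and which of those settings are no longer considered strong. The "ipsec-isakmp" keyword is normalised to lower case (IOS accepts either); the default policy values are the ones the page's own `show crypto isakmp policy` output lists.

```python
"""Check that the IKE/IPsec settings on two IOS peers can actually negotiate.

Added example for this write-up, not part of the original post. The two config
strings are constructed from the R1 and R3 commands shown on the page.
"""
import re

R1_CONFIG = """\
crypto isakmp key 0 cisco address 211.64.135.34
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 1000
crypto ipsec transform-set TEST esp-3des esp-md5-hmac
crypto map R1_vpn_R3 10 ipsec-isakmp
 set peer 211.64.135.34
 set transform-set TEST
 match address 100
"""

R3_CONFIG = """\
crypto isakmp key 0 cisco address 202.102.48.65
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 1000
crypto ipsec transform-set TEST esp-3des esp-md5-hmac
crypto map R3_vpn_R1 10 ipsec-isakmp
 set peer 202.102.48.65
 set transform-set TEST
 match address 100
"""

# Phase 1 attributes both peers must agree on. IOS fills in DEFAULTS for anything
# a policy leaves unset (the page's "Default protection suite" shows the same values).
ISAKMP_ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")
DEFAULTS = {"authentication": "rsa-sig", "encryption": "des",
            "hash": "sha", "group": "1", "lifetime": "86400"}
# Settings that negotiate fine but are no longer considered strong.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}


def parse_config(text):
    """Pull policies, pre-shared keys, transform sets and crypto-map settings out of IOS config text."""
    cfg = {"policies": {}, "keys": {}, "transforms": {}, "maps": {}}
    section = None  # (kind, name) of the indented block we are inside
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith(" "):  # sub-command of the current policy or crypto map
            key, _, value = line.strip().partition(" ")
            if section and section[0] == "policy" and key in ISAKMP_ATTRS:
                cfg["policies"][section[1]][key] = value
            elif section and section[0] == "map" and key == "set":
                sub, _, subval = value.partition(" ")
                cfg["maps"][section[1]][sub] = subval
            continue
        section = None
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            section = ("policy", int(m.group(1)))
            cfg["policies"][section[1]] = dict(DEFAULTS)
        elif m := re.match(r"crypto isakmp key \d (\S+) address (\S+)$", line):
            cfg["keys"][m.group(2)] = m.group(1)  # peer address -> key string
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            cfg["transforms"][m.group(1)] = frozenset(m.group(2).split())
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", line):
            section = ("map", m.group(1))
            cfg["maps"][m.group(1)] = {}
    return cfg


def negotiated_policy(local, remote):
    """First (local, remote) policy pair that agrees on auth/encryption/hash/group,
    checked in priority order. Lifetimes need not be equal: IOS uses the shorter one."""
    for lp, lpol in sorted(local.items()):
        for rp, rpol in sorted(remote.items()):
            if all(lpol[a] == rpol[a] for a in ISAKMP_ATTRS if a != "lifetime"):
                neg = dict(lpol, lifetime=str(min(int(lpol["lifetime"]), int(rpol["lifetime"]))))
                return lp, rp, neg
    return None


def check_pair(local_text, remote_text):
    """Return findings for one side of a peer pair; run it both ways for a full check."""
    loc, rem = parse_config(local_text), parse_config(remote_text)
    findings = []
    match = negotiated_policy(loc["policies"], rem["policies"])
    if match is None:
        findings.append("no IKE phase 1 policy matches between the peers")
    else:
        lp, rp, neg = match
        findings.append(f"phase 1 match: local policy {lp} / remote policy {rp}, lifetime {neg['lifetime']}s")
        findings += [f"weak phase 1 setting negotiated: {a}={neg[a]}"
                     for a in ("encryption", "hash", "group") if neg[a] in WEAK[a]]
    for name, cmap in loc["maps"].items():
        peer = cmap.get("peer")
        if peer not in loc["keys"]:
            findings.append(f"crypto map {name}: no pre-shared key configured for peer {peer}")
        elif loc["keys"][peer] not in rem["keys"].values():
            findings.append(f"crypto map {name}: pre-shared key for {peer} differs from the remote side")
        proposal = loc["transforms"].get(cmap.get("transform-set"))
        if proposal is None or proposal not in rem["transforms"].values():
            findings.append(f"crypto map {name}: no matching IPsec transform set on the remote side")
    return findings


if __name__ == "__main__":
    for finding in check_pair(R1_CONFIG, R3_CONFIG):
        print(finding)
```

On the page's configs the script reports a phase 1 match on policy 1 with a 1000 s lifetime, then flags 3des, md5 and DH group 1 as weak; changing the hash on one side to sha makes it report that no phase 1 policy matches, which is exactly the failure the note under `show crypto isakmp policy` warns about.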
R1#ping
Protocol [ip]:
Target IP address: 192.168.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.16.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
.!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/35/68 ms
R1#
R1#sh crypto isakmp policy
Global IKE policy
Protection suite of priority 1 (this is the policy we defined; its settings must match R3's for the negotiation to succeed)
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 1000 seconds, no volume limit
Default protection suite (the system default policy still exists)
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
R1#sh crypto isakmp key
Keyring Hostname/Address Preshared Key
default 211.64.135.34 cisco
R3#sh crypto isakmp key
Keyring Hostname/Address Preshared Key
default 202.102.48.65 cisco
R3#sh crypto ipsec transform-set
Transform set TEST: { esp-3des esp-md5-hmac }
will negotiate = { Tunnel, },
R1#sh crypto isakmp sa
dst src state conn-id slot status
202.102.48.65 211.64.135.34 QM_IDLE 1 0 ACTIVE (the ISAKMP SA is in the active state)
R1#sh crypto ipsec sa
interface: Serial1/1
Crypto map tag: R1_vpn_R3, local addr 202.102.48.65 (the local crypto map tag is shown here)
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
current_peer 211.64.135.34 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 202.102.48.65, remote crypto endpt.: 211.64.135.34
path mtu 1500, ip mtu 1500, ip mtu idb Serial1/1
current outbound spi: 0x5C97AB5B(1553443675)
inbound esp sas:
spi: 0x454D5992(1162697106)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: R1_vpn_R3
sa timing: remaining key lifetime (k/sec): (4434675/3031)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x5C97AB5B(1553443675)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: R1_vpn_R3
sa timing: remaining key lifetime (k/sec): (4434675/3030)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R1#
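The `show crypto ipsec sa` output above is what you read to confirm the tunnel is really protecting traffic: an ACTIVE ESP SA in each direction, encaps and decaps counters both climbing, no send/receive errors, anti-replay on, and the current outbound SPI matching the outbound SA. The following script is an added example for this write-up (not code from the original post) that parses that output and reports any of those conditions that fail. SAMPLE is the R1 output shown above, trimmed to the lines the check needs; the parser assumes the IOS output layout seen on this page.

```python
"""Parse "show crypto ipsec sa" and decide whether the tunnel is actually passing traffic.

Added example for this write-up, not part of the original post. SAMPLE is the
R1 output shown on the page, trimmed to the lines the check needs.
"""
import re

SAMPLE = """\
interface: Serial1/1
    Crypto map tag: R1_vpn_R3, local addr 202.102.48.65
   local  ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   current_peer 211.64.135.34 port 500
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #send errors 0, #recv errors 0
     current outbound spi: 0x5C97AB5B(1553443675)
     inbound esp sas:
      spi: 0x454D5992(1162697106)
        transform: esp-3des esp-md5-hmac ,
        sa timing: remaining key lifetime (k/sec): (4434675/3031)
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x5C97AB5B(1553443675)
        transform: esp-3des esp-md5-hmac ,
        sa timing: remaining key lifetime (k/sec): (4434675/3030)
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
"""


def parse_ipsec_sa(text):
    """Return the counters and the per-direction ESP SA list from the show output."""
    info = {"sas": {"inbound esp": [], "outbound esp": []}}
    group, sa = None, None  # which "... sas:" block we are in, and the SA being filled
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Crypto map tag: (\S+), local addr (\S+)", line):
            info["map"], info["local"] = m.groups()
        elif m := re.match(r"current_peer (\S+) port \d+", line):
            info["peer"] = m.group(1)
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", line):
            info[m.group(1)] = int(m.group(2))
        elif m := re.match(r"#send errors (\d+), #recv errors (\d+)", line):
            info["send_errors"], info["recv_errors"] = int(m.group(1)), int(m.group(2))
        elif m := re.match(r"current outbound spi: (0x[0-9A-Fa-f]+)", line):
            info["outbound_spi"] = m.group(1)
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line):
            group, sa = f"{m.group(1)} {m.group(2)}", None
        elif (m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line)) and group in info["sas"]:
            sa = {"spi": m.group(1)}
            info["sas"][group].append(sa)
        elif sa is not None:  # detail lines belonging to the SA just opened
            if m := re.search(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)", line):
                sa["kb_left"], sa["sec_left"] = int(m.group(1)), int(m.group(2))
            elif m := re.match(r"replay detection support: (\w)", line):
                sa["replay"] = m.group(1) == "Y"
            elif m := re.match(r"Status: (\w+)", line):
                sa["status"] = m.group(1)
    return info


def tunnel_problems(info, min_seconds=300):
    """List reasons the tunnel is not healthy; an empty list means it looks fine."""
    problems = []
    for direction in ("inbound esp", "outbound esp"):
        sas = info["sas"][direction]
        if not sas:
            problems.append(f"no {direction} SA: phase 2 has not completed")
        for sa in sas:
            if sa.get("status") != "ACTIVE":
                problems.append(f"{direction} SA {sa['spi']} is {sa.get('status', 'unknown')}")
            if not sa.get("replay"):
                problems.append(f"{direction} SA {sa['spi']} has anti-replay disabled")
            if sa.get("sec_left", 0) < min_seconds:
                problems.append(f"{direction} SA {sa['spi']} expires in {sa.get('sec_left', 0)}s")
    if info.get("encaps", 0) == 0:
        problems.append("no packets encapsulated: nothing matched the crypto ACL outbound")
    if info.get("decaps", 0) == 0:
        problems.append("no packets decapsulated: nothing is coming back from the peer")
    if info.get("send_errors", 0) or info.get("recv_errors", 0):
        problems.append(f"send/recv errors: {info.get('send_errors')}/{info.get('recv_errors')}")
    if info.get("outbound_spi") not in {sa["spi"] for sa in info["sas"]["outbound esp"]}:
        problems.append("current outbound SPI does not match any outbound ESP SA")
    return problems


if __name__ == "__main__":
    print(tunnel_problems(parse_ipsec_sa(SAMPLE)) or "tunnel healthy")
```

On the page's output the check passes. A decaps counter that stays at 0 while encaps climbs is the classic one-way symptom (the return traffic is not being matched by the peer's crypto ACL, or is taking a different route), and the script names that case explicitly.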