网络拓扑:

wKioL1c6zzDDkDfIAABMnt0vl1A724.png

R0配置:

ISP>en

ISP#sh run

Building configuration...


Current configuration : 707 bytes

!

version 15.1

no service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

!

hostname ISP

!

!

!

!

!

!

!

!

ip cef

no ipv6 cef

!

!

!

!

license udi pid CISCO2911/K9 sn FTX1524YI8Z

!

!

!

!

!

!

!

!

!

!

!

spanning-tree mode pvst

!

!

!

!

!

!

interface GigabitEthernet0/0

ip address 1.1.1.1 255.255.255.248

duplex auto

speed auto

!

interface GigabitEthernet0/1

ip address 2.2.2.1 255.255.255.248

duplex auto

speed auto

!

interface GigabitEthernet0/2

no ip address

duplex auto

speed auto

shutdown

!

interface Vlan1

no ip address

shutdown

!

ip classless

!

ip flow-export version 9

!

!

!

!

!

!

!

line con 0

!

line aux 0

!

line vty 0 4

login

!

!

!

end



ISP#  


R6配置:

Router#sh run

Building configuration...


Current configuration : 1331 bytes

!

version 12.4

no service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

!

hostname Router

!

!

!

!

!

!

!

!

ip cef

no ipv6 cef

!

!

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

lifetime 10000

!

crypto isakmp key 123 address 2.2.2.2

!

!

crypto ipsec security-association lifetime seconds 1800

!

crypto ipsec transform-set ***-set esp-des

!

crypto map test-map 1 ipsec-isakmp

set peer 2.2.2.2

set security-association lifetime seconds 1800

set transform-set ***-set

match address 100

!

!

!

!

!

!

spanning-tree mode pvst

!

!

!

!

!

!

interface FastEthernet0/0

ip address 1.1.1.2 255.255.255.248

ip nat outside

duplex auto

speed auto

crypto map test-map

!

interface FastEthernet0/1

ip address 192.168.100.1 255.255.255.0

ip nat inside

duplex auto

speed auto

!

interface Vlan1

no ip address

shutdown

!

ip nat inside source list 101 interface FastEthernet0/0 overload

ip classless

ip route 0.0.0.0 0.0.0.0 1.1.1.1

ip route 192.168.0.0 255.255.0.0 192.168.100.2

!

ip flow-export version 9

!

!

access-list 100 permit ip 192.168.0.0 0.0.255.255 174.36.0.0 0.0.255.255

access-list 101 deny ip 192.168.0.0 0.0.255.255 174.36.0.0 0.0.255.255 //拒绝R6内网到R5内网走NAT流量(在permit前)

access-list 101 permit ip any any

!

!

!

!

!

line con 0

!

line aux 0

!

line vty 0 4

login

!

!

!

end



Router# 


R5配置:

Router#sh run

Building configuration...


Current configuration : 1326 bytes

!

version 12.4

no service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

!

hostname Router

!

!

!

!

!

!

!

!

ip cef

no ipv6 cef

!

!

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

lifetime 10000

!

crypto isakmp key 123 address 1.1.1.2

!

!

crypto ipsec security-association lifetime seconds 1800

!

crypto ipsec transform-set ***-set esp-des

!

crypto map test-map 1 ipsec-isakmp

set peer 1.1.1.2

set security-association lifetime seconds 1800

set transform-set ***-set

match address 100

!

!

!

!

!

!

spanning-tree mode pvst

!

!

!

!

!

!

interface FastEthernet0/0

ip address 2.2.2.2 255.255.255.248

ip nat outside

duplex auto

speed auto

crypto map test-map

!

interface FastEthernet0/1

ip address 174.36.10.1 255.255.255.0

ip nat inside

duplex auto

speed auto

!

interface Vlan1

no ip address

shutdown

!

ip nat inside source list 101 interface FastEthernet0/0 overload

ip classless

ip route 0.0.0.0 0.0.0.0 2.2.2.1

ip route 174.36.0.0 255.255.0.0 174.36.10.2

!

ip flow-export version 9

!

!

access-list 100 permit ip 174.36.0.0 0.0.255.255 192.168.0.0 0.0.255.255

access-list 101 deny ip 174.36.0.0 0.0.255.255 192.168.0.0 0.0.255.255

access-list 101 permit ip any any

!

!

!

!

!

line con 0

!

line aux 0

!

line vty 0 4

login

!

!

!

end



Router#  


验证:

wKioL1c713agFfqhAAAaW_4Y77Q407.png


wKiom1c71pqAIRpfAAA4AbvRLXQ485.png




***配置详解:

R6(config-if)#ip route 0.0.0.0 0.0.0.0 192.168.100.2

 

在IPSEC中,IKE被用来自动协商SA和密钥,如果被关闭用crypto isakmp enable启用

R6(config)#crypto isakmp policy 1     //建立IKE协商策略,编号为1

R6(config-isakmp)#encryption 3des    //设置加密使用的算法为3DES

R6(config-isakmp)#hash sha    //设置密钥认证的算法为sha

R6(config-isakmp)#authentication pre-share     //告诉router要先使用预共享密钥,手工指定

R6(config-isakmp)#group 2   

R6(config-isakmp)#lifetime 10000 //声明SA的生存时间为10000,超过后SA将重新协商

R6(config-isakmp)#exit

R6(config)#crypto isakmp key 123 address 2.2.2.2

//设置加密密钥为123,要求二端的密码相匹配,和对端地址

 

配置访问控制列表

注意:

当一个路由器接收到发往另一个路由器的内部网络报文时,IPSEC被启动,访问列表被用于确定哪些业务 将启动IKE和IPSEC协商

Crypto访问控制列表必须是互为镜像的,如:R6加密了所有流向R5的TCP流量,则R5必须加密流回R6的所有TCP流量

R6(config)#access-list 100 permit ip 192.168.0.0 0.0.255.255 174.36.0.0 0.0.255.255

//定义从192.168.0.0网络发往174.36.0.0的报文全部加密

 

//配置IPSEC传输模式,用于定义***隧道的认证类型,完整性与负载加密

 

R6(config)#crypto ipsec transform-set ***-set esp-des

R6(cfg-crypto-trans)#mode tunnel //可选

R6(cfg-crypto-trans)#exit

R6(config)#crypto ipsec security-association lifetime seconds 1800 //定义生存周期1800秒

 

//配置caypt map(加密映射)

R6(config)#crypto map test-map 1 ipsec-isakmp //创建crypto map

//IPSEC-ISAKMP表示采用自动协调,名为test-map,编号1为优先级,越小优先级越高

R6(config-crypto-map)#set peer 2.2.2.2 //设定crypto map所对应的***链路对端IP

R6(config-crypto-map)#set transform-set ***-set //指定crypto map所使用传输模式名

R6(config-crypto-map)#match address 100 //指定此crypto map使用的访问控制列表

R6(config-crypto-map)#exit

 

//将映射应用到对应的接口上,***就可生效了

R6(config)#int f0/0

R6(config-if)#crypto map test-map

 

//配置PAT

R6(config)#access-list 100 permit ip 174.36.0.0 0.0.255.255 192.168.0.0 0.0.255.255

R6(config)#access-list 101 deny ip 192.168.0.0 0.0.255.255 174.36.0.0 0.0.255.255 //从192.168.0.0到174.36.0.0的流量不NAT转换(在permit前)

R6(config)#access-list 101 permit ip any any //所有地址NAT转换

R6(config)#ip nat inside source list 101 interface f0/0 overload //在F0/0上启用PAT

 

R6(config)#int f0/0

R6(config-if)#ip nat outside

R6(config)#int f0/1

R6(config-if)#ip nat inside

 

 

 

R5上的配置

R5(config)#int f0/0

R5(config-if)#ip add 2.2.2.2 255.255.255.248

R5(config-if)#no sh

R5(config)#int f0/1

R5(config-if)#ip add 174.36.10.1 255.255.255.0

R5(config-if)#no sh

 

R5(config-if)#ip route 0.0.0.0 0.0.0.0 174.36.10.2

 

//IPSEC ***的配置,含义与R5基本相同

R5(config)#crypto isakmp policy 1 //建立IKE协商策略,编号为1

R5(config-isakmp)#encryption 3des

R5(config-isakmp)#hash sha //设置密钥认证的算法为sha

R5(config-isakmp)#authentication pre-share //告诉router要先使用预共享密钥,手工指定

R5(config-isakmp)#group 2

R5(config-isakmp)#lifetime 10000

R5(config-isakmp)#exit

 

R5(config)#crypto isakmp key 123 address 1.1.1.2

//设置共享密钥为123,要求二端的密码相匹配,和对端地址

R5(config)#access-list 100 permit ip 174.36.0.0 0.0.255.255 192.168.0.0 0.0.255.255

R5(config)#access-list 101 deny ip 174.36.0.0 0.0.255.255 192.168.0.0 0.0.255.255

R5(config)#access-list 101 permit ip any any

R5(config)#crypto ipsec transform-set ***-set esp-des //加密算法二边要匹配

R5(cfg-crypto-trans)#mode tunnel

R5(cfg-crypto-trans)#exit

 

R5(config)#crypto ipsec security-association lifetime seconds 1800

R5(config)#crypto map test-map 1 ipsec-isakmp

//IPSEC-ISAKMP表示采用自动协调,名为test-map,编号1为优先级,越小优先级越高

R5(config-crypto-map)#set peer 1.1.1.2 //设定crypto map所对应的***链路对端IP

R5(config-crypto-map)#set transform-set ***-set //指定crypto map所使用传输模式名

R5(config-crypto-map)#match address 100 //指定此crypto map使用的访问控制列表

R5(config-crypto-map)#exit

 

应用到接口,生效

R5(config-crypto-map)#int f0/0

R5(config-if)#crypto map test-map

 

 

相关验证结果的查看命令

显示ISAKMP协商策略的结果

R5#sh crypto isakmp policy

 

查看管理连接SA的状态

R5#sh crypto isakmp sa

 

显示IPSEC变换集

R5#sh crypto ipsec transform-set

 

显示数据数据连接SA的细节信息

R5#sh crypto ipsec sa

 

显示Crypto Map的信息

R5#sh crypto map