Note: An IPsec VPN built with a dynamic crypto map is normally used where the hub (center) site has a fixed IP address and the branch sites have dynamic IP addresses. The same configuration is also commonly used when one side is a Cisco device and the other side is a non-Cisco device.
1. Center (hub site) configuration:
Center#
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0 #The eight zeros match any peer IP address.
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto dynamic-map dymap 10 #A dynamic crypto map only needs a transform set: the hub accepts any peer and any interesting traffic, so the hub does not configure a peer or interesting traffic itself.
set transform-set cisco
!
crypto map To_branch 10000 ipsec-isakmp dynamic dymap #The dynamic entry usually gets the largest sequence number so that more specific static crypto map entries with lower sequence numbers take priority.
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 202.100.1.1 255.255.255.0
duplex auto
speed auto
crypto map To_branch #Apply the crypto map to the interface.
!
no ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 202.100.1.10
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
Center#
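As an added example (not part of the original post and not Cisco tooling), the small Python audit below reads the crypto lines of the hub configuration above and flags the settings a defender would want to review: the wildcard pre-shared key, which makes one secret valid for every peer address, and the legacy algorithms chosen here (3DES/MD5/DH group 2 for IKE, ESP-DES/MD5 for IPsec). The keyword sets and the sample config are my own assumptions, not an exhaustive policy.

```python
import re

# Constructed sample: the crypto-relevant lines of the Center configuration above.
CENTER_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set cisco esp-des esp-md5-hmac
crypto dynamic-map dymap 10
 set transform-set cisco
crypto map To_branch 10000 ipsec-isakmp dynamic dymap
"""

# Assumed "legacy" sets; adjust to the policy you actually enforce.
_WEAK_ENCR = {"des", "3des"}
WEAK_ISAKMP = {
    "encr": _WEAK_ENCR, "encryption": _WEAK_ENCR,   # IOS accepts both spellings
    "hash": {"md5"},
    "group": {"1", "2"},                             # 768/1024-bit DH
}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def audit_ios_crypto(config):
    """Return (line, reason) findings for weak IKE/IPsec settings and wildcard PSKs.

    Matching is line-based and context-free (it assumes 'encr', 'hash' and
    'group' only occur as ISAKMP policy sub-commands), which is good enough
    for a crypto-only excerpt like the one above.
    """
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        parts = line.split()
        if not parts:
            continue
        if parts[0] in WEAK_ISAKMP and len(parts) > 1 and parts[1] in WEAK_ISAKMP[parts[0]]:
            findings.append((line, f"weak IKE {parts[0]} setting"))
        elif parts[:3] == ["crypto", "ipsec", "transform-set"]:
            # parts[3] is the set name; everything after it is an algorithm.
            for alg in parts[4:]:
                if alg in WEAK_TRANSFORMS:
                    findings.append((line, f"weak IPsec transform {alg}"))
        elif parts[:3] == ["crypto", "isakmp", "key"]:
            # 'address 0.0.0.0' or 'address 0.0.0.0 0.0.0.0' = same PSK for every peer.
            if re.search(r"\baddress\s+0\.0\.0\.0(\s+0\.0\.0\.0)?$", line):
                findings.append((line, "pre-shared key accepted from any peer address"))
    return findings
```

The hub needs the wildcard key precisely because branch addresses are unknown in advance, so the finding is a prompt to use a strong per-deployment secret (or certificates) rather than something to remove.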
2. Branch site configuration:
Branch#
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 202.100.1.1
!
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto map To_center 10 ipsec-isakmp
set peer 202.100.1.1 #Set to the hub's fixed IP address.
set transform-set cisco
match address vpn
!
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
ip address dhcp
duplex auto
speed auto
crypto map To_center #Apply the IPsec crypto map to the interface.
!
no ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 61.128.1.10
!
ip access-list extended vpn #The branch site must define the interesting traffic.
permit ip host 2.2.2.2 host 1.1.1.1
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
Branch#
3. Testing the configuration:
Branch#ping 1.1.1.1 so 2.2.2.2 #With a dynamic crypto map, the interesting traffic can only be initiated first from the branch toward the hub.
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/59/112 ms
Branch#
4. Viewing the configuration state:
Branch#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Branch#show crypto engine conn ac
ID Interface IP-Address State Algorithm Encrypt Decrypt
1 FastEthernet1/0 61.128.1.12 set HMAC_MD5+3DES_56_C 0 0
2001 FastEthernet1/0 61.128.1.12 set DES+MD5 17 0
2002 FastEthernet1/0 61.128.1.12 set DES+MD5 0 17
Branch#show crypto isakmp sa
dst src state conn-id slot status
202.100.1.1 61.128.1.12 QM_IDLE 1 0 ACTIVE
Branch#show crypto ipsec sa
interface: FastEthernet1/0
Crypto map tag: To_center, local addr 61.128.1.12
protected vrf: (none)
local ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0) #interesting traffic
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0) #interesting traffic
current_peer 202.100.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 36, #pkts encrypt: 36, #pkts digest: 36
#pkts decaps: 36, #pkts decrypt: 36, #pkts verify: 36
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 12, #recv errors 0
local crypto endpt.: 61.128.1.12, remote crypto endpt.: 202.100.1.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
current outbound spi: 0x37062F6B(923152235)
inbound esp sas:
spi: 0x5909C929(1493813545)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: To_center
sa timing: remaining key lifetime (k/sec): (4525079/2552)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x37062F6B(923152235)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, } #Tunnel mode is used.
conn id: 2001, flow_id: SW:1, crypto map: To_center
sa timing: remaining key lifetime (k/sec): (4525079/2544)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Branch#