×××配置实例_06：分支机构到中心站点动态IPSEC ×××配置

原创

5609262 2013-06-02 17:14:07 博主文章分类：思科VPN技术 ©著作权

文章标签 cisco IP地址 address ipsec 思科设备 dynamic-map 文章分类 网络安全

©著作权归作者所有：来自51CTO博客作者5609262的原创作品，请联系作者获取转载授权，否则将追究法律责任

说明：动态的crypto map 配置的IPSCE ×××，通常用在中心站点为固定IP地址，分支站点为动态IP地址的场合，这种配置也通常用在一方为思科设备，另一方为非思科设备的情况。

一，Center中心站点配置说明：

Center#
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0    #8个0指匹配任意IP地址。
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto dynamic-map dymap 10    #动态CRYPTO MAP 只需设置转换集，任意PEER和感兴趣流都可以被中心站点接受，中心站点也不用设备PEER和感兴趣流
set transform-set cisco
!
crypto map To_branch 10000 ipsec-isakmp dynamic dymap  #一般动态序号配置为最大，是为了序号小的明细的静态crypto map 优先。
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 202.100.1.1 255.255.255.0
duplex auto
speed auto
crypto map To_branch    #crypto map 应用于接口。
!
no ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 202.100.1.10
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end

Center#

二，Branch分支机构配置：

Branch#

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 202.100.1.1
!
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto map To_center 10 ipsec-isakmp
set peer 202.100.1.1        #设置为中心站点的固定IP地址。
set transform-set cisco
match address vpn
!
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
ip address dhcp
duplex auto
speed auto
crypto map To_center    #IPSEC crypto map 应用于接口。
!
no ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 61.128.1.10
!
ip access-list extended vpn    #分支站点需要定义感兴趣流
permit ip host 2.2.2.2 host 1.1.1.1
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end

Branch#

三，配置测试：

Branch#ping 1.1.1.1 so 2.2.2.2 #动态Crypto map 只能由分支站点向中心站点先发起感兴趣流。

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/59/112 ms
Branch#

四，配置信息查看：

Branch#show crypto isakmp policy

Global IKE policy
Protection suite of priority 10
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

Branch#show crypto engine conn ac

  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt
   1 FastEthernet1/0      61.128.1.12     set    HMAC_MD5+3DES_56_C        0        0
2001 FastEthernet1/0      61.128.1.12     set    DES+MD5                  17        0
2002 FastEthernet1/0      61.128.1.12     set    DES+MD5                   0       17

Branch#show crypto isakmp sa
dst src state conn-id slot status
202.100.1.1 61.128.1.12 QM_IDLE 1 0 ACTIVE

Branch#show crypto ipsec sa

interface: FastEthernet1/0
Crypto map tag: To_center, local addr 61.128.1.12

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)    #感兴趣流
   remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)    #感兴趣流
   current_peer 202.100.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 36, #pkts encrypt: 36, #pkts digest: 36
    #pkts decaps: 36, #pkts decrypt: 36, #pkts verify: 36
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 12, #recv errors 0

     local crypto endpt.: 61.128.1.12, remote crypto endpt.: 202.100.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
     current outbound spi: 0x37062F6B(923152235)

     inbound esp sas:
      spi: 0x5909C929(1493813545)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: To_center
        sa timing: remaining key lifetime (k/sec): (4525079/2552)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

inbound ah sas:

inbound pcp sas:

     outbound esp sas:
      spi: 0x37062F6B(923152235)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }            #采用隧道模式
        conn id: 2001, flow_id: SW:1, crypto map: To_center
        sa timing: remaining key lifetime (k/sec): (4525079/2544)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

outbound ah sas:

outbound pcp sas:
Branch#