1.Router-to-Router LAN-toLAN ×××
1.1拓扑
1.2配置
1.基本连通性路由配置:
R5(config)#int f0/0
R5(config-if)#ip add 15.15.15.5 255.255.255.0
R5(config-if)#no sh
R5(config-if)#ex
R5(config)#ip route 0.0.0.0 0.0.0.0 15.15.15.1
R5(config)#int lo0
R5(config-if)#ip add 5.5.5.5 255.255.255.0
R5(config-if)#
R1(config)#int f0/0
R1(config-if)#ip add 15.15.15.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#int f1/0
R1(config-if)#ip add 16.16.16.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#ex
R1(config)#ip route 0.0.0.0 0.0.0.0 16.16.16.6
R1(config)#ip route 5.5.5.5 255.255.255.255 15.15.15.5
R1(config)#
R6(config)#int f1/0
R6(config-if)#ip add 16.16.16.6 255.255.255.0
R6(config-if)#no sh
R6(config-if)#int f0/0
R6(config-if)#ip add 26.26.26.6 255.255.255.0
R6(config-if)#no sh
R2(config)#int f0/0
R2(config-if)#ip add 26.26.26.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#int f1/0
R2(config-if)#ip add 23.23.23.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#ex
R2(config)#ip route 0.0.0.0 0.0.0.0 26.26.26.6
R2(config)#
R3(config)#int f1/0
R3(config-if)#ip add 23.23.23.3 255.255.255.0
R3(config-if)#no sh
R3(config-if)#ex
R3(config)#ip route 0.0.0.0 0.0.0.0 23.23.23.2
R3(config)#
2.配置LAN-toLAN ×××
2.1在R1上配置IKE(ISAKMP)策略:
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#hash sha
R1(config-isakmp)#group 2
R1(config-isakmp)#ex
2.2在R1上定义认证标识:
R1(config)#crypto isakmp key 0 cisco123 address 26.26.26.2
2.3在R1上配置IPSec transform-set:
R1(config)#crypto ipsec transform-set myset esp-3des esp-sha-hmac
R1(cfg-crypto-trans)#mode ?
transport transport (payload encapsulation) mode
tunnel tunnel (datagram encapsulation) mode
R1(cfg-crypto-trans)#mode tunnel
R1(cfg-crypto-trans)#ex
R1(config)#
2.4在R1上定义感兴趣流量:
R1(config)#access-list 100 permit ip 15.15.15.0 0.0.0.255 23.23.23.0 0.0.0.255
R1(config)#
2.5在R1上创建crypto map:
R1(config)#crypto map l2l 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#set peer 26.26.26.2
R1(config-crypto-map)#set transform-set myset
R1(config-crypto-map)#match address ?
<100-199> IP access-list number
<2000-2699> IP access-list number (expanded range)
WORD Access-list name
R1(config-crypto-map)#match address 100
R1(config-crypto-map)#ex
2.6在R1上将crypto map 应用于外部接口:
R1(config)#int f1/0
R1(config-if)#crypto map l2l
R1(config-if)#
*Mar 1 00:30:38.199: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#ex
3.使用同样的方式配置R2的LAN-to-LAN ×××
R2(config)#crypto isakmp policy 1
R2(config-isakmp)#encryption 3des
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#hash sh
R2(config-isakmp)#group 2
R2(config-isakmp)#ex
R2(config)#crypto isakmp key 0 cisco123 address 16.16.16.1
R2(config)#crypto ipsec transform-set myset esp-3des esp-sha-hmac
R2(cfg-crypto-trans)#ex
R2(config)#access-list 100 permit ip 23.23.23.0 0.0.0.255 15.15.15.0 0.0.0.255
R2(config)#crypto map l2l 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R2(config-crypto-map)#set peer 16.16.16.1
R2(config-crypto-map)#set transform-set myset
R2(config-crypto-map)#match address 100
R2(config-crypto-map)#ex
R2(config)#int f0/0
R2(config-if)#crypto map l2l
R2(config-if)#
*Mar 1 00:46:37.707: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R2(config-if)#
1.3验证
1.查看IKE(ISAKMP)策略:
R1#show crypto isakmp policy
Global IKE policy
Protection suite of priority 1
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
R1#
2.查看Phase One 时的认证密码:
R1#show crypto isakmp key
Keyring Hostname/Address Preshared Key
default 26.26.26.2 cisco123
3.查看IKE SA(ISAKMP SA):
R1#show crypto isakmp sa
dst src state conn-id slot status
R1#
说明:虽然R1与R2之间已经配置足够的×××命令,但IKE SA仍然没有建立,因为在灭有用户流量的传输来初始化的情况下,IKE SA通常是无法自动建立的。
4.查看R1上的IKE SA的peer:
R1#show crypto isakmp peers
R1#
说明:可以看见目前没有任何IKE SA peer。
5.查看R1上的IPSec Transform:
R1#show crypto ipsec transform-set
Transform set myset: { esp-3des esp-sha-hmac }
will negotiate = { Tunnel, },
R1#
说明:IPSec transform显示了数据封装使用esp加3des加密,并且使用esp结合sha做hash运算,默认没有指定IPSec mode,默认的mode为tunnel.
6.查看r1上的IPSec SA:
R1#show crypto ipsec sa
interface: FastEthernet1/0
Crypto map tag: l2l, local addr 16.16.16.1
protected vrf: (none)
local ident (addr/mask/prot/port): (15.15.15.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (23.23.23.0/255.255.255.0/0/0)
current_peer 26.26.26.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 16.16.16.1, remote crypto endpt.: 26.26.26.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
R1#
说明:可以看见当前R1上IPsec SA的信息,但目前的SA为非活动状态,并且SA显示了正确的数据信息,即从本地15.15.15.0/24发往23.23.23.0/24的。
7.查看R1上的IPSec SA 的lifetime:
R1#show crypto ipsec security-association
Security association lifetime: 4608000 kilobytes/3600 seconds
R1#
8.查看R1上的crypto map:
R1#show crypto map
Crypto Map "l2l" 1 ipsec-isakmp
Peer = 26.26.26.2
Extended IP access list 100
access-list 100 permit ip 15.15.15.0 0.0.0.255 23.23.23.0 0.0.0.255
Current peer: 26.26.26.2
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
myset,
}
Interfaces using crypto map l2l:
FastEthernet1/0
R1#
测试×××:
9.从R5向R3发送流量:
R5#ping 23.23.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
别桑心,等一会再试试。
R5#ping 23.23.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 72/117/156 ms
R5#
10.再次查看R1上的IKE SA的peer:
R1#show crypto isakmp peers
Peer: 26.26.26.2 Port: 500 Local: 16.16.16.1
Phase1 id: 26.26.26.2
R1#
11.查看R1上的IKE SA(ISAKMP SA):
R1#show crypto isakmp sa
dst src state conn-id slot status
26.26.26.2 16.16.16.1 QM_IDLE 1 0 ACTIVE
R1#
12.再次查看R1上的IPSec SA:
R1#show crypto ipsec sa
interface: FastEthernet1/0
Crypto map tag: l2l, local addr 16.16.16.1
protected vrf: (none)
local ident (addr/mask/prot/port): (15.15.15.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (23.23.23.0/255.255.255.0/0/0)
current_peer 26.26.26.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 4, #recv errors 0
local crypto endpt.: 16.16.16.1, remote crypto endpt.: 26.26.26.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
current outbound spi: 0x939BA21B(2476450331)
inbound esp sas:
spi: 0x9C6517EC(2623870956)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: l2l
sa timing: remaining key lifetime (k/sec): (4409239/3319)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x939BA21B(2476450331)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: l2l
sa timing: remaining key lifetime (k/sec): (4409239/3317)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R1#
13.查看R5向R3发送数据包的路径走向:
R5#traceroute 23.23.23.3
Type escape sequence to abort.
Tracing the route to 23.23.23.3
1 15.15.15.1 76 msec 40 msec 24 msec
2 * * *
3 23.23.23.3 92 msec * 140 msec
R5#
说明:可以看出中间只有一跳就到达了目的地,说明中间的“多跳”已经被隧道取代为一跳了。
调试×××中感兴趣的流量
1.在R1上将ACL定义的感兴趣的流量改为任意流量,即any:
R1(config)#no access-list 100
R1(config)#access-list 100 permit ip any any
2.查看R1上的crypto map:
R1(config)#do show crypto map
Crypto Map "l2l" 1 ipsec-isakmp
Peer = 26.26.26.2
Extended IP access list 100
access-list 100 permit ip any any
Current peer: 26.26.26.2
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
myset,
}
Interfaces using crypto map l2l:
FastEthernet1/0
R1(config)#
说明:显示了被IPSec保护的流量为ACL100中的流量,即any。
3.查看R1上的IPSec SA:
R1(config)#do show crypto ipsec sa
interface: FastEthernet1/0
Crypto map tag: l2l, local addr 16.16.16.1
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 26.26.26.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 16.16.16.1, remote crypto endpt.: 26.26.26.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
R1(config)#
4.从R5向R3发送流量:
R5#ping 23.23.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5#
说明:这次R5向R3发送流量没能激活IKE SA,所以需要将感兴趣流量ACL中的any替换为具体网段,并且源和目的都不能使用any来表示。
5.修改感兴趣的流量的ACL:
R1(config)#no access-list 100
R1(config)#access-list 100 permit ip 15.15.15.0 0.0.0.255 23.23.23.0 0.0.0.255
6.再次从R5向R3发送流量:
R5#ping 23.23.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 36/99/132 ms
R5#
测试NAT对LAN-to-LAN ×××的影响:
1.在R2上配置NAT:
R2(config)#int f0/0
R2(config-if)#ip nat outside
*Mar 1 02:50:43.095: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
R2(config-if)#exit
R2(config)#int f1/0
R2(config-if)#ip nat inside
R2(config-if)#ex
R2(config)#access-list 1 permit any
R2(config)#ip nat inside source list 1 interface f0/0 overload
2.从R3向R5发送流量:
R3#ping 15.15.15.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.5, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R3#
说明:和预期一样,IPSec流量是不能穿越NAT的。
3.查看NAT转换信息:
R2(config)#do show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 26.26.26.2:1 23.23.23.3:1 15.15.15.5:1 15.15.15.5:1
R2(config)#
说明:转换表显示刚才的流量被转换,但转换后的流量不会被IPSec认同了。
4.删除R2上的NAT:
R2(config)#int f1/0
R2(config-if)#no ip nat inside
R2(config-if)#int f0/0
R2(config-if)#no ip nat outside
R2(config-if)#ex
5.再次从R3向R5发送流量,成功了:
R3#ping 15.15.15.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/92/172 ms
R3#
6.刚刚发现了一个很现实对我来说也很麻烦的问题是:
假如一定要在R2上做NAT,同时将23.23.23.0/24发往15.15.15.0/24的流量不被NAT转换,即保证×××正常工作。
6.1我接着在R2上做过一下配置:
R2(config)#int f1/0
R2(config-if)#ip nat inside
R2(config-if)#int f0/0
R2(config-if)#ip nat outside
R2(config-if)#ex
R2(config)#access-list 1 deny 23.23.23.0 0.0.0.255
R2(config)#access-list 1 permit any
R2(config)#ip nat inside source list 1 interface f0/0 overload
R2(config)#
R2(config)#^Z
R2#clear ip nat translation *
R2#
R2#show ip nat translations
R2#
6.2再次从R3向R5发送流量:
R3#ping 15.15.15.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.5, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R3#ping 15.15.15.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.5, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R3#
这个NAT结果还是很纠结,请求高手指点迷津。
