实验一: L2L ×××
Rack01  ×××    ----R1-----R5----R3----
-192.168.1.1/24-loop0-r1-s0:218.87.15.1-----218.87.15.5-s0/1-r5-s0/3:202.101.53.5----202.101.53.3-s0-r3-loop0:192.168.3.3/24-
通讯点和加密点分析:
通讯点:192.168.1.1/24-------------192.168.3.1/24
加密点:218.87.15.1/24-------------202.101.53.3/24
中间路由器需要有加密点的路由:
internet只需要知道218.87.15.1和202.101.53.3的路由
加密设备需要:
1.对端加密点的路由 202.101.53.0 (r1而言)
2.感兴趣流目的的路由 (也就是对端通讯点) 192.168.3.0/24 (r1而言)

s:218.87.15.1  d:202.101.53.3 | esp | s:192.168.1.1  d:192.168.3.1  | pyload | esp-trail |
r1:
en
conf t
host r1
no ip routing
ip routing
no ip domain-lookup
line con 0
logg sy
exit
defa int s0
defa int s1
defa int e0
no   int loop0
int loop0
ip add 192.168.1.1 255.255.255.0
int s0
ip add 218.87.15.1 255.255.255.0
no sh
exit
ip route 202.101.53.0 255.255.255.0 218.87.15.5
end
conf t
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 202.101.53.3
crypto ipsec transform-set ts esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 202.101.53.3
 set transform-set ts
 match address my***
interface Serial0
 ip address 218.87.15.1 255.255.255.0
 crypto map mymap
ip access-list extended my***
 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
end
 

r5:
en
conf t
host r5
no ip routing
ip routing
no ip domain-lookup
line con 0
logg sy
exit
defa int s0/0
defa int s0/1
defa int s0/2
defa int s0/3
defa int e0/0
no   int loop0
int s0/1
ip add 218.87.15.5 255.255.255.0
clock r 64000
no sh
int s0/3
ip add 202.101.53.5 255.255.255.0
clock r 64000
no sh
exit
end
 
 
r3:
en
conf t
host r3
no ip routing
ip routing
no ip domain-lookup
line con 0
logg sy
exit
defa int s0
defa int s1
defa int e0
no   int loop0
int loop0
ip add 192.168.3.1 255.255.255.0
int s0
ip add 202.101.53.3 255.255.255.0
no sh
exit
ip route 218.87.15.0 255.255.255.0 202.101.53.5
end
conf t
crypto isakmp policy 20
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 218.87.15.1
crypto ipsec transform-set myts esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 218.87.15.1
 set transform-set myts
 match address ***
interface Serial0
 ip address 202.101.53.3 255.255.255.0
 crypto map mymap
ip access-list extended ***
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
end

=======================================================================================================
实验二: ISAKMP Profile ×××

ISAKMP Profile (拓展学习),IOS:12.3(升级前为12.24 5 T); 适应于总部与各种不同需求的分部做×××,如总部r1需与分部一r3做L2L-×××, 同时r1又需与另一分部r4做拨号×××,还可能与另一分部r6做DM×××:
step1:路由:
r1:
  ip route 0.0.0.0 0.0.0.0 218.87.15.5
r3:
  ip route 0.0.0.0 0.0.0.0 202.101.53.5
 
step2:isakmp策略:
r1:
  crypto isakmp policy 10
    hash md5
    authentication pre-share
  crypto keyring cisco
    pre-shared-key address 202.101.53.3 key 0 cisco
  crypto isakmp profile cisco
    match identity address 202.101.53.3
    keyring cisco

r3:
  crypto isakmp policy 10
    hash md5
    authentication pre-share
  crypto keyring cisco
    pre-shared-key address 218.87.15.1 key 0 cisco
  crypto isakmp profile cisco
    match identity address 218.87.15.1
    keyring cisco

step3:IPSec 策略:
r1:
  crypto ipsec transform-set ts esp-des esp-md5-hmac
r3:
  crypto ipsec transform-set ts esp-des esp-md5-hmac

step4:感兴趣流:
r1:
ip access-list extended ***
 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
r3:
ip access-list extended ***
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

step5:定义并应用crypto map
r1:
crypto map mymap 10 ipsec-isakmp
 set peer 202.101.53.3
 set transform-set ts
 match address ***
 set isakmp-profile cisco
int s0
  crypto map mymap

r3:
crypto map mymap 10 ipsec-isakmp
 set peer 218.87.15.1
 set transform-set ts
 match address ***
 set isakmp-profile cisco
int s0
 crypto map mymap
-----------
安全×××模拟器上效果:
r1:
en
conf t
host r1
no ip routing
ip routing
no ip domain-lookup
line con 0
logg sy
exit
defa int s1/0
defa int s1/1
defa int e0/0
no   int loop0
int loop0
ip add 192.168.1.1 255.255.255.0
int s1/0
ip add 218.87.15.1 255.255.255.0
no sh
exit
ip route 202.101.53.0 255.255.255.0 218.87.15.5
ip route 192.168.3.0  255.255.255.0 218.87.15.5
end
conf t
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto keyring cisco
  pre-shared-key address 202.101.53.3 key 0 cisco
crypto isakmp profile cisco
    match identity address 202.101.53.3
    keyring cisco

crypto ipsec transform-set ts esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 202.101.53.3
 set transform-set ts
 match address my***
 set isakmp-profile cisco
interface Serial1/0
 ip address 218.87.15.1 255.255.255.0
 crypto map mymap
ip access-list extended my***
 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
end
 

r2(r5):
en
conf t
host r5
no ip routing
ip routing
no ip domain-lookup
line con 0
logg sy
exit
defa int s1/0
defa int s1/1
defa int s1/2
defa int s1/3
defa int e0/0
no   int loop0
int s1/1
ip add 218.87.15.5 255.255.255.0
clock r 64000
no sh
int s1/0
ip add 202.101.53.5 255.255.255.0
clock r 64000
no sh
exit
end
 
 
r3:
en
conf t
host r3
no ip routing
ip routing
no ip domain-lookup
line con 0
logg sy
exit
defa int s1/0
defa int s1/1
defa int e0/0
no   int loop0
int loop0
ip add 192.168.3.1 255.255.255.0
int s1/1
ip add 202.101.53.3 255.255.255.0
clock r 64000
no sh
exit
ip route 218.87.15.0 255.255.255.0 202.101.53.5
ip route 192.168.1.0 255.255.255.0 202.101.53.5
end
conf t
crypto isakmp policy 20
 hash md5
 authentication pre-share
 group 2
crypto keyring cisco
  pre-shared-key address 218.87.15.1 key 0 cisco
crypto isakmp profile cisco
  match identity address 218.87.15.1
  keyring cisco
crypto ipsec transform-set myts esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 218.87.15.1
 set transform-set myts
 match address ***
 set isakmp-profile cisco
interface Serial1/1
 ip address 202.101.53.3 255.255.255.0
 crypto map mymap
ip access-list extended ***
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
end
---------------
GRE OVER IPSEC ------- L2L
 
==========================================================================================================
实验三: IPSec Profile ××× 

IPSec Profile(拓展学习) IOS:12.4;适用于×××站点间要跑动态路由协议
r1:
en
conf t
host r1
no ip routing
ip routing
no ip domain-lookup
line con 0
logg sy
exit
defa int s0
defa int s1
defa int e0
no   int loop0
int loop0
ip add 192.168.1.1 255.255.255.0
int s0
ip add 218.87.15.1 255.255.255.0
no sh
exit
ip route 202.101.53.0 255.255.255.0 218.87.15.5
end
conf t
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 202.101.53.3
crypto ipsec transform-set ts esp-des esp-md5-hmac
crypto ipsec profile ipspro
  set transform-set ts
  exit
int tunnel 0
  tunnel mode ipsec ipv4
  ip add 192.168.13.1 255.255.255.0
  tunnel source s0
  tunnel destination 202.101.53.3
  tunnel protection ipsec profile ipspro
interface Serial0
 ip address 218.87.15.1 255.255.255.0
end
 

r5:
en
conf t
host r5
no ip routing
ip routing
no ip domain-lookup
line con 0
logg sy
exit
defa int s0/0
defa int s0/1
defa int s0/2
defa int s0/3
defa int e0/0
no   int loop0
int s0/1
ip add 218.87.15.5 255.255.255.0
clock r 64000
no sh
int s0/3
ip add 202.101.53.5 255.255.255.0
clock r 64000
no sh
exit
end
 
 
r3:
en
conf t
host r3
no ip routing
ip routing
no ip domain-lookup
line con 0
logg sy
exit
defa int s0
defa int s1
defa int e0
no   int loop0
int loop0
ip add 192.168.3.1 255.255.255.0
int s0
ip add 202.101.53.3 255.255.255.0
no sh
exit
ip route 218.87.15.0 255.255.255.0 202.101.53.5
end
conf t
crypto isakmp policy 20
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 218.87.15.1
crypto ipsec transform-set myts esp-des esp-md5-hmac
crypto ipsec profile ipspro
  set transform-set cisco
  exit
int tunnel 0
  tunnel mode ipsec ipv4
  ip add 192.168.13.3 255.255.255.0
  tunnel source s0
  tunnel destination 218.87.15.1
  tunnel protection ipsec profile ipspro
interface Serial0
 ip address 202.101.53.3 255.255.255.0
end
-----------------------------------------------------------------------------------------------------
Crypto map 对密文或明文入方向的流量的处理:
====================================================================================
是否感兴趣流       是否加密       有无map        action
    N/A               是            有            解密
     是               不            有            drop
     是               是           没有           forward
     N/A              是           没有           解密  ---如r1通过s0口(有map)发包给r3的s0口,r3通过s1口(有map)回包给r1的s1口
建议每个接口都启crypto map , 因为启了crypto map 的接口对不配置的感兴趣流没有影响.
-----------------------------------------------------------------------------------------------------
实验四:动态Dynamic ×××
Dynamic ××× 适用于中心站点IP固定,分支办事处××× IP地址不固定(如都是CISCO产品建议使用EZ×××,如分支办事处非思科产品建议使用该方式),该方式分支办事处配置同实验一中的L2L分支办事处配置,中心站点配置区别如下:
r1:
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto dynamic-map dmap 10
  set transform-set cisco
  match add  *** ---------------------------该行可省略
  exit
crypto map smap 10 ipsec-isakmp dynamic dmap 
int s0
  crypto map smap
                      ------------------------------------该方式应为分支主动发起流量才行,中心站点被动建×××。动态×××不安全

-------------------------------------------------------------------------------------------------------------------
实验五:IPSec over GRE (拓展学习)
该方式工作中使用较少,这里讲解方便大家理解数据包在被路由器加密前的处理过程,和crypto map 撞击的方式.
GRE 在最外面。该实验可以解决×××中原来不能解决的动态路由问题,但12.4的IOS解决方式更好(参见前实验三)
GRE 注意:
1.tunnel 起来的前提是只要有路由到达destination地址则tunnel 会 up,但不一定能拼通该地址;
2.动态路由宣告时可以对tunnel宣告,也可以对tunnel后的内网如loopback口宣告,但不能对tunnel source口宣告,否则会产生递归路由,一下up一下down;
原因:
        218.87.15.1  202.101.53.3 | gre | 192.168.1.1 192.168.3.1
查目标地址的路由,走隧道而封装GRE,之后又查路由,又进行封装,这样不停循环
int tunnel 0
  crymap map mymap ---------------------必须加上
int s0
  crymap map mymap ---------------------建议加上,能够阻止未加密的感兴趣流进入
包的处理过程:
1. 192.168.1.1的包抵达router, 原始包 s:192.168.1.1  d:192.168.3.1
2. 查询:路由表 结果:送到tunnel接口
3. 撞击上tunnel 口上的map <匹配上感兴趣流>
4. 触发加密
   <加密后s:218.87.15.1 d:202.101.53.3 esp s:192.168.1.1 d:192.168.3.1>
5. 加密后的新包继续查询:路由表  结果:送出物理接口s0
6. 虽然物理口有crypto map ,但因为新包不能匹配上感兴趣流,所以直接穿出物理口,送往目的地
7. 最终包结构:
   < s:218.87.15.1  d:202.101.53.3 | esp | s:192.168.1.1 d:192.168.3.1 >
-------------------------------------------------------------------------------------------------
×××指PEER时改掉原来的源目地址:
r1: loopback1:1.1.1.1 (对端新的peer地址)    r3: loopback1:3.3.3.3 (对端新的peer地址)
  r1:tunnel0--192.168.13.1----------------------------r3:tunnel0--192.168.13.3
crypto map mymap local-address loopback1 ------------*** 的更新源由原来的s0改为loop1后需加上该语句
s:218.87.15.1  d:202.101.53.3  gre  s:1.1.1.1 d:3.3.3.3 esp s:192.168.1.1 d:192.168.3.1 ------IPSec over GRE (gre 在外 )
crypto isakmp key cisco address 3.3.3.3
r1#ping 192.168.3.1  sour 192.168.1.1
r1:eigrp   tun0  loo0  loo1
r3:eigrp   tun0  loo0  loo1
 
安全×××模拟器上效果:
r1:
en
conf t
host r1
no ip routing
ip routing
no ip domain-lookup
line con 0
logg sy
exit
defa int s1/0
defa int s1/1
defa int e0/0
no   int loop0
int loop0
ip add 192.168.1.1 255.255.255.0
int loop1
ip add 1.1.1.1 255.255.255.0
ip ospf network point-to-point
int s1/0
ip add 218.87.15.1 255.255.255.0
no sh
exit
ip route 0.0.0.0 0.0.0.0 218.87.15.5
end
conf t
int tunnel 0
  ip add 192.168.13.1 255.255.255.0
  tunnel source s1/0
  tunnel destination 202.101.53.3
  crypto map mymap
  exit
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto keyring cisco
  pre-shared-key address 3.3.3.3 key 0 cisco
crypto isakmp profile cisco
    match identity address 3.3.3.3
    keyring cisco
crypto ipsec transform-set ts esp-des esp-md5-hmac
crypto map mymap local-address loopback1
crypto map mymap 10 ipsec-isakmp
 set peer 3.3.3.3
 set transform-set ts
 match address my***
 set isakmp-profile cisco
 exit
router ospf 100
 router-id 1.1.1.1
 network 1.1.1.1 0.0.0.0 area 0
 network 192.168.1.1 0.0.0.0 area 0
 network 192.168.13.1 0.0.0.0 area 0
 exit
interface Serial1/0
 ip address 218.87.15.1 255.255.255.0
 crypto map mymap
ip access-list extended my***
 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
end
 

r2(r5):
en
conf t
host r5
no ip routing
ip routing
no ip domain-lookup
line con 0
logg sy
exit
defa int s1/0
defa int s1/1
defa int s1/2
defa int s1/3
defa int e0/0
no   int loop0
int s1/1
ip add 218.87.15.5 255.255.255.0
clock r 64000
no sh
int s1/0
ip add 202.101.53.5 255.255.255.0
clock r 64000
no sh
exit
end
 
 
r3:
en
conf t
host r3
no ip routing
ip routing
no ip domain-lookup
line con 0
logg sy
exit
defa int s1/0
defa int s1/1
defa int e0/0
no   int loop0
int loop0
ip add 192.168.3.1 255.255.255.0
int loop1
ip add 3.3.3.3 255.255.255.0
ip ospf network point-to-point
int s1/1
ip add 202.101.53.3 255.255.255.0
clock r 64000
no sh
exit
ip route 0.0.0.0 0.0.0.0 202.101.53.5
end
conf t
int tunnel 0
  ip add 192.168.13.3 255.255.255.0
  tunnel source s1/1
  tunnel destination 218.87.15.1
  crypto map mymap
  exit
crypto isakmp policy 20
 hash md5
 authentication pre-share
 group 2
crypto keyring cisco
  pre-shared-key address 1.1.1.1 key 0 cisco
crypto isakmp profile cisco
  match identity address 1.1.1.1
  keyring cisco
crypto ipsec transform-set myts esp-des esp-md5-hmac
crypto map mymap local-address loopback1
crypto map mymap 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set myts
 match address ***
 set isakmp-profile cisco
 exit
router ospf 100
 router-id 3.3.3.3
 network 3.3.3.3 0.0.0.0 area 0
 network 192.168.3.1 0.0.0.0 area 0
 network 192.168.13.3 0.0.0.0 area 0
 exit
interface Serial1/1
 ip address 202.101.53.3 255.255.255.0
 crypto map mymap
ip access-list extended ***
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
end
 
 
=====================================================================================================================
实验六:GRE  over IPSec (拓展学习)
 
安全×××模拟器上效果:
r1:
en
conf t
host r1
no ip routing
ip routing
no ip domain-lookup
line con 0
logg sy
exit
defa int s1/0
defa int s1/1
defa int e0/0
no   int loop0
int loop0
ip add 192.168.1.1 255.255.255.0
int loop1
ip add 1.1.1.1 255.255.255.0
ip ospf network point-to-point
int s1/0
ip add 218.87.15.1 255.255.255.0
no sh
exit
ip route 0.0.0.0 0.0.0.0 218.87.15.5
end
conf t
interface Serial1/0
 ip address 218.87.15.1 255.255.255.0
 exit
int tunnel 0
  ip add 192.168.13.1 255.255.255.0
  tunnel source s1/0
  tunnel destination 202.101.53.3
  exit
router ospf 100
 router-id 1.1.1.1
 network 1.1.1.1 0.0.0.0 area 0
 network 192.168.1.1 0.0.0.0 area 0
 network 192.168.13.1 0.0.0.0 area 0
 exit
end

conf t
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
 exit
crypto isakmp key cisco address 202.101.53.3
crypto ipsec transform-set ts esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 202.101.53.3
 set transform-set ts
 match address my***
 exit
interface Serial1/0
 crypto map mymap
 exit
ip access-list extended my***
 permit gre any any
end
 

r2(r5):
en
conf t
host r5
no ip routing
ip routing
no ip domain-lookup
line con 0
logg sy
exit
defa int s1/0
defa int s1/1
defa int s1/2
defa int s1/3
defa int e0/0
no   int loop0
int s1/1
ip add 218.87.15.5 255.255.255.0
clock r 64000
no sh
int s1/0
ip add 202.101.53.5 255.255.255.0
clock r 64000
no sh
exit
end
 
 
r3:
en
conf t
host r3
no ip routing
ip routing
no ip domain-lookup
line con 0
logg sy
exit
defa int s1/0
defa int s1/1
defa int e0/0
no   int loop0
int loop0
ip add 192.168.3.1 255.255.255.0
int loop1
ip add 3.3.3.3 255.255.255.0
ip ospf network point-to-point
int s1/1
ip add 202.101.53.3 255.255.255.0
clock r 64000
no sh
exit
ip route 0.0.0.0 0.0.0.0 202.101.53.5
end
conf t
interface Serial1/1
 ip address 202.101.53.3 255.255.255.0
 exit
int tunnel 0
  ip add 192.168.13.3 255.255.255.0
  tunnel source s1/1
  tunnel destination 218.87.15.1
  exit
router ospf 100
 router-id 3.3.3.3
 network 3.3.3.3 0.0.0.0 area 0
 network 192.168.3.1 0.0.0.0 area 0
 network 192.168.13.3 0.0.0.0 area 0
end
conf t
crypto isakmp policy 20
 hash md5
 authentication pre-share
 group 2
 exit
crypto isakmp key cisco address 218.87.15.1
crypto ipsec transform-set myts esp-des esp-md5-hmac

crypto map mymap 10 ipsec-isakmp
 set peer  218.87.15.1
 set transform-set myts
 match address ***
 exit
interface Serial1/1
 crypto map mymap
 exit
ip access-list extended ***
 permit gre any any
end

r1#ping 192.168.3.1 source 192.168.1.1  repeat 20
s:218.87.15.1  d:202.101.53.3   esp  s:218.87.15.1  d:202.101.53.3  gre  s:192.168.1.1  d:192.168.3.1

包的处理过程:
1. 192.168.1.1的包抵达router, 原始包 s:192.168.1.1  d:192.168.3.1
2. 查询:路由表 结果:送到tunnel接口
3. tunnel 口上无map 查tunnel source 与 tunnel destination
4. 封装GRE,包结构:
   <s:218.87.15.1  d:202.101.53.3  gre  s:192.168.1.1  d:192.168.3.1>
5. 查路由表: 202.101.53.3 符合默认路由,出口为s1/0
6. 物理口下有cryto map, 并符合感兴趣流即为GRE的流量
7. 触发加密
   <加密后 s:218.87.15.1  d:202.101.53.3 esp  s:218.87.15.1  d:202.101.53.3  gre  s:192.168.1.1  d:192.168.3.1>
8. 加密后的新包继续查询:路由表  结果:送出物理接口s0
  最终包结构:
   < s:218.87.15.1  d:202.101.53.3 esp  s:218.87.15.1  d:202.101.53.3  gre  s:192.168.1.1  d:192.168.3.1 >
==================================================================================================================