基础IPsec-remote基本配置_基础
Step 1 R4 配置 NAT 实现上网即可
R4(config)#int fa0/0
R4(config-if)#ip add 192.168.40.1 255.255.255.0
R4(config-if)#no sh
R4(config-if)#int fa1/0
R4(config-if)#ip add 200.200.24.4 255.255.255.0
R4(config-if)#no sh
R4(config-if)#exit
R4(config)#ip access e for_nat
R4(config-ext-nacl)#deny ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
R4(config-ext-nacl)#permit ip 192.168.40.0 0.0.0.255 any
R4(config-ext-nacl)#exit
R4(config)#ip nat inside source list for_nat interface fa1/0 overload
R4(config)#int fa1/0
R4(config-if)#ip nat outside
R4(config-if)#exit
R4(config)#int fa0/0
R4(config-if)#ip nat inside
R4(config)#ip route 200.200.23.0 255.255.255.0 200.200.24.2
R4# ping 200.200.23.3 source  192.168.40.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.23.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.40.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/207/336 ms
 
Step 2 R2 配置基本 IP 地址即可
R2(config)#int fa2/0
R2(config-if)#ip add 200.200.24.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#int fa1/0
R2(config-if)#ip add 200.200.23.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#exit
 
Step 3 R3 实现 NAT 功能
R3(config)#int fa1/0
R3(config-if)#ip add 200.200.23.3 255.255.255.0
R3(config-if)#no sh
R3(config-if)#int fa0/0
R3(config-if)#ip add 192.168.30.1 255.255.255.0
R3(config-if)#no sh
R3(config-if)#ip access e for_nat
R3(config-ext-nacl)#deny ip 192.168.30.0 0.0.0.255 192.168.40.0 0.0.0.255
R3(config-ext-nacl)#permit ip 192.168.30.0 0.0.0.255 any
R3(config-ext-nacl)#exit
R3(config)#ip nat inside source list for_nat int fa1/0 overload
R3(config)#int fa1/0
R3(config-if)#ip nat ou
R3(config-if)#int fa0/0
R3(config-if)#ip nat inside
R3(config-if)#end
R3(config)#ip route 200.200.24.0 255.255.255.0 200.200.23.2
R3(config)#exit
R3#ping 200.200.24.4 source 192.168.30.1 repeat 10       //测试NAT是否建立成功
 
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 200.200.24.4, timeout is 2 seconds:
Packet sent with a source address of 192.168.30.1
..!!!!!!!!
Success rate is 80 percent (8/10), round-trip min/avg/max = 72/163/276 ms
R3#show ip access
Extended IP access list for_nat
    10 deny ip 192.168.30.0 0.0.0.255 192.168.40.0 0.0.0.255
20 permit ip 192.168.30.0 0.0.0.255 any (1 match)
 
Step 4 定义 IKE 第一阶段策略(IPsec-server)。注意:此处的 des/md5/group 2 仅为实验配置,生产环境应选用更强的加密、散列和 DH 组
R3(config)#crypto isakmp policy 10
R3(config-isakmp)#encryption des
R3(config-isakmp)#hash md5
R3(config-isakmp)#group 2
R3(config-isakmp)#authentication pre-share   //采用预共享密钥
R3(config-isakmp)#exit
 
Step 5 定义客户端组及其预共享密钥
R3(config)#crypto isakmp client configuration group vpn_ccnp //指定一个客户端组,组名即客户端登录时使用的组用户名
R3(config-isakmp-group)#key cisco
R3(config-isakmp-group)#exit
 
Step 6 开启 AAA(3A)功能。注意:下面的 NOACS 列表为 line none,即各线路不做认证,仅适用于实验环境
R3(config)#aaa new-model
R3(config)#aaa authentication login  NOACS line none //定义不认证
R3(config)#line con 0
R3(config-line)#login authentication NOACS    //在线路(line)下调用不认证列表
R3(config-line)#line aux 0
R3(config-line)#login authentication NOACS
R3(config-line)#line vty 0 4   
R3(config-line)#login authentication NOACS
R3(config-line)#exit
R3(config)#aaa authentication login remote local    //Xauth阶段,客户端的第二次认证,使用本地用户数据库
R3(config)#user ccnp password ccnp
R3(config)#aaa authorization network remote local
 
Step 7 定义客户端地址池
R3(config)#crypto isakmp client configuration group vpn_ccnp
R3(config-isakmp-group)#pool A
R3(config-isakmp-group)#exit
R3(config)#ip local pool A 192.168.100.1 192.168.100.254
 
Step 8 定义专用的 isakmp profile
R3(config)#crypto isakmp profile pro_A
% A profile is deemed incomplete until it has match identity statements
R3(conf-isa-prof)#match identity group vpn_ccnp       //指定匹配组
R3(conf-isa-prof)#client authentication list remote      //指定验证调用的3A
R3(conf-isa-prof)#isakmp authorization list remote   //指定授权调用的3A
R3(conf-isa-prof)#client configuration address respond   //响应客户端的地址请求,下发策略
R3(conf-isa-prof)#exit
 
Step 9 定义转换集
R3(config)#crypto ipsec transform-set vpn esp-des esp-md5-hmac //指定数据加密认证采用的方法
R3(cfg-crypto-trans)#mode tunnel //采用隧道模式
R3(cfg-crypto-trans)#exit
 
Step 10 定义动态 crypto map
R3(config)#crypto dynamic-map dy_vpn 10
R3(config-crypto-map)#set transform-set vpn   //调用转换集
R3(config-crypto-map)#set isakmp-profile pro_A  //调用前面定义的专用的isakmp
R3(config-crypto-map)#reverse-route //路由的反向注入
R3(config-crypto-map)#exit
 
Step 11 定义标准的 crypto map 并在接口调用
R3(config)#crypto map vpn_map 10 ipsec-isakmp dynamic dy_vpn
R3(config)#int fa1/0
R3(config-if)#crypto map vpn_map   //在接口调用
R3(config-if)#exit
 
Step 12 路由分割/隧道分离(解决客户端默认网关问题)
R3(config)#access-list 101 permit ip 192.168.30.0 0.0.0.255 any
R3(config)#crypto isakmp client configuration group vpn_ccnp
R3(config-isakmp-group)#acl 101
R3(config-isakmp-group)#exit
R3(config)#exit  
 
R3#show crypto engine connections active
 
  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt
   1 FastEthernet1/0      200.200.23.3    set    HMAC_MD5+DES_56_CB        0        0
2001 FastEthernet1/0      200.200.23.3    set    DES+MD5                   0        0
2002 FastEthernet1/0      200.200.23.3    set    DES+MD5                   0        0
 
R3#show crypto isakmp sa
dst             src             state          conn-id slot status
200.200.23.3    200.200.24.4    QM_IDLE              1    0 ACTIVE
 
R3#show crypto ipsec sa
 
interface: FastEthernet1/0
    Crypto map tag: vpn_map, local addr 200.200.23.3
 
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.100.1/255.255.255.255/0/0)
   current_peer 200.200.24.4 port 4500
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
 
     local crypto endpt.: 200.200.23.3, remote crypto endpt.: 200.200.24.4
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
     current outbound spi: 0x33B6F24A(867627594)
 
     inbound esp sas:
      spi: 0x892C05FD(2301363709)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2001, flow_id: SW:1, crypto map: vpn_map
        sa timing: remaining key lifetime (k/sec): (4584147/3403)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
 
     inbound ah sas:
 
     inbound pcp sas:
 
     outbound esp sas:
      spi: 0x33B6F24A(867627594)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2002, flow_id: SW:2, crypto map: vpn_map
        sa timing: remaining key lifetime (k/sec): (4584147/3402)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
 
     outbound ah sas:
 
     outbound pcp sas: