1. Network topology
As configured below: the ASA sits between outside (202.100.1.0/24), DMZ1 (10.1.1.0/24, key server KS at 10.1.1.1), DMZ2 (10.1.2.0/24, group member DMZ.2 at 10.1.2.1 with loopback 10.10.2.1) and inside (10.1.3.0/24, group member Inside.1 at 10.1.3.1 with loopback 10.10.3.1); Inside.2 (10.1.4.10, loopback 10.10.4.1) hangs off Inside.1 on 10.1.4.0/24. Every link runs OSPF area 0 with MD5 authentication.
2. Requirements
The KS (GET VPN key server) forms one GET VPN group with Inside1, Inside2 and DMZ2; the ASA provides SSL VPN access to users on the outside.
3. Configuration
KS:
ip domain name yeslab.net
! RSA key pair that signs rekey messages; 1024 bits is what the lab used and is below current minimums, use 2048 or more outside a lab
crypto key generate rsa modulus 1024 label getvpnkey
!
! IKE policy for GM registration; everything except the authentication method is left at IOS defaults here
crypto isakmp policy 10
 authentication pre-share
! one pre-shared key per registering address: DMZ.2, Inside.1 (both of its crypto-map interfaces) and Inside.2
crypto isakmp key cisco address 10.1.2.1
crypto isakmp key cisco address 10.1.3.1
crypto isakmp key cisco address 10.1.4.1
crypto isakmp key cisco address 10.1.4.10
!
! TEK transform pushed to every GM (DES/MD5 as in the lab; production should use AES and SHA)
crypto ipsec transform-set cisco esp-des esp-md5-hmac
crypto ipsec profile ipsecprof
 set transform-set cisco
!
crypto gdoi group yeslabgroup
 identity number 666888
 server local
  ! KEK policy: rekeys encrypted with AES-192, signed with the RSA key above, sent by unicast with 5 retransmits 20 s apart
  rekey algorithm aes 192
  rekey retransmit 20 number 5
  rekey authentication mypubkey rsa getvpnkey
  rekey transport unicast
  ! TEK policy: transform from the profile, traffic selected by the ACL below, time-based anti-replay with a 20 s window
  sa ipsec 1
   profile ipsecprof
   match address ipv4 getvpntraffic
   replay time window-size 20
  address ipv4 10.1.1.1
!
router ospf 1
 area 0 authentication message-digest
 network 10.1.1.0 0.0.0.255 area 0
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip ospf message-digest-key 1 md5 yeslab123
!
! Encryption policy downloaded by every GM: exclude GDOI control traffic (UDP 848), encrypt everything else inside 10/8.
! Note that OSPF unicast from a GM to a non-GM neighbour (the ASA) also matches the permit; DMZ.2 excludes it with a
! local deny ACL, Inside.1 does not (see its configuration).
ip access-list extended getvpntraffic
 deny udp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq 848
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
ASA:
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 202.100.1.10 255.255.255.0
 ospf message-digest-key 1 md5 <removed>
!
interface Ethernet0/1
 nameif DMZ1
 security-level 60
 ip address 10.1.1.10 255.255.255.0
 ospf message-digest-key 1 md5 <removed>
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 10.1.3.10 255.255.255.0
 ospf message-digest-key 1 md5 <removed>
!
interface Ethernet0/3
 nameif DMZ2
 security-level 50
 ip address 10.1.2.10 255.255.255.0
 ospf message-digest-key 1 md5 <removed>
! <removed> is how show running-config masks the MD5 key; the key entered must match the routers' (yeslab123)
!
! destinations DMZ.2's ESP may reach: the inside transit links and the Inside.1 / Inside.2 loopbacks
object-group network dmz2
 network-object 10.1.3.0 255.255.255.0
 network-object 10.1.4.0 255.255.255.0
 network-object 10.10.4.0 255.255.255.0
 network-object 10.10.3.0 255.255.255.0
! DMZ2 (level 50) towards DMZ1/inside needs explicit permits: GDOI registration and rekey ACKs to the KS,
! and ESP from DMZ.2's loopback (GET VPN preserves the original IP header, so the ESP source is 10.10.2.1).
! Traffic sourced from 10.1.2.1 itself also matches the KS policy but is not permitted here.
access-list dmz2 extended permit udp host 10.1.2.1 eq 848 host 10.1.1.1 eq 848
access-list dmz2 extended permit esp host 10.10.2.1 object-group dmz2
access-group dmz2 in interface DMZ2
!
router ospf 1
 network 10.1.1.0 255.255.255.0 area 0
 network 10.1.2.0 255.255.255.0 area 0
 network 10.1.3.0 255.255.255.0 area 0
 network 202.100.1.0 255.255.255.0 area 0
 area 0 authentication message-digest
!
! clientless SSL VPN on the outside interface; the port-forward maps local port 55555 to telnet on DMZ.2's loopback.
! The ASA opens that telnet session itself from 10.1.2.10, which is why DMZ.2 keeps it out of the encrypted policy.
webvpn
 enable outside
 port-forward PF 55555 10.10.2.1 telnet
group-policy for-localuser internal
group-policy for-localuser attributes
 banner value welcome yeslab
 webvpn
  port-forward enable PF
  hidden-shares visible
  file-entry disable
  url-entry disable
username localuser password VPMnI7Ryh0/c7eki encrypted
! binding the policy to the user was missing from the original notes; without it the user gets DfltGrpPolicy
username localuser attributes
 vpn-group-policy for-localuser
DMZ.2:
! type 0 (cleartext) password kept from the lab; outside a lab use 'username chen secret ...'
username chen password 0 cisco
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 10.1.1.1
!
! group definition first, as it appears in a running-config; the crypto map then references it
crypto gdoi group yeslabgroup
 identity number 666888
 server address ipv4 10.1.1.1
! the original notes abbreviated this as 'cmap' and left 'match address telnet' on a stray line
crypto map mymap 10 gdoi
 set group yeslabgroup
 match address telnet
!
interface Loopback0
 ip address 10.10.2.1 255.255.255.0
 ip ospf message-digest-key 1 md5 yeslab123
interface FastEthernet0/0
 ip address 10.1.2.1 255.255.255.0
 ip ospf message-digest-key 1 md5 yeslab123
 crypto map mymap
router ospf 1
 area 0 authentication message-digest
 network 10.1.2.0 0.0.0.255 area 0
 network 10.10.2.0 0.0.0.255 area 0
!
! Local GM ACL: only deny entries belong here; they are evaluated before the policy downloaded from the KS.
! The ASA is not a group member, so the telnet session it proxies for the SSL VPN port-forward
! (10.1.2.10 <-> 10.10.2.1:23) and OSPF unicast towards it must stay in the clear.
ip access-list extended telnet
 deny tcp host 10.10.2.1 eq telnet host 10.1.2.10
 deny ospf any any
line vty 0 15
 login local
Inside.1:
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 10.1.1.1
crypto gdoi group yeslabgroup
 identity number 666888
 server address ipv4 10.1.1.1
! the original notes abbreviated this as 'cmap'
crypto map mymap 10 gdoi
 set group yeslabgroup
! No local deny ACL here. Unlike DMZ.2, OSPF unicast from Fa0/0 to the ASA (10.1.3.10), which is not a GM,
! matches the downloaded permit and would be encrypted; a 'deny ospf any any' local ACL as on DMZ.2 avoids that.
interface Loopback0
 ip address 10.10.3.1 255.255.255.0
 ip ospf message-digest-key 1 md5 yeslab123
interface FastEthernet0/0
 ip address 10.1.3.1 255.255.255.0
 ip ospf message-digest-key 1 md5 yeslab123
 crypto map mymap
interface FastEthernet0/1
 ip address 10.1.4.1 255.255.255.0
 ip ospf message-digest-key 1 md5 yeslab123
 crypto map mymap
router ospf 1
 area 0 authentication message-digest
 network 10.1.3.0 0.0.0.255 area 0
 network 10.1.4.0 0.0.0.255 area 0
 network 10.10.3.0 0.0.0.255 area 0
Inside.2:
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 10.1.1.1
crypto gdoi group yeslabgroup
 identity number 666888
 server address ipv4 10.1.1.1
! the original notes abbreviated this as 'cmap'; Inside.2's only OSPF neighbour is Inside.1, also a GM,
! so its OSPF unicast is encrypted on both ends and no local deny ACL is needed
crypto map mymap 10 gdoi
 set group yeslabgroup
interface Loopback0
 ip address 10.10.4.1 255.255.255.0
 ip ospf message-digest-key 1 md5 yeslab123
interface FastEthernet0/0
 ip address 10.1.4.10 255.255.255.0
 ip ospf message-digest-key 1 md5 yeslab123
 crypto map mymap
router ospf 1
 area 0 authentication message-digest
 network 10.1.4.0 0.0.0.255 area 0
 network 10.10.4.0 0.0.0.255 area 0
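The policy ACL on the KS and the local deny ACLs on the GMs are the part of this design that is easiest to get wrong. The script below is an added example (editor's code, not from the original lab notes). It parses the subset of IOS ACL syntax used on this page, classifies a flow the way a GM does (local deny ACL first, then the policy downloaded from the KS, no match means the packet is forwarded in the clear, which is the default fail-open behaviour), checks that the KS ACL excludes GDOI (UDP 848) and is symmetric, and checks that a GM's local ACL contains only deny entries and keeps OSPF unicast towards a non-GM neighbour out of the encrypted policy. The ACL texts are copied from the KS and DMZ.2 configurations above; the GM and neighbour addresses are the page's. A flow given without a port is taken to match only entries that do not specify one.

```python
"""GET VPN policy ACL checks (editor-added example; not from the original lab notes).
Parses the IOS extended-ACL subset used on this page, classifies a flow as a GM does
(local deny ACL first, then the KS policy, no match = cleartext), and checks that the KS
ACL excludes GDOI (UDP 848) and is symmetric, since one ACL governs both directions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"telnet": 23, "domain": 53, "www": 80, "isakmp": 500}
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: ipaddress.IPv4Network
    sport: Optional[int]          # None = any port
    dst: ipaddress.IPv4Network
    dport: Optional[int]

def _addr(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    wild = int(ipaddress.IPv4Address(tok[i + 1]))  # IOS wildcard = inverse mask
    if (wild + 1) & wild:
        raise ValueError(f"non-contiguous wildcard {tok[i + 1]}")
    return ipaddress.ip_network(f"{tok[i]}/{32 - wild.bit_length()}", strict=False), i + 2

def _port(tok, i):
    """Optional 'eq PORT' at tok[i]; return (port or None, next index)."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i

def parse_acl(text):
    """Parse 'permit|deny PROTO SRC [eq P] DST [eq P]' lines; other lines are skipped."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        src, i = _addr(tok, 2)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, _ = _port(tok, i)
        aces.append(Ace(tok[0], tok[1], src, sport, dst, dport))
    return aces

def _matches(a, proto, src, sport, dst, dport):
    return (a.proto in ("ip", proto)
            and ipaddress.ip_address(src) in a.src and ipaddress.ip_address(dst) in a.dst
            and a.sport in (None, sport) and a.dport in (None, dport))

def classify(local_acl, ks_acl, proto, src, dst, sport=None, dport=None):
    """'encrypt' or 'bypass' for one flow leaving the GM, in the GM's evaluation order."""
    for a in list(local_acl) + list(ks_acl):
        if _matches(a, proto, src, sport, dst, dport):
            return "encrypt" if a.action == "permit" else "bypass"
    return "bypass"

def mirror(a):
    return Ace(a.action, a.proto, a.dst, a.dport, a.src, a.sport)

def check_ks_policy(ks_acl, gm_addrs, ks_addr):
    """Findings for a KS policy ACL; an empty list means it passes these checks."""
    findings = []
    for gm in gm_addrs:
        if classify([], ks_acl, "udp", gm, ks_addr, 848, 848) == "encrypt":
            findings.append(f"GDOI registration {gm} -> {ks_addr} would be encrypted")
    for a in ks_acl:
        if a.action == "permit" and mirror(a) not in ks_acl:
            findings.append(f"permit {a.proto} {a.src} -> {a.dst} has no mirror entry")
    return findings

def check_gm_local(local_acl, ks_acl, gm_ip, non_gm_neighbor):
    """A GM local ACL may only deny; OSPF unicast to a non-GM neighbour must stay in the clear."""
    findings = [f"local ACL entry is not a deny: {a}" for a in local_acl if a.action != "deny"]
    if classify(local_acl, ks_acl, "ospf", gm_ip, non_gm_neighbor) == "encrypt":
        findings.append(f"OSPF unicast {gm_ip} -> {non_gm_neighbor} would be encrypted; add 'deny ospf any any'")
    return findings

# ACL bodies copied from the KS and DMZ.2 configurations on this page.
KS_POLICY = parse_acl("""
deny udp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq 848
permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
""")
DMZ2_LOCAL = parse_acl("""
deny tcp host 10.10.2.1 eq telnet host 10.1.2.10
deny ospf any any
""")
INSIDE1_LOCAL = parse_acl("")  # Inside.1 configures no local deny ACL

if __name__ == "__main__":
    print("KS policy:", check_ks_policy(KS_POLICY, ["10.1.2.1", "10.1.3.1", "10.1.4.10"], "10.1.1.1"))
    print("DMZ.2:", check_gm_local(DMZ2_LOCAL, KS_POLICY, "10.1.2.1", "10.1.2.10"))
    print("Inside.1:", check_gm_local(INSIDE1_LOCAL, KS_POLICY, "10.1.3.1", "10.1.3.10"))
```

Run as is, the KS policy and DMZ.2 pass, and Inside.1 gets the one finding about OSPF unicast towards the ASA. `classify` only models the outbound direction; GET VPN applies the same policy to received traffic with source and destination swapped, which is what the mirror check in `check_ks_policy` is guarding.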
4. Verification
What to look for: on the KS, 'Group Members : 3' confirms that DMZ.2, Inside.1 and Inside.2 have all registered, and the KEK/TEK timers match the configured lifetimes (86400 s and 3600 s). On DMZ.2, the ACL downloaded from 10.1.1.1 is the KS's getvpntraffic list, the KEK policy reflects the rekey settings (unicast transport, AES-192, 1024-bit RSA signature key), and each TEK carries the same SPI inbound and outbound, as expected for a group SA shared by all members.
KS#show crypto gdoi
GROUP INFORMATION
Group Name : yeslabgroup (Unicast)
Group Identity : 666888
Group Members : 3
IPSec SA Direction : Both
Active Group Server : Local
Group Rekey Lifetime : 86400 secs
Group Rekey
Remaining Lifetime : 85691 secs
Rekey Retransmit Period : 20 secs
Rekey Retransmit Attempts: 5
Group Retransmit
Remaining Lifetime : 0 secs
IPSec SA Number : 1
IPSec SA Rekey Lifetime: 3600 secs
Profile Name : ipsecprof
Replay method : Time Based
Replay Window Size : 20
SA Rekey
Remaining Lifetime : 2892 secs
ACL Configured : access-list getvpntraffic
Group Server list : Local
KS# show crypto gdoi group yeslabgroup
Group Name : yeslabgroup (Unicast)
Group Identity : 666888
Group Members : 3
IPSec SA Direction : Both
Active Group Server : Local
Group Rekey Lifetime : 86400 secs
Group Rekey
Remaining Lifetime : 85319 secs
Rekey Retransmit Period : 20 secs
Rekey Retransmit Attempts: 5
Group Retransmit
Remaining Lifetime : 0 secs
IPSec SA Number : 1
IPSec SA Rekey Lifetime: 3600 secs
Profile Name : ipsecprof
Replay method : Time Based
Replay Window Size : 20
SA Rekey
Remaining Lifetime : 2520 secs
ACL Configured : access-list getvpntraffic
Group Server list : Local
DMZ.2#sh crypto gdoi
GROUP INFORMATION
Group Name : yeslabgroup
Group Identity : 666888
Rekeys received : 1
IPSec SA Direction : Both
Active Group Server : 10.1.1.1
Group Server list : 10.1.1.1
GM Reregisters in : 2425 secs
Rekey Received(hh:mm:ss) : 00:18:36
Rekeys received
Cumulative : 1
After registration : 1
Rekey Acks sent : 1
ACL Downloaded From KS 10.1.1.1:
access-list deny udp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 port = 848
access-list permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
KEK POLICY:
Rekey Transport Type : Unicast
Lifetime (secs) : 86399
Encrypt Algorithm : AES
Key Size : 192
Sig Hash Algorithm : HMAC_AUTH_SHA
Sig Key Length (bits) : 1024
TEK POLICY:
FastEthernet0/0:
IPsec SA:
sa direction:inbound
spi: 0x6A08A4C6(1778951366)
transform: esp-des esp-md5-hmac
sa timing:remaining key lifetime (sec): (2441)
Anti-Replay(Time Based) : 20 sec interval
IPsec SA:
sa direction:outbound
spi: 0x6A08A4C6(1778951366)
transform: esp-des esp-md5-hmac
sa timing:remaining key lifetime (sec): (2441)
Anti-Replay(Time Based) : 20 sec interval
IPsec SA:
sa direction:inbound
spi: 0xE34224AE(3812762798)
transform: esp-des esp-md5-hmac
sa timing:remaining key lifetime (sec): (2481)
Anti-Replay(Time Based) : 20 sec interval
IPsec SA:
sa direction:outbound
spi: 0xE34224AE(3812762798)
transform: esp-des esp-md5-hmac
sa timing:remaining key lifetime (sec): (2481)
Anti-Replay(Time Based) : 20 sec interval
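The DMZ.2 output above is what one checks by hand after registration. The script below is an added example (editor's code, not from the original notes) that parses the fields present in that output, groups the TEK entries by SPI, and reports what a reviewer would flag in this lab's policy: the 1024-bit RSA rekey signature key and the DES/MD5 transform set. The embedded sample is an excerpt of the DMZ.2 output above; the field names and layout it expects are those of this page's IOS release, so other releases may need the patterns adjusted.

```python
"""Parse and sanity-check 'show crypto gdoi' output from a GET VPN group member.
Editor-added example, not part of the original lab notes: it reads only the fields
present in this page's DMZ.2 output and flags weak policy choices (DES, HMAC-MD5, 1024-bit RSA).
"""
import re
from dataclasses import dataclass, field

@dataclass
class TekSa:
    direction: str        # "inbound" or "outbound"
    spi: int = 0
    transform: str = ""

@dataclass
class GmState:
    group: str = ""
    active_ks: str = ""
    rekeys_received: int = 0
    kek_alg: str = ""
    kek_key_size: int = 0
    kek_sig_bits: int = 0
    downloaded_acl: list = field(default_factory=list)
    tek: list = field(default_factory=list)

# "Key : value" lines we keep -> (attribute, converter); first matching key wins
FIELDS = [
    ("Group Name", "group", lambda v: v.split()[0]),  # the KS prints "name (Unicast)"
    ("Active Group Server", "active_ks", str),
    ("Rekeys received", "rekeys_received", int),
    ("Encrypt Algorithm", "kek_alg", str),
    ("Key Size", "kek_key_size", int),
    ("Sig Key Length (bits)", "kek_sig_bits", int),
]

def parse_show_crypto_gdoi(text):
    st = GmState()
    for raw in text.splitlines():
        line = raw.strip()
        for key, attr, conv in FIELDS:
            m = re.match(rf"{re.escape(key)}\s*:\s*(\S.*)$", line)
            if m:
                setattr(st, attr, conv(m.group(1).strip()))
                break
        else:  # not a key/value line we keep: ACL entry or TEK SA detail
            if line.startswith("access-list "):
                st.downloaded_acl.append(line[len("access-list "):])
            elif line.startswith("sa direction:"):
                st.tek.append(TekSa(direction=line.split(":", 1)[1].strip()))
            elif line.startswith("spi:") and st.tek:
                st.tek[-1].spi = int(re.search(r"0x([0-9A-Fa-f]+)", line).group(1), 16)
            elif line.startswith("transform:") and st.tek:
                st.tek[-1].transform = line.split(":", 1)[1].strip()
    return st

def spi_pairs(st):
    """GET VPN installs one group SPI for both directions: map spi -> directions seen."""
    pairs = {}
    for sa in st.tek:
        pairs.setdefault(sa.spi, set()).add(sa.direction)
    return pairs

WEAK = {"esp-des": "single DES", "esp-3des": "3DES", "esp-md5-hmac": "HMAC-MD5"}

def audit(st):
    """Findings on registration state and policy strength; an empty list is clean."""
    out = []
    if not st.tek or st.rekeys_received < 1:
        out.append("registration incomplete: no TEK installed or no rekey received")
    if st.kek_sig_bits and st.kek_sig_bits < 2048:
        out.append(f"rekey signature key is {st.kek_sig_bits} bits; use at least 2048")
    for tok in sorted({t for sa in st.tek for t in sa.transform.split() if t in WEAK}):
        out.append(f"weak transform {tok} ({WEAK[tok]})")
    for spi, dirs in spi_pairs(st).items():
        if dirs != {"inbound", "outbound"}:
            out.append(f"SPI 0x{spi:08X} seen only {sorted(dirs)}")
    if not any(a.startswith("deny udp") and "848" in a for a in st.downloaded_acl):
        out.append("downloaded policy does not exclude GDOI control traffic (UDP 848)")
    return out

# Excerpt of the DMZ.2 output shown on this page (lines the parser ignores were dropped).
SAMPLE = """\
Group Name : yeslabgroup
Rekeys received : 1
Active Group Server : 10.1.1.1
access-list deny udp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 port = 848
access-list permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
Encrypt Algorithm : AES
Key Size : 192
Sig Key Length (bits) : 1024
sa direction:inbound
spi: 0x6A08A4C6(1778951366)
transform: esp-des esp-md5-hmac
sa direction:outbound
spi: 0x6A08A4C6(1778951366)
transform: esp-des esp-md5-hmac
sa direction:inbound
spi: 0xE34224AE(3812762798)
transform: esp-des esp-md5-hmac
sa direction:outbound
spi: 0xE34224AE(3812762798)
transform: esp-des esp-md5-hmac
"""

if __name__ == "__main__":
    for finding in audit(parse_show_crypto_gdoi(SAMPLE)):
        print("-", finding)
```

On the sample it reports exactly three findings (the 1024-bit signature key, esp-des and esp-md5-hmac) and nothing about registration or SPI pairing, which is the expected picture for this lab: the group works, the algorithm choices are the problem. Feeding it the KS's own output gives only the group name and a "registration incomplete" finding, since the KS view carries no TEK entries.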
Note: this is roughly the approach; it is not free of errors, so be careful when typing the commands and don't trust it blindly!