A software development company has opened a branch office in a smaller city. The branch's development project team sits on network 172.16.10.0/24, and hosts on that network must reach the headquarters development data server network (10.10.33.0/24) over a VPN. To meet this requirement, the network administrator configures an IPSec VPN on the branch gateway router, with a matching configuration on the headquarters gateway router.

1. Branch gateway router

Routing configuration (a default route toward the ISP next hop):
R1(config)#ip route 0.0.0.0 0.0.0.0 100.0.0.2
Configure the ISAKMP (IKE phase 1) policy and the pre-shared key for the headquarters peer:
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#hash sha
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#lifetime 10000
R1(config)#crypto isakmp key qqnet-key address 200.0.0.1
Configure the crypto ACL that selects the traffic to be protected (branch subnet to the headquarters server subnet; the headquarters router must carry the mirror image of this entry):
R1(config)#access-list 100 permit ip 172.16.10.0 0.0.0.255 10.10.33.0 0.0.0.255
Configure the IPSec transform set (IKE phase 2 algorithms) and the IPSec SA lifetime:
R1(config)#crypto ipsec transform-set qqnet-set esp-des ah-sha-hmac
R1(config)#crypto ipsec security-association lifetime seconds 1800
Note that this lab keeps the algorithms weak: esp-des is 56-bit single DES, and the 3DES, SHA-1 and DH group 2 used in the ISAKMP policy are all deprecated. On production gateways use AES with SHA-2 and DH group 14 or stronger, configured identically on both peers.
Configure the crypto map, which ties the peer, the transform set and the crypto ACL together:
R1(config)#crypto map qqnet-map 1 ipsec-isakmp
R1(config-crypto-map)#set peer 200.0.0.1
R1(config-crypto-map)#set transform-set qqnet-set
R1(config-crypto-map)#match address 100
Apply the crypto map to the outside interface (f0/0, the interface facing the headquarters peer):
R1(config)#interface f0/0
R1(config-if)#crypto map qqnet-map
2. Headquarters gateway router

Routing configuration:
R2(config)#ip route 0.0.0.0 0.0.0.0 200.0.0.2
IPSec VPN configuration (the same steps as on the branch router, with the peer address and the crypto ACL reversed):
R2(config)#crypto isakmp policy 1
R2(config-isakmp)#encryption 3des
R2(config-isakmp)#hash sha
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#group 2
R2(config-isakmp)#lifetime 10000
R2(config)#crypto isakmp key 0 qqnet-key address 100.0.0.1
R2(config)#access-list 100 permit ip 10.10.33.0 0.0.0.255 172.16.10.0 0.0.0.255
R2(config)#crypto ipsec transform-set qqnet-set esp-des ah-sha-hmac    // the encryption and authentication algorithms must match the branch side
R2(config)#crypto ipsec security-association lifetime seconds 1800
R2(config)#crypto map qqnet-map 1 ipsec-isakmp
R2(config-crypto-map)#set peer 100.0.0.1
R2(config-crypto-map)#set transform-set qqnet-set
R2(config-crypto-map)#match address 100
R2(config)#interface f0/0
R2(config-if)#crypto map qqnet-map
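The tunnel only comes up if the two gateways agree on the ISAKMP policy, the transform set, the pre-shared key, and mirror-image crypto ACLs, and it is only as strong as the weakest algorithm either side offers. The following Python script is an added example, not part of the original page: it parses the crypto-relevant commands from both routers' configurations, reports any mismatch between the two ends, and flags the deprecated algorithms used in this lab. The "weak" lists, the `lab_config` helper that rebuilds the page's R1/R2 commands, and the AES-256/SHA-256/group 14 hardened variant are assumptions of this example, not IOS defaults or settings from the page.

```python
"""Pairwise consistency and algorithm-strength check for a site-to-site IPSec VPN
on two Cisco IOS routers. Added example, not code from the page. It understands
only the commands the page uses (ISAKMP policy, pre-shared key, crypto ACL,
transform-set, crypto map peer); prompts and // comments are ignored."""
import re
from dataclasses import dataclass, field

# Policy assumed by this example (not an IOS setting): single DES, 3DES, MD5,
# SHA-1 and DH groups 1/2/5 are flagged as too weak for a new tunnel.
WEAK_ENCRYPTION = {"des", "3des", "esp-des", "esp-3des"}
WEAK_HASH = {"md5", "sha", "ah-md5-hmac", "ah-sha-hmac", "esp-md5-hmac", "esp-sha-hmac"}
WEAK_DH_GROUPS = {"1", "2", "5"}
PROMPT = re.compile(r"^\s*[^\s(]+\(config[^)]*\)#")   # e.g. "R1(config-isakmp)#"


@dataclass
class CryptoConfig:
    encryption: str = ""
    hash: str = ""
    group: str = ""
    keys: dict = field(default_factory=dict)      # peer address -> pre-shared key
    acl: list = field(default_factory=list)       # (src, src_wc, dst, dst_wc) tuples
    transforms: list = field(default_factory=list)
    peer: str = ""


def _merge_key_sizes(tokens):
    # "esp-aes 256" becomes one token so the key size travels with its algorithm
    out = []
    for t in tokens:
        if t.isdigit() and out:
            out[-1] += " " + t
        else:
            out.append(t)
    return out


def parse_config(text):
    cfg = CryptoConfig()
    for raw in text.splitlines():
        tok = PROMPT.sub("", raw.split("//", 1)[0]).split()
        if not tok:
            continue
        if tok[0] == "encryption":
            cfg.encryption = " ".join(tok[1:])
        elif tok[0] == "hash":
            cfg.hash = tok[1]
        elif tok[0] == "group":
            cfg.group = tok[1]
        elif tok[:3] == ["crypto", "isakmp", "key"]:
            rest = tok[4:] if tok[3] in ("0", "6") else tok[3:]   # optional key-type digit
            cfg.keys[rest[2]] = rest[0]                             # KEY address ADDR
        elif tok[0] == "access-list" and tok[2:4] == ["permit", "ip"]:
            cfg.acl.append(tuple(tok[4:8]))
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg.transforms = sorted(_merge_key_sizes(tok[4:]))
        elif tok[:2] == ["set", "peer"]:
            cfg.peer = tok[2]
    return cfg


def check_pair(a, b):
    """Return findings for two peers; [] means they match and use no weak algorithm."""
    f = []
    for name, x, y in (("encryption", a.encryption, b.encryption), ("hash", a.hash, b.hash),
                       ("DH group", a.group, b.group), ("transform-set", a.transforms, b.transforms)):
        if x != y:
            f.append(f"{name} mismatch: {x} vs {y}")
    if a.keys.get(a.peer) is None or a.keys.get(a.peer) != b.keys.get(b.peer):
        f.append("pre-shared key missing for the configured peer or not equal on both sides")
    mirrored = {(d, dw, s, sw) for (s, sw, d, dw) in b.acl}   # crypto ACLs must mirror
    f += [f"crypto ACL entry {e} has no mirror on the other peer" for e in a.acl if e not in mirrored]
    for side, c in (("A", a), ("B", b)):
        weak = [x for x in [c.encryption, c.hash, *c.transforms] if x in WEAK_ENCRYPTION | WEAK_HASH]
        if c.group in WEAK_DH_GROUPS:
            weak.append(f"group {c.group}")
        f += [f"{side}: weak algorithm {w}" for w in weak]
    return f


def lab_config(router, local_net, remote_net, peer_ip, encryption, hash_, group, transforms):
    """Constructed sample: the crypto-relevant lines of one gateway, in the page's CLI form."""
    return f"""
{router}(config-isakmp)#encryption {encryption}
{router}(config-isakmp)#hash {hash_}
{router}(config-isakmp)#group {group}
{router}(config)#crypto isakmp key 0 qqnet-key address {peer_ip}
{router}(config)#access-list 100 permit ip {local_net} 0.0.0.255 {remote_net} 0.0.0.255
{router}(config)#crypto ipsec transform-set qqnet-set {transforms}   // must match the peer
{router}(config-crypto-map)#set peer {peer_ip}
"""


# The page's lab: R1 (branch) at 100.0.0.1, R2 (headquarters) at 200.0.0.1.
PAGE_R1 = lab_config("R1", "172.16.10.0", "10.10.33.0", "200.0.0.1", "3des", "sha", "2", "esp-des ah-sha-hmac")
PAGE_R2 = lab_config("R2", "10.10.33.0", "172.16.10.0", "100.0.0.1", "3des", "sha", "2", "esp-des ah-sha-hmac")
# Same topology with algorithms a practitioner would choose today (assumption of this example).
STRONG_R1 = lab_config("R1", "172.16.10.0", "10.10.33.0", "200.0.0.1", "aes 256", "sha256", "14", "esp-aes 256 esp-sha256-hmac")
STRONG_R2 = lab_config("R2", "10.10.33.0", "172.16.10.0", "100.0.0.1", "aes 256", "sha256", "14", "esp-aes 256 esp-sha256-hmac")


def audit(config_a, config_b):
    return check_pair(parse_config(config_a), parse_config(config_b))


if __name__ == "__main__":
    for label, pair in (("page lab", (PAGE_R1, PAGE_R2)), ("hardened", (STRONG_R1, STRONG_R2))):
        print(label, audit(*pair) or "OK")
```

Run against the page's configuration the two ends agree, so every finding is a weak-algorithm warning (3DES, SHA-1, DH group 2, esp-des and ah-sha-hmac on each side); the hardened pair passes cleanly. Pointing the headquarters ACL at a different subnet, or leaving one side on 3DES, produces a mismatch finding before any time is spent on a tunnel that will never negotiate.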
3. Display the configured ISAKMP negotiation policies
R1#show crypto isakmp policy
Global IKE policy
Protection suite of priority 1
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard    // SHA
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               10000 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys)
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
The default protection suite is tried only if no configured policy matches; it uses RSA signatures, so with a pre-shared key the configured policy 1 is the one that must match the peer.
5. Display the IPSec transform set
R1#show crypto ipsec transform-set
Transform set qqnet-set: { ah-sha-hmac  }
   will negotiate = { Tunnel,  },
   { esp-des  }
   will negotiate = { Tunnel,  },
6. Display the IPSec security association lifetime
R1#show crypto ipsec security-association lifetime
Security association lifetime: 4608000 kilobytes/1800 seconds
The 1800-second value is the one configured above; 4608000 kilobytes is the IOS default volume limit, and the SA is rekeyed when either limit is reached first.
8. View the crypto map
R1#show crypto map
Crypto Map "qqnet-map" 1 ipsec-isakmp
        Peer = 200.0.0.1
        Extended IP access list 100
            access-list 100 permit ip 172.16.10.0 0.0.0.255 10.10.33.0 0.0.0.255
        Current peer: 200.0.0.1
        Security association lifetime: 4608000 kilobytes/1800 seconds
        PFS (Y/N): N
        Transform sets={ qqnet-set, }
        Interfaces using crypto map qqnet-map:
                FastEthernet0/0
The show crypto map output shows the crypto map name, the crypto ACL, the peer IP address, the IPSec SA lifetime, whether PFS is enabled, and the interface the crypto map is applied to. Check that the ACL shown here is the one configured in step 1 and the mirror image of the headquarters ACL; a crypto map that matches the wrong ACL never produces interesting traffic and the tunnel silently stays down. PFS is off in this lab; set pfs under the crypto map enables it, so that each IPSec SA takes its keys from a fresh Diffie-Hellman exchange instead of deriving them from the IKE SA keying material.