Bring up a VPN between R1 and the ASA so that the branch office LAN 15.15.15.0/24 can reach the headquarters LAN 192.168.1.0/24 securely across the Internet.
Topology diagram:
R5 only needs interface IP addresses plus one static route pointing at R1.
R6 (the "Internet") only needs interface IP addresses; it knows nothing about either LAN and only has to provide reachability between R1 and the ASA.
Branch office R1 configuration:
crypto isakmp policy 1 //phase 1 (IKE) policy; 3DES, MD5 and DH group 2 are what this lab uses and are considered weak today, so a production tunnel should use AES, SHA-2 and DH group 14 or higher
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key gezi123 address 10.10.10.1 //pre-shared key for the peer (the ASA's outside address)
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac //transform set (phase 2 ESP cipher and integrity)
!
crypto map mymap 1 ipsec-isakmp //IPsec policy (crypto map)
set peer 10.10.10.1 //peer address
set transform-set myset //reference the transform set
match address 100 //interesting (protected) traffic
!
interface Serial1/0
ip address 15.15.15.1 255.255.255.0
serial restart-delay 0
clock rate 64000
!
interface Serial1/1
ip address 16.16.16.1 255.255.255.0
clock rate 64000
crypto map mymap //apply the IPsec policy on the Internet-facing interface
ip route 0.0.0.0 0.0.0.0 16.16.16.6
access-list 100 permit ip 15.15.15.0 0.0.0.255 192.168.1.0 0.0.0.255 //crypto ACL (IOS wildcard masks); must be the mirror image of the ASA's crypto ACL
Headquarters ASA configuration:
ciscoasa(config)# sh run
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.10.10.1 255.0.0.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
//Interesting traffic (the crypto ACL); the ASA uses subnet masks here, not IOS wildcard masks, and this entry must be the mirror image of R1's access-list 100:
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 15.15.15.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.10.10.2 1 //default route
crypto ipsec transform-set myset esp-3des esp-sha-hmac //transform set; must match R1's
crypto map mymap 1 match address 100 //crypto map: interesting traffic
crypto map mymap 1 set peer 16.16.16.1 //peer is R1's Serial1/1 address
crypto map mymap 1 set transform-set myset
crypto map mymap interface outside //apply the map to the ASA's outside interface
crypto isakmp enable outside //enable ISAKMP (IKE) on the outside interface
crypto isakmp policy 1 //phase 1 policy; must match R1's policy
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group 16.16.16.1 type ipsec-l2l //tunnel group for the peer, LAN-to-LAN type
tunnel-group 16.16.16.1 ipsec-attributes //IPsec attributes for that peer
pre-shared-key * //the PSK gezi123, masked by sh run; must match R1's crypto isakmp key
No NAT is configured on this ASA. On an ASA that translates inside addresses toward the outside interface, traffic from 192.168.1.0/24 to 15.15.15.0/24 must be exempted from NAT, otherwise it is rewritten before it is compared against the crypto ACL and never enters the tunnel.
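The R1 and ASA halves above have to agree with each other, and the two crypto ACLs are written in different notations (IOS wildcard masks versus ASA subnet masks), which is where typos hide. The following Python checker is an added example, not code from the original post: it embeds constructed excerpts of the two configs above, confirms that the phase 1 policy and transform set match on both ends, verifies that the two ACLs are exact mirror images (R1's source/destination is the ASA's destination/source), and flags the 3DES/MD5/group 2 choices as weak. All function and constant names are my own.

```python
"""Cross-check both halves of a crypto-map L2L IPsec configuration.

Added example, not code from the page; the excerpts are constructed from the R1
and ASA configs above. The crypto ACLs must be exact mirror images, which is easy
to get wrong because IOS uses wildcard masks while the ASA uses subnet masks.
"""
import ipaddress
import re

R1_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set myset esp-3des esp-sha-hmac
access-list 100 permit ip 15.15.15.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
ASA_CONFIG = """\
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 15.15.15.0 255.255.255.0
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group 16.16.16.1 type ipsec-l2l
"""
# Still accepted by both platforms, no longer acceptable in production.
WEAK = {"des", "3des", "esp-des", "esp-3des", "md5", "esp-md5-hmac"}
WEAK_GROUPS = {"1", "2", "5"}
IOS_ACL = re.compile(r"^access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)$")
ASA_ACL = re.compile(r"^access-list \S+ extended permit ip (\S+) (\S+) (\S+) (\S+)$")


def to_net(addr, mask, wildcard):
    """Network from one ACL address/mask pair; IOS wildcards are inverted masks."""
    if wildcard:                                  # 0.0.0.255 -> 255.255.255.0
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.IPv4Network((addr, mask), strict=True)   # ValueError on 192.168.1.0.0

def acl_nets(cfg, pattern, wildcard):
    """(src_net, dst_net) of the first matching ACL entry; ValueError if none or malformed."""
    for line in cfg.splitlines():
        m = pattern.match(line.strip())
        if m:
            src, smask, dst, dmask = m.groups()
            return to_net(src, smask, wildcard), to_net(dst, dmask, wildcard)
    raise ValueError("no ip ACL entry found")

def isakmp_policy(cfg):
    """First 'crypto isakmp policy' block as a dict; IOS abbreviates encryption as 'encr'."""
    pol, inside = {}, False
    for line in cfg.splitlines():
        if line.startswith("crypto isakmp policy"):
            inside = True
        elif inside and line.startswith(" "):    # indented sub-commands of the policy
            key, _, val = line.strip().partition(" ")
            pol["encryption" if key == "encr" else key] = val
        elif inside:
            break
    return pol

def transform_set(cfg):
    for line in cfg.splitlines():
        parts = line.split()
        if parts[:3] == ["crypto", "ipsec", "transform-set"]:
            return frozenset(parts[4:])
    return frozenset()

def check_peers(ios_cfg, asa_cfg):
    """Findings for the R1/ASA pair; empty means both ends agree and nothing weak is used."""
    out = []
    p_ios, p_asa = isakmp_policy(ios_cfg), isakmp_policy(asa_cfg)
    for key in ("encryption", "hash", "authentication", "group"):
        if p_ios.get(key) != p_asa.get(key):
            out.append(f"phase 1 {key} mismatch: R1={p_ios.get(key)} ASA={p_asa.get(key)}")
    t_ios, t_asa = transform_set(ios_cfg), transform_set(asa_cfg)
    if t_ios != t_asa:
        out.append(f"transform-set mismatch: R1={sorted(t_ios)} ASA={sorted(t_asa)}")
    for side, pol, ts in (("R1", p_ios, t_ios), ("ASA", p_asa, t_asa)):
        for weak in sorted(({pol.get("encryption"), pol.get("hash")} | ts) & WEAK):
            out.append(f"{side}: weak algorithm {weak}, use AES and SHA-2")
        if pol.get("group") in WEAK_GROUPS:
            out.append(f"{side}: weak DH group {pol['group']}, use group 14 or higher")
    try:
        ios_src, ios_dst = acl_nets(ios_cfg, IOS_ACL, wildcard=True)
        asa_src, asa_dst = acl_nets(asa_cfg, ASA_ACL, wildcard=False)
    except ValueError as exc:                     # a typo such as 192.168.1.0.0 lands here
        out.append(f"unparseable crypto ACL: {exc}")
        return out
    if (ios_src, ios_dst) != (asa_dst, asa_src):  # R1's src/dst must be the ASA's dst/src
        out.append(f"crypto ACLs are not mirrors: R1 {ios_src}->{ios_dst}, ASA {asa_src}->{asa_dst}")
    return out
```

Run against the lab configs, `check_peers(R1_CONFIG, ASA_CONFIG)` reports no mismatch and no mirror problem, only the weak-algorithm findings for both sides; feed it an ACL with a malformed address such as 192.168.1.0.0, or an ASA entry whose remote network does not equal R1's local network, and the corresponding finding appears.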
Verification:
VPN information on the ASA:
ciscoasa# sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1 //one IKE SA
1 IKE Peer: 16.16.16.1
Type : L2L Role : responder //LAN-to-LAN tunnel; the ASA answered R1's initiation
Rekey : no State : MM_ACTIVE
ciscoasa# sh crypto ipsec sa
interface: outside
Crypto map tag: mymap, seq num: 1, local addr: 10.10.10.1
access-list 100 permit ip 192.168.1.0 255.255.255.0 15.15.15.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (15.15.15.0/255.255.255.0/0/0)
current_peer: 16.16.16.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 10.10.10.1, remote crypto endpt.: 16.16.16.1 //local and remote tunnel endpoints
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 10949813
inbound esp sas:
spi: 0xAED16260 (2932957792)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, } //tunnel mode, type L2L
slot: 0, conn_id: 4096, crypto-map: mymap
sa timing: remaining key lifetime (kB/sec): (4274998/3054)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x10949813 (278173715)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: mymap
sa timing: remaining key lifetime (kB/sec): (4275000/3054)
IV size: 8 bytes
replay detection support: Y
VPN information on R1:
r1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
10.10.10.1 16.16.16.1 QM_IDLE 1001 0 ACTIVE
r1#sh crypto ipsec sa
interface: Serial1/1
Crypto map tag: mymap, local addr 16.16.16.1
protected vrf: (none)
local ident (addr/mask/prot/port): (15.15.15.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer 10.10.10.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 34, #pkts encrypt: 34, #pkts digest: 34
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 16.16.16.1, remote crypto endpt.: 10.10.10.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial1/1
current outbound spi: 0xAED16260(2932957792)
inbound esp sas:
spi: 0x10949813(278173715)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: 1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4547148/2649)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xAED16260(2932957792)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: 2, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4547142/2648)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
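The two `sh crypto ipsec sa` captures above are read by hand in the original post. As an added example (not part of the original post), the Python below embeds constructed copies of both captures, trimmed to the lines it reads, and checks what a practitioner looks for: the proxy identities mirror each other, each side's inbound ESP SPI equals the peer's outbound SPI (0xAED16260 and 0x10949813 here), the transforms agree, and packets are flowing in both directions. Run on these captures it reports that the ASA has only decrypted, that R1 has only encrypted, and R1's one send error. Function and dictionary key names are my own.

```python
"""Cross-check 'show crypto ipsec sa' captured on both ends of an L2L tunnel.

Added example, not code from the page: the two captures below are constructed
from the ASA and R1 output above, trimmed to the lines the check reads.
"""
import re

ASA_SA = """\
interface: outside
    Crypto map tag: mymap, seq num: 1, local addr: 10.10.10.1
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (15.15.15.0/255.255.255.0/0/0)
      current_peer: 16.16.16.1
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
      #send errors: 0, #recv errors: 0
      current outbound spi: 10949813
    inbound esp sas:
      spi: 0xAED16260 (2932957792)
         transform: esp-3des esp-sha-hmac none
    outbound esp sas:
      spi: 0x10949813 (278173715)
         transform: esp-3des esp-sha-hmac none
"""
R1_SA = """\
interface: Serial1/1
    Crypto map tag: mymap, local addr 16.16.16.1
   local  ident (addr/mask/prot/port): (15.15.15.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 10.10.10.1 port 500
    #pkts encaps: 34, #pkts encrypt: 34, #pkts digest: 34
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 1, #recv errors 0
     current outbound spi: 0xAED16260(2932957792)
     inbound esp sas:
      spi: 0x10949813(278173715)
        transform: esp-3des esp-sha-hmac ,
     inbound ah sas:
     outbound esp sas:
      spi: 0xAED16260(2932957792)
        transform: esp-3des esp-sha-hmac ,
"""


def parse_ipsec_sa(text):
    """Peer, proxy identities, packet counters and ESP SPIs from one capture."""
    sa = {"peer": None, "ident": {}, "encaps": 0, "decaps": 0,
          "send_errors": 0, "recv_errors": 0, "spi": {}, "transform": {}}
    direction = None            # set while inside an 'inbound/outbound esp sas' block
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"current_peer:? (\S+)", s):
            sa["peer"] = m.group(1)
        elif m := re.match(r"(local|remote)\s+ident .*?: \(([^/]+/[^/]+)/", s):
            sa["ident"][m.group(1)] = m.group(2)       # e.g. 15.15.15.0/255.255.255.0
        elif m := re.match(r"#send errors:? (\d+), #recv errors:? (\d+)", s):
            sa["send_errors"], sa["recv_errors"] = map(int, m.groups())
        elif m := re.match(r"(inbound|outbound) (\w+) sas:", s):
            direction = m.group(1) if m.group(2) == "esp" else None
        elif m := re.match(r"spi: (0x[0-9A-Fa-f]+)", s):
            if direction and direction not in sa["spi"]:
                sa["spi"][direction] = int(m.group(1), 16)
        elif s.startswith("transform:") and direction and direction not in sa["transform"]:
            # IOS ends the line with ' ,', the ASA with ' none'; neither is a transform
            sa["transform"][direction] = tuple(t for t in s.split()[1:] if t not in (",", "none"))
        for kind, value in re.findall(r"#pkts (encaps|decaps): (\d+)", s):
            sa[kind] = int(value)
    return sa


def diagnose(a, b, a_name="A", b_name="B"):
    """Findings for one tunnel seen from both ends; an empty list means healthy."""
    out = []
    if (a["ident"].get("local"), a["ident"].get("remote")) != \
            (b["ident"].get("remote"), b["ident"].get("local")):
        out.append("proxy identities are not mirrored: the crypto ACLs disagree")
    # ESP SAs are one-directional: the SPI A receives on is the SPI B sends on.
    for x, y, xn, yn in ((a, b, a_name, b_name), (b, a, b_name, a_name)):
        if x["spi"].get("inbound") != y["spi"].get("outbound"):
            out.append(f"SPI mismatch: {xn} inbound != {yn} outbound")
        if x["transform"].get("inbound") != y["transform"].get("outbound"):
            out.append(f"transform mismatch: {xn} inbound != {yn} outbound")
    for side, name in ((a, a_name), (b, b_name)):
        if side["decaps"] and not side["encaps"]:
            out.append(f"{name} decrypts but never encrypts: its return traffic is not "
                       "selected for the tunnel (check crypto ACL, routing and NAT there)")
        if side["encaps"] and not side["decaps"]:
            out.append(f"{name} encrypts but never decrypts: nothing is coming back")
        if side["send_errors"]:
            out.append(f"{name} reports {side['send_errors']} send error(s)")
    return out
```

`diagnose(parse_ipsec_sa(ASA_SA), parse_ipsec_sa(R1_SA), "ASA", "R1")` returns three findings for the captures above, all about the counters; the identity, SPI and transform checks pass, which is what tells you the negotiation itself succeeded and the problem is in what gets selected for encryption.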
Test connectivity between the branch and headquarters internal networks:
r5#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/41/84 ms
A successful ping to the headquarters internal network shows that the L2L VPN is established and the two internal networks can communicate through the IPsec VPN. Two things are worth checking alongside the ping. First, after it succeeds, both #pkts encaps and #pkts decaps should rise on both devices; in the captures above the ASA had only decrypted (14) and R1 had only encrypted (34), meaning traffic was flowing in one direction at the moment they were taken. Second, 192.168.1.1 is the ASA's own inside interface rather than a host behind it; the ASA only answers ICMP addressed to an interface when it arrives through a different interface (here, through the tunnel on outside) if `management-access inside` is configured, so a host on 192.168.1.0/24 is the more reliable target.
The drawbacks of this style of VPN are higher cost and less convenient device maintenance, and, most limiting, that it is strictly point-to-point: interesting traffic has to be defined entry by entry for each peer, so with many branches the crypto ACLs and crypto map entries multiply and the headquarters device needs correspondingly more capacity. Because there is no tunnel interface, routing protocols cannot run across it, which severely restricts reachability between internal networks.