Lab environment (simulated multi-site VPN)
R1 builds a VPN with R3 and with R4
R3 builds a VPN with R1 and with R4
R4 builds a VPN with R1 and with R3
R2 sits between the three routers and plays the role of the Internet: R1, R3 and R4 each point a default route at it, and their loopbacks (1.1.1.1, 2.2.2.2, 3.3.3.3) stand in for the protected site LANs.
I. Basic configuration
1. Basic configuration of R1
R1(config)#int loopback 0
R1(config-if)#ip add 1.1.1.1 255.255.255.255
R1(config-if)#no sh
R1(config-if)#int f0/0
R1(config-if)#ip add 10.0.0.1 255.255.255.0
R1(config-if)#no sh
R1(config)#line console 0
R1(config-line)#logging synchronous
R1(config-line)#exit
R1(config)#no ip domain-lookup
R1(config)#ip route 0.0.0.0 0.0.0.0 10.0.0.2
R1(config)#do sh ip int bri
Interface          IP-Address   OK? Method Status                Protocol
FastEthernet0/0    10.0.0.1     YES manual up                    up
FastEthernet1/0    unassigned   YES unset  administratively down down
Loopback0          1.1.1.1      YES manual up                    up
2. Basic configuration of R2
R2(config)#no ip domain-lookup
R2(config)#line console 0
R2(config-line)#logg syn
R2(config-line)#exit
R2(config)#int f0/0
R2(config-if)#ip add 10.0.0.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#int f1/0
R2(config-if)#ip add 20.0.0.2 255.255.255.0
R2(config-if)#no sh
R2(config)#int f2/0
R2(config-if)#ip add 30.0.0.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#do sh ip int bri
Interface          IP-Address   OK? Method Status                Protocol
FastEthernet0/0    10.0.0.2     YES manual up                    up
FastEthernet1/0    20.0.0.2     YES manual up                    up
FastEthernet2/0    30.0.0.2     YES manual up                    up
3. Basic configuration of R3
R3(config)#int loopback 0
R3(config-if)#ip add 2.2.2.2 255.255.255.255
R3(config-if)#int f0/0
R3(config-if)#ip add 20.0.0.1 255.255.255.0
R3(config-if)#no sh
R3(config-if)#ip route 0.0.0.0 0.0.0.0 20.0.0.2
R3(config)#line console 0
R3(config-line)#logging synchronous
R3(config-line)#exit
R3(config)#no ip domain-lookup
R3(config)#do sh ip int bri
Interface          IP-Address   OK? Method Status                Protocol
FastEthernet0/0    20.0.0.1     YES manual up                    up
FastEthernet1/0    unassigned   YES unset  administratively down down
Loopback0          2.2.2.2      YES manual up                    up
4. Basic configuration of R4
R4(config)#no ip domain-lookup
R4(config)#line console 0
R4(config-line)#logging syn
R4(config-line)#exit
R4(config)#int loopback 0
R4(config-if)#ip add 3.3.3.3 255.255.255.255
R4(config-if)#no sh
R4(config-if)#int f0/0
R4(config-if)#ip add 30.0.0.1 255.255.255.0
R4(config-if)#no sh
R4(config-if)#ip route 0.0.0.0 0.0.0.0 30.0.0.2
R4(config)#do sh ip int bri
Interface          IP-Address   OK? Method Status                Protocol
FastEthernet0/0    30.0.0.1     YES manual up                    up
FastEthernet1/0    unassigned   YES unset  administratively down down
Loopback0          3.3.3.3      YES manual up                    up
II. IPsec VPN configuration
1. VPN between R1 and R3 (the ISAKMP policies on R1 and R3 must match, and both must use the same pre-shared key, here vpnR1-R3)
Configuration on R1
R1(config)#crypto isakmp policy 1                       create ISAKMP (IKE phase 1) policy 1
R1(config-isakmp)#encryption 3des                       encryption algorithm for the IKE SA
R1(config-isakmp)#hash sha                              integrity (hash) algorithm
R1(config-isakmp)#authentication pre-share              authenticate the peer with a pre-shared key
R1(config-isakmp)#group 2                               Diffie-Hellman group 2. A higher group number gives a stronger DH exchange at a higher CPU cost; this router offers groups 1, 2 and 5 (groups 1 and 2 are considered weak today; use group 14 or higher where the platform supports it)
R1(config-isakmp)#exit
R1(config)#crypto isakmp key 0 vpnR1-R3 address 20.0.0.1   pre-shared key for peer 20.0.0.1 (both ends must use the same key). 0 means the key that follows is typed in the clear, 6 means it is supplied in encrypted (type 6) form; with 0 the key is stored and displayed in plaintext unless password encryption aes is enabled, as the show crypto isakmp key output further down shows
R1(config)#access-list 111 permit ip 1.1.1.1 0.0.0.0 2.2.2.2 0.0.0.0   crypto ACL selecting the traffic to protect. The ACLs on the two peers must be exact mirror images of each other, otherwise phase 2 (IPsec SA) negotiation fails
R1(config)#crypto ipsec transform-set vpn esp-des esp-sha-hmac   define the transform set. Two protocols are available: AH (authentication only) and ESP (authentication and encryption). AH authenticates the whole packet including the IP header, so it cannot pass through NAT; ESP authenticates only the payload (the outer IP header is excluded), so it can coexist with NAT (behind PAT it additionally needs NAT traversal, which carries ESP inside UDP 4500). DES is obsolete: on real equipment use esp-aes together with esp-sha-hmac or esp-sha256-hmac
R1(cfg-crypto-trans)#exit
R1(config)#crypto map vpn-map 1 ipsec-isakmp            define the crypto map. An interface can carry only one crypto map, so with several sites one map is used and each peer gets its own entry, distinguished by the sequence number
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#set peer 20.0.0.1                 specify the peer
R1(config-crypto-map)#set transform-set vpn             specify the transform set
R1(config-crypto-map)#match address 111                 the traffic to protect
R1(config-crypto-map)#exit
R1(config)#int f0/0
R1(config-if)#crypto map vpn-map                        apply the map to the interface
R1(config-if)#
*Mar 1 00:28:06.035: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#
Configuration on R3
R3(config)#crypto isakmp policy 1
R3(config-isakmp)#en 3des
R3(config-isakmp)#hash sha
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#group 2
R3(config-isakmp)#exit
R3(config)#crypto isakmp key 0 vpnR1-R3 address 10.0.0.1
R3(config)#access-list 111 permit ip 2.2.2.2 0.0.0.0 1.1.1.1 0.0.0.0
R3(config)#crypto ipsec transform-set vpn esp-des esp-sha-hmac
R3(cfg-crypto-trans)#exit
R3(config)#crypto map vpn-map 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R3(config-crypto-map)#set peer 10.0.0.1
R3(config-crypto-map)#set transform-set vpn
R3(config-crypto-map)#match address 111
R3(config-crypto-map)#exit
R3(config)#int f0/0
R3(config-if)#crypto map vpn-map
R3(config-if)#
*Mar 1 00:52:47.967: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Verification: the tunnel comes up. The first ping from R3 is what triggers the IKE negotiation; that first echo is lost while phases 1 and 2 complete, which is why only 4 of 5 replies arrive. Afterwards both routers show the ISAKMP SA in state QM_IDLE, meaning phase 1 is complete and the SA is idle, ready for quick mode (phase 2) exchanges.
R3#ping 1.1.1.1 source 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
*Mar 1 00:58:08.667: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 10.0.0.1:500 Id: 10.0.0.1.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 36/69/84 ms
R3#sh cry isa sa
dst             src             state          conn-id slot
10.0.0.1        20.0.0.1        QM_IDLE              1    0
R1#sh cry isa sa
dst             src             state          conn-id slot
10.0.0.1        20.0.0.1        QM_IDLE              1    0
R1#ping 2.2.2.2 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/48/60 ms
2. VPN between R1 and R4 (pre-shared key vpnR1-R4)
Configuration on R1
The ISAKMP policy configured earlier is reused, so only three things are added:
the pre-shared key for R4, a crypto ACL, and a new crypto map entry with a different sequence number (an interface can carry only one crypto map, so additional peers go into new entries of the existing map)
R1(config)#crypto isakmp key 0 vpnR1-R4 address 30.0.0.1   key shared between R1 and R4
R1(config)#access-list 115 permit ip 1.1.1.1 0.0.0.0 3.3.3.3 0.0.0.0
R1(config)#crypto map vpn-map 2 ipsec-isakmp            new sequence number in the same map
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#set peer 30.0.0.1
R1(config-crypto-map)#set transform-set vpn
R1(config-crypto-map)#match address 115
The map does not need to be applied to the interface again: vpn-map was already applied to f0/0 when the R1-R3 tunnel was built, and this entry is distinguished from the first only by its sequence number.
Configuration on R4
R4(config)#crypto isakmp policy 1
R4(config-isakmp)#en 3des
R4(config-isakmp)#hash sha
R4(config-isakmp)#auth pre-share
R4(config-isakmp)#group 2
R4(config-isakmp)#exit
R4(config)#crypto isakmp key 0 vpnR1-R4 address 10.0.0.1
R4(config)#access-list 111 permit ip 3.3.3.3 0.0.0.0 1.1.1.1 0.0.0.0
R4(config)#crypto ipsec transform-set vpn esp-des esp-sha-hmac
R4(cfg-crypto-trans)#exit
R4(config)#crypto map vpn-map 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R4(config-crypto-map)#set peer 10.0.0.1
R4(config-crypto-map)#set transform-set vpn
R4(config-crypto-map)#match address 111
R4(config-crypto-map)#exit
R4(config)#int f0/0
R4(config-if)#crypto map vpn-map
R4(config-if)#
*Mar 1 01:14:43.259: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Verification
R4#ping 1.1.1.1 source 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
.!!
*Mar 1 01:17:05.183: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 10.0.0.1:500 Id: 10.0.0.1!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 40/60/76 ms
R4#sh cry isa sa
dst             src             state          conn-id slot
10.0.0.1        30.0.0.1        QM_IDLE              1    0
R4#sh cry isa key
Keyring     Hostname/Address   Preshared Key
default     10.0.0.1           vpnR1-R4      (the key is displayed in the clear)
Queries on R1
R1(config)#do sh cry isa sa
dst             src             state          conn-id slot
10.0.0.1        20.0.0.1        QM_IDLE              1    0
30.0.0.1        10.0.0.1        QM_IDLE              2    0
R1(config)#do sh cry isa key
Keyring     Hostname/Address   Preshared Key
default     20.0.0.1           vpnR1-R3
            30.0.0.1           vpnR1-R4
3. VPN between R3 and R4 (pre-shared key vpnR3-R4)
Configuration on R3
The ISAKMP policy configured earlier is reused, so again only the pre-shared key, a crypto ACL and a new crypto map entry are added
(with a different sequence number, since an interface can carry only one crypto map)
R3(config)#crypto isa key 0 vpnR3-R4 address 30.0.0.1
R3(config)#access-list 115 permit ip 2.2.2.2 0.0.0.0 3.3.3.3 0.0.0.0
R3(config)#crypto map vpn-map 2 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R3(config-crypto-map)#set peer 30.0.0.1
R3(config-crypto-map)#set transform-set vpn             the transform set defined on R3 is named vpn
R3(config-crypto-map)#match address 115
Configuration on R4
R4(config)#crypto isakmp key 0 vpnR3-R4 address 20.0.0.1
R4(config)#access-list 115 permit ip 3.3.3.3 0.0.0.0 2.2.2.2 0.0.0.0
R4(config)#crypto map vpn-map 2 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R4(config-crypto-map)#set peer 20.0.0.1
R4(config-crypto-map)#set transform-set vpn             the transform set defined on R4 is named vpn
R4(config-crypto-map)#match address 115
Verification
On R4
R4(config-crypto-map)#do ping 2.2.2.2 so 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 24/51/96 ms
R4(config-crypto-map)#
*Mar 1 00:39:11.607: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 20.0.0.1:500 Id: 20.0.0.1
R4(config-crypto-map)#do sh cry isa sa
dst             src             state          conn-id slot
20.0.0.1        30.0.0.1        QM_IDLE              2    0
30.0.0.1        10.0.0.1        QM_IDLE              1    0
R4(config-crypto-map)#do sh cry isa key
Keyring     Hostname/Address   Preshared Key
default     10.0.0.1           vpnR1-R4
            20.0.0.1           vpnR3-R4
On R3
R3(config)#do ping 3.3.3.3 so 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/37/64 ms
R3(config)#do sh cry isa sa
dst             src             state          conn-id slot
10.0.0.1        20.0.0.1        QM_IDLE              1    0
20.0.0.1        30.0.0.1        QM_IDLE              2    0
R3(config)#do sh cry isa key
Keyring     Hostname/Address   Preshared Key
default     10.0.0.1           vpnR1-R3
            30.0.0.1           vpnR3-R4
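The three pairwise requirements these notes keep repeating (identical pre-shared keys, mirror-image crypto ACLs, a transform set that exists and matches on both ends) are easy to get wrong once every router carries several crypto map entries, for instance when an entry points at a transform-set name that was never defined. The following Python script is an added example and not part of the original lab: it parses the relevant IOS lines from all three routers and reports every pair whose settings disagree. The router configs embedded in it are constructed from the commands in these notes, with a deliberate undefined-transform-set slip on the R3-R4 entries so there is something to find; the ADDRESSES mapping (which router owns which f0/0 address) is an assumption the script needs because IOS indexes pre-shared keys by peer address. It does not compare ISAKMP policies, which are identical on all three routers here.

```python
"""Consistency check for the multi-site crypto-map configuration in this lab
(added example, not part of the original notes; parses only the IOS lines it needs)."""
import re
from collections import defaultdict

# Constructed from the notes' commands; the R3-R4 entries deliberately point at a
# transform set `benet` that neither router defines (both define `vpn`).
CONFIGS = {
    "R1": """crypto isakmp key 0 vpnR1-R3 address 20.0.0.1
crypto isakmp key 0 vpnR1-R4 address 30.0.0.1
access-list 111 permit ip 1.1.1.1 0.0.0.0 2.2.2.2 0.0.0.0
access-list 115 permit ip 1.1.1.1 0.0.0.0 3.3.3.3 0.0.0.0
crypto ipsec transform-set vpn esp-des esp-sha-hmac
crypto map vpn-map 1 ipsec-isakmp
 set peer 20.0.0.1
 set transform-set vpn
 match address 111
crypto map vpn-map 2 ipsec-isakmp
 set peer 30.0.0.1
 set transform-set vpn
 match address 115
""",
    "R3": """crypto isakmp key 0 vpnR1-R3 address 10.0.0.1
crypto isakmp key 0 vpnR3-R4 address 30.0.0.1
access-list 111 permit ip 2.2.2.2 0.0.0.0 1.1.1.1 0.0.0.0
access-list 115 permit ip 2.2.2.2 0.0.0.0 3.3.3.3 0.0.0.0
crypto ipsec transform-set vpn esp-des esp-sha-hmac
crypto map vpn-map 1 ipsec-isakmp
 set peer 10.0.0.1
 set transform-set vpn
 match address 111
crypto map vpn-map 2 ipsec-isakmp
 set peer 30.0.0.1
 set transform-set benet
 match address 115
""",
    "R4": """crypto isakmp key 0 vpnR1-R4 address 10.0.0.1
crypto isakmp key 0 vpnR3-R4 address 20.0.0.1
access-list 111 permit ip 3.3.3.3 0.0.0.0 1.1.1.1 0.0.0.0
access-list 115 permit ip 3.3.3.3 0.0.0.0 2.2.2.2 0.0.0.0
crypto ipsec transform-set vpn esp-des esp-sha-hmac
crypto map vpn-map 1 ipsec-isakmp
 set peer 10.0.0.1
 set transform-set vpn
 match address 111
crypto map vpn-map 2 ipsec-isakmp
 set peer 20.0.0.1
 set transform-set benet
 match address 115
""",
}
# Assumption: the f0/0 address each router's crypto map is applied on (IOS
# indexes pre-shared keys by peer address, so the pairwise check needs this).
ADDRESSES = {"R1": "10.0.0.1", "R3": "20.0.0.1", "R4": "30.0.0.1"}


def parse(cfg):
    """Pull out pre-shared keys, crypto ACLs (wildcard form), transform sets and map entries."""
    p, entry = {"keys": {}, "acls": defaultdict(set), "tsets": {}, "maps": []}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"crypto isakmp key \d+ (\S+) address (\S+)", line):
            p["keys"][m[2]] = m[1]                      # peer address -> key
        elif m := re.match(r"access-list (\d+) permit ip (\S+ \S+) (\S+ \S+)", line):
            p["acls"][m[1]].add((m[2], m[3]))           # ("src wild", "dst wild")
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            p["tsets"][m[1]] = m[2].split()
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
            entry = {"map": m[1], "seq": int(m[2])}
            p["maps"].append(entry)
        elif entry and (m := re.match(r"(set peer|set transform-set|match address) (\S+)", line)):
            entry[m[1].split()[-1]] = m[2]              # keys: peer, transform-set, address
    return p


def check(configs, addresses):
    """Return findings for every inconsistent peer pair; an empty list means all agree."""
    parsed = {r: parse(c) for r, c in configs.items()}
    router_at = {a: r for r, a in addresses.items()}
    findings = []
    for r, p in parsed.items():
        for e in p["maps"]:
            tag = f"{r}: crypto map {e['map']} {e['seq']}"
            if e.get("transform-set") not in p["tsets"]:
                findings.append(f"{tag} references undefined transform-set {e.get('transform-set')}")
            pr = router_at.get(e.get("peer"))
            q = parsed.get(pr, {"maps": []})
            back = next((x for x in q["maps"] if x.get("peer") == addresses[r]), None)
            if back is None:
                findings.append(f"{tag}: peer {e.get('peer')} has no crypto map entry pointing back")
                continue
            pair = "/".join(sorted((r, pr)))
            if p["keys"].get(e["peer"]) != q["keys"].get(addresses[r]):
                findings.append(f"{pair}: pre-shared keys differ")
            mine = p["acls"].get(e.get("address"), set())
            theirs = {(d, s) for s, d in q["acls"].get(back.get("address"), set())}
            if mine != theirs:                          # crypto ACLs must be mirror images
                findings.append(f"{pair}: crypto ACLs are not mirror images")
            ts, tq = p["tsets"].get(e.get("transform-set")), q["tsets"].get(back.get("transform-set"))
            if ts and tq and ts != tq:
                findings.append(f"{pair}: transform sets differ")
    return list(dict.fromkeys(findings))                # each pair is visited from both ends


if __name__ == "__main__":
    print(*(check(CONFIGS, ADDRESSES) or ["no inconsistencies found"]), sep="\n")
```

Feed it the crypto-related lines from show running-config of each router (plus the address each map is applied on) and it points at the router and map entry that needs fixing; for the constructed configs above it reports only the two undefined-transform-set entries, and once those are renamed to vpn it returns nothing.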