1. Topology:
(reference diagram)

2. Basic interface configuration:

R1:
 interface e0/0
  ip address 10.1.1.1 255.255.255.0
  no shutdown
 interface loopback 0
  ip address 1.1.1.1 255.255.255.0

FW1:
 interface e0
  ip address 10.1.1.10 255.255.255.0
  nameif inside
  no shutdown
 interface e1
  ip address 202.100.1.10 255.255.255.0
  nameif outside
  no shutdown

R2:
 interface e0/0
  ip address 202.100.1.2 255.255.255.0
  no shutdown
 interface e0/1
  ip address 202.100.2.2 255.255.255.0
  no shutdown

R3:
 interface e0/0
  ip address 202.100.2.3 255.255.255.0
  no shutdown
 interface loopback 0
  ip address 3.3.3.3 255.255.255.0

3. Routing configuration:

R1:
 ip route 0.0.0.0 0.0.0.0 10.1.1.10

pixfirewall:
 route outside 0.0.0.0 0.0.0.0 202.100.1.2

R3:
 ip route 0.0.0.0 0.0.0.0 202.100.2.2

4. Firewall NAT and policy configuration:

 access-list 10 permit ip 10.1.1.0 255.255.255.0 any
 nat (inside) 1 access-list 10
 global (outside) 1 interface
 access-list outside extended permit icmp any any
 access-group outside in interface outside

Note: the inside network is translated with dynamic PAT to the outside interface address, so from R3's point of view R1 appears as 202.100.1.10. The ICMP entry exists only to make testing convenient; it is not required.

5. GRE and dynamic routing configuration:

R1:
 interface tunnel 0
  ip address 192.168.0.1 255.255.255.0
  tunnel source ethernet 0/0
  tunnel destination 202.100.2.3
 router ospf 1
  router-id 1.1.1.1
  network 1.1.1.0 0.0.0.255 area 0
  network 192.168.0.0 0.0.0.255 area 0

R3:
 interface tunnel 0
  ip address 192.168.0.2 255.255.255.0
  tunnel source ethernet 0/0
  tunnel destination 202.100.1.10
 router ospf 1
  router-id 3.3.3.3
  network 3.3.3.0 0.0.0.255 area 0
  network 192.168.0.0 0.0.0.255 area 0

Note: the tunnel destination on R3 differs from the traditional setup; it must be R1's post-NAT address (the firewall's outside address), not 10.1.1.1.

Note: at this point the OSPF adjacency still cannot form, because the firewall will not forward GRE traffic arriving on its outside interface to the inside router: dynamic PAT only translates TCP, UDP and ICMP (GRE, IP protocol 47, has no ports to translate), and the outside ACL permits only ICMP.

6. VPN configuration (IPsec profile method):

A. Phase 1 (ISAKMP) policy:

R1:
 crypto isakmp policy 10
  group 2
  hash md5
  encryption des
  authentication pre-share
 crypto isakmp key 0 cisco address 202.100.2.3

R3:
 crypto isakmp policy 10
  group 2
  hash md5
  encryption des
  authentication pre-share
 crypto isakmp key 0 cisco address 202.100.1.10

Note: R3 keys the pre-shared key to 202.100.1.10 because that is the source address R1's IKE packets carry after PAT. DES, MD5, DH group 2 and the key "cisco" are lab settings only; a production tunnel should use AES, SHA-2, DH group 14 or stronger, and a long random pre-shared key or certificates.

B. Phase 2 (IPsec) policy:

R1 and R3:
 crypto ipsec transform-set transet esp-des esp-md5-hmac
  mode transport

C. IPsec profile referencing the transform set:

R1 and R3:
 crypto ipsec profile myprofile
  set transform-set transet

D. Apply the profile on the tunnel interface:

R1 and R3:
 interface tunnel 0
  tunnel protection ipsec profile myprofile

7. Set the tunnel interface mode:

R1 and R3:
 interface tunnel 0
  tunnel mode ipsec ipv4

Note: once this is configured the OSPF adjacency comes up on its own. Without it the tunnel stays in GRE mode and Quick Mode cannot complete: R1 proposes its real address 10.1.1.1 as its GRE endpoint identity (it does not know it is being translated), while R3 is configured for 202.100.1.10, so R3 finds no matching entry and logs:

*Mar 1 00:31:05.887: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 202.100.1.10

debug crypto ipsec shows the mismatch: R3's own request carries remote_proxy= 202.100.1.10/255.255.255.255/47, the proposal received from R1 carries remote_proxy= 10.1.1.1/255.255.255.255/47 ("Tunnel-UDP" indicates that NAT-T encapsulation is in use):

Crypto IPSEC debugging is on
R3#
*Mar 1 00:31:43.807: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 202.100.2.3, remote= 202.100.1.10,
  local_proxy= 202.100.2.3/255.255.255.255/47/0 (type=1),
  remote_proxy= 202.100.1.10/255.255.255.255/47/0 (type=1)
*Mar 1 00:31:43.831: IPSEC(key_engine): got a queue event with 1 kei messages
*Mar 1 00:31:43.839: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 202.100.2.3, remote= 202.100.1.10,
  local_proxy= 202.100.2.3/255.255.255.255/47/0 (type=1),
  remote_proxy= 202.100.1.10/255.255.255.255/47/0 (type=1),
  protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel),
  lifedur= 3600s and 4608000kb,
  spi= 0xC6C45BEE(3334757358), conn_id= 0, keysize= 0, flags= 0x400A
*Mar 1 00:31:43.891: IPSEC(key_engine): got a queue event with 1 kei messages
*Mar 1 00:32:11.455: IPSEC(key_engine): got a queue event with 1 kei messages
*Mar 1 00:32:11.631: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 202.100.2.3, remote= 202.100.1.10,
  local_proxy= 202.100.2.3/255.255.255.255/47/0 (type=1),
  remote_proxy= 10.1.1.1/255.255.255.255/47/0 (type=1),
  protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel-UDP),
  lifedur= 0s and 0kb,
  spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400
*Mar 1 00:32:11.647: map_db_find_best did not find matching map
*Mar 1 00:32:11.651: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 202.100.2.3
*Mar 1 00:32:11.663: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 202.100.1.10
*Mar 1 00:32:13.839: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 202.100.2.3, remote= 202.100.1.10,
  local_proxy= 202.100.2.3/255.255.255.255/47/0 (type=1),
  remote_proxy= 202.100.1.10/255.255.255.255/47/0 (type=1)
*Mar 1 00:32:13.851: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 202.100.2.3, remote= 202.100.1.10,
  local_proxy= 202.100.2.3/255.255.255.255/47/0 (type=1),
  remote_proxy= 202.100.1.10/255.255.255.255/47/0 (type=1),
  protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel),
  lifedur= 3600s and 4608000kb,
  spi= 0x90CF1F1D(2429493021), conn_id= 0, keysize= 0, flags= 0x400A
*Mar 1 00:32:41.031: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 202.100.2.3, remote= 202.100.1.10,
  local_proxy= 202.100.2.3/255.255.255.255/47/0 (type=1),
  remote_proxy= 10.1.1.1/255.255.255.255/47/0 (type=1),
  protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel-UDP),
  lifedur= 0s and 0kb,
  spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400
*Mar 1 00:32:41.047: map_db_find_best did not find matching map
*Mar 1 00:32:41.051: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 202.100.2.3
*Mar 1 00:32:43.847: IPSEC(key_engine): request timer fired: count = 2,

8. Verify IPsec:

A. Both routers show OSPF-triggered encrypt/decrypt flows:

R1#show crypto engine connections active
  ID Interface    IP-Address    State  Algorithm            Encrypt  Decrypt
   4 Tunnel0      192.168.0.1   set    HMAC_MD5+DES_56_CB         0        0
2001 Tunnel0      10.1.1.1      set    DES+MD5                    0       51
2002 Tunnel0      10.1.1.1      set    DES+MD5                   52        0

R3#show crypto engine connections active
  ID Interface    IP-Address    State  Algorithm            Encrypt  Decrypt
   4 Ethernet0/0  202.100.2.3   set    HMAC_MD5+DES_56_CB         0        0
2001 Ethernet0/0  202.100.2.3   set    DES+MD5                    0       54
2002 Ethernet0/0  202.100.2.3   set    DES+MD5                   53        0

B. The OSPF adjacency is established:

R1#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
3.3.3.3           0   FULL/  -        00:00:35    192.168.0.2     Tunnel0

R3#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           0   FULL/  -        00:00:37    192.168.0.1     Tunnel0

C. Each side learns the other's route through OSPF:

R1#show ip route ospf
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/11112] via 192.168.0.2, 00:07:58, Tunnel0

R3#show ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/11112] via 192.168.0.1, 00:08:17, Tunnel0

D. Ping test:

R1#ping 3.3.3.3 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/75/228 ms

9. Summary (differences from the traditional IPsec configuration):

In the same network environment, the traditional (crypto map) method and the profile method differ as follows:

A. The traditional method applies a crypto map on the physical interface; the profile method applies IPsec protection to the tunnel interface.
B. In the traditional method the tunnel destination is the peer's real address; in the profile method it is the peer's post-NAT address.
C. The profile method requires tunnel mode ipsec ipv4 on the tunnel interface.

----- Later, in the CCNP Security course, this method appears under a new name: static VTI (sVTI) VPN.
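The Quick Mode failure in section 7 can be read off the debug output mechanically. The Python script below is an added example, not code from the original post: it parses the proxy identities from debug crypto ipsec lines (the sample lines are constructed from the values shown above), reproduces the containment check a responder applies when it looks for a matching crypto map, and shows that the identity R1 offers (10.1.1.1/32, protocol 47) does not fall inside the one R3 expects (202.100.1.10/32, protocol 47), while the ip any any identity that tunnel mode ipsec ipv4 negotiates accepts it. The Selector class, the function names and the reading of "Tunnel-UDP" as a NAT-T indicator are this example's own assumptions.

```python
"""Added example (not from the original post): diagnose the GRE-over-IPsec
Quick Mode failure from Cisco IOS `debug crypto ipsec` output.

IOS prints the proxy identities (traffic selectors) of both its own
sa_request (OUTBOUND: what this router is configured for) and the peer's
proposal (INBOUND: what the peer actually sent). The responder accepts the
proposal only if the offered identities fall inside the ones it expects.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Selector:
    """One IPsec proxy identity: address/mask plus IP protocol (0 = any)."""
    addr: str
    mask: str
    proto: int

    def contains(self, other: "Selector") -> bool:
        """True if `other` lies inside this selector's address range and protocol."""
        mask = int(ipaddress.IPv4Address(self.mask))
        same_net = (int(ipaddress.IPv4Address(self.addr)) & mask) == \
                   (int(ipaddress.IPv4Address(other.addr)) & mask)
        # other's mask must be at least as specific as ours
        narrower = (int(ipaddress.IPv4Address(other.mask)) & mask) == mask
        proto_ok = self.proto == 0 or self.proto == other.proto
        return same_net and narrower and proto_ok


# `tunnel mode ipsec ipv4` (sVTI) negotiates ip any any on both sides, so the
# real address of a peer behind NAT never takes part in the identity check.
VTI_ANY = Selector("0.0.0.0", "0.0.0.0", 0)

# Field layout IOS uses in sa_request / validate_proposal_request messages.
MSG_RE = re.compile(
    r"(?P<dir>INBOUND|OUTBOUND) local= (?P<local>[\d.]+), remote= (?P<remote>[\d.]+), "
    r"local_proxy= (?P<lp_addr>[\d.]+)/(?P<lp_mask>[\d.]+)/(?P<lp_proto>\d+)/\d+ \(type=\d\), "
    r"remote_proxy= (?P<rp_addr>[\d.]+)/(?P<rp_mask>[\d.]+)/(?P<rp_proto>\d+)/\d+ \(type=\d\)"
    r".*?transform= (?P<transform>[^,\n]+)"
)

# Constructed sample: one debug message per line, values taken from the post.
SAMPLE_DEBUG = """\
*Mar 1 00:31:43.807: IPSEC(key_engine): request timer fired: count = 2, (identity) local= 202.100.2.3, remote= 202.100.1.10, local_proxy= 202.100.2.3/255.255.255.255/47/0 (type=1), remote_proxy= 202.100.1.10/255.255.255.255/47/0 (type=1)
*Mar 1 00:31:43.839: IPSEC(sa_request): , (key eng. msg.) OUTBOUND local= 202.100.2.3, remote= 202.100.1.10, local_proxy= 202.100.2.3/255.255.255.255/47/0 (type=1), remote_proxy= 202.100.1.10/255.255.255.255/47/0 (type=1), protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel), lifedur= 3600s and 4608000kb, spi= 0xC6C45BEE(3334757358), conn_id= 0, keysize= 0, flags= 0x400A
*Mar 1 00:32:11.631: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 202.100.2.3, remote= 202.100.1.10, local_proxy= 202.100.2.3/255.255.255.255/47/0 (type=1), remote_proxy= 10.1.1.1/255.255.255.255/47/0 (type=1), protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel-UDP), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400
*Mar 1 00:32:11.647: map_db_find_best did not find matching map
*Mar 1 00:32:11.651: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 202.100.2.3
*Mar 1 00:32:11.663: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 202.100.1.10
"""


def parse_proposals(debug_text: str) -> list:
    """Extract direction, IKE peer, both proxy identities and the NAT-T flag
    from every sa_request / validate_proposal_request line."""
    found = []
    for line in debug_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        found.append({
            "direction": m["dir"],
            "peer": m["remote"],
            "local_proxy": Selector(m["lp_addr"], m["lp_mask"], int(m["lp_proto"])),
            "remote_proxy": Selector(m["rp_addr"], m["rp_mask"], int(m["rp_proto"])),
            # Assumption: IOS tags the transform "Tunnel-UDP" when NAT-T is in use.
            "nat_t": "UDP" in m["transform"],
        })
    return found


def diagnose(debug_text: str) -> dict:
    """Compare the peer identity we expect (our OUTBOUND remote_proxy) with the
    identity the peer offered (INBOUND remote_proxy), then run the containment
    check under the GRE-mode selector and under the sVTI any/any selector."""
    props = parse_proposals(debug_text)
    ours = next((p for p in props if p["direction"] == "OUTBOUND"), None)
    theirs = next((p for p in props if p["direction"] == "INBOUND"), None)
    if ours is None or theirs is None:
        raise ValueError("need both an OUTBOUND sa_request and an INBOUND proposal")
    expected, offered = ours["remote_proxy"], theirs["remote_proxy"]
    return {
        "peer": theirs["peer"],
        "expected_peer_identity": expected,
        "offered_peer_identity": offered,
        "nat_t": theirs["nat_t"],
        # A peer behind NAT offers its pre-NAT address, which differs from the
        # address its IKE packets arrive from.
        "peer_behind_nat": theirs["nat_t"] and offered.addr != theirs["peer"],
        "gre_mode_accepts": expected.contains(offered),
        "any_any_accepts": VTI_ANY.contains(offered),
        "quick_mode_failed": "IKMP_MODE_FAILURE" in debug_text,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_DEBUG).items():
        print(f"{key:24} {value}")
```

Running the script against a real capture is the same: paste the debug output into SAMPLE_DEBUG or read it from a file and call diagnose(). A result with peer_behind_nat and quick_mode_failed both true and gre_mode_accepts false is the signature of this lab's failure; any_any_accepts true is why switching the tunnel to tunnel mode ipsec ipv4 resolves it.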
This article is reposted from 碧云天's blog on 51CTO; original link: http://blog.51cto.com/333234/841281. To repost it, please contact the original author.