DSVPN lab

Contents

DSVPN lab

1. First, configure IP addresses and loopback addresses on all interfaces

2. Configure a default route on R3 to R8 pointing at R2

3. Build mGRE between R1, R3 and R4

4. Configure OSPF so that all hosts can reach each other

5. Change the OSPF network type of the tunnel interfaces to p2mp

6. Enable NHRP redirect on R1 and NHRP shortcut on R3 and R4

7. Build mGRE within R3-R5-R6 and R4-R7-R8

8. Configure IPsec

9. Test

DSVPN lab

Lab topology: every router connects to R2 over its own 100.1.2x.0/24 link, so R2 plays the underlay ("Internet") and never takes part in the VPN; R1 is the top-level hub, R3 and R4 are sub-hubs, R5 and R6 are spokes of R3, and R7 and R8 are spokes of R4. Each router also has a loopback in 10.x.x.x/24 that stands in for its LAN.

1. First, configure IP addresses and loopback addresses on all interfaces:

[R1]int gi 0/0/0
[R1-GigabitEthernet0/0/0]ip add 100.1.12.1 24
[R1]ip route-static 0.0.0.0 0 100.1.12.2

[R2]int gi 0/0/0
[R2-GigabitEthernet0/0/0]ip add 100.1.12.2 24
[R2-GigabitEthernet0/0/0]int gi 0/0/1
[R2-GigabitEthernet0/0/1]ip add 100.1.23.1 24
[R2-GigabitEthernet0/0/1]int gi 0/0/2
[R2-GigabitEthernet0/0/2]ip add 100.1.24.1 24
[R2-GigabitEthernet0/0/2]int gi 1/0/0
[R2-GigabitEthernet1/0/0]ip add 100.1.25.1 24
[R2-GigabitEthernet1/0/0]int gi 2/0/0
[R2-GigabitEthernet2/0/0]ip add 100.1.26.1 24
[R2-GigabitEthernet2/0/0]int gi 3/0/0
[R2-GigabitEthernet3/0/0]ip add 100.1.27.1 24
[R2-GigabitEthernet3/0/0]int gi 4/0/0
[R2-GigabitEthernet4/0/0]ip add 100.1.28.1 24
[R2-GigabitEthernet4/0/0]int lo0
[R2-LoopBack0]ip add 10.2.2.2 24

(In the original session 100.1.23.1 was first typed on GigabitEthernet1/0/0 and later moved to 0/0/1 when 1/0/0 received 100.1.25.1; only the final assignment per interface is shown above, one address per link, so nothing overlaps.)

[R3]int gi 0/0/0
[R3-GigabitEthernet0/0/0]ip add 100.1.23.2 24
[R3-GigabitEthernet0/0/0]int lo0
[R3-LoopBack0]ip add 10.3.3.3 24
[R4]int gi 0/0/0
[R4-GigabitEthernet0/0/0]ip add 100.1.24.2 24
[R4-GigabitEthernet0/0/0]int lo0
[R4-LoopBack0]ip add 10.4.4.4 24
[R5]int gi 0/0/0
[R5-GigabitEthernet0/0/0]ip add 100.1.25.2 24
[R5-GigabitEthernet0/0/0]int lo0
[R5-LoopBack0]ip add 10.5.5.5 24
[R6]int gi 0/0/0
[R6-GigabitEthernet0/0/0]ip add 100.1.26.2 24
[R6-GigabitEthernet0/0/0]int lo0
[R6-LoopBack0]ip add 10.6.6.6 24
[R7]int gi 0/0/0
[R7-GigabitEthernet0/0/0]ip add 100.1.27.2 24
[R7-GigabitEthernet0/0/0]int lo0
[R7-LoopBack0]ip add 10.7.7.7 24
[R8]int gi 0/0/0
[R8-GigabitEthernet0/0/0]ip add 100.1.28.2 24
[R8-GigabitEthernet0/0/0]int lo0
[R8-LoopBack0]ip add 10.8.8.8 24

2. Configure a default route on R3 to R8 pointing at R2 (R1 already has one from step 1). These routes only need to reach the other routers' public addresses; the 10.x.x.x loopbacks are learned later over the tunnels:

[R3]ip route-static 0.0.0.0 0 100.1.23.1
[R4]ip route-static 0.0.0.0 0 100.1.24.1
[R5]ip route-static 0.0.0.0 0 100.1.25.1
[R6]ip route-static 0.0.0.0 0 100.1.26.1
[R7]ip route-static 0.0.0.0 0 100.1.27.1
[R8]ip route-static 0.0.0.0 0 100.1.28.1

3. Build mGRE between R1, R3 and R4

R1 (hub):

[R1]int tunnel 0/0/0
[R1-Tunnel0/0/0]tunnel-protocol gre p2mp 
[R1-Tunnel0/0/0]source g0/0/0
[R1-Tunnel0/0/0]ip add 10.0.0.1 24
[R1-Tunnel0/0/0]nhrp  network-id 100
[R1-Tunnel0/0/0]nhrp authentication cipher 123456 #NHRP interface authentication: the NHRP authentication extension is carried in clear text, so it only keeps mis-configured peers out; IPsec in step 8 is what actually protects NHRP
[R1-Tunnel0/0/0]nhrp entry  multicast dynamic #the hub learns spoke addresses from their registrations and replicates OSPF multicast to them
[R1-Tunnel0/0/0]gre key 1 #GRE key must match on every tunnel end; it identifies the tunnel and is sent in clear in each GRE header, so it is not a security control

R3:

[R3]int Tunnel 0/0/0
[R3-Tunnel0/0/0]tunnel-protocol gre p2mp 
[R3-Tunnel0/0/0]source g0/0/0
[R3-Tunnel0/0/0]gre key 1
[R3-Tunnel0/0/0]ip add 10.0.0.3 24
[R3-Tunnel0/0/0]nhrp  network-id 100
[R3-Tunnel0/0/0]nhrp entry 10.0.0.1 100.1.12.1 register 
[R3-Tunnel0/0/0]nhrp authentication cipher 123456 

R4:

[R4]int tu0/0/0
[R4-Tunnel0/0/0]tunnel-protocol gre  p2mp 
[R4-Tunnel0/0/0]source gi0/0/0
[R4-Tunnel0/0/0]gre key 1
[R4-Tunnel0/0/0]ip add 10.0.0.4 24
[R4-Tunnel0/0/0]nhrp network-id 100
[R4-Tunnel0/0/0]nhrp entry 10.0.0.1 100.1.12.1 register 
[R4-Tunnel0/0/0]nhrp authentication cipher 123456

The spoke registrations can then be checked on R1 with display nhrp peer all: one entry per spoke, mapping its tunnel address to its public (NBMA) address.

4. Configure OSPF so that all hosts can reach each other. The wildcard 0.255.255.255 on 10.0.0.0 covers both the tunnel subnet 10.0.0.0/24 and every router's loopback, so the loopbacks are advertised as well:

R1:

[R1]ospf 1 router-id  1.1.1.1
[R1-ospf-1]area 0.0.0.0
[R1-ospf-1-area-0.0.0.0]network  10.0.0.0 0.255.255.255

R3:

[R3]ospf 1 router-id  3.3.3.3
[R3-ospf-1] area 0.0.0.0 
[R3-ospf-1-area-0.0.0.0]  network 10.0.0.0 0.255.255.255 

R4:

[R4]ospf 1 router-id  4.4.4.4
[R4-ospf-1] area 0.0.0.0 
[R4-ospf-1-area-0.0.0.0]  network 10.0.0.0 0.255.255.255 

5. Change the OSPF network type of the tunnel interfaces to p2mp. An mGRE interface has several neighbours but no broadcast capability; with p2mp there is no DR/BDR election and each neighbour is reached through its own next hop, which is what the NHRP shortcuts in the next step rely on:

[R1]int tu0/0/0
[R1-Tunnel0/0/0]ospf network-type p2mp
[R3]int t0/0/0
[R3-Tunnel0/0/0]ospf network-type p2mp
[R4]int Tunnel 0/0/0
[R4-Tunnel0/0/0]ospf network-type p2mp

6. Enable NHRP redirect on R1 and NHRP shortcut on R3 and R4. When the hub forwards a packet from one spoke to another it sends the originating spoke a redirect; a spoke with shortcut enabled then resolves the destination through NHRP and builds a direct spoke-to-spoke tunnel:

[R1-Tunnel0/0/0]nhrp redirect
[R3-Tunnel0/0/0]nhrp shortcut 
[R4-Tunnel0/0/0]nhrp  shortcut

Now run tracert 10.0.0.4 from R3 to see the path taken.

Note: the path no longer goes through 10.0.0.1 first but straight to 10.0.0.4. The first packets of a new flow still transit the hub until the NHRP resolution completes, so run the trace twice if the first attempt still shows the hub.

7. Now build mGRE within R3-R5-R6 and R4-R7-R8. R3 and R4 become hubs for their own spokes while staying spokes of R1: they keep their registration with R1 and add the hub-side commands (dynamic multicast entries and redirect). All routers share network-id 100, GRE key 1 and the NHRP key, and the new spokes register with the public address of their own sub-hub.

R3 (sub-hub):

[R3]int t0/0/0
[R3-Tunnel0/0/0]nhrp entry multicast dynamic 
[R3-Tunnel0/0/0]nhrp  redirect

R5:

[R5]int Tunnel 0/0/0
[R5-Tunnel0/0/0]tunnel-protocol gre p2mp 
[R5-Tunnel0/0/0]source gi0/0/0
[R5-Tunnel0/0/0]gre  key  1
[R5-Tunnel0/0/0]ip address  10.0.0.5 24
[R5-Tunnel0/0/0]nhrp network-id 100
[R5-Tunnel0/0/0]nhrp authentication cipher 123456
[R5-Tunnel0/0/0]nhrp entry 10.0.0.3 100.1.23.2 register 
[R5-Tunnel0/0/0]nhrp shortcut 
[R5-Tunnel0/0/0]ospf network-type p2mp
[R5]ospf 1 router-id 5.5.5.5 
[R5-ospf-1-area-0.0.0.0]network 10.0.0.0 0.255.255.255

R6:

[R6]int Tunnel 0/0/0
[R6-Tunnel0/0/0] tunnel-protocol gre p2mp
[R6-Tunnel0/0/0] source gi0/0/0
[R6-Tunnel0/0/0] gre key 1
[R6-Tunnel0/0/0] ospf network-type p2mp
[R6-Tunnel0/0/0] nhrp shortcut
[R6-Tunnel0/0/0] nhrp network-id 100
[R6-Tunnel0/0/0] nhrp entry 10.0.0.3 100.1.23.2 register
[R6-Tunnel0/0/0]nhrp authentication cipher 123456
[R6-Tunnel0/0/0]ip add 10.0.0.6 24
[R6]ospf 1 router-id  6.6.6.6
[R6-ospf-1-area-0.0.0.0]network  10.0.0.0 0.255.255.255

R4 (sub-hub):

[R4-Tunnel0/0/0]nhrp entry multicast dynamic 
[R4-Tunnel0/0/0]nhrp redirect

R7:

[R7]int t0/0/0
[R7-Tunnel0/0/0]tunnel-protocol gre p2mp 
[R7-Tunnel0/0/0]source gi0/0/0
[R7-Tunnel0/0/0]gre key 1
[R7-Tunnel0/0/0]ip add 10.0.0.7 24
[R7-Tunnel0/0/0]nhrp network-id 100
[R7-Tunnel0/0/0]nhrp authentication cipher 123456
[R7-Tunnel0/0/0]nhrp  entry 10.0.0.4 100.1.24.2 register 
[R7-Tunnel0/0/0]nhrp shortcut 
[R7]ospf 1 router-id 7.7.7.7
[R7-ospf-1]area 0
[R7-ospf-1-area-0.0.0.0]network 10.0.0.0 0.255.255.255
[R7-ospf-1-area-0.0.0.0]int tu0/0/0
[R7-Tunnel0/0/0]ospf network-type p2mp

R8:

[R8]int Tunnel 0/0/0
[R8-Tunnel0/0/0]tunnel-protocol gre p2mp
[R8-Tunnel0/0/0]source gi0/0/0
[R8-Tunnel0/0/0]gre key 1
[R8-Tunnel0/0/0]ip add 10.0.0.8 24
[R8-Tunnel0/0/0]ospf network-type p2mp
[R8-Tunnel0/0/0]nhrp network-id 100
[R8-Tunnel0/0/0]nhrp authentication cipher 123456
[R8-Tunnel0/0/0]nhrp entry 10.0.0.4 100.1.24.2 register
[R8-Tunnel0/0/0]nhrp shortcut
[R8-Tunnel0/0/0]q
[R8]ospf 1 router-id 8.8.8.8
[R8-ospf-1]area 0
[R8-ospf-1-area-0.0.0.0]network 10.0.0.0 0.255.255.255

(The original session first gave R8's tunnel the address 10.0.0.7, which collides with R7, and showed the NHRP key once in the %$%$...%$%$ form that display current-configuration uses for cipher text; only the corrected, as-typed commands are kept here.)

Now try tracert from R6 to R7: the two spokes hang off different sub-hubs, so the first packets go R6 > R3 > R1 > R4 > R7, and after the redirects and resolution the path collapses to a direct R6 > R7 tunnel.
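Steps 3 to 7 are the same handful of tunnel and OSPF commands repeated on seven routers, with one or two values changing per role, which is exactly where hand-typed mistakes creep in (a duplicate tunnel address, a spoke registered against the wrong public address, a missing tunnel source). The following is an added example, not code from the original post: a Python script that renders the Tunnel0/0/0 and OSPF stanza for every router from one topology table and checks the table for duplicate tunnel or NBMA addresses, unknown hubs and looping hub chains before anything is pasted into a router. The addresses, router-ids, network-id, GRE key and NHRP key are the lab's; the table layout and the names TOPOLOGY, validate and render are this example's own.

```python
"""Added example (not from the original post): render Huawei VRP DSVPN
(mGRE + NHRP + OSPF p2mp) tunnel configuration for every router in the lab
from one topology table, and check the table for easy-to-make mistakes.

The addresses are the lab's (hub R1, sub-hubs R3/R4, spokes R5-R8); the
dict layout and the function names are this example's own assumptions.
"""
from __future__ import annotations

NETWORK_ID = 100
GRE_KEY = 1
NHRP_KEY = "123456"   # lab value; the NHRP auth extension travels in clear text

# name -> (tunnel address, NBMA/public address of the tunnel source,
#          OSPF router-id, name of the hub this router registers with or None)
TOPOLOGY = {
    "R1": ("10.0.0.1", "100.1.12.1", "1.1.1.1", None),
    "R3": ("10.0.0.3", "100.1.23.2", "3.3.3.3", "R1"),
    "R4": ("10.0.0.4", "100.1.24.2", "4.4.4.4", "R1"),
    "R5": ("10.0.0.5", "100.1.25.2", "5.5.5.5", "R3"),
    "R6": ("10.0.0.6", "100.1.26.2", "6.6.6.6", "R3"),
    "R7": ("10.0.0.7", "100.1.27.2", "7.7.7.7", "R4"),
    "R8": ("10.0.0.8", "100.1.28.2", "8.8.8.8", "R4"),
}


def hubs(topology) -> set[str]:
    """Routers that at least one other router registers with."""
    return {hub for (_, _, _, hub) in topology.values() if hub}


def validate(topology) -> list[str]:
    """Return human-readable problems; an empty list means the table is consistent."""
    problems = []
    seen_tunnel, seen_nbma = {}, {}
    for name, (tun, nbma, _rid, hub) in topology.items():
        if tun in seen_tunnel:
            problems.append(f"{name}: tunnel address {tun} already used by {seen_tunnel[tun]}")
        if nbma in seen_nbma:
            problems.append(f"{name}: NBMA address {nbma} already used by {seen_nbma[nbma]}")
        seen_tunnel.setdefault(tun, name)
        seen_nbma.setdefault(nbma, name)
        if hub is not None and hub not in topology:
            problems.append(f"{name}: registers with unknown hub {hub}")
        if hub == name:
            problems.append(f"{name}: registers with itself")
    # every router must reach a top-level hub by following its hub chain without looping
    for name in topology:
        chain, cur = [], name
        while cur is not None:
            if cur in chain:
                problems.append(f"{name}: hub chain loops at {cur}")
                break
            chain.append(cur)
            cur = topology[cur][3] if cur in topology else None
    return problems


def render(name: str, topology=TOPOLOGY) -> str:
    """VRP commands for one router's Tunnel0/0/0 and OSPF process."""
    tun, _nbma, rid, hub = topology[name]
    lines = [
        "interface Tunnel0/0/0",
        " tunnel-protocol gre p2mp",
        " source GigabitEthernet0/0/0",
        f" gre key {GRE_KEY}",
        f" ip address {tun} 255.255.255.0",
        " ospf network-type p2mp",
        f" nhrp network-id {NETWORK_ID}",
        f" nhrp authentication cipher {NHRP_KEY}",
    ]
    if name in hubs(topology):
        # hubs accept dynamic registrations and send redirects for spoke-to-spoke traffic
        lines += [" nhrp entry multicast dynamic", " nhrp redirect"]
    if hub is not None:
        # spokes (and sub-hubs) register with their hub and may build shortcuts
        hub_tun, hub_nbma, _, _ = topology[hub]
        lines += [f" nhrp entry {hub_tun} {hub_nbma} register", " nhrp shortcut"]
    lines += [
        "quit",
        f"ospf 1 router-id {rid}",
        " area 0.0.0.0",
        "  network 10.0.0.0 0.255.255.255",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    for problem in validate(TOPOLOGY):
        print("PROBLEM:", problem)
    print(render("R3"))
```

A sub-hub such as R3 gets both halves: the hub-side `nhrp entry multicast dynamic` / `nhrp redirect` and the spoke-side registration with R1 plus `nhrp shortcut`, which is exactly the state the lab reaches after step 7.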

8. Now IPsec can be configured. The IPsec profile is bound to the tunnel interface, so every GRE packet leaving Tunnel0/0/0 (NHRP, OSPF and user data alike) is protected; transport mode is sufficient because GRE already supplies the outer IP header.

R3:

[R3]ike proposal 1
[R3-ike-proposal-1]authentication-method pre-share 
[R3-ike-proposal-1]encryption-algorithm aes-cbc-128
[R3-ike-proposal-1]dh group5 
[R3-ike-proposal-1]authentication-algorithm md5 

[R3]ike peer dsvpn v1 
[R3-ike-peer-dsvpn]exchange-mode aggressive 
[R3-ike-peer-dsvpn]pre-shared-key cipher 123456
[R3-ike-peer-dsvpn]ike-proposal 1
[R3-ike-peer-dsvpn]remote-name dsvpn
[R3]ike local-name dsvpn

[R3]ipsec proposal dsvpn
[R3-ipsec-proposal-dsvpn]transform ah-esp 
[R3-ipsec-proposal-dsvpn]encapsulation-mode transport 
[R3-ipsec-proposal-dsvpn]ah authentication-algorithm sha1
[R3-ipsec-proposal-dsvpn]esp encryption-algorithm aes-128
[R3-ipsec-proposal-dsvpn]esp authentication-algorithm md5 

[R3]ipsec profile dsvpn
[R3-ipsec-profile-dsvpn]ike-peer dsvpn 
[R3-ipsec-profile-dsvpn]proposal dsvpn 
[R3-ipsec-profile-dsvpn]q

[R3]in tu0/0/0
[R3-Tunnel0/0/0]ipsec profile dsvpn 

Note: the other devices are configured exactly like R3 (same proposal, same peer name dsvpn, same pre-shared key), so the commands are not repeated here.

Everything in this block is lab-grade. IKEv1 aggressive mode sends the identity in the clear and exposes a hash derived from the pre-shared key that an on-path observer can crack offline; MD5 integrity, DH group 5 and a six-character key would not pass a review. Aggressive mode is used because a main-mode pre-shared-key peer is looked up by IP address, which a spoke with a dynamic address cannot offer; IKEv2 supports name-based identities without that trade-off, and sha2-256 with dh group14 replaces the weak algorithms.

Check the OSPF neighbour tables on R3 and R4 (display ospf peer): the adjacencies must come back up over the now-encrypted tunnels before the next step.
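Before copying the R3 block to the other six routers it is worth running it through the checks a security review would apply. The following is an added example, not code from the original post: a Python audit that reads a VRP-style IKE/IPsec block one command per line, flags the weak choices (IKEv1 aggressive mode, MD5 and SHA-1 integrity, DH group 5, AH stacked on ESP, a short pre-shared key) and emits a hardened copy. The sample text is the lab's own R3 block; the rule set, the replacement algorithms (sha2-256, dh group14, IKEv2) and the names audit and harden are this example's assumptions, and the replacement keywords should be checked against the VRP release in use.

```python
"""Added example (not from the original post): audit a Huawei VRP IKE/IPsec
block for choices a security review would reject and emit a hardened copy.

The sample text is the lab's R3 configuration as typed. The rule set, the
replacement algorithms and the function names are this example's own
assumptions; verify the replacement keywords against your VRP release.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# constructed from the R3 commands in step 8, one command per line
R3_CONFIG = """\
ike proposal 1
 authentication-method pre-share
 encryption-algorithm aes-cbc-128
 dh group5
 authentication-algorithm md5
ike peer dsvpn v1
 exchange-mode aggressive
 pre-shared-key cipher 123456
 ike-proposal 1
 remote-name dsvpn
ipsec proposal dsvpn
 transform ah-esp
 encapsulation-mode transport
 ah authentication-algorithm sha1
 esp encryption-algorithm aes-128
 esp authentication-algorithm md5
"""


@dataclass(frozen=True)
class Rule:
    pattern: str            # matched against one configuration line
    reason: str             # what a reviewer would say about it
    fix: str | None = None  # re.sub template for the hardened line; None means flag only
    delete: bool = False    # drop the line when hardening (exchange-mode has no meaning under IKEv2)


RULES = [
    Rule(r"^(\s*ike peer \S+) v1$",
         "IKEv1: name-based IDs with a PSK force aggressive mode; IKEv2 does not", r"\1 v2"),
    Rule(r"^\s*exchange-mode aggressive$",
         "aggressive mode sends the identity in clear and a PSK-derived hash that can be cracked offline",
         delete=True),
    Rule(r"^(\s*)authentication-algorithm (md5|sha1)$",
         "IKE integrity MD5/SHA-1", r"\1authentication-algorithm sha2-256"),
    Rule(r"^(\s*)encryption-algorithm (des|3des)(-cbc)?$",
         "IKE encryption DES/3DES", r"\1encryption-algorithm aes-cbc-256"),
    Rule(r"^(\s*)dh group(1|2|5)$",
         "DH group below 2048 bits", r"\1dh group14"),
    Rule(r"^(\s*)(ah|esp) authentication-algorithm (md5|sha1)$",
         "IPsec integrity MD5/SHA-1", r"\1\2 authentication-algorithm sha2-256"),
    Rule(r"^(\s*)esp encryption-algorithm (des|3des)$",
         "ESP encryption DES/3DES", r"\1esp encryption-algorithm aes-256"),
    Rule(r"^(\s*)transform ah-esp$",
         "AH adds nothing once ESP carries its own integrity check, and it breaks behind NAT",
         r"\1transform esp"),
    Rule(r"^\s*pre-shared-key cipher \S{1,7}$",
         "pre-shared key shorter than 8 characters (as typed; display shows it as %$%$...%$%$)"),
]


def audit(config: str) -> list[tuple[int, str, str]]:
    """Return (line number, line, reason) for every line that trips a rule."""
    findings = []
    for n, line in enumerate(config.splitlines(), 1):
        for rule in RULES:
            if re.match(rule.pattern, line):
                findings.append((n, line.strip(), rule.reason))
    return findings


def harden(config: str) -> str:
    """Apply every rule that has an automatic fix; flag-only lines are kept unchanged."""
    out = []
    for line in config.splitlines():
        keep = True
        for rule in RULES:
            if re.match(rule.pattern, line):
                if rule.delete:
                    keep = False
                elif rule.fix is not None:
                    line = re.sub(rule.pattern, rule.fix, line)
        if keep:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for n, line, reason in audit(R3_CONFIG):
        print(f"line {n}: {line!r}: {reason}")
    print("--- hardened ---")
    print(harden(R3_CONFIG))
```

The pre-shared key is flagged but never rewritten, since a key has to be chosen and distributed out of band; the rules are written against commands as typed, not against the cipher-text form that display current-configuration prints.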

 

9. Test

Ping between loopbacks again, then capture on one of R2's links:

The capture shows that the data is now encrypted: instead of plaintext GRE (IP protocol 47) carrying visible OSPF and inner IP headers, the packets between the spokes and R2 appear as AH (IP protocol 51) wrapping ESP, with the GRE payload no longer readable.

Reposted from blog.csdn.net/qq_68163788/article/details/132119543