IPsec Lab Notes
Tuesday, 19 June 2018
12:09 AM
The lab topology is as follows:
An IPsec lab from the 2017 Nanjing 太阁 XCNP course
Lab requirements:
Advertise the WAN interfaces and loopbacks of R1, R2 and R3 into the IGP. R1 plays the ISP's router; R2 and R3 are each the border router of one campus.
Configure IPsec on the border routers so that the inside hosts PC4 and PC5 can reach each other.
Configuration approach:
1. Run EIGRP on R2, R1 and R3, advertising each router's WAN interface(s) and loopback into the EIGRP process, then test connectivity between all interfaces.
2. Configure PAT on R2 and R3. Because IPsec is going to protect the traffic between the two inside networks, that traffic must not take part in PAT; an extended ACL that matches those flows exactly is used to exclude them. The deny entry matters because on IOS the inside-to-outside NAT translation is performed before the crypto map is evaluated: without it the packets would leave with the translated source address and no longer match the crypto ACL.
For example, on R2:
ip access-list extended PAT
 deny ip 172.16.24.0 0.0.0.255 192.168.35.0 0.0.0.255
 permit ip 172.16.24.0 0.0.0.255 1.1.1.0 0.0.0.255
 permit ip 172.16.24.0 0.0.0.255 3.3.3.0 0.0.0.255
 permit ip 172.16.24.0 0.0.0.255 12.1.1.0 0.0.0.255
 permit ip 172.16.24.0 0.0.0.255 13.1.1.0 0.0.0.255
ip nat pool 24 12.1.1.24 12.1.1.24 prefix-length 24
ip nat inside source list PAT pool 24 overload
3. On R2, configure a static route to R3's inside network; on R3, a static route to R2's inside network. The private prefixes are never advertised to R1: the route only has to send the interesting traffic out the interface that carries the crypto map, after which it travels as ESP between the peers' public addresses.
For example, on R2:
ip route 192.168.35.0 255.255.255.0 Serial1/0 12.1.1.1
4. Configure IPsec on R2 and R3 (use the ? prompt if you forget a command; R2's configuration is shown here).
ACL for the interesting traffic
ip access-list extended crpto-acl
 permit ip 172.16.24.0 0.0.0.255 192.168.35.0 0.0.0.255
Create the pre-shared key (address 0.0.0.0 makes the key valid for any peer address, which is convenient in the lab; outside a lab bind it to the peer, e.g. address 13.1.1.3)
crypto isakmp key CCIE address 0.0.0.0
Configure the crypto isakmp policy (MD5 and DH group 2 follow the course lab; for anything beyond a lab use sha256 and group 14 or higher)
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 2
Configure the crypto ipsec transform-set
crypto ipsec transform-set R2-R3 esp-aes 256 esp-md5-hmac
 mode tunnel
Configure the crypto map
crypto map CCIE 10 ipsec-isakmp
 set peer 13.1.1.3
 set transform-set R2-R3
 match address crpto-acl
Apply the crypto map on the WAN interface
interface Serial1/0
 ip address 12.1.1.2 255.255.255.0
 ip nat outside
 crypto map CCIE
5. Test connectivity between PC4 and PC5, then view the SAs of each IPsec phase on R2 and R3.
show crypto engine connections active
This command displays each phase 2 SA that has been built and the number of packets it has handled. Because phase 2 SAs are unidirectional, each SA shows traffic in one direction only (encrypt = outbound, decrypt = inbound).
show crypto isakmp sa (phase 1 SA)
This command displays the Internet Security Association and Key Management Protocol (ISAKMP) security associations (SAs) built between the peers.
show crypto ipsec sa (phase 2 SA)
This command displays the IPsec SAs built between the peers; two unidirectional SAs are visible. The output is too long to screenshot here.
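Two things go wrong most often in a crypto-map plus PAT setup like this one: the crypto ACLs on the two peers are not exact mirror images, and the NAT ACL translates the protected flow before the crypto map sees it. The Python script below is an added example, not part of the original lab notes, that re-parses the R2 and R3 ACL and ISAKMP fragments from this page (embedded as strings), checks both conditions offline, and also flags the legacy ISAKMP settings (MD5, DH group 2) used in the lab. The `BROKEN_PAT` ACL is a constructed variant showing the "permit ... any" mistake; the function and variable names are my own.

```python
"""Offline sanity checks for the IPsec/NAT interplay in the R2-R3 lab.
Added example (not part of the original lab notes). R2_CONFIG and
R3_CONFIG are copied from the page; BROKEN_PAT is a constructed mistake.
"""
import ipaddress
import re

R2_CONFIG = """\
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 2
ip access-list extended PAT
 deny ip 172.16.24.0 0.0.0.255 192.168.35.0 0.0.0.255
 permit ip 172.16.24.0 0.0.0.255 1.1.1.0 0.0.0.255
 permit ip 172.16.24.0 0.0.0.255 3.3.3.0 0.0.0.255
 permit ip 172.16.24.0 0.0.0.255 12.1.1.0 0.0.0.255
 permit ip 172.16.24.0 0.0.0.255 13.1.1.0 0.0.0.255
ip access-list extended crpto-acl
 permit ip 172.16.24.0 0.0.0.255 192.168.35.0 0.0.0.255
"""

R3_CONFIG = """\
ip access-list extended crpto-acl
 permit ip 192.168.35.0 0.0.0.255 172.16.24.0 0.0.0.255
"""

# Constructed mistake: no deny for the protected flow, so inside->outside
# NAT rewrites the source before the crypto map is evaluated.
BROKEN_PAT = """\
ip access-list extended PAT
 permit ip 172.16.24.0 0.0.0.255 any
"""

# ISAKMP policy settings Cisco's NGE guidance lists as legacy / avoid.
WEAK_ISAKMP = {("encr", "des"), ("encr", "3des"), ("hash", "md5"),
               ("group", "1"), ("group", "2"), ("group", "5")}


def _wildcard_net(addr, wildcard):
    """IOS 'address wildcard' -> ip_network (inverted wildcard = netmask)."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.ip_network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _take_addr(tokens):
    """Consume one src/dst spec: 'any' | 'host A' | 'A WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return _wildcard_net(tok, tokens.pop(0))


def parse_acls(config):
    """Return {name: [(action, src_net, dst_net), ...]} for 'permit|deny ip' ACEs."""
    acls, current = {}, None
    for line in config.splitlines():
        head = re.match(r"^ip access-list extended (\S+)", line)
        if head:
            current = head.group(1)
            acls[current] = []
            continue
        if not line.startswith(" "):          # left the ACL block
            current = None
            continue
        ace = re.match(r"^\s*(permit|deny)\s+ip\s+(.*)$", line)
        if current and ace:
            tokens = ace.group(2).split()
            src = _take_addr(tokens)
            dst = _take_addr(tokens)
            acls[current].append((ace.group(1), src, dst))
    return acls


def mirrors(local_acl, remote_acl):
    """Crypto ACLs must be exact mirror images (src/dst swapped, nothing extra)."""
    return set(local_acl) == {(a, d, s) for a, s, d in remote_acl}


def translated_flows(crypto_acl, pat_acl):
    """Protected flows the PAT ACL would still hand to NAT before the crypto map.
    A flow is safe once a deny that fully covers it is hit (or nothing matches);
    it leaks if an overlapping permit comes first."""
    leaked = []
    for action, src, dst in crypto_acl:
        if action != "permit":
            continue
        for pat_action, psrc, pdst in pat_acl:
            if pat_action == "deny" and src.subnet_of(psrc) and dst.subnet_of(pdst):
                break
            if pat_action == "permit" and src.overlaps(psrc) and dst.overlaps(pdst):
                leaked.append((str(src), str(dst)))
                break
    return leaked


def weak_isakmp_settings(config):
    """Lines inside 'crypto isakmp policy' blocks that use legacy algorithms."""
    found, in_policy = [], False
    for line in config.splitlines():
        if line.startswith("crypto isakmp policy"):
            in_policy = True
            continue
        if not line.startswith(" "):
            in_policy = False
        if in_policy:
            parts = tuple(line.split())
            if len(parts) == 2 and parts in WEAK_ISAKMP:
                found.append(line.strip())
    return found


if __name__ == "__main__":
    r2, r3 = parse_acls(R2_CONFIG), parse_acls(R3_CONFIG)
    print("crypto ACLs mirror:", mirrors(r2["crpto-acl"], r3["crpto-acl"]))
    print("flows still NATed:", translated_flows(r2["crpto-acl"], r2["PAT"]))
    print("flows still NATed (BROKEN_PAT):",
          translated_flows(r2["crpto-acl"], parse_acls(BROKEN_PAT)["PAT"]))
    print("weak ISAKMP settings:", weak_isakmp_settings(R2_CONFIG))
```

Run it against the configs copied from the lab and the mirror check passes, no protected flow is translated, and the ISAKMP check reports `hash md5` and `group 2`; swap in `BROKEN_PAT` and the 172.16.24.0/24 to 192.168.35.0/24 flow is reported as translated, which is exactly the case where the tunnel never comes up for inside traffic even though the phase 1 SA looks fine.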
The full configurations follow:
R2:
hostname R2
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key CCIE address 0.0.0.0
crypto ipsec transform-set R2-R3 esp-aes 256 esp-md5-hmac
 mode tunnel
crypto map CCIE 10 ipsec-isakmp
 set peer 13.1.1.3
 set transform-set R2-R3
 match address crpto-acl
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
interface Ethernet0/0
 ip address 172.16.24.254 255.255.255.0
 ip nat inside
interface Serial1/0
 ip address 12.1.1.2 255.255.255.0
 ip nat outside
 crypto map CCIE
router eigrp 90
 network 2.2.2.2 0.0.0.0
 network 12.1.1.2 0.0.0.0
ip nat pool 24 12.1.1.24 12.1.1.24 prefix-length 24
ip nat inside source list PAT pool 24 overload
ip route 192.168.35.0 255.255.255.0 Serial1/0 12.1.1.1
ip access-list extended PAT
 deny ip 172.16.24.0 0.0.0.255 192.168.35.0 0.0.0.255
 permit ip 172.16.24.0 0.0.0.255 1.1.1.0 0.0.0.255
 permit ip 172.16.24.0 0.0.0.255 3.3.3.0 0.0.0.255
 permit ip 172.16.24.0 0.0.0.255 12.1.1.0 0.0.0.255
 permit ip 172.16.24.0 0.0.0.255 13.1.1.0 0.0.0.255
ip access-list extended crpto-acl
 permit ip 172.16.24.0 0.0.0.255 192.168.35.0 0.0.0.255
R3:
hostname R3
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key CCIE address 0.0.0.0
crypto ipsec transform-set R3-R2 esp-aes 256 esp-md5-hmac
 mode tunnel
crypto map CCIE 10 ipsec-isakmp
 set peer 12.1.1.2
 set transform-set R3-R2
 match address crpto-acl
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
interface Ethernet0/0
 ip address 192.168.35.254 255.255.255.0
 ip nat inside
interface Serial1/1
 ip address 13.1.1.3 255.255.255.0
 ip nat outside
 crypto map CCIE
router eigrp 90
 network 3.3.3.3 0.0.0.0
 network 13.1.1.3 0.0.0.0
ip nat pool 35 13.1.1.35 13.1.1.35 prefix-length 24
ip nat inside source list PAT pool 35 overload
ip route 172.16.24.0 255.255.255.0 Serial1/1 13.1.1.1
ip access-list extended PAT
 deny ip 192.168.35.0 0.0.0.255 172.16.24.0 0.0.0.255
 permit ip 192.168.35.0 0.0.0.255 1.1.1.0 0.0.0.255
 permit ip 192.168.35.0 0.0.0.255 2.2.2.0 0.0.0.255
 permit ip 192.168.35.0 0.0.0.255 12.1.1.0 0.0.0.255
 permit ip 192.168.35.0 0.0.0.255 13.1.1.0 0.0.0.255
ip access-list extended crpto-acl
 permit ip 192.168.35.0 0.0.0.255 172.16.24.0 0.0.0.255
R1:
hostname R1
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
interface Serial1/0
 ip address 13.1.1.1 255.255.255.0
interface Serial1/1
 ip address 12.1.1.1 255.255.255.0
router eigrp 90
 network 1.1.1.1 0.0.0.0
 network 12.1.1.1 0.0.0.0
 network 13.1.1.1 0.0.0.0
PC4:
ip 172.16.24.4 255.255.255.0 172.16.24.254
PC5:
ip 192.168.35.5 255.255.255.0 192.168.35.254