GRE & IPsec Experimental Configuration on Digital China DCN

Note: this experiment is only a record of my personal study notes. If there are any deficiencies, I hope everyone will actively criticize and correct them~

Topology:

Description:

R1:
g 0/0:192.168.1.1/24
g 0/1:10.1.1.1/24
tunnel 1:172.16.1.1/24

R2:
g 0/0:192.168.2.1/24
g 0/1:10.1.1.2/24
tunnel 1:172.16.1.2/24

Configuration idea:

Build a GRE tunnel (tunnel 1, 172.16.1.0/24) between the physical addresses 10.1.1.1 and 10.1.1.2, then protect the GRE packets with IPsec: an extended ACL matches GRE between the two physical addresses, an ISAKMP policy with a pre-shared key handles phase 1, a transform set (ESP-3DES with ESP-MD5-HMAC, tunnel mode) handles phase 2, and a crypto map ties the ACL, the peer and the transform set together and is applied to g 0/1, the interface the GRE packets leave through.

Two things to keep in mind when reading the configuration. First, 3DES, MD5 and DH group 2 are legacy algorithms that are acceptable only because this is a lab; a production tunnel should use AES and SHA-2 with a larger DH group, and a pre-shared key stronger than 123456. Second, set peer and the pre-shared key address are given as the remote tunnel address (172.16.1.x). IKE negotiates over the interface the crypto map is bound to, so the peer is normally the remote physical address (10.1.1.x) that is directly reachable there, and a /24 mask on the key lets any host in that subnet present it. Before relying on the tunnel, check on the device which peer the security association actually forms with.

R1 configuration:

R1_config#int g 0/1
R1_config_g0/1#ip add 10.1.1.1 255.255.255.0
R1_config_g0/1#int g 0/0
R1_config_g0/0#ip add 192.168.1.1 255.255.255.0
R1_config_g0/0#
R1_config#interface tunnel 1
R1_config_t1#ip address 172.16.1.1 255.255.255.0
R1_config_t1#tunnel source 10.1.1.1
R1_config_t1#tunnel destination 10.1.1.2
R1_config_t1#exit
R1_config#
R1_config#ip access-list extended 1
R1_config_ext_nacl#permit gre 10.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0
R1_config_ext_nacl#exit
R1_config#
R1_config#crypto isakmp policy 10
R1_config_isakmp#authentication pre-share 
R1_config_isakmp#encryption 3des 
R1_config_isakmp#hash md5 
R1_config_isakmp#group 2
R1_config_isakmp#lifetime 4000
R1_config_isakmp#exit
R1_config#
R1_config#crypto isakmp key 6 123456 address 172.16.1.2 255.255.255.0
R1_config#
R1_config#crypto ipsec transform-set LR esp-3des esp-md5-hmac 
R1-transform-set#mode tunnel                                         
R1-transform-set#exit
R1_config#
R1_config#crypto map lirong 10 ipsec-isakmp 
R1_crypto_map#set transform-set LR
R1_crypto_map#set peer 172.16.1.2
R1_crypto_map#match address 1
R1_crypto_map#exit
R1_config#interface gigaEthernet 0/1
R1_config_g0/1#crypto map lirong
R1_config_g0/1#exit

R2 configuration:

R2_config#int g 0/1
R2_config_g0/1#ip add 10.1.1.2 255.255.255.0
R2_config_g0/1#int g 0/0
R2_config_g0/0#ip add 192.168.2.1 255.255.255.0
R2_config_g0/0#exit
R2_config#
R2_config#interface tunnel 1
R2_config_t1#ip add 172.16.1.2 255.255.255.0
R2_config_t1#tunnel source 10.1.1.2
R2_config_t1#tunnel destination 10.1.1.1
R2_config_t1#exit
R2_config#
R2_config#ip access-list extended 1
R2_config_ext_nacl#permit gre 10.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0
R2_config_ext_nacl#exit
R2_config#
R2_config#crypto isakmp policy 10
R2_config_isakmp#authentication pre-share 
R2_config_isakmp#encryption 3des 
R2_config_isakmp#hash md5 
R2_config_isakmp#group 2
R2_config_isakmp#lifetime 4000
R2_config_isakmp#exit
R2_config#
R2_config#crypto isakmp key 6 123456 address 172.16.1.1 255.255.255.0
R2_config#
R2_config#crypto ipsec transform-set LR esp-3des esp-md5-hmac 
R2-transform-set#mode tunnel
R2-transform-set#exit
R2_config#
R2_config#crypto map lirong 10 ipsec-isakmp 
R2_crypto_map#set peer 172.16.1.1
R2_crypto_map#set transform-set LR
R2_crypto_map#match address 1
R2_crypto_map#exit
R2_config#
R2_config#interface gigaEthernet 0/1
R2_config_g0/1#crypto map lirong
R2_config_g0/1#exit
R2_config#

Test Results:

R2#ping 172.16.1.1
PING 172.16.1.1 (172.16.1.1): 56 data bytes
!!!!!
--- 172.16.1.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0/0/0 ms
R2#

A successful ping across the tunnel only shows that the GRE tunnel is up. It does not by itself show that the GRE packets leaving g 0/1 are ESP-encapsulated; confirm that separately, either from the router's IPsec security association status or from a capture on the 10.1.1.0/24 link, which should show IP protocol 50 (ESP) between 10.1.1.1 and 10.1.1.2 rather than protocol 47 (GRE).

Detailed explanation of related commands

transform-type

In crypto transform configuration mode, use the transform-type command to set the transform type.

transform-type transform1 [transform2[transform3]]

Usage guidelines:

A transform set specifies one or two IPsec security protocols (ESP, AH, or both) and the algorithms used with each selected protocol. The ESP and AH protocols are described in the section "IPsec protocols: ESP and AH" below.

A transform set definition can specify one to three transforms; each transform is a combination of an IPsec security protocol (ESP or AH) and the algorithm to use with it. When a transform set is used in IPsec security association negotiation, the entire transform set (the combination of protocols, algorithms and other settings such as the mode) must match a transform set on the peer.

A transform set can specify AH, ESP, or both. If ESP is specified, either only an ESP encryption transform, or both an ESP encryption transform and an ESP authentication transform, can be defined. The possible transform combinations are shown in the table below.
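The matching rule just described, together with the R1/R2 configuration above, is something worth checking mechanically before trusting a tunnel. The following Python is an added example (not part of the original page and not DCN software): it models the two routers' configuration as data and applies the generic IKEv1/IPsec rules, which are Cisco-style semantics assumed here to hold for DCN as well. It checks that an ISAKMP policy is shared, that the transform set named in the crypto map matches a peer set as a whole, that both sides resolve the peer to the same pre-shared key, that the crypto ACL selects the tunnel's own GRE packets, and that the IKE peer address lies on the interface carrying the crypto map. Run against the page's own values, only the last check fires, because set peer 172.16.1.2 is the remote tunnel address rather than 10.1.1.2; the physical_peer_configuration variant is hypothetical and shows the same data passing with the peer and key bound to the remote physical /32.

```python
"""Consistency checks for a two-router GRE over IPsec (crypto map) lab.
Added example, not DCN code: the page's R1/R2 configuration as data, checked
with generic IKEv1/IPsec matching rules (Cisco-style, assumed to hold for DCN)."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int
    auth: str
    encryption: str
    hash: str
    group: int

@dataclass(frozen=True)
class TransformSet:
    name: str
    transforms: frozenset  # e.g. {"esp-3des", "esp-md5-hmac"}
    mode: str

@dataclass
class Router:
    name: str
    interfaces: dict       # interface -> "a.b.c.d/len"
    tunnel_src: str
    tunnel_dst: str
    policies: tuple
    keys: dict             # "network/len" -> key, from crypto isakmp key ... address
    transform_sets: tuple
    map_peer: str          # set peer
    map_transform: str     # set transform-set
    map_interface: str     # interface carrying the crypto map
    acl: tuple             # (protocol, "src/len", "dst/len") entries of the match ACL

def negotiate_isakmp(a, b):
    """Phase 1: offer policies in priority order; the first one the peer has an
    identical copy of wins. Lifetime is not matched, the shorter value is used."""
    for pa in sorted(a.policies, key=lambda p: p.priority):
        for pb in b.policies:
            if (pa.auth, pa.encryption, pa.hash, pa.group) == (pb.auth, pb.encryption, pb.hash, pb.group):
                return pa
    return None

def negotiate_transform(a, b):
    """Phase 2: the set named in the crypto map must match a peer set as a whole."""
    local = {t.name: t for t in a.transform_sets}.get(a.map_transform)
    return next((t for t in b.transform_sets
                 if local and (t.transforms, t.mode) == (local.transforms, local.mode)), None)

def psk_for(router, peer):
    addr = ipaddress.ip_address(peer)
    return next((k for net, k in router.keys.items() if addr in ipaddress.ip_network(net)), None)

def check_pair(a, b):
    f = []
    if not (a.tunnel_src == b.tunnel_dst and a.tunnel_dst == b.tunnel_src):
        f.append("tunnel source/destination are not mirrored")
    if negotiate_isakmp(a, b) is None:
        f.append("no ISAKMP policy in common")
    if negotiate_transform(a, b) is None:
        f.append(f"{a.name}: transform set {a.map_transform} has no match on {b.name}")
    ka, kb = psk_for(a, a.map_peer), psk_for(b, b.map_peer)
    if ka is None or ka != kb:
        f.append("pre-shared keys do not match for the configured peers")
    # IKE runs over the interface carrying the crypto map, so the peer must be directly
    # reachable there; a peer only reachable via the tunnel would need the SA IKE is creating.
    phys = ipaddress.ip_interface(a.interfaces[a.map_interface]).network
    if ipaddress.ip_address(a.map_peer) not in phys:
        f.append(f"{a.name}: set peer {a.map_peer} is not on {a.map_interface} ({phys})")
    # The crypto ACL must select the GRE packets the tunnel actually emits.
    src, dst = ipaddress.ip_address(a.tunnel_src), ipaddress.ip_address(a.tunnel_dst)
    if not any(p == "gre" and src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d)
               for p, s, d in a.acl):
        f.append(f"{a.name}: crypto ACL does not match GRE {a.tunnel_src}->{a.tunnel_dst}")
    return f

def check_deployment(r1, r2):
    """Findings for both directions, duplicates removed; [] means consistent."""
    return list(dict.fromkeys(check_pair(r1, r2) + check_pair(r2, r1)))

# Values from the page's R1/R2 configuration.
POLICY = IsakmpPolicy(10, "pre-share", "3des", "md5", 2)
LR = TransformSet("LR", frozenset({"esp-3des", "esp-md5-hmac"}), "tunnel")
ACL = (("gre", "10.1.1.0/24", "10.1.1.0/24"),)

def router(name, lan, phys, tun_src, tun_dst, peer, key_net):
    return Router(name, {"g0/0": lan, "g0/1": phys}, tun_src, tun_dst, (POLICY,),
                  {key_net: "123456"}, (LR,), peer, "LR", "g0/1", ACL)

def page_configuration():
    """As on the page: peer and key address are the remote tunnel address."""
    return (router("R1", "192.168.1.1/24", "10.1.1.1/24", "10.1.1.1", "10.1.1.2", "172.16.1.2", "172.16.1.0/24"),
            router("R2", "192.168.2.1/24", "10.1.1.2/24", "10.1.1.2", "10.1.1.1", "172.16.1.1", "172.16.1.0/24"))

def physical_peer_configuration():
    """Hypothetical variant: peer and key bound to the remote physical /32."""
    return (router("R1", "192.168.1.1/24", "10.1.1.1/24", "10.1.1.1", "10.1.1.2", "10.1.1.2", "10.1.1.2/32"),
            router("R2", "192.168.2.1/24", "10.1.1.2/24", "10.1.1.2", "10.1.1.1", "10.1.1.1", "10.1.1.1/32"))
```

Calling check_deployment(*page_configuration()) returns one finding per router about the peer address and nothing else, while the physical-peer variant returns an empty list. The policy match deliberately ignores lifetime, since IKE peers settle on the shorter of the two values rather than requiring equality.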
IPsec protocols: ESP and AH

Both ESP and AH protocols provide security services for IPSec.

ESP provides packet encryption, plus optional data authentication and anti-replay services. AH provides data authentication and anti-replay services but no encryption.

ESP encapsulates the protected data, either a complete IP datagram or only its payload, between an ESP header and an ESP trailer. AH instead inserts an AH header directly after the outer IP header and before the inner IP datagram or payload, and authenticates the data together with the IP header fields that do not change in transit. In tunnel mode the entire original IP datagram is encapsulated and protected; in transport mode only the payload of the IP datagram is. For details of the two modes, see the description of the mode command.
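To make the difference concrete, here is an added Python example (constructed packets on this lab's addressing, not captures from the page, and not DCN code) that parses the outer IPv4 header and reports what an observer on the 10.1.1.0/24 link can read from GRE, ESP and AH packets. Plain GRE exposes the inner 172.16.1.x addresses and protocol; ESP exposes only the SPI and sequence number; AH exposes the inner packet but covers it with an integrity check value. Header layouts follow RFC 2784 (GRE), RFC 4303 (ESP) and RFC 4302 (AH); the ESP ciphertext and the AH ICV are placeholder bytes because no keys are involved.

```python
"""What an on-path observer sees in GRE, ESP and AH packets.
Added example with constructed packets (not captures from the page); header
layouts follow RFC 2784 (GRE), RFC 4303 (ESP) and RFC 4302 (AH)."""
import ipaddress
import struct

GRE, ESP, AH, IPIP, ICMP = 47, 50, 51, 4, 1
IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte header without options

def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (checksum left zero; this is constructed test data)."""
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed) + payload

def parse_ipv4(buf):
    vihl, _, total, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, buf[:20])
    ihl = (vihl & 0x0F) * 4
    return str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst)), proto, buf[ihl:total]

def describe_payload(proto, p):
    """Fields readable without any key for a payload of IP protocol `proto`."""
    if proto == GRE:
        # RFC 2784: flags/version, protocol type, then an optional checksum word if C is set.
        flags, ptype = struct.unpack("!HH", p[:4])
        hdr = 4 + (4 if flags & 0x8000 else 0)
        if ptype == 0x0800:
            s, d, ip, _ = parse_ipv4(p[hdr:])
            return {"kind": "GRE cleartext", "inner_src": s, "inner_dst": d, "inner_proto": ip}
        return {"kind": "GRE cleartext", "ptype": ptype}
    if proto == ESP:
        # RFC 4303: only SPI and sequence number are in the clear; everything after is ciphertext.
        spi, seq = struct.unpack("!II", p[:8])
        return {"kind": "ESP", "spi": spi, "seq": seq, "inner_visible": False}
    if proto == AH:
        # RFC 4302: next header, payload length (32-bit words minus 2), reserved, SPI, seq, ICV.
        nxt, plen, _, spi, seq = struct.unpack("!BBHII", p[:12])
        inner = describe_payload(nxt, p[(plen + 2) * 4:])
        return {"kind": "AH", "spi": spi, "seq": seq, "authenticated": inner}
    if proto == IPIP:
        # Tunnel-mode inner datagram (IPv4 in IPv4), as seen after an AH header.
        s, d, ip, _ = parse_ipv4(p)
        return {"kind": "IPv4", "inner_src": s, "inner_dst": d, "inner_proto": ip}
    return {"kind": f"proto {proto}"}

def describe(pkt):
    """Outer addresses plus whatever the outer protocol exposes."""
    src, dst, proto, payload = parse_ipv4(pkt)
    return {"outer_src": src, "outer_dst": dst, **describe_payload(proto, payload)}

def sample_packets():
    """Constructed samples on the page's addressing: R2 (10.1.1.2) pinging 172.16.1.1."""
    echo = ipv4("172.16.1.2", "172.16.1.1", ICMP, struct.pack("!BBHHH", 8, 0, 0, 1, 1))
    gre = struct.pack("!HH", 0, 0x0800) + echo        # plain GRE header, no C/K/S bits
    icv = bytes(12)                                    # placeholder 96-bit HMAC-MD5 ICV
    ah = struct.pack("!BBHII", GRE, (12 + len(icv)) // 4 - 2, 0, 0x2000, 7) + icv
    fake_ciphertext = bytes(range(32))                 # stands in for the encrypted GRE packet
    return {
        "gre_clear": ipv4("10.1.1.2", "10.1.1.1", GRE, gre),
        "esp": ipv4("10.1.1.2", "10.1.1.1", ESP, struct.pack("!II", 0x1000, 1) + fake_ciphertext),
        "ah_gre": ipv4("10.1.1.2", "10.1.1.1", AH, ah + gre),   # AH transport mode around GRE
    }

if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(name, describe(pkt))
```

This is the same distinction the ping test above cannot make: a capture on the 10.1.1.0/24 link that decodes like the gre_clear sample means the crypto map is not protecting the tunnel, while one that decodes like the esp sample means it is.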

Choosing the appropriate transform


Source: blog.csdn.net/weixin_64717288/article/details/130435192