"Network security and penetration tests" class notes --- 15

2019/5/9 - - -
IPsec VPN: theory and lab

IPsec VPN
Establishing an IPsec VPN connection takes three steps:

1. Traffic that triggers IPsec ("interesting traffic")
Use an extended ACL to define (match with permit) the traffic that must be protected.
How:

access-list 100 permit ip 172.16.10.0 0.0.0.255 10.10.33.0 0.0.0.255

do show running-config | include access-list		 # view the access-lists ("do" runs an exec command from configuration mode)

Supplement:

Standard ACL
List number: 1-99 (expanded range 1300-1999)
Can only match on the packet's source address

Extended ACL
List number: 100-199 (expanded range 2000-2699)
Finer-grained matching on the packet
(source address, destination address, protocol, port)

2. Management connection (IKE phase 1)
IKE
(1) Negotiate how the management connection is built (both peers must have a matching policy)

Encryption algorithm (DES, 3DES, AES)
crypto isakmp policy 1
encryption aes

Integrity (authentication) algorithm (hash algorithm: MD5 / SHA1 / SHA-2)
hash sha256

Device authentication type/method (certificate or pre-shared key)
authentication pre-share
DH key group
group 5
DH1 768-bit
DH2 1024-bit
DH5 1536-bit
...

Lifetime of the management connection (seconds)
lifetime 3600
(2) Derive the shared key with the DH algorithm
(3) The peers authenticate each other

Commands:
crypto isakmp key 0 cisco address 200.0.20.2		(0 = the key is entered in cleartext; "cisco" is the lab key)
show running | incl crypto

3. Data connection (IPsec phase 2)
AH
integrity only
ESP
integrity
encryption (confidentiality)

Tasks:
(1) Define which traffic between the peers needs protection
the ACL
(2) Define the security protocol used to protect the data
AH
ESP
(3) Define the transmission mode
tunnel (the default; the alternative is transport)
(4) Define the lifetime of the data connection and how keys are refreshed
by traffic volume or by elapsed time
crypto ipsec transform-set xhset esp-aes esp-sha-hmac
crypto ipsec transform-set <transform-set name> [parameter 1] [parameter 2] [parameter 3]

Crypto map configuration
A crypto map ties the parameters from the tasks above together under a name so that it can be applied to an interface.
A crypto map has to answer three questions:
(1) What to protect
the ACL
(2) How to protect it
the transform set
(3) Who to protect it with
the peer

Normally a router interface carries only one crypto map, but entries with different sequence numbers let one map serve several peers (point-to-multipoint).
Command description:

crypto map <name> <sequence number> ipsec-isakmp
crypto map xhmap 113 ipsec-isakmp

set peer <peer address>
set peer 200.0.30.2

set transform-set <transform-set name>
set transform-set xhset

match address <referenced ACL>
match address 113

Apply the crypto map to the interface
Example:
interface fa0/0
crypto map xhmap
crypto map <map name>

Experiment

Experimental topology

[Figure: experimental topology]
The lab in this article was built in the EVE-NG simulator.

First the initial configuration of the routers

no ip domain lookup -- do not attempt DNS resolution (a mistyped command is not sent to a name server)
line console 0			-- enter the console line
exec-timeout 0 0 		-- never time out
logging synchronous	-- synchronize log messages: stops pop-up messages from interrupting a command being typed
show ip interface brief 	-- view the IP addresses of the interfaces
write -- save the configuration

Following the topology, enter each interface and add the basic IP configuration

Required commands

enable	 -- enter privileged mode
conf terminal  	-- enter global configuration mode
interface ethernet 0/0  -- enter Ethernet interface 0/0
ip address <IP address> 255.255.255.0 -- add the IP address
no shutdown -- bring the port up
interface loopback 0 -- enter the loopback interface, which simulates the site's subnet
ip address <IP address> 255.255.255.0 -- add the IP address

Now add a default route towards the ISP on every router except the ISP itself
Commands (one per router):

ip route 0.0.0.0 0.0.0.0 200.0.10.1		(Beijing)
ip route 0.0.0.0 0.0.0.0 200.0.20.1		(Hong Kong)
ip route 0.0.0.0 0.0.0.0 200.0.30.1		(Shanghai)
Note: the address is the IP of the ISP interface connected to that router, i.e. the next hop
write	-- save


Taking Beijing as the example

1. Traffic to protect
Beijing - Hong Kong: 192.168.1.0/24 - 172.16.1.0/24
Beijing - Shanghai: 192.168.1.0/24 - 10.1.1.0/24
2. Encryption endpoints
Beijing - Hong Kong: 200.0.10.2 - 200.0.20.2
Beijing - Shanghai: 200.0.10.2 - 200.0.30.2

Step 1: traffic that triggers IPsec

access-list 112 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255

access-list 113 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255

Step 2: establish the management connection

1. Negotiate how the management connection is built
encryption algorithm (DES, 3DES, AES)
crypto isakmp policy 1
encryption aes
integrity (verification) algorithm (hash algorithm: MD5 / SHA1 / SHA-2)
hash sha256
device authentication type/method (certificate or pre-shared key)
authentication pre-share
DH key group
group 5
lifetime of the management connection
lifetime 3600
to check the configuration:
show crypto isakmp policy
2. Share keying material via the DH algorithm
3. The peers verify each other's identity

Commands (one key per peer; each peer must hold the same key for Beijing's address 200.0.10.2):

crypto isakmp key cisco address 200.0.20.2
crypto isakmp key cisco address 200.0.30.2

Check the configuration
show running | incl crypto
Step 3: establish the data connection
Tasks:
Define which traffic between the peers needs protection
ACL
Define the security protocol used to protect the data
AH
ESP
Define the transmission mode
tunnel
Define the lifetime of the data connection and how keys are refreshed
by traffic volume or elapsed time
crypto ipsec transform-set xhset esp-aes esp-sha-hmac
crypto ipsec transform-set <transform-set name> [parameter 1] [parameter 2] [parameter 3]

Point-to-multipoint: configure the crypto map
The crypto map ties the task parameters above together under a name so it can be applied to the interface.
In the crypto map, three questions have to be answered:
What to protect
ACL
How to protect it
transform set
Who to protect it with
the peer

Normally an interface on a router carries only one crypto map,
but different sequence numbers let it reach several peers (point-to-multipoint).

Beijing - Hong Kong crypto map
crypto map <name> <sequence number> ipsec-isakmp
crypto map xhmap 112 ipsec-isakmp
set peer <peer address>
set peer 200.0.20.2
set transform-set <transform-set name>
set transform-set xhset
match address <referenced ACL>
match address 112

Beijing - Shanghai
crypto map <name> <sequence number> ipsec-isakmp
crypto map xhmap 103 ipsec-isakmp
set peer <peer address>
set peer 200.0.30.2
set transform-set <transform-set name>
set transform-set xhset
match address <referenced ACL>
match address 113
Apply the crypto map to the interface (the WAN-facing interface, e0/0 here)
interface e0/0
crypto map <map name>
crypto map xhmap
show ip access-lists
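The notes only show Beijing's side. Below, as an added example (not from the original notes or from the linked file), are the matching configurations for the Hong Kong and Shanghai routers, derived from the addresses the notes give (Hong Kong 200.0.20.2 with 172.16.1.0/24, Shanghai 200.0.30.2 with 10.1.1.0/24). Assumptions: the WAN interface is e0/0 on both routers, a Hong Kong - Shanghai pair (ACL and crypto map entry 123) is added to give the full mesh that the "three sites" result implies, and the pre-shared key stays at the lab value cisco. The points to check against Beijing's config: each crypto ACL is the exact mirror image of the peer's, the transform set and ISAKMP policy are identical on every router, and the key stored for each peer address is the one that peer has configured.

```cisco
! ===== Hong Kong (WAN 200.0.20.2 on e0/0, LAN 172.16.1.0/24) =====
! Phase 1 policy: identical to Beijing's (aes / sha256 / pre-share / group 5 / 3600)
crypto isakmp policy 1
 encryption aes
 hash sha256
 authentication pre-share
 group 5
 lifetime 3600
! One key per peer; "cisco" is the lab value and must be replaced in production
crypto isakmp key cisco address 200.0.10.2
crypto isakmp key cisco address 200.0.30.2
! Crypto ACLs: mirror images of the peers' ACLs (source and destination swapped)
access-list 112 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 123 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
! Phase 2 proposal: same as Beijing's; tunnel mode is the default
crypto ipsec transform-set xhset esp-aes esp-sha-hmac
! One crypto map, one entry per peer (sequence numbers are arbitrary but unique)
crypto map xhmap 112 ipsec-isakmp
 set peer 200.0.10.2
 set transform-set xhset
 match address 112
crypto map xhmap 123 ipsec-isakmp
 set peer 200.0.30.2
 set transform-set xhset
 match address 123
! The map does nothing until it is applied to the WAN interface
interface e0/0
 crypto map xhmap

! ===== Shanghai (WAN 200.0.30.2 on e0/0, LAN 10.1.1.0/24) =====
crypto isakmp policy 1
 encryption aes
 hash sha256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco address 200.0.10.2
crypto isakmp key cisco address 200.0.20.2
! Mirrors of Beijing's ACL 113 and Hong Kong's ACL 123 (assumed entry, see lead-in)
access-list 113 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 123 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
crypto ipsec transform-set xhset esp-aes esp-sha-hmac
crypto map xhmap 113 ipsec-isakmp
 set peer 200.0.10.2
 set transform-set xhset
 match address 113
crypto map xhmap 123 ipsec-isakmp
 set peer 200.0.20.2
 set transform-set xhset
 match address 123
interface e0/0
 crypto map xhmap
```

If a crypto ACL is not an exact mirror of the peer's (for example one side uses /24 and the other /16), phase 2 fails with a proxy-identity mismatch even though phase 1 completes, so compare the two ACLs line by line before anything else.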

To save typing, the configuration is provided as a file; copy and paste each part into the corresponding router.
Link: https://pan.baidu.com/s/1cjIN_cSHQbq3MjH8ti8B_w
Extraction code: cm7f
The end result:
the company's three sites get a virtual private network, i.e. secure and reliable transmission between them :)
Finally, VPN verification: check the main configuration items on both sides, confirm they match, and see whether there is a problem.
VPN verification

1. show crypto isakmp policy
View the policy for the management-connection phase
2. show crypto isakmp sa
SA = security association
View the IKE SA
3. show crypto ipsec transform-set
View the transform set
4. show crypto ipsec security-association lifetime
View the IPsec SA lifetime
5. show crypto ipsec sa
View the IPsec SA
IKE uses UDP port 500 (UDP 4500 when NAT traversal is in use)
SPI: Security Parameter Index, identifies each IPsec SA
6. show crypto map
View the crypto map
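A verification sequence, added here as an example (not part of the original notes), to run on Beijing once all three routers are configured. The essential detail the show commands alone do not convey: nothing is negotiated until a packet matches the crypto ACL, so the test traffic must be sourced from the protected subnet. Assumed values: the loopback addresses 192.168.1.1 (Beijing) and 172.16.1.1 (Hong Kong), which the notes do not state.

```cisco
! --- Beijing: bring the Beijing - Hong Kong tunnel up and verify it ---
! A plain "ping 172.16.1.1" leaves with source 200.0.10.2, matches nothing in
! ACL 112 and is sent in the clear. Source it from the protected LAN instead.
! The first one or two replies are usually lost while IKE completes.
ping 172.16.1.1 source 192.168.1.1

! Phase 1: expect one entry per peer with state QM_IDLE (phase 1 finished).
! No entry at all: the ping did not match the crypto ACL, or the map is not on e0/0.
! MM_NO_STATE that never progresses: policy mismatch or wrong pre-shared key.
show crypto isakmp sa

! Phase 2: #pkts encaps and #pkts decaps should both rise with every ping.
! encaps rising while decaps stays at 0 means the far side received nothing
! it could return: its ACL is not a mirror of ours, or its map is not applied.
show crypto ipsec sa peer 200.0.20.2

! Confirm the policy, transform set and map are what the peer expects
show crypto isakmp policy
show crypto ipsec transform-set
show crypto map

! If phase 1 is stuck, watch the exchange live, then tear down and retry
debug crypto isakmp
clear crypto isakmp
clear crypto sa
ping 172.16.1.1 source 192.168.1.1
undebug all
```

Repeat the same sequence towards 10.1.1.1 with show crypto ipsec sa peer 200.0.30.2 for the Beijing - Shanghai tunnel; each peer has its own ISAKMP SA and its own pair of IPsec SAs, so a working tunnel to one site says nothing about the other.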

OK, any questions or comments are welcome O(∩_∩)O~

Source: blog.csdn.net/zhaotiannuo_1998/article/details/90045662