Cisco IOS Cookbook 中文精简版第十二章隧道和VPN (1
[转贴 2008-07-22 09:10:25]
12.1. 创建Tunnel
提问 通过隧道的方式在网络中传输IP数据
回答
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface Tunnel1
Router1(config-if)#ip address 192.168.35.6 255.255.255.252
Router1(config-if)#tunnel source 172.25.1.5
Router1(config-if)#tunnel destination 172.25.1.7
Router1(config-if)#exit
Router1(config)#end
Router1#
Router5#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router5(config)#interface Tunnel3
Router5(config-if)#ip address 192.168.35.5 255.255.255.252
Router5(config-if)#tunnel source 172.25.1.7
Router5(config-if)#tunnel destination 172.25.1.5
Router5(config-if)#exit
Router5(config)#end
Router5#
注释 Tunnel的配置中也可以使用tunnel source Ethernet0 的方式来捆绑到端口。产生出来的虚拟隧道接口通常会一直UP,即使对端关机,12.2(8)T后引入了keeplive参数可以对隧道的状态进行监控,keepalive 3 2 每隔3秒一个Keeplive,如果两次没收到就认为端口当掉。如果对数据包的完整性或者防止乱序包,可以配置tunnel checksum,tunnel sequence-datagrams,但需要注意的是GRE不是TCP,数据包丢弃了不会重传。缺省情况下隧道的模式GRE,也可以通过tunnel mode ipip 命令来改变其模式。由于GRE是封装IP数据包所以不可避免地产生了MTU的问题,对于TCP连接可以使用ip tcp path-mtu-discovery,但对于非TCP的GRE,需要使用tunnel path-mtu-discovery。在12.2(13)T以后引入了tunnel path-mtu-discovery min-mtu 500 来定义最小的MTU从而保证安全
12.2. 其他协议隧道至IP
提问 通过隧道的方式在IP网络中传输其他协议数据,比如IPX
回答
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ipx routing AAAA.BBBB.0001
Router1(config)#interface Tunnel1
Router1(config-if)#ipx network AAA
Router1(config-if)#tunnel source 172.25.1.5
Router1(config-if)#tunnel destination 172.25.1.7
Router1(config-if)#exit
Router1(config)#end
Router1#
Router5#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ipx routing AAAA.BBBB.0002
Router5(config)#interface Tunnel3
Router5(config-if)#ipx network AAA
Router5(config-if)#tunnel source 172.25.1.7
Router5(config-if)#tunnel destination 172.25.1.5
Router5(config-if)#exit
Router5(config)#end
Router5#
注释 注意的是隧道模式里面只有GRE模式是支持IPX的。同时可以在隧道接口下配置多个不同的协议从而支持在隧道中封装多个协议
Router1(config)#interface Tunnel1
Router1(config-if)#ip address 192.168.35.6 255.255.255.252
Router1(config-if)#ipx network AAA
Router1(config-if)#tunnel source 172.25.1.5
Router1(config-if)#tunnel destination 172.25.1.7
Router1(config-if)#exit
Router1(config)#end
Router1#
12.3. 隧道和动态路由协议
提问 在隧道中传递路由协议
回答
怎么解决到tunnel destination的路由不是通过tunnel接口的问题,第一种方法是静态路由
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface Tunnel1
Router1(config-if)#ip address 192.168.35.6 255.255.255.252
Router1(config-if)#tunnel source 172.25.1.5
Router1(config-if)#tunnel destination 172.22.1.2
oNormal>Router1(config-if)#exit
Router1(config)#ip route 172.22.1.2 255.255.255.255 172.25.1.1
Router1(config)#router eigrp 55
Router1(config-router)#network 192.168.35.0
Router1(config-router)#exit
Router1(config)#end
Router1#
第二种对tunnel接口采用另外的路由协议,从而排除此地址在互联的路由协议中
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface Tunnel1
Router1(config-if)#ip address 192.168.35.6 255.255.255.252
Router1(config-if)#tunnel source 172.25.1.5
Router1(config-if)#tunnel destination 172.22.1.2
Router1(config-if)#exit
Router1(config)#router eigrp 55
Router1(config-router)#network 172.22.0.0
Router1(config-router)#network 172.25.0.0
Router1(config-router)#end
Router1(config)#router rip
Router1(config-router)#network 192.168.35.0
Router1(config-router)#exit
Router1(config)#end
Router1#
第三种方法路由过滤
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface Tunnel1
Router1(config-if)#ip address 192.168.35.6 255.255.255.252
Router1(config-if)#tunnel source 172.25.1.5
Router1(config-if)#tunnel destination 172.22.1.2
Router1(config-if)#exit
Router11(config)#ip prefix-list TUNNELROUTES seq 10 permit 192.168.0.0/16 ge 17
Router1(config)#router eigrp 55
Router1(config-router)#network 172.22.0.0
Router1(config-router)#network 172.25.0.0
Router1(config-router)#network 192.168.35.0
Router1(config-router)#distribute-list prefix TUNNELROUTES out Tunnel1
Router1(config-router)#exit
Router1(config)#end
Router1#
注释 前两种很简单但是冗余性和扩展性不好,推荐第三种
12.4. 查看隧道状态
提问 查看隧道状态
回答
Router1#show interface Tunnel5
Router1#ping 192.168.66.6
Router1#ping 172.22.1.4
注释
12.5. 在GRE隧道中创建一个加密的路由器到路由器的VPN
提问 通过预共享密匙的方法创建互联网连接路由器的加密VPN
回答
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#crypto isakmp policy 10
Router1(config-isakmp)#encr aes 256
Router1(config-isakmp)#authentication pre-share
Router1(config-isakmp)#group 2
Router1(config-isakmp)#exit
Router1(config)#crypto isakmp key TUNNELKEY01 address 172.16.2.1 no-xauth
Router1(config)#crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-aes 256
Router1(cfg-crypto-trans)#mode transport
Router1(cfg-crypto-trans)#exit
Router1(config)#crypto map TUNNELMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Router1(config-crypto-map)#set peer 172.16.2.1
Router1(config-crypto-map)#set transform-set TUNNEL-TRANSFORM
Router1(config-crypto-map)#match address 102
Router1(config-crypto-map)#exit
Router1(config)#access-list 102 permit gre host 172.16.1.1 host 172.16.2.1
Router1(config)#interface Tunnel1
Router1(config-if)#ip address 192.168.1.1 255.255.255.252
Router1(config-if)#tunnel source 172.16.1.1
Router1(config-if)#tunnel destination 172.16.2.1
Router1(config-if)#exit
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip address 172.16.1.1 255.255.255.0
Router1(config-if)#ip access-group 101 in
Router1(config-if)#crypto map TUNNELMAP
Router1(config-if)#exit
Router1(config)#access-list 101 permit gre host 172.16.2.1 host 172.16.1.1
Router1(config)#access-list 101 permit esp host 172.16.2.1 host 172.16.1.1
Router1(config)#access-list 101 permit udp host 172.16.2.1 host 172.16.1.1 eq isakmp
Router1(config)#access-list 101 permit ahp host 172.16.2.1 host 172.16.1.1
Router1(config)#access-list 101 deny ip any any log
Router1(config)#interface Loopback0
Router1(config-if)#ip address 192.168.16.1 255.255.255.0
Router1(config-if)#exit
Router1(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.2
Router1(config)#ip route 192.168.15.0 255.255.255.0 192.168.1.2
Router1(config)#end
Router1#
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#crypto isakmp policy 10
Router2(config-isakmp)#encr aes 256
Router2(config-isakmp)#authentication pre-share
Router2(config-isakmp)#group 2
Router2(config-isakmp)#exit
Router2(config)#crypto isakmp key TUNNELKEY01 address 172.16.1.1
Router2(config)#crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-aes 256
Router2(cfg-crypto-trans)#mode transport
Router2(cfg-crypto-trans)#exit
Router2(config)#crypto map TUNNELMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Router2(config-crypto-map)#set peer 172.16.1.1
Router2(config-crypto-map)#set transform-set TUNNEL-TRANSFORM
Router2(config-crypto-map)#match address 102
Router2(config-crypto-map)#exit
Router2(config)#access-list 102 permit gre host 172.16.2.1 host 172.16.1.1
Router2(config)#interface Tunnel1
Router2(config-if)#ip address 192.168.1.2 255.255.255.252
Router2(config-if)#tunnel source 172.16.2.1
Router2(config-if)#tunnel destination 172.16.1.1
Router2(config-if)#exit
Router2(config)#interface FastEthernet0/0
Router2(config-if)#ip address 172.16.2.1 255.255.255.0
Router2(config-if)#ip access-group 101 in
Router2(config-if)#crypto map TUNNELMAP
Router2(config-if)#exit
Router2(config)#access-list 101 permit gre host 172.16.1.1 host 172.16.2.1
Router2(config)#access-list 101 permit esp host 172.16.1.1 host 172.16.2.1
Router2(config)#access-list 101 permit udp host 172.16.1.1 host 172.16.2.1 eq isakmp
Router2(config)#access-list 101 permit ahp host 172.16.1.1 host 172.16.2.1
Router2(config)#access-list 101 deny ip any any log
Router2(config)#interface Loopback0
Router2(config-if)#ip address 192.168.15.1 255.255.255.0
Router2(config-if)#exit
Router2(config)#ip route 0.0.0.0 0.0.0.0 172.16.2.2
Router2(config)#ip route 192.168.16.0 255.255.255.0 192.168.1.1
Router2(config)#end
Router2#
注释 第一步首先使用ISAKMP来生成合适的密匙交换策略,当双方协商SA参数时,先从优先级低的策略开始,使用show crypto isakmp policy来查看当前策略。然后定义初始的密匙crypto isakmp key,这里可以基于IP地址也可以基于主机名,如果基于主机名对端要配置crypto isakmp identity hostname,用show crypto isakmp key来验证。show crypto isakmp sa 用来查看协商的ISAKMP SA状态,而最后的IPSec SA通过show crypto ipsec sa 来查看。下一步是定义IPSec的transform set,是定义如何处理符合的数据包,并且要定义Ipsec的透明模式,缺省使用隧道模式,对于GRE使用透明模式,GRE隧道比传统的IPSec隧道好在更简单和更灵活,比如可以传递动态路由协议等。最后使用crypto map命令整合。最后要注意的是crypto map应用于接收GRE数据包的接口而不是tunnel接口。
show crypto engine connections active 显示当前连接情况
12.6. 在两个路由器的Lan接口之间创建加密VPN
提问 使用预共享密匙的方式创建加密VPN通过互联网连接的两个LAN接口
回答
R1
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#crypto isakmp policy 10
Router1(config-isakmp)#encr aes 256
Router1(config-isakmp)#authentication pre-share
Router1(config-isakmp)#group 2
Router1(config-isakmp)#exit
ang=EN-US>Router1(config)#crypto isakmp key TUNNELKEY01 address 172.16.2.1 no-xauth
Router1(config)#crypto ipsec transform-set LAN2LAN-TRANSFORM ah-sha-hmac esp-aes 256
Router1(cfg-crypto-trans)#exit
Router1(config)#access-list 102 permit gre host 172.16.1.1 host 172.16.2.1
Router1(config)#crypto map LAN2LANMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Router1(config-crypto-map)#set peer 172.16.2.1
Router1(config-crypto-map)#set transform-set LAN2LAN-TRANSFORM
Router1(config-crypto-map)#match address 103
Router1(config-crypto-map)#exit
Router1(config)#access-list 103 permit ip 192.168.16.0 0.0.0.255 192.168.15.0 0.0.0.255
Router1(config)#interface FastEthernet0/1
Router1(config-if)#ip address 192.168.16.1 255.255.255.0
Router1(config-if)#exit
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip address 172.16.1.1 255.255.255.0
Router1(config-if)#ip access-group 101 in
Router1(config-if)#crypto map LAN2LANMAP
Router1(config-if)#exit
Router1(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.2
Router1(config)#access-list 101 permit esp host 172.16.2.1 host 172.16.1.1
Router1(config)#access-list 101 permit udp host 172.16.2.1 host 172.16.1.1 eq isakmp
Router1(config)#access-list 101 permit ahp host 172.16.2.1 host 172.16.1.1
Router1(config)#access-list 101 deny ip any any log
Router1(config)#end
Router1#
R2
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#crypto isakmp policy 10
Router2(config-isakmp)#encr aes 256
Router2(config-isakmp)#authentication pre-share
Router2(config-isakmp)#group 2
Router2(config-isakmp)#exit
Router2(config)#crypto isakmp key TUNNELKEY01 address 172.16.1.1
Router2(config)#crypto ipsec transform-set LAN2LAN-TRANSFORM ah-sha-hmac esp-aes 256
Router2(cfg-crypto-trans)#exit
Router2(config)#crypto map LAN2LANMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Router2(config-crypto-map)#set peer 172.16.1.1
Router2(config-crypto-map)#set transform-set LAN2LAN-TRANSFORM
Router2(config-crypto-map)#match address 103
Router2(config-crypto-map)#exit
Router2(config)#access-list 103 permit ip 192.168.15.0 0.0.0.255 192.168.16.0 0.0.0.255
Router2(config)#interface FastEthernet0/1
Router2(config-if)#description Internal LAN
Router2(config-if)#ip address 192.168.15.1 255.255.255.0
Router2(config-if)#exit
Router2(config)#interface FastEthernet0/0
Router2(config-if)#description Connection to Internet
Router2(config-if)#ip address 172.16.2.1 255.255.255.0
Router2(config-if)#crypto map LAN2LANMAP
Router2(config-if)#exit
Router2(config)#ip route 0.0.0.0 0.0.0.0 172.16.2.2
Router2(config)#access-list 101 permit esp host 172.16.1.1 host 172.16.2.1
Router2(config)#access-list 101 permit udp host 172.16.1.1 host 172.16.2.1 eq isakmp
Router2(config)#access-list 101 permit ahp host 172.16.1.1 host 172.16.2.1
Router2(config)#access-list 101 deny ip any any log
Router2(config)#end
Router2#
注释 这里跟前节区别在于12.5建立的是可路由的加密VPN。前面配置了mode transport 而这里使用了IPSec隧道缺省的隧道模式。在ACL配置上前者允许的是GRE的数据包,这里是内部LAN接口之间的数据包,所以这里两个互联是桥接,前者两个互联是路由。通常我们更喜欢路由模式多一些
12.7. 生成RSA 密匙
提问 生成共享的RSA密匙用于加密或者认证
回答
先在R1上生成自己的pubkey
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#crypto key generate rsa
The name for the keys will be: Router1.oreilly.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
提问 通过隧道的方式在网络中传输IP数据
回答
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface Tunnel1
Router1(config-if)#ip address 192.168.35.6 255.255.255.252
Router1(config-if)#tunnel source 172.25.1.5
Router1(config-if)#tunnel destination 172.25.1.7
Router1(config-if)#exit
Router1(config)#end
Router1#
Router5#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router5(config)#interface Tunnel3
Router5(config-if)#ip address 192.168.35.5 255.255.255.252
Router5(config-if)#tunnel source 172.25.1.7
Router5(config-if)#tunnel destination 172.25.1.5
Router5(config-if)#exit
Router5(config)#end
Router5#
注释 Tunnel的配置中也可以使用tunnel source Ethernet0 的方式来捆绑到端口。产生出来的虚拟隧道接口通常会一直UP,即使对端关机,12.2(8)T后引入了keeplive参数可以对隧道的状态进行监控,keepalive 3 2 每隔3秒一个Keeplive,如果两次没收到就认为端口当掉。如果对数据包的完整性或者防止乱序包,可以配置tunnel checksum,tunnel sequence-datagrams,但需要注意的是GRE不是TCP,数据包丢弃了不会重传。缺省情况下隧道的模式GRE,也可以通过tunnel mode ipip 命令来改变其模式。由于GRE是封装IP数据包所以不可避免地产生了MTU的问题,对于TCP连接可以使用ip tcp path-mtu-discovery,但对于非TCP的GRE,需要使用tunnel path-mtu-discovery。在12.2(13)T以后引入了tunnel path-mtu-discovery min-mtu 500 来定义最小的MTU从而保证安全
12.2. 其他协议隧道至IP
提问 通过隧道的方式在IP网络中传输其他协议数据,比如IPX
回答
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ipx routing AAAA.BBBB.0001
Router1(config)#interface Tunnel1
Router1(config-if)#ipx network AAA
Router1(config-if)#tunnel source 172.25.1.5
Router1(config-if)#tunnel destination 172.25.1.7
Router1(config-if)#exit
Router1(config)#end
Router1#
Router5#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ipx routing AAAA.BBBB.0002
Router5(config)#interface Tunnel3
Router5(config-if)#ipx network AAA
Router5(config-if)#tunnel source 172.25.1.7
Router5(config-if)#tunnel destination 172.25.1.5
Router5(config-if)#exit
Router5(config)#end
Router5#
注释 注意的是隧道模式里面只有GRE模式是支持IPX的。同时可以在隧道接口下配置多个不同的协议从而支持在隧道中封装多个协议
Router1(config)#interface Tunnel1
Router1(config-if)#ip address 192.168.35.6 255.255.255.252
Router1(config-if)#ipx network AAA
Router1(config-if)#tunnel source 172.25.1.5
Router1(config-if)#tunnel destination 172.25.1.7
Router1(config-if)#exit
Router1(config)#end
Router1#
12.3. 隧道和动态路由协议
提问 在隧道中传递路由协议
回答
怎么解决到tunnel destination的路由不是通过tunnel接口的问题,第一种方法是静态路由
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface Tunnel1
Router1(config-if)#ip address 192.168.35.6 255.255.255.252
Router1(config-if)#tunnel source 172.25.1.5
Router1(config-if)#tunnel destination 172.22.1.2
oNormal>Router1(config-if)#exit
Router1(config)#ip route 172.22.1.2 255.255.255.255 172.25.1.1
Router1(config)#router eigrp 55
Router1(config-router)#network 192.168.35.0
Router1(config-router)#exit
Router1(config)#end
Router1#
第二种对tunnel接口采用另外的路由协议,从而排除此地址在互联的路由协议中
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface Tunnel1
Router1(config-if)#ip address 192.168.35.6 255.255.255.252
Router1(config-if)#tunnel source 172.25.1.5
Router1(config-if)#tunnel destination 172.22.1.2
Router1(config-if)#exit
Router1(config)#router eigrp 55
Router1(config-router)#network 172.22.0.0
Router1(config-router)#network 172.25.0.0
Router1(config-router)#end
Router1(config)#router rip
Router1(config-router)#network 192.168.35.0
Router1(config-router)#exit
Router1(config)#end
Router1#
第三种方法路由过滤
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface Tunnel1
Router1(config-if)#ip address 192.168.35.6 255.255.255.252
Router1(config-if)#tunnel source 172.25.1.5
Router1(config-if)#tunnel destination 172.22.1.2
Router1(config-if)#exit
Router11(config)#ip prefix-list TUNNELROUTES seq 10 permit 192.168.0.0/16 ge 17
Router1(config)#router eigrp 55
Router1(config-router)#network 172.22.0.0
Router1(config-router)#network 172.25.0.0
Router1(config-router)#network 192.168.35.0
Router1(config-router)#distribute-list prefix TUNNELROUTES out Tunnel1
Router1(config-router)#exit
Router1(config)#end
Router1#
注释 前两种很简单但是冗余性和扩展性不好,推荐第三种
12.4. 查看隧道状态
提问 查看隧道状态
回答
Router1#show interface Tunnel5
Router1#ping 192.168.66.6
Router1#ping 172.22.1.4
注释
12.5. 在GRE隧道中创建一个加密的路由器到路由器的VPN
提问 通过预共享密匙的方法创建互联网连接路由器的加密VPN
回答
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#crypto isakmp policy 10
Router1(config-isakmp)#encr aes 256
Router1(config-isakmp)#authentication pre-share
Router1(config-isakmp)#group 2
Router1(config-isakmp)#exit
Router1(config)#crypto isakmp key TUNNELKEY01 address 172.16.2.1 no-xauth
Router1(config)#crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-aes 256
Router1(cfg-crypto-trans)#mode transport
Router1(cfg-crypto-trans)#exit
Router1(config)#crypto map TUNNELMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Router1(config-crypto-map)#set peer 172.16.2.1
Router1(config-crypto-map)#set transform-set TUNNEL-TRANSFORM
Router1(config-crypto-map)#match address 102
Router1(config-crypto-map)#exit
Router1(config)#access-list 102 permit gre host 172.16.1.1 host 172.16.2.1
Router1(config)#interface Tunnel1
Router1(config-if)#ip address 192.168.1.1 255.255.255.252
Router1(config-if)#tunnel source 172.16.1.1
Router1(config-if)#tunnel destination 172.16.2.1
Router1(config-if)#exit
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip address 172.16.1.1 255.255.255.0
Router1(config-if)#ip access-group 101 in
Router1(config-if)#crypto map TUNNELMAP
Router1(config-if)#exit
Router1(config)#access-list 101 permit gre host 172.16.2.1 host 172.16.1.1
Router1(config)#access-list 101 permit esp host 172.16.2.1 host 172.16.1.1
Router1(config)#access-list 101 permit udp host 172.16.2.1 host 172.16.1.1 eq isakmp
Router1(config)#access-list 101 permit ahp host 172.16.2.1 host 172.16.1.1
Router1(config)#access-list 101 deny ip any any log
Router1(config)#interface Loopback0
Router1(config-if)#ip address 192.168.16.1 255.255.255.0
Router1(config-if)#exit
Router1(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.2
Router1(config)#ip route 192.168.15.0 255.255.255.0 192.168.1.2
Router1(config)#end
Router1#
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#crypto isakmp policy 10
Router2(config-isakmp)#encr aes 256
Router2(config-isakmp)#authentication pre-share
Router2(config-isakmp)#group 2
Router2(config-isakmp)#exit
Router2(config)#crypto isakmp key TUNNELKEY01 address 172.16.1.1
Router2(config)#crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-aes 256
Router2(cfg-crypto-trans)#mode transport
Router2(cfg-crypto-trans)#exit
Router2(config)#crypto map TUNNELMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Router2(config-crypto-map)#set peer 172.16.1.1
Router2(config-crypto-map)#set transform-set TUNNEL-TRANSFORM
Router2(config-crypto-map)#match address 102
Router2(config-crypto-map)#exit
Router2(config)#access-list 102 permit gre host 172.16.2.1 host 172.16.1.1
Router2(config)#interface Tunnel1
Router2(config-if)#ip address 192.168.1.2 255.255.255.252
Router2(config-if)#tunnel source 172.16.2.1
Router2(config-if)#tunnel destination 172.16.1.1
Router2(config-if)#exit
Router2(config)#interface FastEthernet0/0
Router2(config-if)#ip address 172.16.2.1 255.255.255.0
Router2(config-if)#ip access-group 101 in
Router2(config-if)#crypto map TUNNELMAP
Router2(config-if)#exit
Router2(config)#access-list 101 permit gre host 172.16.1.1 host 172.16.2.1
Router2(config)#access-list 101 permit esp host 172.16.1.1 host 172.16.2.1
Router2(config)#access-list 101 permit udp host 172.16.1.1 host 172.16.2.1 eq isakmp
Router2(config)#access-list 101 permit ahp host 172.16.1.1 host 172.16.2.1
Router2(config)#access-list 101 deny ip any any log
Router2(config)#interface Loopback0
Router2(config-if)#ip address 192.168.15.1 255.255.255.0
Router2(config-if)#exit
Router2(config)#ip route 0.0.0.0 0.0.0.0 172.16.2.2
Router2(config)#ip route 192.168.16.0 255.255.255.0 192.168.1.1
Router2(config)#end
Router2#
注释 第一步首先使用ISAKMP来生成合适的密匙交换策略,当双方协商SA参数时,先从优先级低的策略开始,使用show crypto isakmp policy来查看当前策略。然后定义初始的密匙crypto isakmp key,这里可以基于IP地址也可以基于主机名,如果基于主机名对端要配置crypto isakmp identity hostname,用show crypto isakmp key来验证。show crypto isakmp sa 用来查看协商的ISAKMP SA状态,而最后的IPSec SA通过show crypto ipsec sa 来查看。下一步是定义IPSec的transform set,是定义如何处理符合的数据包,并且要定义Ipsec的透明模式,缺省使用隧道模式,对于GRE使用透明模式,GRE隧道比传统的IPSec隧道好在更简单和更灵活,比如可以传递动态路由协议等。最后使用crypto map命令整合。最后要注意的是crypto map应用于接收GRE数据包的接口而不是tunnel接口。
show crypto engine connections active 显示当前连接情况
12.6. 在两个路由器的Lan接口之间创建加密VPN
提问 使用预共享密匙的方式创建加密VPN通过互联网连接的两个LAN接口
回答
R1
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#crypto isakmp policy 10
Router1(config-isakmp)#encr aes 256
Router1(config-isakmp)#authentication pre-share
Router1(config-isakmp)#group 2
Router1(config-isakmp)#exit
ang=EN-US>Router1(config)#crypto isakmp key TUNNELKEY01 address 172.16.2.1 no-xauth
Router1(config)#crypto ipsec transform-set LAN2LAN-TRANSFORM ah-sha-hmac esp-aes 256
Router1(cfg-crypto-trans)#exit
Router1(config)#access-list 102 permit gre host 172.16.1.1 host 172.16.2.1
Router1(config)#crypto map LAN2LANMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Router1(config-crypto-map)#set peer 172.16.2.1
Router1(config-crypto-map)#set transform-set LAN2LAN-TRANSFORM
Router1(config-crypto-map)#match address 103
Router1(config-crypto-map)#exit
Router1(config)#access-list 103 permit ip 192.168.16.0 0.0.0.255 192.168.15.0 0.0.0.255
Router1(config)#interface FastEthernet0/1
Router1(config-if)#ip address 192.168.16.1 255.255.255.0
Router1(config-if)#exit
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip address 172.16.1.1 255.255.255.0
Router1(config-if)#ip access-group 101 in
Router1(config-if)#crypto map LAN2LANMAP
Router1(config-if)#exit
Router1(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.2
Router1(config)#access-list 101 permit esp host 172.16.2.1 host 172.16.1.1
Router1(config)#access-list 101 permit udp host 172.16.2.1 host 172.16.1.1 eq isakmp
Router1(config)#access-list 101 permit ahp host 172.16.2.1 host 172.16.1.1
Router1(config)#access-list 101 deny ip any any log
Router1(config)#end
Router1#
R2
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#crypto isakmp policy 10
Router2(config-isakmp)#encr aes 256
Router2(config-isakmp)#authentication pre-share
Router2(config-isakmp)#group 2
Router2(config-isakmp)#exit
Router2(config)#crypto isakmp key TUNNELKEY01 address 172.16.1.1
Router2(config)#crypto ipsec transform-set LAN2LAN-TRANSFORM ah-sha-hmac esp-aes 256
Router2(cfg-crypto-trans)#exit
Router2(config)#crypto map LAN2LANMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Router2(config-crypto-map)#set peer 172.16.1.1
Router2(config-crypto-map)#set transform-set LAN2LAN-TRANSFORM
Router2(config-crypto-map)#match address 103
Router2(config-crypto-map)#exit
Router2(config)#access-list 103 permit ip 192.168.15.0 0.0.0.255 192.168.16.0 0.0.0.255
Router2(config)#interface FastEthernet0/1
Router2(config-if)#description Internal LAN
Router2(config-if)#ip address 192.168.15.1 255.255.255.0
Router2(config-if)#exit
Router2(config)#interface FastEthernet0/0
Router2(config-if)#description Connection to Internet
Router2(config-if)#ip address 172.16.2.1 255.255.255.0
Router2(config-if)#crypto map LAN2LANMAP
Router2(config-if)#exit
Router2(config)#ip route 0.0.0.0 0.0.0.0 172.16.2.2
Router2(config)#access-list 101 permit esp host 172.16.1.1 host 172.16.2.1
Router2(config)#access-list 101 permit udp host 172.16.1.1 host 172.16.2.1 eq isakmp
Router2(config)#access-list 101 permit ahp host 172.16.1.1 host 172.16.2.1
Router2(config)#access-list 101 deny ip any any log
Router2(config)#end
Router2#
注释 这里跟前节区别在于12.5建立的是可路由的加密VPN。前面配置了mode transport 而这里使用了IPSec隧道缺省的隧道模式。在ACL配置上前者允许的是GRE的数据包,这里是内部LAN接口之间的数据包,所以这里两个互联是桥接,前者两个互联是路由。通常我们更喜欢路由模式多一些
12.7. 生成RSA 密匙
提问 生成共享的RSA密匙用于加密或者认证
回答
先在R1上生成自己的pubkey
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#crypto key generate rsa
The name for the keys will be: Router1.oreilly.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
分类: cisco交换部分
所属版块
: 科技
: 科技
本文章引用通告地址(TrackBack Ping URL)为: 
本文章尚未被引用。