【安全系列】IPSEC ××× 配置實例

LAN to LAN IPSEC ××× 的配置報告

此次實驗報告以配置和查看現象爲主，原理部分後續會在原理篇中，敬請關注。

 

【實驗拓撲】

 

 

【實驗要求】

 

1. 虛擬PC1 所鏈接的內網(192.168.12.0)經過 IPSEC-××× 方式訪問 R3 所鏈接的內網(192.168.23.0)；

 

2.在第一步驟的基礎上，實現 R1 所鏈接的內網(192.168.12.0)和 R3 所鏈接的內網(192.168.23.0)能經過 NAT 轉換訪問外網，而 R1 所鏈接的內網(192.168.12.0)仍然經過 IPSEC-××× 方式訪問 R3 所鏈接的內網(192.168.23.0)。

 

 

【實驗配置】

 

要求1配置：

1）PC1上配置ip地址和網關。

2）R1上的主要配置：

crypto isakmp policy 10 先定義IKE策略集
hash md5                                定義散列算法
authentication pre-share 定義認證算法
encryption des                     定義加密方式

crypto isakmp key speedfull address 23.23.23.3     指定協商密鑰和對等體ip

crypto ipsec transform-set sf esp-des esp-md5-hmac             再定義ipsec策略（esp爲封裝類型）
crypto map sf 10 ipsec-isakmp
match address 120    定義須要加密的數據流
set peer 23.23.23.3
set transform-set sf

access-list 120 permit ip 192.168.12.0 0.0.0.255 192.168.23.0 0.0.0.255

int s1/0
crypto map sf (將加密圖應用到接口）

 

R1上還要配置一條默認路由，ip route 0.0.0.0 0.0.0.0 s1/0 使得能與外網連通。

 

3）同理R3上的配置相似。

幾個查看命令能夠看你配置的是否正確：

*********isakmp相關內容********

R1#show crypto isakmp policy    

Global IKE policy
Protection suite of priority 10
                encryption algorithm:     DES - Data Encryption Standard (56 bit keys).
                hash algorithm:                 Message Digest 5
                authentication method:    Pre-Shared Key
                Diffie-Hellman group:     #1 (768 bit)
                lifetime:                             86400 seconds, no volume limit
Default protection suite
                encryption algorithm:     DES - Data Encryption Standard (56 bit keys).
                hash algorithm:                 Secure Hash Standard
                authentication method:    Rivest-Shamir-Adleman Signature
                Diffie-Hellman group:     #1 (768 bit)
                lifetime:                             86400 seconds, no volume limit

R1#show crypto isakmp peers    
Peer: 23.23.23.3 Port: 500 Local: 12.12.12.1
Phase1 id: 23.23.23.3


R1#show crypto isakmp policy    

Global IKE policy
Protection suite of priority 10
                encryption algorithm:     DES - Data Encryption Standard (56 bit keys).
                hash algorithm:                 Message Digest 5
                authentication method:    Pre-Shared Key
                Diffie-Hellman group:     #1 (768 bit)
                lifetime:                             86400 seconds, no volume limit
Default protection suite
                encryption algorithm:     DES - Data Encryption Standard (56 bit keys).
                hash algorithm:                 Secure Hash Standard
                authentication method:    Rivest-Shamir-Adleman Signature
                Diffie-Hellman group:     #1 (768 bit)
                lifetime:                             86400 seconds, no volume limit




R1#show crypto isakmp sa
dst                         src                         state                    conn-id slot status
12.12.12.1            23.23.23.3            QM_IDLE                            1        0 ACTIVE



 

 

*********ipsec相關內容************

 

R1#show crypto ipsec client ez***    
Easy ××× Remote Phase: 4        ---這個是什麼意思 ，還不是很清楚。

R1#show crypto ipsec sa

interface: Serial1/0
        Crypto map tag: sf, local addr 12.12.12.1

     protected vrf: (none)
     local    ident (addr/mask/prot/port): (192.168.12.0/255.255.255.0/0/0)
     remote ident (addr/mask/prot/port): (192.168.23.0/255.255.255.0/0/0)
     current_peer 23.23.23.3 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 96, #pkts encrypt: 96, #pkts digest: 96
        #pkts decaps: 105, #pkts decrypt: 105, #pkts verify: 105
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 6, #recv errors 0

         local crypto endpt.: 12.12.12.1, remote crypto endpt.: 23.23.23.3
         path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0
         current outbound spi: 0xC1E4CEB7(3252997815)

         inbound esp sas:
            spi: 0x9F566494(2673239188)
                transform: esp-des esp-md5-hmac ,
                in use settings ={Tunnel, }
                conn id: 2001, flow_id: SW:1, crypto map: sf
                sa timing: remaining key lifetime (k/sec): (4540031/1720)
                IV size: 8 bytes
                replay detection support: Y
                Status: ACTIVE

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
            spi: 0xC1E4CEB7(3252997815)
                transform: esp-des esp-md5-hmac ,
                in use settings ={Tunnel, }
                conn id: 2002, flow_id: SW:2, crypto map: sf
                sa timing: remaining key lifetime (k/sec): (4540032/1719)
                IV size: 8 bytes
                replay detection support: Y
                Status: ACTIVE

         outbound ah sas:

         outbound pcp sas:


R1# show crypto ipsec transform-set    
Transform set sf: { esp-des esp-md5-hmac    }    
     will negotiate = { Tunnel,    },    
        



 

 

********map的相關內容*************

R1#show crypto map    
Crypto Map "sf" 10 ipsec-isakmp
                Peer = 23.23.23.3
                Extended IP access list 120
                        access-list 120 permit ip 192.168.12.0 0.0.0.255 192.168.23.0 0.0.0.255
                Current peer: 23.23.23.3
                Security association lifetime: 4608000 kilobytes/3600 seconds
                PFS (Y/N): N
                Transform sets={    
                                sf,    
                }
                Interfaces using crypto map sf:
                                Serial1/0

 

 

如今用測試一下：

若是沒有設置***，虛擬pc是不能ping到pc2的。

pc2#ping 192.168.12.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 108/166/264 ms

 

經過查看命令和ping測試，證實***已經連通。第一步要求完成。

 

 

要求2配置：

若是使用了NAT，那麼在出口處，ip的源地址將被修改，若是不設置，數據包將被丟棄，由於***是不容許數據包被修改的。使用訪問控制列表實現：

 

nat的配置這裏再也不說明。

 

若是這樣配置，將出現ping不通狀況，由於源地址被改了。

看如下debug說明：

ip nat inside source list 1 interface Serial1/0 overload
!
access-list 1 permit any

d via RIB
*Mar    1 01:33:10.183: IP: s=192.168.23.2 (local), d=192.168.12.1 (FastEthernet0/0), len 100, sending
*Mar    1 01:33:10.403: IP: s=23.23.23.2 (FastEthernet0/0), d=192.168.23.2, len 56, rcvd 1
*Mar    1 01:33:10.407: IP: tableid=0, s=192.168.23.2 (local), d=192.168.12.1 (FastEthernet0/0), route

源地址被修改爲了23.23.23.2

pc2#ping 192.168.12.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

 

因此應該這樣配置，建個訪問控制列表，讓端到斷的網段出去的時候不進行nat轉換。

 

ip nat inside source list 101 interface Serial1/0 overload
!
access-list 101 deny     ip 192.168.12.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 101 permit ip 192.168.12.0 0.0.0.255 any

 

這樣就能夠ping通了。

 

 

【實驗總結】

 

實驗配置比較多，可是隻要了解了大概的思路就不難。

首先要建一條安全的通訊信道，經過isakmp，設定相關參數就能夠（兩邊要同樣，若是不同，它會自動尋找同樣的策略集）。

而後就是選擇ipsec的加密方式，esp或是ah，設定相關參數便可。

最後就是注意nat的問題。

 

因爲是初學，理解沒那麼深，有什麼錯誤的地方，還請你們指出。