《最新IPsec-Site-to-site-VPN实验.doc》由会员分享,可在线阅读,更多相关《最新IPsec-Site-to-site-VPN实验.doc(35页珍藏版)》请在得力文库 - 分享文档赚钱的网站上搜索。
1、Four short words sum up what has lifted most successful individuals above the crowd: a little bit more.-author-dateIPsec-Site-to-site-VPN实验IPsec Site to site VPN实验IPsec Site to site VPN实验一:实验拓扑及实验要求实验要求:1. 用Dynamips GUI或GNS3搭建如上图所示的网络环境;2. IPsec Site to Site VPN实现分公司与总公司之间所有数据通信的机密性及完整性保护;3. IPsec S
2、ite to Site VPN实现分公司与总公司之间TCP等关键数据通信的机密性及完整性保护(AH + ESP),ICMP数据的完整性保护(AH);(选做一)4. IPsec VPN完美地实现了“Site to Site”数据的保护,但是无法实现公司局域网内数据的保护。因此最佳的做法是计算机上(CPU资源丰富)使用传输模式的ESP加密保护,路由器或安全网关上站到站的AH隧道保护。(选做二)二:实验操作过程及配置说明基本设置R1基本设置R1(config)#int f0/0 #R1上的IPsec VPN接口,一般为外网接口R1(config-if)#ip add 1.1.1.1 255.255.
3、255.252R1(config-if)#no shR1(config-if)#int f1/0 #R1上的内网接口R1(config-if)#ip add 192.168.1.1 255.255.255.0R1(config-if)#no shR1(config-if)#exitR1(config)#ip route 0.0.0.0 0.0.0.0 1.1.1.2 #R1上默认路由配置R2基本设置R2(config)#int f1/0R2(config-if)#ip add 1.1.1.2 255.255.255.252R2(config-if)#no shR2(config-if)#int
4、 f0/0R2(config-if)#ip add 2.2.2.1 255.255.255.252R2(config-if)#no shR3基本设置R3(config)#int f1/0 #R3上的IPsec VPN接口R3(config-if)#ip add 2.2.2.2 255.255.255.252R3(config-if)#no shR3(config-if)#int f0/0 #R3上的内网接口R3(config-if)#ip add 172.16.1.1 255.255.255.0R3(config-if)#no shR3(config)#ip route 0.0.0.0 0.0
5、.0.0 2.2.2.1 #R3上默认路由配置R1 IPsec设置R1 IKE策略定义R1(config)#crypto isakmp policy 10 #定义IKE策略及其优先级R1(config-isakmp)#encryption aes 128 #设置IKE的加密算法为128bits AESR1(config-isakmp)#hash sha#设置IKE的认证算法为SHA-1R1(config-isakmp)#authentication pre-share#设置IKE的认证方法为预共享密钥R1(config-isakmp)#group 2#设置isakmp的密钥协商算法为DH“群2
6、”(1024bits)R1(config-isakmp)#lifetime 3600#设置IKE SA的寿命为3600秒R1(config-isakmp)#exitIKE策略中,与对端共享的口令(预共享密钥认证) R1(config)#crypto isakmp key haha address 2.2.2.2 #设置IKE认证中与对端共享的口令定义R1中IPsec的感兴趣流R1(config)#access-list 101 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255 #从192网段到172网段的流量是需要被加密的定义R1中IPs
7、ec的转换集R1(config)#crypto ipsec transform-set R1set ah-md5-hmac esp-aes 256 esp-sha-hmac #AH + ESP的保护R1(cfg-crypto-trans)#mode tunnel #默认为Tunnel模式,可以不设定义R1中IPsec的加密图R1(config)#crypto map R1map 10 ipsec-isakmp #定义R1上的加密图,以关联IPsec所需的组件% NOTE: This new crypto map will remain disabled until a peer and a v
8、alid access list have been configured.R1(config-crypto-map)#match address 101 #匹配访问控制列表(应用IPsec的感兴趣流)R1(config-crypto-map)#set peer 2.2.2.2 #设置IPsec VPN的对端R1(config-crypto-map)#set transform-set R1set #应用IPsec VPN的转换集(保护方式)R1(config-crypto-map)#set pfs group2 #设置IPsec VPN的PFS(密钥完美向前保密)在R1的VPN接口上应用IP
9、sec的加密图R1(config)#int f0/0R1(config-if)#crypto map R1map*Mar 1 02:30:24.671: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ONR3 IPsec设置R3 IKE策略定义R3(config)#crypto isakmp policy 10R3(config-isakmp)#encryption aes 128R3(config-isakmp)#hash shaR3(config-isakmp)#authentication pre-shareR3(config-isakmp)#lifetime 3
10、600R3(config-isakmp)#group 2R3(config-isakmp)#exitIKE策略中,与对端共享的口令(预共享密钥认证) R3(config)#crypto isakmp key haha address 1.1.1.1 #设置IKE认证中与对端共享的口令定义R3中IPsec的感兴趣流R3(config)# access-list 101 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255定义R3中IPsec的转换集R3(config)#crypto ipsec transform-set r3set ah-md
11、5-hmac esp-aes 256 esp-sha-hmacR3(cfg-crypto-trans)#mode tunnelR3(cfg-crypto-trans)#exit定义R3中IPsec的加密图R3(config)#crypto map R3map 10 ipsec-isakmp% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.R3(config-crypto-map)#match address 101R3(config
12、-crypto-map)#set transform-set r3setR3(config-crypto-map)#set peer 1.1.1.1R3(config-crypto-map)#set pfs group2在R3的VPN接口上应用IPsec的加密图R3(config)#int f1/0R3(config-if)#crypto map R3map三:实验验证及总结验证命令:R1#sh crypto isakmp ? key Show ISAKMP preshared keys peers Show ISAKMP peer structures policy Show ISAKMP
13、protection suite policy profile Show ISAKMP profiles sa Show ISAKMP Security AssociationsR1#sh crypto ipsec ? client Show Client Status policy Show IPSEC client policies profile Show ipsec profile information sa IPSEC SA table security-association Show parameters for IPSec security associations tran
14、sform-set Crypto transform setsR1#sh crypto mapR1#clear crypto sa Ping验证:数据包捕获验证选做一的配置文件及简要注释选做一(AH保护ICMP及AH+ESP保护TCP):本试验的目的在于掌握IPsec VPN配置中,感兴趣流、转换集及密码图的灵活运用。R1的配置文件及简要注释R1#sh running-config Building configuration.Current configuration : 1304 bytes!version 12.4service timestamps debug datetime mse
15、cservice timestamps log datetime msecno service password-encryption!hostname R1!boot-start-markerboot-end-marker!no aaa new-modelmemory-size iomem 5!ip cefno ip domain lookup ! #IKE策略及其优先级crypto isakmp policy 10 encr aes authentication pre-share group 2 crypto isakmp key haha address 2.2.2.2! ! # 两个
16、转换集,分别实现AH保护及AH+ESP保护crypto ipsec transform-set R1ah ah-sha-hmac crypto ipsec transform-set R1ahesp ah-sha-hmac esp-aes esp-sha-hmac ! #实现AH保护的加密图crypto map R1map 10 ipsec-isakmp set peer 2.2.2.2 set transform-set R1ah match address 101 #应用ICMP协议的感兴趣流crypto map R1map 11 ipsec-isakmp #实现AH + ESP保护的加密
17、图(注意:同名但不同编号) set peer 2.2.2.2 set transform-set R1ahesp match address 102 #应用TCP协议的感兴趣流 ! interface Loopback0 ip address 192.168.1.1 255.255.255.0! interface FastEthernet0/0 ip address 1.1.1.1 255.255.255.0 duplex auto speed auto crypto map R1map #接口上应用加密图! interface FastEthernet1/0 no ip address s
18、hutdown duplex auto speed auto! ip http serverno ip http secure-serverip route 0.0.0.0 0.0.0.0 1.1.1.2 ! #两个访问控制列表,分别定义不同的感兴趣流access-list 101 permit icmp 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255 #ICMP协议的感兴趣流access-list 102 permit tcp 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255 #TCP协议的感兴趣流! control-
19、plane! line con 0 exec-timeout 0 0 logging synchronousline aux 0line vty 0 4! end R1#R3的配置文件(注释同上):R3#sh runBuilding configuration.Current configuration : 1384 bytes!version 12.4service timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname R3!boot-
20、start-markerboot-end-marker!enable password heihei!no aaa new-modelmemory-size iomem 5!ip cefno ip domain lookup ! crypto isakmp policy 10 encr aes authentication pre-share group 2 crypto isakmp key haha address 1.1.1.1! ! crypto ipsec transform-set R3ah ah-sha-hmac crypto ipsec transform-set R3ahes
21、p ah-sha-hmac esp-aes esp-sha-hmac ! crypto map R3map 10 ipsec-isakmp set peer 1.1.1.1 set transform-set R3ah match address 101crypto map R3map 11 ipsec-isakmp set peer 1.1.1.1 set transform-set R3ahesp match address 102 ! interface Loopback0 ip address 172.16.1.1 255.255.255.0! interface FastEthern
22、et0/0 no ip address shutdown duplex auto speed auto! interface FastEthernet1/0 ip address 2.2.2.2 255.255.255.0 duplex auto speed auto crypto map R3map! ip http serverno ip http secure-serverip route 0.0.0.0 0.0.0.0 2.2.2.1 ! access-list 101 permit icmp 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255access-list 102 permit tcp 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255 ! control-plane! line con 0 exec-timeout 0 0 logging synchronousline aux 0line vty 0 4 #VTY密码,为TCP连接做测试准备 password haha login ! end 验证:如下图所示:AH仅保护ICMP数据,如下图所示:AH和ESP保护了TCP等关键数据,且在新的应用(ESP)之前,ISAKMP生成了新的IPsec SA !-
黑公网安备:91230400333293403D