ipsec实验

实验：

1.首先设置R1和Site2的环回口地址

R1(config)#int lo 0 -------设置R1环回口

R1(config-if)#ip address 1.1.1.1 255.255.255.0

R1(config-if)#no shutdown

SITE2(config)#int lo 0 -------设置SITE2环回口

SITE2(config-if)#ip address 2.2.2.2 255.255.255.0

SITE2(config-if)#no shutdown

2.配置各个接口的IP地址

R1(config)#int e0/0

R1(config-if)#ip address 10.1.1.10 255.255.255.0

R1(config-if)#no shutdown

SITE1(config)#int e0/0

SITE1(config-if)#ip address 10.1.1.1 255.255.255.0

SITE1(config-if)#no shutdown

SITE1(config-if)#exit

SITE1(config)#int e0/1

SITE1(config-if)#ip address 202.100.1.1 255.255.255.0

SITE1(config-if)#no shutdown

Internet(config)#int e0/0

Internet(config-if)#ip add

Internet(config-if)#ip address 202.100.1.10 255.255.255.0

Internet(config-if)#no shutdown

Internet(config-if)#exit

Internet(config)#int e0/1

Internet(config-if)#ip address 202.100.2.10 255.255.255.0

Internet(config-if)#no shutdown

SITE2(config-if)#int e0/0

SITE2(config-if)#ip address 202.100.2.2 255.255.255.0

SITE2(config-if)#no shutdown

3.设置静态路由

RRR(config)#ip route 2.2.2.2 255.255.255.255 10.1.1.1

SITE1(config)#ip route 2.2.2.2 255.255.255.255 202.100.1.10

SITE1(config)#ip route 202.100.2.0 255.255.255.0 202.100.1.10

SITE2(config)#ip route 1.1.1.0 255.255.255.0 202.100.2.10

SITE2(config)#ip route 202.100.1.0 255.255.255.0 202.100.2.10

SITE1(config)#ip route 1.1.1.0 255.255.255.255 10.1.1.10

4.设置IPset

SITE1(config)#crypto isakmp enable------------------------（路由器默认开启，防火墙默认关闭）

SITE1(config)#crypto isakmp policy 10

SITE1(config-isakmp)#encryption 3des ---------------------认证，对称加密

SITE1(config-isakmp)#hash md5 --------------------------保证完整性，需要秘钥

SITE1(config-isakmp)#group 5 --------------------------提供秘钥

SITE1(config-isakmp)#authentication pre-share

SITE1(config-isakmp)#exit

SITE1(config)#crypto isakmp key ccna123 address 202.100.2.1 --------------------用预共享秘钥，指到对面与ISP相连接口的地址

SITE2(config)#crypto isakmp policy 10 -----------10只是一个标志

SITE2(config-isakmp)#encryption 3des

SITE2(config-isakmp)#hash md5

SITE2(config-isakmp)#group 5

SITE2(config-isakmp)#authentication pre-share

SITE2(config-isakmp)#exit

SITE2(config)#crypto isakmp key ccna123 address 202.100.1.1

SITE1#show crypto isakmp policy -------------------------查看配置

Global IKE policy

Protection suite of priority 10

encryption algorithm: Three key triple DES

hash algorithm: Message Digest 5

authentication method: Pre-Shared Key

Diffie-Hellman group: #5 (1536 bit)

lifetime: 86400 seconds, no volume limit 老化时间

设置感兴趣流

SITE1(config)#ip access-list extended vpn --------------------------------------命名扩展ACL

SITE1(config-ext-nacl)#permit ip host 1.1.1.1 host 2.2.2.2

SITE2(config)#ip access-list extended vpn --------------------------------------VPN是个名字

SITE2(config-ext-nacl)#permit ip host 2.2.2.2 host 1.1.1.1

SITE1(config)#crypto ipsec transform-set vpn esp-des esp-md5-hmac -----------------VPN是个名字，hmac提供原认证

SITE1(cfg-crypto-trans)#mode tunnel -------------------------设置模式为tunnel

SITE2(config)#crypto ipsec transform-set vpn esp-des esp-md5-hmac

SITE2(cfg-crypto-trans)#mode tunnel

整合在一起

SITE1(config)#crypto map cry-map 10 ipsec-isakmp ---------------------定义的名字cry-map

SITE1(config-crypto-map)#match address vpn

SITE1(config-crypto-map)#set peer 202.100.2.1 ----------------------------对端地址

SITE1(config-crypto-map)#set transform-set vpn

SITE2(config)#crypto map cry-map 10 ipsec-isakmp

SITE2(config-crypto-map)#match address vpn

SITE2(config-crypto-map)#set transform-set vpn

SITE2(config-crypto-map)#set peer 202.100.1.1

最后一步调用

SITE1(config)#int e0/1 -------------与Internet相连的接口

SITE1(config-if)#crypot map cry-map

SITE2(config)#int e0/0

SITE2(config-if)#crypot map cry-map

查看命令

SITE2#show crypto isakmp sa --------------------------------------第一阶段的sa

SITE2#show crypto ipsec sa