IPSec ×××(site to site)配置-白红宇

IPSec ×××(site to site)配置

阅读量：7259 次

发布时间：2019-06-29

本文共 13384 字，大约阅读时间需要 44 分钟。

网络拓扑如下

说明实现两个网关之间IPSec×××通道。

配置需要以下6步

1.配置两端路由能够保证两端互通

2.设置感兴趣流量,两端的ACL需要对称

3.IKE1即ISAKMPSA配置

4.IKE2即IPSecSA配置

5.MAP需要结合234

6.MAP应用到接口上

具体配置如下

R1的主要配置

cryptoisakmppolicy10

encr3des

hashmd5

authenticationpre-share

group2

cryptoisakmpkey6HSKaddress172.16.1.2

cryptoipsectransform-setHSK1esp-3desesp-md5-hmac

modetunnel

cryptomap×××10ipsec-isakmp

setpeer172.16.1.2

settransform-setHSK1

matchaddress100

interfaceLoopback0

ipaddress192.168.1.1255.255.255.0

interfaceSerial0/0

ipaddress172.16.1.1255.255.255.0

ipaccess-group100out

clockrate2000000

cryptomap×××

iproute0.0.0.00.0.0.0Serial0/0

access-list100permitip192.168.1.00.0.0.255192.168.2.00.0.0.255

R2主要配置如下

cryptoisakmppolicy10

encr3des

hashmd5

authenticationpre-share

group2

cryptoisakmpkey6HSKaddress172.16.1.1

cryptoipsectransform-setHSK1esp-3desesp-md5-hmac

modetunnel

cryptomap×××10ipsec-isakmp

setpeer172.16.1.1

settransform-setHSK1

matchaddress100

interfaceLoopback0

ipaddress192.168.2.1255.255.255.0

interfaceSerial0/0

ipaddress172.16.1.2255.255.255.0

ipaccess-group100out

clockrate2000000

cryptomap×××

iproute0.0.0.00.0.0.0Serial0/0

access-list100permitip192.168.2.00.0.0.255192.168.1.00.0.0.255

接下来看试验效果我们在R1上打开debugcryptoisakmp和debugcryptoipsec看看现象

R1#ping192.168.2.1source192.168.1.1

Typeescapesequencetoabort.

Sending5,100-byteICMPEchosto192.168.2.1,timeoutis2seconds:

Packetsentwithasourceaddressof192.168.1.1

*Mar100:59:45.839:IPSEC(sa_request):,

(keyeng.msg.)OUTBOUNDlocal=172.16.1.1,remote=172.16.1.2,

local_proxy=192.168.1.0/255.255.255.0/0/0(type=4),

remote_proxy=192.168.2.0/255.255.255.0/0/0(type=4),

protocol=ESP,transform=NONE(Tunnel),

lifedur=3600sand4608000kb,

spi=0x0(0),conn_id=0,keysize=0,flags=0x0

*Mar100:59:45.847:ISAKMP:(0):SArequestprofileis(NULL)

*Mar100:59:45.847:ISAKMP:Createdapeerstructfor172.16.1.2,peerport500

*Mar100:59:45.847:ISAKMP:Newpeercreatedpeer=0x646DF4E0peer_handle=0x80000003

*Mar100:59:45.851:ISAKMP:Lockingpeerstruct0x646DF4E0,refcount1forisakmp_initiator

*Mar100:59:45.851:ISAKMP:localport500,remoteport500

*Mar100:59:45.851:ISAKMP:setnewnode0toQM_IDLE

*Mar100:59:45.855:insertsasuccessfullysa=6490D1E0

*Mar100:59:45.855:ISAKMP:(0):CannotstartAggressivemode,tryingMainmode.

*Mar100:59:45.855:ISAKMP.:(0):foundpeerpre-sharedkeymatching172.16.1.2

*Mar100:59:45.859:ISAKMP:(0):constructedNAT-Tvendor-07ID

*Mar100:59:45.859:ISAKMP:(0):constructedNAT-Tvendor-03ID

*Mar100:59:45.859:ISAKMP:(0):constructedNAT-Tvendor-02ID

*Mar100:59:45.859:ISAKMP:(0):Input=IKE_MESG_FROM_IPSEC,IKE_SA_REQ_MM

*Mar100:59:45.863:ISAKMP:(0):OldState=IKE_READYNewState=IKE_I_MM1

*Mar100:59:45.863:ISAKMP:(0):beginningMainModeexchange

*Mar100:59:45.863:ISAKMP:(0):sendingpacketto172.16.1.2my_port500peer_port500(I)MM_NO_STATE

*Mar100:59:45.867:ISAKMP:(0):SendinganIKEIPv4Packet.

*Mar100:59:46.087:ISAKMP(0:0):receivedpacketfrom172.16.1.2dport500sport500Global(I)MM_NO_STATE

*Mar100:59:46.091:ISAKMP:(0):Input=IKE_M!!!!

Succe***ateis80percent(4/5),round-tripmin/avg/max=40/85/188ms

R1#ESG_FROM_PEER,IKE_MM_EXCH

*Mar100:59:46.091:ISAKMP:(0):OldState=IKE_I_MM1NewState=IKE_I_MM2

*Mar100:59:46.095:ISAKMP:(0):processingSApayload.messageID=0

*Mar100:59:46.095:ISAKMP:(0):processingvendoridpayload

*Mar100:59:46.095:ISAKMP:(0):vendorIDseemsUnity/DPDbutmajor245mismatch

*Mar100:59:46.099:ISAKMP(0:0):vendorIDisNAT-Tv7

*Mar100:59:46.099:ISAKMP:(0):foundpeerpre-sharedkeymatching172.16.1.2

*Mar100:59:46.099:ISAKMP:(0):localpresharedkeyfound

*Mar100:59:46.099:ISAKMP:Scanningprofilesforxauth...

*Mar100:59:46.103:ISAKMP:(0):CheckingISAKMPtransform1againstpriority10policy

*Mar100:59:46.103:ISAKMP:encryption3DES-CBC

*Mar100:59:46.103:ISAKMP:hashMD5

*Mar100:59:46.103:ISAKMP:defaultgroup2

*Mar100:59:46.103:ISAKMP:authpre-share

*Mar100:59:46.107:ISAKMP:lifetypeinseconds

*Mar100:59:46.107:ISAKMP:lifeduration(VPI)of0x00x10x510x80

*Mar100:59:46.107:ISAKMP:(0):attsareacceptable.Nextpayloadis0

*Mar100:59:46.111:ISAKMP:(0):processingvendoridpayload

*Mar100:59:46.111:ISAKMP:(0):vendorIDseemsUnity/DPDbutmajor245mismatch

*Mar100:59:46.111:ISAKMP(0:0):vendorIDisNAT-Tv7

*Mar100:59:46.111:ISAKMP:(0):Input=IKE_MESG_INTERNAL,IKE_PROCESS_MAIN_MODE

*Mar100:59:46.115:ISAKMP:(0):OldState=IKE_I_MM2NewState=IKE_I_MM2

*Mar100:59:46.123:ISAKMP:(0):sendingpacketto172.16.1.2my_port500peer_port500(I)MM_SA_SETUP

*Mar100:59:46.123:ISAKMP:(0):SendinganIKEIPv4Packet.

*Mar100:59:46.123:ISAKMP:(0):Input=IKE_MESG_INTERNAL,IKE_PROCESS_COMPLETE

*Mar100:59:46.127:ISAKMP:(0):OldState=IKE_I_MM2NewState=IKE_I_MM3

*Mar100:59:46.331:ISAKMP(0:0):receivedpacketfrom172.16.1.2dport500sport500Global(I)MM_SA_SETUP

*Mar100:59:46.335:ISAKMP:(0):Input=IKE_MESG_FROM_PEER,IKE_MM_EXCH

*Mar100:59:46.335:ISAKMP:(0):OldState=IKE_I_MM3NewState=IKE_I_MM4

*Mar100:59:46.339:ISAKMP:(0):processingKEpayload.messageID=0

*Mar100:59:46.395:ISAKMP:(0):processingNONCEpayload.messageID=0

*Mar100:59:46.395:ISAKMP:(0):foundpeerpre-sharedkeymatching172.16.1.2

*Mar100:59:46.399:ISAKMP:(1002):processingvendoridpayload

*Mar100:59:46.399:ISAKMP:(1002):vendorIDisUnity

*Mar100:59:46.403:ISAKMP:(1002):processingvendoridpayload

*Mar100:59:46.403:ISAKMP:(1002):vendorIDisDPD

*Mar100:59:46.403:ISAKMP:(1002):processingvendoridpayload

*Mar100:59:46.403:ISAKMP:(1002):speakingtoanotherIOSbox!

*Mar100:59:46.403:ISAKMP:(1002):Input=IKE_MESG_INTERNAL,IKE_PROCESS_MAIN_MODE

*Mar100:59:46.403:ISAKMP:(1002):OldState=IKE_I_MM4NewState=IKE_I_MM4

*Mar100:59:46.403:ISAKMP:(1002):Sendinitialcontact

*Mar100:59:46.403:ISAKMP:(1002):SAisdoingpre-sharedkeyauthenticationusingidtypeID_IPV4_ADDR

*Mar100:59:46.403:ISAKMP(0:1002):IDpayload

next-payload:8

type:1

address:172.16.1.1

protocol:17

port:500

length:12

*Mar100:59:46.403:ISAKMP:(1002):Totalpayloadlength:12

*Mar100:59:46.407:ISAKMP:(1002):sendingpacketto172.16.1.2my_port500peer_port500(I)MM_KEY_EXCH

*Mar100:59:46.407:ISAKMP:(1002):SendinganIKEIPv4Packet.

*Mar100:59:46.407:ISAKMP:(1002):Input=IKE_MESG_INTERNAL,IKE_PROCESS_COMPLETE

*Mar100:59:46.411:ISAKMP:(1002):OldState=IKE_I_MM4NewState=IKE_I_MM5

*Mar100:59:46.547:ISAKMP(0:1002):receivedpacketfrom172.16.1.2dport500sport500Global(I)MM_KEY_EXCH

*Mar100:59:46.551:ISAKMP:(1002):processingIDpayload.messageID=0

*Mar100:59:46.551:ISAKMP(0:1002):IDpayload

next-payload:8

type:1

address:172.16.1.2

protocol:17

port:500

length:12

*Mar100:59:46.555:ISAKMP:(0)::peermatches*none*oftheprofiles

*Mar100:59:46.555:ISAKMP:(1002):processingHASHpayload.messageID=0

*Mar100:59:46.559:ISAKMP:(1002):SAauthenticationstatus:

authenticated

*Mar100:59:46.559:ISAKMP:(1002):SAhasbeenauthenticatedwith172.16.1.2

*Mar100:59:46.559:ISAKMP:Tryingtoinsertapeer172.16.1.1/172.16.1.2/500/,andinsertedsuccessfully646DF4E0.

*Mar100:59:46.563:ISAKMP:(1002):Input=IKE_MESG_FROM_PEER,IKE_MM_EXCH

*Mar100:59:46.563:ISAKMP:(1002):OldState=IKE_I_MM5NewState=IKE_I_MM6

*Mar100:59:46.571:ISAKMP:(1002):Input=IKE_MESG_INTERNAL,IKE_PROCESS_MAIN_MODE

*Mar100:59:46.571:ISAKMP:(1002):OldState=IKE_I_MM6NewState=IKE_I_MM6

*Mar100:59:46.575:ISAKMP(0:1002):receivedpacketfrom172.16.1.2dport500sport500Global(I)MM_KEY_EXCH

*Mar100:59:46.575:ISAKMP:setnewnode1670074093toQM_IDLE

*Mar100:59:46.579:ISAKMP:(1002):processingHASHpayload.messageID=1670074093

*Mar100:59:46.579:ISAKMP:(1002):processingDELETEpayload.messageID=1670074093

*Mar100:59:46.583:ISAKMP:(1002):peerdoesnotdoparanoidkeepalives.

*Mar100:59:46.583:ISAKMP:(1002):deletingnode1670074093errorFALSEreason"Informational(in)state1"

*Mar100:59:46.587:IPSEC(key_engine):gotaqueueeventwith1KMImessage(s)

*Mar100:59:46.587:IPSEC(key_engine_delete_sas):rec'ddeletenotifyfromISAKMP

*Mar100:59:46.591:ISAKMP:(1002):Input=IKE_MESG_INTERNAL,IKE_PROCESS_COMPLETE

*Mar100:59:46.595:ISAKMP:(1002):OldState=IKE_I_MM6NewState=IKE_P1_COMPLETE

*Mar100:59:46.599:ISAKMP:(1002):beginningQuickModeexchange,M-IDof-2018734306

*Mar100:59:46.599:ISAKMP:(1002):QMInitiatorgetsspi

*Mar100:59:46.603:ISAKMP:(1002):sendingpacketto172.16.1.2my_port500peer_port500(I)QM_IDLE

*Mar100:59:46.603:ISAKMP:(1002):SendinganIKEIPv4Packet.

*Mar100:59:46.607:ISAKMP:(1002):Node-2018734306,Input=IKE_MESG_INTERNAL,IKE_INIT_QM

*Mar100:59:46.607:ISAKMP:(1002):OldState=IKE_QM_READYNewState=IKE_QM_I_QM1

*Mar100:59:46.607:ISAKMP:(1002):Input=IKE_MESG_INTERNAL,IKE_PHASE1_COMPLETE

*Mar100:59:46.611:ISAKMP:(1002):OldState=IKE_P1_COMPLETENewState=IKE_P1_COMPLETE

*Mar100:59:46.775:ISAKMP(0:1002):receivedpacketfrom172.16.1.2dport500sport500Global(I)QM_IDLE

*Mar100:59:46.779:ISAKMP:(1002):processingHASHpayload.messageID=-2018734306

*Mar100:59:46.779:ISAKMP:(1002):processingSApayload.messageID=-2018734306

*Mar100:59:46.783:ISAKMP:(1002):CheckingIPSecproposal1

*Mar100:59:46.783:ISAKMP:transform1,ESP_3DES

*Mar100:59:46.783:ISAKMP:attributesintransform:

*Mar100:59:46.783:ISAKMP:encapsis1(Tunnel)

*Mar100:59:46.783:ISAKMP:SAlifetypeinseconds

*Mar100:59:46.783:ISAKMP:SAlifeduration(basic)of3600

*Mar100:59:46.787:ISAKMP:SAlifetypeinkilobytes

*Mar100:59:46.787:ISAKMP:SAlifeduration(VPI)of0x00x460x500x0

*Mar100:59:46.787:ISAKMP:authenticatorisHMAC-MD5

*Mar100:59:46.791:ISAKMP:(1002):attsareacceptable.

*Mar100:59:46.791:IPSEC(validate_proposal_request):proposalpart#1

*Mar100:59:46.791:IPSEC(validate_proposal_request):proposalpart#1,

(keyeng.msg.)INBOUNDlocal=172.16.1.1,remote=172.16.1.2,

local_proxy=192.168.1.0/255.255.255.0/0/0(type=4),

remote_proxy=192.168.2.0/255.255.255.0/0/0(type=4),

protocol=ESP,transform=esp-3desesp-md5-hmac(Tunnel),

lifedur=0sand0kb,

spi=0x0(0),conn_id=0,keysize=0,flags=0x0

*Mar100:59:46.795:Cryptomapdb:proxy_match

srcaddr:192.168.1.0

dstaddr:192.168.2.0

protocol:0

srcport:0

dstport:0

*Mar100:59:46.799:ISAKMP:(1002):processingNONCEpayload.messageID=-2018734306

*Mar100:59:46.799:ISAKMP:(1002):processingIDpayload.messageID=-2018734306

*Mar100:59:46.807:ISAKMP:(1002):CreatingIPSecSAs

*Mar100:59:46.807:inboundSAfrom172.16.1.2to172.16.1.1(f/i)0/0

(proxy192.168.2.0to192.168.1.0)

*Mar100:59:46.811:hasspi0x592F35D4andconn_id0

*Mar100:59:46.811:lifetimeof3600seconds

*Mar100:59:46.811:lifetimeof4608000kilobytes

*Mar100:59:46.811:outboundSAfrom172.16.1.1to172.16.1.2(f/i)0/0

(proxy192.168.1.0to192.168.2.0)

*Mar100:59:46.811:hasspi0x523FFDEandconn_id0

*Mar100:59:46.815:lifetimeof3600seconds

*Mar100:59:46.815:lifetimeof4608000kilobytes

*Mar100:59:46.815:ISAKMP:(1002):sendingpacketto172.16.1.2my_port500peer_port500(I)QM_IDLE

*Mar100:59:46.819:ISAKMP:(1002):SendinganIKEIPv4Packet.

*Mar100:59:46.819:ISAKMP:(1002):deletingnode-2018734306errorFALSEreason"NoError"

*Mar100:59:46.819:ISAKMP:(1002):Node-2018734306,Input=IKE_MESG_FROM_PEER,IKE_QM_EXCH

*Mar100:59:46.823:ISAKMP:(1002):OldState=IKE_QM_I_QM1NewState=IKE_QM_PHASE2_COMPLETE

*Mar100:59:46.827:IPSEC(key_engine):gotaqueueeventwith1KMImessage(s)

*Mar100:59:46.827:Cryptomapdb:proxy_match

srcaddr:192.168.1.0

dstaddr:192.168.2.0

protocol:0

srcport:0

dstport:0

*Mar100:59:46.831:IPSEC(crypto_ipsec_sa_find_ident_head):reconnectingwiththesameproxiesandpeer172.16.1.2

*Mar100:59:46.831:IPSEC(policy_db_add_ident):src192.168.1.0,dest192.168.2.0,dest_port0

*Mar100:59:46.831:IPSEC(create_sa):sacreated,

(sa)sa_dest=172.16.1.1,sa_proto=50,

sa_spi=0x592F35D4(1496266196),

sa_trans=esp-3desesp-md5-hmac,sa_conn_id=3

*Mar100:59:46.835:IPSEC(create_sa):sacreated,

(sa)sa_dest=172.16.1.2,sa_proto=50,

sa_spi=0x523FFDE(86245342),

sa_trans=esp-3desesp-md5-hmac,sa_conn_id=4

*Mar100:59:46.835:IPSEC(update_current_outbound_sa):updatedpeer172.16.1.2currentoutboundsatoSPI523FFDE

由上面可以看到数据在传输中的过程。

下面来看看R1的isakmpsa和ipsecsa。

R1#showcryptoisakmpsa

IPv4CryptoISAKMPSA

dstsrcstateconn-idslotstatus

172.16.1.2172.16.1.1QM_IDLE10020ACTIVE

IPv6CryptoISAKMPSA

R1#showcryptoipsecsa

interface:Serial0/0

Cryptomaptag:×××,localaddr172.16.1.1

protectedvrf:(none)

localident(addr/mask/prot/port):(192.168.1.0/255.255.255.0/0/0)

remoteident(addr/mask/prot/port):(192.168.2.0/255.255.255.0/0/0)

current_peer172.16.1.2port500

PERMIT,flags={origin_is_acl,}

#pktsencaps:4,#pktsencrypt:4,#pktsdigest:4

#pktsdecaps:4,#pktsdecrypt:4,#pktsverify:4

#pktscompressed:0,#pktsdecompressed:0

#pktsnotcompressed:0,#pktscompr.failed:0

#pktsnotdecompressed:0,#pktsdecompressfailed:0

#senderrors1,#recverrors0

localcryptoendpt.:172.16.1.1,remotecryptoendpt.:172.16.1.2

pathmtu1500,ipmtu1500,ipmtuidbSerial0/0

currentoutboundspi:0x523FFDE(86245342)

inboundespsas:

spi:0x592F35D4(1496266196)

transform:esp-3desesp-md5-hmac,

inusesettings={Tunnel,}

connid:3,flow_id:3,cryptomap:×××

satiming:remainingkeylifetime(k/sec):(4542746/3345)

IVsize:8bytes

replaydetectionsupport:Y

Status:ACTIVE

inboundahsas:

inboundpcpsas:

outboundespsas:

spi:0x523FFDE(86245342)

transform:esp-3desesp-md5-hmac,

inusesettings={Tunnel,}

connid:4,flow_id:4,cryptomap:×××

satiming:remainingkeylifetime(k/sec):(4542746/3343)

IVsize:8bytes

replaydetectionsupport:Y

Status:ACTIVE

outboundahsas:

outboundpcpsas:

好了实验到这里对简单的IPSec配置算是完成了如果我们只想让主机192.168.1.1通过IPSec×××访问192.168.2.1那我们该放行什么流量呢我们需要添加如下防控列表

R2#showipaccess-lists101

ExtendedIPaccesslist101

10permitahphost172.16.1.1host172.16.1.2

20permitesphost172.16.1.1host172.16.1.2(15matches)

30permitudphost172.16.1.1host172.16.1.2eqisakmp

40permitip92.168.1.00.0.0.255192.168.2.00.0.0.255

看看效果

R1#ping192.168.2.1source192.168.1.1

Typeescapesequencetoabort.

Sending5,100-byteICMPEchosto192.168.2.1,timeoutis2seconds:

Packetsentwithasourceaddressof192.168.1.1

!!!!!

Succe***ateis100percent(5/5),round-tripmin/avg/max=32/69/100ms

转载于:https://blog.51cto.com/heshengkai/1298993

你可能感兴趣的文章