IPSec VPN (site-to-site) configuration

The network topology is as follows (figure 175351400.jpg). As the configurations below show, R1 and R2 are connected back to back over Serial0/0 (172.16.1.1 and 172.16.1.2, /24), and each router's Loopback0 (192.168.1.1/24 on R1, 192.168.2.1/24 on R2) stands in for its LAN.

This post shows how to build an IPsec VPN tunnel between two gateways.

The configuration takes six steps:

1. Configure routing at both ends so the two gateways can reach each other.

2. Define the interesting traffic (the crypto ACL); the ACLs on the two ends must be mirror images of each other.

3. IKE phase 1, i.e. the ISAKMP SA (crypto isakmp policy plus the pre-shared key for the peer).

4. IKE phase 2, i.e. the IPsec SA (crypto ipsec transform-set).

5. A crypto map that ties steps 2, 3 and 4 together (set peer, set transform-set, match address).

6. Apply the crypto map to the outside interface.

The specific configuration follows. Note that 3DES, MD5 and DH group 2 are legacy choices kept here for the lab; on current IOS releases prefer AES, SHA-2 and DH group 14 or higher.

R1's main configuration:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 6 HSK address 172.16.1.2


crypto ipsec transform-set HSK1 esp-3des esp-md5-hmac
 mode tunnel


crypto map VPN 10 ipsec-isakmp
 set peer 172.16.1.2
 set transform-set HSK1
 match address 100


interface Loopback0
 ip address 192.168.1.1 255.255.255.0


interface Serial0/0
 ip address 172.16.1.1 255.255.255.0
 ip access-group 100 out
 clock rate 2000000
 crypto map VPN

ip route 0.0.0.0 0.0.0.0 Serial0/0

access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

R2's main configuration:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 6 HSK address 172.16.1.1


crypto ipsec transform-set HSK1 esp-3des esp-md5-hmac
 mode tunnel

crypto map VPN 10 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set HSK1
 match address 100

interface Loopback0
 ip address 192.168.2.1 255.255.255.0

interface Serial0/0
 ip address 172.16.1.2 255.255.255.0
 ip access-group 100 out
 clock rate 2000000
 crypto map VPN

ip route 0.0.0.0 0.0.0.0 Serial0/0

access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
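Steps 2 to 6 above all depend on the two routers agreeing with each other, and most broken site-to-site tunnels come from one side being edited without the other. The following script is an added example (not code from the original post, and not an IOS feature): it parses the R1/R2 configuration excerpts transcribed from above and checks that the crypto ACLs are mirror images, that each `set peer` is the other side's crypto-map interface address and has a pre-shared key, that an ISAKMP policy and the transform set match, and that the map is applied to an interface. It also lists the legacy algorithms this lab uses. Going beyond the page, it accepts ACL entries written with `host`, which is what the single-host restriction discussed at the end of the post would need.

```python
"""Consistency checks for the two-router Cisco IOS IPsec site-to-site setup above.

Added example, not code from the original post: it parses the R1/R2 config excerpts
(transcribed from the page) and verifies what steps 2 to 6 require, then flags the
legacy algorithms the lab uses. ACLs written with 'host' are handled as well.
"""
R1_CONFIG = """
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 6 HSK address 172.16.1.2
crypto ipsec transform-set HSK1 esp-3des esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 172.16.1.2
 set transform-set HSK1
 match address 100
interface Serial0/0
 ip address 172.16.1.1 255.255.255.0
 crypto map VPN
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
# R2 is the same configuration with the two sides swapped, exactly as on the page.
R2_CONFIG = (R1_CONFIG.replace("172.16.1.2", "X").replace("172.16.1.1", "172.16.1.2").replace("X", "172.16.1.1")
             .replace("192.168.1.0 0.0.0.255 192.168.2.0", "192.168.2.0 0.0.0.255 192.168.1.0"))

# Deprecated choices: single/triple DES, MD5, small DH groups.
LEGACY = {("encr", "des"), ("encr", "3des"), ("hash", "md5"), ("group", "1"), ("group", "2"), ("group", "5"),
          ("transform", "esp-des"), ("transform", "esp-3des"), ("transform", "esp-md5-hmac")}


class Config:
    """Parsed view of one router: isakmp_policies, psk_peers, transform_sets, crypto_maps, interfaces, acls."""
    def __init__(self):
        self.isakmp_policies, self.transform_sets, self.crypto_maps, self.interfaces, self.acls = {}, {}, {}, {}, {}
        self.psk_peers = set()


def _addr(w, i):
    """Consume one ACL address at w[i] ('host A' or 'A wildcard'); return (addr, wildcard, next i)."""
    return (w[i + 1], "0.0.0.0", i + 2) if w[i] == "host" else (w[i], w[i + 1], i + 2)


def parse_config(text):
    cfg, parent = Config(), None
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if not raw.startswith(" "):                      # top-level command; indented lines belong to it
            parent = None
            if w[:3] == ["crypto", "isakmp", "policy"]:
                parent, cfg.isakmp_policies[w[3]] = ("isakmp", w[3]), {}
            elif w[:3] == ["crypto", "isakmp", "key"] and "address" in w:
                cfg.psk_peers.add(w[w.index("address") + 1])
            elif w[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg.transform_sets[w[3]] = tuple(w[4:])
            elif w[:2] == ["crypto", "map"] and len(w) >= 5:
                parent, cfg.crypto_maps[(w[2], w[3])] = ("map", (w[2], w[3])), {}
            elif w[0] == "interface":
                parent, cfg.interfaces[w[1]] = ("intf", w[1]), {}
            elif w[0] == "access-list" and w[2] == "permit":
                src, swild, i = _addr(w, 4)
                cfg.acls.setdefault(w[1], []).append((w[3], src, swild) + _addr(w, i)[:2])
        elif parent and parent[0] == "isakmp":
            cfg.isakmp_policies[parent[1]][w[0]] = " ".join(w[1:])
        elif parent and parent[0] == "map" and w[0] in ("set", "match"):
            cfg.crypto_maps[parent[1]][w[1].replace("-", "_")] = w[2]   # keys: peer, transform_set, address
        elif parent and parent[0] == "intf" and w[:2] in (["ip", "address"], ["crypto", "map"]):
            cfg.interfaces[parent[1]]["ip" if w[0] == "ip" else "crypto_map"] = w[2]
    return cfg


def check_pair(a, b):
    """Mismatches between peer a's configuration and peer b's; an empty list means consistent."""
    out = []
    if not {frozenset(p.items()) for p in a.isakmp_policies.values()} & \
           {frozenset(p.items()) for p in b.isakmp_policies.values()}:
        out.append("phase 1: no ISAKMP policy is common to both peers")
    applied = {i.get("crypto_map") for i in a.interfaces.values()}
    a_wan = {i["ip"] for i in a.interfaces.values() if "crypto_map" in i}
    b_wan = {i["ip"] for i in b.interfaces.values() if "crypto_map" in i}
    for (name, seq), ma in a.crypto_maps.items():
        tag, peer = f"crypto map {name} {seq}", ma.get("peer")
        if name not in applied:
            out.append(f"{tag}: not applied to any interface (step 6)")
        if peer not in b_wan:
            out.append(f"{tag}: set peer {peer} is not the other side's crypto-map interface")
        if peer not in a.psk_peers:
            out.append(f"{tag}: no pre-shared key configured for peer {peer}")
        for mb in (m for m in b.crypto_maps.values() if m.get("peer") in a_wan):
            if a.transform_sets.get(ma.get("transform_set")) != b.transform_sets.get(mb.get("transform_set")):
                out.append(f"{tag}: phase 2 transform set differs from the peer's")
            mirror = {(p, d, dw, s, sw) for (p, s, sw, d, dw) in b.acls.get(mb.get("address"), [])}
            if set(a.acls.get(ma.get("address"), [])) != mirror:
                out.append(f"{tag}: ACL {ma.get('address')} is not the mirror image of the peer's ACL {mb.get('address')}")
    return out


def legacy_algorithms(cfg):
    """Deprecated algorithm choices (3DES, MD5, small DH groups) as readable strings."""
    hits = [f"isakmp policy {s}: {k} {v}" for s, p in cfg.isakmp_policies.items() for k, v in p.items() if (k, v) in LEGACY]
    return hits + [f"transform-set {n}: {t}" for n, ts in cfg.transform_sets.items() for t in ts if ("transform", t) in LEGACY]


if __name__ == "__main__":
    r1, r2 = parse_config(R1_CONFIG), parse_config(R2_CONFIG)
    print("mismatches:", check_pair(r1, r2) + check_pair(r2, r1) or "none")
    print("legacy algorithms on R1:", legacy_algorithms(r1))
```

Run it against both directions (R1 against R2 and R2 against R1), since a peer address or ACL error is only visible from the side that has it wrong. The mirror check compares whole ACL entry sets, so an extra or missing line on one side is reported even when every other line matches.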

Now let's look at the result. On R1, turn on debug crypto isakmp and debug crypto ipsec and watch what happens.

R1#ping 192.168.2.1 source 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1

*Mar  1 00:59:45.839: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 172.16.1.1, remote= 172.16.1.2,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Mar  1 00:59:45.847: ISAKMP:(0): SA request profile is (NULL)
*Mar  1 00:59:45.847: ISAKMP: Created a peer struct for 172.16.1.2, peer port 500
*Mar  1 00:59:45.847: ISAKMP: New peer created peer = 0x646DF4E0 peer_handle = 0x80000003
*Mar  1 00:59:45.851: ISAKMP: Locking peer struct 0x646DF4E0, refcount 1 for isakmp_initiator
*Mar  1 00:59:45.851: ISAKMP: local port 500, remote port 500
*Mar  1 00:59:45.851: ISAKMP: set new node 0 to QM_IDLE
*Mar  1 00:59:45.855: insert sa successfully sa = 6490D1E0
*Mar  1 00:59:45.855: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Mar  1 00:59:45.855: ISAKMP:(0):found peer pre-shared key matching 172.16.1.2
*Mar  1 00:59:45.859: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Mar  1 00:59:45.859: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Mar  1 00:59:45.859: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Mar  1 00:59:45.859: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar  1 00:59:45.863: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Mar  1 00:59:45.863: ISAKMP:(0): beginning Main Mode exchange
*Mar  1 00:59:45.863: ISAKMP:(0): sending packet to 172.16.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 00:59:45.867: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar  1 00:59:46.087: ISAKMP (0:0): received packet from 172.16.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 40/85/188 ms
R1#
*Mar  1 00:59:46.091: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 00:59:46.091: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

*Mar  1 00:59:46.095: ISAKMP:(0): processing SA payload. message ID = 0
*Mar  1 00:59:46.095: ISAKMP:(0): processing vendor id payload
*Mar  1 00:59:46.095: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Mar  1 00:59:46.099: ISAKMP (0:0): vendor ID is NAT-T v7
*Mar  1 00:59:46.099: ISAKMP:(0):found peer pre-shared key matching 172.16.1.2
*Mar  1 00:59:46.099: ISAKMP:(0): local preshared key found
*Mar  1 00:59:46.099: ISAKMP : Scanning profiles for xauth ...
*Mar  1 00:59:46.103: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Mar  1 00:59:46.103: ISAKMP:      encryption 3DES-CBC
*Mar  1 00:59:46.103: ISAKMP:      hash MD5
*Mar  1 00:59:46.103: ISAKMP:      default group 2
*Mar  1 00:59:46.103: ISAKMP:      auth pre-share
*Mar  1 00:59:46.107: ISAKMP:      life type in seconds
*Mar  1 00:59:46.107: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Mar  1 00:59:46.107: ISAKMP:(0):atts are acceptable. Next payload is 0
*Mar  1 00:59:46.111: ISAKMP:(0): processing vendor id payload
*Mar  1 00:59:46.111: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Mar  1 00:59:46.111: ISAKMP (0:0): vendor ID is NAT-T v7
*Mar  1 00:59:46.111: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 00:59:46.115: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

*Mar  1 00:59:46.123: ISAKMP:(0): sending packet to 172.16.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Mar  1 00:59:46.123: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar  1 00:59:46.123: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 00:59:46.127: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

*Mar  1 00:59:46.331: ISAKMP (0:0): received packet from 172.16.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*Mar  1 00:59:46.335: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 00:59:46.335: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

*Mar  1 00:59:46.339: ISAKMP:(0): processing KE payload. message ID = 0
*Mar  1 00:59:46.395: ISAKMP:(0): processing NONCE payload. message ID = 0
*Mar  1 00:59:46.395: ISAKMP:(0):found peer pre-shared key matching 172.16.1.2
*Mar  1 00:59:46.399: ISAKMP:(1002): processing vendor id payload
*Mar  1 00:59:46.399: ISAKMP:(1002): vendor ID is Unity
*Mar  1 00:59:46.403: ISAKMP:(1002): processing vendor id payload
*Mar  1 00:59:46.403: ISAKMP:(1002): vendor ID is DPD
*Mar  1 00:59:46.403: ISAKMP:(1002): processing vendor id payload
*Mar  1 00:59:46.403: ISAKMP:(1002): speaking to another IOS box!
*Mar  1 00:59:46.403: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 00:59:46.403: ISAKMP:(1002):Old State = IKE_I_MM4  New State = IKE_I_MM4

*Mar  1 00:59:46.403: ISAKMP:(1002):Send initial contact
*Mar  1 00:59:46.403: ISAKMP:(1002):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar  1 00:59:46.403: ISAKMP (0:1002): ID payload
        next-payload : 8
        type         : 1
        address      : 172.16.1.1
        protocol     : 17
        port         : 500
        length       : 12
*Mar  1 00:59:46.403: ISAKMP:(1002):Total payload length: 12
*Mar  1 00:59:46.407: ISAKMP:(1002): sending packet to 172.16.1.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar  1 00:59:46.407: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Mar  1 00:59:46.407: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 00:59:46.411: ISAKMP:(1002):Old State = IKE_I_MM4  New State = IKE_I_MM5

*Mar  1 00:59:46.547: ISAKMP (0:1002): received packet from 172.16.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar  1 00:59:46.551: ISAKMP:(1002): processing ID payload. message ID = 0
*Mar  1 00:59:46.551: ISAKMP (0:1002): ID payload
        next-payload : 8
        type         : 1
        address      : 172.16.1.2
        protocol     : 17
        port         : 500
        length       : 12
*Mar  1 00:59:46.555: ISAKMP:(0):: peer matches *none* of the profiles
*Mar  1 00:59:46.555: ISAKMP:(1002): processing HASH payload. message ID = 0
*Mar  1 00:59:46.559: ISAKMP:(1002):SA authentication status:
        authenticated
*Mar  1 00:59:46.559: ISAKMP:(1002):SA has been authenticated with 172.16.1.2
*Mar  1 00:59:46.559: ISAKMP: Trying to insert a peer 172.16.1.1/172.16.1.2/500/,  and inserted successfully 646DF4E0.
*Mar  1 00:59:46.563: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 00:59:46.563: ISAKMP:(1002):Old State = IKE_I_MM5  New State = IKE_I_MM6

*Mar  1 00:59:46.571: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 00:59:46.571: ISAKMP:(1002):Old State = IKE_I_MM6  New State = IKE_I_MM6

*Mar  1 00:59:46.575: ISAKMP (0:1002): received packet from 172.16.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar  1 00:59:46.575: ISAKMP: set new node 1670074093 to QM_IDLE
*Mar  1 00:59:46.579: ISAKMP:(1002): processing HASH payload. message ID = 1670074093
*Mar  1 00:59:46.579: ISAKMP:(1002): processing DELETE payload. message ID = 1670074093
*Mar  1 00:59:46.583: ISAKMP:(1002):peer does not do paranoid keepalives.

*Mar  1 00:59:46.583: ISAKMP:(1002):deleting node 1670074093 error FALSE reason "Informational (in) state 1"
*Mar  1 00:59:46.587: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Mar  1 00:59:46.587: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Mar  1 00:59:46.591: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 00:59:46.595: ISAKMP:(1002):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

*Mar  1 00:59:46.599: ISAKMP:(1002):beginning Quick Mode exchange, M-ID of -2018734306
*Mar  1 00:59:46.599: ISAKMP:(1002):QM Initiator gets spi
*Mar  1 00:59:46.603: ISAKMP:(1002): sending packet to 172.16.1.2 my_port 500 peer_port 500 (I) QM_IDLE
*Mar  1 00:59:46.603: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Mar  1 00:59:46.607: ISAKMP:(1002):Node -2018734306, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar  1 00:59:46.607: ISAKMP:(1002):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Mar  1 00:59:46.607: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar  1 00:59:46.611: ISAKMP:(1002):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Mar  1 00:59:46.775: ISAKMP (0:1002): received packet from 172.16.1.2 dport 500 sport 500 Global (I) QM_IDLE
*Mar  1 00:59:46.779: ISAKMP:(1002): processing HASH payload. message ID = -2018734306
*Mar  1 00:59:46.779: ISAKMP:(1002): processing SA payload. message ID = -2018734306
*Mar  1 00:59:46.783: ISAKMP:(1002):Checking IPSec proposal 1
*Mar  1 00:59:46.783: ISAKMP: transform 1, ESP_3DES
*Mar  1 00:59:46.783: ISAKMP:   attributes in transform:
*Mar  1 00:59:46.783: ISAKMP:      encaps is 1 (Tunnel)
*Mar  1 00:59:46.783: ISAKMP:      SA life type in seconds
*Mar  1 00:59:46.783: ISAKMP:      SA life duration (basic) of 3600
*Mar  1 00:59:46.787: ISAKMP:      SA life type in kilobytes
*Mar  1 00:59:46.787: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
*Mar  1 00:59:46.787: ISAKMP:      authenticator is HMAC-MD5
*Mar  1 00:59:46.791: ISAKMP:(1002):atts are acceptable.
*Mar  1 00:59:46.791: IPSEC(validate_proposal_request): proposal part #1
*Mar  1 00:59:46.791: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 172.16.1.1, remote= 172.16.1.2,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Mar  1 00:59:46.795: Crypto mapdb : proxy_match
        src addr     : 192.168.1.0
        dst addr     : 192.168.2.0
        protocol     : 0
        src port     : 0
        dst port     : 0
*Mar  1 00:59:46.799: ISAKMP:(1002): processing NONCE payload. message ID = -2018734306
*Mar  1 00:59:46.799: ISAKMP:(1002): processing ID payload. message ID = -2018734306
*Mar  1 00:59:46.799: ISAKMP:(1002): processing ID payload. message ID = -2018734306
*Mar  1 00:59:46.807: ISAKMP:(1002): Creating IPSec SAs
*Mar  1 00:59:46.807:         inbound SA from 172.16.1.2 to 172.16.1.1 (f/i)  0/ 0
        (proxy 192.168.2.0 to 192.168.1.0)
*Mar  1 00:59:46.811:         has spi 0x592F35D4 and conn_id 0
*Mar  1 00:59:46.811:         lifetime of 3600 seconds
*Mar  1 00:59:46.811:         lifetime of 4608000 kilobytes
*Mar  1 00:59:46.811:         outbound SA from 172.16.1.1 to 172.16.1.2 (f/i) 0/0
        (proxy 192.168.1.0 to 192.168.2.0)
*Mar  1 00:59:46.811:         has spi 0x523FFDE and conn_id 0
*Mar  1 00:59:46.815:         lifetime of 3600 seconds
*Mar  1 00:59:46.815:         lifetime of 4608000 kilobytes
*Mar  1 00:59:46.815: ISAKMP:(1002): sending packet to 172.16.1.2 my_port 500 peer_port 500 (I) QM_IDLE
*Mar  1 00:59:46.819: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Mar  1 00:59:46.819: ISAKMP:(1002):deleting node -2018734306 error FALSE reason "No Error"
*Mar  1 00:59:46.819: ISAKMP:(1002):Node -2018734306, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar  1 00:59:46.823: ISAKMP:(1002):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
*Mar  1 00:59:46.827: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Mar  1 00:59:46.827: Crypto mapdb : proxy_match
        src addr     : 192.168.1.0
        dst addr     : 192.168.2.0
        protocol     : 0
        src port     : 0
        dst port     : 0
*Mar  1 00:59:46.831: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 172.16.1.2
*Mar  1 00:59:46.831: IPSEC(policy_db_add_ident): src 192.168.1.0, dest 192.168.2.0, dest_port 0

*Mar  1 00:59:46.831: IPSEC(create_sa): sa created,
  (sa) sa_dest= 172.16.1.1, sa_proto= 50,
    sa_spi= 0x592F35D4(1496266196),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 3
*Mar  1 00:59:46.835: IPSEC(create_sa): sa created,
  (sa) sa_dest= 172.16.1.2, sa_proto= 50,
    sa_spi= 0x523FFDE(86245342),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 4
*Mar  1 00:59:46.835: IPSEC(update_current_outbound_sa): updated peer 172.16.1.2 current outbound sa to SPI 523FFDE

The trace above shows the whole negotiation triggered by the first echo. ISAKMP main mode runs through states IKE_I_MM1 to IKE_I_MM6: the peer's proposal (3DES-CBC, MD5, group 2, pre-share) is checked against policy 10 and accepted, the identities are exchanged as IP addresses, and the SA is authenticated with the pre-shared key. Quick mode then negotiates the IPsec SAs, giving an inbound SPI of 0x592F35D4 and an outbound SPI of 0x523FFDE. The echo that started the negotiation is dropped while the SAs are still being built, which is why only 4 of 5 pings succeed (the ping summary is interleaved with the debug output on the console).

Next, look at R1's ISAKMP SA and IPsec SA.

R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
172.16.1.2      172.16.1.1      QM_IDLE           1002    0 ACTIVE

IPv6 Crypto ISAKMP SA

R1#show crypto ipsec sa

interface: Serial0/0
    Crypto map tag: VPN, local addr 172.16.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 172.16.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 172.16.1.1, remote crypto endpt.: 172.16.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
     current outbound spi: 0x523FFDE(86245342)

     inbound esp sas:
      spi: 0x592F35D4(1496266196)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: 3, crypto map: VPN
        sa timing: remaining key lifetime (k/sec): (4542746/3345)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x523FFDE(86245342)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: 4, crypto map: VPN
        sa timing: remaining key lifetime (k/sec): (4542746/3343)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
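Reading a debug trace like the one above by hand is slow, and when a tunnel fails the question is usually just how far the negotiation got and whether the SAs the debug reports are the ones actually installed. The following script is an added example (not code from the original post): TRACE and SHOW_SA are excerpts copied from R1's debug and `show crypto ipsec sa` output above, `summarize` reduces the trace to the phase 1 and phase 2 states reached plus the negotiated SPIs, `diagnose` names the last state when negotiation stalls, and `spis_from_show` lets the SPIs be cross-checked against the SA database. The hint it gives for a stall in IKE_I_MM5 reflects the usual IOS troubleshooting experience and is a heuristic, not something the page states.

```python
"""Summarize an IOS 'debug crypto isakmp' trace and cross-check it with 'show crypto ipsec sa'.

Added example, not code from the original post. TRACE and SHOW_SA are excerpts copied from
the R1 output above; the functions report how far the IKE negotiation got (by the last state
reached) and extract the negotiated SPIs so they can be matched against the SA database.
"""
import re

TRACE = """\
*Mar  1 00:59:45.863: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Mar  1 00:59:46.091: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Mar  1 00:59:46.115: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
*Mar  1 00:59:46.127: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
*Mar  1 00:59:46.335: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
*Mar  1 00:59:46.411: ISAKMP:(1002):Old State = IKE_I_MM4  New State = IKE_I_MM5
*Mar  1 00:59:46.559: ISAKMP:(1002):SA has been authenticated with 172.16.1.2
*Mar  1 00:59:46.563: ISAKMP:(1002):Old State = IKE_I_MM5  New State = IKE_I_MM6
*Mar  1 00:59:46.595: ISAKMP:(1002):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Mar  1 00:59:46.607: ISAKMP:(1002):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Mar  1 00:59:46.807: ISAKMP:(1002): Creating IPSec SAs
*Mar  1 00:59:46.807:         inbound SA from 172.16.1.2 to 172.16.1.1 (f/i)  0/ 0
        (proxy 192.168.2.0 to 192.168.1.0)
*Mar  1 00:59:46.811:         has spi 0x592F35D4 and conn_id 0
*Mar  1 00:59:46.811:         outbound SA from 172.16.1.1 to 172.16.1.2 (f/i) 0/0
        (proxy 192.168.1.0 to 192.168.2.0)
*Mar  1 00:59:46.811:         has spi 0x523FFDE and conn_id 0
*Mar  1 00:59:46.823: ISAKMP:(1002):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
"""
SHOW_SA = """\
     current outbound spi: 0x523FFDE(86245342)
     inbound esp sas:
      spi: 0x592F35D4(1496266196)
        Status: ACTIVE
     inbound ah sas:
     outbound esp sas:
      spi: 0x523FFDE(86245342)
        Status: ACTIVE
"""
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
DIR_RE = re.compile(r"\b(inbound|outbound) SA from")
SPI_RE = re.compile(r"has spi (0x[0-9A-Fa-f]+)")


def summarize(trace):
    """Walk the debug lines; return states reached per phase, authentication result and SPIs."""
    s = {"phase1": [], "phase2": [], "authenticated": False, "spi": {}}
    direction = None
    for line in trace.splitlines():
        if m := STATE_RE.search(line):
            old, new = m.groups()
            if new != old:                                   # skip self-transitions (MM2 -> MM2 etc.)
                s["phase2" if new.startswith("IKE_QM") else "phase1"].append(new)
        if "SA has been authenticated" in line:
            s["authenticated"] = True
        if m := DIR_RE.search(line):
            direction = m.group(1)
        elif (m := SPI_RE.search(line)) and direction:       # the 'has spi' line follows its direction line
            s["spi"][direction] = int(m.group(1), 16)
            direction = None
    return s


def diagnose(summary):
    """One-line verdict: SAs established, or the phase and last state where negotiation stalled."""
    if "IKE_QM_PHASE2_COMPLETE" in summary["phase2"]:
        return "IPsec SAs established"
    if "IKE_P1_COMPLETE" not in summary["phase1"]:
        last = summary["phase1"][-1] if summary["phase1"] else "no state change seen"
        # Heuristic: stuck in MM5 means the peer never accepted our authentication (PSK mismatch is the usual cause).
        hint = " (typically a pre-shared key mismatch)" if last == "IKE_I_MM5" else ""
        return f"phase 1 stalled at {last}{hint}"
    return "phase 1 complete, phase 2 stalled at " + (summary["phase2"][-1] if summary["phase2"] else "IKE_QM_READY")


def spis_from_show(show_text):
    """SPIs per direction from 'show crypto ipsec sa' output (ESP sections only)."""
    spis, section = {}, None
    for line in show_text.splitlines():
        t = line.strip()
        if t.endswith("esp sas:"):
            section = t.split()[0]                           # 'inbound' or 'outbound'
        elif t.startswith("spi:") and section:
            spis[section] = int(t.split()[1].split("(")[0], 16)
            section = None
    return spis


if __name__ == "__main__":
    summary = summarize(TRACE)
    print(diagnose(summary), summary["phase1"], {k: hex(v) for k, v in summary["spi"].items()})
    print("matches SA database:", spis_from_show(SHOW_SA) == summary["spi"])
```

Feeding it a trace cut off before the authentication line reproduces the classic failure picture: phase 1 never leaves IKE_I_MM5 and no SPIs appear, so there is nothing to match against the SA database.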

That completes the basic IPsec configuration. If we only want host 192.168.1.1 to reach 192.168.2.1 through the IPsec VPN, what traffic do we need to permit? We need to add the following access list on R2. It lets the tunnel itself through: AH (IP protocol 51) and ESP (IP protocol 50) from R1 to R2, ISAKMP (UDP 500) between the peers, and the protected traffic itself. Note that line 40 as shown still permits the whole 192.168.1.0/24 to 192.168.2.0/24; to restrict the tunnel to the single host pair, the crypto ACL 100 on both routers (and this line) would use host 192.168.1.1 and host 192.168.2.1 entries, still as mirror images of each other.

R2#show ip access-lists 101
Extended IP access list 101
    10 permit ahp host 172.16.1.1 host 172.16.1.2
    20 permit esp host 172.16.1.1 host 172.16.1.2 (15 matches)
    30 permit udp host 172.16.1.1 host 172.16.1.2 eq isakmp
    40 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

Now let's check the result. With the SAs already established, all five echoes succeed:

R1#ping 192.168.2.1 source 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/69/100 ms
