某軟件開發公司在中小城市建立了分支公司,分支公司開發項目小組所在網絡地址爲172.16.10.0/24,該網絡的主機可以通過***訪問總公司開發數據服務器(10.10.33.0/24)。
根據上述需求,網絡管理員需要在分支公司的網關路由器上同時配置***。
1.分支公司的網關路由器
路由方面的配置
R1(config)#ip route 0.0.0.0 0.0.0.0 100.0.0.2
配置ISAKMP策略
R1(config)#crypto isakmp policy 1
R1(config-isakmap)#encryption 3des
R1(config-isakmap)#hash sha
R1(config-isakmap)#authentication pre-share
R1(config-isakmap)#group 2
R1(config-isakmap)#lifetime 10000
R1(config)#crypto isakmp key qqnet-key address 200.0.0.1
配置ACL
R1(config)#access-list 100 permit ip 172.16.10.0 0.0.0.255 10.10.33.0 0.0.0.255
配置IPSec變換集
R1(config)#crypto ipsec transform-set qqnet-set esp-des ah-sha-hmac
R1(config)#crypto ipsec security-association lifetime seconds 1800
配置加密映射
R1(config)#crypto map qqnet-map 1 ipsec-isakmp
R1(config-crypto-map)#set peer 200.0.0.1
R1(config-crypto-map)#set transform-set qqnet-set
R1(config-crypto-map)#match address 100
將映射應用在接口
R1(config)#interface f0/0
R1(config-if)#crypto map qqnet-map
2.總公司的網關路由器
路由方面的配置
R2(config)#ip route 0.0.0.0 0.0.0.0200.0.0.2
IPSec ***方面的配置
R2(config)#crypto isakmp policy 1
R2(config-isakmap)#encryption 3des
R2(config-isakmap)#hash sha
R2(config-isakmap)#authentication pre-share
R2(config-isakmap)#group 2
R2(config-isakmap)#lifetime 10000
R2(config)#crypto isakmp key 0 qqnet-key address 100.0.0.1
R2(config)#access-list 100 permit ip 10.10.33.0 0.0.0.255 172.16.10.0 0.0.0.255
R2(config)#crypto ipsec transform-set qqnet-set esp-des ah-sha-hmac
//加密和認證算法要與分公司匹配
R2(config)#crypto ipsec security-association lifetime seconds 1800
R2(config)#crypto map qqnet-map 1 ipsec-isakmp
R2(config-crypto-map)#set peer 100.0.0.1
R2(config-crypto-map)#set transform-setqqnet-set
R2(config-crypto-map)#match address 100
R2(config)#interface f0/0
R2(config-if)#crypto map qqnet-map
3.顯示ISAKMP協商策略的配置結果
R1#show crypto isakmp policy
Global IKE policy
Protection suite of priority 1
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard //SHA
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 10000 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys)
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
5.顯示IPSec變換集
R1#show crypto ipsec transform-set
Transform set qqnet-set: { ah-sha-hmac }
will negotiate = { Tunnel, },
{ esp-des }
will negotiate = { Tunnel, },
6.顯示數據連接建立的生存週期
R1#show crypto ipsec security-association lifetime
Security association lifetime: 4608000 kilobytes/1800 seconds
8.查看Crypto Map的信息
R1#show crypto map
Crypto Map "qqnet-map" 1 ipsec-isakmp
Peer = 200.0.0.1
Extended IP access list 100
access-list 100 permit ip 172.16.10.0 0.0.0.255 172.16.20.0 0.0.0.255
Current peer: 200.0.0.1
Security association lifetime: 4608000 kilobytes/1800 seconds
PFS (Y/N): N
Transform sets={
qqnet-set, }
Interfaces using crypto map qqnet-map:
FastEthernet0/0
通過show crypto map命令可以查看到:Crypto Map的名稱、Crypto ACL、對等體的IP地址、IPSec SA的生存週期、是否啓用PFS、應用Crypto Map的接口。