5.1 Configure S2S
1. Basic network configuration
Site1
interface Loopback0
ip address 1.1.1.1 255.255.255.0
interface FastEthernet0/0
no shut
ip address 202.100.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 202.100.1.10
Site2
interface Loopback0
ip address 2.2.2.2 255.255.255.0
interface FastEthernet0/1
no shut
ip address 61.128.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 61.128.1.10
Internet
interface FastEthernet0/0
no shut
ip address 202.100.1.10 255.255.255.0
interface FastEthernet0/1
no shut
ip address 61.128.1.10 255.255.255.0
Note: in a real project the first thing to settle before deploying IPsec VPN is routing. Each IPsec peer must have a route both to the remote encryption point (the peer's public address, here 61.128.1.1 and 202.100.1.1) and to the remote communication point (the network behind the peer, here 2.2.2.0/24 and 1.1.1.0/24). In this lab the default routes above provide both.
2. Configure the ISAKMP policy
crypto isakmp policy 10
Note: the policy number is only locally significant; the two peers must agree on the parameters, not on the number.
encr 3des
Note: the default encryption is DES.
hash md5
Note: the default hash is SHA (SHA-1).
authentication pre-share
Note: the default authentication is RSA signatures (rsa-sig).
group 2
Note: the default is group 1.
crypto isakmp key cisco123 address 61.128.1.1
Use show crypto isakmp policy to display the configured policy alongside the default policy. Be aware that the values used in this lab (3DES, MD5, DH group 2) are all deprecated today; on a production router use AES, SHA-2 and a DH group of at least 14, and replace cisco123 with a long random pre-shared key.
3. Define the interesting traffic
ip access-list extended s2s
permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
4. Create the transform set
crypto ipsec transform-set s2s-set esp-des esp-md5-hmac
Note: esp-des and esp-md5-hmac are used here only because this is a lab; both are deprecated. In production use esp-aes 256 esp-sha256-hmac instead.
5. Create the crypto map
crypto map s2s-map 10 ipsec-isakmp
set peer 61.128.1.1
set transform-set s2s-set
match address s2s
6. Apply the map to the interface
interface FastEthernet0/0
crypto map s2s-map
Note: Site2 uses the same policy as Site1, mirrored: the pre-shared key and set peer point at 202.100.1.1, the ACL has 2.2.2.0/24 as source and 1.1.1.0/24 as destination, and the crypto map is applied on FastEthernet0/1. The full configuration is omitted.
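The two sides of a site-to-site tunnel have to be exact mirror images, and a mismatch in any of the peer address, the pre-shared key, the ISAKMP policy, the transform set or the interesting-traffic ACL silently prevents the SAs from coming up. The following script is an added example, not part of the original page: it builds Site1's configuration and the mirrored Site2 configuration that the page omits (the Site2 text is an assumption, derived from the note above), parses the statements used in this lab with a deliberately minimal parser, checks that the two sides mirror each other, and flags the algorithms that a current deployment should avoid.

```python
# Added example, not part of the original page. The Site2 configuration below is the
# mirror image of the page's Site1 configuration and is an assumption; the parser only
# understands the IOS statements used in this lab.

# IOS defaults the page quotes for policy lines that are not set explicitly.
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
WEAK_ISAKMP = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

TEMPLATE = """
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address {peer}
ip access-list extended s2s
 permit ip {local} 0.0.0.255 {remote} 0.0.0.255
crypto ipsec transform-set s2s-set esp-des esp-md5-hmac
crypto map s2s-map 10 ipsec-isakmp
 set peer {peer}
 set transform-set s2s-set
 match address s2s
interface {intf}
 ip address {addr} 255.255.255.0
 crypto map s2s-map
"""
SITE1 = TEMPLATE.format(peer="61.128.1.1", local="1.1.1.0", remote="2.2.2.0",
                        intf="FastEthernet0/0", addr="202.100.1.1")
SITE2 = TEMPLATE.format(peer="202.100.1.1", local="2.2.2.0", remote="1.1.1.0",
                        intf="FastEthernet0/1", addr="61.128.1.1")


def parse(cfg):
    """Extract the IKE/IPsec facts this check needs from an IOS configuration."""
    s = {"isakmp": dict(ISAKMP_DEFAULTS), "psk": {}, "acl": {}, "ts": {}, "cmap": {}, "crypto_if": None}
    ctx, if_addr = None, None
    for raw in cfg.splitlines():
        w = raw.split()
        if not w:
            continue
        if not raw.startswith(" "):                       # top-level statement opens a new context
            ctx, if_addr = None, None
            if w[:3] == ["crypto", "isakmp", "policy"]:
                ctx = "policy"
            elif w[:3] == ["crypto", "isakmp", "key"]:    # crypto isakmp key <key> address <peer>
                s["psk"][w[5]] = w[3]
            elif w[:3] == ["ip", "access-list", "extended"]:
                ctx, s["acl"][w[3]] = ("acl", w[3]), []
            elif w[:3] == ["crypto", "ipsec", "transform-set"]:
                s["ts"][w[3]] = set(w[4:])
            elif w[:2] == ["crypto", "map"]:
                ctx = "cmap"
            elif w[0] == "interface":
                ctx = "if"
        elif ctx == "policy":                             # encr/hash/authentication/group <value>
            s["isakmp"]["encr" if w[0].startswith("encr") else w[0]] = w[1]
        elif ctx == "cmap":                               # set peer / set transform-set / match address
            s["cmap"][w[1]] = w[2]
        elif ctx == "if" and w[:2] == ["ip", "address"]:
            if_addr = w[2]
        elif ctx == "if" and w[:2] == ["crypto", "map"]:  # interface carrying the map is the crypto endpoint
            s["crypto_if"] = if_addr
        elif isinstance(ctx, tuple):                      # ACE: permit ip <src> <wc> <dst> <wc>
            s["acl"][ctx[1]].append(tuple(w))
    return s


def mirrored(a, b):
    """ACE b is ACE a with source and destination swapped."""
    return a[:2] == b[:2] and a[2:4] == b[4:6] and a[4:6] == b[2:4]


def check_pair(cfg_a, cfg_b):
    """Return (problems, warnings): problems keep the tunnel down, warnings are weak algorithms."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems, warnings, ts = [], [], {}
    for k, v in a["isakmp"].items():
        if v != b["isakmp"].get(k):
            problems.append(f"isakmp {k}: {v} vs {b['isakmp'].get(k)}")
    for name, mine, other in (("A", a, b), ("B", b, a)):
        peer = mine["cmap"].get("peer")
        if peer != other["crypto_if"]:
            problems.append(f"{name}: set peer {peer} is not the other side's crypto interface {other['crypto_if']}")
        ts[name] = mine["ts"].get(mine["cmap"].get("transform-set"), set())
        warnings += [f"{name}: isakmp {k} {v} is weak" for k, v in mine["isakmp"].items()
                     if v in WEAK_ISAKMP.get(k, ())]
        warnings += [f"{name}: transform {alg} is weak" for alg in sorted(ts[name] & WEAK_ESP)]
        theirs = other["acl"].get(other["cmap"].get("address"), [])
        for ace in mine["acl"].get(mine["cmap"].get("address"), []):
            if not any(mirrored(ace, o) for o in theirs):
                problems.append(name + ": ACE '" + " ".join(ace) + "' has no mirror image on the other side")
    if a["psk"].get(a["cmap"].get("peer")) != b["psk"].get(b["cmap"].get("peer")):
        problems.append("pre-shared keys differ")
    if ts["A"] != ts["B"]:
        problems.append(f"transform sets differ: {sorted(ts['A'])} vs {sorted(ts['B'])}")
    return problems, warnings
```

check_pair(SITE1, SITE2) reports no problems but ten warnings, one per weak algorithm on each side; copying Site1's ACL to Site2 unchanged instead of reversing it, or mistyping the key on one side, shows up as a problem before anything is pushed to a router.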
Testing
Trigger the interesting traffic
Site1#ping 2.2.2.2 so lo 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!
Note: the first echo is lost while the IKE and IPsec SAs are being negotiated; once they are up the remaining echoes succeed.
Site1#sh cry en conn active
Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP-Address
1 Fa0/0 IPsec DES+MD5 0 4 202.100.1.1
2 Fa0/0 IPsec DES+MD5 4 0 202.100.1.1
1001 Fa0/0 IKE MD5+3DES 0 0 202.100.1.1
Site2#sh cry en conn active
Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP-Address
1 Fa0/1 IPsec DES+MD5 0 4 61.128.1.1
2 Fa0/1 IPsec DES+MD5 4 0 61.128.1.1
1001 Fa0/1 IKE MD5+3DES 0 0 61.128.1.1
Note: shows the encrypt/decrypt packet counters of each SA (one inbound and one outbound IPsec SA, plus the IKE SA).
Site1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
61.128.1.1 202.100.1.1 QM_IDLE 1001 0 ACTIVE
Note: shows the ISAKMP SA; state QM_IDLE with status ACTIVE means phase 1 completed.
Site1#sh crypto session
Crypto session current status
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 61.128.1.1 port 500
IKE SA: local 202.100.1.1/500 remote 61.128.1.1/500 Active
IPSEC FLOW: permit ip 1.1.1.0/255.255.255.0 2.2.2.0/255.255.255.0
Active SAs: 2, origin: crypto map
Site1#clear crypto session
Note: tears down the VPN session (both the IKE and the IPsec SAs).
Site1#clear crypto sa
Site1#clear crypto ips
Note: clear crypto sa and clear crypto ipsec sa (abbreviated to ips above) remove only the IPsec SAs; the next interesting packet triggers a new negotiation.
5.2 Configure GRE
1. Basic network configuration
Site1
interface Loopback0
ip address 1.1.1.1 255.255.255.0
interface Loopback1
ip address 2.2.2.2 255.255.255.0
interface Loopback3
ip address 3.3.3.3 255.255.255.0
interface FastEthernet0/0
no shut
ip address 202.100.1.1 255.255.255.0
ip route 61.128.1.1 255.255.255.255 202.100.1.10
Internet
interface FastEthernet0/0
no shut
ip address 202.100.1.10 255.255.255.0
interface FastEthernet0/1
no shut
ip address 61.128.1.10 255.255.255.0
Site2
interface Loopback0
ip address 4.4.4.4 255.255.255.0
interface Loopback1
ip address 5.5.5.5 255.255.255.0
interface Loopback2
ip address 6.6.6.6 255.255.255.0
interface FastEthernet0/1
no shut
ip address 61.128.1.1 255.255.255.0
ip route 202.100.1.1 255.255.255.255 61.128.1.10
2. GRE configuration
Site1
interface Tunnel0
ip address 172.16.12.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 61.128.1.1
Site2
interface Tunnel0
ip address 172.16.12.2 255.255.255.0
tunnel source 61.128.1.1
tunnel destination 202.100.1.1
Note: there are two kinds of GRE, point-to-point and multipoint (mGRE). A point-to-point tunnel must specify both tunnel source and tunnel destination, and the source must be able to reach the destination. Here that reachability comes from the static host routes above; the tunnel destination must never be learned through the tunnel itself, otherwise the tunnel enters recursive routing and flaps.
The tunnel IP addresses of the two ends of a point-to-point tunnel must be in the same subnet; use a subnet that is not used anywhere on the internal network.
3. Dynamic routing protocol configuration
Site1
router eigrp 100
network 1.1.1.0 0.0.0.255
network 2.2.2.0 0.0.0.255
network 3.3.3.0 0.0.0.255
network 172.16.12.0 0.0.0.255
no auto-summary
Site2
router eigrp 100
network 4.4.4.0 0.0.0.255
network 5.5.5.0 0.0.0.255
network 6.6.6.0 0.0.0.255
network 172.16.12.0 0.0.0.255
no auto-summary
Note: IPsec VPN cannot protect layer-2 or multicast traffic, which means a dynamic routing protocol cannot run directly across an IPsec VPN. GRE solves this: it encapsulates multicast and layer-2 protocols in unicast IP, so the IPsec VPN can carry a dynamic routing protocol and the networks behind the two peers learn each other's routes. In practice GRE is what provides connectivity between the networks behind the two peers. GRE by itself offers no confidentiality or integrity, which is why it is combined with IPsec below; that weakness is also why plain GRE is gradually being phased out.
GRE packet structure (outermost header first)
Outer IP                GRE    Inner IP   Payload
SIP:202.100.1.1         GRE    SIP:X      EIGRP
DIP:61.128.1.1          GRE    DIP:Y      EIGRP
5.3 Configure GRE Over IPSec
Add the IPsec configuration on top of the previous GRE lab
Site1
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco123 add 61.128.1.1
crypto ipsec transform-set cisco esp-des esp-md5-hmac
mode transport
Note: either mode works for this VPN; tunnel mode only adds one more IP header, i.e. 20 extra bytes per packet. If one side is configured for transport mode and the other for tunnel mode, traffic still flows: IOS negotiates tunnel mode in that case.
access-list 110 permit gre host 202.100.1.1 host 61.128.1.1
crypto map cisco 10 ipsec-isakmp
set peer 61.128.1.1
set transform-set cisco
match address 110
interface Tunnel0
crypto map cisco
interface FastEthernet0/0
crypto map cisco
Note: apply the crypto map to the physical interface. Old IOS releases required the map on both the tunnel and the physical interface; since 12.2(13)T the physical interface alone is sufficient and the entry on Tunnel0 can be omitted.
Site2
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco123 address 202.100.1.1
crypto ipsec transform-set cisco esp-des esp-md5-hmac
mode transport
crypto ipsec profile ipsecpr
set transform-set cisco
interface Tunnel0
tunnel protection ipsec profile ipsecpr
Note: because all interesting traffic is sent through the tunnel interface, and the tunnel interface is also the encryption point, applying an IPsec profile to the tunnel implicitly defines both the interesting traffic (GRE between the tunnel source and destination) and the peer (the tunnel destination). The same mechanism is used by other VPN types, e.g. DMVPN and remote-access VPN.
The IPsec profile replaces the crypto map and the interesting-traffic ACL of the earlier configuration. Site1 (crypto map) and Site2 (IPsec profile) interoperate here because both sides end up protecting the same identity, GRE between 202.100.1.1 and 61.128.1.1, as the test output below confirms.
Testing
Site1#sh cry en conn active
Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP-Address
1 Fa0/0 IPsec DES+MD5 0 25 202.100.1.1
2 Fa0/0 IPsec DES+MD5 26 0 202.100.1.1
1001 Fa0/0 IKE SHA+DES 0 0 202.100.1.1
Site1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
202.100.1.1 61.128.1.1 QM_IDLE 1001 0 ACTIVE
IPv6 Crypto ISAKMP SA
Final packet structure (outermost header first)
Tunnel mode
SIP:202.100.1.1  ESP/AH  SIP:202.100.1.1  GRE  SIP:X  EIGRP
DIP:61.128.1.1   ESP/AH  DIP:61.128.1.1   GRE  DIP:Y  EIGRP
Note: in tunnel mode the original GRE delivery header (202.100.1.1 -> 61.128.1.1) is encrypted inside ESP and a new, identical outer header is added in front. That duplicated header is the 20 bytes transport mode saves; the original table showed X/Y for the encrypted header, but X/Y are the inner addresses of the routing update, not the tunnel endpoints.
GRE only (no IPsec)
SIP:202.100.1.1  GRE  SIP:X  EIGRP
DIP:61.128.1.1   GRE  DIP:Y  EIGRP
Transport mode
SIP:202.100.1.1  ESP/AH  GRE  SIP:X  EIGRP
DIP:61.128.1.1   ESP/AH  GRE  DIP:Y  EIGRP
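The header stacks of the GRE packet structure in the GRE section and of the three structures above translate directly into per-packet overhead, and that overhead decides whether an inner packet still fits the physical link. The following script is an added example, not from the original page: it models the three encapsulations as ordered lists of headers, computes the ESP padding that DES-CBC requires, and derives the largest inner packet that fits a 1500-byte link in each mode. Sizes are assumptions stated in the code (IPv4 without options, GRE without optional fields, ESP with DES-CBC and HMAC-MD5-96, i.e. the page's esp-des esp-md5-hmac transform set); the addresses are the lab's and X/Y are the page's placeholders.

```python
# Added example, not part of the original page. Header sizes are assumptions that match
# the lab's transform set: IPv4 without options, GRE without optional fields, ESP with
# DES-CBC (8-byte block and IV) and HMAC-MD5-96 (12-byte ICV).

IP_HDR = 20
GRE_HDR = 4
ESP_HDR = 8 + 8        # SPI + sequence number, followed by the DES-CBC IV
ESP_TRAILER = 2        # pad-length and next-header bytes (encrypted with the payload)
ESP_ICV = 12           # HMAC-MD5-96 authentication tag
BLOCK = 8              # DES-CBC block size

TUNNEL_SRC, TUNNEL_DST = "202.100.1.1", "61.128.1.1"   # the lab's tunnel endpoints
INNER_SRC, INNER_DST = "X", "Y"                         # the page's placeholders


def esp_pad_len(plain_len):
    """Padding so that payload + padding + the 2 trailer bytes fill whole DES blocks."""
    return (-(plain_len + ESP_TRAILER)) % BLOCK


def gre_packet(inner_len):
    """Plain GRE: delivery header, GRE, then the original X->Y packet of inner_len bytes."""
    return [(f"IP {TUNNEL_SRC}->{TUNNEL_DST}", IP_HDR), ("GRE", GRE_HDR),
            (f"IP {INNER_SRC}->{INNER_DST}", IP_HDR), ("EIGRP", inner_len - IP_HDR)]


def esp_encapsulate(pkt, mode):
    """Wrap a GRE packet in ESP.
    transport: ESP sits directly behind the existing delivery header.
    tunnel: the whole GRE packet, delivery header included, goes behind a new outer header."""
    if mode == "transport":
        outer, protected = pkt[:1], pkt[1:]
    elif mode == "tunnel":
        outer, protected = [(f"IP {TUNNEL_SRC}->{TUNNEL_DST}", IP_HDR)], pkt
    else:
        raise ValueError(mode)
    pad = esp_pad_len(sum(size for _, size in protected))
    return (outer + [("ESP header", ESP_HDR)] + protected
            + [("ESP trailer", pad + ESP_TRAILER), ("ESP ICV", ESP_ICV)])


def build(mode, inner_len):
    """mode is 'gre', 'transport' or 'tunnel'; inner_len is the original X->Y packet size."""
    pkt = gre_packet(inner_len)
    return pkt if mode == "gre" else esp_encapsulate(pkt, mode)


def total_len(pkt):
    return sum(size for _, size in pkt)


def layers(pkt):
    return [name for name, _ in pkt]


def overhead(mode, inner_len):
    """Bytes added on the wire on top of the original X->Y packet."""
    return total_len(build(mode, inner_len)) - inner_len


def largest_inner_packet(mode, link_mtu=1500):
    """Largest original packet that still fits the physical link without fragmentation."""
    for inner_len in range(link_mtu, IP_HDR, -1):
        if total_len(build(mode, inner_len)) <= link_mtu:
            return inner_len
    return None


if __name__ == "__main__":
    for mode in ("gre", "transport", "tunnel"):
        pkt = build(mode, 80)   # an 80-byte inner packet, e.g. a small EIGRP hello
        print(f"{mode:9s} {' | '.join(layers(pkt))}")
        print(f"          total={total_len(pkt)} overhead={overhead(mode, 80)} "
              f"largest inner packet for a 1500-byte link={largest_inner_packet(mode)}")
```

For plain GRE the largest inner packet is 1476 bytes, which is exactly the default MTU IOS sets on a GRE tunnel interface. The 20-byte header that tunnel mode duplicates shows up before padding; after DES-CBC padding the on-the-wire difference between the two modes is 16 or 24 bytes depending on the inner length, which is why the usable inner MTU drops from 1442 (transport) to 1422 (tunnel) and why an ip mtu / ip tcp adjust-mss on the tunnel interface is the usual companion of this design.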