LAN-to-LAN IPsec VPN Configuration Report

This lab report focuses on the configuration and on observing the results; the theory will follow in a separate article on the underlying principles, so stay tuned.
 
【Lab Topology】
 
【Security Series】IPsec VPN Configuration Example
 
【Lab Requirements】
 
1. The internal network connected to virtual PC1 (192.168.12.0) reaches the internal network connected to R3 (192.168.23.0) over an IPsec VPN;
 
2. Building on step 1, the internal network behind R1 (192.168.12.0) and the internal network behind R3 (192.168.23.0) can reach the Internet through NAT, while the network behind R1 (192.168.12.0) still reaches the network behind R3 (192.168.23.0) over the IPsec VPN.

 
 
【Lab Configuration】
 
Configuration for requirement 1:
1) Configure the IP address and default gateway on PC1.
2) Main configuration on R1:

crypto isakmp policy 10                                ! first define the IKE (phase 1) policy set
 hash md5                                              ! hash algorithm
 authentication pre-share                              ! authentication method
 encryption des                                        ! encryption algorithm
crypto isakmp key speedfull address 23.23.23.3         ! pre-shared key and the peer's IP address
crypto ipsec transform-set sf esp-des esp-md5-hmac     ! then define the IPsec transform set (ESP is the encapsulation type)
crypto map sf 10 ipsec-isakmp
 match address 120                                     ! traffic to be encrypted
 set peer 23.23.23.3
 set transform-set sf
access-list 120 permit ip 192.168.12.0 0.0.0.255 192.168.23.0 0.0.0.255
int s1/0
 crypto map sf                                         ! apply the crypto map to the interface

 
R1 also needs a default route, ip route 0.0.0.0 0.0.0.0 s1/0, so that it can reach the outside network.
 
3) R3 is configured in the same way.
Several show commands let you check whether the configuration is correct:
*********ISAKMP-related output********

R1#show crypto isakmp policy    

Global IKE policy

Protection suite of priority 10

                encryption algorithm:     DES – Data Encryption Standard (56 bit keys).

                hash algorithm:                 Message Digest 5

                authentication method:    Pre-Shared Key

                Diffie-Hellman group:     #1 (768 bit)

                lifetime:                             86400 seconds, no volume limit

Default protection suite

                encryption algorithm:     DES – Data Encryption Standard (56 bit keys).

                hash algorithm:                 Secure Hash Standard

                authentication method:    Rivest-Shamir-Adleman Signature

                Diffie-Hellman group:     #1 (768 bit)

                lifetime:                             86400 seconds, no volume limit

R1#show crypto isakmp peers    

Peer: 23.23.23.3 Port: 500 Local: 12.12.12.1

Phase1 id: 23.23.23.3

R1#show crypto isakmp sa

dst                         src                         state                    conn-id slot status

12.12.12.1            23.23.23.3            QM_IDLE                            1        0 ACTIVE

 

 
*********IPsec-related output************
 

R1#show crypto ipsec client ezvpn    

Easy VPN Remote Phase: 4        (I am not yet sure what this means.)

R1#show crypto ipsec sa

interface: Serial1/0

        Crypto map tag: sf, local addr 12.12.12.1

     protected vrf: (none)

     local    ident (addr/mask/prot/port): (192.168.12.0/255.255.255.0/0/0)

     remote ident (addr/mask/prot/port): (192.168.23.0/255.255.255.0/0/0)

     current_peer 23.23.23.3 port 500

         PERMIT, flags={origin_is_acl,}

        #pkts encaps: 96, #pkts encrypt: 96, #pkts digest: 96

        #pkts decaps: 105, #pkts decrypt: 105, #pkts verify: 105

        #pkts compressed: 0, #pkts decompressed: 0

        #pkts not compressed: 0, #pkts compr. failed: 0

        #pkts not decompressed: 0, #pkts decompress failed: 0

        #send errors 6, #recv errors 0

         local crypto endpt.: 12.12.12.1, remote crypto endpt.: 23.23.23.3

         path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0

         current outbound spi: 0xC1E4CEB7(3252997815)

         inbound esp sas:

            spi: 0x9F566494(2673239188)

                transform: esp-des esp-md5-hmac ,

                in use settings ={Tunnel, }

                conn id: 2001, flow_id: SW:1, crypto map: sf

                sa timing: remaining key lifetime (k/sec): (4540031/1720)

                IV size: 8 bytes

                replay detection support: Y

                Status: ACTIVE

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:

            spi: 0xC1E4CEB7(3252997815)

                transform: esp-des esp-md5-hmac ,

                in use settings ={Tunnel, }

                conn id: 2002, flow_id: SW:2, crypto map: sf

                sa timing: remaining key lifetime (k/sec): (4540032/1719)

                IV size: 8 bytes

                replay detection support: Y

                Status: ACTIVE

         outbound ah sas:

         outbound pcp sas:

R1# show crypto ipsec transform-set    

Transform set sf: { esp-des esp-md5-hmac    }    

     will negotiate = { Tunnel,    },    
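As an added check that is not part of the original report, the following Python snippet parses the show crypto ipsec sa output above, confirms that both ESP SAs are ACTIVE and carrying traffic, and flags the esp-des and esp-md5-hmac transforms used in this lab, which IOS still accepts but which should not be chosen for new deployments. The embedded sample is a constructed, abbreviated copy of the output shown above.

```python
import re

# Constructed sample: an abbreviated copy of the "show crypto ipsec sa" output shown above.
SAMPLE_SA = """\
interface: Serial1/0
    Crypto map tag: sf, local addr 12.12.12.1
   local  ident (addr/mask/prot/port): (192.168.12.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.23.0/255.255.255.0/0/0)
   current_peer 23.23.23.3 port 500
    #pkts encaps: 96, #pkts encrypt: 96, #pkts digest: 96
    #pkts decaps: 105, #pkts decrypt: 105, #pkts verify: 105
    #send errors 6, #recv errors 0
     inbound esp sas:
      spi: 0x9F566494(2673239188)
        transform: esp-des esp-md5-hmac ,
        Status: ACTIVE
     inbound ah sas:
     outbound esp sas:
      spi: 0xC1E4CEB7(3252997815)
        transform: esp-des esp-md5-hmac ,
        Status: ACTIVE
"""

# Transforms that IOS still accepts but that should not be used for new deployments.
WEAK = {"esp-des": "single DES", "esp-3des": "3DES", "esp-md5-hmac": "HMAC-MD5", "esp-null": "no encryption"}

SA_RE = re.compile(r"(inbound|outbound) esp sas:\s*spi: (0x[0-9A-Fa-f]+)\(\d+\)\s*"
                   r"transform: (.+?) ,.*?Status: (\w+)", re.S)

def parse_ipsec_sa(text):
    """Extract packet counters, error counters and the ESP SAs from show crypto ipsec sa output."""
    counters = {k: int(v) for k, v in re.findall(r"#pkts (encaps|decaps): (\d+)", text)}
    errors = {k: int(v) for k, v in re.findall(r"#(send|recv) errors (\d+)", text)}
    sas = {d: {"spi": spi, "transforms": tr.split(), "status": st}
           for d, spi, tr, st in SA_RE.findall(text)}
    return {"counters": counters, "errors": errors, "sas": sas}

def check_tunnel(report):
    """Return findings; an empty list means both SAs are ACTIVE, carry traffic and use no weak transform."""
    findings = []
    for d in ("inbound", "outbound"):
        sa = report["sas"].get(d)
        if sa is None or sa["status"] != "ACTIVE":
            findings.append(f"{d} ESP SA missing or not ACTIVE")
            continue
        findings += [f"{d} SA uses deprecated transform {t} ({WEAK[t]})" for t in sa["transforms"] if t in WEAK]
    if not report["counters"].get("encaps") or not report["counters"].get("decaps"):
        findings.append("no traffic in at least one direction: check the crypto ACL and NAT exemption")
    if report["errors"].get("send"):
        findings.append(f"{report['errors']['send']} send errors on the interface")
    return findings
```

On the sample above the check reports five findings: the two deprecated transforms on each SA and the six send errors.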

        

 

 
********Crypto map-related output*************

R1#show crypto map    

Crypto Map “sf” 10 ipsec-isakmp

                Peer = 23.23.23.3

                Extended IP access list 120

                        access-list 120 permit ip 192.168.12.0 0.0.0.255 192.168.23.0 0.0.0.255

                Current peer: 23.23.23.3

                Security association lifetime: 4608000 kilobytes/3600 seconds

                PFS (Y/N): N

                Transform sets={    

                                sf,    

                }

                Interfaces using crypto map sf:

                                Serial1/0

 

 
Now let's test it:
Without the VPN, the virtual PC could not ping PC2.
pc2#ping 192.168.12.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 108/166/264 ms

 
The show commands and the ping test prove that the VPN is up. Requirement 1 is complete.
 
 
Configuration for requirement 2:
If NAT is used, the packet's source IP address is rewritten at the egress point; if nothing is done about this, the packets are dropped, because the VPN does not allow the packets to be modified. This is handled with an access control list:
 
The NAT configuration itself is not explained here.
 
With the following configuration the pings fail, because the source address has been rewritten.
See the debug output below:
ip nat inside source list 1 interface Serial1/0 overload

!

access-list 1 permit any

d via RIB

*Mar    1 01:33:10.183: IP: s=192.168.23.2 (local), d=192.168.12.1 (FastEthernet0/0), len 100, sending

*Mar    1 01:33:10.403: IP: s=23.23.23.2 (FastEthernet0/0), d=192.168.23.2, len 56, rcvd 1

*Mar    1 01:33:10.407: IP: tableid=0, s=192.168.23.2 (local), d=192.168.12.1 (FastEthernet0/0), route

The source address was rewritten to 23.23.23.2:
pc2#ping 192.168.12.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:

U.U.U

Success rate is 0 percent (0/5)

 
So it should be configured like this: build an access control list so that traffic between the two end-to-end subnets is not NAT-translated when it leaves.
 
ip nat inside source list 101 interface Serial1/0 overload

!

access-list 101 deny     ip 192.168.12.0 0.0.0.255 192.168.23.0 0.0.0.255

access-list 101 permit ip 192.168.12.0 0.0.0.255 any

 
Now the ping succeeds.
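To make the order of operations concrete, here is an added Python model (not part of the original report) of R1's egress on s1/0: IOS applies inside-to-outside NAT before the crypto map check, so with access-list 1 the source becomes the interface address and no longer matches crypto ACL 120, while the deny entry in access-list 101 exempts the site-to-site traffic. The ACL entries are copied from the configuration above; the outside address 12.12.12.1 is R1's s1/0 address from the show output, and the same thing happens mirrored on R3, where the debug above shows the source rewritten to 23.23.23.2.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    """Cisco ACL semantics: a wildcard bit of 0 must match, a bit of 1 is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & mask) == (n & mask)

def acl_lookup(acl, src, dst):
    """First matching entry wins; every Cisco ACL ends with an implicit deny."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")
# Entries copied from the configuration above: (action, src net, src wildcard, dst net, dst wildcard).
CRYPTO_ACL_120 = [("permit", "192.168.12.0", "0.0.0.255", "192.168.23.0", "0.0.0.255")]
NAT_ACL_1 = [("permit", *ANY, *ANY)]             # first attempt: NAT everything
NAT_ACL_101 = [                                   # fix: exempt the site-to-site traffic from NAT
    ("deny", "192.168.12.0", "0.0.0.255", "192.168.23.0", "0.0.0.255"),
    ("permit", "192.168.12.0", "0.0.0.255", *ANY),
]

def egress_r1(src, dst, nat_acl, outside_ip="12.12.12.1"):
    """Model R1's egress on s1/0: IOS evaluates inside-to-outside NAT before the crypto map.
    Returns (source address on the wire, whether the packet matched crypto ACL 120)."""
    if acl_lookup(nat_acl, src, dst) == "permit":
        src = outside_ip  # 'overload' (PAT) rewrites the source to the interface address
    encrypted = acl_lookup(CRYPTO_ACL_120, src, dst) == "permit"
    return src, encrypted

if __name__ == "__main__":
    # Constructed sample flow: a host behind R1 talking to a host behind R3.
    for name, acl in (("access-list 1", NAT_ACL_1), ("access-list 101", NAT_ACL_101)):
        print(name, egress_r1("192.168.12.1", "192.168.23.2", acl))
```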
 
 
【Lab Summary】
 
There is a lot of configuration, but it is not hard once you understand the overall approach.
First, build a secure communication channel through ISAKMP by setting the relevant parameters (both sides must match; if they do not, it automatically searches for a matching policy set).
Then choose the IPsec encapsulation, ESP or AH, and set its parameters.
Finally, watch out for the NAT issue.
 
Since I am a beginner, my understanding is not that deep; please point out any mistakes.