Configuring IPsec VPN on Cisco

IPsec VPN

Interconnection configuration

ISP

Router(config)#hostname ISP
ISP(config)#int gi0/0
ISP(config-if)#ip add 100.0.0.1 255.255.255.252
ISP(config-if)#int gi0/1
ISP(config-if)#ip add 200.0.0.1 255.255.255.252
ISP(config-if)#int gi0/0
ISP(config-if)#no shutdown
ISP(config-if)#int gi0/1
ISP(config-if)#no shutdown

BJ_R1

Router(config)#hostname BJ_R1
BJ_R1(config)#int gi0/3
BJ_R1(config-if)#ip add 100.0.0.2 255.255.255.252
BJ_R1(config-if)#no shu
BJ_R1(config-if)#int gi0/0
BJ_R1(config-if)#ip add 192.168.10.254 255.255.255.0
BJ_R1(config-if)#no shu
BJ_R1(config-if)#exit
BJ_R1(config)#ip route 0.0.0.0 0.0.0.0 100.0.0.1

BJ_R1(config)#service dhcp
BJ_R1(config)#ip dhcp pool PC1
BJ_R1(dhcp-config)#network 192.168.10.0 255.255.255.0
BJ_R1(dhcp-config)#default-router 192.168.10.254

SH_R1

Router(config)#hostname SH_R1
SH_R1(config)#int gi0/3
SH_R1(config-if)#ip add 200.0.0.2 255.255.255.252
SH_R1(config-if)#no shu
SH_R1(config-if)#int gi0/0
SH_R1(config-if)#ip add 192.168.20.254 255.255.255.0
SH_R1(config-if)#no shu
SH_R1(config-if)#exit
SH_R1(config)#ip route 0.0.0.0 0.0.0.0 200.0.0.1

SH_R1(config)#service dhcp
SH_R1(config)#ip dhcp pool PC2
SH_R1(dhcp-config)#network 192.168.20.0 255.255.255.0
SH_R1(dhcp-config)#default-router 192.168.20.254

IPsec VPN

BJ_R1 headquarters configuration

Configure the ISAKMP policy

BJ_R1(config)#crypto isakmp policy 1    // create a new ISAKMP policy
BJ_R1(config-isakmp)# encryption 3des // use 3DES for encryption
BJ_R1(config-isakmp)# authentication pre-share // authentication method is "pre-shared key"; for digital certificates configure "authentication rsa-sig", for digital envelopes configure "authentication digital-email"

Configure the pre-shared key

BJ_R1(config)#crypto isakmp key 0 ruijie address 0.0.0.0 0.0.0.0    // set the pre-shared key to "ruijie"; the IPsec clients must be configured with the same key. Because the peer IP address is dynamic, address 0.0.0.0 0.0.0.0 stands for all IPsec clients

Configure the IPsec transform set

BJ_R1(config)#crypto ipsec transform-set myset esp-des esp-md5-hmac     // IPsec uses ESP encapsulation with DES encryption and MD5 integrity checking

Configure the dynamic IPsec crypto map

BJ_R1(config)#crypto dynamic-map dymymap 5  // create a dynamic IPsec crypto map named "dymymap"
BJ_R1(config-crypto-map)# set transform-set myset // use transform set "myset"
BJ_R1(config-crypto-map)# reverse-route // enable reverse route injection; if this is not configured (or a third-party device does not support it), static routes or a dynamic routing protocol must be deployed at both ends of the IPsec tunnel

Map the dynamic IPsec crypto map into a static IPsec crypto map

BJ_R1(config)#crypto map mymap 10 ipsec-isakmp dynamic dymymap  // map the dynamic crypto map "dymymap" into the static crypto map "mymap"

Apply the crypto map to the interface (with G0/3 as the leased-line interface, mymap is applied under that interface)

BJ_R1(config)#interface GigabitEthernet 0/3
BJ_R1(config-if)# crypto map mymap // activate on this interface

Shanghai branch office

Configure the IPsec interesting traffic

SH_R1(config)#access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255   // interesting traffic: source (branch) network 192.168.20.0/24, destination (headquarters) network 192.168.10.0/24

Configure the ISAKMP policy

SH_R1(config)#crypto isakmp keepalive 10 periodic   // enable IPsec DPD (dead peer detection)
SH_R1(config)#crypto isakmp policy 1 // create a new ISAKMP policy
SH_R1(config-isakmp)#authentication pre-share // authentication method is "pre-shared key"; for digital certificates configure "authentication rsa-sig", for digital envelopes configure "authentication digital-email"
SH_R1(config-isakmp)#encryption 3des // use 3DES for encryption

Configure the pre-shared key

SH_R1(config)#crypto isakmp key 0 ruijie address 100.0.0.2 // set the pre-shared key for peer 100.0.0.2 to "ruijie", matching the headquarters edge router. Not needed with digital certificate/envelope authentication. If the hub is reached by domain name, replace the IP address here with the domain name and add DNS configuration on the device: ip name-server x.x.x.x (x.x.x.x is the DNS server IP)

Configure the IPsec transform set

SH_R1(config)#crypto ipsec transform-set myset esp-des esp-md5-hmac  // IPsec uses ESP encapsulation with DES encryption and MD5 integrity checking

Configure the IPsec crypto map

SH_R1(cfg-crypto-trans)#crypto map mymap 5 ipsec-isakmp  // create a crypto map named "mymap"
SH_R1(config-crypto-map)#set peer 100.0.0.2 // set the peer address
SH_R1(config-crypto-map)#set transform-set myset // use transform set "myset"
SH_R1(config-crypto-map)#match address 101 // match interesting traffic against ACL 101

SH_R1(config)#int gi0/3
SH_R1(config-if)#crypto map mymap
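The two-site configuration above works, but a reviewer would flag several of its choices: DES and 3DES encryption, an MD5 HMAC, the IOS default DH group 1 (no "group" line is set in the ISAKMP policy), a type-0 clear-text pre-shared key accepted from any address, and no PFS. The following Python auditor is an added example, not code from the original post: it parses an IOS-style crypto configuration and lists those findings. Both sample configs are constructed; the weak one mirrors the BJ_R1 commands above, the hardened one is this example's own suggestion (its type-6 key value is a placeholder, and keyword availability depends on the platform and IOS release). The weak/strong sets are the auditor's own policy, not IOS behaviour.

```python
"""Audit Cisco IOS ISAKMP/IPsec settings for weak algorithm choices.

Added example, not from the original post: it parses an IOS-style crypto
configuration and reports what a security reviewer would flag.
"""
import re
from typing import Dict, List

# Constructed sample mirroring the headquarters (BJ_R1) configuration.
WEAK_CONFIG = """\
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
crypto isakmp key 0 ruijie address 0.0.0.0 0.0.0.0
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dymymap 5
 set transform-set myset
 reverse-route
crypto map mymap 10 ipsec-isakmp dynamic dymymap
"""

# Constructed hardened counterpart (the type-6 key value is a placeholder).
HARDENED_CONFIG = """\
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key 6 PLACEHOLDER-ENCRYPTED-KEY address 200.0.0.2
crypto ipsec transform-set STRONG esp-aes 256 esp-sha256-hmac
crypto dynamic-map dymymap 5
 set transform-set STRONG
 set pfs group14
 reverse-route
crypto map mymap 10 ipsec-isakmp dynamic dymymap
"""

# IOS defaults for an ISAKMP policy when a parameter is not configured.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1"}

# Auditor policy (IOS keywords): 56-bit DES and 64-bit-block 3DES, MD5 HMACs
# and small DH groups are treated as weak.
WEAK_ISAKMP_ENC = {"des", "3des"}
WEAK_ISAKMP_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_ESP = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac"}


def parse_isakmp_policies(config: str) -> Dict[str, Dict[str, str]]:
    """Return {policy_number: {param: value}} with IOS defaults filled in."""
    policies: Dict[str, Dict[str, str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = m.group(1)
            policies[current] = dict(ISAKMP_DEFAULTS)
            continue
        if current and line.startswith(" "):
            parts = line.split()
            if parts[0] in ("encryption", "hash", "group", "authentication"):
                policies[current][parts[0]] = " ".join(parts[1:])
        else:
            current = None  # left the policy sub-mode
    return policies


def audit(config: str) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing flagged."""
    findings: List[str] = []
    for num, p in parse_isakmp_policies(config).items():
        if p["encryption"] in WEAK_ISAKMP_ENC:
            findings.append(f"isakmp policy {num}: weak encryption {p['encryption']}")
        if p["hash"] in WEAK_ISAKMP_HASH:
            findings.append(f"isakmp policy {num}: weak hash {p['hash']}")
        if p["group"] in WEAK_DH_GROUPS:
            findings.append(f"isakmp policy {num}: weak DH group {p['group']}")
    for m in re.finditer(r"crypto isakmp key (\d) (\S+) address (\S+)(?: (\S+))?", config):
        if m.group(3) == "0.0.0.0" and m.group(4) == "0.0.0.0":
            findings.append("wildcard pre-shared key: any host knowing the key can negotiate; "
                            "prefer per-peer keys or rsa-sig authentication")
        if m.group(1) == "0":
            findings.append("pre-shared key stored as clear text (type 0)")
    for m in re.finditer(r"crypto ipsec transform-set (\S+) (.+)", config):
        for alg in sorted(set(m.group(2).split()) & WEAK_ESP):
            findings.append(f"transform-set {m.group(1)}: weak transform {alg}")
    if "set pfs" not in config:
        findings.append("no 'set pfs' in any crypto map: phase-2 keys derive from the phase-1 secret only")
    return findings


if __name__ == "__main__":
    for f in audit(WEAK_CONFIG):
        print("FINDING:", f)
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

Run it against the output of `show running-config | section crypto` to audit a real device; the parser only needs the one-space indentation IOS uses for sub-mode lines.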

Testing IPsec

BJ_R1 headquarters

VPCS> ping 192.168.20.1

84 bytes from 192.168.20.1 icmp_seq=1 ttl=62 time=13.818 ms
84 bytes from 192.168.20.1 icmp_seq=2 ttl=62 time=13.653 ms
84 bytes from 192.168.20.1 icmp_seq=3 ttl=62 time=9.111 ms
84 bytes from 192.168.20.1 icmp_seq=4 ttl=62 time=11.806 ms
84 bytes from 192.168.20.1 icmp_seq=5 ttl=62 time=11.421 ms

Routing table

  • Remote end without reverse-route (reverse route injection) configured
BJ_R1#show ip route 
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 100.0.0.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 100.0.0.1
100.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 100.0.0.0/30 is directly connected, GigabitEthernet0/3
L 100.0.0.2/32 is directly connected, GigabitEthernet0/3
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, GigabitEthernet0/0
L 192.168.10.254/32 is directly connected, GigabitEthernet0/0
  • Remote end with reverse-route (reverse route injection) configured
BJ_R1#show ip route 
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 100.0.0.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 100.0.0.1
100.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 100.0.0.0/30 is directly connected, GigabitEthernet0/3
L 100.0.0.2/32 is directly connected, GigabitEthernet0/3
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, GigabitEthernet0/0
L 192.168.10.254/32 is directly connected, GigabitEthernet0/0
S 192.168.20.0/24 [1/0] via 200.0.0.2
BJ_R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
100.0.0.2 200.0.0.2 QM_IDLE 1001 ACTIVE

IPv6 Crypto ISAKMP SA

BJ_R1#show crypto ipsec sa  // view the SA negotiation status

interface: GigabitEthernet0/3
Crypto map tag: mymap, local addr 100.0.0.2 // name of the crypto map applied on the interface; IP address used for ISAKMP/IPsec negotiation

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0) // interesting-traffic source address
remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0) // interesting-traffic destination address
current_peer 200.0.0.2 port 500
PERMIT, flags={}
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14 // packets successfully encapsulated, encrypted and digested
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14 // packets successfully decapsulated, decrypted and verified; while data is flowing through the IPsec tunnel, re-running show crypto ipsec sa shows these counters increasing
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0 // send/receive error counts; under normal conditions these do not increase

local crypto endpt.: 100.0.0.2, remote crypto endpt.: 200.0.0.2
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/3
current outbound spi: 0x5828E0BE(1479073982)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x9D8B555E(2643154270) // SPI of the inbound IPsec SA
transform: esp-des esp-md5-hmac , // IPsec transform set is esp-des esp-md5-hmac
in use settings ={Tunnel, } // tunnel mode
conn id: 1, flow_id: SW:1, sibling_flags 80000040, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4354400/902) // remaining SA lifetime: 4354400 kilobytes / 902 seconds
IV size: 8 bytes // IV length is 8 bytes
replay detection support: Y // anti-replay protection
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x5828E0BE(1479073982) // SPI of the outbound IPsec SA; only when both an inbound and an outbound SPI are present has the IPsec SA been negotiated successfully
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, sibling_flags 80000040, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4354400/902)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:
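The comments above amount to a three-part health check: an inbound and an outbound ESP SA both ACTIVE, the encaps/decaps counters rising while traffic flows, and the send/recv error counters staying flat. The following Python script is an added example, not part of the original post: it parses two `show crypto ipsec sa` snapshots and applies those checks. Both snapshots are constructed, trimmed copies of the BJ_R1 output above; the second is advanced by six packets in each direction to simulate traffic between the two captures.

```python
"""Check IPsec SA health from two 'show crypto ipsec sa' snapshots.

Added example, not from the original post. Snapshots are constructed,
trimmed copies of the page's BJ_R1 output.
"""
import re
from typing import Any, Dict, List, Optional

SNAPSHOT_1 = """\
interface: GigabitEthernet0/3
    Crypto map tag: mymap, local addr 100.0.0.2
   current_peer 200.0.0.2 port 500
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0x9D8B555E(2643154270)
        transform: esp-des esp-md5-hmac ,
        Status: ACTIVE(ACTIVE)
     inbound ah sas:
     outbound esp sas:
      spi: 0x5828E0BE(1479073982)
        transform: esp-des esp-md5-hmac ,
        Status: ACTIVE(ACTIVE)
     outbound ah sas:
"""

# Constructed second snapshot: six more packets each way, errors unchanged.
SNAPSHOT_2 = (SNAPSHOT_1
              .replace("#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14",
                       "#pkts encaps: 20, #pkts encrypt: 20, #pkts digest: 20")
              .replace("#pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14",
                       "#pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20"))


def parse_sa(output: str) -> Dict[str, Any]:
    """Extract peer, traffic/error counters and per-direction ESP SA details."""
    info: Dict[str, Any] = {}
    m = re.search(r"current_peer (\S+) port (\d+)", output)
    info["peer"] = m.group(1) if m else None
    for name in ("encaps", "decaps"):
        m = re.search(rf"#pkts {name}: (\d+)", output)
        info[name] = int(m.group(1)) if m else 0
    m = re.search(r"#send errors (\d+), #recv errors (\d+)", output)
    info["send_errors"] = int(m.group(1)) if m else 0
    info["recv_errors"] = int(m.group(2)) if m else 0

    esp: Dict[str, Dict[str, Optional[str]]] = {}
    direction: Optional[str] = None
    for line in output.splitlines():
        s = line.strip()
        m = re.match(r"(inbound|outbound) esp sas:", s)
        if m:
            direction = m.group(1)  # entering an ESP SA section
            continue
        if re.match(r"(inbound|outbound) (ah|pcp) sas:", s):
            direction = None        # ah/pcp sections are not ESP
            continue
        if direction is None:
            continue
        if s.startswith("spi:"):
            esp[direction] = {"spi": s.split()[1].split("(")[0],
                              "transform": None, "status": None}
        elif direction in esp and s.startswith("transform:"):
            esp[direction]["transform"] = s[len("transform:"):].strip(" ,")
        elif direction in esp and s.startswith("Status:"):
            esp[direction]["status"] = s.split()[1].split("(")[0]
    info["esp"] = esp
    return info


def sa_health(before: str, after: str) -> List[str]:
    """Compare two snapshots; return the problems found (empty means healthy)."""
    b, a = parse_sa(before), parse_sa(after)
    problems: List[str] = []
    for d in ("inbound", "outbound"):
        sa = a["esp"].get(d)
        if sa is None:
            problems.append(f"no {d} ESP SA: negotiation incomplete")
        elif sa["status"] != "ACTIVE":
            problems.append(f"{d} ESP SA status is {sa['status']}")
    if a["encaps"] <= b["encaps"]:
        problems.append("encaps counter did not increase: nothing sent through the tunnel")
    if a["decaps"] <= b["decaps"]:
        problems.append("decaps counter did not increase: nothing received through the tunnel")
    if a["send_errors"] > b["send_errors"] or a["recv_errors"] > b["recv_errors"]:
        problems.append("send/recv error counters rose between snapshots")
    return problems


if __name__ == "__main__":
    print(parse_sa(SNAPSHOT_1)["esp"])
    print("problems:", sa_health(SNAPSHOT_1, SNAPSHOT_2) or "none")
```

In practice, capture the command output twice a few seconds apart while a host on one LAN pings the other, as the test above does with VPCS, and feed both captures to `sa_health`; a non-empty list tells you which of the three conditions failed.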

SH_R1 branch

VPCS> ping 192.168.10.1

192.168.10.1 icmp_seq=1 timeout
84 bytes from 192.168.10.1 icmp_seq=2 ttl=62 time=15.236 ms
84 bytes from 192.168.10.1 icmp_seq=3 ttl=62 time=10.018 ms
84 bytes from 192.168.10.1 icmp_seq=4 ttl=62 time=10.964 ms
84 bytes from 192.168.10.1 icmp_seq=5 ttl=62 time=11.545 ms
SH_R1#show crypto ipsec sa 

interface: GigabitEthernet0/3
Crypto map tag: mymap, local addr 200.0.0.2

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer 100.0.0.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 18, #pkts encrypt: 18, #pkts digest: 18
#pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 200.0.0.2, remote crypto endpt.: 100.0.0.2
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/3
current outbound spi: 0x9EBCF9F9(2663184889)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x33F1CE01(871484929)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 5, flow_id: SW:5, sibling_flags 80004040, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4263260/3376)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x9EBCF9F9(2663184889)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 6, flow_id: SW:6, sibling_flags 80004040, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4263260/3376)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

https://www.gasmaze.com/posts/77f06c8c.html
Author: GasMaze
Published: July 10, 2022