Lab objectives:
- Master the configuration steps of an L2L (LAN-to-LAN) IPsec VPN
- Understand how the two phases of an L2L IPsec VPN operate
Lab description:
- Through this exercise you can better understand how IPsec VPN is implemented and the scenarios in which it is used
Lab environment:
- Four routers running an IOS image with the SPSERVICES feature set
- Straight-through cables
Lab topology:
Lab steps:
PC(config)#interface f0/0
PC(config-if)#ip address 192.168.1.1 255.255.255.0
PC(config-if)#no shutdown
PC(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.254
SITE1(config)#interface f0/0
SITE1(config-if)#ip address 192.168.1.254 255.255.255.0
SITE1(config-if)#no shutdown
SITE1(config-if)#int f1/0
SITE1(config-if)#ip address 12.1.1.1 255.255.255.0
SITE1(config-if)#no shutdown
SITE1(config)#ip route 0.0.0.0 0.0.0.0 12.1.1.2
Internet(config)#interface f1/0
Internet(config-if)#ip address 12.1.1.2 255.255.255.0
Internet(config-if)#no shutdown
Internet(config-if)#int f1/1
Internet(config-if)#ip address 23.1.1.2 255.255.255.0
Internet(config-if)#no shutdown
SITE2(config)#interface f1/1
SITE2(config-if)#ip address 23.1.1.3 255.255.255.0
SITE2(config-if)#no shutdown
SITE2(config)#int lo 0
SITE2(config-if)#ip address 10.1.1.1 255.255.255.0
SITE2(config)#ip route 0.0.0.0 0.0.0.0 23.1.1.2
Phase 1: establish the ISAKMP SA, which takes an exchange of 6 packets
SITE1(config)#crypto isakmp policy 10
SITE1(config-isakmp)#encryption 3des
SITE1(config-isakmp)#group 2
SITE1(config-isakmp)#authentication pre-share
SITE1(config-isakmp)#hash md5
Phase 2: establish the IPsec SA, which takes an exchange of 3 packets
SITE1(config)#crypto isakmp key cisco address 23.1.1.3
SITE1(config)#crypto ipsec transform-set ccie esp-3des esp-md5-hmac
SITE1(cfg-crypto-trans)#mode tunnel
SITE1(config)#ip access-list extended test
SITE1(config-ext-nacl)#permit ip host 192.168.1.1 host 10.1.1.1
SITE1(config)#crypto map vpn 10 ipsec-isakmp
SITE1(config-crypto-map)#set peer 23.1.1.3
SITE1(config-crypto-map)#match address test
SITE1(config-crypto-map)#set transform-set ccie
SITE1(config)#int f1/0
SITE1(config-if)#crypto map vpn
SITE2(config)#crypto isakmp policy 10
SITE2(config-isakmp)#encryption 3des
SITE2(config-isakmp)#group 2
SITE2(config-isakmp)#authentication pre-share
SITE2(config-isakmp)#hash md5
SITE2(config)#crypto isakmp key cisco address 12.1.1.1
SITE2(config)#crypto ipsec transform-set ccie esp-3des esp-md5-hmac
SITE2(cfg-crypto-trans)#mode tunnel
SITE2(config)#ip access-list extended test
SITE2(config-ext-nacl)#permit ip host 10.1.1.1 host 192.168.1.1
SITE2(config)#crypto map vpn 10 ipsec-isakmp
SITE2(config-crypto-map)#set peer 12.1.1.1
SITE2(config-crypto-map)#match address test
SITE2(config-crypto-map)#set transform-set ccie
SITE2(config)#int f1/1
SITE2(config-if)#crypto map vpn
Verification:
PC#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 52/94/120 ms
SITE1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
23.1.1.3 12.1.1.1 QM_IDLE 1001 ACTIVE
SITE1#show crypto ipsec sa
interface: FastEthernet1/0
Crypto map tag: vpn, local addr 12.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/0/0)
current_peer 23.1.1.3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 18, #recv errors 0
local crypto endpt.: 12.1.1.1, remote crypto endpt.: 23.1.1.3
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
current outbound spi: 0x72B7D5BC(1924650428)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xD559673B(3579406139)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, sibling_flags 80000046, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4604983/3413)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x72B7D5BC(1924650428)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, sibling_flags 80000046, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4604983/3413)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
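To turn the manual check above into something repeatable, here is an added Python script (not part of the original lab) that parses the `show crypto ipsec sa` output shown above and flags one-way traffic, send errors, and weak settings. The sample text is the lab's own output with indentation removed.

```python
import re

# Lines from the lab's `show crypto ipsec sa` output, embedded so the script runs offline.
SAMPLE_OUTPUT = """\
current_peer 23.1.1.3 port 500
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#send errors 18, #recv errors 0
current outbound spi: 0x72B7D5BC(1924650428)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xD559673B(3579406139)
transform: esp-3des esp-md5-hmac ,
sa timing: remaining key lifetime (k/sec): (4604983/3413)
outbound esp sas:
spi: 0x72B7D5BC(1924650428)
transform: esp-3des esp-md5-hmac ,
sa timing: remaining key lifetime (k/sec): (4604983/3413)
"""

def parse_ipsec_sa(text):
    """Pull the counters and SA identifiers a tunnel health check needs."""
    grab = lambda pat: re.search(pat, text, re.M).group(1)
    return {
        "peer": grab(r"current_peer (\S+)"),
        "encaps": int(grab(r"#pkts encaps: (\d+)")),
        "decaps": int(grab(r"#pkts decaps: (\d+)")),
        "send_errors": int(grab(r"#send errors (\d+)")),
        "pfs": grab(r"PFS \(Y/N\): (\w)"),
        # per-SA "spi:" lines only, not the "current outbound spi:" summary line
        "spis": re.findall(r"^spi: (0x[0-9A-Fa-f]+)", text, re.M),
        "transforms": set(re.findall(r"transform: ([^,]+?)\s*,", text)),
        # shortest remaining lifetime in seconds across inbound and outbound SAs
        "lifetime_sec": min(int(s) for s in re.findall(r"\(\d+/(\d+)\)", text)),
    }

def check_sa_health(sa):
    """Return findings for the operator; an empty list means the tunnel looks healthy."""
    findings = []
    if sa["encaps"] and not sa["decaps"]:
        findings.append("one-way traffic: packets encapsulated but none decapsulated (check the peer's mirrored crypto ACL)")
    if sa["send_errors"]:
        findings.append(f"{sa['send_errors']} send errors (packets dropped, e.g. while the SA was still being negotiated)")
    if sa["pfs"] != "Y":
        findings.append("PFS off: a compromised ISAKMP SA exposes the IPsec keys derived from it")
    if any("3des" in t or "md5" in t for t in sa["transforms"]):
        findings.append("legacy transform set (3DES/MD5); prefer AES and SHA-2")
    return findings
```

Run it on a live router by feeding the command output into `parse_ipsec_sa` and printing `check_sa_health`; the lab output above yields three findings (send errors, no PFS, legacy transforms) and no one-way-traffic warning.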
Summary:
L2L IPsec VPN is a technique for building a VPN between a branch and headquarters. It can replace WAN technologies, but because the traffic crosses the Internet, bandwidth cannot be guaranteed in real time, so the quality of the transported traffic is not guaranteed. L2L enables communication between the networks by establishing an ISAKMP SA and an IPsec SA. However, L2L cannot carry dynamic routing, because L2L does not support multicast addresses; to run dynamic routing over the VPN, GRE over IPsec VPN is required.