
[CCIE Lab Share] L2L IPsec-VPN Lab

luoxia7 2024-09-01 03:46:03 Technical articles

Lab objectives:

- Master the configuration steps of an L2L (LAN-to-LAN) IPsec VPN
- Understand how the two phases of an L2L IPsec VPN operate

Lab notes:

- Working through this lab gives a better grasp of how IPsec VPN is implemented and the scenarios it is used in

Lab environment:

- Four routers running an IOS image with the SPSERVICES feature set
- Straight-through cables

Lab topology:

(The topology diagram did not survive extraction. From the configuration below: PC f0/0 192.168.1.1 <-> f0/0 SITE1 f1/0 12.1.1.1 <-> f1/0 Internet f1/1 23.1.1.2 <-> f1/1 SITE2 23.1.1.3; SITE2 Loopback0 10.1.1.1 is the protected host on the far side, and a router plays the role of the PC.)

Lab steps:

PC(config)#interface f0/0
PC(config-if)#ip address 192.168.1.1 255.255.255.0
PC(config-if)#no shutdown
PC(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.254

SITE1(config)#interface f0/0
SITE1(config-if)#ip address 192.168.1.254 255.255.255.0
SITE1(config-if)#no shutdown
SITE1(config-if)#int f1/0
SITE1(config-if)#ip address 12.1.1.1 255.255.255.0
SITE1(config-if)#no shutdown
SITE1(config)#ip route 0.0.0.0 0.0.0.0 12.1.1.2

Internet(config)#interface f1/0
Internet(config-if)#ip address 12.1.1.2 255.255.255.0
Internet(config-if)#no shutdown
Internet(config-if)#int f1/1
Internet(config-if)#ip address 23.1.1.2 255.255.255.0
Internet(config-if)#no shutdown

SITE2(config)#interface f1/1
SITE2(config-if)#ip address 23.1.1.3 255.255.255.0
SITE2(config-if)#no shutdown
SITE2(config)#int lo 0
SITE2(config-if)#ip address 10.1.1.1 255.255.255.0
SITE2(config)#ip route 0.0.0.0 0.0.0.0 23.1.1.2

Phase 1 establishes the ISAKMP SA; main mode needs six packets back and forth. The pre-shared key belongs to this phase as well, because it is the credential ISAKMP authenticates the peer with.

SITE1(config)#crypto isakmp policy 10
SITE1(config-isakmp)#encryption 3des
SITE1(config-isakmp)#group 2
SITE1(config-isakmp)#authentication pre-share
SITE1(config-isakmp)#hash md5
SITE1(config)#crypto isakmp key cisco address 23.1.1.3

Phase 2 establishes the IPsec SA; quick mode needs three packets back and forth.

SITE1(config)#crypto ipsec transform-set ccie esp-3des esp-md5-hmac
SITE1(cfg-crypto-trans)#mode tunnel
SITE1(config)#ip access-list extended test
SITE1(config-ext-nacl)#permit ip host 192.168.1.1 host 10.1.1.1
SITE1(config)#crypto map vpn 10 ipsec-isakmp
SITE1(config-crypto-map)#set peer 23.1.1.3
SITE1(config-crypto-map)#match address test
SITE1(config-crypto-map)#set transform-set ccie
SITE1(config)#int f1/0
SITE1(config-if)#crypto map vpn

SITE2(config)#crypto isakmp policy 10
SITE2(config-isakmp)#encryption 3des
SITE2(config-isakmp)#group 2
SITE2(config-isakmp)#authentication pre-share
SITE2(config-isakmp)#hash md5
SITE2(config)#crypto isakmp key cisco address 12.1.1.1

SITE2(config)#crypto ipsec transform-set ccie esp-3des esp-md5-hmac
SITE2(cfg-crypto-trans)#mode tunnel
SITE2(config)#ip access-list extended test
SITE2(config-ext-nacl)#permit ip host 10.1.1.1 host 192.168.1.1
SITE2(config)#crypto map vpn 10 ipsec-isakmp
SITE2(config-crypto-map)#set peer 12.1.1.1
SITE2(config-crypto-map)#match address test
SITE2(config-crypto-map)#set transform-set ccie
SITE2(config)#int f1/1
SITE2(config-if)#crypto map vpn
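The two sides of an L2L tunnel have to mirror each other exactly: the same ISAKMP policy and transform set, each side's `set peer` equal to its pre-shared-key address and to the address of the interface where the other side applies its crypto map, and crypto ACLs that are reverse images of one another. The following Python checker is an added example written for this page (it is not part of the original lab and not a Cisco tool); it parses the crypto-relevant commands of both sites, verifies those properties, and additionally flags 3DES, MD5 and DH group 2, which the lab uses, as legacy choices (AES, SHA-2 and group 14 or higher are the current recommendations). The two sample configurations are constructed from the lab's commands with the prompts removed; only the command forms the lab uses are recognised, in particular host-to-host ACL entries, which is an assumption made for brevity.

```python
"""Consistency checks for a pair of L2L IPsec peer configurations.

Added example, not from the original lab.  SITE1_CFG and SITE2_CFG are
constructed from the lab's commands with the IOS prompts stripped.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SITE1_CFG = """\
crypto isakmp policy 10
 encryption 3des
 group 2
 authentication pre-share
 hash md5
crypto isakmp key cisco address 23.1.1.3
crypto ipsec transform-set ccie esp-3des esp-md5-hmac
 mode tunnel
ip access-list extended test
 permit ip host 192.168.1.1 host 10.1.1.1
crypto map vpn 10 ipsec-isakmp
 set peer 23.1.1.3
 match address test
 set transform-set ccie
interface FastEthernet1/0
 ip address 12.1.1.1 255.255.255.0
 crypto map vpn
"""

SITE2_CFG = """\
crypto isakmp policy 10
 encryption 3des
 group 2
 authentication pre-share
 hash md5
crypto isakmp key cisco address 12.1.1.1
crypto ipsec transform-set ccie esp-3des esp-md5-hmac
 mode tunnel
ip access-list extended test
 permit ip host 10.1.1.1 host 192.168.1.1
crypto map vpn 10 ipsec-isakmp
 set peer 12.1.1.1
 match address test
 set transform-set ccie
interface FastEthernet1/1
 ip address 23.1.1.3 255.255.255.0
 crypto map vpn
"""

LEGACY_ALGS = {"des", "3des", "md5"}   # ciphers/hashes no longer recommended
LEGACY_GROUPS = {"1", "2", "5"}        # DH groups below 2048 bits


@dataclass
class CryptoConfig:
    policy: Dict[str, str] = field(default_factory=dict)      # ISAKMP policy parameters
    key_peer: Optional[str] = None                             # address in "crypto isakmp key"
    transform_name: Optional[str] = None
    transform: Tuple[str, ...] = ()
    acls: Dict[str, List[Tuple[str, str]]] = field(default_factory=dict)  # name -> [(src, dst)]
    map_peer: Optional[str] = None
    map_acl: Optional[str] = None
    map_transform: Optional[str] = None
    interfaces: Dict[str, Dict[str, str]] = field(default_factory=dict)   # name -> {ip, map}


def parse_crypto(text: str) -> CryptoConfig:
    """Line-oriented parse of the crypto-relevant IOS commands.  Assumption:
    only the command forms used in the lab (host/host ACL entries) occur."""
    cfg = CryptoConfig()
    ctx: Optional[Tuple[str, str]] = None      # (sub-mode kind, object name)
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if raw[0].isspace() and ctx:           # indented line: belongs to the open sub-mode
            kind, name = ctx
            if kind == "policy":
                cfg.policy[w[0]] = " ".join(w[1:])
            elif kind == "acl":
                m = re.match(r"permit ip host (\S+) host (\S+)", raw.strip())
                if m:
                    cfg.acls[name].append((m.group(1), m.group(2)))
            elif kind == "map":
                if w[:2] == ["set", "peer"]:
                    cfg.map_peer = w[2]
                elif w[:2] == ["match", "address"]:
                    cfg.map_acl = w[2]
                elif w[:2] == ["set", "transform-set"]:
                    cfg.map_transform = w[2]
            elif kind == "interface":
                if w[:2] == ["ip", "address"]:
                    cfg.interfaces[name]["ip"] = w[2]
                elif w[:2] == ["crypto", "map"]:
                    cfg.interfaces[name]["map"] = w[2]
            continue
        # top-level command: open a new sub-mode context (or none)
        if w[:3] == ["crypto", "isakmp", "policy"]:
            ctx = ("policy", w[3])
        elif w[:3] == ["crypto", "isakmp", "key"]:
            cfg.key_peer = w[w.index("address") + 1]
            ctx = None
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg.transform_name, cfg.transform = w[3], tuple(w[4:])
            ctx = ("transform", w[3])
        elif w[:2] == ["ip", "access-list"]:
            cfg.acls[w[3]] = []
            ctx = ("acl", w[3])
        elif w[:2] == ["crypto", "map"]:
            ctx = ("map", w[2])
        elif w[0] == "interface":
            cfg.interfaces[w[1]] = {}
            ctx = ("interface", w[1])
        else:
            ctx = None
    return cfg


def check_pair(a_text: str, b_text: str) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings): errors keep the tunnel from coming up,
    warnings are legacy-crypto findings the tunnel would still work with."""
    a, b = parse_crypto(a_text), parse_crypto(b_text)
    errors: List[str] = []
    warnings: List[str] = []
    for side, cfg, other in (("A", a, b), ("B", b, a)):
        if cfg.map_acl not in cfg.acls:
            errors.append(f"{side}: crypto map matches undefined ACL {cfg.map_acl!r}")
        if cfg.map_transform != cfg.transform_name:
            errors.append(f"{side}: crypto map uses undefined transform set {cfg.map_transform!r}")
        if cfg.map_peer != cfg.key_peer:
            errors.append(f"{side}: set peer {cfg.map_peer} differs from pre-shared key address {cfg.key_peer}")
        # the peer must be the address of the interface the other side binds its crypto map to
        remote_ips = {i["ip"] for i in other.interfaces.values() if "map" in i and "ip" in i}
        if cfg.map_peer not in remote_ips:
            errors.append(f"{side}: peer {cfg.map_peer} is not a crypto-map interface on the other side")
        for key in ("encryption", "hash"):
            if cfg.policy.get(key) in LEGACY_ALGS:
                warnings.append(f"{side}: ISAKMP {key} {cfg.policy[key]} is a legacy algorithm")
        if cfg.policy.get("group") in LEGACY_GROUPS:
            warnings.append(f"{side}: ISAKMP DH group {cfg.policy['group']} is below 2048 bits")
        for tok in cfg.transform:
            if "des" in tok or "md5" in tok:
                warnings.append(f"{side}: transform {tok} is a legacy algorithm")
    if a.policy != b.policy:
        errors.append("ISAKMP policies differ; phase 1 will not agree on a proposal")
    if a.transform != b.transform:
        errors.append("transform sets differ; phase 2 will not agree on a proposal")
    # interesting traffic must be the exact reverse on the other side
    a_flows = set(a.acls.get(a.map_acl, []))
    b_flows = {(dst, src) for src, dst in b.acls.get(b.map_acl, [])}
    if a_flows != b_flows:
        errors.append("crypto ACLs are not mirror images; proxy identities will not match")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_pair(SITE1_CFG, SITE2_CFG)
    print("errors:", *errs, sep="\n  ")
    print("warnings:", *warns, sep="\n  ")
```

Run against the lab's two configurations the checker reports no errors (the tunnel comes up, as the verification section shows) and ten warnings, one per legacy algorithm choice on each side; changing a single ACL host address on one side turns that into a mirror-image error, which in practice shows up as a phase-2 proxy-identity mismatch.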

Verification:

PC#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 52/94/120 ms

SITE1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
23.1.1.3        12.1.1.1        QM_IDLE           1001 ACTIVE

SITE1#show crypto ipsec sa

interface: FastEthernet1/0
    Crypto map tag: vpn, local addr 12.1.1.1

   protected vrf: (none)
   local ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/0/0)
   current_peer 23.1.1.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 18, #recv errors 0

     local crypto endpt.: 12.1.1.1, remote crypto endpt.: 23.1.1.3
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
     current outbound spi: 0x72B7D5BC(1924650428)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xD559673B(3579406139)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, sibling_flags 80000046, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4604983/3413)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x72B7D5BC(1924650428)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, sibling_flags 80000046, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4604983/3413)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
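The `show crypto isakmp sa` line above (state QM_IDLE, status ACTIVE) confirms that phase 1 completed, and the `show crypto ipsec sa` output is where phase 2 is judged: one ESP SA per direction with distinct SPIs and status ACTIVE, encaps/decaps counters that move together, anti-replay on, and the remaining lifetime. As an added example written for this page (not from the lab, not a Cisco tool), the Python below parses that output into a structure and applies the checks a practitioner runs when triaging a tunnel. `SAMPLE` is the lab's SITE1 output with IOS indentation restored; the compression and conn-id lines are omitted because the parser does not use them. Beyond reporting the lab's values, it flags the PFS (Y/N): N line, since without PFS the phase-2 keys are derived from the phase-1 secret, and the legacy ESP transforms.

```python
"""Health check for Cisco IOS `show crypto ipsec sa` output.

Added example, not from the original lab.  SAMPLE is the lab's SITE1
output with IOS indentation restored (compression/conn-id lines omitted).
"""
import re
from typing import Dict, List, Tuple

SAMPLE = """\
interface: FastEthernet1/0
    Crypto map tag: vpn, local addr 12.1.1.1

   protected vrf: (none)
   local ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/0/0)
   current_peer 23.1.1.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #send errors 18, #recv errors 0

     local crypto endpt.: 12.1.1.1, remote crypto endpt.: 23.1.1.3
     current outbound spi: 0x72B7D5BC(1924650428)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xD559673B(3579406139)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        sa timing: remaining key lifetime (k/sec): (4604983/3413)
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x72B7D5BC(1924650428)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        sa timing: remaining key lifetime (k/sec): (4604983/3413)
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
"""

LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac"}


def _int(pattern: str, text: str) -> int:
    m = re.search(pattern, text)
    return int(m.group(1)) if m else 0


def parse_ipsec_sa(text: str) -> Dict:
    """Extract peer, proxy identities, counters, PFS flag and one record per
    ESP direction from the show output."""
    sa: Dict = {}
    sa["peer"] = re.search(r"current_peer (\S+) port \d+", text).group(1)
    sa["local_ident"] = re.search(r"local\s+ident \(addr/mask/prot/port\): \(([^)]+)\)", text).group(1)
    sa["remote_ident"] = re.search(r"remote ident \(addr/mask/prot/port\): \(([^)]+)\)", text).group(1)
    sa["encaps"] = _int(r"#pkts encaps: (\d+)", text)
    sa["decaps"] = _int(r"#pkts decaps: (\d+)", text)
    sa["send_errors"] = _int(r"#send errors (\d+)", text)
    sa["recv_errors"] = _int(r"#recv errors (\d+)", text)
    sa["pfs"] = re.search(r"PFS \(Y/N\): (\w)", text).group(1) == "Y"
    for direction in ("inbound", "outbound"):
        # the ESP section runs until the next "<dir> <proto> sas:" header
        sec = re.search(rf"{direction} esp sas:(.*?)(?=\n\s*(?:inbound|outbound) \w+ sas:|\Z)", text, re.S)
        body = sec.group(1) if sec else ""
        spi = re.search(r"spi: (0x[0-9A-Fa-f]+)", body)
        tr = re.search(r"transform: (.+?) ,", body)
        life = re.search(r"\((\d+)/(\d+)\)", body)      # (kilobytes/seconds) remaining
        st = re.search(r"Status: (\w+)", body)
        sa[direction] = {
            "spi": spi.group(1) if spi else None,
            "transform": tr.group(1).split() if tr else [],
            "life_kb": int(life.group(1)) if life else None,
            "life_sec": int(life.group(2)) if life else None,
            "replay": "replay detection support: Y" in body,
            "status": st.group(1) if st else None,
        }
    return sa


def assess(sa: Dict) -> List[Tuple[str, str]]:
    """(level, message) findings: error = tunnel unusable, warn = weak
    setting, info = worth a look during troubleshooting."""
    out: List[Tuple[str, str]] = []
    for d in ("inbound", "outbound"):
        s = sa[d]
        if not s["spi"]:
            out.append(("error", f"no {d} ESP SA present"))
        elif s["status"] != "ACTIVE":
            out.append(("error", f"{d} ESP SA status is {s['status']}"))
        for t in s["transform"]:
            if t in LEGACY_TRANSFORMS:
                out.append(("warn", f"{d} SA uses legacy transform {t}"))
        if s["spi"] and not s["replay"]:
            out.append(("warn", f"{d} SA has anti-replay disabled"))
        if s["life_sec"] is not None and s["life_sec"] < 120:
            out.append(("info", f"{d} SA rekeys in {s['life_sec']} s"))
    if sa["inbound"]["spi"] and sa["inbound"]["spi"] == sa["outbound"]["spi"]:
        out.append(("error", "inbound and outbound SPIs are identical"))
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        out.append(("info", "no traffic has matched the crypto ACL yet"))
    elif sa["encaps"] != sa["decaps"]:
        out.append(("info", f"asymmetric counters: encaps {sa['encaps']} vs decaps {sa['decaps']}"))
    if sa["send_errors"]:
        out.append(("info", f"{sa['send_errors']} send errors (commonly packets dropped while the SA was still being negotiated, like the first echo of the lab's ping)"))
    if not sa["pfs"]:
        out.append(("warn", "PFS is off: phase-2 keys derive from the phase-1 secret (enable with 'set pfs' in the crypto map)"))
    return out


if __name__ == "__main__":
    for level, msg in assess(parse_ipsec_sa(SAMPLE)):
        print(f"[{level}] {msg}")
```

For the lab output the checker reports no errors, legacy-transform warnings for both directions, the PFS warning, and an informational note about the 18 send errors; a peer whose SA shows a non-ACTIVE status or a missing direction is reported as an error, which is the usual sign of a phase-2 mismatch rather than a phase-1 problem.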

Summary:

L2L IPsec VPN is the technology used for VPNs between a branch and headquarters. It can replace WAN technologies, but because the traffic crosses the Internet, bandwidth cannot be guaranteed in real time, so the quality of the carried traffic is not guaranteed either. L2L establishes communication by building an ISAKMP SA and then an IPsec SA. However, L2L cannot carry dynamic routing, because it does not support multicast addresses; to run dynamic routing over the VPN, GRE over IPsec VPN is required.
