本文介绍了两个路由器NYr1和NYr2之间的IPSec隧道配置,包括ISAKMP策略、IKE密钥交换、IPSec转换集及加密映射等关键设置。此外还展示了PIX防火墙的配置,以及通过ping测试验证了IPSec隧道的成功建立。
Lo0-10.1.1.1/24 Lo0-20.1.1.1/24
! !
R1----(16.1.1.0/24)---(outside)---PIX----(inside)---26.1.1.0/24--R2
hostname NYr1
!
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp key isakey address 16.1.1.102
crypto ipsec transform-set transet esp-des esp-sha-hmac
mode transport
!
crypto map cryptmap 10 ipsec-isakmp
set peer 16.1.1.102
set transform-set transet
match address 101
interface Loopback0
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/0
ip address 16.1.1.101 255.255.255.0
crypto map cryptmap
ip route 20.1.1.0 255.255.255.0 16.1.1.1
access-list 101 permit ip 10.1.1.0 0.0.0.255 20.1.1.0 0.0.0.255
================================================== =============
hostname NYr2
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp key isakey address 16.1.1.101
crypto ipsec transform-set transet esp-des esp-sha-hmac
mode transport
!
crypto map cryptmap 10 ipsec-isakmp
set peer 16.1.1.101
set transform-set transet
match address 101
interface Loopback0
ip address 20.1.1.1 255.255.255.0
!
interface Ethernet0/0
ip address 26.1.1.102 255.255.255.0
half-duplex
crypto map cryptmap
ip route 10.1.1.0 255.255.255.0 26.1.1.1
access-list 101 permit ip 20.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
================================================== =============
PIX Version 7.0(4)
!
hostname NYpix1
interface Ethernet0
nameif outside
security-level 0
ip address 16.1.1.1 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 90
ip address 26.1.1.1 255.255.255.0
access-list 101 extended permit esp host 16.1.1.101 host 26.1.1.102
access-list 101 extended permit udp host 16.1.1.101 host 26.1.1.102 eq isakmp
static (inside,outside) 16.1.1.102 26.1.1.102 netmask 255.255.255.255
access-group 101 in interface outside
route inside 20.1.1.0 255.255.255.0 26.1.1.102 1
route outside 10.1.1.0 255.255.255.0 16.1.1.101 1
================================================== ====
NYr1#ping 20.1.1.1 sourc 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/12 ms
NYr1#sh cry ips sa
interface: Ethernet0/0
Crypto map tag: cryptmap, local addr. 16.1.1.101
protected vrf:
local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (20.1.1.0/255.255.255.0/0/0)
current_peer: 16.1.1.102:4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest 14
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify 14
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 10, #recv errors 0
local crypto endpt.: 16.1.1.101, remote crypto endpt.: 16.1.1.102
path mtu 1500, media mtu 1500
current outbound spi: 87E06165
inbound esp sas:
spi: 0x16CCF1CE(382529998)
transform: esp-des esp-sha-hmac ,
NYr1#ping 20.1.1.1 sourc 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/12 ms
NYr1#sh cry ips sa
interface: Ethernet0/0
Crypto map tag: cryptmap, local addr. 16.1.1.101
protected vrf:
local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (20.1.1.0/255.255.255.0/0/0)
current_peer: 16.1.1.102:4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 19, #pkts encrypt: 19, #pkts digest 19
#pkts decaps: 19, #pkts decrypt: 19, #pkts verify 19
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 10, #recv errors 0
local crypto endpt.: 16.1.1.101, remote crypto endpt.: 16.1.1.102
path mtu 1500, media mtu 1500
current outbound spi: 87E06165
inbound esp sas:
spi: 0x16CCF1CE(382529998)
transform: esp-des esp-sha-hmac ,
! !
R1----(16.1.1.0/24)---(outside)---PIX----(inside)---26.1.1.0/24--R2
hostname NYr1
!
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp key isakey address 16.1.1.102
crypto ipsec transform-set transet esp-des esp-sha-hmac
mode transport
!
crypto map cryptmap 10 ipsec-isakmp
set peer 16.1.1.102
set transform-set transet
match address 101
interface Loopback0
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/0
ip address 16.1.1.101 255.255.255.0
crypto map cryptmap
ip route 20.1.1.0 255.255.255.0 16.1.1.1
access-list 101 permit ip 10.1.1.0 0.0.0.255 20.1.1.0 0.0.0.255
================================================== =============
hostname NYr2
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp key isakey address 16.1.1.101
crypto ipsec transform-set transet esp-des esp-sha-hmac
mode transport
!
crypto map cryptmap 10 ipsec-isakmp
set peer 16.1.1.101
set transform-set transet
match address 101
interface Loopback0
ip address 20.1.1.1 255.255.255.0
!
interface Ethernet0/0
ip address 26.1.1.102 255.255.255.0
half-duplex
crypto map cryptmap
ip route 10.1.1.0 255.255.255.0 26.1.1.1
access-list 101 permit ip 20.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
================================================== =============
PIX Version 7.0(4)
!
hostname NYpix1
interface Ethernet0
nameif outside
security-level 0
ip address 16.1.1.1 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 90
ip address 26.1.1.1 255.255.255.0
access-list 101 extended permit esp host 16.1.1.101 host 26.1.1.102
access-list 101 extended permit udp host 16.1.1.101 host 26.1.1.102 eq isakmp
static (inside,outside) 16.1.1.102 26.1.1.102 netmask 255.255.255.255
access-group 101 in interface outside
route inside 20.1.1.0 255.255.255.0 26.1.1.102 1
route outside 10.1.1.0 255.255.255.0 16.1.1.101 1
================================================== ====
NYr1#ping 20.1.1.1 sourc 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/12 ms
NYr1#sh cry ips sa
interface: Ethernet0/0
Crypto map tag: cryptmap, local addr. 16.1.1.101
protected vrf:
local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (20.1.1.0/255.255.255.0/0/0)
current_peer: 16.1.1.102:4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest 14
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify 14
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 10, #recv errors 0
local crypto endpt.: 16.1.1.101, remote crypto endpt.: 16.1.1.102
path mtu 1500, media mtu 1500
current outbound spi: 87E06165
inbound esp sas:
spi: 0x16CCF1CE(382529998)
transform: esp-des esp-sha-hmac ,
NYr1#ping 20.1.1.1 sourc 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/12 ms
NYr1#sh cry ips sa
interface: Ethernet0/0
Crypto map tag: cryptmap, local addr. 16.1.1.101
protected vrf:
local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (20.1.1.0/255.255.255.0/0/0)
current_peer: 16.1.1.102:4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 19, #pkts encrypt: 19, #pkts digest 19
#pkts decaps: 19, #pkts decrypt: 19, #pkts verify 19
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 10, #recv errors 0
local crypto endpt.: 16.1.1.101, remote crypto endpt.: 16.1.1.102
path mtu 1500, media mtu 1500
current outbound spi: 87E06165
inbound esp sas:
spi: 0x16CCF1CE(382529998)
transform: esp-des esp-sha-hmac ,
扫一扫
929
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
