端到端IPSecVPN的配置流程.ppt

目录,四.测试并验证IPSec是否正常工作,三.配置IPSec参数,二.配置IKE参数,一.配置IPSec前的准备工作,四.端到端IPSecVPN的配置示例,一、配置IPSec前的准备工作,确认在配置IPSec之前，网络是通的。确认AH流量(IP协议号为50)、ESP流量(IP协议号为51)和ISAKMP流量(UDP的端口500)不会被ACL所阻塞。,在RouterA上ping路由器RouterBRouterA上要有到site2的路由，RouterB上有到site1的路由有必要的情况下，在路由器中添加类似以下的ACL条目：,RouterA#showaccess-listsaccess-list102permitahphost172.30.2.2host172.30.1.2access-list102permitesphost172.30.2.2host172.30.1.2access-list102permitudphost172.30.2.2host172.30.1.2eqisakmp,E0/1172.30.1.2,Site1,Site2,E0/1172.30.2.2,A,B,10.0.1.3,10.0.2.3,RouterA,RouterB,RouterA(config)#nocryptoisakmpenableRouterA(config)#cryptoisakmpenable,命令：router(config)#nocryptoisakmpenable,默认情况下，IKE处于开启状态IKE在全局模式下对所有端口启用对于不希望使用IKE的端口，可以用ACL屏蔽UDP的500端口，达到阻断IKE的目的,二、配置IKE参数,启用IKE,命令：router(config)#cryptoisakmppolicypriority,二、配置IKE参数-STEP2-创建IKE策略集policy,RouterA(config)#cryptoisakmppolicy110RouterA(config-isakmp)#encryptiondesRouterA(config-isakmp)#hashmd5RouterA(config-isakmp)#group1RouterA(config-isakmp)#authenticationpre-shareRouterA(config-isakmp)#lifetime86400,Authentication-身份认证方式Encryption-加密算法Group-DH算法组Hash-摘要算法Lifetime-IKE生存期,创建IKE策略集policy,二、配置IKE参数,创建IKE策略集policy-IKE策略集的取值,86400秒,86400秒,IKESA生存期,DHGroup2,DHGroup1,密钥交换算法,Rsa-sig,Pre-share,身份认证方式,SHA-1,MD5,摘要算法,3DES,DES,加密算法,更安全的取值,安全的取值,参数,(56bit密钥),(3次DES运算),(128bit密钥),(160bit密钥),(768bit密钥),(1024bit密钥),(共享密钥),(数字签名),二、配置IKE参数,创建IKE策略集policy-IKE策略集的优先级,cryptoisakmppolicy100hashmd5authenticationpre-sharecryptoisakmppolicy200authenticationrsa-sighashshacryptoisakmppolicy300authenticationpre-sharehashmd5,RouterA(config)#,RouterB(config)#,cryptoisakmppolicy100hashmd5authenticationpre-sharecryptoisakmppolicy200authenticationrsa-sighashshacryptoisakmppolicy300authenticationrsa-sighashmd5,Priority表示策略集的优先级，该值越小表示优先级越高路由器将首先比较优先级最高的策略集是否匹配，因此本例中虽然三个策略集都匹配，但路由器只会采用policy100建议把最安全的策略集设为最高优先级,二、配置IKE参数,创建IKE策略集policy-使用共享密钥进行身份认证,RouterA(config)#cryptoisakmpkeycisco1234address172.30.2.2,router(config)#cryptoisakmpkeykeystringaddresspeer-address,router(config)#cryptoisakmpkeykeystringhostnamehostname,共享密钥Cisco1234,Site1,Site2,172.30.2.2,A,B,10.0.1.3,10.0.2.3,RouterA,RouterB,两端路由器使用的共享密钥必须相同可以用IP地址或主机名来指定对端,命令：,举例：,二、配置IKE参数,创建IKE策略集policy-验证IKE配置,RouterA#showcryptoisakmppolicyProtectionsuiteofpriority110encryptionalgorithm:DES-DataEncryptionStandard(56bitkeys).hashalgorithm:MessageDigest5authenticationmethod:Pre-SharedKeyDiffie-Hellmangroup:#1(768bit)lifetime:86400seconds,novolumelimitDefaultprotectionsuiteencryptionalgorithm:DES-DataEncryptionStandard(56bitkeys).hashalgorithm:SecureHashStandardauthenticationmethod:Rivest-Shamir-AdlemanSignatureDiffie-Hellmangroup:#1(768bit)lifetime:86400seconds,novolumelimit,router#showcryptoisakmppolicy,命令：（显示已配置的和缺省的策略集）,三、配置IPSec参数,配置IPSec变换集,命令：,router(config)#cryptoipsectransform-settransform-set-nametransform1transform2transform3router(cfg-crypto-trans)#,RouterA(config)#cryptoipsectransform-setmineesp-desRouterA(cfg-crypto-trans)#modetunnel,每个变换集中可以包含AH变换、ESP变换和封装模式(隧道模式或传输模式)每个变换集中最多可以有一个AH变换和两个ESP变换,三、配置IPSec参数,RouterA(config)#cryptoipsectransform-settransform-set-name?ah-md5-hmacAH-HMAC-MD5transformah-sha-hmacAH-HMAC-SHAtransformesp-3desESPtransformusing3DES(EDE)cipher(168bits)esp-desESPtransformusingDEScipher(56bits)esp-md5-hmacESPtransformusingHMAC-MD5authesp-sha-hmacESPtransformusingHMAC-SHAauthesp-nullESPtransformw/ocipher,三、配置IPSec参数,用ACL定义需要IPSec保护的流量,router(config)#access-listaccess-list-numberdynamicdynamic-nametimeoutminutesdeny|permitprotocolsourcesource-wildcarddestinationdestination-wildcardprecedencerecedencetostoslog,命令：,Site1,Site2,RouterA(config)#access-list110permittcp10.0.1.00.0.0.25510.0.2.00.0.0.255,定义哪些流量需要IPSec保护Permit=要保护/deny=不用保护,三、配置IPSec参数,两端路由器要配置对称的ACL,RouterA(config)#access-list110permittcp10.0.1.00.0.0.25510.0.2.00.0.0.255,RouterB(config)#access-list101permittcp10.0.2.00.0.0.25510.0.1.00.0.0.255,三、配置IPSec参数,创建cryptomap,router(config)#cryptomapmap-nameseq-numipsec-manual,Site1,Site2,A,B,10.0.1.3,10.0.2.3,RouterA,RouterB,RouterA(config)#cryptomapmymap110ipsec-isakmp,Site3,B,10.0.3.3,RouterC,每个路由器端口只能应用一个cryptomap当一个端口有多个VPN对端时，就使用seq-num来区分需要IPSec保护的流量的ACLVPN对端的IP地址使用的IPSec变换集协商建立IPSecSA的方式(手工或通过IKE)IPSecSA的存活期,router(config)#cryptomapmap-nameseq-numipsec-isakmpdynamicdynamic-map-name,命令：,三、配置IPSec参数,Cryptomap配置示例,RouterA(config)#cryptomapmymap110ipsec-isakmpRouterA(config-crypto-map)#matchaddress110RouterA(config-crypto-map)#setpeer172.30.2.2RouterA(config-crypto-map)#setpeer172.30.3.2RouterA(config-crypto-map)#setpfsgroup1RouterA(config-crypto-map)#settransform-setmineRouterA(config-crypto-map)#setsecurity-associationlifetime86400,Site1,Site2,172.30.2.2,A,B,10.0.1.3,10.0.2.3,RouterA,RouterB,172.30.3.2,B,RouterC,Internet,可配置多个vpn对端进行冗余,三、配置IPSec参数,应用cryptomap到路由器端口上,RouterA(config)#interfaceethernet0/1RouterA(config-if)#cryptomapmymap,E0/1172.30.1.2,Site1,Site2,E0/1172.30.2.2,A,B,10.0.1.3,10.0.2.3,RouterA,RouterB,mymap,router(config-if)#cryptomapmap-name,在出口上应用cryptomap,命令：,四、测试并验证IPSec是否正常工作,显示IKE策略showcryptoisakmppolicy显示IPSec变换集showcryptoipsectransform-set显示cryptomapsshowcryptomap显示IPSecSA的状态showcryptoipsecsadebugIPSec事件debugcryptoipsecdebugISAKMP事件debugcryptoisakmp,五、端到端IPSecVPN的配置示例,RouterA#showruncryptoisakmppolicy110hashmd5authenticationpre-sharecryptoisakmpkeycisco1234address172.30.2.2!cryptoipsectransform-setmineesp-des!cryptomapmymap10ipsec-isakmpsetpeer172.30.2.2settransform-setminematchaddress110!interfaceEthernet0/1ipaddress172.30.1.2255.255.255.0noipdirected-broadcastcryptomapmymap!access-list110permittcp10.0.1.00.0.0.25510.0.2.00.0.0.255,E0/1172.30.1.2,Site1,Site2,E0/1172.30.2.2,A,B,10.0.1.3,10.0.2.3,RouterA,RouterB,RouterB#showruncryptoisakmppolicy110hashmd5authenticationpre-sharecryptois