ipsecVPN配置详解.doc

IpsecVPN的详细建立及传输方式：一、 数据从发送时，根据自己的默认网关，发送到路由器R1。二、 到R1时，路由会将此数据包转发，正常情况下会根据自己的路由表，查找然后转发，但是这是接口s0/0有map的存在，此时路由会查找路由的感兴趣流，如果符合感兴趣流的话，就会触发路由的Ipsec策略，三、 当触发Ipsec的策略时，此时会协商IpsecSA，在协商Ipsecsa时首先会协商isakmp，当isakmp到qm-idle状态时，协商Ipsec策略，协商Ipsec的spi值，四、 当协商成功时，封装上ESP头部，封装R1出口的spi值，发送（此时根据默认路由）。五、 当数据包到达R2时，根据自己的入接口的spi值，查看是否与数据包中的spi值对应，如果对应则，根据Iv接口数据包。发送的本地内网。ESP头部原始Ip 头Spi序列号Iv内网ip头数据Md5Ipsec的lESP的封装方法transport和tunnel方式，当实用transport方式时，是通过封装ESP头部，封装两层ip，透明的在公网传输。根据上面的配置来解释本图：原始ip头：指的是原来的ipv4的的头部，Spi：是双方的sa协商出来的，决定了双发加密，散列的参数和方法。序列号：等同于ip中的序列号Iv：des算法最后一个64bit块，算出来的值，作为传输到对方路由器的解密的一个种子。内网ip头：ESP加密中的要建立通信的ip头数据：要传输的数据Md5：传输的数据的加密方式ipsecVPNRouter1 S0/0 Router2 S0/0 Router2 S0/1 Router3 S0/0 R1的配置方式：version 12.4service timestamps debug datetime msecservice timestamps log datetime msecno service password-encryptionhostname R1boot-start-markerboot-end-markerno aaa new-modelmemory-size iomem 5ip cefno ip domain lookupcrypto isakmp policy 1 hash md5 authentication pre-sharecrypto isakmp key 6 cisco address crypto ipsec transform-set cisco esp-des esp-md5-hmac mode transportcrypto map cisco 10 ipsec-isakmp set peer set transform-set cisco match address 101interface Loopback1 ip address interface Serial0/0 ip address serial restart-delay 0 crypto map ciscointerface Serial0/1 no ip address shutdown serial restart-delay 0interface Serial0/2 no ip address shutdown serial restart-delay 0interface Serial0/3 no ip address shutdown serial restart-delay 0ip http serverno ip http secure-serverip route access-list 101 permit ip host host control-planeline con 0 exec-timeout 0 0line aux 0line vty 0 4endR2的配置方式：version 12.4service timestamps debug datetime msecservice timestamps log datetime msecno service password-encryptionhostname R2boot-start-markerboot-end-markerno aaa new-modelmemory-size iomem 5ip cefno ip domain lookupinterface Serial0/0 ip address serial restart-delay interface Serial0/1 ip address serial restart-delay 0interface Serial0/2 no ip address shutdown serial restart-delay 0interface Serial0/3 no ip address shutdown serial restart-delay 0ip http serverno ip http secure-servercontrol-planeline con 0 exec-timeout 0 0line aux 0line vty 0 4endR3的配置方式：version 12.4service timestamps debug datetime msecservice timestamps log datetime msecno service password-encryptionhostname R3boot-start-markerboot-end-markerno aaa new-modelmemory-size iomem 5ip cefno ip domain lookupcrypto isakmp policy 1 hash md5 authentication pre-sharecrypto isakmp key 6 cisco address crypto ipsec transform-set cisco esp-des esp-md5-hmac mode transportcrypto map cisco 10 ipsec-isakmp set peer set transform-set cisco match address 101interface Loopback1 ip address interface Serial0/0 ip address serial restart-delay 0 crypto map ciscointerface Serial0/1 no ip address shutdown serial restart-delay 0 interface Serial0/2 no ip address shutdown serial restart-delay 0interface Serial0/3 no ip address shutdown serial restart-delay 0ip http serverno ip ht