
IPsec-VPN


IPsec-VPN
SITE-TO-SITE & EASY

confidentiality
data integrity
authentication

Internet Key Exchange (IKE)
Encapsulating Security Payload (ESP)
Authentication Header (AH)

original frame: L2 | IP | L4 | payload
transport mode: L2 | IP | ESP/AH | L4 | payload
tunnel mode:    L2 | new IP | ESP/AH | original IP | L4 | payload | ESP trailer

peer authentication methods:
username and password
otp (pin/tan)
biometric
preshared keys
digital certificates

show version (k9/k8 crypto image)

R1

ip route 0.0.0.0 0.0.0.0 serial 0/0 (default route)

access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 (interesting traffic; isakmp sa)

crypto isakmp policy 10  (IKE phase 1, ISAKMP SA)
authentication pre-share
hash MD5
encryption des
group 2
lifetime 86400
exit
crypto isakmp key DAVY address 200.1.1.2
show crypto isakmp policy

crypto ipsec transform-set SET esp-des esp-md5-hmac  (IKE phase 2, IPsec SA)
mode tunnel

crypto map VPN 10 ipsec-isakmp (ties the previous steps together)
set peer 200.1.1.2
match address 100
set transform-set SET
exit

interface serial 0/0 (apply the map on the interface)
crypto map VPN


R2
ip route 0.0.0.0 0.0.0.0 serial 0/0
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto isakmp policy 10  (IKE phase 1, ISAKMP SA)
authentication pre-share
hash MD5
encryption des
#group 2
#lifetime 86400
exit
crypto isakmp key DAVY address 200.1.1.1
 

crypto ipsec transform-set SET esp-des esp-md5-hmac  (IKE phase 2, IPsec SA)
mode tunnel

crypto map VPN 10 ipsec-isakmp (ties the previous steps together)
set peer 200.1.1.1
match address 100
set transform-set SET
exit

interface serial 0/0 (apply the map on the interface)
crypto map VPN

debug crypto ipsec
show crypto isakmp policy
show crypto isakmp sa
show crypto ipsec sa
show crypto engine connections active
show crypto ipsec security-association-lifetime
clear crypto ipsec
clear crypto sa
clear crypto isakmp
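The two routers above only bring up phase 1 and phase 2 if their ISAKMP policies, transform sets, peers and crypto ACLs agree, and the algorithms in these notes (DES, MD5, DH group 2) are exactly what a review would flag today. The following Python script is an added example, not part of the original notes and not a Cisco tool: it parses the IPsec-relevant lines of two IOS configs and reports mismatches and weak settings. The sample configs are constructed from the R1/R2 commands above; the serial 0/0 addresses 200.1.1.1 and 200.1.1.2, and the classic IOS ISAKMP defaults (DES, SHA-1, rsa-sig, DH group 1, 86400 s) that apply when a policy line is left out, are assumptions of the example.

```python
# Constructed sample configs modelled on the R1/R2 notes above, not copied from a live device;
# the serial 0/0 addresses 200.1.1.1 / 200.1.1.2 are assumed from the isakmp key lines.
R1_CONFIG = """\
interface serial 0/0
 ip address 200.1.1.1 255.255.255.0
 crypto map VPN
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto isakmp policy 10
 authentication pre-share
 hash md5
 encryption des
 group 2
crypto isakmp key DAVY address 200.1.1.2
crypto ipsec transform-set SET esp-des esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 200.1.1.2
 match address 100
 set transform-set SET
"""
# R2 as in the notes: group and lifetime are not set, so the assumed IOS defaults apply.
R2_CONFIG = """\
interface serial 0/0
 ip address 200.1.1.2 255.255.255.0
 crypto map VPN
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto isakmp policy 10
 authentication pre-share
 hash md5
 encryption des
crypto isakmp key DAVY address 200.1.1.1
crypto ipsec transform-set SET esp-des esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 200.1.1.1
 match address 100
 set transform-set SET
"""
# ISAKMP policy defaults assumed for this example (classic IOS: DES, SHA-1, RSA signatures, DH group 1).
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1", "lifetime": "86400"}
WEAK_ISAKMP = {"encryption": {"des", "3des"}, "hash": {"md5", "sha"}, "group": {"1", "2", "5"}}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac", "ah-md5-hmac", "ah-sha-hmac"}
MAP_FIELDS = {"peer": "peer", "address": "acl", "transform-set": "transform"}   # crypto map sub-commands
MIN_PSK_LEN = 16                                                                # review threshold, not an IOS limit

def parse_ios(config):
    """Extract the IPsec-relevant pieces of an IOS config (one policy, one transform set, one crypto map)."""
    cfg = {"policy": dict(ISAKMP_DEFAULTS), "keys": {}, "transform": None, "map": None, "acls": {}, "outside_ip": None}
    kind, block = None, None
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if line.startswith(" "):                        # indented line: sub-command of the open block
            if kind == "policy":
                block[w[0]] = w[1]
            elif kind == "transform" and w[0] == "mode":
                block["mode"] = w[1]
            elif kind == "map" and w[1] in MAP_FIELDS:
                block[MAP_FIELDS[w[1]]] = w[2]
            elif kind == "iface" and w[:2] == ["ip", "address"]:
                block["ip"] = w[2]
            elif kind == "iface" and w[:2] == ["crypto", "map"]:
                cfg["outside_ip"] = block["ip"]          # the interface carrying the crypto map faces the peer
            continue
        kind, block = None, None                         # any top-level line closes the previous block
        if w[:3] == ["crypto", "isakmp", "policy"]:
            kind, block = "policy", cfg["policy"]
        elif w[:3] == ["crypto", "isakmp", "key"]:
            cfg["keys"][w[5]] = w[3]                     # peer address -> pre-shared key
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            kind = "transform"
            block = cfg["transform"] = {"algs": tuple(sorted(w[4:])), "mode": "tunnel"}
        elif w[:2] == ["crypto", "map"] and "ipsec-isakmp" in w:
            kind = "map"
            block = cfg["map"] = {"peer": None, "acl": None, "transform": None}
        elif w[0] == "access-list":
            cfg["acls"].setdefault(w[1], []).append(tuple(w[2:]))   # (permit, ip, src, wc, dst, wc)
        elif w[0] == "interface":
            kind, block = "iface", {"ip": None}
    return cfg

def mirror(ace):
    """Swap source and destination of a (action, proto, src, src_wc, dst, dst_wc) entry."""
    action, proto, src, swc, dst, dwc = ace
    return (action, proto, dst, dwc, src, swc)

def audit_pair(a, b, names=("R1", "R2")):
    """Return findings for two peers; an empty list means they agree and use no flagged algorithm."""
    out = []
    for n, c in zip(names, (a, b)):
        out += [f"{n}: weak ISAKMP {k} {c['policy'][k]}" for k, weak in WEAK_ISAKMP.items() if c["policy"][k] in weak]
        out += [f"{n}: weak transform {alg}" for alg in c["transform"]["algs"] if alg in WEAK_TRANSFORMS]
        out += [f"{n}: short pre-shared key for {p} ({len(k)} chars)" for p, k in c["keys"].items() if len(k) < MIN_PSK_LEN]
    for k in ("encryption", "hash", "authentication", "group"):    # phase 1 parameters that must match
        if a["policy"][k] != b["policy"][k]:
            out.append(f"ISAKMP {k} mismatch: {names[0]}={a['policy'][k]} {names[1]}={b['policy'][k]}")
    if a["transform"] != b["transform"]:
        out.append("transform-set mismatch between peers")
    for x, y, xn, yn in ((a, b, *names), (b, a, *names[::-1])):
        if x["map"]["peer"] != y["outside_ip"]:
            out.append(f"{xn}: set peer {x['map']['peer']} is not {yn}'s outside address {y['outside_ip']}")
        if x["map"]["peer"] not in x["keys"]:
            out.append(f"{xn}: no pre-shared key for peer {x['map']['peer']}")
    acl_a, acl_b = (set(c["acls"].get(c["map"]["acl"], [])) for c in (a, b))
    if acl_a != {mirror(e) for e in acl_b}:              # crypto ACLs must be mirror images
        out.append("crypto ACLs are not mirror images of each other")
    return out

if __name__ == "__main__":
    for finding in audit_pair(parse_ios(R1_CONFIG), parse_ios(R2_CONFIG)):
        print(finding)
```

Run against the constructed pair, the script flags DES, MD5 and the short pre-shared key on both sides and, under the assumed default of DH group 1, a phase 1 group mismatch with R1's group 2, while confirming that the peers, keys and crypto ACLs line up. Replacing the algorithms with AES, SHA-256 and group 14 on both routers and using a long pre-shared key clears every finding.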

Hardening
IKE uses UDP port 500
ESP and AH are IP protocol numbers 50 and 51
NAT traversal uses UDP port 4500; a TCP port number has to be configured

R1
access-list 102 permit esp host 200.1.1.2 host 200.1.1.1
#access-list 102 permit ahp host 200.1.1.2 host 200.1.1.1
access-list 102 permit udp host 200.1.1.2 host 200.1.1.1 eq isakmp
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
interface s 0/0
ip access-group 102 in

R2
access-list 102 permit esp host 200.1.1.1 host 200.1.1.2
#access-list 102 permit ahp host 200.1.1.1 host 200.1.1.2
access-list 102 permit udp host 200.1.1.1 host 200.1.1.2 eq isakmp
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
interface s 0/0
ip access-group 102 in


Using SDM (Security Device Manager)

conf ter
ip http secure-server
show running-config
line vty 0 4
transport input ssh telnet
login local
username DAVY privilege 15 password amanda


GRE (generic routing encapsulation)
supports multiple network protocols
new IP | GRE (4 bytes) | IP | TCP | data
GRE header: flags, protocol type, checksum, offset, key, sequence number
IP protocol number 47
 
R1
conf ter
interface tunnel 1
ip address 172.16.1.1 255.255.255.252 (so a static route can point at the tunnel)
tunnel source serial 0/0 (200.1.1.1)
tunnel destination 200.1.1.2
tunnel mode gre ip

ip route 0.0.0.0 0.0.0.0 tunnel 1


R2

conf ter
interface tunnel 2
ip address 172.16.1.2 255.255.255.252
tunnel source serial 0/0 (200.1.1.2)
tunnel destination 200.1.1.1
tunnel mode gre ip

ip route 0.0.0.0 0.0.0.0 tunnel 2


GRE over IPsec

tunnel mode:    IP | ESP | IP | GRE | IP | TCP | data | ESP trailer
transport mode: IP | ESP | GRE | IP | TCP | data | ESP trailer (saves 20 bytes)
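The GRE header fields listed in the GRE section above and the two GRE-over-IPsec layer stacks just shown can both be made concrete in code. The following Python module is an added example, not part of the original notes: it builds and parses a GRE header in the RFC 2784/2890 layout (2-byte flags/version, 2-byte protocol type, then an optional checksum+reserved word, key and sequence number at 4 bytes each), verifies the checksum on receive, and models the tunnel-mode and transport-mode stacks to show where the 20-byte saving comes from. The sample packet is constructed; treating the GRE key field as the value set by a tunnel key command is an assumption of the example.

```python
import struct

GRE_IP_PROTOCOL = 47          # GRE is carried directly in IP as protocol number 47
ETHERTYPE_IPV4 = 0x0800       # protocol-type value for an IPv4 passenger packet
FLAG_C, FLAG_K, FLAG_S = 0x8000, 0x2000, 0x1000   # checksum present, key present, sequence present
IPV4_HEADER_LEN = 20


def ones_complement_checksum(data):
    """IP-style one's complement checksum over 16-bit words (RFC 1071); odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_gre(payload, protocol=ETHERTYPE_IPV4, key=None, seq=None, checksum=False):
    """Prepend a GRE header: the base header is 4 bytes and each enabled option adds 4 more."""
    flags = (FLAG_C if checksum else 0) | (FLAG_K if key is not None else 0) | (FLAG_S if seq is not None else 0)
    header = struct.pack("!HH", flags, protocol)
    if checksum:
        header += struct.pack("!HH", 0, 0)        # checksum placeholder + reserved1 (the legacy "offset" word)
    if key is not None:
        header += struct.pack("!I", key)          # assumed to correspond to a configured tunnel key
    if seq is not None:
        header += struct.pack("!I", seq)
    if checksum:
        csum = ones_complement_checksum(header + payload)   # covers GRE header and passenger packet
        header = header[:4] + struct.pack("!H", csum) + header[6:]
    return header + payload


def parse_gre(packet):
    """Decode a GRE header; raise ValueError on truncation or a bad checksum so the caller drops the packet."""
    if len(packet) < 4:
        raise ValueError("GRE header needs at least 4 bytes")
    flags, protocol = struct.unpack("!HH", packet[:4])
    options = [bit for bit in (FLAG_C, FLAG_K, FLAG_S) if flags & bit]
    if len(packet) < 4 + 4 * len(options):
        raise ValueError("truncated GRE header")
    if flags & FLAG_C and ones_complement_checksum(packet) != 0:   # intact packets sum to zero
        raise ValueError("GRE checksum mismatch")
    info = {"version": flags & 0x7, "protocol": protocol, "checksum": None, "key": None, "sequence": None}
    pos = 4
    if flags & FLAG_C:
        info["checksum"] = struct.unpack("!H", packet[pos:pos + 2])[0]
        pos += 4
    if flags & FLAG_K:
        info["key"] = struct.unpack("!I", packet[pos:pos + 4])[0]
        pos += 4
    if flags & FLAG_S:
        info["sequence"] = struct.unpack("!I", packet[pos:pos + 4])[0]
        pos += 4
    info["header_length"] = pos
    info["payload"] = packet[pos:]
    return info


def gre_over_ipsec_stack(mode):
    """Layer order for GRE inside ESP as drawn in the notes; transport mode drops the second outer IP header."""
    passenger = ["GRE", "IP", "TCP", "data"]
    if mode == "tunnel":
        return ["IP", "ESP", "IP"] + passenger + ["ESP trailer"]
    if mode == "transport":
        return ["IP", "ESP"] + passenger + ["ESP trailer"]
    raise ValueError("mode must be 'tunnel' or 'transport'")


def tunnel_vs_transport_saving():
    """Bytes saved by transport mode: one fewer IPv4 header in the stack."""
    extra_ip_headers = gre_over_ipsec_stack("tunnel").count("IP") - gre_over_ipsec_stack("transport").count("IP")
    return IPV4_HEADER_LEN * extra_ip_headers


if __name__ == "__main__":
    # Constructed passenger: a minimal 20-byte IPv4 header with no payload
    pkt = build_gre(b"\x45\x00" + b"\x00" * 18, key=0x2A, seq=7, checksum=True)
    print(parse_gre(pkt)["header_length"], "byte GRE header;", tunnel_vs_transport_saving(), "bytes saved in transport mode")
```

Because the optional words are only present when their flag bits are set, a receiver has to size the header from the flags before touching any later field; the parser does that length check up front and rejects a corrupted packet on the checksum rather than handing it to the inner IP layer.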

R1
conf ter
interface tunnel 1
ip address 172.16.1.1 255.255.255.252 (so a static route can point at the tunnel)
tunnel source serial 0/0 (200.1.1.1)
tunnel destination 200.1.1.2
tunnel mode gre ip

ip route 0.0.0.0 0.0.0.0 tunnel 1

#access-list 100 permit ip host 200.1.1.1 host 200.1.1.2
access-list 100 permit gre host 200.1.1.1 host 200.1.1.2 (more specific)

crypto isakmp policy 10  (IKE phase 1, ISAKMP SA)
authentication pre-share
hash MD5
encryption des
group 2
lifetime 86400
exit
crypto isakmp key DAVY address 200.1.1.2
 
crypto ipsec transform-set SET esp-des esp-md5-hmac  (IKE phase 2, IPsec SA)
mode transport
exit

crypto map VPN 10 ipsec-isakmp (ties the previous steps together)
set peer 200.1.1.2
match address 100
set transform-set SET
exit

interface serial 0/0 (apply the map on the interface)
crypto map VPN

R2
conf ter
interface tunnel 2
ip address 172.16.1.2 255.255.255.252
tunnel source serial 0/0 (200.1.1.2)
tunnel destination 200.1.1.1
tunnel mode gre ip

ip route 0.0.0.0 0.0.0.0 tunnel 2

#access-list 100 permit ip host 200.1.1.2 host 200.1.1.1
access-list 100 permit gre host 200.1.1.2 host 200.1.1.1 (more specific)

crypto isakmp policy 10  (IKE phase 1, ISAKMP SA)
authentication pre-share
hash MD5
encryption des
group 2
lifetime 86400
exit
crypto isakmp key DAVY address 200.1.1.1
 
crypto ipsec transform-set SET esp-des esp-md5-hmac  (IKE phase 2, IPsec SA)
mode transport
exit

crypto map VPN 10 ipsec-isakmp (ties the previous steps together)
set peer 200.1.1.1
match address 100
set transform-set SET
exit

interface serial 0/0 (apply the map on the interface)
crypto map VPN

On top of the previous config, remove the static routes and use a dynamic routing protocol instead
R1
no ip route 0.0.0.0 0.0.0.0 tunnel 1

router eigrp 90
no auto-summary
network 172.16.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255

R2
no ip route 0.0.0.0 0.0.0.0 tunnel 2

router eigrp 90
no auto-summary
network 172.16.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255


VPN HA

failure types:
access link failure
remote peer failure
device failure
path failure
detected with DPD (dead peer detection) messages

remote-end
R1 (master)
interface fastethernet 0/0
ip address 10.1.1.2 255.255.255.0
standby 1 preempt
standby 1 ip 10.1.1.1
standby 1 priority 150
R2 (backup)
interface fastethernet 0/0
ip address 10.1.1.3 255.255.255.0
standby 1 preempt
standby 1 ip 10.1.1.1

head-end
conf ter
interface fastethernet 0/0
ip address 10.1.1.3 255.255.255.0
standby 1 preempt
standby 1 ip 10.1.1.1
standby 1 name VPNNA
standby track fastethernet 0/1
crypto map CM redundancy VPNNA stateful (SSO; IPsec failover can be stateful or stateless)
crypto dynamic-map DM 10
set transform-set TS
reverse-route
crypto map CM 10 ipsec-isakmp dynamic DM
redundancy inter-device
scheme standby VPNNA
ipc zone default
association 1
protocol sctp
local-port 12345
local-ip 10.1.1.1
retransmit-timeout 300 10000
path-retransmit 10
assoc-retransmit 20
remote-port 12345
remote-ip 10.1.1.2

Backing up a WAN connection with an IPsec VPN
static routing (floating static route with a higher AD)
dynamic routing

Easy VPN (client side)
configured in SDM
Plan: R2 is the web server (s0/0 192.168.1.0/24); R1 is the gateway router (s0/0 192.168.1.0/24, f0/0 192.168.16.0/24, pool 192.168.8.1-100); the PC is the external user

conf ter
int f1/0
ip address 192.168.16.5 255.255.255.0
no shutdown
int s0/0
ip address 192.168.1.1 255.255.255.0
no shutdown
exit
ip http secure-server
line vty 0 4
transport input ssh telnet
login local
exit
username DAVY privilege 15 password wolf
(split tunneling, local VLAN, address pool, username/password authentication) are all configured in SDM


R2
conf ter
int s0/0
ip address 192.168.1.2 255.255.255.0
no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.1.1

line vty 0 4
no login
exit

(remote gateway router R2)
ip http server
ip http authentication local
username DAVY privilege 15 password wolf

 


 
