12.1. Creating a Tunnel
Problem: Transport IP traffic across a network through a tunnel
Solution
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface Tunnel1
Router1(config-if)#ip address 192.168.35.6 255.255.255.252
Router1(config-if)#tunnel source 172.25.1.5
Router1(config-if)#tunnel destination 172.25.1.7
Router1(config-if)#exit
Router1(config)#end
Router1#
Router5#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router5(config)#interface Tunnel3
Router5(config-if)#ip address 192.168.35.5 255.255.255.252
Router5(config-if)#tunnel source 172.25.1.7
Router5(config-if)#tunnel destination 172.25.1.5
Router5(config-if)#exit
Router5(config)#end
Router5#
Note: In the tunnel configuration, tunnel source Ethernet0 can also be used to bind the tunnel to an interface. The resulting virtual tunnel interface normally stays UP even when the far end is down; 12.2(8)T introduced the keepalive parameter to monitor the tunnel state: keepalive 3 2 sends a keepalive every 3 seconds and declares the interface down after two are missed. To protect packet integrity or guard against out-of-order packets, tunnel checksum and tunnel sequence-datagrams can be configured, but note that GRE is not TCP: a dropped packet is not retransmitted. The default tunnel mode is GRE; it can be changed with tunnel mode ipip. Because GRE encapsulates IP packets, MTU problems are unavoidable; for TCP connections ip tcp path-mtu-discovery can be used, but for non-TCP traffic over GRE, tunnel path-mtu-discovery is needed. 12.2(13)T introduced tunnel path-mtu-discovery min-mtu 500 to set a minimum MTU as a safeguard.
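The note above touches on GRE's checksum and sequence-number options and on the MTU cost of encapsulation. As an added example (not code from the cookbook or this page), the following Python builds and parses GRE headers per RFC 2784/2890, computes the tunnel MTU that results on a 1500-byte link, and models a receiver that drops bad-checksum and out-of-order datagrams without any retransmission; the inner packet is constructed, and the receiver is a simplified model, not IOS's exact behaviour.

```python
import struct

# GRE header flag bits (RFC 2784 / RFC 2890). Cisco "tunnel checksum" sets C,
# "tunnel sequence-datagrams" sets S; a "tunnel key" would set K.
GRE_C = 0x8000
GRE_K = 0x2000
GRE_S = 0x1000
ETHERTYPE_IPV4 = 0x0800
OUTER_IPV4_HEADER = 20

# Constructed inner IPv4/ICMP echo packet (28 bytes), not captured traffic.
SAMPLE_INNER = bytes.fromhex(
    "4500001c 00010000 40010000 c0a8100a c0a80f0a 0800f7ff 00000000")


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum: one's complement of the one's complement 16-bit sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_header_len(checksum=False, key=False, sequence=False) -> int:
    return 4 + 4 * checksum + 4 * key + 4 * sequence


def gre_tunnel_mtu(link_mtu=1500, checksum=False, key=False, sequence=False) -> int:
    """Largest inner packet that fits in one outer packet on the underlying link."""
    return link_mtu - OUTER_IPV4_HEADER - gre_header_len(checksum, key, sequence)


def build_gre(payload: bytes, checksum=False, key=None, sequence=None,
              proto=ETHERTYPE_IPV4) -> bytes:
    flags = (GRE_C if checksum else 0) | (GRE_K if key is not None else 0) \
        | (GRE_S if sequence is not None else 0)
    hdr = struct.pack("!HH", flags, proto)
    if checksum:
        hdr += struct.pack("!HH", 0, 0)            # checksum placeholder + reserved1
    if key is not None:
        hdr += struct.pack("!I", key)
    if sequence is not None:
        hdr += struct.pack("!I", sequence)
    if checksum:
        csum = ones_complement_sum(hdr + payload)  # covers GRE header and payload
        hdr = hdr[:4] + struct.pack("!HH", csum, 0) + hdr[8:]
    return hdr + payload


def parse_gre(packet: bytes) -> dict:
    flags, proto = struct.unpack("!HH", packet[:4])
    off, key, seq, checksum_ok = 4, None, None, None
    if flags & GRE_C:
        checksum_ok = ones_complement_sum(packet) == 0  # sum incl. the field folds to 0
        off += 4
    if flags & GRE_K:
        key = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    if flags & GRE_S:
        seq = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    return {"proto": proto, "key": key, "seq": seq,
            "checksum_ok": checksum_ok, "payload": packet[off:]}


class GreReceiver:
    """Receive-side model of the two checks (simplified, for illustration)."""

    def __init__(self):
        self.next_seq = 0
        self.accepted, self.dropped, self.lost = [], [], 0

    def receive(self, packet: bytes) -> str:
        p = parse_gre(packet)
        if p["checksum_ok"] is False:
            self.dropped.append(("bad-checksum", p["seq"]))
            return "bad-checksum"
        if p["seq"] is not None:
            if p["seq"] < self.next_seq:
                self.dropped.append(("out-of-order", p["seq"]))
                return "out-of-order"
            self.lost += p["seq"] - self.next_seq  # a gap is loss; GRE never retransmits
            self.next_seq = p["seq"] + 1
        self.accepted.append(p["payload"])
        return "accepted"
```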
12.2. Tunneling Other Protocols over IP
Problem: Carry other protocols, such as IPX, across an IP network through a tunnel
Solution
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ipx routing AAAA.BBBB.0001
Router1(config)#interface Tunnel1
Router1(config-if)#ipx network AAA
Router1(config-if)#tunnel source 172.25.1.5
Router1(config-if)#tunnel destination 172.25.1.7
Router1(config-if)#exit
Router1(config)#end
Router1#
Router5#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router5(config)#ipx routing AAAA.BBBB.0002
Router5(config)#interface Tunnel3
Router5(config-if)#ipx network AAA
Router5(config-if)#tunnel source 172.25.1.7
Router5(config-if)#tunnel destination 172.25.1.5
Router5(config-if)#exit
Router5(config)#end
Router5#
Note: Of the tunnel modes, only GRE supports IPX. Several protocols can also be configured on the same tunnel interface, so that one tunnel encapsulates more than one protocol:
Router1(config)#interface Tunnel1
Router1(config-if)#ip address 192.168.35.6 255.255.255.252
Router1(config-if)#ipx network AAA
Router1(config-if)#tunnel source 172.25.1.5
Router1(config-if)#tunnel destination 172.25.1.7
Router1(config-if)#exit
Router1(config)#end
Router1#
12.3. Tunnels and Dynamic Routing Protocols
Problem: Run a routing protocol through the tunnel
Solution
How to make sure the route to the tunnel destination is not learned through the tunnel interface itself: the first method is a static route
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface Tunnel1
Router1(config-if)#ip address 192.168.35.6 255.255.255.252
Router1(config-if)#tunnel source 172.25.1.5
Router1(config-if)#tunnel destination 172.22.1.2
Router1(config-if)#exit
Router1(config)#ip route 172.22.1.2 255.255.255.255 172.25.1.1
Router1(config)#router eigrp 55
Router1(config-router)#network 192.168.35.0
Router1(config-router)#exit
Router1(config)#end
Router1#
The second method runs a separate routing protocol on the tunnel interface, so that the tunnel network is kept out of the routing protocol that links the routers
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface Tunnel1
Router1(config-if)#ip address 192.168.35.6 255.255.255.252
Router1(config-if)#tunnel source 172.25.1.5
Router1(config-if)#tunnel destination 172.22.1.2
Router1(config-if)#exit
Router1(config)#router eigrp 55
Router1(config-router)#network 172.22.0.0
Router1(config-router)#network 172.25.0.0
Router1(config-router)#exit
Router1(config)#router rip
Router1(config-router)#network 192.168.35.0
Router1(config-router)#exit
Router1(config)#end
Router1#
The third method is route filtering
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface Tunnel1
Router1(config-if)#ip address 192.168.35.6 255.255.255.252
Router1(config-if)#tunnel source 172.25.1.5
Router1(config-if)#tunnel destination 172.22.1.2
Router1(config-if)#exit
Router1(config)#ip prefix-list TUNNELROUTES seq 10 permit 192.168.0.0/16 ge 17
Router1(config)#router eigrp 55
Router1(config-router)#network 172.22.0.0
Router1(config-router)#network 172.25.0.0
Router1(config-router)#network 192.168.35.0
Router1(config-router)#distribute-list prefix TUNNELROUTES out Tunnel1
Router1(config-router)#exit
Router1(config)#end
Router1#
Note: The first two methods are simple but offer poor redundancy and scalability; the third is recommended.
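To see what the third method actually filters, here is an added Python model (not code from the page or the cookbook) of the IOS prefix-list match rules and of the distribute-list applied out Tunnel1, run over a constructed routing table for Router1; it also checks that no route covering the tunnel destination is advertised back through the tunnel, which is the recursive-routing problem the three methods avoid.

```python
import ipaddress

# Router1's prefix list from the third method above.
PREFIX_LIST = [
    "ip prefix-list TUNNELROUTES seq 10 permit 192.168.0.0/16 ge 17",
]

# Constructed routing table for Router1 (not from the page): the tunnel
# endpoints, the tunnel subnet, a LAN behind the router and a summary.
ROUTER1_ROUTES = {
    "172.22.1.2/32": "static, tunnel destination",
    "172.25.1.0/24": "connected, tunnel source interface",
    "192.168.35.4/30": "connected, Tunnel1",
    "192.168.16.0/24": "connected, LAN (constructed)",
    "192.168.0.0/16": "summary (constructed)",
}


def parse_prefix_list(lines):
    """Parse 'ip prefix-list NAME seq N permit|deny PREFIX [ge X] [le Y]' lines."""
    entries = []
    for line in lines:
        tok = line.split()
        entry = {"seq": int(tok[4]), "action": tok[5],
                 "prefix": ipaddress.ip_network(tok[6]), "ge": None, "le": None}
        for i in range(7, len(tok), 2):          # optional ge/le pairs
            entry[tok[i]] = int(tok[i + 1])
        entries.append(entry)
    return sorted(entries, key=lambda e: e["seq"])


def entry_matches(entry, route):
    """IOS semantics: the route must sit inside the prefix and its length must lie
    in [ge, le]; no ge/le means an exact-length match, ge alone means ge..32."""
    prefix = entry["prefix"]
    if route.prefixlen < prefix.prefixlen or not route.subnet_of(prefix):
        return False
    low = entry["ge"] if entry["ge"] is not None else prefix.prefixlen
    high = entry["le"] if entry["le"] is not None else (
        route.max_prefixlen if entry["ge"] is not None else prefix.prefixlen)
    return low <= route.prefixlen <= high


def evaluate(entries, route_str):
    """First matching entry wins; an unmatched route hits the implicit deny."""
    route = ipaddress.ip_network(route_str)
    for entry in entries:
        if entry_matches(entry, route):
            return entry["action"]
    return "deny"


def distribute_list_out(entries, routes):
    """Split the table into what is advertised out Tunnel1 and what is suppressed."""
    advertised = [r for r in routes if evaluate(entries, r) == "permit"]
    suppressed = [r for r in routes if r not in advertised]
    return advertised, suppressed


def tunnel_endpoint_is_protected(entries, routes, tunnel_destination):
    """Recursive-routing check: no route covering the tunnel destination may be
    advertised through the tunnel, or the far end would reach our endpoint via
    the tunnel itself and the tunnel would flap."""
    dest = ipaddress.ip_address(tunnel_destination)
    covering = [r for r in routes if dest in ipaddress.ip_network(r)]
    return all(evaluate(entries, r) == "deny" for r in covering)
```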
12.4. Viewing Tunnel Status
Problem: Check the status of a tunnel
Solution
Router1#show interface Tunnel5
Router1#ping 192.168.66.6
Router1#ping 172.22.1.4
12.5. Creating an Encrypted Router-to-Router VPN Inside a GRE Tunnel
Problem: Create an encrypted VPN between two Internet-connected routers using a pre-shared key
Solution
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#crypto isakmp policy 10
Router1(config-isakmp)#encr aes 256
Router1(config-isakmp)#authentication pre-share
Router1(config-isakmp)#group 2
Router1(config-isakmp)#exit
Router1(config)#crypto isakmp key TUNNELKEY01 address 172.16.2.1 no-xauth
Router1(config)#crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-aes 256
Router1(cfg-crypto-trans)#mode transport
Router1(cfg-crypto-trans)#exit
Router1(config)#crypto map TUNNELMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Router1(config-crypto-map)#set peer 172.16.2.1
Router1(config-crypto-map)#set transform-set TUNNEL-TRANSFORM
Router1(config-crypto-map)#match address 102
Router1(config-crypto-map)#exit
Router1(config)#access-list 102 permit gre host 172.16.1.1 host 172.16.2.1
Router1(config)#interface Tunnel1
Router1(config-if)#ip address 192.168.1.1 255.255.255.252
Router1(config-if)#tunnel source 172.16.1.1
Router1(config-if)#tunnel destination 172.16.2.1
Router1(config-if)#exit
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip address 172.16.1.1 255.255.255.0
Router1(config-if)#ip access-group 101 in
Router1(config-if)#crypto map TUNNELMAP
Router1(config-if)#exit
Router1(config)#access-list 101 permit gre host 172.16.2.1 host 172.16.1.1
Router1(config)#access-list 101 permit esp host 172.16.2.1 host 172.16.1.1
Router1(config)#access-list 101 permit udp host 172.16.2.1 host 172.16.1.1 eq isakmp
Router1(config)#access-list 101 permit ahp host 172.16.2.1 host 172.16.1.1
Router1(config)#access-list 101 deny ip any any log
Router1(config)#interface Loopback0
Router1(config-if)#ip address 192.168.16.1 255.255.255.0
Router1(config-if)#exit
Router1(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.2
Router1(config)#ip route 192.168.15.0 255.255.255.0 192.168.1.2
Router1(config)#end
Router1#
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#crypto isakmp policy 10
Router2(config-isakmp)#encr aes 256
Router2(config-isakmp)#authentication pre-share
Router2(config-isakmp)#group 2
Router2(config-isakmp)#exit
Router2(config)#crypto isakmp key TUNNELKEY01 address 172.16.1.1
Router2(config)#crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-aes 256
Router2(cfg-crypto-trans)#mode transport
Router2(cfg-crypto-trans)#exit
Router2(config)#crypto map TUNNELMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Router2(config-crypto-map)#set peer 172.16.1.1
Router2(config-crypto-map)#set transform-set TUNNEL-TRANSFORM
Router2(config-crypto-map)#match address 102
Router2(config-crypto-map)#exit
Router2(config)#access-list 102 permit gre host 172.16.2.1 host 172.16.1.1
Router2(config)#interface Tunnel1
Router2(config-if)#ip address 192.168.1.2 255.255.255.252
Router2(config-if)#tunnel source 172.16.2.1
Router2(config-if)#tunnel destination 172.16.1.1
Router2(config-if)#exit
Router2(config)#interface FastEthernet0/0
Router2(config-if)#ip address 172.16.2.1 255.255.255.0
Router2(config-if)#ip access-group 101 in
Router2(config-if)#crypto map TUNNELMAP
Router2(config-if)#exit
Router2(config)#access-list 101 permit gre host 172.16.1.1 host 172.16.2.1
Router2(config)#access-list 101 permit esp host 172.16.1.1 host 172.16.2.1
Router2(config)#access-list 101 permit udp host 172.16.1.1 host 172.16.2.1 eq isakmp
Router2(config)#access-list 101 permit ahp host 172.16.1.1 host 172.16.2.1
Router2(config)#access-list 101 deny ip any any log
Router2(config)#interface Loopback0
Router2(config-if)#ip address 192.168.15.1 255.255.255.0
Router2(config-if)#exit
Router2(config)#ip route 0.0.0.0 0.0.0.0 172.16.2.2
Router2(config)#ip route 192.168.16.0 255.255.255.0 192.168.1.1
Router2(config)#end
Router2#
Note: The first step is to define a suitable ISAKMP key-exchange policy. When the two sides negotiate SA parameters they start from the policy with the lowest priority number; use show crypto isakmp policy to view the current policies. Next, define the initial key with crypto isakmp key; it can be tied to an IP address or to a hostname, and if it is tied to a hostname the peer must be configured with crypto isakmp identity hostname; verify with show crypto isakmp key. show crypto isakmp sa shows the state of the negotiated ISAKMP SAs, and the resulting IPSec SAs are shown by show crypto ipsec sa. The next step is to define the IPSec transform set, which specifies how matching packets are processed, and to set the IPSec mode: the default is tunnel mode, and transport mode is used for GRE. A GRE tunnel is simpler and more flexible than a plain IPSec tunnel; for example, it can carry dynamic routing protocols. Finally, the crypto map ties everything together. Note that the crypto map is applied to the interface that receives the GRE packets, not to the tunnel interface.
show crypto engine connections active shows the current connections
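The note's last point, that the crypto map belongs on the physical interface and that both sides must mirror each other, is easy to get wrong by hand. The following added Python audit (not code from the page or the cookbook) parses constructed running-config excerpts modelled on the 12.5 configurations and reports a crypto map applied to the Tunnel interface, a pre-shared key that differs between the peers, and a crypto ACL the peer does not mirror; it understands only the handful of statements shown.

```python
import re

# Constructed running-config excerpts in the shape of recipe 12.5 (not the page's
# own transcript), trimmed to the statements the audit inspects.
R1 = """\
crypto isakmp key TUNNELKEY01 address 172.16.2.1 no-xauth
crypto map TUNNELMAP 10 ipsec-isakmp
 set peer 172.16.2.1
 match address 102
access-list 102 permit gre host 172.16.1.1 host 172.16.2.1
interface Tunnel1
 tunnel source 172.16.1.1
 tunnel destination 172.16.2.1
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 crypto map TUNNELMAP
"""
R2 = """\
crypto isakmp key TUNNELKEY01 address 172.16.1.1
crypto map TUNNELMAP 10 ipsec-isakmp
 set peer 172.16.1.1
 match address 102
access-list 102 permit gre host 172.16.2.1 host 172.16.1.1
interface Tunnel1
 tunnel source 172.16.2.1
 tunnel destination 172.16.1.1
interface FastEthernet0/0
 ip address 172.16.2.1 255.255.255.0
 crypto map TUNNELMAP
"""
SUBMODE = re.compile(r"(set peer|match address|ip address|tunnel source|tunnel destination|crypto map) (\S+)")


def parse_router(text):
    """Pull the isakmp keys, crypto maps, interfaces and crypto ACLs out of a config."""
    cfg = {"keys": {}, "maps": {}, "ifaces": {}, "acls": {}}
    block = None
    for raw in text.splitlines():
        if raw.startswith(" "):                      # sub-mode line of the open block
            m = SUBMODE.match(raw.strip())
            if block is not None and m:
                block[m.group(1)] = m.group(2)
            continue
        block = None
        if m := re.match(r"crypto isakmp key (\S+) address (\S+)", raw):
            cfg["keys"][m.group(2)] = m.group(1)
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", raw):
            block = cfg["maps"].setdefault(m.group(1), {})
        elif m := re.match(r"interface (\S+)", raw):
            block = cfg["ifaces"].setdefault(m.group(1), {})
        elif m := re.match(r"access-list (\d+) (permit|deny) (\S+) host (\S+) host (\S+)", raw):
            cfg["acls"].setdefault(m.group(1), []).append(m.group(2, 3, 4, 5))
    return cfg


def audit(local, peer):
    """Return findings for local's side of the pair; an empty list means consistent."""
    findings = []
    tunnels = {n: b for n, b in local["ifaces"].items() if "tunnel source" in b}
    my_addrs = {b["ip address"] for b in local["ifaces"].values() if "ip address" in b}
    for name, cmap in local["maps"].items():
        applied = [n for n, b in local["ifaces"].items() if b.get("crypto map") == name]
        if not applied:
            findings.append(f"{name}: not applied to any interface")
        for ifname in applied:
            if ifname in tunnels:
                findings.append(f"{name}: applied to {ifname}; apply it to the interface "
                                "that carries the GRE packets, not to the tunnel")
            elif local["ifaces"][ifname].get("ip address") not in {t["tunnel source"] for t in tunnels.values()}:
                findings.append(f"{name}: {ifname} is not a tunnel source interface")
        peer_addr = cmap.get("set peer")
        if not any(t.get("tunnel destination") == peer_addr for t in tunnels.values()):
            findings.append(f"{name}: set peer {peer_addr} is not a tunnel destination")
        # both sides must hold the same pre-shared key for each other's address
        if local["keys"].get(peer_addr) is None or not any(
                peer["keys"].get(a) == local["keys"][peer_addr] for a in my_addrs):
            findings.append(f"{name}: pre-shared key for {peer_addr} missing or differs from peer's")
        # the peer's crypto ACL must mirror ours: same protocol, source and destination swapped
        theirs = [e for pm in peer["maps"].values() if pm.get("set peer") in my_addrs
                  for e in peer["acls"].get(pm.get("match address"), [])]
        for action, proto, src, dst in local["acls"].get(cmap.get("match address"), []):
            if (action, proto, dst, src) not in theirs:
                findings.append(f"{name}: peer has no mirror of '{action} {proto} host {src} host {dst}'")
    return findings
```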
12.6. Creating an Encrypted VPN Between the LAN Interfaces of Two Routers
Problem: Create an encrypted VPN between the LAN interfaces of two Internet-connected routers using a pre-shared key
Solution
R1
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#crypto isakmp policy 10
Router1(config-isakmp)#encr aes 256
Router1(config-isakmp)#authentication pre-share
Router1(config-isakmp)#group 2
Router1(config-isakmp)#exit
Router1(config)#crypto isakmp key TUNNELKEY01 address 172.16.2.1 no-xauth
Router1(config)#crypto ipsec transform-set LAN2LAN-TRANSFORM ah-sha-hmac esp-aes 256
Router1(cfg-crypto-trans)#exit
Router1(config)#access-list 102 permit gre host 172.16.1.1 host 172.16.2.1
Router1(config)#crypto map LAN2LANMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Router1(config-crypto-map)#set peer 172.16.2.1
Router1(config-crypto-map)#set transform-set LAN2LAN-TRANSFORM
Router1(config-crypto-map)#match address 103
Router1(config-crypto-map)#exit
Router1(config)#access-list 103 permit ip 192.168.16.0 0.0.0.255 192.168.15.0 0.0.0.255
Router1(config)#interface FastEthernet0/1
Router1(config-if)#ip address 192.168.16.1 255.255.255.0
Router1(config-if)#exit
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip address 172.16.1.1 255.255.255.0
Router1(config-if)#ip access-group 101 in
Router1(config-if)#crypto map LAN2LANMAP
Router1(config-if)#exit
Router1(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.2
Router1(config)#access-list 101 permit esp host 172.16.2.1 host 172.16.1.1
Router1(config)#access-list 101 permit udp host 172.16.2.1 host 172.16.1.1 eq isakmp
Router1(config)#access-list 101 permit ahp host 172.16.2.1 host 172.16.1.1
Router1(config)#access-list 101 deny ip any any log
Router1(config)#end
Router1#
R2
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#crypto isakmp policy 10
Router2(config-isakmp)#encr aes 256
Router2(config-isakmp)#authentication pre-share
Router2(config-isakmp)#group 2
Router2(config-isakmp)#exit
Router2(config)#crypto isakmp key TUNNELKEY01 address 172.16.1.1
Router2(config)#crypto ipsec transform-set LAN2LAN-TRANSFORM ah-sha-hmac esp-aes 256
Router2(cfg-crypto-trans)#exit
Router2(config)#crypto map LAN2LANMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Router2(config-crypto-map)#set peer 172.16.1.1
Router2(config-crypto-map)#set transform-set LAN2LAN-TRANSFORM
Router2(config-crypto-map)#match address 103
Router2(config-crypto-map)#exit
Router2(config)#access-list 103 permit ip 192.168.15.0 0.0.0.255 192.168.16.0 0.0.0.255
Router2(config)#interface FastEthernet0/1
Router2(config-if)#description Internal LAN
Router2(config-if)#ip address 192.168.15.1 255.255.255.0
Router2(config-if)#exit
Router2(config)#interface FastEthernet0/0
Router2(config-if)#description Connection to Internet
Router2(config-if)#ip address 172.16.2.1 255.255.255.0
Router2(config-if)#crypto map LAN2LANMAP
Router2(config-if)#exit
Router2(config)#ip route 0.0.0.0 0.0.0.0 172.16.2.2
Router2(config)#access-list 101 permit esp host 172.16.1.1 host 172.16.2.1
Router2(config)#access-list 101 permit udp host 172.16.1.1 host 172.16.2.1 eq isakmp
Router2(config)#access-list 101 permit ahp host 172.16.1.1 host 172.16.2.1
Router2(config)#access-list 101 deny ip any any log
Router2(config)#end
Router2#
Note: The difference from the previous recipe is that 12.5 builds a routable encrypted VPN. The previous recipe configured mode transport; here the IPSec default, tunnel mode, is used. In the ACLs, the previous recipe permits GRE packets, whereas here it is the traffic between the internal LAN interfaces, so here the two sites are bridged while in 12.5 they are routed. We usually prefer the routed approach.
12.7. Generating RSA Keys
Problem: Generate RSA keys to share for encryption or authentication
Solution
First generate the router's own public key on R1
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#crypto key generate rsa
The name for the keys will be: Router1.oreilly.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
Generating RSA keys ...
[OK]
Router1(config)#end
Router1#show crypto key mypubkey rsa
% Key pair was generated at: 01:19:45 EST Mar 1 2003
Key name: Router1.oreilly.com
Usage: General Purpose Key
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E68338
D561B2D1 7B8B75D6 7B34F6AF 1710B00B 5B6E9E8D D7183BE6 F08A6342 054EADFC
B764DF9C 4592B891 522727F2 14233B47 8F757134 24F03DB3 833C5988 312B11E9
FB6E0E20 4579C0A4 F2062353 4F1C8CE4 410EE57B 9FCEE784 DA7E3852 408E9742
2584DF56 67293F3F F76B6A96 C4D518FB 1A0114BF E2449838 BE5794E2 37020301 0001
% Key pair was generated at: 01:19:52 EST Mar 1 2003
Key name: Router1.oreilly.com.server
Usage: Encryption Key
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00BD928A BD5637E6
2265621C 3AC57138 911CA27D 11F40AA1 E657EA26 6EBF654C 952A3319 D421A33C
E2ECA87E CD7E050C 8A8FE64D B73954EA BF2ED639 BC6A8F74 5B9550EA 4119E796
A97430E2 4B1BF7D3 ED1469FF AEA83690 A0FEA871 BBFBE8AD 19020301 0001
Router1#
Then copy and paste it into the peer router
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#crypto key pubkey-chain rsa
Router2(config-pubkey-chain)#addressed-key 192.168.99.1
Router2(config-pubkey-key)#address 192.168.99.1
Router2(config-pubkey-key)#key-string
Enter a public key as a hexidecimal number ....
Router2(config-pubkey)#30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E68338
Router2(config-pubkey)#D561B2D1 7B8B75D6 7B34F6AF 1710B00B 5B6E9E8D D7183BE6 F08A6342 054EADFC
Router2(config-pubkey)#B764DF9C 4592B891 522727F2 14233B47 8F757134 24F03DB3 833C5988 312B11E9
Router2(config-pubkey)#FB6E0E20 4579C0A4 F2062353 4F1C8CE4 410EE57B 9FCEE784 DA7E3852 408E9742
Router2(config-pubkey)#2584DF56 67293F3F F76B6A96 C4D518FB 1A0114BF E2449838 BE5794E2 37020301 0001
Router2(config-pubkey)#quit
Router2(config-pubkey-key)#exit
Router2(config-pubkey-chain)#exit
Router2(config)#end
Router2#show crypto key pubkey-chain rsa address 192.168.99.1
Key address: 192.168.99.1
Usage: General Purpose Key
Source: Manually entered
Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E68338
D561B2D1 7B8B75D6 7B34F6AF 1710B00B 5B6E9E8D D7183BE6 F08A6342 054EADFC
B764DF9C 4592B891 522727F2 14233B47 8F757134 24F03DB3 833C5988 312B11E9
FB6E0E20 4579C0A4 F2062353 4F1C8CE4 410EE57B 9FCEE784 DA7E3852 408E9742
2584DF56 67293F3F F76B6A96 C4D518FB 1A0114BF E2449838 BE5794E2 37020301 0001
Router2#
Note: Because the key contains the router name and domain name, these must be configured first:
Router1(config)#hostname Router1
Router1(config)#ip domain-name oreilly.com
If either of these is changed afterwards, the key becomes invalid. Use crypto key zeroize rsa to delete the current keys.
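Before trusting a key-string pasted into Router2, the operator should confirm it is byte-for-byte the key Router1 displayed. As an added example (not code from the page or the cookbook), this Python decodes the hex IOS prints as a DER SubjectPublicKeyInfo, reports the modulus size and public exponent, and compares fingerprints so that a transcription error or a truncated paste is caught; the hex is Router1's General Purpose key from the output above.

```python
import hashlib

# Hex exactly as Router1 printed it in "show crypto key mypubkey rsa" above
# (the General Purpose key); Router2's key-string paste must reproduce it.
ROUTER1_KEY_HEX = """
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E68338
D561B2D1 7B8B75D6 7B34F6AF 1710B00B 5B6E9E8D D7183BE6 F08A6342 054EADFC
B764DF9C 4592B891 522727F2 14233B47 8F757134 24F03DB3 833C5988 312B11E9
FB6E0E20 4579C0A4 F2062353 4F1C8CE4 410EE57B 9FCEE784 DA7E3852 408E9742
2584DF56 67293F3F F76B6A96 C4D518FB 1A0114BF E2449838 BE5794E2 37020301 0001
"""

RSA_OID = bytes.fromhex("2A864886F70D010101")   # 1.2.840.113549.1.1.1 rsaEncryption


def der_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                            # long form: count of length bytes
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + length], pos + length


def parse_ios_rsa_pubkey(hex_text):
    """Decode the SubjectPublicKeyInfo IOS prints; return modulus, exponent, size."""
    der = bytes.fromhex("".join(hex_text.split()))
    tag, spki, end = der_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single, complete DER SEQUENCE")
    tag, alg, pos = der_tlv(spki)                # AlgorithmIdentifier
    oid_tag, oid, _ = der_tlv(alg)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = der_tlv(spki, pos)          # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsakey, _ = der_tlv(bitstr, 1)
    _, n_bytes, pos = der_tlv(rsakey)
    _, e_bytes, _ = der_tlv(rsakey, pos)
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return {"modulus": n, "exponent": e, "bits": n.bit_length(),
            "sha256": hashlib.sha256(der).hexdigest()}


def key_matches(displayed_hex, pasted_hex):
    """True only if the pasted key-string is byte-for-byte the displayed key."""
    try:
        a, b = parse_ios_rsa_pubkey(displayed_hex), parse_ios_rsa_pubkey(pasted_hex)
    except (ValueError, IndexError):
        return False
    return a["sha256"] == b["sha256"]
```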
12.8. Creating a Router-to-Router VPN with RSA Keys
Problem: Create an encrypted VPN using RSA keys
Solution
R1
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#crypto key pubkey-chain rsa
Router1(config-pubkey-chain)#addressed-key 172.16.2.1
Router1(config-pubkey-key)#address 172.16.2.1
Router1(config-pubkey-key)#key-string
Enter a public key as a hexidecimal number ....
Router1(config-pubkey)#30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00EB0AB2
Router1(config-pubkey)#EA33B519 0CD95EFF EDFD4723 BED73640 97981CC0 1FC83FBF 5C6DF97C 8CB8CE0A
Router1(config-pubkey)#C5FE959D 1E055002 83B92EF4 35B69545 C3217E5F E0C32A73 44FD2373 15979E77
Router1(config-pubkey)#75598BE0 B4A4E7B2 3C318C2D 3BF3B192 8B71D8C9 A1E0F929 0E84BDAD EC909833
Router1(config-pubkey)#BC425170 400BD26A 319E632F 4E9649F5 BA7ADA40 5A94B09C 05F8414E 33020301 0001
Router1(config-pubkey)#quit
Router1(config-pubkey-key)#exit
Router1(config-pubkey-chain)#exit
Router1(config)#crypto isakmp policy 100
Router1(config-isakmp)#encryption aes 256
Router1(config-isakmp)#authentication rsa-encr
Router1(config-isakmp)#group 2
Router1(config-isakmp)#exit
Router1(config)#crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-aes 256
Router1(cfg-crypto-trans)#mode transport
Router1(cfg-crypto-trans)#exit
Router1(config)#crypto map TUNNEL-RSA 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Router1(config-crypto-map)#set peer 172.16.2.1
Router1(config-crypto-map)#set transform-set TUNNEL-TRANSFORM
Router1(config-crypto-map)#match address 102
Router1(config-crypto-map)#exit
Router1(config)#access-list 102 permit gre host 172.16.1.1 host 172.16.2.1
Router1(config)#interface Tunnel1
Router1(config-if)#ip address 192.168.1.1 255.255.255.252
Router1(config-if)#tunnel source 172.16.1.1
Router1(config-if)#tunnel destination 172.16.2.1
Router1(config-if)#exit
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip address 172.16.1.1 255.255.255.0
Router1(config-if)#ip access-group 101 in
Router1(config-if)#crypto map TUNNEL-RSA
Router1(config-if)#exit
Router1(config)#access-list 101 permit gre host 172.16.2.1 host 172.16.1.1
Router1(config)#access-list 101 permit esp host 172.16.2.1 host 172.16.1.1
Router1(config)#access-list 101 permit udp host 172.16.2.1 host 172.16.1.1 eq isakmp
Router1(config)#access-list 101 permit ahp host 172.16.2.1 host 172.16.1.1
Router1(config)#access-list 101 deny ip any any log
Router1(config)#end
Router1#
R2
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#crypto key pubkey-chain rsa
Router2(config-pubkey-chain)#addressed-key 172.16.1.1
Router2(config-pubkey-key)#address 172.16.1.1
Router2(config-pubkey-key)#key-string
Enter a public key as a hexidecimal number ....
Router2(config-pubkey)#30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00A0830E
Router2(config-pubkey)#01E4B6E1 08823E41 8A98A7F4 DB0E6277 1E7AA500 F7B620CA 49BCBEBA B0A0455A
Router2(config-pubkey)#114BA6B9 5ADE0D2E 7DC3EFC1 D7D07015 01C83E08 7305ED3C 71F04B44 31A1C574
Router2(config-pubkey)#C0E6ACA2 C191DB07 3D347F88 2D2884BF 99C2AF80 45BC1BE9 6D2BF684 B60C04E6
Router2(config-pubkey)#0F3D5C09 7C26694F 8FB75F90 2FA1DF46 94401D54 82ACA366 E621DD04 4B020301 0001
Router2(config-pubkey)#quit
Router2(config-pubkey-key)#exit
Router2(config-pubkey-chain)#exit
Router2(config)#crypto isakmp policy 100
Router2(config-isakmp)#encryption aes 256
Router2(config-isakmp)#authentication rsa-encr
Router2(config-isakmp)#group 2
Router2(config-isakmp)#exit
Router2(config)#crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-aes 256
Router2(cfg-crypto-trans)#mode transport
Router2(cfg-crypto-trans)#exit
Router2(config)#crypto map TUNNEL-RSA 10 ipsec-isakmp
Router2(config-crypto-map)#set peer 172.16.1.1
Router2(config-crypto-map)#set transform-set TUNNEL-TRANSFORM
Router2(config-crypto-map)#match address 102
Router2(config-crypto-map)#exit
Router2(config)#access-list 102 permit gre host 172.16.2.1 host 172.16.1.1
Router2(config)#interface Tunnel1
Router2(config-if)#ip address 192.168.1.2 255.255.255.252
Router2(config-if)#tunnel source 172.16.2.1
Router2(config-if)#tunnel destination 172.16.1.1
Router2(config-if)#exit
Router2(config)#interface FastEthernet0/0
Router2(config-if)#ip address 172.16.2.1 255.255.255.0
Router2(config-if)#ip access-group 101 in
Router2(config-if)#crypto map TUNNEL-RSA
Router2(config-if)#exit
Router2(config)#access-list 101 permit gre host 172.16.1.1 host 172.16.2.1
Router2(config)#access-list 101 permit esp host 172.16.1.1 host 172.16.2.1
Router2(config)#access-list 101 permit udp host 172.16.1.1 host 172.16.2.1 eq isakmp
Router2(config)#access-list 101 permit ahp host 172.16.1.1 host 172.16.2.1
Router2(config)#access-list 101 deny ip any any log
Router2(config)#end
Router2#
Note: Similar to 12.3 and 12.6
12.9. Creating a Host-to-Router VPN
Problem: Set up a VPN connection from a remote host to the router
Solution
Only the router configuration is shown; the client software on the host is not covered
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#aaa new-model
Router1(config)#aaa authentication login default group tacacs+
Router1(config)#aaa authentication enable default group tacacs+
Router1(config)#tacacs-server host 172.25.1.1
Router1(config)#tacacs-server key NEOSHI
Router1(config)#crypto isakmp policy 10
Router1(config-isakmp)#encryption 3des
Router1(config-isakmp)#authentication pre-share
Router1(config-isakmp)#group 2
Router1(config-isakmp)#exit
Router1(config)#crypto ipsec transform-set VPN-TRANSFORMS ah-sha-hmac esp-sha-hmac esp-3des
Router1(cfg-crypto-trans)#mode tunnel
Router1(cfg-crypto-trans)#exit
Router1(config)#crypto dynamic-map VPN-USER-MAP 50
Router1(config-crypto-map)#description A dynamic crypto map for VPN users
Router1(config-crypto-map)#match address 115
Router1(config-crypto-map)#set transform-set VPN-TRANSFORMS
Router1(config-crypto-map)#exit
Router1(config)#access-list 115 deny any 224.0.0.0 35.255.255.255
Router1(config)#access-list 115 deny any 172.25.1.255 0.0.0.0
Router1(config)#access-list 115 permit any any
Router1(config)#crypto map CRYPTOMAP 10 ipsec-isakmp dynamic VPN-USER-MAP
Router1(config)#interface FastEthernet0/1
Router1(config-if)#ip address 172.25.1.5 255.255.255.0
Router1(config-if)#crypto map CRYPTOMAP
Router1(config-if)#exit
Router1(config)#exit
Router1#
Note: Because the hosts may connect from any address, dynamic crypto maps are used here.
12.10. Creating an SSL VPN
Problem: Create an SSL VPN using the router's WebVPN service
Solution
Core#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Core(config)#hostname Core
Core(config)#ip domain-name oreilly.com
Core(config)#aaa new-model
Core(config)#aaa authentication login local_auth local
Core(config)#username ijbrown secret ianspassword
Core(config)#username kdooley secret kevinspassword
Core(config)#crypto pki trustpoint WEBVPN
Core(ca-trustpoint)#enrollment selfsigned
Core(ca-trustpoint)#rsakeypair WEBVPN 1024
Core(ca-trustpoint)#subject-name CN=WEBVPN OU=cookbooks O=oreilly
Core(ca-trustpoint)#exit
Core(config)#crypto pki enroll WEBVPN
The router has already generated a Self Signed Certificate for
trustpoint TP-self-signed-3299111097.
If you continue the existing trustpoint and Self Signed Certificate
will be deleted.
Do you want to continue generating a new Self Signed Certificate? [yes/no]:yes
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes
Router Self Signed Certificate successfully created
Core(config)#interface Loopback0
Core(config-if)#ip address 172.25.100.2 255.255.255.255
Core(config-if)#exit
Core(config)#webvpn enable gateway-addr 172.25.100.2
Core(config)#webvpn
Core(config-webvpn)#ssl trustpoint WEBVPN
Core(config-webvpn)#ssl encryption 3des-sha1
Core(config-webvpn)#title "Cisco Cookbook WebVPN Portal"
Core(config-webvpn)#url-list COOKBOOKURLS
Core(config-webvpn-url)#heading "Cookbook URLs"
Core(config-webvpn-url)#url-text "Cisco Cookbook" url-value "http://www.oreilly.com/catalog/ciscockbk/"
Core(config-webvpn-url)#url-text "Perl Cookbook" url-value "http://www.oreilly.com/catalog/perlckbk2/"
Core(config-webvpn-url)#heading "Cisco URLs"
Core(config-webvpn-url)#url-text "The Books" url-value "http://www.oreilly.com/pub/topic/cisco"
Core(config-webvpn-url)#exit
Core(config-webvpn)#port-forward list SERVERLOGIN local-port 20003 remote-server 172.25.1.1 remote-port 23
Core(config-webvpn)#exit
Core(config)#end
Core#
Note: WebVPN was introduced in 12.3(14)T, but only on specific platforms; it supports only SSLv3, not TLS, and does not support the Cisco SSL VPN client software. On the final port-forward configuration: once a user is connected to WebVPN, a telnet to local port 20003 is forwarded to port 23 on 172.25.1.1.
12.11. Viewing IPSec Status
Problem: Check VPN status
Solution
Show the ISAKMP security associations:
Router1#show crypto isakmp sa
Show the IPSec security associations:
Router1#show crypto ipsec sa
View the active IPSec connections:
Router1#show crypto engine connections active
View dropped packets:
Router1#show crypto engine connections dropped-packet
View the configured IPSec crypto maps:
Router1#show crypto map
For dynamic crypto maps:
Router1#show crypto dynamic-map