{"id":872,"date":"2012-08-07T21:37:00","date_gmt":"2012-08-07T13:37:00","guid":{"rendered":"http:\/\/note.systw.net\/note\/?p=872"},"modified":"2023-11-07T21:52:49","modified_gmt":"2023-11-07T13:52:49","slug":"cisco-vpn","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/872","title":{"rendered":"Cisco VPN"},"content":{"rendered":"\n

\u8a2d\u5b9aIPsec VPN<\/strong><\/p>\n\n\n\n

PART1:\u5b9a\u7fa9IKE<\/strong>

\u5b9a\u7fa9crypto isakmp policy(\u5169\u7aef\u9ede\u9700\u4e00\u81f4)
(config)# crypto isakmp policy < policy-id>
<\/strong>(config-isakmp)#authentication pre-share
<\/strong>(config-isakmp)#group < bit-type><\/strong>
\u3000 bit-type\u70ba1\u8868\u793a\u4f7f\u7528768bit key\uff0c2\u8868\u793a\u4f7f\u75281024bit key 
(config-isakmp)#encryption < encryption-method> \/\/optional <\/strong>
\u3000\u5e38\u898b\u7684\u65b9\u6cd5\u67093des,aes 128 
(config-isakmp)#lifetime 60 \/\/optional<\/strong>
\u3000\u9810\u8a2d\u70ba86400(1\u5929)\u3000
2
\u5b9a\u7fa9ISAKMP Pre-share key
(config)# crypto isakmp key < samekey> address < site-ip><\/strong><\/p>\n\n\n\n

PART2:\u5b9a\u7fa9IPsec<\/strong>
1
\u5b9a\u7fa9Transform Sets
(config)# crypto ipsec transform-set < transform-set-name> < para>
<\/strong>para\u5e38\u898b\u7684\u6709
esp-3des esp-sha-hmac
ah-md5-hmac esp-des esp-md5-hmac

\u5b9a\u7fa9crypto map
(config)# crypto map < crypt-name> < crypt-lifetime> ipsec-isakmp  (\u5169\u7aef\u9ede\u9700\u4e00\u81f4)
(config-crypto-map)# set peer < site-ip>
(config-crypto-map)# set transform-set < transform-set-name>
(config-crypto-map)# match address < acl>
<\/strong>\u3000acl\u6307\u5b9a\u53ef\u4f7f\u7528IPsec\u7684ip,\u50cf\u662faccess-list < acl> permit ip < src net> < dst net> 
(config-crypto-map)# set security-association lifetime seconds < sec> \/\/optional<\/strong>
3
\u5957\u7528crypto map\u5230\u4ecb\u9762\u4e0a
(config)# interface < int>
(config-if)# crypto map < crypt-name><\/strong>
\u5c01\u5305\u5f9e\u8a72\u4ecb\u9762\u96e2\u958b\u6642\u6703\u5957\u7528ipsec\u898f\u5247<\/p>\n\n\n\n

ex:
IPSEC VPN\u672c\u7aefsite\u70ba10.1.1.1,\u53e6\u4e00\u7aefsite\u70ba10.1.1.2
IKE\u90e8\u4efd,\u8981\u6c42policy\u70ba1,\u4f7f\u7528pre-share,isakmp key\u4f7f\u7528thisiskey
IPsec\u53ea\u5141\u8a31172.16.1.0\/24\u5230172.16.100.0\/24,\u7576\u8a72\u6d41\u91cf\u9032\u5165gi0\/1\u6642\u958b\u59cbipsec vpn

IKE
1.1
r1(config)# crypto isakmp policy 1
r1(config-isakmp)#authentication pre-share
1.2
r1(config)# crypto isakmp key thisiskey address 10.1.1.2

IPsec
2.1
(config)# crypto ipsec transform-set ts1 esp-3des esp-sha-hmac
2.2
(config)# crypto map is 10 ipsec-isakmp 
(config-crypto-map)# set peer 10.1.1.2
(config-crypto-map)# set transform-set ts1 
(config-crypto-map)# match address 101
(config)#access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.100.0 0.0.0.255 
2.3
(config)# interface gi0\/1
(config-if)# crypto map is<\/p>\n\n\n\n

\u986f\u793aIPsec\u8cc7\u8a0a
#show crypto isakmp sa<\/strong>
dst src state conn-id slot status
10.0.0.1 10.0.0.2 QM_IDLE 1 0 ACTIVE \/\/ip sec\u7684\u5169\u7aefsite ip 
ps:\u82e5\u672a\u6709\u6d41\u91cf\u4f7f\u7528IPsec,\u5247\u4e0d\u6703\u6709\u4efb\u4f55\u8a0a\u606f\u986f\u793a\u3000<\/p>\n\n\n\n

\u986f\u793aipsec\u5b89\u5168\u6027\u76f8\u95dc\u8a2d\u5b9a 
#show crypto ipsec sa<\/strong><\/p>\n\n\n\n

\u986f\u793a\u6240\u6709ipsec\u3000session\u8cc7\u8a0a
#show crypto engine connections active<\/strong>
\u756b\u9762\u5927\u81f4\u5982\u4e0b
ID Interface IP-Address State Algorithm Encrypt Decrypt
1 Serial1\/0 10.0.0.1 set HMAC_SHA+3DES_56_C 0 0
2001 Serial1\/0 10.0.0.1 set AES+SHA 28 0
2002 Serial1\/0 10.0.0.1 set AES+SHA 0 0<\/p>\n\n\n\n

\u986f\u793a\u52a0\u5bc6\u7684\u5c0d\u61c9
#show crypto map<\/strong>
\u756b\u9762\u5927\u81f4\u5982\u4e0b
Crypto Map “SDM_CMAP_1” 1 ipsec-isakmp
\u3000Description: Tunnel to10.0.0.2
\u3000Peer = 10.0.0.2
\u3000Extended IP access list 100
\u3000\u3000access-list 100 permit gre host 10.0.0.1 host 10.0.0.2
\u3000Current peer: 10.0.0.2
\u3000Security association lifetime: 4608000 kilobytes\/3600 seconds
\u3000PFS (Y\/N): N
\u3000Transform sets={
\u3000\u3000TSHOOT-TRANSFORM,
\u3000}
\u3000Interfaces using crypto map SDM_CMAP_1:
\u3000\u3000Serial1\/0
\u3000\u3000Tunnel0<\/p>\n\n\n\n

\u986f\u793atunnel\u7684\u72c0\u614b\u53ca\u8cc7\u8a0a
#show interfaces tunnel < id>\u00a0<\/strong><\/p>\n\n\n\n

……………………………………………………………………………………<\/p>\n\n\n\n

\u8a2d\u5b9aGRE\u00a0<\/strong>\u00a0<\/p>\n\n\n\n

\u6b65\u9a5f\u5982\u4e0b\u00a0<\/p>\n\n\n\n

(config)#interface tunnel < tunnel-num><\/strong>
(config-if)#ip address < ip mask><\/strong>\u3000\u3000\/\/\u908f\u8f2f\u4e0a\u7684\u4f4d\u7f6e\u3000\u00a0
(config-if)#tunnel source < src-site-interface><\/strong>\u00a0\/\/\u5be6\u969b\u4e0a\u8655\u7406gre\u7684\u4f86\u6e90\u3000
(config-if)#tunnel destination < dst-site-ip><\/strong>\u3000\/\/\u5be6\u969b\u4e0a\u8655\u7406gre\u7684\u76ee\u5730\u3000
dst-site-ip\u7684\u4f4d\u7f6e\u9700\u548csrc-site-interface\u4e0a\u7684ip\u4f4d\u7f6e\u540c\u7db2\u6bb5
\u5c01\u5305\u5f9e\u8a72tunnel\u4ecb\u9762\u96e2\u958b\u6642\u6703\u5957\u7528GRE\u898f\u5247
ps:
tunnel source\u4e5f\u53ef\u4f7f\u7528loopback(config)# interface loopback < loopback-num>
(config-if)# ip address < ip mask>\u00a0\u00a0<\/p>\n\n\n\n

ex: 
r1 loopback ip\u6307\u5b9a\u70ba10.1.1.1 ,r2 loopback ip\u6307\u5b9a\u70ba10.1.1.9
r1 gre tunnel\u4ecb\u9762IP\u70ba10.9.2.11
(config)# interface loopback 1
(config-if)# ip address 10.1.1.1 255.255.255.0  2
(config)#interface tunnel 9
(config-if)#ip address 10.9.2.1 255.255.255.255
(config-if)#tunnel source loopback 1
(config-if)#tunnel destination 10.1.1.9 ex:
R1\u4ecb\u9762eth0:10.1.1.1\/24(\u9023\u63a5\u5167\u7db2) serial0:202.38.160.1\/24(\u9023\u63a5Internet)
R2\u4ecb\u9762eth0:10.3.1.1\/24(\u9023\u63a5\u5167\u7db2) serial0:192.15.135.80\/24(\u9023\u63a5Internet)
R1\u90e8\u4efd 
R1(config)#interface tunnel 0
R1(config-if)#ip address 10.2.1.1 255.255.255.0\u3000\u3000 
R1(config-if)#tunnel source serial0 \u3000
R1(config-if)#tunnel destination 192.15.135.80
R1(config)ip route 10.3.1.0 255.255.255.0 10.2.1.2
R2\u90e8\u4efd 
R2(config)#interface tunnel 0
R2(config-if)#ip address 10.2.1.2 255.255.255.0\u3000\u3000 
R2(config-if)#tunnel source serial0 \u3000
R2(config-if)#tunnel destination 202.38.160.1
R2(config)ip route 10.1.1.0 255.255.255.0 10.2.1.1<\/p>\n\n\n\n

ps:
\u4e0a\u8ff0\u7bc4\u4f8b\u4e4b\u4ecb\u9762\u5982\u72c0\u614b\u5982\u4e0b
R1# sh ip int brie<\/strong>
Interface IP-Address OK? Method Status Protocol
Ethernet0 10.1.1.1 YES manual up up
Serial0 202.38.160.1 YES manual up up \/\/\u5be6\u969b\u4e0a\u8655\u7406gre\u7684\u4f86\u6e90
Tunnel0 10.2.1.1 YES manual up up \/\/GRE\u908f\u8f2f\u4e0a\u7684\u4f4d\u7f6e<\/p>\n\n\n\n

…………………………………………………………………………………………………….\u00a0<\/p>\n\n\n\n

\u8a2d\u5b9aGRE\/IPsec tunnel<\/strong><\/p>\n\n\n\n

\u5176\u5c01\u5305\u67b6\u69cb\u70ba[IP for ipsec][ipsec][ [IP for gre][gre][\u539f\u59cbpacket] ]\u00a0\u00a0<\/p>\n\n\n\n

ex:
IKE\u90e8\u4efd,\u8981\u6c42policy\u70ba1,\u4f7f\u7528pre-share,isakmp key\u4f7f\u7528thisiskey
IPsec\u53ea\u5141\u8a3110.1.1.1\/24\u523010.1.1.2\/24,\u7576\u8a72\u6d41\u91cf\u9032\u5165r1\u7684loopback1\u6642\u958b\u59cbipsec vpn
IPSEC VPN\u672c\u7aefsite\u70ba10.1.1.1(loopback1),\u53e6\u4e00\u7aefsite\u70ba10.1.1.2(loopback2)
r1 gre tunnel9\u4ecb\u9762IP\u70ba192.168.1.1,r2 gre tunnel9\u4ecb\u9762ip\u70ba192.168.1.2<\/p>\n\n\n\n

1
IKE
r1(config)# crypto isakmp policy 1
r1(config-isakmp)#authentication pre-share
r1(config)# crypto isakmp key thisiskey address 10.1.1.2<\/strong>
2
IPsec
(config)# crypto ipsec transform-set ts1 esp-3des esp-sha-hmac
(config)# crypto map is 10 ipsec-isakmp
(config-crypto-map)# set peer 10.1.1.2<\/strong>
(config-crypto-map)# set transform-set ts1
(config-crypto-map)# match address 101
(config)#access-list 101 permit ip 10.1.1.1 0.0.0.0 10.1.1.2 0.0.0.0  
3
GRE and IPsec
3.1
(config)# interface tunnel 9
(config-if)# crypto map is (config-if)#ip address 192.168.1.1<\/strong> 255.255.255.255
(config-if)#tunnel source loopback 1
(config-if)#tunnel destination 192.168.1.2<\/strong>
3.2
(config)# loopback 1
(config-if)# ip address 10.1.1.1 255.255.255.0<\/p>\n","protected":false},"excerpt":{"rendered":"

\u8a2d\u5b9aIPsec VPN PART1:\u5b9a\u7fa9IKE1  …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[31],"tags":[],"class_list":["post-872","post","type-post","status-publish","format-standard","hentry","category-cisco-security"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/872","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=872"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/872\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=872"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=872"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=872"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}