Lab 2: IPsec VPN Design and Application (Word format)
- Document ID: 20380476
- Uploaded: 2023-01-22
- Format: DOCX
- Pages: 17
- Size: 31.45 KB
R1(config-isakmp)#group 1
R1(config-isakmp)#exit
6. Configure the IPsec transform set, which is used in IKE phase 2 to negotiate the IPsec SA. It fixes the protection parameters to be negotiated: the security protocol (ESP and/or AH, optionally a compression protocol), the integrity (hash) algorithm and the encryption algorithm. This configuration uses ESP with DES for encryption and ESP with HMAC-MD5 for authentication and integrity, and selects tunnel mode, in which the whole original IP packet is encapsulated behind a new IP header. (DES, MD5 and DH group 1 appear here because the lab uses them; all three are deprecated and should not be used outside a lab. Current practice is AES with SHA-2 and DH group 14 or stronger.)
R1(config)#crypto ipsec transform-set TRAN esp-des esp-md5-hmac
R1(cfg-crypto-trans)#mode tunnel
R1(cfg-crypto-trans)#exit
7. Configure the crypto access control list, which specifies which traffic must be encrypted; this is also called defining the IPsec "interesting traffic". The peer's list must be the exact mirror image (source and destination swapped), otherwise the proxy identities offered in phase 2 are rejected.
R1(config)#access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
8. Configure the crypto map, which ties together the peer, the transform set and the crypto ACL.
R1(config)#crypto map vpn_to_R2 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R1(config-crypto-map)#set peer 200.1.1.2
R1(config-crypto-map)#set transform-set TRAN
R1(config-crypto-map)#match address 100
R1(config-crypto-map)#exit
R1(config)#exit
R1#
9. Apply the crypto map to the interface on which the tunnel is to be established (the outside interface facing the peer).
R1(config)#interface f0/0
R1(config-if)#crypto map vpn_to_R2
R1(config-if)#exit
10. Configure IKE phase 1 and phase 2 on R2 in the same way. R2's policy is numbered 2 while R1's is numbered 1; the priority number is local to each router, and IKE matches policies on their parameters (encryption, hash, authentication, DH group), which must agree. The pre-shared key must be identical on both sides, and the address given with each key must be the other side's peer address.
R2(config)#crypto isakmp enable
R2(config)#crypto isakmp key 6 testkey address 200.1.1.1
R2(config)#crypto isakmp policy 2
R2(config-isakmp)#hash md5
R2(config-isakmp)#encryption des
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#lifetime 86400
R2(config-isakmp)#group 1
R2(config-isakmp)#exit
R2(config)#crypto ipsec transform-set TRAN esp-des esp-md5-hmac
R2(cfg-crypto-trans)#mode tunnel
R2(cfg-crypto-trans)#exit
R2(config)#access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
R2(config)#crypto map vpn_to_R1 10 ipsec-isakmp
R2(config-crypto-map)#set peer 200.1.1.1
R2(config-crypto-map)#set transform-set TRAN
R2(config-crypto-map)#match address 100
R2(config-crypto-map)#exit
R2(config)#interface f0/0
R2(config-if)#crypto map vpn_to_R1
R2(config-if)#exit
11. Enable ISAKMP and IPsec debugging on R1.
R1#debug crypto isakmp
Crypto ISAKMP debugging is on
R1#debug crypto ipsec
Crypto IPSEC debugging is on
12. Confirm the ISAKMP policies on R1 and R2. The configured suite appears under its priority number; the "Default protection suite" is IOS's built-in lowest-priority policy, shown here only in part.
R1#show crypto isakmp policy

Global IKE policy
Protection suite of priority 1
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
R2#show crypto isakmp policy

Protection suite of priority 2
R2#
13. Display the ISAKMP pre-shared keys on R1 and R2 and confirm that both sides hold the same key, each bound to the other side's address.
R1#show crypto isakmp key
Keyring      Hostname/Address                            Preshared Key
default      200.1.1.2                                   testkey
R2#show crypto isakmp key
Keyring      Hostname/Address                            Preshared Key
default      200.1.1.1                                   testkey
14. Display the IPsec transform sets on R1 and R2.
R1#show crypto ipsec transform-set
Transform set TRAN: { esp-des esp-md5-hmac  }
   will negotiate = { Tunnel,  },
R2#show crypto ipsec transform-set
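The following consistency check is an added example and is not part of the lab handout. It parses the two routers' configuration text from steps 6 to 10 (only the commands the lab uses) and checks mechanically what steps 12 to 14 verify by eye: that an ISAKMP policy on each side agrees on encryption, hash, authentication and DH group (the priority numbers 1 and 2 need not match), that the pre-shared keys are identical and bound to each other's peer address, that the transform sets named in the crypto maps are identical in transforms and mode, and that the crypto ACLs are mirror images. It also flags the deprecated algorithms the lab uses. The `ip address` line in the embedded configuration is an assumption (the lab text never shows it); it follows from the other side's `set peer` and the debug output.

```python
"""Added example, not part of the lab handout: checks the R1/R2 ISAKMP and IPsec configuration
from steps 6-10 for what steps 12-14 verify by eye. Only the IOS commands the lab uses are parsed."""
import ipaddress

# What IOS assumes for a parameter that is not typed under 'crypto isakmp policy'.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
WEAK = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}  # deprecated algorithms
WEAK_GROUPS = {"1", "2", "5"}                                         # deprecated DH groups

# Constructed from the lab commands; the 'ip address' line is assumed (see lead-in), not from the lab.
R1_CONFIG = """
crypto isakmp policy 1
 encryption des
 hash md5
 authentication pre-share
 group 1
crypto isakmp key testkey address 200.1.1.2
crypto ipsec transform-set TRAN esp-des esp-md5-hmac
 mode tunnel
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map vpn_to_R2 10 ipsec-isakmp
 set peer 200.1.1.2
 set transform-set TRAN
 match address 100
interface f0/0
 ip address 200.1.1.1 255.255.255.0
 crypto map vpn_to_R2
"""
# R2 is the mirror image: addresses swapped, ACL reversed, map name and policy priority changed.
R2_CONFIG = (R1_CONFIG.replace("200.1.1.2", "X").replace("200.1.1.1", "200.1.1.2").replace("X", "200.1.1.1")
             .replace("vpn_to_R2", "vpn_to_R1").replace("policy 1", "policy 2")
             .replace("192.168.0.0 0.0.0.255 192.168.1.0", "192.168.1.0 0.0.0.255 192.168.0.0"))


def _net(addr, wildcard):
    """IOS address + wildcard -> network; ipaddress reads a.b.c.d/0.0.0.255 as a hostmask but 0.0.0.0 as /0."""
    return ipaddress.ip_network(addr + ("/32" if wildcard == "0.0.0.0" else "/" + wildcard))

def _blocks(config):
    """Split IOS text into (top-level command tokens, [indented sub-command tokens]) pairs."""
    out = []
    for line in config.strip().splitlines():
        if line.startswith(" "):
            out[-1][1].append(line.split())
        else:
            out.append((line.split(), []))
    return out

def parse_ios(config):
    cfg = {"policies": {}, "keys": {}, "tsets": {}, "acls": {}, "maps": {}, "intfs": {}}
    for tok, sub in _blocks(config):
        head = " ".join(tok[:3])
        if head == "crypto isakmp policy":
            cfg["policies"][tok[3]] = {**ISAKMP_DEFAULTS, **{s[0]: s[1] for s in sub}}
        elif head == "crypto isakmp key":
            i = 4 if tok[3] in ("0", "6") else 3  # skip the optional key-type marker
            cfg["keys"][tok[i + 2]] = tok[i]      # peer address -> pre-shared key
        elif head == "crypto ipsec transform-set":
            cfg["tsets"][tok[3]] = {"transforms": frozenset(tok[4:]), "mode": dict(sub).get("mode", "tunnel")}
        elif tok[0] == "access-list" and tok[2:4] == ["permit", "ip"]:
            cfg["acls"].setdefault(tok[1], []).append((_net(tok[4], tok[5]), _net(tok[6], tok[7])))
        elif tok[:2] == ["crypto", "map"]:  # one sequence per map in this lab
            cfg["maps"][tok[2]] = {" ".join(s[:-1]): s[-1] for s in sub}  # 'set peer' -> address, ...
        elif tok[0] == "interface":
            cfg["intfs"][tok[1]] = {s[1]: s[2] for s in sub if s[0] in ("ip", "crypto")}  # address, map
    return cfg

def _active(cfg):
    """Address of the interface that carries a crypto map, and that map's entry."""
    intf = next((i for i in cfg["intfs"].values() if "map" in i), {})
    return intf.get("address"), cfg["maps"].get(intf.get("map"), {})

def check_pair(cfg_a, cfg_b):
    """Return {'errors': [...], 'warnings': [...]}; with no errors the two SAs should negotiate."""
    a, b = parse_ios(cfg_a), parse_ios(cfg_b)
    errors, warnings = [], []
    (ip_a, map_a), (ip_b, map_b) = _active(a), _active(b)
    if map_a.get("set peer") != ip_b or map_b.get("set peer") != ip_a:
        errors.append("set peer does not point at the other side's crypto-map interface")
    # Phase 1: some policy on each side must agree on all four; the priority numbers are local only.
    pairs = [pa for pa in a["policies"].values() for pb in b["policies"].values()
             if all(pa[k] == pb[k] for k in ("encryption", "hash", "authentication", "group"))]
    if not pairs:
        errors.append("no ISAKMP policy pair agrees on encryption/hash/authentication/group")
    else:
        warnings += [f"ISAKMP {k} {pairs[0][k]} is deprecated" for k in ("encryption", "hash") if pairs[0][k] in WEAK]
        if pairs[0]["group"] in WEAK_GROUPS:
            warnings.append(f"DH group {pairs[0]['group']} is deprecated")
    if not a["keys"].get(ip_b) or a["keys"].get(ip_b) != b["keys"].get(ip_a):
        errors.append("pre-shared keys are missing or differ")
    # Phase 2: the transform sets named by the crypto maps must match in transforms and mode.
    ts_a, ts_b = a["tsets"].get(map_a.get("set transform-set")), b["tsets"].get(map_b.get("set transform-set"))
    if ts_a is None or ts_a != ts_b:
        errors.append("transform sets differ or are missing")
    elif ts_a["transforms"] & WEAK:
        warnings.append(f"deprecated transforms: {sorted(ts_a['transforms'] & WEAK)}")
    # Crypto ACLs must be exact mirror images, or a peer rejects the other's proxy identities.
    acl_a, acl_b = a["acls"].get(map_a.get("match address"), []), b["acls"].get(map_b.get("match address"), [])
    if not acl_a or set(acl_a) != {(d, s) for s, d in acl_b}:
        errors.append("crypto ACLs are not mirror images")
    return {"errors": errors, "warnings": warnings}
```

`check_pair(R1_CONFIG, R2_CONFIG)` returns no errors for the lab as configured and four warnings (DES, MD5, group 1, and the ESP transforms). Mistyping one network in R2's ACL, or one character of the key on one side, produces the corresponding error; these are exactly the two mistakes that most often leave a tunnel stuck in phase 2 or phase 1 respectively.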
15. From R1, use an extended ping to reach the private (loopback) address of R2; the first packet that matches ACL 100 triggers the IKE negotiation, which is what the debug output shows. Read the capture below with one caveat: the echoes are reported as sent to 192.168.1.1 from 172.16.1.1, and the IPSEC(sa_request) carries the proxy identities 172.16.0.0/16 and 192.168.0.0/16, which do not match ACL 100 (192.168.0.0/24 to 192.168.1.0/24) as configured above; the capture evidently comes from a run with different addressing. With ACL 100 as configured, expect local_proxy= 192.168.0.0/255.255.255.0 and remote_proxy= 192.168.1.0/255.255.255.0. The first echo is normally lost while IKE completes, which is why the success rate is 80 percent.
R1#ping
Protocol [ip]:
Target IP address: 192.168.1.254
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.0.254
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
*Jun  5 17:08:59.519: IPSEC(sa_request): (key eng. msg.) OUTBOUND local= 200.1.1.1, remote= 200.1.1.2,
    local_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4),
    protocol= ESP, transform= NONE (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jun  5 17:08:59.535: ISAKMP:(0): SA request profile is (NULL)
*Jun  5 17:08:59.539: Created a peer struct for 200.1.1.2, peer port 500
    New peer created peer = 0x653F9630 peer_handle = 0x80000005
*Jun  5 17:08:59.543: Locking peer struct 0x653F9630, refcount 1 for isakmp_initiator
*Jun  5 17:08:59.547: local port 500, remote port 500
    set new node 0 to QM_IDLE
*Jun  5 17:08:59.551: insert sa successfully sa = 65D68724
*Jun  5 17:08:59.555: Can not start Aggressive mode, trying Main mode.
    found peer pre-shared key matching 200.1.1.2
*Jun  5 17:08:59.559: constructed NAT-T vendor-07 ID
    constructed NAT-T vendor-03 ID
    constructed NAT-T vendor-02 ID
    Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    Old State = IKE_READY  New State = IKE_I_MM1
    beginning Main Mode exchange
    sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun  5 17:08:59.663: ISAKMP (0:0): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Jun  5 17:08:59.671: Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Old State = IKE_I_MM1  New State = IKE_I_MM2
*Jun  5 17:08:59.683: processing SA payload. message ID = 0
*Jun  5 17:08:59.687: processing vendor id payload
Success rate is 80 percent (4/5), round-trip min/avg/max = 36/53/64 ms
R1#
*Jun  5 17:          vendor ID seems Unity/DPD but major 245 mismatch
*Jun  5 17:08:59.691: vendor ID is NAT-T v7
*Jun  5 17:08:59.695: local preshared key found
    ISAKMP : Scanning profiles for xauth ...
*Jun  5 17:08:59.699: Checking ISAKMP transform 1 against priority 1 policy
    encryption DES-CBC
*Jun  5 17:08:59.703: hash MD5
    default group 1
*Jun  5 17:08:59.707: auth pre-share
*Jun  5 17:08:59.711: life type in seconds
    life duration (VPI) of 0x0 0x1 0x51 0x80
*Jun  5 17:08:59.719: atts are acceptable. Next payload is 0
*Jun  5 17:08:59.727: Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Old State = IKE_I_MM2  New State = IKE_I_MM2
    sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
    Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun  5 17:08:59.731: Old State = IKE_I_MM2  New State = IKE_I_MM3
*Jun  5 17:08:59.951: received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*Jun  5 17:08:59.959: Old State = IKE_I_MM3  New State = IKE_I_MM4
*Jun  5 17:08:59.975: processing KE payload. message ID = 0
*Jun  5 17:09:00.007: processing NONCE payload. message ID = 0
*Jun  5 17:09:00.019: ISAKMP:(1001): vendor ID is Unity
*Jun  5 17:09:00.023: vendor ID is DPD
*Jun  5 17:09:00.031: speaking to another IOS box!
    Old State = IKE_I_MM4  New State = IKE_I_MM4
    Send initial contact
    SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    ISAKMP (1001): ID payload
        next-payload : 8
        type         : 1
        address      : 200.1.1.1
        protocol     : 17
        port         : 500
        length       : 12
    Total payload length:
    sending packet
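The following parser is an added example, not from the lab handout. It reads `debug crypto isakmp` / `debug crypto ipsec` lines of the kind captured above (the embedded sample is constructed from that capture, re-spaced) and extracts the three things a troubleshooter looks for: the sequence of IKE states (Main Mode messages 1 to 4 are visible in the capture, that is the SA proposal and the Diffie-Hellman exchange, with the identity and authentication messages still to follow), whether the peer's proposal matched one of R1's ISAKMP policies (`atts are acceptable`), and the proxy identities R1 requested in the IPSEC(sa_request) message, compared against the networks of the crypto ACL. For this capture the comparison against ACL 100 fails, because the capture carries 172.16.0.0/16 and 192.168.0.0/16.

```python
"""Added example, not part of the lab handout: pulls IKE state progression, phase 1 proposal
acceptance and the requested proxy identities out of 'debug crypto isakmp/ipsec' output."""
import ipaddress
import re

# Constructed sample: the state-carrying lines of the capture above, re-spaced.
SAMPLE_DEBUG = """\
*Jun  5 17:08:59.519: IPSEC(sa_request): (key eng. msg.) OUTBOUND local= 200.1.1.1, remote= 200.1.1.2,
    local_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4),
    protocol= ESP, transform= NONE (Tunnel),
*Jun  5 17:08:59.555: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Jun  5 17:08:59.559: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jun  5 17:08:59.559: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Jun  5 17:08:59.671: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Jun  5 17:08:59.699: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Jun  5 17:08:59.719: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jun  5 17:08:59.727: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
*Jun  5 17:08:59.731: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
*Jun  5 17:08:59.959: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
*Jun  5 17:09:00.031: ISAKMP:(1001):Old State = IKE_I_MM4  New State = IKE_I_MM4
*Jun  5 17:09:00.031: ISAKMP:(1001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
"""

ST_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
PROXY_RE = re.compile(r"(local|remote)_proxy= (\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/(\d+)/(\d+)")

# Initiator-side meaning of each Main Mode state: IKE_I_MMn means message n has been sent/received.
MM_MEANING = {1: "SA proposal sent", 2: "peer's SA choice received", 3: "KE and nonce sent",
              4: "peer's KE and nonce received, DH shared secret available",
              5: "ID and HASH sent (encrypted)", 6: "peer's ID and HASH received; phase 1 complete"}


def state_path(log):
    """Distinct IKE states in order, with self-transitions (e.g. MM2 -> MM2) collapsed."""
    path = []
    for old, new in ST_RE.findall(log):
        for state in (old, new):
            if not path or path[-1] != state:
                path.append(state)
    return path


def main_mode_progress(log):
    """(role, highest Main Mode step seen, initiator-side meaning) or None if no MM state appears."""
    steps = [(m.group(1), int(m.group(2))) for m in re.finditer(r"IKE_([IR])_MM(\d)", log)]
    if not steps:
        return None
    role, step = max(steps, key=lambda rs: rs[1])
    return ("initiator" if role == "I" else "responder", step, MM_MEANING.get(step, ""))


def proposal_accepted(log):
    """True once the peer's SA payload matched one of our ISAKMP policies."""
    return "atts are acceptable" in log


def proxy_identities(log):
    """Traffic selectors requested in IPSEC(sa_request), as networks: {'local': ..., 'remote': ...}."""
    return {side: ipaddress.ip_network(f"{addr}/{mask}")  # the mask here is a netmask, not a wildcard
            for side, addr, mask, _proto, _port in PROXY_RE.findall(log)}


def proxies_match_acl(log, acl_src, acl_dst):
    """Do the sa_request proxies equal the crypto ACL's source and destination networks?"""
    ids = proxy_identities(log)
    return ids.get("local") == ipaddress.ip_network(acl_src) and ids.get("remote") == ipaddress.ip_network(acl_dst)
```

`state_path(SAMPLE_DEBUG)` gives IKE_READY, IKE_I_MM1, IKE_I_MM2, IKE_I_MM3, IKE_I_MM4, and `main_mode_progress` reports the initiator at step 4; a tunnel that never gets past MM2 with no `atts are acceptable` line points at a phase 1 policy mismatch, one stuck at MM5 at the pre-shared key or identity, and a phase 2 failure after a complete phase 1 is most often the proxy identities not matching the peer's crypto ACL, which `proxies_match_acl` makes visible.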