Lab 2: IPsec VPN Design and Application
Uploaded: 2023-01-22
I. Lab objectives:
1. Master IPsec tunnel configuration.
2. Understand in depth the IKE Phase 1 and Phase 2 negotiation process.
II. Lab topology:
(As the configuration below shows, R1 and R2 face each other across the 200.1.1.0 "Internet" link, R1 at 200.1.1.1 and R2 at 200.1.1.2, with the private network 192.168.0.0/24 behind R1 and 192.168.1.0/24 behind R2.)
Lab steps and requirements:
1. Configure the IP address of each router and use ping to confirm that each pair of directly connected interfaces can reach each other.
2. Configure static routes on R1 and R2 so that the Internet backbone is reachable end to end. A default route that names an Ethernet interface instead of a next-hop address works here only because the neighbouring router answers proxy ARP; pointing the route at the next-hop IP address is the more robust choice.
R1(config)#ip route 0.0.0.0 0.0.0.0 f0/0
R2(config)#ip route 0.0.0.0 0.0.0.0 f0/0
3. On R1, enable ISAKMP so that IKE Phase 1 policies can be used.
R1(config)#crypto isakmp enable
4. Configure the pre-shared key; it must be identical on both peer routers. The number after `key` is the encryption type of the key string that follows (0 = clear text, 6 = type-6 encrypted). In this lab the key is stored and displayed in clear text, as step 13 shows, so treat it as a lab-only secret.
R1(config)#crypto isakmp key 6 testkey address 200.1.1.2
5. Configure the ISAKMP policy used for the IKE Phase 1 negotiation.
Several ISAKMP policies can be configured locally. During negotiation with the peer, a policy whose attributes match one of the peer's policies is selected; the priority numbers do not have to agree on the two sides (R1 uses policy 1 below, R2 uses policy 2), since each router simply walks its own policies in priority order. DES, MD5 and Diffie-Hellman group 1 (768-bit) are used here only because the lab calls for them; none of them is acceptable for a production VPN, where AES, SHA-2 and DH group 14 or higher are the minimum.
R1(config)#
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#hash md5
R1(config-isakmp)#encryption des
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#lifetime 86400
R1(config-isakmp)#group 1
R1(config-isakmp)#exit
R1(config)#
6. Configure the IPsec transform set, which is used for the IPsec SA negotiation in IKE Phase 2.
It specifies the parameters to be negotiated: the security protocol (and optionally a compression protocol), the hash algorithm and the encryption algorithm.
This configuration uses ESP with DES for encryption and HMAC-MD5 for integrity to protect the data, and sets the transform set to tunnel mode.
R1(config)#crypto ipsec transform-set TRAN esp-des esp-md5-hmac
R1(cfg-crypto-trans)#mode tunnel
R1(cfg-crypto-trans)#exit
R1(config)#
7. Configure the crypto access control list, which identifies the traffic that must be encrypted; this is also called defining the IPsec "interesting traffic". The peer's ACL must be the exact mirror image (source and destination swapped), otherwise Phase 2 fails because the proxy identities offered by the two sides do not match.
R1(config)#access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
R1(config)#
8. Configure the crypto map, which ties the peer, the transform set and the crypto ACL together.
R1(config)#crypto map vpn_to_R2 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R1(config-crypto-map)#set peer 200.1.1.2
R1(config-crypto-map)#set transform-set TRAN
R1(config-crypto-map)#match address 100
R1(config-crypto-map)#exit
R1(config)#exit
R1#
9. Apply the crypto map to the interface on which the tunnel terminates (the outside interface facing the peer). A crypto map that is not bound to an interface never negotiates.
R1(config)#interface f0/0
R1(config-if)#crypto map vpn_to_R2
R1(config-if)#exit
R1(config)#
10. Configure IKE Phase 1 and Phase 2 on R2 in the same way. Only the peer address, the policy priority (2 instead of 1) and the direction of the crypto ACL differ.
R2(config)#crypto isakmp enable
R2(config)#
R2(config)#crypto isakmp key 6 testkey address 200.1.1.1
R2(config)#
R2(config)#crypto isakmp policy 2
R2(config-isakmp)#hash md5
R2(config-isakmp)#encryption des
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#lifetime 86400
R2(config-isakmp)#group 1
R2(config-isakmp)#exit
R2(config)#
R2(config)#crypto ipsec transform-set TRAN esp-des esp-md5-hmac
R2(cfg-crypto-trans)#mode tunnel
R2(cfg-crypto-trans)#exit
R2(config)#
R2(config)#access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
R2(config)#
R2(config)#crypto map vpn_to_R1 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R2(config-crypto-map)#set peer 200.1.1.1
R2(config-crypto-map)#set transform-set TRAN
R2(config-crypto-map)#match address 100
R2(config-crypto-map)#exit
R2(config)#interface f0/0
R2(config-if)#crypto map vpn_to_R1
R2(config-if)#exit
R2(config)#
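Before bringing the tunnel up it is worth checking that what one peer offers is exactly what the other expects. The following Python is an added example, not part of the lab handout: it parses the crypto-related lines of both routers' configuration (the strings are constructed from the commands in steps 3 to 10), simulates the ISAKMP policy selection, and reports the mismatches that stop Phase 1 or Phase 2 (different keys, peers that do not point at each other, differing transform sets, an un-mirrored crypto ACL, a map not bound to an interface). The parser recognises only the command forms used in this lab, and the matching rule it applies (the responder walks its policies by priority and the shorter lifetime wins) is IOS behaviour assumed by the example rather than something this page demonstrates.

```python
import re
from dataclasses import dataclass, field

# Constructed from the commands in steps 3-10; R2 is R1's mirror image (addresses
# swapped, crypto ACL reversed, policy priority 2).
R1_CONFIG = """\
crypto isakmp enable
crypto isakmp key 6 testkey address 200.1.1.2
crypto isakmp policy 1
 hash md5
 encryption des
 authentication pre-share
 lifetime 86400
 group 1
crypto ipsec transform-set TRAN esp-des esp-md5-hmac
 mode tunnel
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map vpn_to_R2 10 ipsec-isakmp
 set peer 200.1.1.2
 set transform-set TRAN
 match address 100
interface f0/0
 crypto map vpn_to_R2
"""
R2_CONFIG = (R1_CONFIG.replace("200.1.1.2", "200.1.1.1").replace("vpn_to_R2", "vpn_to_R1")
             .replace("policy 1", "policy 2")
             .replace("192.168.0.0 0.0.0.255 192.168.1.0", "192.168.1.0 0.0.0.255 192.168.0.0"))

# Values IOS assumes when a policy omits them: the "Default protection suite" that
# `show crypto isakmp policy` prints in step 12.  Lifetime is in seconds.
POLICY_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": 86400}

@dataclass
class Peer:
    policies: dict = field(default_factory=dict)      # priority -> attributes
    psk: dict = field(default_factory=dict)           # peer address -> key string
    transform_sets: dict = field(default_factory=dict)
    acls: dict = field(default_factory=dict)          # number -> [(src, wc, dst, wc)]
    crypto_maps: dict = field(default_factory=dict)   # name -> {peer, transform, acl}
    applied: list = field(default_factory=list)       # names of maps bound to an interface

def parse_ios(text):
    """Pull the IKEv1/IPsec-relevant lines out of an IOS configuration."""
    p, ctx = Peer(), None          # ctx: the policy/transform-set/map block being filled
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        t = line.split()
        if m := re.match(r"crypto isakmp key (?:[06] )?(\S+) address (\S+)$", line):
            p.psk[m.group(2)] = m.group(1)
        elif t[:3] == ["crypto", "isakmp", "policy"]:
            ctx = p.policies[int(t[3])] = dict(POLICY_DEFAULTS)
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            ctx = p.transform_sets[t[3]] = {"transforms": sorted(t[4:]), "mode": "tunnel"}
        elif t[:2] == ["crypto", "map"] and len(t) == 5:     # global crypto map entry
            ctx = p.crypto_maps[t[2]] = {}
        elif t[:2] == ["crypto", "map"] and len(t) == 3:     # map bound under an interface
            p.applied.append(t[2])
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            p.acls.setdefault(t[1], []).append(tuple(t[4:8]))
        elif t[0] == "interface":
            ctx = None
        elif ctx is not None and t[0] in POLICY_DEFAULTS:
            ctx[t[0]] = int(t[1]) if t[0] == "lifetime" else t[1]
        elif ctx is not None and t[0] == "mode":
            ctx["mode"] = t[1]
        elif ctx is not None and t[0] in ("set", "match"):
            ctx[{"peer": "peer", "transform-set": "transform", "address": "acl"}[t[1]]] = t[2]
    return p

def negotiate_phase1(initiator, responder):
    """IOS-style selection: the responder walks its own policies in priority order and
    accepts the first initiator proposal with equal encryption, hash, authentication and
    DH group; the shorter lifetime wins.  Returns (responder prio, initiator prio, agreed)."""
    for rp, ra in sorted(responder.policies.items()):
        for ip, ia in sorted(initiator.policies.items()):
            if all(ia[k] == ra[k] for k in ("encryption", "hash", "authentication", "group")):
                return rp, ip, dict(ra, lifetime=min(ia["lifetime"], ra["lifetime"]))
    return None

def check_pair(a, a_addr, b, b_addr):
    """Mismatches that would keep peers a and b from building Phase 1 and Phase 2 SAs."""
    problems = []
    if a.psk.get(b_addr) is None or a.psk.get(b_addr) != b.psk.get(a_addr):
        problems.append("pre-shared keys differ or are missing")
    if negotiate_phase1(a, b) is None:
        problems.append("no ISAKMP policy acceptable to both peers")
    am = a.crypto_maps.get(a.applied[0]) if a.applied else None   # only a bound map negotiates
    bm = b.crypto_maps.get(b.applied[0]) if b.applied else None
    if am is None or bm is None:
        return problems + ["crypto map not applied to an interface on both peers"]
    if am.get("peer") != b_addr or bm.get("peer") != a_addr:
        problems.append("crypto map peers do not point at each other")
    if a.transform_sets.get(am.get("transform")) != b.transform_sets.get(bm.get("transform")):
        problems.append("transform sets differ")
    mirror = {(d, dw, s, sw) for s, sw, d, dw in b.acls.get(bm.get("acl"), [])}
    for entry in a.acls.get(am.get("acl"), []):
        if entry not in mirror:
            problems.append(f"ACL entry {entry} has no mirror image on the peer")
    return problems
```

With the two configurations of this lab `check_pair(parse_ios(R1_CONFIG), "200.1.1.1", parse_ios(R2_CONFIG), "200.1.1.2")` returns an empty list and `negotiate_phase1` reports that R2's policy 2 accepts R1's policy 1, which is the match the debug output in step 15 shows ("Checking ISAKMP transform 1 against priority 1 policy ... atts are acceptable"). Changing the key, the hash or one wildcard mask in the R2 string makes the corresponding problem appear.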
11. Turn on ISAKMP and IPsec debugging on R1.
R1#
R1#debug crypto isakmp
Crypto ISAKMP debugging is on
R1#
R1#debug crypto ipsec
Crypto IPSEC debugging is on
R1#
12. Confirm the ISAKMP policies on R1 and R2. IOS also lists its default protection suite (DES, SHA, RSA signatures, group 1); it has the lowest priority and is only compared after every configured policy has failed to match.
R1#show crypto isakmp policy

Global IKE policy
Protection suite of priority 1
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
R1#
R2#show crypto isakmp policy

Global IKE policy
Protection suite of priority 2
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
R2#
13. Display the ISAKMP pre-shared key on R1 and R2 and confirm that both sides have the same key for each other's address. Note that the key is shown in clear text, so this output must not end up in a shared lab report or ticket.
R1#show crypto isakmp key
Keyring      Hostname/Address                            Preshared Key
default      200.1.1.2                                   testkey
R1#
R2#show crypto isakmp key
Keyring      Hostname/Address                            Preshared Key
default      200.1.1.1                                   testkey
R2#
14. Display the IPsec transform set on R1 and R2. The capture below lists only esp-des; with the transform set entered in step 6 the output should read { esp-des esp-md5-hmac }. If HMAC-MD5 is missing on one side only, the transform sets differ and the Phase 2 proposal will be rejected.
R1#show crypto ipsec transform-set
Transform set TRAN: { esp-des  }
   will negotiate = { Tunnel,  },
R1#
R2#show crypto ipsec transform-set
Transform set TRAN: { esp-des  }
   will negotiate = { Tunnel,  },
R2#
15. On R1, use an extended ping to reach the private (loopback) address of R2, sourcing the echo from R1's own private address so that the packet matches crypto ACL 100 and triggers the negotiation. The first echo is normally lost while the SAs are being built, which is why the success rate below is 80 percent. The output that follows was captured from a different run of the lab: the echo is reported as going to 192.168.1.1 from 172.16.1.1 and the proxy identities are /16 networks, which do not match ACL 100 as configured above; compare your own output against your own crypto ACL.
R1#ping
Protocol [ip]:
Target IP address: 192.168.1.254
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.0.254
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
*Jun  5 17:08:59.519: IPSEC(sa_request):
  (key eng. msg.) OUTBOUND local= 200.1.1.1, remote= 200.1.1.2,
    local_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jun  5 17:08:59.535: ISAKMP:(0): SA request profile is (NULL)
*Jun  5 17:08:59.539: ISAKMP: Created a peer struct for 200.1.1.2, peer port 500
*Jun  5 17:08:59.539: ISAKMP: New peer created peer = 0x653F9630 peer_handle = 0x80000005
*Jun  5 17:08:59.543: ISAKMP: Locking peer struct 0x653F9630, refcount 1 for isakmp_initiator
*Jun  5 17:08:59.547: ISAKMP: local port 500, remote port 500
*Jun  5 17:08:59.547: ISAKMP: set new node 0 to QM_IDLE
*Jun  5 17:08:59.551: insert sa successfully sa = 65D68724
*Jun  5 17:08:59.555: ISAKMP:(0):Cannot start Aggressive mode, trying Main mode.
*Jun  5 17:08:59.555: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*Jun  5 17:08:59.559: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jun  5 17:08:59.559: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jun  5 17:08:59.559: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jun  5 17:08:59.559: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jun  5 17:08:59.559: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Jun  5 17:08:59.559: ISAKMP:(0): beginning Main Mode exchange
*Jun  5 17:08:59.559: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun  5 17:08:59.663: ISAKMP (0:0): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Jun  5 17:08:59.671: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun  5 17:08:59.671: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Jun  5 17:08:59.683: ISAKMP:(0): processing SA payload. message ID = 0
*Jun  5 17:08:59.687: ISAKMP:(0): processing vendor id payload
Success rate is 80 percent (4/5), round-trip min/avg/max = 36/53/64 ms
R1#
*Jun  5 17:08:59.687: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jun  5 17:08:59.691: ISAKMP (0:0): vendor ID is NAT-T v7
*Jun  5 17:08:59.691: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*Jun  5 17:08:59.695: ISAKMP:(0): local preshared key found
*Jun  5 17:08:59.695: ISAKMP: Scanning profiles for xauth ...
*Jun  5 17:08:59.699: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Jun  5 17:08:59.699: ISAKMP:      encryption DES-CBC
*Jun  5 17:08:59.703: ISAKMP:      hash MD5
*Jun  5 17:08:59.703: ISAKMP:      default group 1
*Jun  5 17:08:59.707: ISAKMP:      auth pre-share
*Jun  5 17:08:59.711: ISAKMP:      life type in seconds
*Jun  5 17:08:59.711: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Jun  5 17:08:59.719: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jun  5 17:08:59.723: ISAKMP:(0): processing vendor id payload
*Jun  5 17:08:59.723: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jun  5 17:08:59.727: ISAKMP (0:0): vendor ID is NAT-T v7
*Jun  5 17:08:59.727: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun  5 17:08:59.727: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
*Jun  5 17:08:59.727: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Jun  5 17:08:59.727: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun  5 17:08:59.731: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
*Jun  5 17:08:59.951: ISAKMP (0:0): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*Jun  5 17:08:59.959: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun  5 17:08:59.959: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
*Jun  5 17:08:59.975: ISAKMP:(0): processing KE payload. message ID = 0
*Jun  5 17:09:00.007: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jun  5 17:09:00.007: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*Jun  5 17:09:00.019: ISAKMP:(1001): processing vendor id payload
*Jun  5 17:09:00.019: ISAKMP:(1001): vendor ID is Unity
*Jun  5 17:09:00.023: ISAKMP:(1001): processing vendor id payload
*Jun  5 17:09:00.023: ISAKMP:(1001): vendor ID is DPD
*Jun  5 17:09:00.027: ISAKMP:(1001): processing vendor id payload
*Jun  5 17:09:00.031: ISAKMP:(1001): speaking to another IOS box!
*Jun  5 17:09:00.031: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun  5 17:09:00.031: ISAKMP:(1001):Old State = IKE_I_MM4  New State = IKE_I_MM4
*Jun  5 17:09:00.031: ISAKMP:(1001):Send initial contact
*Jun  5 17:09:00.031: ISAKMP:(1001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jun  5 17:09:00.031: ISAKMP (0:1001): ID payload
        next-payload : 8
        type         : 1
        address      : 200.1.1.1
        protocol     : 17
        port         : 500
        length       : 12
*Jun  5 17:09:00.031: ISAKMP:(1001):Total payload length: 12
*Jun  5 17:09:00.031: ISAKMP:(1001): sending packet
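The state-machine lines in that capture are the quickest way to see where Phase 1 stands. As an added example that is not part of the lab handout, the following Python reconstructs the Main Mode progress from lines like those above: it parses each debug line, lists the Old State/New State transitions, extracts the proposal that was checked against the policy (decoding the lifetime bytes IOS prints), and reports how far the exchange got. The sample input is a constructed subset of the capture above with the spacing IOS prints restored; the expected initiator sequence IKE_READY, IKE_I_MM1 to IKE_I_MM6, then IKE_P1_COMPLETE is the naming IOS uses and is an assumption of the example, not something shown in full on this page.

```python
import re

# A constructed subset of the `debug crypto isakmp` capture above, with the spacing
# IOS prints restored.  Only the lines the parser needs are kept.
SAMPLE = """\
*Jun  5 17:08:59.555: ISAKMP:(0):Cannot start Aggressive mode, trying Main mode.
*Jun  5 17:08:59.555: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*Jun  5 17:08:59.559: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Jun  5 17:08:59.559: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun  5 17:08:59.663: ISAKMP (0:0): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Jun  5 17:08:59.671: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Jun  5 17:08:59.699: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Jun  5 17:08:59.699: ISAKMP:      encryption DES-CBC
*Jun  5 17:08:59.703: ISAKMP:      hash MD5
*Jun  5 17:08:59.703: ISAKMP:      default group 1
*Jun  5 17:08:59.707: ISAKMP:      auth pre-share
*Jun  5 17:08:59.711: ISAKMP:      life type in seconds
*Jun  5 17:08:59.711: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Jun  5 17:08:59.719: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jun  5 17:08:59.727: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
*Jun  5 17:08:59.731: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
*Jun  5 17:08:59.951: ISAKMP (0:0): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*Jun  5 17:08:59.959: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
*Jun  5 17:09:00.031: ISAKMP:(1001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jun  5 17:09:00.031: ISAKMP:(1001):Old State = IKE_I_MM4  New State = IKE_I_MM4
*Jun  5 17:09:00.031: ISAKMP:(1001): sending packet
"""

# Timestamp, optional SA id in "(0)", "(0:0)" or "(1001)" form, then the message text.
LINE_RE = re.compile(r"^\*(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): ISAKMP:?\s*"
                     r"(?:\((?:\d+:)?(?P<sa>\d+)\):?)?\s*(?P<msg>.*)$")
TRANSITION_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
ATTR_RE = re.compile(r"^(encryption|hash|default group|auth|life type|life duration \(VPI\) of)\s+(.+)$")
# Initiator-side Main Mode states in the order IOS walks them (assumed): MM5/MM6 carry
# the identities and hashes, and Quick Mode (Phase 2) only starts after IKE_P1_COMPLETE.
MAIN_MODE_INITIATOR = ["IKE_READY", "IKE_I_MM1", "IKE_I_MM2", "IKE_I_MM3",
                       "IKE_I_MM4", "IKE_I_MM5", "IKE_I_MM6", "IKE_P1_COMPLETE"]

def parse_debug(text):
    """(timestamp, sa_id or None, message) for each ISAKMP debug line."""
    events = []
    for line in text.splitlines():
        if m := LINE_RE.match(line):
            events.append((m["ts"], int(m["sa"]) if m["sa"] else None, m["msg"].strip()))
    return events

def transitions(events):
    """Chronological (old, new) state pairs; a self-transition is an internal processing step."""
    return [m.groups() for _, _, msg in events if (m := TRANSITION_RE.search(msg))]

def offered_attributes(events):
    """Attributes of the proposal the policy check evaluated, plus whether it was accepted."""
    attrs, inside = {}, False
    for _, _, msg in events:
        if msg.startswith("Checking ISAKMP transform"):
            attrs, inside = {}, True
        elif inside and (m := ATTR_RE.match(msg)):
            attrs[m.group(1)] = m.group(2).strip()
        elif inside and msg.startswith("atts are"):
            attrs["accepted"] = msg.startswith("atts are acceptable")
            inside = False
    return attrs

def life_seconds(vpi):
    """'0x0 0x1 0x51 0x80' is a big-endian byte string: 0x00015180 = 86400 seconds."""
    return int.from_bytes(bytes(int(b, 16) for b in vpi.split()), "big")

def phase1_summary(text):
    """How far Main Mode got: last state, whether it completed, what is still missing,
    and whether the observed transitions follow the expected initiator order."""
    trans = transitions(parse_debug(text))
    seq = [trans[0][0]] + [new for _, new in trans] if trans else []
    last = seq[-1] if seq else None
    idx = MAIN_MODE_INITIATOR.index
    ordered = all(idx(n) >= idx(o) for o, n in trans
                  if o in MAIN_MODE_INITIATOR and n in MAIN_MODE_INITIATOR)
    missing = MAIN_MODE_INITIATOR[idx(last) + 1:] if last in MAIN_MODE_INITIATOR else MAIN_MODE_INITIATOR
    return {"last_state": last, "complete": last == "IKE_P1_COMPLETE",
            "not_reached": missing, "ordered": ordered}

if __name__ == "__main__":
    ev = parse_debug(SAMPLE)
    for old, new in transitions(ev):
        print(f"{old:>12} -> {new}")
    print(offered_attributes(ev))
    print(phase1_summary(SAMPLE))
```

Run against the capture above, the summary reports last state IKE_I_MM4 with MM5, MM6 and IKE_P1_COMPLETE not reached: the capture stops as R1 sends its fifth Main Mode message, so neither the end of Phase 1 nor the Quick Mode exchange that produces the IPsec SAs is visible. When a tunnel does not come up, the first transition that stops progressing is where to look, and a policy mismatch shows up as "atts are not acceptable" before IKE_I_MM2 is ever left.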