Configuring IPsec on Cisco routers

Topology (the original diagram is not reproduced; this is reconstructed from the running configs at the end of the post):

PC1 (192.168.1.0/24) -- Fa0/1 192.168.1.1 [ZB] Fa0/0 1.1.1.1 -- Fa0/0 1.1.1.2 [ISP] Fa0/1 2.2.2.2 -- Fa0/0 2.2.2.1 [FB] Fa0/1 192.168.2.1 -- (192.168.2.0/24) PC 192.168.2.2

Phase 1: ISAKMP (IKE) policy

ZB(config)#crypto isakmp policy 1
#authentication method: pre-shared key
ZB(config-isakmp)#authentication pre-share
#encryption algorithm: 3DES
ZB(config-isakmp)#encryption 3des
#integrity (hash) algorithm: MD5
ZB(config-isakmp)#hash md5
#Diffie-Hellman group 2 (1024-bit MODP)
ZB(config-isakmp)#group 2
#lifetime of the IKE SA in seconds. This is not an idle timeout: the SA is rekeyed when the timer expires whether or not traffic is flowing
ZB(config-isakmp)#lifetime 3600
ZB(config-isakmp)#exit
#pre-shared key "admin", bound to the peer address 2.2.2.1; FB must configure the same key for 1.1.1.1
ZB(config)#crypto isakmp key admin address 2.2.2.1

Encryption, hash, authentication and DH group of policy 1 must be matched by a policy on FB or phase 1 fails; lifetime is the exception, the shorter of the two configured values is used. Note that 3DES, MD5 and DH group 2 are all classed as legacy by Cisco, and "admin" is a dictionary word. That is acceptable in a Packet Tracer lab like this one, but a production tunnel should use AES, SHA-2, DH group 14 or higher, and a long random pre-shared key (or certificate authentication).
----------------------------------------------------------
Phase 2: IPsec transform set and crypto map

#transform set named v*n: AH with HMAC-SHA for authentication plus ESP with 3DES for encryption (tunnel mode by default)
ZB(config)#crypto ipsec transform-set v*n ah-sha-hmac esp-3des
#crypto map "cisco", sequence 1; ipsec-isakmp means the SA keys are negotiated by IKE rather than configured manually
ZB(config)#crypto map cisco 1 ipsec-isakmp 
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
ZB(config-crypto-map)#set peer 2.2.2.1
ZB(config-crypto-map)#set transform-set v*n
#ACL 101 is the crypto ACL: it defines the "interesting traffic" that is sent through the tunnel
ZB(config-crypto-map)#match address 101
ZB(config-crypto-map)#exit
ZB(config)#access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

The crypto ACL on FB must be the exact mirror image (source 192.168.2.0/24, destination 192.168.1.0/24); otherwise phase 2 fails because the proxy identities offered by the two sides do not match. Traffic that does not match the crypto ACL leaves fa0/0 in the clear, so keep the ACL no wider than the traffic that must be protected.
----------------------------------------------------------
Apply the crypto map to interface fa0/0 (the outside interface facing the ISP)
ZB(config)#inter fa0/0
ZB(config-if)#crypto map cisco
*Jan  3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

ZB(config-if)#

FB is configured the same way as ZB with the addresses swapped: the ISAKMP key and the crypto map peer point at 1.1.1.1, and crypto ACL 101 is the mirror image (192.168.2.0/24 to 192.168.1.0/24). The full configurations of both routers are at the end of this post.

The ISP router only needs its interface addresses. ZB and FB each get a static default route towards the ISP (ZB: ip route 0.0.0.0 0.0.0.0 1.1.1.2, FB: ip route 0.0.0.0 0.0.0.0 2.2.2.2), so the encapsulated packets are handed to the ISP. The ISP needs no route for 192.168.1.0/24 or 192.168.2.0/24, because it only ever sees the outer headers 1.1.1.1 <-> 2.2.2.1.
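As an added example (not part of the original post), the following Python script audits the two running configs shown at the end of this page against the rules the steps above imply: phase 1 policies and transform sets that match, a pre-shared key bound to the same address as the crypto map peer, a crypto map that references an existing ACL, and crypto ACLs that are mirror images of each other. It also flags the legacy algorithms. The config excerpts are copied from the page; the weak-algorithm list and the 16-character pre-shared key threshold are this example's own assumptions.

```python
import re

# Crypto-relevant excerpts of the ZB and FB running configs shown on this page,
# embedded as sample input (interface, line and routing statements omitted).
ZB_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp key admin address 2.2.2.1
!
crypto ipsec transform-set v*n ah-sha-hmac esp-3des
!
crypto map cisco 1 ipsec-isakmp
 set peer 2.2.2.1
 set transform-set v*n
 match address 101
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
# FB is the mirror image: peer address swapped, crypto ACL reversed.
FB_CONFIG = ZB_CONFIG.replace("2.2.2.1", "1.1.1.1").replace(
    "192.168.1.0 0.0.0.255 192.168.2.0", "192.168.2.0 0.0.0.255 192.168.1.0")

# Assumption of this example: IKE parameters treated as legacy, and the minimum
# acceptable pre-shared key length. Neither value comes from the page.
WEAK_IKE = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
MIN_PSK_LEN = 16


def parse_crypto(cfg):
    """Extract IKE policy, PSK, transform set, crypto map and crypto ACL from IOS config text."""
    d = {"policy": {}, "acl": [], "transform": set()}
    block = None
    for line in cfg.splitlines():
        s = line.strip()
        if not s or s == "!":
            block = None
        elif line.startswith(" ") and block == "policy":
            key, _, value = s.partition(" ")
            d["policy"][key] = value
        elif line.startswith(" ") and block == "map":
            p = s.split()
            if p[:2] == ["set", "peer"]:
                d["map_peer"] = p[2]
            elif p[:2] == ["match", "address"]:
                d["map_acl"] = p[2]
        elif s.startswith("crypto isakmp policy"):
            block = "policy"
        elif s.startswith("crypto map"):
            block = "map"
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)", s):
            d["psk"], d["psk_peer"] = m.groups()
        elif m := re.match(r"crypto ipsec transform-set \S+ (.+)", s):
            d["transform"] = set(m.group(1).split())
        elif m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)", s):
            d["acl"].append(m.groups())  # (number, src, src_wildcard, dst, dst_wildcard)
        else:
            block = None
    return d


def audit(local, remote):
    """Findings for one router, checked against the parsed config of its peer."""
    f = []
    for key, weak in WEAK_IKE.items():
        if local["policy"].get(key) in weak:
            f.append(f"weak IKE {key}: {local['policy'][key]}")
    psk = local.get("psk", "")
    if local["policy"].get("authentication") == "pre-share" and len(psk) < MIN_PSK_LEN:
        f.append(f"short pre-shared key ({len(psk)} chars)")
    # Lifetime may legitimately differ (the shorter one wins); everything else must match.
    mine_p = {k: v for k, v in local["policy"].items() if k != "lifetime"}
    theirs_p = {k: v for k, v in remote["policy"].items() if k != "lifetime"}
    if mine_p != theirs_p:
        f.append("IKE policy differs from peer (phase 1 will not complete)")
    if local["transform"] != remote["transform"]:
        f.append("transform set differs from peer (phase 2 will not complete)")
    if local.get("psk_peer") != local.get("map_peer"):
        f.append("pre-shared key is bound to a different address than the crypto map peer")
    if local.get("map_acl") not in {a[0] for a in local["acl"]}:
        f.append("crypto map references an ACL that does not exist")
    # Crypto ACLs must be mirror images: my (src, dst) must equal the peer's (dst, src).
    mine = {a[1:] for a in local["acl"]}
    theirs_mirrored = {(dst, dm, src, sm) for _, src, sm, dst, dm in remote["acl"]}
    if mine != theirs_mirrored:
        f.append("crypto ACL is not the mirror image of the peer's")
    return f


def audit_pair(zb_cfg, fb_cfg):
    zb, fb = parse_crypto(zb_cfg), parse_crypto(fb_cfg)
    return {"ZB": audit(zb, fb), "FB": audit(fb, zb)}


if __name__ == "__main__":
    for router, findings in audit_pair(ZB_CONFIG, FB_CONFIG).items():
        print(router, findings or ["no findings"])
```

Run against the configs from this page it reports only the algorithm and key-strength findings on both routers; break the mirror (change FB's destination network) or change one side's hash, and the corresponding mismatch finding appears before you ever bring the tunnel up.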

Then run tracert 192.168.2.2 from PC1 to confirm the two LANs can reach each other:

PC>tracert 192.168.2.2

Tracing route to 192.168.2.2 over a maximum of 30 hops: 

  1   0 ms      1 ms      0 ms      192.168.1.1
  2   *         *         *         Request timed out.
  3   0 ms      0 ms      0 ms      192.168.2.2

Trace complete.

The trace completes, so the two LANs are reachable; one intermediate hop not answering is normal when tracing across an IPsec tunnel. Reachability alone does not prove the traffic was protected, so the SA counters below are the real check.

----------------------------------------------------------
Checking the phase 1 SA on ZB:

ZB#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
2.2.2.1         1.1.1.1         QM_IDLE           1028    0 ACTIVE

IPv6 Crypto ISAKMP SA

QM_IDLE with status ACTIVE means main mode completed and the IKE SA is up and idle, ready for quick mode. An SA stuck in MM_NO_STATE or MM_KEY_EXCH instead usually points at a policy or pre-shared key mismatch between the peers.
----------------------------------------------------------
Checking the phase 2 (IPsec) SAs:
ZB#show crypto ipsec sa


interface: FastEthernet0/0
    Crypto map tag: cisco, local addr 1.1.1.1


   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 2.2.2.1 port 500
    PERMIT, flags={origin_is_acl,}
   #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
   #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
   #pkts compressed: 0, #pkts decompressed: 0
   #pkts not compressed: 0, #pkts compr. failed: 0
   #pkts not decompressed: 0, #pkts decompress failed: 0
   #send errors 1, #recv errors 0


     local crypto endpt.: 1.1.1.1, remote crypto endpt.:2.2.2.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x19EE6B60(435055456)


     inbound esp sas:
      spi: 0x05CF1BA1(97459105)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        conn id: 2006, flow_id: FPGA:1, crypto map: cisco
        sa timing: remaining key lifetime (k/sec): (4525504/3132)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE


     inbound ah sas:
      spi: 0x77772C45(2004298821)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2006, flow_id: FPGA:1, crypto map: cisco
        sa timing: remaining key lifetime (k/sec): (4525504/3132)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE


     inbound pcp sas:


     outbound esp sas:
      spi: 0x19EE6B60(435055456)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        conn id: 2007, flow_id: FPGA:1, crypto map: cisco
        sa timing: remaining key lifetime (k/sec): (4525504/3132)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE


     outbound ah sas:
      spi: 0x7D8B6D32(2106289458)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2007, flow_id: FPGA:1, crypto map: cisco
        sa timing: remaining key lifetime (k/sec): (4525504/3132)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE


     outbound pcp sas:
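The counters above (#pkts encaps/decaps both 2) are what confirm that traffic is actually being encrypted and decrypted, and the four child SAs (inbound and outbound, ESP and AH) are what the transform set asked for. As an added example (not from the original post), here is a small Python parser for that show crypto ipsec sa output that pulls out the counters and each child SA and decides whether the tunnel is carrying protected traffic in both directions. The sample text is an abbreviated copy of the output above; the health rules are this example's own assumptions.

```python
import re

# Abbreviated copy of the "show crypto ipsec sa" output shown above, used here
# as sample input.
SAMPLE_SHOW = """\
interface: FastEthernet0/0
    Crypto map tag: cisco, local addr 1.1.1.1

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 2.2.2.1 port 500
    PERMIT, flags={origin_is_acl,}
   #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
   #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
   #send errors 1, #recv errors 0

     local crypto endpt.: 1.1.1.1, remote crypto endpt.:2.2.2.1
     current outbound spi: 0x19EE6B60(435055456)

     inbound esp sas:
      spi: 0x05CF1BA1(97459105)
        transform: esp-3des ,
        Status: ACTIVE

     inbound ah sas:
      spi: 0x77772C45(2004298821)
        transform: ah-sha-hmac ,
        Status: ACTIVE

     inbound pcp sas:

     outbound esp sas:
      spi: 0x19EE6B60(435055456)
        transform: esp-3des ,
        Status: ACTIVE

     outbound ah sas:
      spi: 0x7D8B6D32(2106289458)
        transform: ah-sha-hmac ,
        Status: ACTIVE

     outbound pcp sas:
"""


def parse_ipsec_sa(text):
    """Return the traffic counters plus one record per child SA."""
    r = {"peer": None, "encaps": 0, "decaps": 0, "send_errors": 0,
         "recv_errors": 0, "outbound_spi": None, "sas": []}
    section, cur = None, None
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"current_peer (\S+)", s):
            r["peer"] = m.group(1)
        elif m := re.match(r"#pkts encaps: (\d+)", s):
            r["encaps"] = int(m.group(1))
        elif m := re.match(r"#pkts decaps: (\d+)", s):
            r["decaps"] = int(m.group(1))
        elif m := re.match(r"#send errors (\d+), #recv errors (\d+)", s):
            r["send_errors"], r["recv_errors"] = map(int, m.groups())
        elif m := re.match(r"current outbound spi: (0x[0-9A-Fa-f]+)", s):
            r["outbound_spi"] = m.group(1).lower()
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", s):
            section, cur = m.groups(), None   # entering a new SA list
        elif section and (m := re.match(r"spi: (0x[0-9A-Fa-f]+)", s)):
            cur = {"direction": section[0], "proto": section[1],
                   "spi": m.group(1).lower(), "transform": None, "status": None}
            r["sas"].append(cur)
        elif cur and (m := re.match(r"transform: (\S+)", s)):
            cur["transform"] = m.group(1)
        elif cur and (m := re.match(r"Status: (\w+)", s)):
            cur["status"] = m.group(1)
    return r


def health(r):
    """Problems found; an empty list means the tunnel is up and protecting traffic both ways."""
    problems = []
    if not r["sas"]:
        problems.append("no child SAs: phase 2 never completed")
    for sa in r["sas"]:
        if sa["status"] != "ACTIVE":
            problems.append(f"{sa['direction']} {sa['proto']} SA {sa['spi']} is {sa['status']}")
    if r["encaps"] == 0:
        problems.append("nothing encrypted: no traffic matched the crypto ACL on this side")
    if r["decaps"] == 0:
        problems.append("nothing decrypted: the peer is not sending through the tunnel")
    out_esp = [sa for sa in r["sas"] if (sa["direction"], sa["proto"]) == ("outbound", "esp")]
    if out_esp and r["outbound_spi"] and out_esp[0]["spi"] != r["outbound_spi"]:
        problems.append("current outbound SPI does not match the outbound ESP SA")
    return problems


if __name__ == "__main__":
    parsed = parse_ipsec_sa(SAMPLE_SHOW)
    print(f"peer {parsed['peer']}: encaps={parsed['encaps']} decaps={parsed['decaps']}")
    print(health(parsed) or ["tunnel healthy"])
```

A non-zero encaps with decaps stuck at zero is the classic one-way symptom: this side matches its crypto ACL and encrypts, but the peer's ACL or routing is wrong, so nothing comes back. Feed the function the output of both routers and the asymmetry tells you which side to look at.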



Separator: files cannot be uploaded to this blog, so the full configurations are pasted below.

----------------------------------------------------------------------------------------------

ZB#sh run
Building configuration...


Current configuration : 915 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname ZB
!
!
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp key admin address 2.2.2.1
!
!
crypto ipsec transform-set v*n ah-sha-hmac esp-3des
!
crypto map cisco 1 ipsec-isakmp 
 set peer 2.2.2.1
 set transform-set v*n 
 match address 101
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map cisco
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.1.2 
!
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end

----------------------------------------------------------------------------------------------

ISP#sh run
Building configuration...


Current configuration : 504 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname ISP
!
!
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
interface FastEthernet0/0
 ip address 1.1.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 2.2.2.2 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end

----------------------------------------------------------------------------------------------

FB#sh run
Building configuration...


Current configuration : 915 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname FB
!
!
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp key admin address 1.1.1.1
!
!
crypto ipsec transform-set v*n ah-sha-hmac esp-3des
!
crypto map cisco 1 ipsec-isakmp 
 set peer 1.1.1.1
 set transform-set v*n 
 match address 101
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
interface FastEthernet0/0
 ip address 2.2.2.1 255.255.255.0
 duplex auto
 speed auto
 crypto map cisco
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 2.2.2.2 
!
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end

----------------------------------------------------------------------------------------------