Lab 41: Configuring a VPN (IPSec)

Published: 2025/7/14

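I. Objectives

1. Learn to build a VPN using manually configured keys

2. Understand the role the keys play in establishing the tunnel

II. Application environment

IPSec provides data confidentiality, integrity, and source authentication on the network, effectively protecting the data.

Manually configured keys avoid the overhead of key exchange and improve efficiency.

III. Equipment

1. Two DCR-1751 routers

2. Two PCs

IV. Topology

V. Requirements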

Configuration table

Router-A                          Router-B
F0/0        192.168.0.1/24        F0/0    192.168.2.1/24
S1/1 (DCE)  192.168.1.1/24        S1/0    192.168.1.2/24

            PC                    SERVER
IP          192.168.0.10/24       192.168.2.2/24
Gateway     192.168.0.1           192.168.2.1

Result:

Establish a VPN between routers A and B to protect the data sent from PC to SERVER.

VI. Procedure

Step 1: Configure Router A

Router-A#conf

Router-A_config#ip access-list extended 101 !define the traffic to be protected by the VPN

Router-A_config_ext_nacl#permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

Router-A_config_ext_nacl#exit

Router-A_config#ip route 0.0.0.0 0.0.0.0 192.168.1.2 !configure a static route

Router-A_config#crypto ipsec transform-set one !define the transform set

Router-A_config_crypto_trans#transform-type esp-des esp-md5-hmac !ESP encryption and authentication; note that the 24-byte cipher keys, the AH SAs and the output in Step 2 correspond to ah-md5-hmac esp-3des

Router-A_config_crypto_trans#exit

Router-A_config#crypto map my 10 ipsec-manu !configure the IPSec crypto map

Router-A_config_crypto_map#set transform-set one !attach the transform set

Router-A_config_crypto_map#set peer 192.168.1.2 !set the peer address

Router-A_config_crypto_map#match address 101 !attach the traffic to be encrypted

Router-A_config_crypto_map#set security-association inbound esp 2001 cipher ffeeddccbbaa001122334455667788999988776655443322

Router-A_config_crypto_map#set security-association inbound ah 2000 ffeeddccbbaa00112233445566778899

Router-A_config_crypto_map#set security-association outbound esp 1001 cipher aabbccddeeff001122334455667788999988776655443322

Router-A_config_crypto_map#set security-association outbound ah 1000 aabbccddeeff00112233445566778899

!manually configured keys

Router-A_config_crypto_map#exit

Router-A_config#int s1/1 !enter the VPN interface

Router-A_config_s1/1#crypto map my !bind the IPSec crypto map

Router-A_config_s1/1#^Z

Step 2: Verify the configuration (output shown after the VPN has been established on both ends)

Router-A#sh crypto ipsec sa !show the IPSec security associations

Interface: Serial1/1

Crypto map name:my , local addr. 192.168.1.1

local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)

local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.1.2

inbound esp sas:

spi:0x7d1(2001)

transform: esp-3des

in use settings ={ Tunnel }

no sa timing

inbound ah sas:

spi:0x7d0(2000)

transform: ah-md5-hmac

in use settings ={ Tunnel }

no sa timing

outbound esp sas:

spi:0x3e9(1001)

transform: esp-3des

in use settings ={ Tunnel }

no sa timing

outbound ah sas:

spi:0x3e8(1000)

transform: ah-md5-hmac

in use settings ={ Tunnel }

no sa timing

Router-A#sh crypto map !show the IPSec crypto map

Crypto Map my 10 ipsec-manual

Extended IP access list 101

permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

peer = 192.168.1.2

Inbound esp spi: 2001 ,

cipher key: ffeeddccbbaa001122334455667788999988776655443322 ,

auth key ,

Inbound ah spi: 2000 ,

key: ffeeddccbbaa00112233445566778899 ,

Outbound esp spi: 1001 ,

cipher key: aabbccddeeff001122334455667788999988776655443322 ,

auth key ,

Outbound ah spi: 1000 ,

key: aabbccddeeff00112233445566778899

Transform sets={ one}

Router-A#sh crypto ipsec transform-set !show the transform set

Transform set one: { ah-md5-hmac esp-3des }

will negotiate ={ Tunnel }

Step 3: Configure Router B

Router-B>ena

Router-B#conf

Router-B_config#ip access-list extended 101

Router-B_config_ext_nacl#permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0

Router-B_config_ext_nacl#exit

Router-B_config#ip route 192.168.0.0 255.255.255.0 192.168.1.1

Router-B_config#crypto ipsec transform-set one

Router-B_config_crypto_trans#transform-type esp-des esp-md5-hmac !must match Router-A

Router-B_config_crypto_trans#exit

Router-B_config#crypto map my 10 ipsec-manu !the keys must correspond to Router-A's

Router-B_config_crypto_map#set transform-set one

Router-B_config_crypto_map#set peer 192.168.1.1

Router-B_config_crypto_map#match address 101

Router-B_config_crypto_map#set security-association inbound esp 1001 cipher aabbccddeeff001122334455667788999988776655443322

Router-B_config_crypto_map#set security-association inbound ah 1000 aabbccddeeff00112233445566778899

Router-B_config_crypto_map#set security-association outbound esp 2001 cipher ffeeddccbbaa001122334455667788999988776655443322

Router-B_config_crypto_map#set security-association outbound ah 2000 ffeeddccbbaa00112233445566778899

!must correspond to Router-A: inbound and outbound are crossed (B's inbound equals A's outbound, and vice versa)

Router-B_config_crypto_map#exit

Router-B_config#int s1/0

Router-B_config_s1/0#crypto map my

Router-B_config_s1/0#^Z

Step 4: Verify the configuration

Router-B#sh crypto ipsec sa

Interface: Serial1/0

Crypto map name:my , local addr. 192.168.1.2

local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)

local crypto endpt.: 192.168.1.2, remote crypto endpt.: 192.168.1.1

inbound esp sas:

spi:0x3e9(1001)

transform: esp-3des

in use settings ={ Tunnel }

no sa timing

inbound ah sas:

spi:0x3e8(1000)

transform: ah-md5-hmac

in use settings ={ Tunnel }

no sa timing

outbound esp sas:

spi:0x7d1(2001)

transform: esp-3des

in use settings ={ Tunnel }

no sa timing

outbound ah sas:

spi:0x7d0(2000)

transform: ah-md5-hmac

in use settings ={ Tunnel }

no sa timing

Router-B#sh crypto ipsec transform-set

Transform set one: { ah-md5-hmac esp-3des }

will negotiate ={ Tunnel }

Router-B#sh crypto map

Crypto Map my 10 ipsec-manual

Extended IP access list 101

permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0

peer = 192.168.1.1

Inbound esp spi: 1001 ,

cipher key: aabbccddeeff001122334455667788999988776655443322 ,

auth key ,

Inbound ah spi: 1000 ,

key: aabbccddeeff00112233445566778899 ,

Outbound esp spi: 2001 ,

cipher key: ffeeddccbbaa001122334455667788999988776655443322 ,

auth key ,

Outbound ah spi: 2000 ,

key: ffeeddccbbaa00112233445566778899

Transform sets={ one}
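
Added example (not part of the original lab; the Python helper names are hypothetical): a pre-deployment check that the manual SAs on the two routers mirror each other as Step 3 requires, so that each side's outbound SPI and key equal the peer's inbound ones, and that key lengths fit the transforms reported by the show output (24 bytes for esp-3des, 16 bytes for ah-md5-hmac). The config text is taken from the lab's own commands.

```python
import re

# Manual-key lines copied from the lab's Router-A and Router-B steps.
ROUTER_A = """
set security-association inbound esp 2001 cipher ffeeddccbbaa001122334455667788999988776655443322
set security-association inbound ah 2000 ffeeddccbbaa00112233445566778899
set security-association outbound esp 1001 cipher aabbccddeeff001122334455667788999988776655443322
set security-association outbound ah 1000 aabbccddeeff00112233445566778899
"""
ROUTER_B = """
set security-association inbound esp 1001 cipher aabbccddeeff001122334455667788999988776655443322
set security-association inbound ah 1000 aabbccddeeff00112233445566778899
set security-association outbound esp 2001 cipher ffeeddccbbaa001122334455667788999988776655443322
set security-association outbound ah 2000 ffeeddccbbaa00112233445566778899
"""

# The "cipher" keyword appears only on the ESP lines.
SA_RE = re.compile(
    r"set security-association (inbound|outbound) (esp|ah) (\d+)(?: cipher)? ([0-9a-fA-F]+)"
)
# Key sizes in bytes for the transforms in the lab's show output: esp-3des, ah-md5-hmac.
KEY_BYTES = {"esp": 24, "ah": 16}

def parse_sas(config):
    """Return {(direction, proto): (spi, key_hex)} for every manual SA line."""
    return {(d, p): (int(spi), key.lower()) for d, p, spi, key in SA_RE.findall(config)}

def check_pair(cfg_a, cfg_b):
    """Return a list of problems; an empty list means the two ends mirror each other."""
    a, b = parse_sas(cfg_a), parse_sas(cfg_b)
    problems = []
    for proto in ("esp", "ah"):
        for src, dst, name in ((a, b, "A->B"), (b, a, "B->A")):
            out, inn = src.get(("outbound", proto)), dst.get(("inbound", proto))
            if out is None or inn is None:
                problems.append(f"{name} {proto}: SA missing on one end")
                continue
            if out[0] != inn[0]:
                problems.append(f"{name} {proto}: SPI {out[0]} != {inn[0]}")
            if out[1] != inn[1]:
                problems.append(f"{name} {proto}: keys differ")
            if len(out[1]) != 2 * KEY_BYTES[proto]:
                problems.append(f"{name} {proto}: key is {len(out[1]) // 2} bytes, expected {KEY_BYTES[proto]}")
    return problems

if __name__ == "__main__":
    print(check_pair(ROUTER_A, ROUTER_B) or "SAs mirror each other")
```

Pasting Router-A's lines onto Router-B unchanged, without crossing inbound and outbound, makes every SPI and key comparison fail in both directions.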

Step 5: Testing

Reposted from: https://blog.51cto.com/lorna8023/406576
