Ключевые слова:cisco, security, crypt, ipsec, tunnel, vpn, (найти похожие документы)
From: Rob Thomas <[email protected]>
Subject: Настройка IPsec в Cisco
Configuring IPsec on Cisco routers
Rob Thomas [email protected]
Оригинал документа: http://www.cymru.com/Documents/cisco-ipsec-howto.txt
Структура сети:
Sun SPARC 20
192.168.80.9/24
|
192.168.80.222/24
Cisco 2514
192.168.10.1/30
|
192.168.10.2/30
Cisco 2514
10.10.10.1/24
Работоспособность можно проверить через ping или telnet с хоста 192.168.0.9
на 10.10.10.1. Маршрутизация статическая.
Настраиваем IPSEC туннель на маршрутизаторе, между точками 192.168.10.1 и 192.168.10.2
! @(#)IPsec Cisco router configuration 10 MAY 2000 Rob Thomas [email protected]
!
crypto isakmp policy 1
! Set the crypto policy to ISAKMP, priority 1.
hash md5
! Use MD5 as the authentication algorithm (instead
! of SHA, which is slower yet more secure).
authentication pre-share
! Utilize the hard-coded key "123FOO123".
!
crypto isakmp key 123FOO123 address 192.168.10.2
! Set the key and the peer with whom to share the
! key. Be careful not to share this with anyone!
!
crypto ipsec transform-set OURIPS esp-des esp-md5-hmac
! Create a transform set called OURIPS that utilizes
! ESP (Encapsulating Security Payload) encrypted with
! DES and authenticated with MD5. In this case, we
! will encrypt only the payload of the packet, not the
! header.
!
crypto map IPSEC-TO-RMT local-address Ethernet0
! Specify that the crypto map called IPSEC-TO-RMT
! will use the local-address on E0 for identification
! purposes. This is not always necessary, but makes
! for nice documentation.
!
crypto map IPSEC-TO-RMT 1 ipsec-isakmp
! Map IPSEC-TO-RMT, sequence number 1, that uses
! ISAKMP for key exchange.
set peer 192.168.10.2
! Our remote peer
set transform-set OURIPS
! Apply the proper transform set (q.v.)
match address IPSEC-TUN
! Only IPSEC the packets that match the extended
! ACL named IPSEC-TUN
ip access-list extended IPSEC-TUN
! Build an ACL to use for IPSEC.
remark IPSEC ACL
! Comments are good. :-)
permit ip any any
! This is a bit misleading. While it will attempt
! to ESP encrypt all packets, multicast packets can
! not be encrypted with IPSEC. For multicast pack-
! ets, a GRE tunnel must be used. Recall that most
! routing protocols use multicast (OSPF, RIP v2) for
! the routing updates.
interface Ethernet0
ip address 192.168.10.1 255.255.255.252
no ip redirects
no ip proxy-arp
no ip mroute-cache
crypto map IPSEC-TO-RMT
! Apply the crypto map IPSEC-TO-RMT to the e0
! interface.
Без использования IPSEC:
192.168.80.9 -> 10.10.10.1 ICMP Echo request
10.10.10.1 -> 192.168.80.9 ICMP Echo reply
192.168.80.9 -> 10.10.10.1 ICMP Echo request
10.10.10.1 -> 192.168.80.9 ICMP Echo reply
192.168.80.9 -> 10.10.10.1 ICMP Echo request
10.10.10.1 -> 192.168.80.9 ICMP Echo reply
С применением IPSEC туннеля:
192.168.10.1 -> 192.168.10.2 IP D=192.168.10.2 S=192.168.10.1 LEN=136, ID=243
192.168.10.2 -> 192.168.10.1 IP D=192.168.10.1 S=192.168.10.2 LEN=136, ID=625
192.168.10.1 -> 192.168.10.2 IP D=192.168.10.2 S=192.168.10.1 LEN=136, ID=244
192.168.10.2 -> 192.168.10.1 IP D=192.168.10.1 S=192.168.10.2 LEN=136, ID=628
192.168.10.1 -> 192.168.10.2 IP D=192.168.10.2 S=192.168.10.1 LEN=136, ID=245
Rob Thomas, [email protected]http://www.enteract.com/~robt