Configuring IPsec with a Pre-Shared Key over a GRE Tunnel (51CTO Blog)


2019-02-24 11:26:14 | Author: 千风 | Tags: configuration, tunnel, mode | Views: 2593

    IPsec on its own has a limitation: it only protects unicast IP traffic, so multicast, broadcast and non-IP traffic cannot be carried. The workaround is to encapsulate that traffic in GRE first and then let IPsec encrypt the GRE packets as the interesting traffic, so the GRE tunnel gets around IPsec's unicast-and-IP-only restriction. One thing to keep in mind: IPsec tunnel mode interferes with the GRE header, so IPsec must be configured in transport mode.

1. Walking through the configuration in a lab:
(1) Topology diagram (image not included in this copy).
(2) Configure the IP addresses on each router, and add default routes on R1 and R3 so the network is reachable end to end:

    R1(config)#ip route 0.0.0.0 0.0.0.0 202.102.48.66

    R3(config)#ip route 0.0.0.0 0.0.0.0 211.64.135.33
    R3#ping 202.102.48.65
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 202.102.48.65, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 12/29/80 ms
(3) Configure the tunnel on R1 and R3:

    R1(config)#int tunnel 1                        (create tunnel 1)
    R1(config-if)#ip unnumbered s1/1               (borrow the s1/1 physical interface address to save IP addresses)
    R1(config-if)#tunnel source s1/1               (specify the tunnel source)
    R1(config-if)#tunnel destination 211.64.135.34 (specify the tunnel destination)
    R1(config-if)#
    *Mar  1 02:59:02.471: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
    (once configured, R1 reports the tunnel interface as up)

    R3(config-if)#ip unnumbered s1/0
    R3(config-if)#tunnel source s1/0
    R3(config-if)#tunnel destination 202.102.48.65
    R3(config-if)#
    *Mar  1 03:04:20.319: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
(4) With the tunnel between R1 and R3 up, add a static route on each side so the two loopback interfaces can reach each other:

    R1(config)#ip route 192.168.0.0 255.255.0.0 tunnel 1

    R3(config)#ip route 172.16.0.0 255.255.0.0 tunnel 1
    R3(config)#do ping 172.16.1.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 12/28/60 ms
    R3(config)#
(5) Encrypt the interesting traffic inside the GRE tunnel with IPsec. To keep the GRE header intact, configure IPsec transport mode on R1 and R3:

    R1(config)#crypto isakmp key 0 CISCO address 211.64.135.34   (define the pre-shared key)
    R1(config)#crypto isakmp policy 1                            (enter IKE policy configuration mode; 1 is the priority)
    R1(config-isakmp)#authentication pre-share                   (use pre-shared key authentication)
    R1(config-isakmp)#encryption 3des                            (encrypt with 3DES)
    R1(config-isakmp)#hash md5                                   (set the hash algorithm to MD5)
    R1(config-isakmp)#group 1                                    (use Diffie-Hellman group 1 for key exchange)
    R1(config-isakmp)#lifetime 86400                             (optional, since 86400 seconds is the default lifetime)
    R1(config-isakmp)#exit
    R1(config)#crypto ipsec transform-set TEST esp-3des          (configure the IPsec transform set that encrypts the data)
    R1(cfg-crypto-trans)#mode transport                          (transport mode is recommended so the GRE header stays intact)
    R1(cfg-crypto-trans)#exit
    R1(config)#access-list 100 per gre host 202.102.48.65 host 211.64.135.34   (create an ACL matching the GRE traffic)
    R1(config)#crypto map R1_GRE_R3 10 ipsec-isakmp              (configure the crypto map)
    R1(config-crypto-map)#set peer 211.64.135.34                 (set the peer IP)
    R1(config-crypto-map)#set transform-set TEST                 (reference the transform set defined earlier)
    R1(config-crypto-map)#match address 100                      (match ACL 100)
    R1(config-crypto-map)#int s1/1                               (enter the interface the map will be applied to)
    R1(config-if)#crypto map R1_GRE_R3                           (apply the crypto map)

    R3(config)#crypto isakmp key 0 CISCO address 202.102.48.65
    R3(config)#crypto isakmp policy 1
    R3(config-isakmp)#authentication pre-share
    R3(config-isakmp)#encryption 3des
    R3(config-isakmp)#group 1
    R3(config-isakmp)#hash md5
    R3(config-isakmp)#exit
    R3(config)#crypto ipsec transform-set TEST esp-3des
    R3(cfg-crypto-trans)#mode transport
    R3(cfg-crypto-trans)#exit
    R3(config)#access-list 100 permit gre host 211.64.135.34 host 202.102.48.65
    R3(config)#crypto map R3_GRE_R1 10 ipsec-isakmp
    R3(config-crypto-map)#set peer 202.102.48.65
    R3(config-crypto-map)#set transform-set TEST
    R3(config-crypto-map)#match address 100
    R3(config-crypto-map)#int s1/0
    R3(config-if)#crypto map R3_GRE_R1
    R3(config-if)#
    *Mar  1 05:11:19.770: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
    (after the map is applied, ISAKMP reports ON)
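The two ends of this setup only work when they mirror each other: the same pre-shared key, each side's key address, `set peer` and GRE ACL destination all naming the remote endpoint, the two ACLs reversed, and transport mode on both. As an added example (written for this article, not code from the page or from Cisco), the following checker parses the crypto lines of both routers and reports any mismatch; the sample configs are constructed from the commands in step (5), and the 3DES/MD5/DH group 1 choices are additionally flagged as legacy algorithms.

```python
import re
# Constructed sample input: the crypto lines R1 and R3 hold after the steps above.
R1_CFG = """\
crypto isakmp key 0 CISCO address 211.64.135.34
 encryption 3des
 hash md5
 group 1
 mode transport
access-list 100 permit gre host 202.102.48.65 host 211.64.135.34
 set peer 211.64.135.34
"""
R3_CFG = """\
crypto isakmp key 0 CISCO address 202.102.48.65
 encryption 3des
 hash md5
 group 1
 mode transport
access-list 100 permit gre host 211.64.135.34 host 202.102.48.65
 set peer 202.102.48.65
"""
LEGACY = {"encryption 3des", "hash md5", "group 1"}  # IKE choices on the page that are deprecated today

def parse(cfg):
    """Extract the fields the two ends of a GRE-over-IPsec pair must agree on."""
    d = {"legacy": []}
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"crypto isakmp key \S+ (\S+) address (\S+)$", line):
            d["psk"], d["psk_peer"] = m.groups()
        elif m := re.match(r"access-list \d+ permit gre host (\S+) host (\S+)$", line):
            d["acl"] = m.groups()  # (local endpoint, remote endpoint)
        elif m := re.match(r"(set peer|mode) (\S+)$", line):
            d["peer" if m[1] == "set peer" else "mode"] = m[2]
        elif line in LEGACY:
            d["legacy"].append(line)
    return d

def check_pair(a, b):
    """Return findings for routers a and b; an empty list means they pair correctly."""
    out = []
    if a["psk"] != b["psk"]:
        out.append("pre-shared keys differ")
    for name, side in (("a", a), ("b", b)):
        if not (side["psk_peer"] == side["peer"] == side["acl"][1]):
            out.append(f"{name}: isakmp key address, 'set peer' and GRE ACL destination disagree")
        if side.get("mode") != "transport":
            out.append(f"{name}: tunnel mode wraps the GRE packet in a new IP header; use transport")
        out += [f"{name}: '{alg}' is a legacy algorithm" for alg in side["legacy"]]
    if a["acl"] != b["acl"][::-1]:
        out.append("GRE ACLs are not mirror images of each other")
    return out
```

Run against the page's two configs the only findings are the six legacy-algorithm notes; flipping one side to `mode tunnel` or feeding the same config for both routers produces the structural findings as well.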
2. Verifying the result:
(1) Use an extended ping to check that the loopback addresses of R1 and R3 can reach each other:

    R1#ping ip
    Target IP address: 192.168.1.1
    Repeat count [5]:
    Datagram size [100]:
    Timeout in seconds [2]:
    Extended commands [n]: y
    Source address or interface: 172.16.1.1
    Type of service [0]:
    Set DF bit in IP header? [no]:
    Validate reply data? [no]:
    Data pattern [0xABCD]:
    Loose, Strict, Record, Timestamp, Verbose[none]:
    Sweep range of sizes [n]:
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
    Packet sent with a source address of 172.16.1.1
    .!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 16/41/84 ms
    R1#
(2) `sh crypto isakmp sa` shows the IKE phase 1 negotiation, and `sh crypto ipsec sa` shows the phase 2 security associations. The previous lab already analysed that output in detail, so here we only look at R1's crypto session summary:

    R1#sh crypto session
    Crypto session current status

    Interface: Serial1/1                            (local IPsec session interface)
    Session status: UP-ACTIVE                       (the session is up)
    Peer: 211.64.135.34 port 500                    (peer IP and port)
      IKE SA: local 202.102.48.65/500 remote 211.64.135.34/500 Active
      IPSEC FLOW: permit 47 host 202.102.48.65 host 211.64.135.34
            Active SAs: 2, origin: crypto map