VPN Series: ISAKMP Profile VPN
 
 
R1---------------------------R5 
.1       200.100.1.0/24     .2
 
R2---------------------------R5     (R5 simulates the ISP)
.1       200.100.2.0/24     .2
 
R3---------------------------R5 
.1       200.100.3.0/24     .2
 
Advantage: in an enterprise with many branch offices, a plain IPsec VPN cannot meet the requirement, because a plain IPsec crypto map hard-codes the peer in a single command. An ISAKMP Profile VPN lets the headquarters connect to multiple branches, saving cost and improving security!
 
Detailed configuration:
R1:
Building configuration...
Current configuration : 1930 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
ip cef
!
!
crypto keyring cisco
  pre-shared-key address 200.100.2.1 key 6 cisco
crypto keyring cisco1
  pre-shared-key address 200.100.3.1 key 6 cisco
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp profile cisco
   keyring cisco
   keyring cisco1
   match identity address 200.100.2.1 255.255.255.255
   match identity address 200.100.3.1 255.255.255.255
!
!
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
!
!
crypto map tor2 1 ipsec-isakmp
 set peer 200.100.2.1
 set peer 200.100.3.1
 set transform-set cisco
 set isakmp-profile cisco
 match address 100
!        
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 200.100.1.1 255.255.255.0
 serial restart-delay 0
 no dce-terminal-timing-enable
 crypto map tor2
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 200.100.1.2
!
!        
ip http server
no ip http secure-server
!
access-list 100 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
access-list 100 permit ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
end
 
 
 
 
 
R2:
Building configuration...
Current configuration : 1548 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
ip cef

no ip domain lookup
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 6 cisco address 200.100.1.1
!
!
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
!
crypto map tor1 1 ipsec-isakmp
 set peer 200.100.1.1
 set transform-set cisco
 match address 100
!
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 200.100.2.1 255.255.255.0
 serial restart-delay 0
 no dce-terminal-timing-enable
 crypto map tor1
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 200.100.2.2
!
!
ip http server
no ip http secure-server
!
access-list 100 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
!
end
 
 
 
 
 
R3:
Current configuration : 1546 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
ip cef
!
!
no ip domain lookup
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 6 cisco address 200.100.1.1
!
!
crypto ipsec transform-set tor1 esp-3des esp-md5-hmac
!
crypto map tor1 1 ipsec-isakmp
 set peer 200.100.1.1
 set transform-set tor1
 match address 100
!
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 200.100.3.1 255.255.255.0
 serial restart-delay 0
 no dce-terminal-timing-enable
 crypto map tor1
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 200.100.3.2
!
!
ip http server
no ip http secure-server
!
access-list 100 permit ip 3.3.3.0 0.0.0.255 1.1.1.0 0.0.0.255
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
!
end
 
 
 
 
 
R5 (simulating the ISP):
Current configuration : 1168 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ISP
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
ip cef
    
!
no ip domain lookup
!
!        
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 200.100.1.2 255.255.255.0
 serial restart-delay 0
 clock rate 64000
 no dce-terminal-timing-enable
!
interface Serial1/1
 ip address 200.100.2.2 255.255.255.0
 serial restart-delay 0
 clock rate 64000
 no dce-terminal-timing-enable
!
interface Serial1/2
 ip address 200.100.3.2 255.255.255.0
 serial restart-delay 0
 clock rate 64000
 no dce-terminal-timing-enable
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
ip classless
!
!
ip http server
no ip http secure-server
!
 
control-plane
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
!
end
 
 
Verification:
 
R2 pings R1:
R2#ping 1.1.1.1 source 2.2.2.2 repeat 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 112/249/436 ms
 
 
R3 pings R1:
R3#ping 1.1.1.1 source 3.3.3.3 r 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 20/228/352 ms
 
Note: the two branch offices cannot ping each other; to achieve that, DMVPN (dynamic multipoint VPN) is required.
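The hub-and-spoke design above only works when every spoke's WAN address appears in the hub's keyring, ISAKMP profile and crypto map, and when each spoke's crypto ACL mirrors a hub ACL entry. The following consistency checker is an added example (not part of the original post or any Cisco tool); it runs over constructed excerpts of the R1/R2/R3 configs shown above and reports any hub/spoke mismatch, including a branch-to-branch ACL entry that the hub cannot serve.

```python
import re

HUB_ADDR = "200.100.1.1"  # constructed excerpts of the R1 (hub) and R2/R3 (spoke) configs
HUB = """
crypto keyring cisco
  pre-shared-key address 200.100.2.1 key 6 cisco
crypto keyring cisco1
  pre-shared-key address 200.100.3.1 key 6 cisco
crypto isakmp profile cisco
   match identity address 200.100.2.1 255.255.255.255
   match identity address 200.100.3.1 255.255.255.255
crypto map tor2 1 ipsec-isakmp
 set peer 200.100.2.1
 set peer 200.100.3.1
access-list 100 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
access-list 100 permit ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
"""
SPOKES = {  # keyed by each spoke's WAN address, which is how the hub identifies it
    "200.100.2.1": "crypto isakmp key 6 cisco address 200.100.1.1\n"
                   "access-list 100 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255\n",
    "200.100.3.1": "crypto isakmp key 6 cisco address 200.100.1.1\n"
                   "access-list 100 permit ip 3.3.3.0 0.0.0.255 1.1.1.0 0.0.0.255\n",
}
# Hub-side lines that must name every spoke's WAN address, else IKE phase 1 fails.
HUB_CHECKS = {
    r"^\s*pre-shared-key address (\S+)": "keyring pre-shared key",
    r"^\s*match identity address (\S+)": "isakmp profile 'match identity address'",
    r"^\s*set peer (\S+)": "crypto map 'set peer'",
}

def crypto_acl(cfg):
    """Return {(src_net, dst_net)} from the 'access-list 100 permit ip' lines."""
    return set(re.findall(r"^access-list 100 permit ip (\S+) \S+ (\S+) \S+", cfg, re.M))

def check_spoke(hub, spoke_addr, spoke):
    """List hub/spoke mismatches that would break or narrow this spoke's tunnel."""
    findings = []
    for pat, what in HUB_CHECKS.items():
        if spoke_addr not in re.findall(pat, hub, re.M):
            findings.append(f"hub lacks {what} for {spoke_addr}")
    if HUB_ADDR not in re.findall(r"^crypto isakmp key .* address (\S+)", spoke, re.M):
        findings.append(f"{spoke_addr} has no pre-shared key for hub {HUB_ADDR}")
    # Phase 2 proxy identities must mirror: spoke (src,dst) == hub (dst,src).
    mirrored = {(d, s) for s, d in crypto_acl(hub)}
    for entry in crypto_acl(spoke) - mirrored:
        findings.append(f"{spoke_addr}: crypto ACL {entry} has no mirror entry on hub")
    return findings

def check_all(hub=HUB, spokes=SPOKES):
    return {addr: check_spoke(hub, addr, cfg) for addr, cfg in spokes.items()}
```

An empty findings list per spoke means the hub profile and that spoke agree; adding a new branch without all three hub-side entries shows up as three findings.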