Lab 41: ×××(IPSec) Configuration
I. Lab Objectives
1. Master the configuration of establishing a ××× with manually configured keys
2. Understand the role of the keys in establishing the tunnel
II. Application Environment
IPSec provides data confidentiality, integrity and source authentication on the network, and so protects data effectively.
Manually configuring the keys reduces the overhead of key exchange and improves efficiency.
III. Lab Equipment
1. Two DCR-1751 routers
2. Two PCs
IV. Lab Topology
V. Lab Requirements
Configuration table

               Router-A                     Router-B
F0/0           192.168.0.1/24      F0/0     192.168.2.1/24
S1/1 (DCE)     192.168.1.1/24      S1/0     192.168.1.2/24

               PC                           SERVER
IP             192.168.0.10/24              192.168.2.2/24
Gateway        192.168.0.1                  192.168.2.1
Result:
Establish a ××× between router A and router B to protect the data from the PC to the SERVER.
VI. Lab Steps
Step 1: Router A configuration
Router-A#conf
Router-A_config#ip access-list extended 101 !select the traffic to be protected by the ×××
Router-A_config_ext_nacl#permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
Router-A_config_ext_nacl#exit
Router-A_config#ip route 0.0.0.0 0.0.0.0 192.168.1.2 !configure a static route
Router-A_config#crypto ipsec transform-set one !define the transform set
Router-A_config_crypto_trans#transform-type esp-des esp-md5-hmac !ESP encryption and authentication
Router-A_config_crypto_trans#exit
Router-A_config#crypto map my 10 ipsec-manu !configure the IPSec crypto map
Router-A_config_crypto_map#set transform-set one !bind the transform set
Router-A_config_crypto_map#set peer 192.168.1.2 !set the peer address
Router-A_config_crypto_map#match address 101 !bind the traffic that must be encrypted
Router-A_config_crypto_map#set security-association inbound esp 2001 cipher ffeeddccbbaa001122334455667788999988776655443322
Router-A_config_crypto_map#set security-association inbound ah 2000 ffeeddccbbaa00112233445566778899
Router-A_config_crypto_map#set security-association outbound esp 1001 cipher aabbccddeeff001122334455667788999988776655443322
Router-A_config_crypto_map#set security-association outbound ah 1000 aabbccddeeff00112233445566778899
!manually configured keys
Router-A_config_crypto_map#exit
Router-A_config#int s1/1 !enter the ××× interface
Router-A_config_s1/1#crypto map my !apply the IPSec crypto map
Router-A_config_s1/1#^Z
Step 2: Check the configuration (the output shown after the ××× has been established at both ends)
Router-A#sh crypto ipsec sa !view the IPSec security associations
Interface: Serial1/1
Crypto map name:my , local addr. 192.168.1.1
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.1.2
inbound esp sas:
spi:0x7d1(2001)
transform: esp-3des
in use settings ={ Tunnel }
no sa timing
inbound ah sas:
spi:0x7d0(2000)
transform: ah-md5-hmac
in use settings ={ Tunnel }
no sa timing
outbound esp sas:
spi:0x3e9(1001)
transform: esp-3des
in use settings ={ Tunnel }
no sa timing
outbound ah sas:
spi:0x3e8(1000)
transform: ah-md5-hmac
in use settings ={ Tunnel }
no sa timing
Router-A#sh crypto map !view the IPSec crypto map
Crypto Map my 10 ipsec-manual
Extended IP access list 101
permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
peer = 192.168.1.2
Inbound esp spi: 2001 ,
cipher key: ffeeddccbbaa001122334455667788999988776655443322 ,
auth key ,
Inbound ah spi: 2000 ,
key: ffeeddccbbaa00112233445566778899 ,
Outbound esp spi: 1001 ,
cipher key: aabbccddeeff001122334455667788999988776655443322 ,
auth key ,
Outbound ah spi: 1000 ,
key: aabbccddeeff00112233445566778899
Transform sets={ one}
Router-A#sh crypto ipsec transform-set !view the transform set
Transform set one: { ah-md5-hmac esp-3des }
will negotiate ={ Tunnel }
Step 3: Router B configuration
Router-B>ena
Router-B#conf
Router-B_config#ip access-list extended 101
Router-B_config_ext_nacl#permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
Router-B_config_ext_nacl#exit
Router-B_config#ip route 192.168.0.0 255.255.255.0 192.168.1.1
Router-B_config#crypto ipsec transform-set one
Router-B_config_crypto_trans#transform-type esp-des esp-md5-hmac !must be identical to router A
Router-B_config_crypto_trans#exit
Router-B_config#crypto map my 10 ipsec-manu !the keys must correspond to router A's
Router-B_config_crypto_map#set transform-set one
Router-B_config_crypto_map#set peer 192.168.1.1
Router-B_config_crypto_map#match address 101
Router-B_config_crypto_map#set security-association inbound esp 1001 cipher aabbccddeeff001122334455667788999988776655443322
Router-B_config_crypto_map#set security-association inbound ah 1000 aabbccddeeff00112233445566778899
Router-B_config_crypto_map#set security-association outbound esp 2001 cipher ffeeddccbbaa001122334455667788999988776655443322
Router-B_config_crypto_map#set security-association outbound ah 2000 ffeeddccbbaa00112233445566778899
!note the correspondence with A: inbound and outbound are swapped between the two routers
Router-B_config_crypto_map#exit
Router-B_config#int s1/0
Router-B_config_s1/0#crypto map my
Router-B_config_s1/0#^Z
Step 4: Check the configuration
Router-B#sh crypto ipsec sa
Interface: Serial1/0
Crypto map name:my , local addr. 192.168.1.2
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
local crypto endpt.: 192.168.1.2, remote crypto endpt.: 192.168.1.1
inbound esp sas:
spi:0x3e9(1001)
transform: esp-3des
in use settings ={ Tunnel }
no sa timing
inbound ah sas:
spi:0x3e8(1000)
transform: ah-md5-hmac
in use settings ={ Tunnel }
no sa timing
outbound esp sas:
spi:0x7d1(2001)
transform: esp-3des
in use settings ={ Tunnel }
no sa timing
outbound ah sas:
spi:0x7d0(2000)
transform: ah-md5-hmac
in use settings ={ Tunnel }
no sa timing
Router-B#sh crypto ipsec transform-set
Transform set one: { ah-md5-hmac esp-3des }
will negotiate ={ Tunnel }
Router-B#sh crypto map
Crypto Map my 10 ipsec-manual
Extended IP access list 101
permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
peer = 192.168.1.1
Inbound esp spi: 1001 ,
cipher key: aabbccddeeff001122334455667788999988776655443322 ,
auth key ,
Inbound ah spi: 1000 ,
key: aabbccddeeff00112233445566778899 ,
Outbound esp spi: 2001 ,
cipher key: ffeeddccbbaa001122334455667788999988776655443322 ,
auth key ,
Outbound ah spi: 2000 ,
key: ffeeddccbbaa00112233445566778899
Transform sets={ one}
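With manual keying there is no IKE negotiation to reject a mismatch, so a wrong SPI or key only shows up as silently dropped traffic in step 5. The script below is an added example, not part of the lab or of the DCR-1751 software: it parses the `sh crypto map` output of both routers (the sample inputs are copied from the outputs above) and checks that every inbound SA on one router is mirrored by an outbound SA with the same SPI and key on the other, that the peer addresses point at each other, and that the key lengths fit the transforms the routers report. The key-length table is an assumption taken from those outputs: the routers report esp-3des and ah-md5-hmac (not the esp-des / esp-md5-hmac typed in the transform-set command), and the 48-hex-digit ESP keys and 32-hex-digit AH keys are exactly the 24 and 16 bytes those transforms need.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Assumed key sizes in bytes for the transforms the routers report in "sh crypto map":
# esp-3des takes a 24-byte cipher key, ah-md5-hmac a 16-byte authentication key.
KEY_BYTES = {"esp": 24, "ah": 16}

SA_HEADER = re.compile(r"^(Inbound|Outbound)\s+(esp|ah)\s+spi:\s*(\d+)", re.I)
KEY_LINE = re.compile(r"^(?:cipher\s+)?key:\s*([0-9a-fA-F]+)")
PEER_LINE = re.compile(r"^peer\s*=\s*(\S+)")


@dataclass
class CryptoMap:
    peer: str = ""
    # (direction, protocol) -> (spi, hex key); key is None if none was printed
    sas: dict = field(default_factory=dict)


def parse_crypto_map(text: str) -> CryptoMap:
    """Parse the 'sh crypto map' output of an ipsec-manual map."""
    cm = CryptoMap()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := PEER_LINE.match(line):
            cm.peer = m.group(1)
        elif m := SA_HEADER.match(line):
            current = (m.group(1).lower(), m.group(2).lower())
            cm.sas[current] = (int(m.group(3)), None)
        elif (m := KEY_LINE.match(line)) and current is not None:
            cm.sas[current] = (cm.sas[current][0], m.group(1).lower())
            current = None  # the "auth key ," line carries no value and is skipped
    return cm


def check_manual_peering(a: CryptoMap, b: CryptoMap, addr_a: str, addr_b: str) -> list[str]:
    """Return a list of findings; an empty list means the two maps are consistent."""
    findings = []
    if a.peer != addr_b:
        findings.append(f"A peers with {a.peer}, expected {addr_b}")
    if b.peer != addr_a:
        findings.append(f"B peers with {b.peer}, expected {addr_a}")
    for (direction, proto), (spi, key) in a.sas.items():
        # A's inbound SA must be B's outbound SA of the same protocol, and vice versa
        mirror = ("outbound" if direction == "inbound" else "inbound", proto)
        if mirror not in b.sas:
            findings.append(f"B lacks the {mirror[0]} {proto} SA matching A's {direction} {proto}")
            continue
        spi_b, key_b = b.sas[mirror]
        if spi != spi_b:
            findings.append(f"A {direction} {proto} spi {spi} != B {mirror[0]} {proto} spi {spi_b}")
        if key != key_b:
            findings.append(f"A {direction} {proto} key differs from B {mirror[0]} {proto} key")
        if key is None or len(key) != 2 * KEY_BYTES[proto]:
            findings.append(f"A {direction} {proto} key is not {KEY_BYTES[proto]} bytes")
    return findings


# Sample inputs copied from the "sh crypto map" outputs of Router-A and Router-B above.
SHOW_MAP_A = """\
Crypto Map my 10 ipsec-manual
Extended IP access list 101
permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
peer = 192.168.1.2
Inbound esp spi: 2001 ,
cipher key: ffeeddccbbaa001122334455667788999988776655443322 ,
auth key ,
Inbound ah spi: 2000 ,
key: ffeeddccbbaa00112233445566778899 ,
Outbound esp spi: 1001 ,
cipher key: aabbccddeeff001122334455667788999988776655443322 ,
auth key ,
Outbound ah spi: 1000 ,
key: aabbccddeeff00112233445566778899
Transform sets={ one}
"""

SHOW_MAP_B = """\
Crypto Map my 10 ipsec-manual
Extended IP access list 101
permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
peer = 192.168.1.1
Inbound esp spi: 1001 ,
cipher key: aabbccddeeff001122334455667788999988776655443322 ,
auth key ,
Inbound ah spi: 1000 ,
key: aabbccddeeff00112233445566778899 ,
Outbound esp spi: 2001 ,
cipher key: ffeeddccbbaa001122334455667788999988776655443322 ,
auth key ,
Outbound ah spi: 2000 ,
key: ffeeddccbbaa00112233445566778899
Transform sets={ one}
"""

MAP_A = parse_crypto_map(SHOW_MAP_A)
MAP_B = parse_crypto_map(SHOW_MAP_B)

if __name__ == "__main__":
    problems = check_manual_peering(MAP_A, MAP_B, "192.168.1.1", "192.168.1.2")
    print("consistent" if not problems else "\n".join(problems))
```

Run against the two outputs above the checker reports no findings; change one SPI or one hex digit on either side and it names the SA that will fail, which is the same situation the step-5 test would only reveal as lost pings.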
Step 5: Test
Reposted from: https://blog.51cto.com/lorna8023/406576