zoukankan      html  css  js  c++  java
  • ipsec_笔记

    1.基础IP配置
    R1 

    int f0/1
    ip add 12.1.1.1 255.255.255.0
    no sh
    int f0/0
    ip add 13.1.1.1 255.255.255.0
    no sh
    int loo 0
    ip add 1.1.1.1 255.255.255.255
    R2:
    int f0/1
    ip add 12.1.1.2 255.255.255.0
    no sh
    int f0/0
    ip add 192.168.1.254 255.255.255.0
    no sh
    ip access-list 100 deny ip per 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    ip access-list 100 permit ip any any
    int f0/1
    ip nat outside
    int f0/0
    ip nat inside
    ip nat inside list 100 int f0/1 over
    R3:
    int f0/0
    ip add 13.1.1.3 255.255.255.0
    no sh
    int f0/1
    ip add 192.168.2.254 255.255.255.0
    no sh
    ip access-list 100 deny ip per 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    ip access-list 100 permit ip any any
    int f0/0
    ip nat outside
    int f0/1
    ip nat inside 
    ip nat inside list 100 inside int f0/0 over
    R4:
    int f0/0
    ip add 192.168.1.1 255.255.255.0
    no sh
    no ip routing
    ip default gateway 192.168.1.254
    R5:
    int f0/1
    ip add 192.168.2.1 255.255.255.0
    no sh
    no ip routing
    ip default gateway 192.168.2.254
    2.ipsec配置
    R3:
    第一阶段
    show crypto isakmp policy

    crypto isakmp policy 10
    encryption aes
    hash md5
    authentication per-share
    group 2
    lifetime 3600
    show crypto isakmp policy

     (config)#crypto isakmp key 6 CCIE55 address 12.1.1.2 


    第二阶段:
    crypto ipsec transform-set CCIE55 esp-aes esp-md5-hmac
    mode tunnel
    crypto map CCIE55MAP  10 ipsec-isakmp 
    =======================================
    access-list 101 per ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    =======================================
     set peer 12.1.1.2
    set transform-set CCIE55
    match address 101 
    在R2上做类似配置:
    R2配置如下:
    access-list 101 per ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    crypto isakmp policy 10
    encryption aes
    hash md5
    authentication per-share
    group 2
    lifetime 3600
    crypto isakmp key 6 CCIE55 address 13.1.1.3 
    crypto ipsec transform-set CCIE55 esp-aes esp-md5-hmac
    mode tunnel
    crypto map CCIE55MAP  10 ipsec-isakmp 
     set peer 13.1.1.3
    set transform-set CCIE55
    match address 101 
    在R3上调用:
    R3:
    int f0/0 
    crypto map CCIE55MAP
    R2:
    int f0/1
    crypto map CCIE55MAP

    验证ipsec :
    第一阶段:show crypto isakmp sa(如果没有表项,可以ping一下,流量触发)
    show crypto isakmp key
    第二阶段:show crypto ipsec sa
    R2:show crypto ipsec sa

     

    R3:show crypto ipsec sa
     




  • 相关阅读:
    创建包含前后255天所有天数的视图。
    VC获取主机名和主机信息
    在PowerDesigner增加unique约束
    差集的几种计算方法
    动态列的处理(统计)。
    一个查询语句各个部分的执行顺序
    IDC机房跳线
    软件下载链接
    IDC装机检查思路
    运维工程师之IDC系列
  • 原文地址:https://www.cnblogs.com/paddingtoneyes/p/13296799.html
Copyright © 2011-2022 走看看