zoukankan      html  css  js  c++  java

  • ipsec_笔记

    1.基础IP配置
    R1 

    int f0/1
    ip add 12.1.1.1 255.255.255.0
    no sh
    int f0/0
    ip add 13.1.1.1 255.255.255.0
    no sh
    int loo 0
    ip add 1.1.1.1 255.255.255.255
    R2:
    int f0/1
    ip add 12.1.1.2 255.255.255.0
    no sh
    int f0/0
    ip add 192.168.1.254 255.255.255.0
    no sh
    ip access-list 100 deny ip per 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    ip access-list 100 permit ip any any
    int f0/1
    ip nat outside
    int f0/0
    ip nat inside
    ip nat inside list 100 int f0/1 over
    R3:
    int f0/0
    ip add 13.1.1.3 255.255.255.0
    no sh
    int f0/1
    ip add 192.168.2.254 255.255.255.0
    no sh
    ip access-list 100 deny ip per 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    ip access-list 100 permit ip any any
    int f0/0
    ip nat outside
    int f0/1
    ip nat inside 
    ip nat inside list 100 inside int f0/0 over
    R4:
    int f0/0
    ip add 192.168.1.1 255.255.255.0
    no sh
    no ip routing
    ip default gateway 192.168.1.254
    R5:
    int f0/1
    ip add 192.168.2.1 255.255.255.0
    no sh
    no ip routing
    ip default gateway 192.168.2.254
    2.ipsec配置
    R3:
    第一阶段
    show crypto isakmp policy

    crypto isakmp policy 10
    encryption aes
    hash md5
    authentication per-share
    group 2
    lifetime 3600
    show crypto isakmp policy

     (config)#crypto isakmp key 6 CCIE55 address 12.1.1.2 


    第二阶段:
    crypto ipsec transform-set CCIE55 esp-aes esp-md5-hmac
    mode tunnel
    crypto map CCIE55MAP  10 ipsec-isakmp 
    =======================================
    access-list 101 per ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    =======================================
     set peer 12.1.1.2
    set transform-set CCIE55
    match address 101 
    在R2上做类似配置:
    R2配置如下:
    access-list 101 per ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    crypto isakmp policy 10
    encryption aes
    hash md5
    authentication per-share
    group 2
    lifetime 3600
    crypto isakmp key 6 CCIE55 address 13.1.1.3 
    crypto ipsec transform-set CCIE55 esp-aes esp-md5-hmac
    mode tunnel
    crypto map CCIE55MAP  10 ipsec-isakmp 
     set peer 13.1.1.3
    set transform-set CCIE55
    match address 101 
    在R3上调用:
    R3:
    int f0/0 
    crypto map CCIE55MAP
    R2:
    int f0/1
    crypto map CCIE55MAP

    验证ipsec :
    第一阶段:show crypto isakmp sa(如果没有表项,可以ping一下,流量触发)
    show crypto isakmp key
    第二阶段:show crypto ipsec sa
    R2:show crypto ipsec sa

     

    R3:show crypto ipsec sa
     
  • 相关阅读:
    iOS开发之Xcode8兼容适配iOS 10资料整理笔记
    C#流概述
    C#回调实现的一般过程
    ASP.Net MVC的学习
    RAID基本知识
    Infiniband基本知识
    [转]开源实时视频码流分析软件:VideoEye
    [转]高分一号的落后与特色
    [转]MVC,MVP 和 MVVM 的图示
    图文助你打开MS SQL Serever的ldf和mdf文件
  • 原文地址:https://www.cnblogs.com/paddingtoneyes/p/13296799.html
Copyright © 2011-2022 走看看