zoukankan      html  css  js  c++  java
  • ipsec_笔记

    1.基础IP配置
    R1 

    int f0/1
    ip add 12.1.1.1 255.255.255.0
    no sh
    int f0/0
    ip add 13.1.1.1 255.255.255.0
    no sh
    int loo 0
    ip add 1.1.1.1 255.255.255.255
    R2:
    int f0/1
    ip add 12.1.1.2 255.255.255.0
    no sh
    int f0/0
    ip add 192.168.1.254 255.255.255.0
    no sh
    ip access-list 100 deny ip per 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    ip access-list 100 permit ip any any
    int f0/1
    ip nat outside
    int f0/0
    ip nat inside
    ip nat inside list 100 int f0/1 over
    R3:
    int f0/0
    ip add 13.1.1.3 255.255.255.0
    no sh
    int f0/1
    ip add 192.168.2.254 255.255.255.0
    no sh
    ip access-list 100 deny ip per 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    ip access-list 100 permit ip any any
    int f0/0
    ip nat outside
    int f0/1
    ip nat inside 
    ip nat inside list 100 inside int f0/0 over
    R4:
    int f0/0
    ip add 192.168.1.1 255.255.255.0
    no sh
    no ip routing
    ip default gateway 192.168.1.254
    R5:
    int f0/1
    ip add 192.168.2.1 255.255.255.0
    no sh
    no ip routing
    ip default gateway 192.168.2.254
    2.ipsec配置
    R3:
    第一阶段
    show crypto isakmp policy

    crypto isakmp policy 10
    encryption aes
    hash md5
    authentication per-share
    group 2
    lifetime 3600
    show crypto isakmp policy

     (config)#crypto isakmp key 6 CCIE55 address 12.1.1.2 


    第二阶段:
    crypto ipsec transform-set CCIE55 esp-aes esp-md5-hmac
    mode tunnel
    crypto map CCIE55MAP  10 ipsec-isakmp 
    =======================================
    access-list 101 per ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    =======================================
     set peer 12.1.1.2
    set transform-set CCIE55
    match address 101 
    在R2上做类似配置:
    R2配置如下:
    access-list 101 per ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    crypto isakmp policy 10
    encryption aes
    hash md5
    authentication per-share
    group 2
    lifetime 3600
    crypto isakmp key 6 CCIE55 address 13.1.1.3 
    crypto ipsec transform-set CCIE55 esp-aes esp-md5-hmac
    mode tunnel
    crypto map CCIE55MAP  10 ipsec-isakmp 
     set peer 13.1.1.3
    set transform-set CCIE55
    match address 101 
    在R3上调用:
    R3:
    int f0/0 
    crypto map CCIE55MAP
    R2:
    int f0/1
    crypto map CCIE55MAP

    验证ipsec :
    第一阶段:show crypto isakmp sa(如果没有表项,可以ping一下,流量触发)
    show crypto isakmp key
    第二阶段:show crypto ipsec sa
    R2:show crypto ipsec sa

     

    R3:show crypto ipsec sa
     




  • 相关阅读:
    记一次JAVA WEB项目解决XSS攻击的办法(亲测有效)
    常用oracle可重复执行的脚本模板
    mybatis配置文件查询参数的传递
    oracle xmltype导入并解析Excel数据 (五)中间表数据入库
    oracle xmltype导入并解析Excel数据 (四)特别说明
    oracle xmltype导入并解析Excel数据 (三)解析Excel数据
    oracle xmltype导入并解析Excel数据 (二)规则说明
    oracle xmltype导入并解析Excel数据 (一)创建表与序
    ipv4,ipv6起止地址判断,网段判断
    HTML li标签排列有空白间隙
  • 原文地址:https://www.cnblogs.com/paddingtoneyes/p/13296799.html
Copyright © 2011-2022 走看看