
VPN Configuration Compendium

2021-11-23 Source: 客趣旅游网



I was teaching the CCSP class and took the opportunity to write up this summary.

Please credit the source when reposting:

红头发 (aka CCIE#15101)

http://www.91lab.com

I. PSK-based IPsec VPN configuration

First, any IOS image with a "k" in its feature set will do, since those images support the crypto features. The topology is as follows:

1. Basic configuration of R1:

R1(config)#interface loopback0

R1(config-if)#ip address 10.1.1.1 255.255.255.0

R1(config-if)#no shutdown

R1(config-if)#interface serial0/0

R1(config-if)#ip address 192.168.1.1 255.255.255.252

R1(config-if)#clock rate 56000

R1(config-if)#no shutdown

R1(config-if)#exit

2. Define the interesting traffic and the routing:

R1(config)#access-list 100 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

R1(config)#ip route 0.0.0.0 0.0.0.0 serial0/0

3. Enable ISAKMP globally and define the peer and its PSK (pre-shared key):

R1(config)#crypto isakmp enable

R1(config)#crypto isakmp key 91lab address 192.168.1.2

4. Define the IKE policy:

R1(config)#crypto isakmp policy 10

R1(config-isakmp)#encryption aes 128 /---the default is DES---/

R1(config-isakmp)#hash sha /---the default is SHA-1---/

R1(config-isakmp)#authentication pre-share

R1(config-isakmp)#group 2 /---the default is DH group 1 (768-bit)---/

R1(config-isakmp)#lifetime 3600 /---the default is 86400 seconds---/

R1(config-isakmp)#exit

5. Define the IPsec transform set:

R1(config)#crypto ipsec transform-set tt esp-aes 128 esp-sha-hmac

R1(cfg-crypto-trans)#mode tunnel

R1(cfg-crypto-trans)#exit

6. Define the crypto map and apply it to the interface:

R1(config)#crypto map cisco 10 ipsec-isakmp

R1(config-crypto-map)#match address 100

R1(config-crypto-map)#set peer 192.168.1.2 /---the peer address this crypto map applies to---/

R1(config-crypto-map)#set transform-set tt /---the IPsec transform set this crypto map uses---/

R1(config-crypto-map)#exit

R1(config)#interface serial0/0

R1(config-if)#crypto map cisco

*Mar 1 00:08:31.131: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

R1(config-if)#end

R1#

R1 configuration complete.

Likewise, the relevant configuration on R2:

!

!

crypto isakmp policy 10

encr aes

authentication pre-share

group 2

crypto isakmp key 91lab address 192.168.1.1

!

!

crypto ipsec transform-set tt esp-aes esp-sha-hmac

!

crypto map cisco 10 ipsec-isakmp

set peer 192.168.1.1

set transform-set tt

match address 100

!

!

!

!

interface Loopback0

ip address 10.2.2.1 255.255.255.0

!

interface Serial0/0

ip address 192.168.1.2 255.255.255.252

crypto map cisco

!

ip route 0.0.0.0 0.0.0.0 Serial0/0

!

access-list 100 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
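As an added check that is not part of the original article, the following Python script (helper names `parse`, `psk_for` and `check_pair` are my own) extracts from two IOS configurations the lines that decide whether a PSK crypto-map tunnel can come up and reports the classic copy-and-paste mismatches between the two ends: a peer address not configured on the other router, a transform set referenced but never defined, a crypto ACL (ip or gre) that is not mirrored, and pre-shared keys that do not agree. The sample configurations are constructed after R1/R2 above; the same check applies to the GRE pair in section III and the SPOKE/HUB pair in section IV.

```python
import re
# Constructed sample configs modelled on R1/R2 in section I (not copied from the page).
R1 = """crypto isakmp key 91lab address 192.168.1.2
crypto ipsec transform-set tt esp-aes 128 esp-sha-hmac
crypto map cisco 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set tt
interface Serial0/0
 ip address 192.168.1.1 255.255.255.252
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255"""
R2 = """crypto isakmp key 91lab address 192.168.1.1
crypto ipsec transform-set tt esp-aes esp-sha-hmac
crypto map cisco 10 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set tt
interface Serial0/0
 ip address 192.168.1.2 255.255.255.252
access-list 100 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255"""

RULES = [("keys", r"crypto isakmp key (\S+) address (\S+)"), ("peers", r"set peer (\S+)"),
         ("tsets", r"crypto ipsec transform-set (\S+) (.+)"), ("used", r"set transform-set (\S+)"),
         ("addrs", r"ip address (\S+) "), ("acl", r"access-list \d+ permit (?:ip|gre) (\S+) (\S+) (\S+) (\S+)")]

def parse(cfg):
    # Only the lines that decide whether a PSK crypto-map tunnel can come up are extracted.
    d = {"keys": {}, "tsets": {}, "peers": set(), "used": set(), "addrs": set(), "acl": set()}
    for line in cfg.splitlines():
        for field, pat in RULES:
            if m := re.match(pat, line.strip()):
                g = m.groups()
                if isinstance(d[field], dict): d[field].setdefault(g[0], set()).add(g[1])  # keys: PSK -> {addr}; tsets: name -> {proposal}
                else: d[field].add(g[0] if len(g) == 1 else g)
    return d

def psk_for(x, y):
    # PSKs on x that IOS would select for an address of y (a 0.0.0.0 wildcard key matches any peer)
    return {k for k, addrs in x["keys"].items() if "0.0.0.0" in addrs or addrs & y["addrs"]}

def check_pair(cfg_a, cfg_b):
    # Returns the mismatches between the two ends of a site-to-site tunnel (empty list = consistent).
    a, b, findings = parse(cfg_a), parse(cfg_b), []
    for name, x, y in (("A", a, b), ("B", b, a)):
        for ts in x["used"] - set(x["tsets"]):
            findings.append(f"{name}: set transform-set {ts} references an undefined transform set")
        for p in x["peers"] - y["addrs"]:
            findings.append(f"{name}: set peer {p} is not an interface address on the other end")
        for src, sw, dst, dw in x["acl"] - {(d2, w2, s2, v2) for s2, v2, d2, w2 in y["acl"]}:
            findings.append(f"{name}: crypto ACL {src} {sw} -> {dst} {dw} has no mirror on the other end")
    if not (psk_for(a, b) & psk_for(b, a)):
        findings.append("PSK: the two ends do not hold a common pre-shared key for each other's address")
    return findings
```

Run `check_pair(R1, R2)` on the two configs; an empty list means the crypto maps, ACLs and keys are mutually consistent.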

II. IPsec VPN configuration using aggressive mode with PSK

1. Basic configuration of R1:

R1(config)#interface loopback0

R1(config-if)#ip address 10.1.1.1 255.255.255.0

R1(config-if)#no shutdown

R1(config-if)#interface serial0/0

R1(config-if)#ip address 192.168.1.1 255.255.255.252

R1(config-if)#clock rate 56000

R1(config-if)#no shutdown

R1(config-if)#exit

2. Define the interesting traffic and the routing:

R1(config)#access-list 100 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

R1(config)#ip route 0.0.0.0 0.0.0.0 serial0/0

3. Enable ISAKMP globally and define the peer and its PSK (pre-shared key), using aggressive mode:

R1(config)#crypto isakmp enable

R1(config)#crypto isakmp peer address 192.168.1.2

R1(config-isakmp-peer)#set aggressive-mode client-endpoint ipv4-address 192.168.1.1

R1(config-isakmp-peer)#set aggressive-mode password 91lab

4. Define the IKE policy:

R1(config)#crypto isakmp policy 10

R1(config-isakmp)#encryption aes 128 /---the default is DES---/

R1(config-isakmp)#hash sha /---the default is SHA-1---/

R1(config-isakmp)#authentication pre-share

R1(config-isakmp)#group 2 /---the default is DH group 1 (768-bit)---/

R1(config-isakmp)#lifetime 3600 /---the default is 86400 seconds---/

R1(config-isakmp)#exit

5. Define the IPsec transform set:

R1(config)#crypto ipsec transform-set tt esp-aes 128 esp-sha-hmac

R1(cfg-crypto-trans)#mode tunnel

R1(cfg-crypto-trans)#exit

6. Define the crypto map and apply it to the interface:

R1(config)#crypto map cisco 10 ipsec-isakmp

R1(config-crypto-map)#match address 100

R1(config-crypto-map)#set peer 192.168.1.2 /---the peer address this crypto map applies to---/

R1(config-crypto-map)#set transform-set tt /---the IPsec transform set this crypto map uses---/

R1(config-crypto-map)#exit

R1(config)#interface serial0/0

R1(config-if)#crypto map cisco

*Mar 1 00:08:31.131: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

R1(config-if)#end

R1#

R1 configuration complete.

Likewise, R2's configuration:

!

!

crypto isakmp policy 10

encr aes

authentication pre-share

group 2

!

crypto isakmp peer address 192.168.1.1

set aggressive-mode password 91lab

set aggressive-mode client-endpoint ipv4-address 192.168.1.2

!

!

crypto ipsec transform-set tt esp-aes esp-sha-hmac

!

crypto map cisco 10 ipsec-isakmp

set peer 192.168.1.1

set transform-set tt

match address 100

!

!

!

!

interface Loopback0

ip address 10.2.2.1 255.255.255.0

!

interface Serial0/0

ip address 192.168.1.2 255.255.255.252

crypto map cisco

!

ip route 0.0.0.0 0.0.0.0 Serial0/0

!

access-list 100 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255

!

III. Combining GRE tunnels with IPsec

A GRE tunnel has no security features of its own; protection is added by combining it with PSK-based IPsec. The topology is as follows:

1. Basic configuration of R1:

R1(config)#interface loopback0

R1(config-if)#ip address 10.1.1.1 255.255.255.0

R1(config-if)#no shutdown

R1(config-if)#interface serial0/0

R1(config-if)#ip address 192.168.1.1 255.255.255.252

R1(config-if)#clock rate 56000

R1(config-if)#no shutdown

R1(config)#interface tunnel 0

R1(config-if)#ip unnumbered serial0/0

R1(config-if)#tunnel source serial0/0

R1(config-if)#tunnel destination 192.168.1.2 /---R2's serial0/0 address---/

R1(config-if)#tunnel mode gre ip /---optional; GRE is the default tunnel mode---/

R1(config-if)#no shutdown

R1(config-if)#exit

2. Define the interesting traffic and the routing:

R1(config)#access-list 100 permit gre host 192.168.1.1 host 192.168.1.2

R1(config)#ip route 0.0.0.0 0.0.0.0 serial0/0

R1(config)#ip route 10.2.2.0 255.255.255.0 tunnel 0 /---send the remote LAN into the GRE tunnel so that its traffic is matched by the GRE crypto ACL---/

3. Enable ISAKMP globally and define the peer and its PSK (pre-shared key):

R1(config)#crypto isakmp enable

R1(config)#crypto isakmp key 91lab address 192.168.1.2

4. Define the IKE policy:

R1(config)#crypto isakmp policy 10

R1(config-isakmp)#encryption aes 128 /---the default is DES---/

R1(config-isakmp)#hash sha /---the default is SHA-1---/

R1(config-isakmp)#authentication pre-share

R1(config-isakmp)#group 2 /---the default is DH group 1 (768-bit)---/

R1(config-isakmp)#lifetime 3600 /---the default is 86400 seconds---/

R1(config-isakmp)#exit

5. Define the IPsec transform set:

R1(config)#crypto ipsec transform-set tt esp-aes 128 esp-sha-hmac

R1(cfg-crypto-trans)#mode tunnel

R1(cfg-crypto-trans)#exit

6. Define the crypto map and apply it to the interface:

R1(config)#crypto map cisco 10 ipsec-isakmp

R1(config-crypto-map)#match address 100

R1(config-crypto-map)#set peer 192.168.1.2 /---the peer address this crypto map applies to---/

R1(config-crypto-map)#set transform-set tt /---the IPsec transform set this crypto map uses---/

R1(config-crypto-map)#exit

R1(config)#interface serial0/0

R1(config-if)#crypto map cisco

*Mar 1 00:08:31.131: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

R1(config-if)#end

R1#

R1 configuration complete.

Likewise, the relevant configuration on R2:

!

!

crypto isakmp policy 10

encr aes

authentication pre-share

group 2

crypto isakmp key 91lab address 192.168.1.1

!

!

crypto ipsec transform-set tt esp-aes esp-sha-hmac

!

crypto map cisco 10 ipsec-isakmp

set peer 192.168.1.1

set transform-set tt

match address 100

!

!

!

interface Tunnel0

ip unnumbered Serial0/0

tunnel source Serial0/0

tunnel destination 192.168.1.1

!

interface Loopback0

ip address 10.2.2.1 255.255.255.0

!

interface Serial0/0

ip address 192.168.1.2 255.255.255.252

crypto map cisco

!

ip route 0.0.0.0 0.0.0.0 Serial0/0

ip route 10.1.1.0 255.255.255.0 Tunnel0

!

access-list 100 permit gre host 192.168.1.2 host 192.168.1.1

!

IV. High availability for IPsec VPN

Normally we want IPsec VPN traffic to fail over seamlessly between the primary and standby routers, which can be achieved by combining HSRP with SSO. HSRP provides hot standby for the incoming traffic: once the primary router goes down, HSRP immediately hands the IKE information and SAs over to the backup router, while SSO allows the primary and standby routers to share the IKE and SA information.

SPOKE configuration:

1. Define the interesting traffic and the routing:

SPOKE(config)#access-list 100 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

SPOKE(config)#ip route 0.0.0.0 0.0.0.0 serial0/0

2. Enable ISAKMP globally and define the peer and its PSK (pre-shared key):

SPOKE(config)#crypto isakmp enable

SPOKE(config)#crypto isakmp key 91lab address 0.0.0.0 0.0.0.0

3. Define the IKE policy:

SPOKE(config)#crypto isakmp policy 10

SPOKE(config-isakmp)#encryption aes 128 /---the default is DES---/

SPOKE(config-isakmp)#hash sha /---the default is SHA-1---/

SPOKE(config-isakmp)#authentication pre-share

SPOKE(config-isakmp)#group 2 /---the default is DH group 1 (768-bit)---/

SPOKE(config-isakmp)#lifetime 3600 /---the default is 86400 seconds---/

SPOKE(config-isakmp)#exit

4. Define the IPsec transform set:

SPOKE(config)#crypto ipsec transform-set nuaiko esp-aes 128 esp-sha-hmac

SPOKE(cfg-crypto-trans)#exit

5. Define the crypto map and apply it to the interface:

SPOKE(config)#crypto map ccsp 10 ipsec-isakmp

SPOKE(config-crypto-map)#match address 100

SPOKE(config-crypto-map)#set peer 16.1.1.254 /---the crypto map's peer address, here the remote HSRP virtual IP---/

SPOKE(config-crypto-map)#set transform-set nuaiko /---the IPsec transform set this crypto map uses---/

SPOKE(config-crypto-map)#exit

SPOKE(config)#interface serial0/0

SPOKE(config-if)#crypto map ccsp

*Mar 1 00:08:31.131: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

SPOKE(config-if)#end

SPOKE#

SPOKE configuration complete.

HUB1 configuration:

1. Define the interesting traffic and the routing:

HUB1(config)#access-list 100 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255

HUB1(config)#ip route 0.0.0.0 0.0.0.0 16.1.1.3

2. Enable ISAKMP globally and define the peer and its PSK (pre-shared key):

HUB1(config)#crypto isakmp enable

HUB1(config)#crypto isakmp key 91lab address 0.0.0.0 0.0.0.0

3. Define the IKE policy:

HUB1(config)#crypto isakmp policy 10

HUB1(config-isakmp)#encryption aes 128 /---the default is DES---/

HUB1(config-isakmp)#hash sha /---the default is SHA-1---/

HUB1(config-isakmp)#authentication pre-share

HUB1(config-isakmp)#group 2 /---the default is DH group 1 (768-bit)---/

HUB1(config-isakmp)#lifetime 3600 /---the default is 86400 seconds---/

HUB1(config-isakmp)#exit

4. Define the IPsec transform set:

HUB1(config)#crypto ipsec transform-set nuaiko esp-aes 128 esp-sha-hmac

HUB1(cfg-crypto-trans)#exit

5. Define the crypto map:

HUB1(config)#crypto map ccsp 10 ipsec-isakmp

HUB1(config-crypto-map)#match address 100

HUB1(config-crypto-map)#set peer 173.1.1.1 /---the peer address this crypto map applies to---/

HUB1(config-crypto-map)#set transform-set nuaiko /---the IPsec transform set this crypto map uses---/

HUB1(config-crypto-map)#exit

6. Enable HSRP and apply the crypto map:

HUB1(config)#interface ethernet 0/0

HUB1(config-if)#standby 1 ip 16.1.1.254 /---virtual IP address of HSRP group 1---/

HUB1(config-if)#standby 1 priority 105

HUB1(config-if)#standby 1 preempt /---enable preemption---/

*Mar 1 00:45:37.987: %HSRP-6-STATECHANGE: Ethernet0/0 Grp 1 state Speak -> Standby

*Mar 1 00:45:37.987: %HSRP-6-STATECHANGE: Ethernet0/0 Grp 1 state Standby -> Active

HUB1(config-if)#standby 1 name ss1 /---name of the HSRP redundancy group---/

HUB1(config-if)#standby 1 track ethernet 0/1 /---HSRP interface tracking---/

HUB1(config-if)#crypto map ccsp redundancy ss1 stateful /---apply the crypto map and define the stateful backup IPsec peer---/

*Mar 1 00:46:47.591: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

HUB1(config-if)#standby delay reload 120 /---delay before the HSRP group initializes after a reload; Cisco recommends 120 seconds---/

HUB1(config)#interface ethernet 0/1

HUB1(config-if)#standby 2 ip 10.2.2.254

HUB1(config-if)#standby 2 preempt

*Mar 1 00:49:20.791: %HSRP-6-STATECHANGE: Ethernet0/1 Grp 2 state Speak -> Standby

*Mar 1 00:49:20.791: %HSRP-6-STATECHANGE: Ethernet0/1 Grp 2 state Standby -> Active

HUB1(config-if)#standby 2 track ethernet 0/0

HUB1(config-if)#standby 2 name ss2

7. Enable stateful switchover (SSO):

HUB1(config)#redundancy inter-device

HUB1(config-red-interdevice)#scheme standby ss2

HUB1(config-red-interdevice)#exit

HUB1(config)#ipc zone default

HUB1(config-ipczone)#association 1

HUB1(config-ipczone-assoc)#no shutdown

HUB1(config-ipczone-assoc)#protocol sctp

HUB1(config-ipc-protocol-sctp)#local-port 5000

HUB1(config-ipc-local-sctp)#local-ip 10.2.2.1

HUB1(config-ipc-local-sctp)#exit

HUB1(config-ipc-protocol-sctp)#remote-port 5000

HUB1(config-ipc-remote-sctp)#remote-ip 10.2.2.2

Likewise, the relevant configuration on HUB2:

!

crypto isakmp policy 10

encr aes

authentication pre-share

group 2

crypto isakmp key 91lab address 0.0.0.0 0.0.0.0

!

crypto ipsec transform-set nuaiko esp-aes esp-sha-hmac

!

crypto map cisco 10 ipsec-isakmp

set peer 173.1.1.1

set transform-set nuaiko

match address 100

!

interface ethernet 0/0

standby 1 ip 16.1.1.254

standby 1 priority 105

standby 1 preempt

standby 1 name ss1

standby 1 track ethernet 0/1

crypto map cisco redundancy ss1 stateful

standby delay reload 120

!

interface ethernet 0/1

ip address 10.2.2.2 255.255.255.0

standby 2 ip 10.2.2.254

standby 2 priority 105

standby 2 preempt

standby 2 name ss2

standby 2 track ethernet 0/0

standby delay reload 120

!

ip route 0.0.0.0 0.0.0.0 16.1.1.3

!

access-list 100 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255

!

redundancy inter-device

scheme standby ss2

!

ipc zone default

association 1

no shutdown

protocol sctp

local-port 5000

local-ip 10.2.2.2

remote-port 5000

remote-ip 10.2.2.1

HUB2 configuration complete.
