As the Internet and enterprises become ever more tightly coupled, VPNs are everywhere, and very often the structure is headquarters---branch: headquarters is on fibre (static IP access) while the branches use ADSL. In a case like this, the traditional site-to-site IPsec configuration clearly will not work, because under this topology a new method is needed: configure the Tunnel Endpoint Discovery (TED) protocol on the server side and let the session be initiated by the dynamic-IP client side, since headquarters has a fixed IP. Combine this with a dynamic map and it is done. Compared with the original configuration, this only adds one or two commands. Note that if the client side is a non-Cisco router, the parameter to watch is IKE phase 1, which must connect using aggressive mode! The encryption algorithm used must match the headquarters settings.

R1 is headquarters, R2 is the branch. Topology: R1 s1/1------s1/0 R2
R1 configuration:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1-hub
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip cef
!
multilink bundle-name authenticated
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set net esp-des esp-md5-hmac
!
crypto dynamic-map tedmap 1
 set transform-set net
 match address 100
!
crypto map vpn 1 ipsec-isakmp dynamic tedmap discover
!
interface Loopback0
 ip address 10.0.1.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 ip address 192.168.2.1 255.255.255.0
 serial restart-delay 0
 clock rate 64000
 crypto map vpn
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface FastEthernet2/0
 no ip address
 shutdown
 duplex half
!
ip route 0.0.0.0 0.0.0.0 Serial1/1
no ip http server
no ip http secure-server
!
logging alarm informational
access-list 100 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 stopbits 1
line aux 0
line vty 0 4
!
end
R2 configuration:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2-SPOKE
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip cef
!
multilink bundle-name authenticated
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 192.168.2.1
!
crypto ipsec transform-set net esp-des esp-md5-hmac
!
crypto map vpn 1 ipsec-isakmp
 set peer 192.168.2.1
 set transform-set net
 match address 100
!
interface Loopback0
 ip address 10.0.2.2 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface Serial1/0
 ip address 192.168.2.2 255.255.255.252
 serial restart-delay 0
 clock rate 64000
 crypto map vpn
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface FastEthernet2/0
 no ip address
 shutdown
 duplex half
!
ip route 0.0.0.0 0.0.0.0 Serial1/0
no ip http server
no ip http secure-server
!
logging alarm informational
access-list 100 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 stopbits 1
line aux 0
line vty 0 4
!
end
Testing: the session must be initiated from the client side!! Enable deb crypto isakmp and deb crypto ipsec on R1/R2 to make the session setup easy to observe.
R2-SPOKE# ping
Protocol [ip]:
Target IP address: 10.0.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.0.2.2
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.2.2
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 64/173/328 ms
R2-SPOKE#sh cry
R2-SPOKE#sh crypto sa
R2-SPOKE#sh crypto is
R2-SPOKE#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.2.1     192.168.2.2     QM_IDLE           1002    0 ACTIVE

IPv6 Crypto ISAKMP SA

R2-SPOKE#

If everything is working, this line will appear in the debug output:
*Aug 17 16:34:21.959: ISAKMP:(1001):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE

This shows that the session has been established correctly.
Of course, this is only a lab experiment. In real work the encryption algorithm needs to be stronger, and things like the isakmp lifetime should also be configured.
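As an added example (not part of the original post), here is the hub-side crypto section rewritten along the lines the author suggests for production: stronger algorithms, explicit lifetimes, and dead-peer detection so that an SA left behind when a branch's ADSL address changes is cleared quickly. The policy number 10, the transform-set name STRONG, the key placeholder and the DPD timers are my choices; the SHA-2 keywords and DH group 14 assume an IOS release newer than the 12.4 shown above (on 12.4 fall back to hash sha and esp-sha-hmac). The spoke must carry the identical policy and transform set, as the author notes.

```cisco
! Hub (R1) crypto section, hardened. Replaces the "policy 1" / "net" blocks above.
!
! --- before (lab) ---
! crypto isakmp policy 1            <- defaults: DES, DH group 1, 86400 s lifetime
!  authentication pre-share
! crypto ipsec transform-set net esp-des esp-md5-hmac
!
! --- after ---
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
!
! The wildcard key is unavoidable because the spoke address is dynamic (ADSL):
! any peer holding this key can open phase 1, so use a long random value and
! rotate it. <HUB-SPOKE-PSK> is a placeholder, not a real key.
crypto isakmp key <HUB-SPOKE-PSK> address 0.0.0.0 0.0.0.0
!
! Dead-peer detection: probe every 10 s, retry every 3 s, so a stale SA from a
! branch whose dynamic address changed does not linger until the lifetime expires.
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set STRONG esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto dynamic-map tedmap 1
 set transform-set STRONG
 set pfs group14
 set security-association lifetime seconds 3600
 match address 100
!
! Unchanged from the lab: the dynamic map is attached with TED discovery.
crypto map vpn 1 ipsec-isakmp dynamic tedmap discover
```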