通信人家园

标题: [原创] [查看完整版帖子] [打印本页]

时间: 2007-8-18 09:40

作者: liuguo_hello 标题: [原创]

VPN配置简单说明书一、 IKE协商的阶段简单描述：
IKE协商可以和TCP的三次握手来类比，只不过IKE协商要比TCP的三次握手要复杂一些，IKE协商采用的UDP报文格式，默认端口是500，在主模式下，一个正常的IKE协商过程需要经过9个报文的来回，才最终建立起通信双方所需要的IPSec SA，然后双方利用该SA就可以对数据流进行加密和解密。下面结合简单描述一下协商的过程。 假设A和B进行通信，A作为发起方，A发送的第一个报文内容是本地所支持的IKE的策略（即下面所提到的

olicy），该policy的内容有加密算法、hash算法、D-H组、认证方式、SA的生存时间等5个元素。这5个元素里面值得注意的是认证方式，目前采用的主要认证方式有预共享和数字证书。在简单的VPN应用中，一般采用预共享方式来认证身份。在本文的配置中也是以预共享为例来说明的。可以配置多个策略，对端只要有一个与其相同，对端就可以采用该policy，并在第二个报文中将该policy发送回来，表明采用该policy为后续的通信进行保护。第三和第四个报文是进行D-H交换的D-H公开值，这与具体的配置影响不大。在完成上面四个报文交换后，利用D-H算法，A和B就可以协商出一个公共的秘密，后续的密钥都是从该秘密衍生出来的。第五和第六个报文是身份验证过程，前面已经提高后，有两种身份验证方式——预共享和数字证书，在这里，A将其身份信息和一些其他信息发送给B，B接受到后，对A的身份进行验证，同时B将自己的身份信息也发送给A进行验证。采用预共享验证方式的时候，需要配置预共享密钥，标识身份有两种方式，其一是IP地址，其二是主机名（hostname）。在一般的配置中，可以选用IP地址来标识身份。完成前面六个报文交换的过程，就是完成IKE第一阶段的协商过程。如果打开调试信息，会看到IKE SA Establish（IKE SA已经建立），也称作主模式已经完成。 IKE的第二阶段是快速模式协商的过程。该模式中的三个报文主要是协商IPSec SA，利用第一阶段所协商出来的公共的秘密，可以为该三个报文进行加密。在配置中，主要涉及到数据流、变换集合以及对完美前向保护（

FS）的支持。在很多时候，会发现IKE SA已经建立成功，但是IPSec SA无法建立起来，这时最有可能的原因是数据流是否匹配（A所要保护的数据流是否和B所保护的数据流相对应）、变换集合是否一致以及pfs配置是否一致。 二、 IKE、IPSec配置基本步骤 1．配置IKE 策略（policy） policy就是上图中的IKE策略。

olicy里面的内容有hash算法、加密算法、D-H组、生存时间。可以配置多个policy，只要对端有一个相同的，双方就可以采用该policy，不过要主要policy中的认证方式，因为认证方式的不同会影响后续的配置不同。一般采用预共享（preshare）。在目前的安全路由器和VPN3020上的实现上都有默认的配置选项，也就是说如果你新增加一条策略后，即使什么都不配置，退出后，也会有默认值的。 2．配置预共享密钥（preshare） 在配置预共享密钥的时候，需要选择是IP地址还是Hostname来标识该密钥，如果对端是IP地址标识身份，就采用IP地址来标识密钥；如果对端是Hostname来标识身份，则采用hostname来标识密钥。 3．配置本端标识（localid） 本端标识有IP地址和Hostname，在安全路由器上，默认的是用IP地址来标识。即不配置本端标识，就表示是用IP地址来标识。 以上三个步骤就完成IKE的配置，以下是IPSec的配置： 4．配置数据流（access-list） 很容易理解，部署任何VPN都需要对数据流所限制，不可能对所有的数据流都进行加密（any to any）。配置好数据流后，在加密映射（map）中引用该数据流。 5．配置变换集合（transform-set） 变换集合是某个对等方能接受的一组IPSec协议和密码学算法。双方只要一致即可。注意，在VPN3020和带加密模块的安全路由器上支持国密办的SSP02算法。 6．配置加密映射（map） 为IPSec创建的加密映射条目使得用于建立IPSec安全联盟的各个部件协调工作，它包括以下部分： l 所要保护的数据流（引用步骤4所配置的数据流） l 对端的IP地址（这个是必须的，除非是动态加密映射，见本文后面的章节） l 对所要保护的数据流采用什么加密算法和采用什么安全协议（引用步骤5所配置的变换集合） l 是否需要支持

FS（双方要一致） l SA的生存时间（是可选的，不配置的话有默认值） 7．应用（激活）加密映射 在安全路由器上是将该加密映射应用到接口上去，而在VPN3020上是激活（active）该map。 三、 动态加密映射技术 目前，安全路由器系列和VPN系列均支持动态加密映射。什么是动态加密映射？动态加密映射所应用的环境是什么呢？我们可以从以下的一个案例中来说明动态加密映射的概念。如下图：<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;"> <span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">在上图的网络拓扑中，<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">MP803<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">接入<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">Internet<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">的并不是宽带接入（固定<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">IP<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">地址），而是在通过电信<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">ADSL<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">拨号来获取到<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">IP<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">地址，不是固定的<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">IP<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">地址。这时候，对于上端<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">MP2600A<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">来说，就存在问题了，回想一下前面所描述的配置步骤，在步骤六中配置加密映射的时候，需要配置对端的<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">peer IP<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">地址，这时候怎么办呢？或许您想到<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">——<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">那我每次拨号获取到<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">IP<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">地址后，再在两端来配置<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">IPSec——<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">这种解决办法是<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">OK<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">的，只要客户或者您自己容忍每次<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">MP803<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">重新拨号后，您重新去更改配置。显然，这样方法充其量只能用来测试的。<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;"> <span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">动态加密映射就是用来解决这类问题的。顾名思义，动态加密映射，就是说，在配置加密映射的时候，不需要配置对端的<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">peer IP<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">地址。目前，安全路由器和<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">VPN<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">系列都支持动态加密映射，但由于两者实现上的差异，导致他们在配置动态加密映射的时候存在一些不同，在后文的实际配置案例中会讲到。<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">

时间: 2007-8-18 09:40

作者: liuguo_hello

四、 NAT穿越略述 NAT穿越是指在两台VPN网关之间的还存在NAT设备，从原理来说，NAT和IPSec存在一定的矛盾。主要体现两点：NAT更改了IP数据包的IP源地址或者目的地址，这与IPSec协议中的AH认证头协议存在不可调和的矛盾，因此如果IPSec报文需要穿越NAT设备的话，在配置变换集合的时候就不能选用AH协议（目前，由于ESP协议也提供验证功能，AH使用很少）；第二点是NAT设备的端口地址转换是针对TCP/UDP/ICMP等协议。对于ESP协议，没有相应的处理机制。具体详细资料请查看IETF的草案。此外，NAT穿越目前还没有国际标准，公司在国内率先实现了NAT穿越功能。目前，公司的安全路由器、VPN3020等都已经实现了NAT穿越。 NAT穿越对于路由器和VPN3020上的配置没有任何的改变。目前，公司的北京办和总部的互联的两台路由器建立隧道就是穿越了NAT。 五、 实际配置案例 案例1：路由器与路由器互通 网络拓扑如图所示： 网络拓扑1需求：两台MP2600路由器，都有固定的公网IP地址，现在需要构建VPN，保护在两台路由器后面的网络。使

C1能够访问到

时间: 2007-8-18 09:41

作者: liuguo_hello

//步骤六:配置加密映射,将各种组件联系在一起 crypto map map1 1 ipsec-isakmp match address 1001 //引用步骤4所配置的数据流 set peer <chsdate wst="on" isrocdate="False" islunardate="False" day="30" month="12" year="1899">2.2.2</chsdate>.2 set transform-set tr1 //引用步骤5所配置的变化集合 set security-association lifetime seconds 28800 set security-association lifetime kilobytes 4608000 exitinterface loopback0 exitinterface fastethernet0 ip address <chsdate wst="on" isrocdate="False" islunardate="False" day="30" month="12" year="1899">1.1.1</chsdate>.3 255.255.255.0 //步骤七:将加密映射应用到接口上去. crypto map map1 exitinterface ethernet0 ip address 192.168.1.1 255.255.255.0 exitip route <chsdate wst="on" isrocdate="False" islunardate="False" day="30" month="12" year="1899">0.0.0</chsdate>.0 0.0.0.0 1.1.1.1//步骤1：配置IKE的policy crypto isakmp policy 1 encryption des hash sha authentication pre-share group 1 lifetime 86400 exit//步骤2:配置预共享密钥,此处配置的是对端VPN网关的IP地址. crypto isakmp key maipu address <chsdate wst="on" isrocdate="False" islunardate="False" day="30" month="12" year="1899">2.2.2</chsdate>.2 ======================================================= MP2600B ======================================================= MP2600B#sh running-<place wst="on"><placename wst="on">config</placename>  <placetype wst="on">Building</placetype></place> Configuration...doneCurrent configuration...version <chsdate wst="on" isrocdate="False" islunardate="False" day="30" month="12" year="1899">2.24.8</chsdate> hostname MP2600B user faint password 0 faint enable password [WOWWWNXSX encrypt no service password-encrypt no service enhanced-secure ip tcp timestamp//该数据流与MP<chmetcnv wst="on" tcsc="0" numbertype="1" negative="False" hasspace="False" sourcevalue="2600" unitname="a">2600A</chmetcnv>的数据流相对应。 ip access-list extended 1001 permit ip 192.168.2.0 <chsdate wst="on" isrocdate="False" islunardate="False" day="30" month="12" year="1899">0.0.0</chsdate>.255 192.168.1.0 0.0.0.255  exitcrypto ipsec transform-set tr1 esp-des esp-md5-hmac mode tunnel exit<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">crypto map map1 1 ipsec-isakmp match address 1001 set peer <chsdate wst="on" isrocdate="False" islunardate="False" day="30" month="12" year="1899">1.1.1</chsdate>.3 set transform-set tr1  set security-association lifetime seconds 28800

时间: 2007-8-18 09:42

作者: liuguo_hello

set security-association lifetime kilobytes 4608000 exit interface loopback0 exitinterface fastethernet0 ip address <chsdate wst="on" isrocdate="False" islunardate="False" day="30" month="12" year="1899">2.2.2</chsdate>.2 255.255.255.0 crypto map map1 exitinterface ethernet0 ip address 192.168.2.1 255.255.255.0 exitinterface serial0 physical-layer sync encapsulation hdlc exitinterface serial2 physical-layer sync encapsulation hdlc exitip route <chsdate wst="on" isrocdate="False" islunardate="False" day="30" month="12" year="1899">0.0.0</chsdate>.0 0.0.0.0 2.2.2.1//与MP<chmetcnv wst="on" tcsc="0" numbertype="1" negative="False" hasspace="False" sourcevalue="2600" unitname="a">2600A</chmetcnv>的policy至少有一个相同 crypto isakmp policy 1 encryption des hash sha authentication pre-share group 1 lifetime 86400 exit crypto isakmp key maipu address <chsdate wst="on" isrocdate="False" islunardate="False" day="30" month="12" year="1899">1.1.1</chsdate>.3 路由器上的调试命令： 如果是telnet登录到路由器上，执行ter monitor命令。然后打开调试开关 debug crypto isakmp normal就能够看到IKE的协商过程和调试信息，从调试信息中可以获取到协商到那个阶段，由于那些问题而协商失败。 以下是两端成功的协商信息。
注意：如果中途协商失败，两端需要执行clear crypto sa命令来清除当前SA的状态以便于重新协商。 几个与IPSec相关的show命令： show crypto isakmp policy：查看路由器上已经配置了那些policy； show crypto isakmp connection ：查看路由器上已经存在的isakmp 连接数； show crypto isakmp identity：查看路由器上的身份标识方式； show crypto ipsec sa；查看路由器上已经存在的IPSec SA；该命令比较重要，有时候通过该命令来判断IPSec SA是否已经建立成功。 Show crypto ipsec transform-set：查看路由器上已经配置的变换集合。 案例2：路由器与路由器之动态加密映射 网络拓扑如图所示： 网络拓扑2 下面简单说明其配置步骤： IKE的配置与前述的配置步骤一样，主要是IPSec的配置有些差异。动态加密映射是不需要配置所要保护的数据流。因此，步骤四：配置变换集合；步骤五：配置动态加密映射（在路由器上的命令是：crypto dynamic-map）；步骤六：配置一个静态加密映射，将其与动态加密映射关联起来；步骤七：在接口上应用步骤六中配置的静态加密映射，此处不能也无法应用动态加密映射； 配置规划：MP803所挂接的局域网当需要和总部通信的时候（源：192.168.2.0/24；目的：192.168.1.0/24），应该走VPN隧道，这也是我们要保护的数据流，对于其他的数据流，例如局域网中的主机上网的数据流，应该是走NAT（源：192.168.2.0/24；目的：any），很明显，这两个数据流是包含的关系，路由器的处理顺序是先进行NAT转换，到了接口后再匹配VPN隧道。因此在配置NAT的数据流的时候，先要deny掉该上总部内网的数据流。 具体配置脚本： ================================================================= MP803：ADSL拨号，同时实现上网和走NAT ================================================================= hostname MP803 enable password [WOWWWNXSX encrypt no service password-encrypt no service enhanced-secure ip tcp timestamp//定义要保护的数据流 ip access-list extended 1001 permit ip 192.168.2.0 <chsdate wst="on" isrocdate="False" islunardate="False" day="30" month="12" year="1899">0.0.0</chsdate>.255 192.168.1.0 0.0.0.255  exit//定义该数据流走NAT上网，为了避免走内网的数据流也“上网”去了， //先deny该数据流 ip access-list extended 1002 deny ip 192.168.2.0 <chsdate wst="on" isrocdate="False" islunardate="False" day="30" month="12" year="1899">0.0.0</chsdate>.255 192.168.1.0 0.0.0.255 permit ip 192.168.2.0 0.0.0.255 any exit  dialer-list 1 protocol ip permit//配置NAT ip nat inside source list 1002 interface dialer0 overload<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;"> crypto isakmp policy 1 encryption des

时间: 2007-8-18 09:42

作者: liuguo_hello

hash sha  authentication pre-share group 2 lifetime 28800 exitcrypto isakmp key maipu address <chsdate wst="on" isrocdate="False" islunardate="False" day="30" month="12" year="1899">1.1.1</chsdate>.3crypto ipsec transform-set tr1 esp-des ah-md5-hmac mode tunnel exitcrypto map map1 1001 ipsec-isakmp match address 1001 set peer <chsdate wst="on" isrocdate="False" islunardate="False" day="30" month="12" year="1899">1.1.1</chsdate>.3 set transform-set tr1  set security-association lifetime seconds 28800 set security-association lifetime kilobytes 4608000 exitinterface loopback0 exit //拨号配置，map是应用到本虚拟接口 interface dialer0 ip address negotiated dialer pool 1 dialer-group 1 encapsulation ppp ppp pap sent-username 01234mp@169 password 01234mp mtu 1492 ip nat outside crypto map map1 exitinterface fastethernet0 ip address 192.168.2.1 255.255.255.0 ip nat inside exit//物理接口配置 interface atm0 pvc 1/33 encapsulation aal5snap pppoe-client dial-pool-number 1 no ip route-cache no cdp enable exit ip route <chsdate wst="on" isrocdate="False" islunardate="False" day="30" month="12" year="1899">0.0.0</chsdate>.0 0.0.0.0 dialer0 ======================================================= MP<chmetcnv wst="on" tcsc="0" numbertype="1" negative="False" hasspace="False" sourcevalue="2600" unitname="a">2600A</chmetcnv>：配置动态加密映射 ======================================================= MP<chmetcnv wst="on" tcsc="0" numbertype="1" negative="False" hasspace="False" sourcevalue="2600" unitname="a">2600A</chmetcnv>#sh running-config  Building Configuration...doneCurrent configuration...version <chsdate wst="on" isrocdate="False" islunardate="False" day="30" month="12" year="1899">2.24.8</chsdate> hostname MP<chmetcnv wst="on" tcsc="0" numbertype="1" negative="False" hasspace="False" sourcevalue="2600" unitname="a">2600A</chmetcnv> enable password [WOWWWNXSX encrypt no service password-encrypt no service enhanced-secure ip tcp timestamp //步骤四:配置变换集合,定义数据加密所使用的算法和安全协议 crypto ipsec transform-set tr1 esp-des esp-md5-hmac mode tunnel exit//步骤五:配置动态加密映射 crypto dynamic-map dmap1 1 ipsec-isakmp set transform-set tr1  set security-association lifetime seconds 28800 set security-association lifetime kilobytes 4608000 exit//步骤六:配置静态加密映射，与该动态加密映射关联起来 crypto map map1 1 ipsec-isakmp dynamic-map dmap1interface fastethernet0 ip address <chsdate wst="on" isrocdate="False" islunardate="False" day="30" month="12" year="1899">1.1.1</chsdate>.3 255.255.255.0 //步骤七:将静态加密映射应用到接口上去. crypto map map1 exitinterface ethernet0 ip address 192.168.1.1 255.255.255.0 exitip route <chsdate wst="on" isrocdate="False" islunardate="False" day="30" month="12" year="1899">0.0.0</chsdate>.0 0.0.0.0 1.1.1.1

时间: 2007-8-18 09:43

作者: liuguo_hello

C1能够访问到

C2。 规划：使用IKE自动协商密钥，policy的参数设置，加密算法为des、验证算法为md5，认证方式为预共享、D-H组为group 1；身份标识为IP地址，以IP地址作来标识预共享密钥；变换集合参数设置，隧道模式为tunnel、协议-算法为esp-des、esp-md5；启用pfs，group组为group2。 配置注意事项： ü 避免配置所要保护的数据流为any到any。首先是在实际使用过程中，不会有这样的需求，其次，这样会让很多本来不需要加密的通信无法通信。并且，VPN3020上目前也不支持配置的数据流为any到any。 ü VPN3020本身带有FW520的所有功能，其默认转发策略是deny，因此，需要打开其策略。避免内网的数据无法通过VPN访问外面。 ü 由于VPN3020实现上的一个缺陷，使得在每次更改接口的IP地址的时候，需要重起IPSec服务（不是重起设备），而重起IPSec服务会造成有关IPSec的配置都丢失，因此，或者在配置好接口地址后，重起IPSec的服务，进行IPSec的配置；或者将IPSec的配置copy到记事本上，然后重起IPSec服务后，粘贴进去。 配置完成或者更改后，需要激活加密映射（用active map命令） 具体配置脚本： ================================================= VPN_A ================================================= Building configuration... ! system setting configure terminal hostname VPN_A enable password 0 mpsec mode route interface trusted ip 192.168.1.1/255.255.255.0 interface untrusted ip <chsdate wst="on" isrocdate="False" islunardate="False" day="30" month="12" year="1899">1.1.1</chsdate>.3/255.255.255.0 ip route 0.0.0.0/0.0.0.0 1.1.1.1 service sshd web port 443 web idle enable web idle 999 service web end ! log config configure log logging user stop logging delete all end ! firewall config configure firewall firewall log start dnat policy permit snat policy permit ldnat policy permit access-list policy input permit //默认转发策略是permit access-list policy forward permit access-list policy output permit srr filter enable end ! vpn config configure vpn //启动IPSec服务 service ipsec //进入ipsec模式 ipsec//步骤四:配置访问列表，定义要保护的数据流 access-list add ac1 permit protocol ip 192.168.1.0/255.255.255.0 192.168.2.0/255.255.255.0 commit//步骤五：配置变换集合，定义所使用的加密算法和安全协议 transform add tr1 tunnel esp-des esp-md5-hmac<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">//<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">步骤六：配置加密映射，将各个组件组合在一起。<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;"> map add map1 untrusted isakmp match /ac1 //<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">引用步骤四中的定义的数据流<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;"> transform tr1 //<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">引用步骤五中的定义的变换集合<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;"> peer <chsdate wst="on" isrocdate="False" islunardate="False" day="30" month="12" year="1899">2.2.2</chsdate>.2

时间: 2007-8-18 09:43

作者: liuguo_hello

life time 28800 life bytes 4608000 pfs 2 //配置支持完美前向保护 commit exit//进入IKE模式 ike//步骤一：配置IKE的policy policy add 1 authentication pre-share encryption des hash md5 group 2 lifetime 28800 commit//步骤二:配置预共享密钥 key preshare ip <chsdate wst="on" isrocdate="False" islunardate="False" day="30" month="12" year="1899">2.2.2</chsdate>.2 keystring maipu//步骤三:配置本地标识 localid ip <chsdate wst="on" isrocdate="False" islunardate="False" day="30" month="12" year="1899">1.1.1</chsdate>.3 exit//步骤七；启用该map active map map1 end ! user config -----以下的配置略================================================= VPN_B ================================================= Building configuration... ! system setting configure terminal hostname VPN_B enable password 0 mpsec mode route interface trusted ip 192.168.2.1/255.255.255.0 interface untrusted ip <chsdate wst="on" isrocdate="False" islunardate="False" day="30" month="12" year="1899">2.2.2</chsdate>.2/255.255.255.0 ip route 0.0.0.0/0.0.0.0 2.2.2.1 service sshd web port 443 web idle enable web idle 999 service web end ! log config configure log logging user stop logging delete all end ! firewall config configure firewall firewall log start dnat policy permit snat policy permit ldnat policy permit access-list policy input permit access-list policy forward permit access-list policy output permit srr filter enable end ! vpn config configure vpn service ipsec ipsec//步骤四:配置访问列表，定义要保护的数据流，与VPN_A所定义的数据流相对应 access-list add ac1 permit protocol ip 192.168.2.0/255.255.255.0 192.168.1.0/255.255.255.0 committransform add tr1 tunnel esp-des esp-md5-hmac map add map1 untrusted isakmp match /ac1  transform tr1  peer <chsdate wst="on" isrocdate="False" islunardate="False" day="30" month="12" year="1899">1.1.1</chsdate>.3 life time 28800 life bytes 4608000 pfs 2  commit exit ike policy add 1 authentication pre-share encryption des hash md5 group group_modp1024 lifetime 28800 commit//步骤二:配置预共享密钥 key preshare ip <chsdate wst="on" isrocdate="False" islunardate="False" day="30" month="12" year="1899">1.1.1</chsdate>.3 keystring maipu localid ip 2.2.2.2 exit active map map1 end ! user config -----以下的配置略 VPN3020上的调试命令： 目前，VPN3020上没有给用户使用的调试命令，只能通过一些show信息来查看IKE协商的情况。 show ipsec sa：查看已经建立的IPSec SA信息 show ipsec status：查看当前的IPSec 的状态，如果IPSec SA已经建立，有IPSec SA establish的信息。 案例4：VPN与VPN、路由器之动态加密映射 网络拓扑如图所示：<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;"> <span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">需求：中心是一台<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">VPN3020<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">，有两个网点其中一台是<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">vpn3020<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">（或者是<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">vpn3005<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">，两者的配置是一样的），另一个网点是<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">mp803<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">路由器。接入都是动态接入，电信<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">ADSL<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">接入。<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">MP803<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">可以直接拨号，而<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">VPN3020<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">（或者<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">VPN3005<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">）只有以太口，因此，前面要放置一台<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">ADSL modem<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">，才能够进行<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">

PPoE<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">拨号。现在要求是两个网点所挂接两个网络能够访问中心<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">VPN3020<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">后面所挂接的网络（<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">

C2<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">）。<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;"> <span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">规划：一些具体的<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">IKE<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">、<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">IPSec<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">协商的参数在这里略去。这里重点说明中心<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">VPN<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">（<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">VPN_A<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">）上面的规划，中心可以只配置一个动态的<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">map<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">，数据流源地址为<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">192.168.1.0/24<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">，目的地址为<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">any<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">（注意，不要配置成<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">any <span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">到<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">any<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">），下端的<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">VPN_B<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">的数据流为源地址为<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">192.168.2.0/24 <span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">目的地址为<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">192.168.1.0/24<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">；下端的<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">MP803<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">的数据流为源地址为<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">192.168.3.0/24<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">，目的地址为<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">192.168.1.0/24<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">。<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;"> <span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">具体配置脚本：<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">  =================================================================

时间: 2007-8-18 09:44

作者: liuguo_hello

MP803：ADSL拨号，同时实现上网和走NAT ================================================================= hostname MP803 enable password [WOWWWNXSX encrypt no service password-encrypt no service enhanced-secure ip tcp timestamp//定义要保护的数据流 ip access-list extended 1001 permit ip 192.168.3.0 <chsdate wst="on" isrocdate="False" islunardate="False" day="30" month="12" year="1899">0.0.0</chsdate>.255 192.168.1.0 0.0.0.255  exit//定义该数据流走NAT上网，为了避免走内网的数据流也“上网”去了， //先deny该数据流 ip access-list extended 1002 deny ip 192.168.3.0 <chsdate wst="on" isrocdate="False" islunardate="False" day="30" month="12" year="1899">0.0.0</chsdate>.255 192.168.1.0 0.0.0.255 permit ip 192.168.3.0 0.0.0.255 any exit  dialer-list 1 protocol ip permit//配置NAT ip nat inside source list 1002 interface dialer0 overload crypto isakmp policy 1 encryption des hash sha  authentication pre-share group 2 lifetime 28800 exitcrypto isakmp key maipu address <chsdate wst="on" isrocdate="False" islunardate="False" day="30" month="12" year="1899">1.1.1</chsdate>.3crypto ipsec transform-set tr1 esp-des esp-md5-hmac mode tunnel exitcrypto map map1 1001 ipsec-isakmp match address 1001 set peer <chsdate wst="on" isrocdate="False" islunardate="False" day="30" month="12" year="1899">1.1.1</chsdate>.3 set transform-set tr1  set security-association lifetime seconds 28800 set security-association lifetime kilobytes 4608000 exitinterface loopback0 exit //拨号配置，map是应用到本虚拟接口 interface dialer0 ip address negotiated dialer pool 1 dialer-group 1 encapsulation ppp ppp pap sent-username 01234mp@169 password 01234mp mtu 1492 ip nat outside crypto map map1 exitinterface fastethernet0 ip address 192.168.3.1 255.255.255.0 ip nat inside exit//物理接口配置 interface atm0 pvc 1/33 encapsulation aal5snap pppoe-client dial-pool-number 1 no ip route-cache no cdp enable exit ip route <chsdate wst="on" isrocdate="False" islunardate="False" day="30" month="12" year="1899">0.0.0</chsdate>.0 0.0.0.0 dialer0 ================================================================= VPN_B：

PPoE拨号，同时实现上网和走NAT ================================================================= configure terminal hostname VPN_B enable password 7 Z2wdXYed9yoyw mode route interface trusted ip 192.168.2.1/255.255.255.0 service sshd web port 443 web idle enable web idle 10 service web end ! log config configure log logging user stop logging delete all logging user delete all end ! firewall config configure firewall firewall log start dnat policy permit snat policy permit ldnat policy permit//对于走VPN的数据流，避免让其走SNAT出去 snat add any 192.168.2.0/24 192.168.1.0/24 any filter /snat1 log permit //对于其他的数据流，都让其走SNAT出去 snat add masquerade pppoe 192.168.2.0/24 any /snat2 logaccess-list policy input permit access-list policy forward permit access-list policy output permit access-list state input enable access-list state forward enable access-list state output enable srr filter enable end ! vpn config configure vpn service ipsec//启动service dynamic，表示本端为动态获取IP地址 service dynamic interface pppipsec //定义所要保护的数据流 access-list add /ac1 permitprotocol ip 192.168.2.0/255.255.255.0 192.168.1.0/255.255.255.0 commit//定义变换集合 transform add tr1 tunnel esp-des esp-md5-hmac//配置加密映射，注意此处选择关键字是dynamic map add map1 dynamic isakmp //引用所定义的访问列表 match /ac1 //引用所定义的变换集合 transform tr1peer <chsdate wst="on" isrocdate="False" islunardate="False" day="30" month="12" year="1899">1.1.1</chsdate>.3 life time 86600 life bytes 4608000 pfs 2 commit exit<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;"> ike //<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">定义<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">IKE<span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体; mso-ascii-font-family: "Times New Roman"; mso-hansi-font-family: "Times New Roman"; mso-font-kerning: 1.0pt; mso-bidi-font-family: "Times New Roman"; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">的<span lang="EN-US" style="FONT-SIZE: 9pt; FONT-FAMILY: "Times New Roman"; mso-fareast-font-family: 宋体; mso-font-kerning: 1.0pt; mso-ansi-language: EN-US; mso-fareast-language: ZH-CN; mso-bidi-language: AR-SA;">policy policy add 1 authentication pre-share

时间: 2007-8-18 09:44

作者: liuguo_hello

encryption des hash sha group 2 lifetime 28800 commit//配置预共享密钥 key preshare ip <chsdate wst="on" isrocdate="False" islunardate="False" day="30" month="12" year="1899">1.1.1</chsdate>.3 keystring maipu exit //激活map active map map1 end----中间的配置略! pppoe client config configure pppoeclient //绑定到出口，即从那个接口进行拨号 bind untrusted //配置上端需要认证的用户名和密码 authuser test_name pass test_name //开始进行拨号，完成该命令后用show ip route或者show interface //能够看到

PP链路已经建立成功 pppoe start end---后面的配置略================================================================= VPN_A：中心的VPN ================================================================= ! system setting configure terminal hostname VPN_A enable password 0 mpsec mode route interface trusted ip 192.168.1.1/255.255.255.0 interface untrusted ip <chsdate wst="on" isrocdate="False" islunardate="False" day="30" month="12" year="1899">1.1.1</chsdate>.3/255.255.255.0 ip route 0.0.0.0/0.0.0.0 1.1.1.1 service sshd web port 443 web idle enable web idle 999 service web end ! log config configure log logging user stop logging delete all end ! firewall config configure firewall firewall log start dnat policy permit snat policy permit ldnat policy permit access-list policy input permit //默认转发策略是permit access-list policy forward permit access-list policy output permit srr filter enable end ! vpn configconfigure vpn //启动IPSec服务 service ipsec //进入ipsec模式 ipsec//步骤四:配置访问列表，定义要保护的数据流 access-list add ac1 permit protocol ip 192.168.1.0/255.255.255.0 any commit//步骤五：配置变换集合，定义所使用的加密算法和安全协议 transform add tr1 tunnel esp-des esp-md5-hmac//步骤六：配置加密映射，将各个组件组合在一起。 map add map1 untrusted isakmp //引用步骤四中的定义的数据流 match /ac1 //引用步骤五中的定义的变换集合  transform tr1  peer <chsdate wst="on" isrocdate="False" islunardate="False" day="30" month="12" year="1899">0.0.0</chsdate>.0 life time 28800 life bytes 4608000 //配置完美前向保护 pfs 2  commit exit//进入IKE模式 ike//步骤一：配置IKE的policy policy add 1 authentication pre-share encryption des hash md5 group 2 lifetime 28800 commit//步骤二:配置预共享密钥 key preshare ip <chsdate wst="on" isrocdate="False" islunardate="False" day="30" month="12" year="1899">0.0.0</chsdate>.0 keystring maipu//步骤三:配置本地标识 localid ip <chsdate wst="on" isrocdate="False" islunardate="False" day="30" month="12" year="1899">1.1.1</chsdate>.3 exit//步骤七；启用该map active map map1 end ! user config -----以下的配置略配置总结 常见的配置失误： 1． 现象：一端发起协商后，另一端没有任何响应。 可能的原因： ü 检查发起协商的数据流是否匹配所定义的要保护的数据流； ü 检查路由器上是否有默认路由或者到远端局域网段的路由； ü 检查加密映射（map）是否已经应用到接口上去； ü 检查两端的peer地址是否配置正确，确保两个VPN网关本身能够互通； ü 检查预共享密钥是否已经配置； ü 如果发起协商的一端是路由器，对端是VPN3020，检查是否配置了crypto isakmp peer ip-address A.B.C.D，该命令的含义是以野蛮模式发起协商，而目前VPN3020上尚不支持野蛮模式。 ü 如果其中有台VPN设备是VPN3020，确保在配置的时候是先配置了接口地址，然后启动service ipsec命令的，见案例3中的配置注意事项。2． 现象：IKE SA（又称第一阶段主模式）协商不成功 可能的原因： ü 检查两端是否有一致的policy，如果规划使用预共享认证方式，确保双方一致的policy中的认证方式为预共享； ü 预共享密钥是否配置是否一致；3． 现象：IKE SA协商成功了，但是快速模式协商不成功，IPSec SA无法建立 可能的原因： ü 两端的是否有一致的变化集合； ü 两端的所要保护的数据流是否相对应； ü 两端的完美前向保护参数（pfs）是否一致；4． 现象：IPSec SA已经建立成功，但是两边的局域网中两台主机不通。 可能的原因：（这时候已经与IPSec本身没有多大关系了） ü 主机上是否已经配置网关，该网关指向路由器的一个接口； ü 检查两台主机上是否启用了防火墙过滤之类的软件； ü 数据流在Internet上是否已经穿越了NAT（基本可以从路由器出口的地址是否为公网地址来确定）

通信人家园 (https://www.txrjy.com/)