笔记：CCNAS_ PTA_Site-to-Site-IPsec-VPN

一、实验环境

实验拓扑

地址规划

ISAKMP第一阶段安全参数

//对照isakmp命令视图

R1(config)#crypto isakmp policy 10
R1(config-isakmp)#?
authentication 	Set authentication method for protection suite
                      设置认证方法--< pre-share/Pre-Shared Key>
encryption 		Set encryption algorithm for protection suite
                      设置加密算法--<3des/des/aes>
Exit				 Exit from ISAKMP protection suite configuration mode
                      退出ISAKMP配置模式
group 			Set the Diffie-Hellman group
                      设置Diffie-Hellman组--<1/2/5>
hash 			Set hash algorithm for protection suite
                      配置哈希算法--<md5/sha>
lifetime 			Set lifetime for ISAKMP security association
                      设置ISAKMP生存期-- <60-86400>

IPsec第二阶段安全参数

实验要点

· Verify connectivity throughout the network.
·验证整个网络的连接性。
· Configure router R1 to support a site-to-site IPsec VPN with R3.
·配置路由器R1，用R3支持站点到站点的IPsec VPN。

二、实验过程

1. Configure ACL 110 to identify the traffic from the LAN on R1 to the LAN on R3 as interesting.
This interesting traffic will trigger the IPsec VPN to be implemented whenever there is traffic between R1 to R3 LANs.
//翻译很奇怪)，大概意思就是在VPN两端R1.R3配置一个ACL 110，识别允许通过本机为数据源、对端为目标的数据流，这样就可以匹配ACL的数据触发Ipsec的加密

R1(config)#access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
R3(config)#access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

2. Configure the crypto ISAKMP policy 10 properties on R1 along with the shared crypto key vpnpa55.Refer to the ISAKMP Phase 1 table for the specific parameters to configure.Default values do not have to be configured therefore only the encryption, key exchange method, and DH method must be configured.
//在R1上配置加密ISAKMP策略policy 10以及共享加密密钥vpnpa55。有关要配置的特定参数，请参阅ISAKMP阶段1表。不必配置默认值，因此仅必须配置加密，密钥交换方法和DH方法

R1(config)#crypto isakmp policy 10 
R1(config-isakmp)#encryption aes
R1(config-isakmp)#hash sha
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#lifetime 86400
R1(config-isakmp)#exit
R1(config)#crypto isakmp key vpnpa55 address 10.2.2.2

3. Create the transform-set VPN-SET to use esp-3des and esp-sha-hmac.Then create the crypto map VPN-MAP that binds all of the Phase 2 parameters together.Use sequence number 10 and identify it as an ipsec-isakmp map.
//创建转换集 VPN-SET 以使用 esp-3des 和 esp-sha-hmac。然后创建将所有第2阶段参数绑定在一起的加密映射VPN-MAP。使用序列号10并将其标识为ipsec-isakmp映射。

R1(config)#crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
R1(config)#crypto map VPN-MAP 10 ipsec-isakmp 
R1(config-crypto-map)#match address 110
R1(config-crypto-map)#set peer 10.2.2.2
R1(config-crypto-map)#set peer 10.1.1.2
R1(config-crypto-map)#set transform-set VPN-SET
R1(config-crypto-map)#exit

4. Configure the crypto map on the outgoing interface. Finally, bind the VPN-MAP crypto map to the outgoing Serial 0/0/0 interface.
//在传出接口上配置加密映射。将VPN-MAP加密映射绑定到输出的串行0/0/0接口。

R1(config)#interface serial 0/0/0
R1(config-if)#crypto map VPN-MAP
*Jan  3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

5. Configure the ISAKMP Phase 1 properties on R3.Configure the crypto ISAKMP policy 10 properties on R3 along with the shared crypto key vpnpa55.
//在R3上配置加密ISAKMP policy 10属性以及共享加密密钥vpnpa55

R3(config)#crypto isakmp policy 10
R3(config-isakmp)#encryption aes
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#group 2
R3(config-isakmp)#lifetime 86400
R3(config-isakmp)#exit
R3(config)#crypto isakmp key vpnpa55 address 10.1.1.2

6. create the transform-set VPN-SET to use esp-3des and esp-sha-hmac.Then create the crypto map VPN-MAP that binds all of the Phase 2 parameters together.Use sequence number 10 and identify it as an ipsec-isakmp map.
//创建转换集VPN-SET 以使用esp-3des和esp-sha-hmac。然后创建将所有第2阶段参数绑定在一起的加密映射VPN-MAP。使用序列号10并将其标识为ipsec-isakmp 映射。

R3(config)#crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac 
R3(config)#crypto map VPN-MAP 10 ipsec-isakmp
R3(config-crypto-map)#match address 110
R3(config-crypto-map)#set peer 10.1.1.2
R3(config-crypto-map)#set peer 10.2.2.2
R3(config-crypto-map)#set transform-set VPN-SET
R3(config-crypto-map)#exit

7. Configure the crypto map on the outgoing interface.Finally, bind the VPN-MAP crypto map to the outgoing Serial 0/0/1 interface.
//将VPN-MAP加密映射绑定到传出的Serial 0/0/1接口

R3(config)#interface s0/0/1
R3(config-if)#crypto map VPN-MAP
*Jan  3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

三、验证

show crypto ipsec sa查看封装，加密，解封装和解密

R1#show crypto ipsec sa
interface: Serial0/0/0
    Crypto map tag: VPN-MAP, local addr 10.1.1.2
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote  ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer 10.2.2.2 port 500
    PERMIT, flags={origin_is_acl,}
   #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
   #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
   #pkts compressed: 0, #pkts decompressed: 0
   #pkts not compressed: 0, #pkts compr. failed: 0
   #pkts not decompressed: 0, #pkts decompress failed: 0
   #send errors 0, #recv errors 0
。。。。。

PC-A ping PC-C，显示ping通后

再次查看封装，加密，解封装和解密，包个数已经变化了

R1#show crypto ipsec sa
interface: Serial0/0/0
    Crypto map tag: VPN-MAP, local addr 10.1.1.2
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote  ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer 10.2.2.2 port 500
    PERMIT, flags={origin_is_acl,}
   #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 0
   #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 0
   #pkts compressed: 0, #pkts decompressed: 0
   #pkts not compressed: 0, #pkts compr. failed: 0
   #pkts not decompressed: 0, #pkts decompress failed: 0
   #send errors 1, #recv errors 0
。。。。。

PC-A ping PC-C，pt查看传送ICMP数据包，可以看到数据包结构已经加了一层ESP加密层

实验完整配置文档

R1 running-config
Building configuration…

Current configuration : 1465 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
!
!
enable secret 5 $1$ mERr$TfFTxE.mmb5O5BVC56ndL0
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto isakmp key vpnpa55 address 10.2.2.2
!
!
!
crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
set peer 10.2.2.2
set peer 10.1.1.2
set transform-set VPN-SET
match address 110
!
!
!
!
ip ssh version 1
ip name-server 0.0.0.0
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 10.1.1.2 255.255.255.252
clock rate 128000
crypto map VPN-MAP
!
interface Serial0/0/1
no ip address
clock rate 128000
!
interface Vlan1
no ip address
shutdown
!
router rip
version 2
network 10.0.0.0
network 192.168.1.0
no auto-summary
!
ip classless
!
ip flow-export version 9
!
!
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!
banner motd ^C
************ AUTHORIZED ACCESS ONLY *************
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
^C
!
!
!
!
logging trap debugging
line con 0
password ciscoconpa55
login
!
line aux 0
!
line vty 0 4
password ciscovtypa55
login
!
!
ntp update-calendar
!
End

R3 running-config
Building configuration…

Current configuration : 1457 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R3
!
!
!
enable secret 5 $1$ mERr$TfFTxE.mmb5O5BVC56ndL0
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto isakmp key vpnpa55 address 10.1.1.2
!
!
!
crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
set peer 10.1.1.2
set peer 10.2.2.2
set transform-set VPN-SET
match address 110
!
!
!
!
ip ssh version 1
ip name-server 0.0.0.0
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
ip address 192.168.3.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
clock rate 2000000
shutdown
!
interface Serial0/0/1
ip address 10.2.2.2 255.255.255.252
crypto map VPN-MAP
!
interface Vlan1
no ip address
shutdown
!
router rip
version 2
network 10.0.0.0
network 192.168.3.0
no auto-summary
!
ip classless
!
ip flow-export version 9
!
!
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
!
banner motd ^C
************ AUTHORIZED ACCESS ONLY *************
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
^C
!
!
!
!
logging trap debugging
line con 0
password ciscoconpa55
login
!
line aux 0
!
line vty 0 4
password ciscovtypa55
login
!
!
ntp update-calendar
!
end