Terence's Blog

Jugglers and singers require applause.

IPSec VPN Lab: Site-to-Site

One router simulates the Internet, and R1 and R3 simulate the gateway routers of two companies. Loopback 0 on R1 stands in for company 1's internal network 192.168.1.0/24, and Loopback 0 on R3 for company 3's internal network 192.168.3.0/24. The two gateway routers are configured as a Site-to-Site IPSec VPN so that the two internal networks can reach each other.

R1's outside interface F0/0 is 192.168.12.1/24 and R3's outside interface F0/1 is 192.168.23.3/24. OSPF runs on all three routers, so R1's F0/0 can already ping R3's F0/1. R1 and R3 still need a default route: routing happens before encryption, so a packet for the remote LAN must first be routed out the outside interface before the crypto map on that interface can match it. Without such a route the gateway drops the packet, nothing ever hits the crypto ACL, and the tunnel is never brought up.

IPSec VPN configuration on R1

! Match interesting traffic (the crypto ACL): company 1 LAN to company 3 LAN
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!
! IKE phase 1: the ISAKMP SA (both peers must agree on all four settings)
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
! Pre-shared key bound to the peer's address. The "6" is the key-string
! encryption type: type 6 requires a master key from
! "key config-key password-encrypt"; "0" or no number means the key
! that follows is entered in cleartext.
crypto isakmp key 6 cisco address 192.168.23.3
!
! IKE phase 2: the IPsec SA transform set
crypto ipsec transform-set SET esp-3des esp-md5-hmac
 mode tunnel
!
! Tie peer, transform set and crypto ACL together in one crypto map entry
crypto map VPN 10 ipsec-isakmp
 set peer 192.168.23.3
 set transform-set SET
 match address 100
!
! Apply the crypto map to the outside interface
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 crypto map VPN

R3's configuration is almost identical to R1's; only the interesting-traffic ACL and the peer address are reversed:

access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 6 cisco address 192.168.12.1
!
crypto ipsec transform-set SET esp-3des esp-md5-hmac 
  mode tunnel
!
crypto map VPN 10 ipsec-isakmp 
 set peer 192.168.12.1
 set transform-set SET 
 match address 100
!
interface FastEthernet0/1
 ip address 192.168.23.3 255.255.255.0
 crypto map VPN
!

R1 has no specific route to R3's internal network 192.168.3.0/24 (the loopbacks are not advertised in OSPF). Packets for it follow the static default route out FastEthernet0/0, which is where the crypto map catches them. Note that this default route points at the interface rather than a next hop; on an Ethernet segment that makes R1 ARP for every remote destination and rely on the Internet router's proxy ARP, so ip route 0.0.0.0 0.0.0.0 192.168.12.2 is the cleaner form.

R1#sh ip route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0

C    192.168.12.0/24 is directly connected, FastEthernet0/0
O    192.168.23.0/24 [110/20] via 192.168.12.2, 02:49:46, FastEthernet0/0
C    192.168.1.0/24 is directly connected, Loopback0
S*   0.0.0.0/0 is directly connected, FastEthernet0/0

Ping R3's Loopback 0 from R1's Loopback 0, 50 times. The first packet is the one that hits the crypto map and triggers the IKE negotiation; until both the ISAKMP and the IPsec SAs are up there is nothing to encrypt it with, so the first packet (sometimes the first few) is dropped and the rest go through:

R1#ping 192.168.3.1 source 192.168.1.1 repeat 50

Type escape sequence to abort.
Sending 50, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1 
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 98 percent (49/50), round-trip min/avg/max = 16/22/28 ms

Looking at the active crypto engine connections: ID 9 is the inbound IPsec SA (49 packets decrypted), ID 10 the outbound IPsec SA (49 packets encrypted), and 1002 the IKE SA, which carries no user data. On a healthy tunnel the encrypt and decrypt counts stay close to each other, here exactly the 49 echo/reply pairs that succeeded; a large gap between them means traffic is being encrypted in one direction only.

R1#sh crypto engine connections active 
Crypto Engine Connections

   ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
    9 Fa0/0      IPsec 3DES MD5                  0       49 192.168.12.1
   10 Fa0/0      IPsec 3DES MD5                 49        0 192.168.12.1
 1002 Fa0/0      IKE   MD5 3DES                  0        0 192.168.12.1
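The same interpretation done programmatically, as an added example that is not part of the original post: it parses the output of "show crypto engine connections active" (assuming the column layout shown above, with the algorithm field taken from the middle because it contains spaces), sums the IPsec SA counters and flags the one-way-tunnel case. Both sample outputs are constructed; the first is the capture above, the second is what the same command looks like when nothing ever comes back from the far end.

```python
"""Parse 'show crypto engine connections active' and flag a one-way tunnel.
Added example, not from the original post. Assumes the IOS layout above:
ID Interface Type Algorithm Encrypt Decrypt IP-Address, where only the
Algorithm column contains spaces, so fixed columns are read from both ends.
"""

# Constructed sample: the output captured on R1 after the 50-packet ping.
HEALTHY = """\
Crypto Engine Connections

   ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
    9 Fa0/0      IPsec 3DES MD5                  0       49 192.168.12.1
   10 Fa0/0      IPsec 3DES MD5                 49        0 192.168.12.1
 1002 Fa0/0      IKE   MD5 3DES                  0        0 192.168.12.1
"""

# Constructed sample: the far end never returns traffic (for example because
# its crypto ACL is not the mirror image of ours), so only encrypt counts grow.
ONE_WAY = """\
   ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
   11 Fa0/0      IPsec 3DES MD5                  0        0 192.168.12.1
   12 Fa0/0      IPsec 3DES MD5                 50        0 192.168.12.1
 1003 Fa0/0      IKE   MD5 3DES                  0        0 192.168.12.1
"""


def parse_connections(output):
    """Return one dict per SA row; title, header and blank lines are skipped."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].isdigit():
            continue
        rows.append({
            "id": int(parts[0]),
            "interface": parts[1],
            "type": parts[2],                      # "IPsec" or "IKE"
            "algorithm": " ".join(parts[3:-3]),    # may contain spaces
            "encrypt": int(parts[-3]),
            "decrypt": int(parts[-2]),
            "local_ip": parts[-1],
        })
    return rows


def ipsec_counters(output):
    """Sum encrypt/decrypt over the IPsec SAs only (the IKE SA carries no user data)."""
    enc = dec = 0
    for row in parse_connections(output):
        if row["type"] == "IPsec":
            enc += row["encrypt"]
            dec += row["decrypt"]
    return enc, dec


def diagnose(output, tolerance=0.2):
    """Classify the tunnel from its counters after a round-trip test such as a ping."""
    enc, dec = ipsec_counters(output)
    if enc == 0 and dec == 0:
        return "no traffic: nothing has matched the crypto ACL yet"
    if dec == 0:
        return "one-way: we encrypt but nothing comes back (check the far end's crypto ACL, route and policy)"
    if enc == 0:
        return "one-way: we decrypt but send nothing (check our crypto ACL and the route to the remote LAN)"
    if abs(enc - dec) > tolerance * max(enc, dec):
        return f"asymmetric: {enc} encrypted vs {dec} decrypted"
    return "ok"


if __name__ == "__main__":
    for name, sample in (("R1 after ping", HEALTHY), ("constructed one-way", ONE_WAY)):
        print(name, ipsec_counters(sample), diagnose(sample))
```

The tolerance is deliberately loose: a few packets lost while the SAs were being negotiated (the first "." in the ping output above) should not trip it, but a tunnel where only one counter moves always does.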

When configuring, make sure the two gateway routers agree on every ISAKMP SA parameter: authentication method, the pre-shared key (when the method is pre-share), hash algorithm (MD5 or SHA), encryption algorithm (DES, 3DES or AES) and DH group (1, 2 or 5), and that the IPsec SAs on both sides use the same encapsulation (ESP or AH) and the same transform set. The crypto ACLs that match interesting traffic must be exact mirror images of each other (source and destination swapped); otherwise one end encrypts traffic that the other end does not treat as VPN traffic, and packets only flow in one direction. Keep in mind that 3DES, MD5 and DH group 2, as used in this lab, are all on Cisco's "avoid" list in its Next Generation Encryption guidance; outside a lab use AES-256 (or AES-GCM), SHA-256 and DH group 14 or stronger, and prefer IKEv2 over IKEv1.
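The checks in that paragraph, written as a small lint over both configs. This is an added example and not the post's own code: it parses R1's and R3's configuration (embedded here as constructed sample input, copied from the lab above), verifies that the crypto ACLs are mirror images, that the ISAKMP policy, pre-shared key and transform set match, that each "set peer" and "crypto isakmp key ... address" points at the far end's crypto-map interface, and lists the algorithms on Cisco's "avoid" list. The regexes assume the shape of this lab (one policy, one transform set, one crypto-map entry and one ACL line per router); a multi-peer config would need a fuller parser.

```python
"""Consistency lint for a pair of IOS site-to-site IPsec configs (added example,
not the post's own code). Regexes assume one ISAKMP policy, one transform set,
one crypto-map entry and one ACL line per router, which is all this lab has."""
import re

# Constructed sample input: R1's config from the lab above.
R1_CONFIG = """
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 6 cisco address 192.168.23.3
crypto ipsec transform-set SET esp-3des esp-md5-hmac
 mode tunnel
crypto map VPN 10 ipsec-isakmp
 set peer 192.168.23.3
 set transform-set SET
 match address 100
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 crypto map VPN
"""
# Constructed sample input: R3's config, the mirror image of R1's.
R3_CONFIG = """
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 6 cisco address 192.168.12.1
crypto ipsec transform-set SET esp-3des esp-md5-hmac
 mode tunnel
crypto map VPN 10 ipsec-isakmp
 set peer 192.168.12.1
 set transform-set SET
 match address 100
interface FastEthernet0/1
 ip address 192.168.23.3 255.255.255.0
 crypto map VPN
"""
# Cisco Next Generation Encryption "avoid" list, spelled the way IOS writes them.
LEGACY = {"des", "3des", "md5", "group 1", "group 2", "group 5"}


def parse_peer(config):
    """Pull out the fields the two ends must agree on."""
    def grab(pattern):
        m = re.search(pattern, config, re.M)
        if m is None:
            raise ValueError("config is missing: " + pattern)
        return m.groups()

    acl_id, src, src_wc, dst, dst_wc = grab(r"^access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)")
    (encr,) = grab(r"^\s+encr(?:yption)? (\S+)")
    (hsh,) = grab(r"^\s+hash (\S+)")
    (auth,) = grab(r"^\s+authentication (\S+)")
    (group,) = grab(r"^\s+group (\d+)")
    key, key_addr = grab(r"^crypto isakmp key (?:\d )?(\S+) address (\S+)")  # optional 0/6 type flag
    ts_name, ts_algs = grab(r"^crypto ipsec transform-set (\S+) (.+?)\s*$")
    (peer,) = grab(r"^\s+set peer (\S+)")
    (match_acl,) = grab(r"^\s+match address (\d+)")
    # The outside interface is the one whose "ip address" line is followed by "crypto map".
    (local_ip,) = grab(r"^\s+ip address (\S+) \S+\n\s+crypto map \S+")
    return {"acl_id": acl_id, "match_acl": match_acl, "src": (src, src_wc), "dst": (dst, dst_wc),
            "policy": (encr, hsh, auth, "group " + group), "key": key, "key_addr": key_addr,
            "transform": ts_name, "transform_algs": tuple(ts_algs.split()),
            "peer": peer, "local_ip": local_ip}


def check_pair(a_config, b_config):
    """Return the list of mismatches; an empty list means the two ends agree."""
    a, b = parse_peer(a_config), parse_peer(b_config)
    findings = []
    for side, me, far in (("A", a, b), ("B", b, a)):
        if me["peer"] != far["local_ip"]:
            findings.append(f"{side}: set peer {me['peer']} is not the far end's crypto-map interface {far['local_ip']}")
        if me["key_addr"] != me["peer"]:
            findings.append(f"{side}: isakmp key is bound to {me['key_addr']} but the peer is {me['peer']}")
        if me["match_acl"] != me["acl_id"]:
            findings.append(f"{side}: crypto map matches ACL {me['match_acl']} but ACL {me['acl_id']} is defined")
    if (a["src"], a["dst"]) != (b["dst"], b["src"]):
        findings.append("crypto ACLs are not mirror images: one end will encrypt traffic the other does not expect")
    if a["policy"] != b["policy"]:
        findings.append(f"ISAKMP policies differ: {a['policy']} vs {b['policy']}")
    if a["key"] != b["key"]:
        findings.append("pre-shared keys differ")
    if a["transform_algs"] != b["transform_algs"]:
        findings.append(f"transform sets differ: {a['transform_algs']} vs {b['transform_algs']}")
    return findings


def legacy_algorithms(config):
    """Algorithms from the ISAKMP policy and transform set that are on the avoid list."""
    p = parse_peer(config)
    used = set(p["policy"])
    for alg in p["transform_algs"]:  # esp-3des -> 3des, esp-md5-hmac -> md5
        used.add(alg.replace("esp-", "", 1).replace("-hmac", ""))
    return sorted(used & LEGACY)


if __name__ == "__main__":
    print(check_pair(R1_CONFIG, R3_CONFIG) or "R1 and R3 agree")
    print("legacy algorithms on R1:", legacy_algorithms(R1_CONFIG))
```

Run against the two configs above it reports no mismatch and lists 3des, group 2 and md5 as legacy; change one octet of R3's ACL or its hash and the corresponding finding appears, which is exactly the one-direction failure the paragraph warns about.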