Cisco router site-to-site IPsec SVTI VPN configuration
Compared with GRE over IPsec, SVTI saves the 4-byte GRE header.
1. Site1 configuration:
```
! Phase-1 ISAKMP policy; verify it with: show crypto isakmp policy
! 3DES, MD5 and DH group 2 are the lab values used here; they are legacy choices today
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 61.128.1.1
!
! SVTI uses the default tunnel mode
crypto ipsec transform-set cisco esp-des esp-md5-hmac
 mode tunnel
!
crypto ipsec profile To_site2_ipsec
 set transform-set cisco
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
! Unlike a GRE over IPsec configuration, SVTI uses the 'ipsec ipv4' tunnel mode
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 tunnel source 202.100.1.1
 tunnel destination 61.128.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile To_site2_ipsec
!
interface FastEthernet0/0
 ip address 202.100.1.1 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 1.1.1.0 0.0.0.255 area 0
 network 172.16.1.0 0.0.0.255 area 0
!
no ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 202.100.1.10
!
Site1#
```
2. Site2 configuration:
```
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 202.100.1.1
!
! The transform-set must match Site1's, otherwise phase 2 will not negotiate;
! the show crypto ipsec sa output below confirms esp-des esp-md5-hmac on both ends
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto ipsec profile To_site1_ipsec
 set transform-set cisco
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface Tunnel0
 ip address 172.16.1.2 255.255.255.0
 tunnel source FastEthernet1/0
 tunnel destination 202.100.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile To_site1_ipsec
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 61.128.1.1 255.255.255.0
 duplex auto
 speed auto
!
no ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 61.128.1.10
Site2#
```
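Before bringing such a tunnel up it is worth cross-checking the two configurations mechanically: that each tunnel destination has a pre-shared key bound to it, that the keys and transform-sets agree, that `tunnel protection` resolves through the profile to an existing transform-set, that `tunnel mode ipsec ipv4` is set, and which legacy algorithms are in play. The following Python audit is an added example, not code from the original post; the SITE1/SITE2 strings are constructed, trimmed copies of the two configurations above, and SITE2_MISMATCH is a constructed variant whose transform-set lacks esp-md5-hmac.

```python
import re

# Phase-1/phase-2 choices that are legacy today (DES/3DES, MD5, DH group 1/2): flagged, not accepted.
LEGACY = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac", "group 1", "group 2"}

def parse_ios(cfg):
    """Extract the SVTI-relevant lines from an IOS running-config with regexes over the text."""
    return {
        "keys": {addr: key for key, addr in re.findall(r"crypto isakmp key (\S+) address (\S+)", cfg)},
        "tsets": {n: t.split() for n, t in re.findall(r"crypto ipsec transform-set (\S+) (.+)", cfg)},
        # assumption: encr/hash/group lines appear only under 'crypto isakmp policy' in these configs
        "policy": dict(re.findall(r"^\s*(encr|hash|group) (\S+)$", cfg, re.M)),
        "profiles": dict(re.findall(r"crypto ipsec profile (\S+)\n\s*set transform-set (\S+)", cfg)),
        "tunnel_dst": re.findall(r"tunnel destination (\S+)", cfg),
        "tunnel_mode": re.findall(r"tunnel mode (.+)", cfg),
        "protection": re.findall(r"tunnel protection ipsec profile (\S+)", cfg),
    }

def audit_pair(a, b):
    """Cross-check two SVTI peers; returns findings (an empty list means consistent and modern)."""
    findings = []
    for name, cfg in (("site1", a), ("site2", b)):
        if cfg["tunnel_mode"] != ["ipsec ipv4"]:
            findings.append(f"{name}: Tunnel0 lacks 'tunnel mode ipsec ipv4'")
        for dst in cfg["tunnel_dst"]:  # the pre-shared key must be bound to the tunnel peer
            if dst not in cfg["keys"]:
                findings.append(f"{name}: no pre-shared key for peer {dst}")
        for prof in cfg["protection"]:  # tunnel protection -> profile -> transform-set must resolve
            if cfg["profiles"].get(prof) not in cfg["tsets"]:
                findings.append(f"{name}: profile {prof} does not resolve to a transform-set")
        legacy = {v for k, v in cfg["policy"].items() if k != "group" and v in LEGACY}
        legacy |= {"group " + cfg["policy"].get("group", "")} & LEGACY
        legacy |= {t for ts in cfg["tsets"].values() for t in ts if t in LEGACY}
        if legacy:
            findings.append(f"{name}: legacy algorithms {sorted(legacy)}")
    if set(a["keys"].values()) != set(b["keys"].values()):
        findings.append("pre-shared keys differ between peers")
    if sorted(map(sorted, a["tsets"].values())) != sorted(map(sorted, b["tsets"].values())):
        findings.append("transform-sets differ between peers (phase 2 will not negotiate)")
    return findings

# Constructed samples mirroring the two routers above (crypto and Tunnel0 sections only).
SITE1 = "\n".join(["crypto isakmp policy 10", " encr 3des", " hash md5", " group 2",
    "crypto isakmp key cisco address 61.128.1.1", "crypto ipsec transform-set cisco esp-des esp-md5-hmac",
    "crypto ipsec profile To_site2_ipsec", " set transform-set cisco", "interface Tunnel0",
    " tunnel destination 61.128.1.1", " tunnel mode ipsec ipv4", " tunnel protection ipsec profile To_site2_ipsec"])
SITE2 = SITE1.replace("61.128.1.1", "202.100.1.1").replace("site2", "site1")
# Constructed variant whose transform-set dropped esp-md5-hmac: the audit reports the phase-2 mismatch.
SITE2_MISMATCH = SITE2.replace("esp-des esp-md5-hmac", "esp-des")
```

Run `audit_pair(parse_ios(SITE1), parse_ios(SITE2))` to see only the legacy-algorithm findings, and substitute SITE2_MISMATCH to see the transform-set mismatch reported as well.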
3. Test:
```
Site1# ping 2.2.2.2 so 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/53/76 ms
Site1#
```
4. Status commands:
```
Site1#show crypto engi conn ac
ID Interface IP-Address State Algorithm Encrypt Decrypt
4 FastEthernet0/0 202.100.1.1 set HMAC_MD5+3DES_56_C 0 0
2002 FastEthernet0/0 202.100.1.1 set DES+MD5 26 0
2004 FastEthernet0/0 202.100.1.1 set DES+MD5 0 25
Site1#show crypto isakmp sa
dst src state conn-id slot status
202.100.1.1 61.128.1.1 QM_IDLE 4 0 ACTIVE
Site1#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 202.100.1.1
protected vrf: (none)
! the encrypted traffic selector is any-to-any
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 61.128.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 27, #pkts encrypt: 27, #pkts digest: 27
#pkts decaps: 26, #pkts decrypt: 26, #pkts verify: 26
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 202.100.1.1, remote crypto endpt.: 61.128.1.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xCA895958(3397998936)
inbound esp sas:
spi: 0x962F864(157481060)
transform: esp-des esp-md5-hmac ,
! tunnel mode in use
in use settings ={Tunnel, }
conn id: 2004, flow_id: SW:4, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4508692/3542)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xCA895958(3397998936)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4508692/3540)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
! clears the IPsec SAs so that they are renegotiated
Site1#clear crypto sa
Site1#
```