IPsec interconnection configuration examples with Cisco products

Connecting to a Cisco 2691 with IPsec (main mode)

Equipment used

  • YAMAHA RTX800(Rev 10.01.40)
  • CISCO 2691(IOS V12.4(11)T2)

Network topology

            PC2
             |
       ------+------ 192.168.1.0/24
             |.1
        +--------+
        | C 2691 | IOS Version 12.4(11)T2
        +--------+
  172.16.1.1 |          
             |          
            ~~~         
            ~~~         IPsec
             |          
             |          
             |          
  172.16.2.1 |          
        +---------+
        | RTX800  | Rev10.01.40
        +---------+
             |.1
       ------+------ 192.168.0.0/24
             |
            PC1

RTX800 configuration

ip route default gateway 172.16.2.254
ip route 192.168.1.0/24 gateway tunnel 1
ip lan1 address 192.168.0.1/24
ip lan2 address 172.16.2.1/24
ip lan2 nat descriptor 1
tunnel select 1
 ipsec tunnel 101
  ipsec sa policy 101 1 esp aes-cbc sha-hmac local-id=192.168.0.0/24 remote-id=192.168.1.0/24 ...*1
  ipsec ike always-on 1 on
  ipsec ike duration isakmp-sa 1 28800    .......................................................*2
  ipsec ike encryption 1 aes-cbc          .......................................................*3
  ipsec ike group 1 modp1024              .......................................................*3
  ipsec ike hash 1 sha                    .......................................................*3
  ipsec ike local address 1 192.168.0.1   .......................................................*4
  ipsec ike pre-shared-key 1 text router  .......................................................*5
  ipsec ike remote address 1 172.16.1.1   .......................................................*6	
 ip tunnel tcp mss limit 1350
 tunnel enable 1
ipsec auto refresh on
  • *1 Sets the SA policy of the security gateway.
  • *2 Sets the lifetime of the SA.
  • *3 Sets the IKE phase 1 parameters.
  • *4 Sets the local source address used by IKE.
  • *5 Sets the PSK (pre-shared key).
  • *6 Sets the IP address of the peer security gateway.

C2691 configuration

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
ip domain name lab.local
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
!
!
!
!
!
crypto isakmp policy 1       .................................................*7
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key router address 172.16.2.1     ..............................*8
!
!
crypto ipsec transform-set my_trans esp-aes esp-sha-hmac   ...................*9
!
crypto map vpn_to_yamaha 10 ipsec-isakmp        ..............................*10
 set peer 172.16.2.1
 set transform-set my_trans
 match address 100
!
!
!
!
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map vpn_to_yamaha                       ..............................*11
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 192.168.110.1
!
!
no ip http server
no ip http secure-server
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255

!
end
  • *7 Sets the key exchange method.
  • *8 Sets the PSK (pre-shared key).
  • *9 Sets the SA policy of the security gateway.
  • *10 Sets the SA policy to use.
  • *11 Applies the settings to the interface.

Connecting to a Cisco 2691 with IPsec (aggressive mode)

Equipment used

  • YAMAHA RTX800(Rev 10.01.40)
  • CISCO 2691(IOS V12.4(11)T2)

Network topology

            PC2
             |
       ------+------ 192.168.1.0/24
             |.1
        +--------+
        | C 2691 | IOS Version 12.4(11)T2
        +--------+
  172.16.1.1 |          
             |          
            ~~~         
            ~~~         IPsec
             |          
             |          
             |          
        IPCP |          
        +---------+
        | RTX800  | Rev10.01.40
        +---------+
             |.1
       ------+------ 192.168.0.0/24
             |
            PC1

RTX800 configuration

ip route default gateway pp 1
ip route 192.168.1.0/24 gateway tunnel 1
ip lan1 address 192.168.0.1/24
tunnel select 1
 ipsec tunnel 101
  ipsec sa policy 101 1 esp aes-cbc sha-hmac local-id=192.168.0.0/24 remote-id=192.168.1.0/24 ...*1
  ipsec ike always-on 1 on
  ipsec ike duration isakmp-sa 1 28800    .......................................................*2
  ipsec ike encryption 1 aes-cbc          .......................................................*3
  ipsec ike group 1 modp1024              .......................................................*3
  ipsec ike hash 1 sha                    .......................................................*3
  ipsec ike local name 1 user1@test user-fqdn   .................................................*4
  ipsec ike pre-shared-key 1 text router  .......................................................*5
  ipsec ike remote address 1 172.16.1.1   .......................................................*6	
 ip tunnel tcp mss limit 1350
 tunnel enable 1
ipsec auto refresh on
  • *1 Sets the SA policy of the security gateway.
  • *2 Sets the lifetime of the SA.
  • *3 Sets the IKE phase 1 parameters.
  • *4 Sets the local name (identity) used by IKE.
  • *5 Sets the PSK (pre-shared key).
  • *6 Sets the IP address of the peer security gateway.

C2691 configuration

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
aaa user profile user1@test
!
aaa authorization network AGGRE local      .....................................*7
!
!
aaa session-id common
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
ip domain name lab.local
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
crypto isakmp policy 1       ...................................................*8
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp client configuration group user1@test   ..........................*9
 key router           ..........................................................*10
!
!
crypto ipsec transform-set DEFAULT esp-aes esp-sha-hmac     ....................*11
!
crypto dynamic-map Dmap 10      ................................................*12
 set transform-set DEFAULT
 match address 100
!
!
crypto map LAB local-address FastEthernet0/0      ..............................*13
crypto map LAB isakmp authorization list AGGRE    ..............................*14
crypto map LAB 10 ipsec-isakmp dynamic Dmap       ..............................*15
!
!
!
!
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map LAB      ...........................................................*16
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
!
no ip http server
no ip http secure-server
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
!
!
!
end
  • *7 Sets how the information obtained through the key exchange is registered on the router (configured with "*9" and "*10").
  • *8 Sets the key exchange method.
  • *9 Sets the name of the peer security gateway.
  • *10 Sets the PSK for "*9".
  • *11 Sets the SA policy of the security gateway.
  • *12 Configures the connection to a peer whose IP address is not fixed.
  • *13 Sets the local IP address.
  • *14 Sets the method used to verify that the information obtained through the key exchange is correct (configured with "*7").
  • *15 Configures the connection to a peer whose IP address is not fixed.
  • *16 Applies the settings to the interface.
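Both the main-mode and the aggressive-mode sections above list the two peers' settings side by side but leave the matching to the reader, and a disagreement on any negotiated parameter (IKE encryption, hash, DH group, lifetime, PSK, ESP transforms, traffic selectors, or the aggressive-mode identity) is the usual reason such a tunnel never comes up. The following Python script is an added example, not Yamaha or Cisco code: it parses excerpts of the configurations from both sections, translates RTX keywords into their IOS equivalents (modp1024 is IOS group 2, aes-cbc is encr aes, and so on), applies the IOS isakmp-policy defaults for lines the Cisco side omits (hash sha, group 1, lifetime 86400), and reports every mismatch. The RTX_TO_IOS mapping tables and those defaults are assumptions drawn from vendor documentation; tunnel, policy and ACL numbers and all addresses are taken from the page.

```python
"""Check that the RTX800 and Cisco IOS configurations on this page agree on every
parameter IKE phase 1 and IPsec phase 2 negotiate (added example, not vendor code)."""
import ipaddress

# RTX keyword -> equivalent IOS keyword / DH group number (assumed mapping)
RTX_TO_IOS = {"aes-cbc": "aes", "3des-cbc": "3des", "des-cbc": "des",
              "modp768": "1", "modp1024": "2", "modp1536": "5", "modp2048": "14"}
RTX_ESP_TO_IOS = {"aes-cbc": "esp-aes", "3des-cbc": "esp-3des", "des-cbc": "esp-des",
                  "sha-hmac": "esp-sha-hmac", "md5-hmac": "esp-md5-hmac"}

# Constructed excerpts of the page's main-mode configurations; only lines the checker reads.
RTX_MAIN = """
ipsec sa policy 101 1 esp aes-cbc sha-hmac local-id=192.168.0.0/24 remote-id=192.168.1.0/24
ipsec ike duration isakmp-sa 1 28800
ipsec ike encryption 1 aes-cbc
ipsec ike group 1 modp1024
ipsec ike hash 1 sha
ipsec ike pre-shared-key 1 text router
"""
IOS_MAIN = """
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key router address 172.16.2.1
crypto ipsec transform-set my_trans esp-aes esp-sha-hmac
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
"""
# Aggressive-mode pair: the RTX sends a user-fqdn identity and IOS keys the PSK to that name.
RTX_AGGR = RTX_MAIN + "ipsec ike local name 1 user1@test user-fqdn\n"
IOS_AGGR = IOS_MAIN.replace("crypto isakmp key router address 172.16.2.1",
                            "crypto isakmp client configuration group user1@test\n key router")

def parse_rtx(text):
    p = {"psk": None, "local_name": None}
    for w in (line.split() for line in text.splitlines()):
        if w[:3] == ["ipsec", "ike", "encryption"]:
            p["encr"] = RTX_TO_IOS[w[4]]
        elif w[:3] == ["ipsec", "ike", "hash"]:
            p["hash"] = w[4]
        elif w[:3] == ["ipsec", "ike", "group"]:
            p["group"] = RTX_TO_IOS[w[4]]
        elif w[:4] == ["ipsec", "ike", "duration", "isakmp-sa"]:
            p["lifetime"] = int(w[5])
        elif w[:3] == ["ipsec", "ike", "pre-shared-key"]:
            p["psk"] = w[5]                                    # "... 1 text <key>"
        elif w[:4] == ["ipsec", "ike", "local", "name"]:
            p["local_name"] = w[5]
        elif w[:3] == ["ipsec", "sa", "policy"]:               # phase 2 proposal + selectors
            p["esp"] = {RTX_ESP_TO_IOS[w[6]], RTX_ESP_TO_IOS[w[7]]}
            ids = dict(kv.split("=") for kv in w[8:10])
            p["local_net"] = ipaddress.ip_network(ids["local-id"])
            p["remote_net"] = ipaddress.ip_network(ids["remote-id"])
    return p

def _wild(addr, wildcard):
    """IOS address/wildcard pair -> ip_network (contiguous wildcard assumed)."""
    bits = 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{bits}", strict=False)

def parse_ios(text):
    p = {"encr": "des", "hash": "sha", "group": "1", "lifetime": 86400,   # IOS policy defaults
         "auth": "rsa-sig", "psk": None, "group_name": None}
    section = None
    for line in filter(str.strip, text.splitlines()):
        w = line.split()
        section = section if line.startswith(" ") else None       # indented lines stay in a block
        if w[:3] == ["crypto", "isakmp", "policy"]:
            section = "policy"
        elif w[:5] == ["crypto", "isakmp", "client", "configuration", "group"]:
            section, p["group_name"] = "group", w[5]
        elif w[:3] == ["crypto", "isakmp", "key"]:             # crypto isakmp key <key> address <ip>
            p["psk"] = w[3]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            p["esp"] = set(w[4:])
        elif w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
            p["src_net"], p["dst_net"] = _wild(w[4], w[5]), _wild(w[6], w[7])
        elif section == "policy" and w[0] in ("encr", "hash", "group", "lifetime", "authentication"):
            key = "auth" if w[0] == "authentication" else w[0]
            p[key] = int(w[1]) if key == "lifetime" else w[1]
        elif section == "group" and w[0] == "key":
            p["psk"] = w[1]
    return p

def check(rtx_text, ios_text):
    """Return (mismatches, warnings); an empty mismatch list means the peers agree."""
    rtx, ios = parse_rtx(rtx_text), parse_ios(ios_text)
    bad, warn = [], []
    for k in ("encr", "hash", "group", "lifetime"):
        if rtx[k] != ios[k]:
            bad.append(f"phase1 {k}: RTX {rtx[k]} vs IOS {ios[k]}")
    if ios["auth"] != "pre-share" or rtx["psk"] != ios["psk"]:
        bad.append("authentication method or pre-shared key differs")
    if rtx["esp"] != ios["esp"]:
        bad.append(f"phase2 transforms: RTX {sorted(rtx['esp'])} vs IOS {sorted(ios['esp'])}")
    if (ios["src_net"], ios["dst_net"]) != (rtx["remote_net"], rtx["local_net"]):   # ACL mirrors local-id/remote-id
        bad.append("traffic selectors are not mirror images")
    if rtx["local_name"] and rtx["local_name"] != ios["group_name"]:   # aggressive-mode identity
        bad.append(f"identity {rtx['local_name']} has no matching IOS group")
    if rtx["group"] == "2":
        warn.append("DH group 2 (1024-bit MODP) is below current recommendations")
    return bad, warn
```

Running check() on each pair from the page returns no mismatches, only the DH group warning; dropping the "group 2" line from the IOS policy makes IOS fall back to its default group 1 and the checker reports the phase 1 mismatch, and pointing the aggressive-mode RTX excerpt at the main-mode IOS excerpt reports that the user1@test identity has no matching client configuration group.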
