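What Has to Be Said About IPsec on Digital China Routers

Published: 2020-07-15 11:07:02  Source: Internet  Views: 1319  Author: crazy_qiao  Category: Security Technology

In one sentence: IPsec on Digital China routers has its own peculiarities.

Lab environment: two routers connected back to back, with three subnets in total: 192.168.0.0, 192.168.1.0 and 192.168.2.0. 192.168.1.0 simulates the public network and the other two simulate private networks; an IPsec VPN is enabled so that these two subnets can communicate securely.

At the start, the configuration files of the two routers were as follows.

Router R1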

show running-config
Building configuration...

Current configuration:
!
!version 1.3.3H
service timestamps log date
service timestamps debug date
no service password-encryption
!
hostname R1
crypto isakmp key 123456789 192.168.1.2 255.255.255.255
!
!
crypto isakmp policy 10
hash md5
!
crypto ipsec transform-set one
transform-type esp-des esp-md5-hmac
!
crypto map my 10 ipsec-isakmp
mode aggressive
set peer 192.168.1.2
set transform-set one
match address bendi
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
no ip directed-broadcast
crypto map my
ip nat outside
!
interface FastEthernet0/3
ip address 192.168.0.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
interface Serial0/1
no ip address
no ip directed-broadcast
!
interface Serial0/2
no ip address
no ip directed-broadcast
!
interface Async0/0
no ip address
no ip directed-broadcast
!
ip route 192.168.2.0 255.255.255.0 192.168.1.2

!
ip access-list extended bendi
permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
!
ip access-list standard 123
permit ip any
!
ip nat inside source list 123 interface FastEthernet0/0
!
R1_config#

Router R2

show run
Building configuration...

Current configuration:
!
!version 1.3.3H
service timestamps log date
service timestamps debug date
no service password-encryption
!
hostname R2

!
gbsc group default
!    

crypto isakmp key 123456789 192.168.1.1 255.255.255.255
!
!
crypto isakmp policy 10
hash md5
!
crypto ipsec transform-set one
transform-type esp-des esp-md5-hmac
!
crypto map my 10 ipsec-isakmp
mode aggressive
set peer 192.168.1.1
set transform-set one
match address bendi
!
!
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
no ip directed-broadcast
crypto map my
ip nat outside
!
interface FastEthernet0/3
ip address 192.168.2.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
interface Serial0/1
no ip address
no ip directed-broadcast
!
interface Serial0/2
no ip address
no ip directed-broadcast
!
interface Async0/0
no ip address
no ip directed-broadcast
!
ip route 192.168.0.0 255.255.255.0 192.168.1.1  
!
ip access-list extended bendi
permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
!
ip access-list standard 123
permit ip any
!

ip nat inside source list 123 interface FastEthernet0/0

!
R2_config#

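Using show crypto ipsec sa and show crypto isakmp sa, I found that the IPsec connection could not be established, that is, the IPsec tunnel was not active. What was wrong? I checked the configuration and found no errors. So I removed NAT and tested again: show crypto ipsec sa and show crypto isakmp sa showed that the IPsec connection was now established normally. I could not understand it...


After calling Digital China's 400 support hotline, I changed the configuration as follows.

Router R1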

show running-config
Building configuration...

Current configuration:
!
!version 1.3.3H
service timestamps log date
service timestamps debug date
no service password-encryption
!
hostname R1
crypto isakmp key 123456789 192.168.1.2 255.255.255.255
!
!
crypto isakmp policy 10
hash md5
!
crypto ipsec transform-set one
transform-type esp-des esp-md5-hmac
!
crypto map my 10 ipsec-isakmp
mode aggressive
set peer 192.168.1.2
set transform-set one
match address bendi
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
no ip directed-broadcast
crypto map my
ip nat outside
!
interface FastEthernet0/3
ip address 192.168.0.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
interface Serial0/1
no ip address
no ip directed-broadcast
!
interface Serial0/2
no ip address
no ip directed-broadcast
!
interface Async0/0
no ip address
no ip directed-broadcast
!
ip route 192.168.2.0 255.255.255.0 192.168.1.2

!
ip access-list extended bendi
permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
!
ip access-list extended 123
deny   ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
permit ip any any

!
ip nat inside source list 123 interface FastEthernet0/0
!
R1_config#

Router R2

show run
Building configuration...

Current configuration:
!
!version 1.3.3H
service timestamps log date
service timestamps debug date
no service password-encryption
!
hostname R2

!
gbsc group default
!    

crypto isakmp key 123456789 192.168.1.1 255.255.255.255
!
!
crypto isakmp policy 10
hash md5
!
crypto ipsec transform-set one
transform-type esp-des esp-md5-hmac
!
crypto map my 10 ipsec-isakmp
mode aggressive
set peer 192.168.1.1
set transform-set one
match address bendi
!
!
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
no ip directed-broadcast
crypto map my
ip nat outside
!
interface FastEthernet0/3
ip address 192.168.2.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
interface Serial0/1
no ip address
no ip directed-broadcast
!
interface Serial0/2
no ip address
no ip directed-broadcast
!
interface Async0/0
no ip address
no ip directed-broadcast
!
ip route 192.168.0.0 255.255.255.0 192.168.1.1  
!
ip access-list extended bendi
permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
!
ip access-list extended 123
deny   ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
permit ip any any
!

ip nat inside source list 123 interface FastEthernet0/0

!
R2_config#

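In other words, the only difference between the configuration above and the initial one is the access control list used for NAT: in the configuration above, the extended access list first denies NAT for traffic between the 192.168.0.0 and 192.168.2.0 subnets and then permits everything else. With this configuration the IPsec tunnel becomes ACTIVE.

Analysis after the fact: in the internal processing flow of the Digital China router operating system, NAT takes precedence over IPsec.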
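The conclusion above (NAT is evaluated before the crypto map ACL) can be checked against the two ACL sets with a small model. This is an added example, not code from the original post or from Digital China; the function names, the sample host addresses and the assumption that NAT rewrites the source to the FastEthernet0/0 address 192.168.1.1 are illustrative.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# ACL sections copied from the R1 listings on this page (before / after the fix).
ORIGINAL = """
ip access-list extended bendi
 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
!
ip access-list standard 123
 permit ip any
"""
FIXED = """
ip access-list extended bendi
 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
!
ip access-list extended 123
 deny   ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
 permit ip any any
"""

def _nets(tok):
    """Turn 'any' or 'ADDR MASK' tokens into (src, dst); missing fields mean any."""
    nets = []
    while tok:
        step = 1 if tok[0] == "any" else 2
        nets.append(ANY if step == 1 else ipaddress.ip_network("/".join(tok[:2])))
        tok = tok[step:]
    return tuple((nets + [ANY, ANY])[:2])

def parse_acls(config):
    """Return {acl_name: [(action, src_net, dst_net), ...]} in configured order."""
    acls, cur = {}, None
    for tok in (line.split() for line in config.splitlines()):
        if tok[:2] == ["ip", "access-list"] and len(tok) == 4:
            cur = acls.setdefault(tok[3], [])
        elif cur is not None and tok and tok[0] in ("permit", "deny"):
            cur.append((tok[0], *_nets(tok[2:])))
        elif tok:
            cur = None
    return acls

def first_match(acl, src, dst):
    """First matching entry wins; no match is the implicit deny."""
    return next((a for a, s, d in acl if src in s and dst in d), "deny")

def enters_tunnel(config, src, dst, outside="192.168.1.1"):
    """Model NAT-before-IPsec: translate first, then test the crypto ACL."""
    acls = parse_acls(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if first_match(acls["123"], src, dst) == "permit":
        src = ipaddress.ip_address(outside)   # source rewritten to Fa0/0 address
    return first_match(acls["bendi"], src, dst) == "permit"
```

With the original ACL 123, a packet from 192.168.0.10 to 192.168.2.10 is translated first and no longer matches bendi, so no SA is triggered; with the corrected ACL it bypasses NAT and matches.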
