Security and VPN: IPsec Negotiation/IKE Protocols

Configuring IPsec Router-to-Router, Pre-shared, NAT Overload Between Private Networks

Updated August 28, 2015 (machine-translated edition of the English version dated April 22, 2015)




Introduction

This sample configuration shows how to use IPsec to encrypt traffic between two private networks (10.50.50.x and 10.103.1.x) while the same two routers also perform NAT overload (PAT) for everything else. Hosts on the two networks reach each other by their private addresses: that private-to-private traffic is exempted from NAT and carried in the IPsec tunnel, whereas all other traffic from the inside networks is translated to the address of the router's outside interface. The IKE peers authenticate each other with a pre-shared key.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco IOS® Software Release 12.3(1a)

  • Cisco 2691 router

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Configure

This section presents the information you need to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this document.

Network Diagram

This document uses the network setup shown in this diagram:

/image/gif/paws/7276/overload_private.gif

As the configurations below show, Router_A connects 10.50.50.0/24 on FastEthernet0/1 (10.50.50.50) to the outside on FastEthernet0/0 (99.99.99.2, default route via 99.99.99.1), and Router_B connects 10.103.1.0/24 on FastEthernet0/1 (10.103.1.75) to the outside on FastEthernet0/0 (95.95.95.2, default route via 95.95.95.1). The IPsec peers are therefore 99.99.99.2 and 95.95.95.2.

Configurations

This document uses these configurations. Both routers apply the same two-part logic. Inside-to-outside NAT is evaluated before the crypto map, so access list 110 (applied through route-map nonat) denies translation for the private-to-private traffic; without that deny entry, those packets would leave with the outside interface address as their source, never match crypto access list 115, and be forwarded unencrypted toward the default gateway. Access lists 110 and 115 on Router_B are the mirror images of those on Router_A, and the crypto access lists on the two peers must mirror each other for Phase 2 to succeed.

Router A
Router_A#write terminal
Building configuration...
Current configuration : 1638 bytes 
! 
version 12.3 
service timestamps debug datetime msec 
service timestamps log datetime msec 
no service password-encryption 
! 
hostname Router_A 
! 
boot system flash:c2691-ik9o3s-mz.123-1a.bin 
! 
ip subnet-zero 
! 
ip audit notify log 
ip audit po max-events 100 
no ftp-server write-enable 
! 
crypto isakmp policy 1 
hash md5  
authentication pre-share 
crypto isakmp key cisco123 address 95.95.95.2 
! 
crypto ipsec transform-set rtpset esp-des esp-md5-hmac  
! 
crypto map rtp 1 ipsec-isakmp  
set peer 95.95.95.2 
set transform-set rtpset  

!--- Include the private network to private network traffic 
!--- in the encryption process. 

match address 115 
! 
no voice hpi capture buffer 
no voice hpi capture destination  
!  
interface FastEthernet0/0 
ip address 99.99.99.2 255.255.255.0 
ip nat outside 
duplex auto 
speed auto 
crypto map rtp 
! 
interface FastEthernet0/1 
ip address 10.50.50.50 255.255.255.0 
ip nat inside 
duplex auto 
speed auto 
! 

!--- Exempt the private network to private network traffic from the 
!--- Network Address Translation (NAT) process. 

ip nat inside source route-map nonat interface FastEthernet0/0 overload 
ip http server 
no ip http secure-server 
ip classless 
ip route 0.0.0.0 0.0.0.0 99.99.99.1 
! 

!--- Exempt the private network to private network traffic from the NAT process.
 
access-list 110 deny ip 10.50.50.0 0.0.0.255 10.103.1.0 0.0.0.255 
access-list 110 permit ip 10.50.50.0 0.0.0.255 any 

!--- Include the private network to private network traffic 
!--- in the encryption process. 

access-list 115 permit ip 10.50.50.0 0.0.0.255 10.103.1.0 0.0.0.255 
! 

!--- Apply the NAT exemption (access list 110) through a route map. 

route-map nonat permit 10 
match ip address 110 
! 
dial-peer cor custom 
! 
line con 0 
exec-timeout 0 0 
line aux 0 
line vty 0 4 
login 
! 
end  
  
Router_A#

Router B
Router_B#write terminal
Building configuration...
Current configuration : 1394 bytes 
! 
version 12.3 
service timestamps debug datetime msec 
service timestamps log datetime msec 
no service password-encryption 
! 
hostname Router_B 
! 
boot system flash:c2691-ik9o3s-mz.123-1a.bin 
! 
ip subnet-zero 
! 
ip audit notify log 
ip audit po max-events 100 
no ftp-server write-enable 
! 
crypto isakmp policy 1 
hash md5  
authentication pre-share 
crypto isakmp key cisco123 address 99.99.99.2 
! 
crypto ipsec transform-set rtpset esp-des esp-md5-hmac 
! 
crypto map rtp 1 ipsec-isakmp  
set peer 99.99.99.2 
set transform-set rtpset  

!--- Include the private network to private network traffic 
!--- in the encryption process.
 
match address 115 
! 
no voice hpi capture buffer 
no voice hpi capture destination  
! 
interface FastEthernet0/0 
ip address 95.95.95.2 255.255.255.0 
ip nat outside 
duplex auto 
speed auto 
crypto map rtp 
! 
interface FastEthernet0/1 
ip address 10.103.1.75 255.255.255.0 
ip nat inside 
duplex auto 
speed auto 
! 

!--- Exempt the private network to private network traffic from the NAT process.
 
ip nat inside source route-map nonat interface FastEthernet0/0 overload 
ip http server 
no ip http secure-server 
ip classless 
ip route 0.0.0.0 0.0.0.0 95.95.95.1 
! 

!--- Exempt the private network to private network traffic from the NAT process. 

access-list 110 deny ip 10.103.1.0 0.0.0.255 10.50.50.0 0.0.0.255 
access-list 110 permit ip 10.103.1.0 0.0.0.255 any 

!--- Include the private network to private network traffic 
!--- in the encryption process. 

access-list 115 permit ip 10.103.1.0 0.0.0.255 10.50.50.0 0.0.0.255 
! 

!--- Apply the NAT exemption (access list 110) through a route map. 

route-map nonat permit 10 
match ip address 110 
! 
dial-peer cor custom 
! 
line con 0 
exec-timeout 0 0 
line aux 0 
line vty 0 4 
login 
! 
end 
Router_B# 
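A caveat on the crypto parameters above. The ISAKMP policy on both routers specifies only hash md5 and pre-shared authentication; because the encr and group lines are omitted, IOS falls back to its defaults of DES encryption and Diffie-Hellman group 1, and the transform set rtpset negotiates esp-des with esp-md5-hmac. DES, MD5 and group 1 are all deprecated today, and cisco123 is a dictionary-style pre-shared key. The following is an added example, not part of the original Cisco document: it places the Router_A crypto section as configured on this page beside a hardened equivalent. It assumes an IOS release whose ISAKMP policy and transform sets accept AES-256, SHA-256 and group 14 (the 12.3(1a) image on this page does not offer all of these); <long-random-psk> is a placeholder for a long, randomly generated key.

```cisco
! --- As configured on this page (Router_A). "encr" and "group" are absent,
! --- so IOS uses its defaults: DES encryption and Diffie-Hellman group 1.
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 95.95.95.2
!
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
!
! --- Hardened equivalent (added example, not from the original document).
! --- Assumes an IOS release that accepts these keywords. <long-random-psk>
! --- is a placeholder. Configure the identical policy, transform set and
! --- key on Router_B with "address 99.99.99.2".
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key <long-random-psk> address 95.95.95.2
!
crypto ipsec transform-set rtpset-aes esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map rtp 1 ipsec-isakmp
 set peer 95.95.95.2
 set transform-set rtpset-aes
 set pfs group14
 match address 115
```

IOS evaluates ISAKMP policies in priority order (lowest number first) against the peer's proposal, so once both peers carry policy 10, remove policy 1 with no crypto isakmp policy 1; otherwise a peer that still offers DES/MD5/group 1 can continue to negotiate the weak policy. Likewise remove the old transform set from the crypto map on both sides so that rtpset cannot be selected for Phase 2.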

Verify

There is currently no verification procedure available for this configuration.
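As an added check sequence (not part of the original document), the following standard IOS commands, issued on Router_A with the addresses of this page's configuration, confirm that the tunnel is up and that the NAT exemption works. The comments describe what a correctly established tunnel shows; they are not captured output.

```cisco
! 1. Generate "interesting" traffic that matches crypto access list 115.
!    The source keyword matters: a ping sourced from 99.99.99.2 does not
!    match the 10.50.50.0/24 -> 10.103.1.0/24 entry and would be NATed
!    and sent in the clear instead of bringing up the tunnel.
Router_A#ping 10.103.1.75 source 10.50.50.50

! 2. Phase 1: one ISAKMP SA with dst 95.95.95.2 in state QM_IDLE means IKE
!    authentication succeeded. An SA stuck in MM_NO_STATE or MM_KEY_EXCH
!    usually indicates a pre-shared key or ISAKMP policy mismatch.
Router_A#show crypto isakmp sa

! 3. Phase 2: "local ident" and "remote ident" should show the two private
!    networks, and #pkts encaps and #pkts decaps should both increase after
!    each ping. encaps rising while decaps stays at zero means the return
!    traffic never enters the tunnel on the far side (check Router_B's
!    access lists 110 and 115).
Router_A#show crypto ipsec sa peer 95.95.95.2

! 4. Confirm the NAT exemption: the 10.50.50.50 -> 10.103.1.75 flow must
!    NOT appear in the translation table, whereas a ping from 10.50.50.50
!    to an Internet address does appear, translated to 99.99.99.2.
Router_A#show ip nat translations

! 5. Active crypto engine sessions with the peer, with encrypt/decrypt
!    counters that grow as traffic flows.
Router_A#show crypto engine connections active
```

Run the same sequence on Router_B with the peer address 99.99.99.2 and a ping sourced from 10.103.1.75 to confirm that the tunnel can be initiated from either side.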

Troubleshoot

Troubleshooting Commands

The Output Interpreter Tool (registered customers only) supports certain show commands, which allows you to view an analysis of show command output.

Note: Refer to Important Information on Debug Commands before you issue debug commands.

  • debug crypto ipsec - Displays the Phase 2 IPsec negotiations.

  • debug crypto isakmp - Displays the Phase 1 Internet Security Association and Key Management Protocol (ISAKMP) negotiations.

  • debug crypto engine - Displays the crypto sessions.

Document ID: 7276