Topology:
![](../p_w_upload/201302/153142153.png)
Configuration:
R1

```
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 123456 address 1.1.1.2
crypto isakmp key 123456 address 1.1.1.3
crypto ipsec transform-set myset esp-3des esp-md5-hmac // Note: AH can also be configured over Frame Relay; it tests successfully.
crypto map mymap 10 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set myset
 match address 100
crypto map mymap 20 ipsec-isakmp
 set peer 1.1.1.3
 set transform-set myset
 match address 101
interface Serial0/0
 ip address 1.1.1.1 255.255.255.0
 encapsulation frame-relay IETF
 frame-relay map ip 1.1.1.2 26
 frame-relay map ip 1.1.1.3 27
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
 crypto map mymap
ip route 192.168.2.0 255.255.255.0 1.1.1.2
ip route 192.168.3.0 255.255.255.0 1.1.1.3
```
R3

```
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 123456 address 1.1.1.1
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set myset
 match address 100
interface Serial0/0
 ip address 1.1.1.2 255.255.255.0
 encapsulation frame-relay IETF
 frame-relay map ip 1.1.1.1 36
 frame-relay map ip 1.1.1.3 36
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
 crypto map mymap
ip route 192.168.1.0 255.255.255.0 1.1.1.1
```
R4

```
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 123456 address 1.1.1.1
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set myset
 match address 100
interface Serial0/0
 ip address 1.1.1.3 255.255.255.0
 encapsulation frame-relay IETF
 frame-relay map ip 1.1.1.1 37
 frame-relay map ip 1.1.1.2 37
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
 crypto map mymap
ip route 192.168.1.0 255.255.255.0 1.1.1.1
```
R2 (Frame Relay switch)

```
frame-relay switching
interface Serial0/0
 no ip address
 encapsulation frame-relay IETF
 serial restart-delay 0
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
 frame-relay intf-type dce
 frame-relay route 26 interface Serial0/1 36
 frame-relay route 27 interface Serial0/2 37
interface Serial0/1
 no ip address
 encapsulation frame-relay IETF
 serial restart-delay 0
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
 frame-relay intf-type dce
 frame-relay route 36 interface Serial0/0 26
interface Serial0/2
 no ip address
 encapsulation frame-relay IETF
 serial restart-delay 0
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
 frame-relay intf-type dce
 frame-relay route 37 interface Serial0/0 27
```
Tests:

R2:

```
r2#SH FRAM ROU
Input Intf   Input Dlci   Output Intf   Output Dlci   Status
Serial0/0    26           Serial0/1     36            active
Serial0/0    27           Serial0/2     37            active
Serial0/1    36           Serial0/0     26            active
Serial0/2    37           Serial0/0     27            active
```

R1:

```
r1#SH CRY IS SA
dst       src       state     conn-id   slot
1.1.1.1   1.1.1.2   QM_IDLE   1         0
1.1.1.1   1.1.1.3   QM_IDLE   2         0
```

R3:

```
r3#SH CRY IS SA
dst       src       state     conn-id   slot
1.1.1.1   1.1.1.2   QM_IDLE   1         0
```

R4:

```
r4#SH CRY IS SA
dst       src       state     conn-id   slot
1.1.1.1   1.1.1.3   QM_IDLE   1         0
```
VPC:
![](../p_w_upload/201302/153154880.png)
Testing with the VPCs
VPC1:
![](../p_w_upload/201302/153202330.png)
The headquarters LAN can ping Branch 1 and Branch 2.
VPC2:
![](../p_w_upload/201302/153209238.png)
Branch 1 can ping the headquarters LAN.
VPC3:
![](../p_w_upload/201302/153219597.png)
Branch 2 can ping the headquarters LAN.

Tests (IPsec SAs):
```
r1#sh cry ip sa
interface: Serial0/0
Crypto map tag: mymap, local addr. 1.1.1.1
protected vrf:
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 1.1.1.2:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 1.1.1.2
path mtu 1500, media mtu 1500
current outbound spi: 6DA96143
inbound esp sas :
spi: 0x47E18A8B( 1205963403 ) ------> IN corresponds to R3's OUT
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2000, flow_id: 1, crypto map: mymap
crypto engine type: Software, engine_id: 1
sa timing: remaining key lifetime (k/sec): (4561490/2009)
ike_cookies: 4212F6AE 2BE257C8 70AA7619 C7B2C848
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x6DA96143(1839817027)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2001, flow_id: 2, crypto map: mymap
crypto engine type: Software, engine_id: 1
sa timing: remaining key lifetime (k/sec): (4561492/2008)
ike_cookies: 4212F6AE 2BE257C8 70AA7619 C7B2C848
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
protected vrf:
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer: 1.1.1.3:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 1.1.1.3
path mtu 1500, media mtu 1500
current outbound spi: 935F895E
inbound esp sas:
spi: 0x189C7927( 412907815 ) ------> IN corresponds to R4's OUT
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2002, flow_id: 3, crypto map: mymap
crypto engine type: Software, engine_id: 1
sa timing: remaining key lifetime (k/sec): (4410147/2372)
ike_cookies: 0304C43A 22E2C670 2D431BA9 28CCCCBE
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x935F895E(2472511838)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2003, flow_id: 4, crypto map: mymap
crypto engine type: Software, engine_id: 1
sa timing: remaining key lifetime (k/sec): (4410149/2372)
ike_cookies: 0304C43A 22E2C670 2D431BA9 28CCCCBE
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
r1#
```
```
r3#sh cry ip sa
interface: Serial0/0
Crypto map tag: mymap, local addr. 1.1.1.2
protected vrf:
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 1.1.1.1:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 6, #recv errors 0
local crypto endpt.: 1.1.1.2, remote crypto endpt.: 1.1.1.1
path mtu 1500, media mtu 1500
current outbound spi: 47E18A8B
inbound esp sas:
spi: 0x6DA96143(1839817027)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2000, flow_id: 1, crypto map: mymap
crypto engine type: Software, engine_id: 1
sa timing: remaining key lifetime (k/sec): (4434742/1960)
ike_cookies: 70AA7619 C7B2C848 4212F6AE 2BE257C8
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x47E18A8B( 1205963403 ) ------> OUT corresponds to R1's IN
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2001, flow_id: 2, crypto map: mymap
crypto engine type: Software, engine_id: 1
sa timing: remaining key lifetime (k/sec): (4434744/1960)
ike_cookies: 70AA7619 C7B2C848 4212F6AE 2BE257C8
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
r3#
```
```
r4#sh cry ip sa
interface: Serial0/0
Crypto map tag: mymap, local addr. 1.1.1.3
protected vrf:
local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 1.1.1.1:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 1.1.1.3, remote crypto endpt.: 1.1.1.1
path mtu 1500, media mtu 1500
current outbound spi: 189C7927
inbound esp sas:
spi: 0x935F895E(2472511838)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2000, flow_id: 1, crypto map: mymap
crypto engine type: Software, engine_id: 1
sa timing: remaining key lifetime (k/sec): (4549234/2304)
ike_cookies: 2D431BA9 28CCCCBE 0304C43A 22E2C670
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x189C7927( 412907815 ) ------> OUT corresponds to R1's IN
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2001, flow_id: 2, crypto map: mymap
crypto engine type: Software, engine_id: 1
sa timing: remaining key lifetime (k/sec): (4549236/2304)
ike_cookies: 2D431BA9 28CCCCBE 0304C43A 22E2C670
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
r4#
```
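The annotations in the output above pair each router's inbound ESP SPI with the peer's outbound SPI. As an added example (not part of the original lab), this Python script parses excerpts of the `show crypto ipsec sa` output and automates that pairing for the hub and both spokes, and also surfaces the non-zero `#send errors` counters that R3 and R4 reported; the excerpts are constructed from the values shown on this page.

```python
import re

# Constructed excerpts of the lab's "show crypto ipsec sa" output (only the
# lines this check needs; SPI values and counters are the ones reported above).
R1 = ("current_peer: 1.1.1.2:500\n#send errors 0, #recv errors 0\n"
      "inbound esp sas :\nspi: 0x47E18A8B( 1205963403 )\n"
      "outbound esp sas:\nspi: 0x6DA96143(1839817027)\n"
      "current_peer: 1.1.1.3:500\n#send errors 0, #recv errors 0\n"
      "inbound esp sas:\nspi: 0x189C7927( 412907815 )\n"
      "outbound esp sas:\nspi: 0x935F895E(2472511838)\n")
R3 = ("current_peer: 1.1.1.1:500\n#send errors 6, #recv errors 0\n"
      "inbound esp sas:\nspi: 0x6DA96143(1839817027)\n"
      "outbound esp sas:\nspi: 0x47E18A8B( 1205963403 )\n")
R4 = ("current_peer: 1.1.1.1:500\n#send errors 1, #recv errors 0\n"
      "inbound esp sas:\nspi: 0x935F895E(2472511838)\n"
      "outbound esp sas:\nspi: 0x189C7927( 412907815 )\n")

def parse_sa(text):
    """Map peer address -> {'in': SPI, 'out': SPI, 'send_errors': n}."""
    peers, cur, direction = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"current_peer: (\S+):\d+", line):   # new peer block
            cur = peers.setdefault(m.group(1), {"in": None, "out": None, "send_errors": 0})
            direction = None
        elif cur is None:
            continue
        elif m := re.match(r"#send errors (\d+)", line):
            cur["send_errors"] = int(m.group(1))
        elif line.startswith("inbound esp sas"):
            direction = "in"
        elif line.startswith("outbound esp sas"):
            direction = "out"
        elif "ah sas" in line or "pcp sas" in line:
            direction = None          # ignore the (empty) AH/PCP sections
        elif direction and (m := re.match(r"spi: 0x([0-9A-Fa-f]+)", line)):
            cur[direction] = m.group(1).upper()
    return peers

def check_tunnels(hub_text, spokes, hub_addr):
    """Hub IN must equal spoke OUT and hub OUT must equal spoke IN; spokes
    maps spoke address -> its show output. Also reports both send-error counts."""
    hub, report = parse_sa(hub_text), {}
    for addr, h in hub.items():
        s = parse_sa(spokes[addr]).get(hub_addr, {})
        report[addr] = {
            "spi_match": h["in"] == s.get("out") and h["out"] == s.get("in"),
            "send_errors": (h["send_errors"], s.get("send_errors", 0)),
        }
    return report
```

Run `check_tunnels(R1, {"1.1.1.2": R3, "1.1.1.3": R4}, "1.1.1.1")`: both tunnels report `spi_match` true, while the send-error tuples show the 6 and 1 errors the spokes logged before their SAs came up.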