Configuring Site-to-Site IPsec with Pre-Shared Keys | 51CTO Blog


2019-02-24 11:44:18 | Author: 辰龙 | Tags: configuration, key, encryption | Views: 566

I. First, an overview of the two phases of IKE negotiation:

1. Phase I: IKE phase 1 (the IKE SA, also called the ISAKMP SA)
a. Authenticates the two peers to each other
b. Negotiates the parameters of a single bidirectional SA
c. Runs in one of two modes: main mode or aggressive mode (with address-based pre-shared keys IOS uses main mode; aggressive mode sends the identity hash before the channel is encrypted, which exposes the pre-shared key to offline cracking)
Note: IKE phase 1 does not itself protect user data; it only sets up the authenticated, encrypted channel over which phase 2 is negotiated.

2. Phase II: IKE phase 2 (the IPsec SAs)
a. Negotiates the ESP or AH parameters (the transform set) and the traffic to be protected
b. Runs in quick mode
Note: the SAs produced in phase 2 are what actually encrypt the data. They are unidirectional, so each tunnel ends up with an inbound and an outbound SA, each with its own SPI.

II. The lab below walks through the IPsec configuration and then examines the results of the phase 1 and phase 2 negotiation:

1. Topology diagram: (the image is not reproduced in this copy). From the configuration that follows, R1's WAN interface Serial1/1 is 202.102.48.65 with next hop 202.102.48.66, R3's WAN interface Serial1/0 is 211.64.135.34 with next hop 211.64.135.33, and the site networks to be protected are 172.16.0.0/16 behind R1 and 192.168.0.0/16 behind R3.

2. Configure the interface IP addresses on each router and add a default route on R1 and R3 so that the two sites can reach each other:
R1(config)#ip route 0.0.0.0 0.0.0.0 202.102.48.66
R3(config)#ip route 0.0.0.0 0.0.0.0 211.64.135.33

R1(config)#do ping 211.64.135.34
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 211.64.135.34, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/32/72 ms
R1(config)#

3. On R1, define the pre-shared key for the peer, then enter IKE policy configuration mode and set the phase 1 parameters:
R1(config)#crypto isakmp key 0 cisco address 211.64.135.34 (the shared key and the peer's address; 0 means the key is entered in cleartext)
R1(config)#crypto isakmp policy 1 (enter IKE policy configuration mode; 1 is the priority, lower numbers are tried first)
R1(config-isakmp)#authentication pre-share (authenticate with a pre-shared key)
R1(config-isakmp)#encryption 3des (encryption algorithm 3DES)
R1(config-isakmp)#hash md5 (hash algorithm; the default is SHA-1, the original lab picks MD5 to spare the router's CPU)
R1(config-isakmp)#group 1 (Diffie-Hellman group 1 for the key exchange)
R1(config-isakmp)#lifetime 1000 (IKE SA lifetime in seconds; the default is 86400, i.e. one day)
Note: 3DES, MD5 and DH group 1 (768-bit) are kept here only because the original lab uses them; all three are deprecated on current IOS releases. Outside a lab use AES, SHA-2 and DH group 14 or higher, and choose a long random pre-shared key rather than a dictionary word such as cisco.
4. Configure the IKE phase 2 (IPsec SA) parameters:

A: Define the IPsec transform set, i.e. the ESP/AH algorithms that will protect the data:
R1(config)#crypto ipsec transform-set TEST esp-3des esp-md5-hmac (transform set TEST: ESP with 3DES encryption and HMAC-MD5 integrity)

B: Define the access control list and the crypto map. The ACL selects the interesting traffic, i.e. which flows must be encrypted; the crypto map ties together the peer, the transform set and the ACL:
R1(config)#access-list 100 permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255 (traffic from the local site network to the remote site network)
R1(config)#crypto map R1_***_R3 10 ipsec-isakmp (create the crypto map; 10 is the sequence number, ipsec-isakmp means the SAs are negotiated by IKE)
R1(config-crypto-map)#set peer 211.64.135.34 (the peer's IP address)
R1(config-crypto-map)#set transform-set TEST (reference the transform set defined above)
R1(config-crypto-map)#match address 100 (protect the traffic matched by ACL 100)

C: Apply the crypto map to the interface on which the tunnel is to be built:
R1(config-crypto-map)#int s1/1
R1(config-if)#crypto map R1_***_R3 (enter the interface and attach the crypto map)
5. Configure R3 in the same way, with the key address, peer address and ACL mirrored, to complete the site-to-site IPsec tunnel:
R3(config)#crypto isakmp key 0 cisco address 202.102.48.65
R3(config)#crypto isakmp policy 1
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#encryption 3des
R3(config-isakmp)#hash md5
R3(config-isakmp)#group 1
R3(config-isakmp)#lifetime 1000
R3(config)#crypto ipsec transform-set TEST esp-3des esp-md5-hmac
R3(config)#access-list 100 permit ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255
R3(config)#crypto map R3_***_R1 10 ipsec-isakmp
R3(config-crypto-map)#set peer 202.102.48.65
R3(config-crypto-map)#set transform-set TEST
R3(config-crypto-map)#match address 100
R3(config-crypto-map)#int s1/0
R3(config-if)#crypto map R3_***_R1
R3(config-if)#
*Mar  1 04:54:57.322: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON  (once the crypto map is attached to an interface the router reports ISAKMP as ON)
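With both routers configured, what most often breaks a lab like this is a single attribute that differs between the peers. The following Python script is an added example, not part of the original post: it rebuilds both configurations in running-config form from the commands above, checks that R1 and R3 can actually negotiate (some ISAKMP policy pair agreeing on encryption, hash, authentication and DH group; the same pre-shared key stored under each other's WAN address; each crypto map pointing at the other's WAN address; an identical transform set; mirror-image crypto ACLs), and separately flags the deprecated choices the lab makes. The crypto map names are copied verbatim from the page, which masks part of them as ***; the /30 interface masks, the WEAK table and all function names are assumptions of the example.

```python
# Added example, not the page's own code: audit two IOS site-to-site IPsec configs.

def lab_config(iface, wan_ip, peer_ip, map_name, local_net, remote_net):
    """Running-config form of the article's commands for one router; /30 masks are assumed."""
    return f"""\
crypto isakmp policy 1
 encryption 3des
 hash md5
 authentication pre-share
 group 1
 lifetime 1000
crypto isakmp key 0 cisco address {peer_ip}
crypto ipsec transform-set TEST esp-3des esp-md5-hmac
crypto map {map_name} 10 ipsec-isakmp
 set peer {peer_ip}
 set transform-set TEST
 match address 100
interface {iface}
 ip address {wan_ip} 255.255.255.252
 crypto map {map_name}
access-list 100 permit ip {local_net} {remote_net}
"""

# Crypto map names are copied verbatim from the page, which masks part of them as ***.
R1_CONFIG = lab_config("Serial1/1", "202.102.48.65", "211.64.135.34", "R1_***_R3",
                       "172.16.0.0 0.0.255.255", "192.168.0.0 0.0.255.255")
R3_CONFIG = lab_config("Serial1/0", "211.64.135.34", "202.102.48.65", "R3_***_R1",
                       "192.168.0.0 0.0.255.255", "172.16.0.0 0.0.255.255")

# Still accepted by IOS but deprecated for new deployments (table assumed by this example).
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"},
        "transform": {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}}

def parse(cfg):
    """Extract the crypto-relevant parts of an IOS config into plain dicts."""
    c = {"policies": {}, "keys": {}, "tsets": {}, "maps": {}, "acls": {}, "ifaces": {}}
    ctx = None                                   # dict for the sub-mode being filled
    for line in cfg.splitlines():
        tok = line.split()
        if not tok:
            continue
        if not line.startswith(" "):             # global configuration command
            ctx = None
            if tok[:3] == ["crypto", "isakmp", "policy"]:
                ctx = c["policies"].setdefault(tok[3], {})
            elif tok[:3] == ["crypto", "isakmp", "key"]:   # key <0|6> <psk> address <peer>
                c["keys"][tok[6]] = (tok[3], tok[4])
            elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
                c["tsets"][tok[3]] = tuple(tok[4:])
            elif tok[:2] == ["crypto", "map"]:            # crypto map <name> <seq> ipsec-isakmp
                ctx = c["maps"].setdefault((tok[2], tok[3]), {})
            elif tok[0] == "access-list" and tok[2:4] == ["permit", "ip"]:
                c["acls"].setdefault(tok[1], []).append(tuple(tok[4:8]))
            elif tok[0] == "interface":
                ctx = c["ifaces"].setdefault(tok[1], {})
        elif ctx is not None:                    # sub-mode line
            if tok[0] in ("set", "match"):       # set peer/transform-set X, match address X
                ctx[tok[1] if tok[0] == "set" else "acl"] = tok[2]
            elif tok[:2] == ["ip", "address"]:
                ctx["ip"] = tok[2]
            elif tok[:2] == ["crypto", "map"]:   # crypto map applied to an interface
                ctx["map"] = tok[2]
            else:                                # isakmp policy attribute
                ctx[tok[0]] = tok[1]
    return c

def audit(local, remote):
    """Return (problems, weak): negotiation blockers first, deprecated choices second."""
    a, b = parse(local), parse(remote)
    problems, weak = [], []
    # Phase 1: some policy pair must agree on these four; lifetime is not compared (IOS uses the shorter).
    attrs = ("encryption", "hash", "authentication", "group")
    pairs = [pa for pa in a["policies"].values() for pb in b["policies"].values()
             if all(pa.get(x) == pb.get(x) for x in attrs)]
    if not pairs:
        problems.append("no isakmp policy agrees on encryption/hash/authentication/group")
    for pa in pairs:
        weak += [f"isakmp: weak {x} {pa[x]}" for x in attrs if pa.get(x) in WEAK.get(x, ())]
    # Pre-shared key: each side must hold the same key under the other's WAN address.
    wan = lambda c: next(i["ip"] for i in c["ifaces"].values() if "map" in i)
    a_ip, b_ip = wan(a), wan(b)
    a_key, b_key = a["keys"].get(b_ip), b["keys"].get(a_ip)
    if not a_key or not b_key or a_key[1] != b_key[1]:
        problems.append(f"pre-shared key missing or different for {a_ip} <-> {b_ip}")
    elif a_key[0] == "0":
        weak.append("pre-shared key stored as type 0 (cleartext in the configuration)")
    # Phase 2: peer address, an identical transform set, and a mirror-image crypto ACL.
    remote_aces = {ace for aces in b["acls"].values() for ace in aces}
    for (name, seq), m in a["maps"].items():
        if m.get("peer") != b_ip:
            problems.append(f"crypto map {name} {seq}: peer {m.get('peer')} is not {b_ip}")
        ts = a["tsets"].get(m.get("transform-set"), ())
        if ts not in b["tsets"].values():
            problems.append(f"crypto map {name} {seq}: transform set {ts} not offered by remote")
        weak += [f"transform-set {m.get('transform-set')}: weak {t}" for t in ts if t in WEAK["transform"]]
        for src, swc, dst, dwc in a["acls"].get(m.get("acl"), []):
            if (dst, dwc, src, swc) not in remote_aces:
                problems.append(f"ACL {m.get('acl')}: {src} {swc} -> {dst} {dwc} has no mirror on remote")
    return problems, weak
```

Run audit(R1_CONFIG, R3_CONFIG) and audit(R3_CONFIG, R1_CONFIG): for the lab as written both return an empty problem list, while the weak list reports 3DES, MD5, DH group 1, the ESP transforms and the type 0 key. Changing one side's hash, peer address or ACL makes the corresponding blocker appear, which is the same condition that would otherwise only show up as a failed negotiation in debug crypto isakmp.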
III. Verify the result:

1. Use an extended ping from the local internal address to the remote internal address. A plain ping would be sourced from the WAN address 202.102.48.65, which does not match ACL 100 and would therefore leave the router unencrypted:
R1#ping
Protocol [ip]:
Target IP address: 192.168.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.16.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
.!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/35/68 ms
R1#
(A leading "." is typical: the first echo is dropped while IKE phase 1 and phase 2 are negotiated, and the following echoes go through the tunnel.)
2. Check the ISAKMP policy:
R1#sh crypto isakmp policy

Global IKE policy
Protection suite of priority 1   (the policy we defined; it must match R3's for negotiation to succeed)
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               1000 seconds, no volume limit
Default protection suite   (the built-in default policy is still present and is tried last, after all configured policies)
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
3. Because the key was entered with type 0 (cleartext), show crypto isakmp key displays it in the clear; it also confirms that R1 and R3 hold the same key:
R1#sh crypto isakmp key
Keyring               Hostname/Address                   Preshared Key
default               211.64.135.34                      cisco

R3#sh crypto isakmp key
Keyring               Hostname/Address                   Preshared Key
default               202.102.48.65                      cisco
Note: anyone who can read the configuration (show run, a backup, a TFTP copy) can read this key. To store pre-shared keys encrypted (type 6) instead, set a master key with key config-key password-encryption and enable password encryption aes before entering the keys.
4. The IPsec transform set negotiates tunnel mode by default, so the whole original IP packet is encapsulated in a new IP header between the two WAN addresses:
R3#sh crypto ipsec transform-set
Transform set TEST: { esp-3des esp-md5-hmac  }
   will negotiate = { Tunnel,  },
5. Check the IKE phase 1 security association:
R1#sh crypto isakmp sa
dst             src             state          conn-id slot status
202.102.48.65   211.64.135.34   QM_IDLE              1    0 ACTIVE   (the ISAKMP SA is active)
QM_IDLE means phase 1 has completed and the SA is idle, ready to run quick mode; states beginning with MM_ mean main mode is still in progress or stuck, usually on a mismatched policy attribute or pre-shared key.
6. Check the IKE phase 2 (IPsec) security associations:
R1#sh crypto ipsec sa

interface: Serial1/1
    Crypto map tag: R1_***_R3, local addr 202.102.48.65 (the crypto map attached to this interface)

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   current_peer 211.64.135.34 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 202.102.48.65, remote crypto endpt.: 211.64.135.34
     path mtu 1500, ip mtu 1500, ip mtu idb Serial1/1
     current outbound spi: 0x5C97AB5B(1553443675)

     inbound esp sas:
      spi: 0x454D5992(1162697106)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: R1_***_R3
        sa timing: remaining key lifetime (k/sec): (4434675/3031)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x5C97AB5B(1553443675)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: R1_***_R3
        sa timing: remaining key lifetime (k/sec): (4434675/3030)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
R1#
The local and remote idents are the two halves of ACL 100. There is one inbound and one outbound ESP SA, each with its own SPI, because IPsec SAs are unidirectional. #pkts encaps and #pkts decaps advancing together shows that traffic is protected in both directions; encaps growing while decaps stays at zero is the classic sign of a mismatched ACL or missing route on the far side. replay detection support: Y means ESP sequence numbers are checked. The remaining key lifetime counts down from the IPsec SA defaults (3600 seconds / 4,608,000 KB), which are separate from the 1000-second ISAKMP lifetime configured earlier.
7. You can also run debug crypto isakmp and debug crypto ipsec to watch the phase 1 and phase 2 exchanges. The ISAKMP debug prints each policy attribute as it is compared against the peer's proposal, so a mismatched hash, DH group or pre-shared key shows up there immediately. Run these debugs only on a lab or lightly loaded router, and turn them off afterwards with undebug all.
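To make the verification steps above repeatable, the following Python script is an added example (not from the original post) that reads the show crypto isakmp sa and show crypto ipsec sa output shown above and sorts the tunnel into the usual states: phase 1 not established, phase 2 missing an SA in one direction, traffic leaving but nothing returning, or healthy. The sample text is the page's own output trimmed to the lines the parser uses; the function names and the diagnostic strings are the example's own.

```python
# Added example, not the page's own code: parse IOS 'show crypto' output into a tunnel diagnosis.
import re

# Constructed input: the article's show output, trimmed to the lines this parser reads.
ISAKMP_SA = """\
dst             src             state          conn-id slot status
202.102.48.65   211.64.135.34   QM_IDLE              1    0 ACTIVE
"""

IPSEC_SA = """\
interface: Serial1/1
    Crypto map tag: R1_***_R3, local addr 202.102.48.65
   local  ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   current_peer 211.64.135.34 port 500
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0x454D5992(1162697106)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        sa timing: remaining key lifetime (k/sec): (4434675/3031)
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x5C97AB5B(1553443675)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        sa timing: remaining key lifetime (k/sec): (4434675/3030)
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
"""

# One row of 'show crypto isakmp sa': dst src state conn-id slot status
ISAKMP_ROW = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$", re.M)

def phase1_sas(output):
    """Return the phase 1 SAs as (dst, src, state, status) tuples."""
    return [(m[1], m[2], m[3], m[6]) for m in ISAKMP_ROW.finditer(output)]

def phase2_summary(output):
    """Counters plus one entry per ESP SA from 'show crypto ipsec sa'."""
    def count(label):
        m = re.search(rf"#(?:pkts )?{label}:? (\d+)", output)
        return int(m.group(1)) if m else 0
    out = {"peer": re.search(r"current_peer (\S+)", output).group(1),
           "encaps": count("encaps"), "decaps": count("decaps"),
           "send_errors": count("send errors"), "recv_errors": count("recv errors"),
           "sas": []}
    cur = None                                   # direction of the ESP block being read
    for line in output.splitlines():
        s = line.strip()
        m = re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", s)
        if m:                                    # only ESP blocks are of interest here
            cur = m.group(1) if m.group(2) == "esp" else None
        elif cur and s.startswith("spi:"):
            out["sas"].append({"dir": cur, "spi": s.split()[1].split("(")[0],
                               "mode": None, "status": None, "sec_left": None, "replay": None})
        elif cur and out["sas"]:
            sa = out["sas"][-1]
            if s.startswith("in use settings"):
                sa["mode"] = "Tunnel" if "Tunnel" in s else "Transport"
            elif s.startswith("sa timing"):      # (kbytes/seconds) remaining
                sa["sec_left"] = int(re.search(r"/(\d+)\)", s).group(1))
            elif s.startswith("replay detection"):
                sa["replay"] = s.endswith("Y")
            elif s.startswith("Status:"):
                sa["status"] = s.split()[1]
    return out

def diagnose(isakmp_out, ipsec_out):
    """Map the two show outputs onto the common site-to-site failure modes."""
    if not any(st == "QM_IDLE" and status == "ACTIVE" for _, _, st, status in phase1_sas(isakmp_out)):
        return "phase 1 down: check the pre-shared key, isakmp policy and UDP/500 reachability"
    r = phase2_summary(ipsec_out)
    active = {sa["dir"] for sa in r["sas"] if sa["status"] == "ACTIVE"}
    if active != {"inbound", "outbound"}:
        return "phase 2 incomplete: transform set or crypto ACL does not match the peer"
    if r["encaps"] and not r["decaps"]:
        return "one-way: packets are encrypted and sent but none come back (remote ACL, route or peer)"
    return "tunnel healthy"
```

diagnose(ISAKMP_SA, IPSEC_SA) returns "tunnel healthy" for the page's output; swapping QM_IDLE for MM_NO_STATE, zeroing the decaps counter, or dropping the outbound SA block each produces the matching diagnosis. Pasting real output from a router into the two strings is all that is needed to reuse it.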
 