Note: an IPsec VPN built on a dynamic crypto map is typically used where the center site has a fixed IP address and the branch sites have dynamic IP addresses. The same configuration is also commonly used where one side is a Cisco device and the other side is a non-Cisco device.
1. Center site configuration:
Center#
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0   # the eight zeros (0.0.0.0 0.0.0.0) match any peer IP address
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto dynamic-map dymap 10   # a dynamic crypto map only needs a transform set: any peer and any interesting traffic is accepted by the center, so the center configures neither a peer nor interesting traffic
 set transform-set cisco
!
crypto map To_branch 10000 ipsec-isakmp dynamic dymap   # the dynamic entry is normally given the largest sequence number so that more specific static crypto map entries with smaller numbers take priority
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 202.100.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map To_branch   # the crypto map is applied to the interface
!
no ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 202.100.1.10
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end
Center#
2. Branch site configuration:
Branch#
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 202.100.1.1
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto map To_center 10 ipsec-isakmp
 set peer 202.100.1.1   # set to the fixed IP address of the center site
 set transform-set cisco
 match address ***
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address dhcp
 duplex auto
 speed auto
 crypto map To_center   # the IPsec crypto map is applied to the interface
!
no ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 61.128.1.10
!
ip access-list extended ***   # the branch site must define the interesting traffic
 permit ip host 2.2.2.2 host 1.1.1.1
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end
Branch#
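Two points in the Center configuration deserve a closer look before it is copied into production. First, the pre-shared key is accepted from any address (0.0.0.0 0.0.0.0), which with IKEv1 main mode is unavoidable for dynamic peers: the responder has to look the key up by peer address before it learns the peer's identity, so every branch ends up sharing one secret and anyone holding it can bring up a tunnel to the center. Second, the algorithms in the example (3DES/MD5/DH group 2 for IKE, DES/MD5 for ESP, no PFS) are long deprecated. The script below is an added example and not the article's own code: it parses IOS running-config text, flags those weaknesses, and also flags a static crypto map entry numbered after the dynamic one, the ordering mistake the comment on `crypto map To_branch 10000` warns about. It is run against the article's Center config and against a constructed hardened variant (AES-256/SHA-256/DH group 14, PFS, and RSA-signature authentication through a PKI trustpoint instead of a wildcard key). The hardened lines, the `CORP-CA` trustpoint and its URL, and the 16-character minimum key length are assumptions, not something the article specifies.

```python
"""Audit IOS IKEv1/IPsec config text for the weaknesses carried by the dynamic
crypto map example (added example; not the article's own code)."""
import re

# Constructed sample: the relevant lines of the article's Center config.
WEAK_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto dynamic-map dymap 10
 set transform-set cisco
!
crypto map To_branch 10000 ipsec-isakmp dynamic dymap
"""

# Constructed hardened variant (assumed IOS 15.x syntax, not verified on a box):
# AES-256/SHA-256/DH14, PFS, and RSA-signature authentication via a PKI
# trustpoint instead of a wildcard pre-shared key.  Names and URL are made up.
HARDENED_CONFIG = """\
crypto pki trustpoint CORP-CA
 enrollment url http://ca.example.com:80
 revocation-check crl
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication rsa-sig
 group 14
!
crypto ipsec transform-set AES-SHA256 esp-aes 256 esp-sha256-hmac
!
crypto dynamic-map dymap 10
 set transform-set AES-SHA256
 set pfs group14
!
crypto map To_branch 65535 ipsec-isakmp dynamic dymap
"""

WEAK_IKE_ENCR = {"des", "3des"}
WEAK_IKE_HASH = {"md5", "sha"}          # "sha" means SHA-1 in IOS
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac", "esp-null"}
MIN_PSK_LEN = 16                          # local policy threshold (assumption)


def parse_blocks(config):
    """Split config text into (top-level command, [indented subcommands])."""
    blocks, header, body = [], None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] == " ":
            body.append(raw.strip())
        else:
            if header is not None:
                blocks.append((header, body))
            header, body = raw.strip(), []
    if header is not None:
        blocks.append((header, body))
    return blocks


def audit(config):
    """Return [(finding_code, detail), ...] for the weaknesses found."""
    findings = []
    dyn_seq, static_seq = {}, {}      # crypto map name -> [sequence numbers]
    for header, body in parse_blocks(config):
        w = header.split()
        if header.startswith("crypto isakmp policy "):
            for sub in body:
                s = sub.split()
                if s[0] == "encr" and s[1] in WEAK_IKE_ENCR:
                    findings.append(("weak-ike-encr", f"policy {w[3]} uses {s[1]}"))
                elif s[0] == "hash" and s[1] in WEAK_IKE_HASH:
                    findings.append(("weak-ike-hash", f"policy {w[3]} uses {s[1]}"))
                elif s[0] == "group" and s[1] in WEAK_DH_GROUPS:
                    findings.append(("weak-ike-dh", f"policy {w[3]} uses DH group {s[1]}"))
        elif header.startswith("crypto isakmp key "):
            # an optional "0"/"6" encryption-type keyword may precede the key
            m = re.match(r"crypto isakmp key (?:[06] )?(\S+) address (\S+)(?: (\S+))?", header)
            if m:
                key, addr, mask = m.groups()
                if addr == "0.0.0.0" and mask in (None, "0.0.0.0"):
                    findings.append(("wildcard-psk", "pre-shared key accepted from any peer address"))
                if len(key) < MIN_PSK_LEN:
                    findings.append(("short-psk", f"pre-shared key is only {len(key)} characters"))
        elif header.startswith("crypto ipsec transform-set "):
            for alg in w[4:]:
                if alg in WEAK_ESP:
                    findings.append(("weak-esp", f"transform-set {w[3]} uses {alg}"))
        elif header.startswith("crypto dynamic-map "):
            if not any(sub.startswith("set pfs") for sub in body):
                findings.append(("no-pfs", f"dynamic-map {w[2]} {w[3]} has no PFS"))
        elif header.startswith("crypto map ") and len(w) >= 5 and w[4] == "ipsec-isakmp":
            target = dyn_seq if "dynamic" in w[5:] else static_seq
            target.setdefault(w[2], []).append(int(w[3]))
    # entries are tried in sequence order: a static entry numbered after the
    # catch-all dynamic entry is shadowed by it
    for name, seqs in dyn_seq.items():
        later = [s for s in static_seq.get(name, []) if s > min(seqs)]
        if later:
            findings.append(("dynamic-not-last",
                             f"crypto map {name}: static entries {later} follow dynamic entry {min(seqs)}"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg))
```

Feed it the output of `show running-config | section crypto` (the parser only relies on the one-space indentation IOS uses for subcommands). Certificates change the trust model from "whoever knows the key" to "whoever holds a certificate from CORP-CA", which is what you want when the peer address is unknown in advance; IKEv2 would be the other way out of the wildcard-key problem, but that is a different configuration from the one this article describes.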
3. Testing the configuration:
Branch#ping 1.1.1.1 so 2.2.2.2   # with a dynamic crypto map the interesting traffic must be initiated from the branch toward the center first; the center has no peer address or ACL for the branch and can only respond
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/59/112 ms
Branch#
4. Viewing the configuration state:
Branch#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Branch#show crypto engine conn ac
  ID Interface            IP-Address      State  Algorithm            Encrypt  Decrypt
   1 FastEthernet1/0      61.128.1.12     set    HMAC_MD5+3DES_56_C         0        0   # ID 1 is the IKE SA
2001 FastEthernet1/0      61.128.1.12     set    DES+MD5                   17        0   # 2001/2002 are the outbound and inbound IPsec SAs
2002 FastEthernet1/0      61.128.1.12     set    DES+MD5                    0       17
Branch#show crypto isakmp sa
dst             src             state          conn-id slot status
202.100.1.1     61.128.1.12     QM_IDLE              1    0 ACTIVE
Branch#show crypto ipsec sa
interface: FastEthernet1/0
    Crypto map tag: To_center, local addr 61.128.1.12

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)   # interesting traffic
   remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)   # interesting traffic
   current_peer 202.100.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 36, #pkts encrypt: 36, #pkts digest: 36
    #pkts decaps: 36, #pkts decrypt: 36, #pkts verify: 36
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 12, #recv errors 0

     local crypto endpt.: 61.128.1.12, remote crypto endpt.: 202.100.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
     current outbound spi: 0x37062F6B(923152235)

     inbound esp sas:
      spi: 0x5909C929(1493813545)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: To_center
        sa timing: remaining key lifetime (k/sec): (4525079/2552)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x37062F6B(923152235)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }   # tunnel mode is in use
        conn id: 2001, flow_id: SW:1, crypto map: To_center
        sa timing: remaining key lifetime (k/sec): (4525079/2544)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
Branch#
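Reading `show crypto ipsec sa` by eye works for one tunnel; for a center with many dynamic branches it helps to have the same checks in code. The script below is an added example, not part of the article: it parses one `show crypto ipsec sa` entry into the identities, the encaps/decaps and error counters and the per-direction ESP SAs, then applies a small set of health rules: an ESP SA missing or not ACTIVE in either direction, transport rather than tunnel mode, replay detection off, and a one-way tunnel (encaps climbing while decaps stays at zero, the usual symptom of a mismatched ACL or of return traffic not being routed back to the peer). `SAMPLE_SA` is constructed from the Branch output above with the compression, MTU and key-lifetime lines trimmed; the rule names are mine. The 12 send errors in the article's output are reported as informational: that counter typically grows when packets are dropped while the SA is still being negotiated, and it is a steadily rising count, not a fixed one, that warrants a look.

```python
"""Parse 'show crypto ipsec sa' output and check that the ESP SA pair is healthy
(added example; not the article's own code)."""
import re

# Constructed from the Branch output in the article; compression counters,
# MTU and key-lifetime lines trimmed.
SAMPLE_SA = """\
interface: FastEthernet1/0
    Crypto map tag: To_center, local addr 61.128.1.12

   local  ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   current_peer 202.100.1.1 port 500
    #pkts encaps: 36, #pkts encrypt: 36, #pkts digest: 36
    #pkts decaps: 36, #pkts decrypt: 36, #pkts verify: 36
    #send errors 12, #recv errors 0
     current outbound spi: 0x37062F6B(923152235)

     inbound esp sas:
      spi: 0x5909C929(1493813545)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: To_center
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     outbound esp sas:
      spi: 0x37062F6B(923152235)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: To_center
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:
"""


def _first(pattern, text, conv=str):
    """First capture group of pattern in text, converted, or None."""
    m = re.search(pattern, text)
    return conv(m.group(1)) if m else None


def parse_ipsec_sa(text):
    """Extract identities, counters and per-direction ESP SAs from one entry."""
    sa = {
        "local_ident": _first(r"local\s+ident \(addr/mask/prot/port\): \((.+?)\)", text),
        "remote_ident": _first(r"remote\s+ident \(addr/mask/prot/port\): \((.+?)\)", text),
        "peer": _first(r"current_peer (\S+) port", text),
        "encaps": _first(r"#pkts encaps: (\d+)", text, int),
        "decaps": _first(r"#pkts decaps: (\d+)", text, int),
        "send_errors": _first(r"#send errors (\d+)", text, int),
        "recv_errors": _first(r"#recv errors (\d+)", text, int),
        "outbound_spi": _first(r"current outbound spi: (0x[0-9A-Fa-f]+)", text),
        "inbound_esp": [], "outbound_esp": [],
    }
    section, cur = None, None
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", s)
        if m:                                   # new SA list; only ESP is kept
            section = f"{m.group(1)}_esp" if m.group(2) == "esp" else None
            cur = None
        elif section and s.startswith("spi:"):
            cur = {"spi": s.split()[1].split("(")[0]}
            sa[section].append(cur)
        elif cur is not None:
            if s.startswith("transform:"):
                cur["transform"] = s[len("transform:"):].strip(" ,")
            elif s.startswith("in use settings"):
                cur["mode"] = re.search(r"\{(\w+)", s).group(1)
            elif s.startswith("replay detection support:"):
                cur["replay"] = s.split(":", 1)[1].strip()
            elif s.startswith("Status:"):
                cur["status"] = s.split(":", 1)[1].strip()
    return sa


def check_tunnel(sa):
    """Return the list of problems found; an empty list means a healthy pair."""
    issues = []
    for d in ("inbound_esp", "outbound_esp"):
        if not sa[d]:
            issues.append(f"{d}-missing")
        for e in sa[d]:
            if e.get("status") != "ACTIVE":
                issues.append(f"{d}-not-active")
            if e.get("mode") != "Tunnel":
                issues.append(f"{d}-not-tunnel")
            if e.get("replay") != "Y":
                issues.append(f"{d}-no-replay")
    if sa["encaps"] and not sa["decaps"]:
        issues.append("one-way-traffic")     # we encrypt, the peer's replies never arrive
    elif not sa["encaps"] and not sa["decaps"]:
        issues.append("no-traffic")
    if sa["send_errors"]:
        issues.append("send-errors")         # informational unless the count keeps rising
    return issues


if __name__ == "__main__":
    print(check_tunnel(parse_ipsec_sa(SAMPLE_SA)))
```

On a center router the command prints one such entry per branch; split the output on the `local  ident` lines (or use `show crypto ipsec sa peer <address>`) and run `check_tunnel` on each, and collect the counters twice a few seconds apart if you want to distinguish a dead branch from an idle one.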