Virtual Private Network (VPN) configuration example

A VPN extends the enterprise network so that remote users and branch offices get the same security and functionality as hosts on the corporate LAN. Many VPN technologies exist; the most widely deployed secure one is IPsec, which gives data in transit confidentiality, integrity and data-origin authentication (the original text also claims non-repudiation, but a shared symmetric key cannot prove to a third party which peer sent a packet). This manual shows how to build a VPN with IPsec.

Configuration example: a VPN between the head-office router (RT-BJ) and the branch-office router (RT-SH); the topology is shown in Figure 1. RT-BJ reaches the branch router through one /24 interface and the head-office computers through another /24 interface; RT-SH reaches the head-office router through one /24 interface and the branch computers through another /24 interface. Addresses are shown as <placeholders>.

Head-office router (RT-BJ):
crypto isakmp policy 1
 encryption des                          ! ISAKMP policy uses DES for encryption
 hash sha                                ! ISAKMP policy uses SHA-1 for hashing (the original comment said MD5, which does not match the command)
 authentication pre-share
 group <dh-group>
crypto isakmp identity <address | hostname>
crypto isakmp key cisco123 address <RT-SH WAN address>
crypto map bjmap 1 ipsec-isakmp
 set peer <RT-SH WAN address>
 set transform-set <transform-set name>
 match address 101
interface <LAN interface>
 ip address <RT-BJ LAN address> <mask>
interface <WAN interface>
 ip address <RT-BJ WAN address> <mask>
 no ip mroute-cache
 no fair-queue
 clockrate 64000
 crypto map bjmap
access-list 101 permit ip <head-office subnet> 0.0.0.255 <branch subnet> 0.0.0.255
access-list 101 permit ip <head-office subnet> 0.0.0.255 <branch subnet> 0.0.0.255   ! second subnet pair

Branch-office router (RT-SH):
crypto isakmp policy 1
 encryption des
 hash sha
 authentication pre-share
 group <dh-group>
crypto isakmp identity <address | hostname>
crypto isakmp key cisco123 address <RT-BJ WAN address>
crypto map shmap 1 ipsec-isakmp           ! creates the IPsec SA entry
 set peer <RT-BJ WAN address>
 set transform-set <transform-set name>
 match address 101
interface <LAN interface>
 ip address <RT-SH LAN address> <mask>
interface <WAN interface>
 ip address <RT-SH WAN address> <mask>
 no ip mroute-cache
 no fair-queue
 clockrate <bps>
 crypto map shmap
access-list 101 permit ip <branch subnet> 0.0.0.255 <head-office subnet> 0.0.0.255
access-list 101 permit ip <branch subnet> 0.0.0.255 <head-office subnet> 0.0.0.255   ! second subnet pair

Two things to check before relying on this example. First, the transform set that `set transform-set` names is never defined here; both routers need a matching `crypto ipsec transform-set` (Experiment 1 shows the full form) or the crypto map stays incomplete. Second, the pre-shared key must be identical on both sides and bound to the peer's real WAN address, the two access lists must be exact mirror images, and the crypto map must be applied to the interface that faces the peer. DES, SHA-1 and the low DH groups used here are obsolete; on an image that supports them use AES, SHA-256 and DH group 14 or higher, and replace the lab key cisco123 with a long random one.

Summary: once both routers are configured as above, the VPN between the two offices comes up and hosts at the head office reach the branch as if it were their own LAN. Traffic crossing the public network is IPsec-encrypted, so anything captured on the path with a sniffer is ciphertext.

Experiment 1: Cisco IOS site-to-site IPsec with a pre-shared key
Equipment: two Cisco routers, IOS 12.3 with a crypto feature set. Addresses are shown as <placeholders>.

1. Connectivity on R1
R1(config)# interface <LAN interface>
R1(config-if)# ip address <R1 LAN address> <mask>
R1(config-if)# no shutdown
R1(config)# interface <WAN interface>
R1(config-if)# ip address <R1 WAN address> <mask>
R1(config-if)# no shutdown
R1(config)# ip route <destination> <mask> <next hop>

2. Connectivity on R2
R2(config)# interface <LAN interface>
R2(config-if)# ip address <R2 LAN address> <mask>
R2(config-if)# no shutdown
R2(config)# interface <WAN interface>
R2(config-if)# ip address <R2 WAN address> <mask>
R2(config-if)# no shutdown
R2(config)# ip route <destination> <mask> <next hop>

3. IPsec on R1
R1(config)# crypto isakmp enable                (optional: ISAKMP is enabled by default)
ISAKMP policy (phase 1):
R1(config)# crypto isakmp policy 10
R1(config-isakmp)# encryption 3des
R1(config-isakmp)# authentication pre-share    (needed with a pre-shared key; the policy default is rsa-sig)
R1(config-isakmp)# group 2
Pre-shared key:
R1(config)# crypto isakmp key bluefoxlab address <R2 WAN address>
Transform set (phase 2):
R1(config)# crypto ipsec transform-set bluefoxlab esp-3des esp-md5-hmac
R1(cfg-crypto-trans)# mode tunnel
Crypto map:
R1(config)# crypto map bluefoxlab 10 ipsec-isakmp
R1(config-crypto-map)# set peer <R2 WAN address>
R1(config-crypto-map)# set transform-set bluefoxlab
R1(config-crypto-map)# match address 101
Interesting traffic:
R1(config)# access-list 101 permit ip <R1 LAN> 0.0.0.255 <R2 LAN> 0.0.0.255
Bind the crypto map to the WAN interface:
R1(config)# interface <WAN interface>
R1(config-if)# crypto map bluefoxlab

4. IPsec on R2 (same structure; the crypto map name is local and need not match R1's)
R2(config)# crypto isakmp enable                (optional)
R2(config)# crypto isakmp policy 10
R2(config-isakmp)# encryption 3des
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 2
R2(config)# crypto isakmp key bluefoxlab address <R1 WAN address>
R2(config)# crypto ipsec transform-set bluefoxlab esp-3des esp-md5-hmac
R2(cfg-crypto-trans)# mode tunnel
R2(config)# crypto map cisco 10 ipsec-isakmp
R2(config-crypto-map)# set peer <R1 WAN address>
R2(config-crypto-map)# set transform-set bluefoxlab
R2(config-crypto-map)# match address 101
R2(config)# access-list 101 permit ip <R2 LAN> 0.0.0.255 <R1 LAN> 0.0.0.255
R2(config)# interface <WAN interface>
R2(config-if)# crypto map cisco

Verification
1. ping <host on the R2 LAN> source <R1 LAN address>   (the ping must be sourced from the LAN address, otherwise it does not match access-list 101 and nothing is encrypted)
2. show crypto ipsec sa
3. show crypto engine connections active
4. debug crypto isakmp
5. debug crypto ipsec

Everything except the crypto map name must agree between the peers: the ISAKMP policy (encryption, hash, authentication, DH group), the pre-shared key, the transform set and its mode, and the two access lists as mirror images. 3DES and HMAC-MD5 are lab-grade choices; prefer AES and HMAC-SHA where the image supports them.
Experiment 2: GRE tunnel protected by IPsec in transport mode, with OSPF across the tunnel

Equipment: two Cisco routers, IOS 12.3 with a crypto feature set.

1. Connectivity on R1
R1(config)# interface <LAN interface>
R1(config-if)# ip address <R1 LAN address> <mask>
R1(config-if)# no shutdown
R1(config)# interface <WAN interface>
R1(config-if)# ip address <R1 WAN address> <mask>
R1(config-if)# no shutdown
R1(config)# ip route <destination> <mask> <next hop>

2. Connectivity on R2
(same as step 1 with R2's addresses)

3. GRE tunnel on R1
R1(config)# interface Tunnel0
R1(config-if)# ip address <R1 tunnel address> <mask>
R1(config-if)# tunnel source <R1 WAN address>
R1(config-if)# tunnel destination <R2 WAN address>      (the original has "destionation", a typo)
R1(config)# ip route <R2 LAN> <mask> Tunnel0

4. GRE tunnel on R2
R2(config)# interface Tunnel0
R2(config-if)# ip address <R2 tunnel address> <mask>
R2(config-if)# tunnel source <R2 WAN address>
R2(config-if)# tunnel destination <R1 WAN address>
R2(config)# ip route <R1 LAN> <mask> Tunnel0

5. OSPF on R1
R1(config)# router ospf <process-id>
R1(config-router)# network <R1 LAN> 0.0.0.255 area <area>
R1(config-router)# network <tunnel subnet> 0.0.0.255 area <area>

6. OSPF on R2 (the original labels this step "R1" again)
R2(config)# router ospf <process-id>
R2(config-router)# network <R2 LAN> 0.0.0.255 area <area>
R2(config-router)# network <tunnel subnet> 0.0.0.255 area <area>

7. IPsec on R1
R1(config)# crypto isakmp enable                (optional: enabled by default)
R1(config)# crypto isakmp policy 10
R1(config-isakmp)# encryption 3des
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config)# crypto isakmp key bluefoxlab address <R2 WAN address>
R1(config)# crypto ipsec transform-set bluefoxlab esp-3des esp-md5-hmac
R1(cfg-crypto-trans)# mode transport
R1(config)# crypto map bluefoxlab 10 ipsec-isakmp
R1(config-crypto-map)# set peer <R2 WAN address>
R1(config-crypto-map)# set transform-set bluefoxlab
R1(config-crypto-map)# match address 101
R1(config)# access-list 101 permit ip host <R1 WAN address> host <R2 WAN address>
R1(config)# interface <WAN interface>
R1(config-if)# crypto map bluefoxlab

Why transport mode? The GRE packet already carries an outer IP header whose source and destination are the two tunnel endpoints, and those endpoints are exactly the IPsec peers. Transport mode protects the GRE payload behind that header instead of wrapping the whole GRE packet in a second IP header, which saves 20 bytes per packet and leaves 20 more bytes of MTU for the inner traffic. Tunnel mode would also work; it only costs the extra header. Matching `permit gre host <R1 WAN address> host <R2 WAN address>` instead of `permit ip` narrows the policy to the tunnel traffic alone.

8. IPsec on R2
R2(config)# crypto isakmp enable                (optional)
R2(config)# crypto isakmp policy 10
R2(config-isakmp)# encryption 3des
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 2
R2(config)# crypto isakmp key bluefoxlab address <R1 WAN address>
R2(config)# crypto ipsec transform-set bluefoxlab esp-3des esp-md5-hmac   (the original has esp-des here; it must match R1's esp-3des, otherwise phase 2 finds no acceptable proposal and no IPsec SA is built)
R2(cfg-crypto-trans)# mode transport
R2(config)# crypto map cisco 10 ipsec-isakmp
R2(config-crypto-map)# set peer <R1 WAN address>
R2(config-crypto-map)# set transform-set bluefoxlab
R2(config-crypto-map)# match address 101
R2(config)# access-list 101 permit ip host <R2 WAN address> host <R1 WAN address>
R2(config)# interface <WAN interface>
R2(config-if)# crypto map cisco

Verification
1. show interface tunnel 0
2. show crypto ipsec sa
3. show crypto engine connections active
4. debug crypto isakmp
5. debug crypto ipsec
6. show ip ospf neighbor
7. debug ip ospf adj
8. show ip route

Because OSPF runs inside the GRE tunnel, the routing updates are encrypted together with the user traffic, and the LANs behind the two routers become reachable only once the OSPF adjacency over Tunnel0 is up.

Experiment 3: PPPoE (ADSL) dial-up

Equipment: two Cisco routers (one as PPPoE client, one as PPPoE server), IOS <version>.

PPPoE client router
config t
line con 0
ip name-server <DNS server 1>                 (DNS)
ip name-server <DNS server 2>
vpdn enable
vpdn-group <name>
 request-dialin
 protocol pppoe
interface <inside Ethernet>
 ip address <inside address> <mask>
 ip nat inside
 no shutdown
interface <outside Ethernet>
 no ip address
 pppoe enable
 pppoe-client dial-pool-number 1
 no shutdown
interface Dialer1
 ip address negotiated
 ip mtu 1492                                 ! 1500 minus the 6-byte PPPoE header and 2-byte PPP protocol field
 ip nat outside
 encapsulation ppp
 ppp pap sent-username bluefox password bluefox
 ppp chap hostname bluefox
 ppp chap password bluefox
 dialer pool 1
 ip tcp adjust-mss 1452                      ! 1492 minus 20-byte IP and 20-byte TCP headers, so TCP segments never need fragmentation
ip nat inside source list 1 interface Dialer1 overload
access-list 1 permit <inside subnet> 0.0.0.255
ip route 0.0.0.0 0.0.0.0 Dialer1

PAP sends the account password in clear text on the PPPoE link; where the ISP supports it, CHAP is preferable, and the credentials above are stored in the configuration in clear text unless `service password-encryption` is enabled (which is only obfuscation).

ADSL with a fixed IP address (bridged ATM)
bridge irb
interface BVI1
 ip address <public address> <mask>
 ip nat outside                              ! virtual bridge group 1 is the NAT outside interface
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/35
 bundle-dsl operating-mode auto
 bridge-group 1                              ! put the ATM0 interface into bridge-group 1
interface <inside Ethernet>
 ip address <inside address> <mask>
 ip nat inside
ip nat inside source list 1 interface BVI1 overload
ip nat inside source static tcp <inside host> 80 <public address> 80
ip route 0.0.0.0 0.0.0.0 <ISP gateway>
access-list 1 permit <inside subnet> 0.0.0.255
bridge 1 protocol ieee                       ! bridging protocol ...
bridge 1 route ip                            ! ... and IP routing for the bridge group

PPPoE server (an IOS router acting as the access concentrator in the lab)
line con 0
hostname ADSL-dialer-<...>
username bluefox password bluefox
vpdn enable
vpdn-group <name>
 accept-dialin
 protocol pppoe
 virtual-template 1
interface <Ethernet facing the client>
 pppoe enable
interface Virtual-Template1
 mtu 1492
 ip unnumbered <Ethernet>
 peer default ip address pool PPPOE_IP_POOL
 encapsulation ppp
 ppp authentication pap
ip local pool PPPOE_IP_POOL <first address> <last address>
interface <other interface>
 ip address <address> <mask>
 no shutdown

Verification
1. sh ip int brief
2. debug pppoe events
3. clear pppoe all
4. sh vpdn session
5. sh ip route
6. sh ip int dialer 1

Appendix: PPPoE client on PIX 7.0
hostname(config)# vpdn group bluefoxlab request dialout pppoe
hostname(config)# vpdn group bluefoxlab ppp authentication pap
hostname(config)# vpdn group bluefoxlab localname CSDX
hostname(config)# vpdn username CSDX password XX
hostname(config)# interface e0/0
hostname(config-if)# ip address pppoe
hostname(config-if)# pppoe client vpdn group bluefoxlab
hostname# show ip address outside pppoe
hostname(config)# clear configure vpdn group
hostname(config)# clear configure vpdn username
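The transport-versus-tunnel question in Experiment 2 and the `ip mtu 1492` / `ip tcp adjust-mss 1452` lines in Experiment 3 are both about encapsulation overhead. The following Python is an added example, not part of the lab manual: it computes the overhead from the protocol formats (GRE, ESP with the 3DES/MD5 transform set used on the page, PPPoE) and reports what a 1500-byte link can carry. The 1400-byte sample packet is a constructed input, and the ESP numbers assume no extended sequence numbers.

```python
"""Per-packet overhead of the encapsulations used in Experiments 2 and 3.

Added example; byte counts come from the protocol formats (GRE: RFC 2784,
ESP: RFC 4303, PPPoE: RFC 2516), not from the lab manual.
"""

IPV4_HDR = 20
GRE_HDR = 4            # flags/version + protocol type (no key, as in Experiment 2)
GRE_KEY = 4            # added when 'tunnel key' is configured (as in the DMVPN lab)
PPPOE_OVERHEAD = 8     # 6-byte PPPoE header + 2-byte PPP protocol field
ESP_SPI_SEQ = 8
ESP_TRAILER = 2        # pad length + next header

# CBC block size (== IV length) of the ESP ciphers on the page and the
# truncated HMAC length of the ESP authenticators (96 bits for both).
CIPHER_BLOCK = {"esp-des": 8, "esp-3des": 8, "esp-aes": 16}
ICV_LEN = {"esp-md5-hmac": 12, "esp-sha-hmac": 12}


def esp_size(protected_len, cipher="esp-3des", auth="esp-md5-hmac"):
    """Size of an ESP packet (SPI/seq, IV, payload, padding, trailer, ICV)
    protecting protected_len bytes. Padding brings payload plus the 2-byte
    trailer up to a cipher-block boundary."""
    block = CIPHER_BLOCK[cipher]
    pad = (-(protected_len + ESP_TRAILER)) % block
    return ESP_SPI_SEQ + block + protected_len + pad + ESP_TRAILER + ICV_LEN[auth]


def gre_ipsec_size(inner_len, mode, cipher="esp-3des", auth="esp-md5-hmac", keyed=False):
    """On-the-wire size of an inner IP packet of inner_len bytes sent through
    a GRE tunnel protected by IPsec in 'transport' or 'tunnel' mode.

    transport: outer IP | ESP( GRE | inner )         -- one IP header
    tunnel:    outer IP | ESP( IP | GRE | inner )    -- the GRE packet's own IP
               header is encrypted and a new outer header is added
    """
    gre_payload = GRE_HDR + (GRE_KEY if keyed else 0) + inner_len
    if mode == "transport":
        return IPV4_HDR + esp_size(gre_payload, cipher, auth)
    if mode == "tunnel":
        return IPV4_HDR + esp_size(IPV4_HDR + gre_payload, cipher, auth)
    raise ValueError("mode must be 'transport' or 'tunnel'")


def max_inner_len(link_mtu, mode, **kw):
    """Largest inner IP packet that fits in link_mtu without fragmentation:
    the value to configure as 'ip mtu' on the tunnel interface."""
    for inner in range(link_mtu, 0, -1):
        if gre_ipsec_size(inner, mode, **kw) <= link_mtu:
            return inner
    raise ValueError("link MTU too small")


def pppoe_ip_mtu(link_mtu=1500):
    """IP MTU on a PPPoE dialer: Ethernet payload minus PPPoE and PPP headers."""
    return link_mtu - PPPOE_OVERHEAD


def tcp_mss_for_mtu(ip_mtu):
    """MSS that keeps a TCP segment inside ip_mtu (minus 20-byte IP and TCP
    headers); this is where 'ip tcp adjust-mss 1452' comes from."""
    return ip_mtu - IPV4_HDR - 20


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        print(mode, "1400-byte inner ->", gre_ipsec_size(1400, mode), "bytes;",
              "max inner for 1500 MTU:", max_inner_len(1500, mode))
    print("PPPoE ip mtu:", pppoe_ip_mtu(), "adjust-mss:", tcp_mss_for_mtu(pppoe_ip_mtu()))
```

The 20-byte difference between the two `max_inner_len` results is the second IP header that tunnel mode adds; the extra padding bytes come from 3DES's 8-byte block alignment.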
Experiment 4: site-to-site IPsec with a dynamic crypto map (R2 connects from an address R1 does not know in advance)

Equipment: two Cisco routers, IOS 12.3 with a crypto feature set.

1. Connectivity on R1
(as in Experiment 1)

2. Connectivity on R2
R2(config)# interface <interface>
R2(config-if)# ip address <address> <mask>
R2(config-if)# no shutdown
R2(config)# ip route <destination> <mask> <next hop>

3. IPsec on R1 (the side with the dynamic map)
R1(config)# crypto isakmp enable                (optional: enabled by default)
R1(config)# crypto isakmp policy 10
R1(config-isakmp)# encryption 3des
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config)# crypto isakmp key bluefoxlab address <R2 address, or 0.0.0.0 0.0.0.0 for any peer>
R1(config)# crypto ipsec transform-set bluefoxlab esp-3des esp-md5-hmac
R1(cfg-crypto-trans)# mode tunnel
Dynamic crypto map (no set peer: the peer is learned when it connects):
R1(config)# crypto dynamic-map bluefoxlab 10
R1(config-crypto-map)# set transform-set bluefoxlab
R1(config-crypto-map)# match address 101        (optional in a dynamic map; with it, watch how the dynamic entry is bound into the static map)
R1(config)# crypto map bluefox 10 ipsec-isakmp dynamic bluefoxlab
R1(config)# access-list 101 permit ip <R1 LAN> 0.0.0.255 <R2 LAN> 0.0.0.255
R1(config)# interface e0
R1(config-if)# crypto map bluefox

4. IPsec on R2 (static map, as in Experiment 1)
R2(config)# crypto isakmp enable                (optional)
R2(config)# crypto isakmp policy 10
R2(config-isakmp)# encryption 3des
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 2
R2(config)# crypto isakmp key bluefoxlab address <R1 address>
R2(config)# crypto ipsec transform-set bluefoxlab esp-3des esp-md5-hmac   (the original has esp-des; it must match R1's esp-3des)
R2(cfg-crypto-trans)# mode tunnel
R2(config)# crypto map cisco 10 ipsec-isakmp
R2(config-crypto-map)# set peer <R1 address>
R2(config-crypto-map)# set transform-set bluefoxlab
R2(config-crypto-map)# match address 101
R2(config)# access-list 101 permit ip <R2 LAN> 0.0.0.255 <R1 LAN> 0.0.0.255
R2(config)# interface <WAN interface>
R2(config-if)# crypto map cisco

Verification
1. ping <host on the R1 LAN> source <R2 LAN address>   (only R2 can initiate: R1 has no peer address until R2's first IKE exchange arrives)
2. show crypto ipsec sa
3. show crypto engine connections active
4. debug crypto isakmp
5. debug crypto ipsec
6. show crypto session

If R1's pre-shared key is bound to the wildcard 0.0.0.0 0.0.0.0, any host that knows the key can complete phase 1 with R1; the key then carries the whole of the authentication and must be long and random, not a lab word like bluefoxlab.
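Experiments 1, 2 and 4 all depend on both routers proposing the same thing, and the page's own R2 configurations in Experiments 2 and 4 propose esp-des against R1's esp-3des, which makes phase 2 fail. The script below is an added example, not from the manual: it parses two IOS running-configs and reports the mismatches that would stop phase 1 or phase 2. The two router configs, the key and the addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
"""Consistency check of the two ends of an IOS site-to-site IPsec tunnel.

Added example, not part of the lab manual. The configs below are constructed;
the mistake they contain (esp-des on one side, esp-3des on the other) is the
one that appears in the manual's Experiments 2 and 4.
"""
from collections import defaultdict


def _acl_endpoints(tokens):
    """Consume 'host A', 'any' or 'A wildcard' twice -> ((src, wc), (dst, wc))."""
    out, i = [], 0
    while len(out) < 2:
        if tokens[i] == "host":
            out.append((tokens[i + 1], "0.0.0.0")); i += 2
        elif tokens[i] == "any":
            out.append(("0.0.0.0", "255.255.255.255")); i += 1
        else:
            out.append((tokens[i], tokens[i + 1])); i += 2
    return tuple(out)


def parse_ios(text):
    """Extract ISAKMP policies, pre-shared keys, transform sets, static
    crypto-map entries and extended ACLs from an IOS config (one-space indent)."""
    cfg = {"policies": {}, "keys": {}, "transform_sets": {},
           "maps": {}, "acls": defaultdict(set)}
    block = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        w = line.split()
        if not line.startswith(" "):
            block = None
            if w[:3] == ["crypto", "isakmp", "policy"]:
                # IOS defaults for an ISAKMP policy: des / sha / rsa-sig / group 1
                block = cfg["policies"].setdefault(
                    w[3], {"encr": "des", "hash": "sha", "auth": "rsa-sig", "group": "1"})
            elif w[:3] == ["crypto", "isakmp", "key"]:
                cfg["keys"][w[5]] = w[3]          # crypto isakmp key <secret> address <peer>
            elif w[:3] == ["crypto", "ipsec", "transform-set"]:
                block = cfg["transform_sets"].setdefault(
                    w[3], {"proposal": frozenset(w[4:]), "mode": "tunnel"})
            elif w[:2] == ["crypto", "map"] and len(w) == 5 and w[3].isdigit():
                block = cfg["maps"].setdefault((w[2], int(w[3])), {})
            elif w[0] == "access-list" and w[2] in ("permit", "deny") \
                    and w[3] in ("ip", "gre", "tcp", "udp", "icmp"):
                src, dst = _acl_endpoints(w[4:])
                cfg["acls"][w[1]].add((w[2], w[3], src, dst))
        elif block is not None:
            key = {"encryption": "encr", "encr": "encr", "hash": "hash",
                   "authentication": "auth", "group": "group", "mode": "mode"}.get(w[0])
            if key:
                block[key] = w[1]
            elif w[:2] == ["set", "peer"]:
                block["peer"] = w[2]
            elif w[:2] == ["set", "transform-set"]:
                block["ts"] = w[2]
            elif w[:2] == ["match", "address"]:
                block["acl"] = w[2]
    return cfg


def check_pair(a, a_addr, b, b_addr):
    """Mismatches that would make IKE phase 1 or phase 2 fail between
    router a (outside address a_addr) and router b (outside address b_addr)."""
    findings = []
    pa = {tuple(sorted(p.items())) for p in a["policies"].values()}
    pb = {tuple(sorted(p.items())) for p in b["policies"].values()}
    if not pa & pb:
        findings.append("phase 1: no ISAKMP policy with identical encr/hash/auth/group on both sides")
    if a["keys"].get(b_addr) is None or a["keys"].get(b_addr) != b["keys"].get(a_addr):
        findings.append("phase 1: pre-shared key missing or different for the peer address")
    ents_a = [e for e in a["maps"].values() if e.get("peer") == b_addr]
    ents_b = [e for e in b["maps"].values() if e.get("peer") == a_addr]
    if not ents_a or not ents_b:
        findings.append("phase 2: a static crypto map entry for the peer is missing on one side")
    for ea in ents_a:
        for eb in ents_b:
            ta = a["transform_sets"].get(ea.get("ts"))
            tb = b["transform_sets"].get(eb.get("ts"))
            if ta is None or tb is None or ta != tb:
                findings.append("phase 2: transform set undefined or proposal/mode differ: %s vs %s" % (ta, tb))
            acl_a = a["acls"].get(ea.get("acl"), set())
            acl_b = b["acls"].get(eb.get("acl"), set())
            if {(act, proto, dst, src) for act, proto, src, dst in acl_a} != acl_b:
                findings.append("phase 2: crypto ACLs are not mirror images")
    return findings


# Constructed configs in the shape of the manual's R1/R2 (addresses are hypothetical).
R1_CFG = """\
crypto isakmp policy 10
 encryption 3des
 authentication pre-share
 group 2
crypto isakmp key bluefoxlab address 198.51.100.2
crypto ipsec transform-set bluefoxlab esp-3des esp-md5-hmac
 mode tunnel
crypto map bluefoxlab 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set bluefoxlab
 match address 101
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
"""
R2_CFG = """\
crypto isakmp policy 10
 encryption 3des
 authentication pre-share
 group 2
crypto isakmp key bluefoxlab address 198.51.100.1
crypto ipsec transform-set bluefoxlab esp-des esp-md5-hmac
 mode tunnel
crypto map cisco 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set bluefoxlab
 match address 101
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
"""

if __name__ == "__main__":
    for f in check_pair(parse_ios(R1_CFG), "198.51.100.1", parse_ios(R2_CFG), "198.51.100.2"):
        print(f)
```

The check deliberately ignores crypto map names (they are local) and treats the ISAKMP policy as a full tuple, because IOS only accepts a peer's proposal when encryption, hash, authentication method and DH group all match one configured policy.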

Experiment 5: Easy VPN server on a router, Cisco VPN Client on a PC

Equipment: two Cisco routers, IOS 12.3 with a crypto feature set (one acts as the Easy VPN server; the PC runs the Cisco VPN Client).

R1(config)# username cisco password cisco                        (XAUTH username and password)
R1(config)# aaa new-model
R1(config)# aaa authentication login default local
R1(config)# aaa authentication login ezvpn-authentication local   (list used for XAUTH)
R1(config)# aaa authorization network ezvpn-authorization local   (list used for group policy lookup)
R1(config)# ip local pool vpn-pool <first address> <last address>
R1(config)# crypto isakmp policy 10
R1(config-isakmp)# encryption 3des
R1(config-isakmp)# hash sha
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2                       (the Cisco VPN Client requires DH group 2 with group pre-shared keys)
R1(config)# access-list 101 permit ip <protected subnet> 0.0.0.255 <client pool subnet> 0.0.0.255   (split-tunnel ACL)
R1(config)# crypto isakmp client configuration group myezvpn
R1(config-isakmp-group)# key cisco1234
R1(config-isakmp-group)# dns <DNS server>        (optional)
R1(config-isakmp-group)# domain <domain>.cn      (optional)
R1(config-isakmp-group)# pool vpn-pool
R1(config-isakmp-group)# acl 101                 (split tunnel: only these destinations go through the tunnel)
R1(config)# crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
R1(cfg-crypto-trans)# mode tunnel
R1(config)# crypto dynamic-map ezvpn-dynamic-map 10
R1(config-crypto-map)# set transform-set ccsp
R1(config)# crypto map cisco client authentication list ezvpn-authentication   (XAUTH)
R1(config)# crypto map cisco isakmp authorization list ezvpn-authorization     (group attributes and the client's address are pushed by mode config)
R1(config)# crypto map cisco client configuration address respond
R1(config)# crypto map cisco 10 ipsec-isakmp dynamic ezvpn-dynamic-map
R1(config)# interface <outside interface>
R1(config-if)# ip address <outside address> <mask>
R1(config-if)# crypto map cisco
R1(config)# interface <inside interface>
R1(config-if)# ip address <inside address> <mask>
R1(config)# ip route <destination> <mask> <next hop>

Cisco VPN Client on the PC: the connection entry uses R1's outside address as the host and myezvpn / cisco1234 as the group name and group password; at connect time the XAUTH login is cisco / cisco.

Verification: sh crypto ipsec sa

The group key cisco1234 and the local user cisco / cisco are lab values, and `username ... password` keeps the XAUTH password reversibly in the configuration; for anything beyond the lab use `username ... secret`, a long group key, and preferably certificates or an external AAA server.

Experiment 6: Cisco IOS Easy VPN Remote (router to router)

Equipment: two Cisco routers, IOS 12.3 with a crypto feature set.

Server (ezserver): the same configuration as Experiment 5 (XAUTH user, aaa lists ezvpn-authentication and ezvpn-authorization, address pool, ISAKMP policy 10, client configuration group myezvpn with key cisco1234 and acl 101, transform set ccsp, dynamic map ezvpn-dynamic-map, crypto map cisco with client authentication, ISAKMP authorization and address respond, applied to the outside interface).

Remote (ezclient):
crypto ipsec client ezvpn newlab
 connect auto
 group myezvpn key cisco1234
 mode client
 peer <server outside address>
 username cisco password cisco
 xauth userid mode local
!
interface <inside interface>
 ip address <address> <mask>
 crypto ipsec client ezvpn newlab inside
!
interface <outside interface>
 ip address <address> <mask>
 crypto ipsec client ezvpn newlab

1. Remote-side running configuration (ezclient# sh run, 1134 bytes), condensed:
version <...>
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname ezclient
enable password <...>
no aaa new-model
!
crypto ipsec client ezvpn mylab
 connect auto
 group myezvpn key cisco1234
 mode network-plus
 peer <server outside address>
 username cisco password cisco
 xauth userid mode local
!
interface <interface>
 ip address <address> <mask>
!
interface FastEthernet0/0
 ip address <inside address> <mask>
 duplex auto
 speed auto
 crypto ipsec client ezvpn mylab inside
!
interface <unused Ethernet>
 no ip address
 speed auto
!
interface Serial0/0/0
 ip address <outside address> <mask>
 clockrate <bps>
 crypto ipsec client ezvpn mylab
!
interface <unused serial>
 no ip address
 clockrate <bps>
!
ip route <destination> <mask> <next hop>
no ip http server
no ip http secure-server
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 0 0
 password cisco
!
scheduler allocate 20000 1000

2. Server-side running configuration (ezserver# sh run, 1715 bytes), condensed:
version <...>
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname ezserver
enable password <...>
aaa new-model
aaa authentication login default local
aaa authentication login ezvpn-authentication local
aaa authorization network ezvpn-authorization local
aaa session-id common
username cisco password 0 cisco
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group myezvpn
 key cisco1234
 pool vpn-pool
 acl 101
crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
crypto dynamic-map ezvpn-dynamic-map 10
 set transform-set ccsp
crypto map cisco client authentication list ezvpn-authentication
crypto map cisco isakmp authorization list ezvpn-authorization
crypto map cisco client configuration address respond
crypto map cisco 10 ipsec-isakmp dynamic ezvpn-dynamic-map
!
interface FastEthernet0/0
 ip address <inside address> <mask>
 speed auto
interface <unused Ethernet>
 no ip address
 duplex auto
 speed auto
interface Serial0/0/0
 ip address <outside address> <mask>
 clockrate 64000
 crypto map cisco
interface <unused serial>
 no ip address
 clockrate <bps>
!
ip local pool vpn-pool <first address> <last address>
ip route <destination> <mask> <next hop>
no ip http server
no ip http secure-server
access-list 101 permit ip <protected subnet> 0.0.0.255 <client pool subnet> 0.0.0.255
line vty 0 4
 exec-timeout 0 0
 password cisco
scheduler allocate 20000 1000

Both configurations run with `no service password-encryption` and `username cisco password 0 cisco`, so every password, including the XAUTH credentials and the vty password, is readable in `show run`; use `secret` forms and enable `service password-encryption` before such a configuration leaves the lab.

3. Client mode
ezclient# sh ip int brief shows the loopback interface that Easy VPN Remote creates, carrying the address assigned by the server.
ezclient# sh crypto ipsec client ezvpn
Easy VPN Remote Phase: 4
Tunnel name: mylab
Inside interface list: FastEthernet0/0
Outside interface: Serial0/0/0
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: <assigned address>
Mask: <mask>
Save Password: <...>
Allowed Split Tunnel List: 1
  source <...>, destination <...>, Source Port: 0, Dest Port: 0
Current EzVPN Peer: <server outside address>

In client mode the Easy VPN Remote router creates a loopback interface with the address the server assigned. When hosts behind the remote reach hosts behind the Easy VPN server, the remote PATs them to that loopback address; with split tunnelling configured on the server, traffic from those hosts to the Internet is PATed to the outside address instead.

ezserver# sh ip route (legend omitted)
Gateway of last resort is <next hop> to network 0.0.0.0
C <inside subnet>/24 is directly connected, FastEthernet0/0
C <WAN subnet>/30 is directly connected, Serial0/0/0
S <assigned address>/32 [1/0] via <remote outside address>
S* 0.0.0.0/0 [1/0] via <next hop>
Because reverse-route injection is in effect, the server creates a static route to the remote's loopback (assigned) address.

4. network-extension mode
ezclient# sh ip int brief shows no assigned address on the remote.
ezclient# sh crypto ipsec client ezvpn gives the same output as above without the Address and Mask lines.
ezserver# sh ip route now contains
S <remote inside subnet>/24 [1/0] via <remote outside address>
Because of reverse-route injection, the server creates a static route to the remote's inside network.

5. network-plus mode (numbered 6 in the original)
The remote still creates the loopback interface, but in this mode it is only there for troubleshooting (for example as a ping target from the server side).
ezclient# sh crypto ipsec client ezvpn shows Address and Mask again.
ezserver# sh ip route now contains both
S <remote inside subnet>/24 [1/0] via <remote outside address>
S <assigned address>/32 [1/0] via <remote outside address>
Because of reverse-route injection, the server creates static routes to both the remote's loopback address and its inside network.

Experiment 7: site-to-site IPsec authenticated with certificates from a CA (RSA signatures)

Equipment: Cisco routers c2620-1, c2500 and c2620-2, and a CA reachable over the network for SCEP enrollment.

1. RIP version 2 on all three routers
c2620-1(config)# router rip
c2620-1(config-router)# version 2
c2500(config-router)# version 2
c2620-2(config-router)# version 2

IOS versions (from show version):
IOS (tm) C2600 Software (C2600-IK9O3S-M), Version 12.2(29), RELEASE SOFTWARE
Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Wed 11-May-05 17:27
IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.3(12a), RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Thu 13-Jan-05 18:06

2. Clock and RSA key pair on c2620-1
c2620-1# clock set 9:51:00 1 aug 2005      (certificate validity is checked against the router clock; set it, or use NTP, before authenticating the CA)
c2620-1# conf t
c2620-1(config)# crypto key generate rsa
The name for the keys will be: <router FQDN>
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
Generating RSA keys ...
c2620-1# sh crypto key mypubkey rsa
% Key pair was generated at: 00:27:55 UTC Mar 1 1993
Key name: <...>
 Usage: General Purpose Key
 Key Data (tail of the dump):
 F365333E4192C91610EE40EDF970F2C4B55DCDD04C8CE845055646C6DCD00BC24B73DB38860CE2558190090F7DD2B2673D48135CA2E48749BFDE287DB0756B7DCFCF9BA603EAF01D3CC65B4C71CF96F217D441DFDB0203010001
% Key pair was generated at: 00:28:01 UTC Mar 1 1993
Key name: <...>
 Usage: Encryption Key
 Key Data (beginning of the dump):
 307C300D06092A864886F70D0101010500036B003068026100AAC8FABE1DED99D779486392D568EB45F0965C07B92E024AEE3DBD02DC0341

The 1024-bit modulus chosen here was acceptable in 2005; today 2048 bits is the usual minimum, and the 512-bit default offered by this IOS should never be accepted.

3. CA trustpoint on c2620-1 (in IOS 12.3 the command is crypto ca trustpoint)
c2620-1(config)# crypto ca identity ccsp-lab-vpc
c2620-1(ca-identity)# enrollment url <SCEP URL of the CA>
c2620-1(config)# crypto ca authenticate ccsp-lab-vpc
Certificate has the following attributes:
Fingerprint: <...>
% Do you accept this certificate? [yes/no]: yes
The fingerprint displayed here is the trust anchor for every later IKE authentication; compare it with a value obtained from the CA administrator out of band before answering yes.

c2620-1# sh crypto ca certificates
RA Signature Certificate
  Status: Available
  Certificate Serial Number: 113B85F5000000000002
  Key Usage: Signature
  Subject: EA=wa..., CN=itany, OU=tech, O=itany, L=NJ, C=<...>
  CRL Distribution Point: <...>.crl
  Validity Date: start date: 09:09:46 UTC Jul 29 <year>; end date: 09:19:46 UTC Jul 29 2006
  Associated Identity: ccsp-lab-vpc
RA KeyEncipher Certificate
  Status: Available
  Certificate Serial Number: 113B8790000000000003
  Key Usage: Encryption
  Subject: EA=wa..., CN=itany, OU=tech, O=itany, L=NJ, C=<...>
  CRL Distribution Point: <...>.crl
  Validity Date: start date: 09:09:47 UTC Jul 29 <year>; end date: 09:19:47 UTC Jul 29 2006
  Associated Identity: ccsp-lab-vpc
CA Certificate
  Key Usage: Signature
  CN=<...>
  CRL Distribution Point: <...>.crl
  Validity Date: start date: 15:30:35 UTC Jul 2 <year>; end date: 15:38:16 UTC Jul 2 2007
  Associated Identity: ccsp-lab-vpc

4. Enroll with the CA
c2620-1(config)# crypto ca enroll ccsp-lab-vpc
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it.
Password: <challenge password>
Re-enter password: <challenge password>
To obtain the challenge password, use a PC that can reach the CA and open the CA's enrollment page in a browser (URL not shown); the CA returns a one-time challenge password (screenshot in the original), valid for 60 minutes. Paste it at the prompt to complete the request.
% The subject name in the certificate will include: <router FQDN>
% Include the router serial number in the subject name? [yes/no]: <answer>
% Include an IP address in the subject name? [yes/no]: <answer>
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
% The 'show crypto ca certificate' command will also show the fingerprint.

c2620-1# sh crypto ca certificates (after the request; RA and CA certificates as above, plus)
Certificate Request
  Subject Name: <...>
  Status: Pending
  Key Usage: General Purpose
  Fingerprint: 6C9511EF 1F589E8A 1BF11473 <...>

c2620-1# sh crypto ca certificates (after the CA has issued the certificate)
Certificate
  Status: Available
  Certificate Serial Number: 1F18A48B000000000004
  Key Usage: General Purpose
  Issuer: CN=<...>
  Subject Name Contains: <...>
  CRL Distribution Point: <...>.crl
  Validity Date: start date: 01:53:34 UTC Aug 1 <year>; end date: 02:03:34 UTC Aug 1 2006
  Associated Identity: ccsp-lab-vpc
(the RA Signature, RA KeyEncipher and CA certificates are listed again as above)

5. IPsec on c2620-1
c2620-1(config)# crypto isakmp enable
c2620-1(config)# crypto isakmp policy 10
c2620-1(config-isakmp)# encryption 3des
c2620-1(config-isakmp)# group 2
(authentication rsa-sig is the policy default, so no authentication line is needed for certificates)
c2620-1(config)# crypto ipsec transform-set cisco esp-3des esp-sha-hmac
c2620-1(cfg-crypto-trans)# mode tunnel
c2620-1(config)# access-list 101 permit ip <c2620-1 LAN> 0.0.0.255 <c2620-2 LAN> 0.0.0.255
c2620-1(config)# crypto map <name> <seq> ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
c2620-1(config-crypto-map)# match address 101
c2620-1(config-crypto-map)# set transform-set cisco
c2620-1(config-crypto-map)# set pfs group 2
c2620-1(config-crypto-map)# set peer <c2620-2 WAN address>      (not shown for c2620-1 in the original, but required, as the NOTE says; c2620-2 has it)
Apply the crypto map to the WAN interface as in Experiment 1.

6. c2620-2
c2620-2# clock set 10:15:00 1 aug 2005
c2620-2(config)# hostname c2620-2
c2620-2(config)# crypto key generate rsa
The name for the keys will be: <router FQDN>
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys ...
c2620-2(config)# ip host cisco-vpc1 <CA address>            (static name-to-address mapping for the CA host)
c2620-2(config)# crypto ca trustpoint ccsp-lab-vpc
c2620-2(ca-trustpoint)# enrollment mode ra
c2620-2(ca-trustpoint)# enrollment url <SCEP URL of the CA>
c2620-2(config)# crypto ca authenticate ccsp-lab-vpc
Certificate has the following attributes:
Fingerprint: <...>
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
c2620-2(config)# crypto ca enroll ccsp-lab-vpc
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it.
Password: <challenge password>
Re-enter password: <challenge password>
% The subject name in the certificate will include: CN=c2620-2
% The fully-qualified domain name in the certificate will be: <FQDN>
% The subject name in the certificate will be: <FQDN>
% Include the router serial number in the subject name? [yes/no]: <answer>
% Include an IP address in the subject name? [no]: n
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
% The 'show crypto ca certificate' command will also show the fingerprint.
c2620-2(config)# crypto isakmp enable
c2620-2(config)# crypto isakmp policy 10
c2620-2(config-isakmp)# encryption 3des
c2620-2(config-isakmp)# group 2
c2620-2(config-isakmp)# hash sha
c2620-2(config)# crypto ipsec transform-set cisco esp-3des esp-sha-hmac
c2620-2(cfg-crypto-trans)# mode tunnel
c2620-2(config)# access-list 101 permit ip <c2620-2 LAN> 0.0.0.255 <c2620-1 LAN> 0.0.0.255
c2620-2(config)# crypto map <name> <seq> ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
c2620-2(config-crypto-map)# match address 101
c2620-2(config-crypto-map)# set pfs group 2
c2620-2(config-crypto-map)# set transform-set cisco
c2620-2(config-crypto-map)# set peer <c2620-1 WAN address>

`set pfs group 2` must be present on both sides, as it is here. Each router's certificate and the RA certificates expire after one year, so the tunnel stops authenticating at that point unless the routers re-enroll; and because the certificates carry a CRL distribution point, the router tries to fetch the CRL when validating the peer, so that URL must stay reachable from both routers.

Lab topology: (figure not reproduced)
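Experiment 7 prints each router's public key with `show crypto key mypubkey rsa` as a hex DER SubjectPublicKeyInfo. The following Python is an added example, not from the manual: it decodes the modulus length from that hex so key sizes can be audited against a floor (2048 bits here). It needs only the DER headers and the first modulus byte, so it also works on a dump that was cut off, such as the page's own Encryption Key dump, which decodes to a 768-bit modulus. The 2048-bit sample key is synthetic, built only to exercise the decoder; the `RSA_OID` constant is the standard rsaEncryption identifier.

```python
"""Audit RSA key sizes from 'show crypto key mypubkey rsa' output.

Added example, not part of the lab manual. IOS prints the public key as a
hex DER SubjectPublicKeyInfo; only the DER headers are decoded here, so a
truncated dump is enough.
"""

RSA_OID = bytes.fromhex("06092A864886F70D010101")   # OID 1.2.840.113549.1.1.1 (rsaEncryption)

# The "Encryption Key" dump shown on the page for c2620-1 (truncated there as well).
PAGE_ENCRYPTION_KEY = (
    "307C300D06092A864886F70D0101010500036B003068026100AAC8FABE1DED99D7"
    "79486392D568EB45F0965C07B92E024AEE3DBD02DC0341")


def _tlv(buf, pos):
    """Decode a DER tag and length at pos -> (tag, length, offset of content)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        return tag, first, pos + 2
    n = first & 0x7F                       # long form: n length bytes follow
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n


def rsa_modulus_bits(hex_dump):
    """Modulus size in bits of an RSA SubjectPublicKeyInfo given as hex text."""
    buf = bytes.fromhex("".join(hex_dump.split()))
    tag, _, pos = _tlv(buf, 0)                 # SubjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, alg_len, pos = _tlv(buf, pos)         # AlgorithmIdentifier ::= SEQUENCE
    if tag != 0x30 or not buf[pos:].startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key")
    pos += alg_len
    tag, _, pos = _tlv(buf, pos)               # subjectPublicKey ::= BIT STRING
    if tag != 0x03 or buf[pos] != 0:
        raise ValueError("unexpected BIT STRING")
    pos += 1                                   # skip the unused-bits byte
    tag, _, pos = _tlv(buf, pos)               # RSAPublicKey ::= SEQUENCE
    tag, n_len, pos = _tlv(buf, pos)           # modulus INTEGER
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    if buf[pos] == 0:                          # leading zero keeps the INTEGER positive
        n_len, pos = n_len - 1, pos + 1
    return 8 * (n_len - 1) + buf[pos].bit_length()


def _der(tag, content):
    """Minimal DER TLV encoder (short and long-form lengths)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_uint(value):
    b = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)


def sample_spki_hex(modulus_bits):
    """Constructed SubjectPublicKeyInfo with a synthetic modulus of the given
    size (not a real key); used only to exercise the decoder."""
    n = (1 << (modulus_bits - 1)) | 0x1234567
    rsa_key = _der(0x30, _der_uint(n) + _der_uint(65537))
    alg = _der(0x30, RSA_OID + b"\x05\x00")
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_key)).hex().upper()


def weak_keys(dumps, minimum_bits=2048):
    """Names of the keys in {name: hex_dump} whose modulus is below minimum_bits."""
    return [name for name, dump in dumps.items() if rsa_modulus_bits(dump) < minimum_bits]


if __name__ == "__main__":
    print("page encryption key:", rsa_modulus_bits(PAGE_ENCRYPTION_KEY), "bits")
    print("below 2048:", weak_keys({"c2620-1 enc": PAGE_ENCRYPTION_KEY,
                                    "sample": sample_spki_hex(2048)}))
```

Run it against the full `show crypto key mypubkey rsa` output of each router (paste the Key Data hex); any key it reports is a candidate for `crypto key zeroize rsa` followed by regeneration and re-enrollment with the CA.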

Experiment 8: DMVPN (multipoint GRE, NHRP and an IPsec profile), hub r1 with spokes r2 and r3

Cisco configuration:

r1# sh run
hostname r1
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco1234 address <spoke address, or 0.0.0.0 0.0.0.0 for any spoke>
!
crypto ipsec transform-set ccie esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile cisco
 set transform-set ccie
!
interface Tunnel0
 ip address <hub tunnel address> <mask>
 no ip redirects
 no ip next-hop-self eigrp 100
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 10000
 no ip split-horizon eigrp 100
 tunnel source Serial0/0
 tunnel mode gre multipoint
 tunnel key 10000
 tunnel protection ipsec profile cisco
!
interface Serial0/0
 ip address <hub WAN address> <mask>
!
interface <LAN interface>
 ip address <hub LAN address> <mask>
!
router eigrp 100
 network <tunnel and LAN networks>
 no auto-summary
ip route <destination> <mask> <next hop>

r2# sh run
hostname r2
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco1234 address <hub address>
!
crypto ipsec transform-set ccie esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile cisco
 set transform-set ccie
!
interface Tunnel0
 ip address <r2 tunnel address> <mask>
 no ip redirects
 ip nhrp authentication cisco
 ip nhrp map multicast <hub WAN address>
 ip nhrp map <hub tunnel address> <hub WAN address>
 ip nhrp network-id 10000
 ip nhrp nhs <hub tunnel address>
 tunnel source Serial0/0
 tunnel mode gre multipoint
 tunnel key 10000
 tunnel protection ipsec profile cisco
!
interface Serial0/0
 ip address <r2 WAN address> <mask>
!
interface <LAN interface>
 ip address <r2 LAN address> <mask>
!
router eigrp 100
 network <tunnel and LAN networks>
 no auto-summary
ip route <destination> <mask> <next hop>

r3# sh run
hostname r3
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco1234 address <hub address>
!
crypto ipsec transform-set ccie esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile cisco
 set transform-set ccie
!
interface Tunnel0
 ip address <r3 tunnel address> <mask>
 no ip redirects
 ip nhrp authentication cisco
 ip nhrp map multicast <hub WAN address>
 ip nhrp map <hub tunnel address> <hub WAN address>
 ip nhrp network-id 10000
 ip nhrp nhs <hub tunnel address>
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 10000
 tunnel protection ipsec profile cisco
!
interface FastEthernet0/0
 ip address <r3 WAN address> <mask>
!
interface <LAN interface>
 ip address <r3 LAN address> <mask>
 duplex auto
 speed auto
!
router eigrp 100
 no auto-summary
!
ip route <destination> <mask> <next hop>

The NHRP authentication string and the tunnel key must be identical on the hub and every spoke (cisco and 10000 here), but neither is a security control: the NHRP string travels in clear text and the tunnel key only demultiplexes GRE. The IPsec pre-shared key does all of the authentication, and if the hub binds it to a wildcard address so that spokes can come from anywhere, one compromised spoke holds the key for the whole DMVPN cloud; certificates are the usual answer at scale.

Experiment 9: Cisco IOS to Cisco ASA LAN-to-LAN with a pre-shared key (the router also performs NAT)

IOS router:
hostname <router>
!
crypto isakmp policy 10
 encr 3des
 hash sha
 group <dh-group>
 authentication pre-share
crypto isakmp key cisco1234 address <ASA outside address>
!
crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
 mode tunnel
!
crypto map cisco 10 ipsec-isakmp
 set peer <ASA outside address>
 set transform-set ccsp
 match address 102
!
interface <inside interface>
 ip address <inside address> <mask>
 ip nat inside
!
interface <outside interface>
 ip address <outside address> <mask>
 ip nat outside
 crypto map cisco
!
ip route <destination> <mask> <next hop>
ip nat inside source list 101 interface e0 overload

Neither access list is legible in the original. Access list 102 (the crypto ACL) must permit the router LAN to the ASA LAN; access list 101 (the NAT ACL) must deny exactly that traffic before its permit line, because NAT is applied before the crypto map and translated packets no longer match access-list 102, so they would leave unencrypted and untunnelled.

ASA:
hostname <asa>
!
interface <outside>
 nameif outside
 security-level 0
 ip address <outside address> <mask>
!
interface <inside>
 nameif inside
 security-level 100
 ip address <inside address> <mask>
!
access-list per-icmp extended permit icmp any any
access-group per-icmp in interface outside
!
access-list <vpn-acl> extended permit ip <ASA LAN> <mask> <router LAN> <mask>
!
global (outside) 1 interface
nat (inside) 0 access-list <vpn-acl>          ! NAT exemption for the tunnel traffic
nat (inside) 1 <inside subnet> <mask>
!
route outside 0.0.0.0 0.0.0.0 <next hop>
!
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 group 2
 lifetime <seconds>
!
tunnel-group <router outside address> type ipsec-l2l
tunnel-group <router outside address> ipsec-attributes
 pre-shared-key *
! New in PIX/ASA 7.x: the pre-shared key is configured under a tunnel-group of type ipsec-l2l. For a LAN-to-LAN tunnel the tunnel-group name must be the peer's IP address, otherwise the ASA cannot find the key for the incoming IKE exchange.
!
crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
crypto map cisco 10 match address <vpn-acl>
crypto map cisco 10 set peer <router outside address>
crypto map cisco 10 set transform-set ccsp
crypto map cisco interface outside

Experiment 10: Easy VPN server on the ASA, Cisco VPN Client on a PC

Equipment: one Cisco ASA and a PC running the Cisco VPN Client (the original repeats the two-router line from the earlier experiments).

interface <outside>
 nameif outside
 security-level 0
 ip address <outside address> <mask>
!
interface <inside>
 nameif inside
 security-level 100
 ip address <inside address> <mask>
!
access-list per-icmp extended permit icmp any any
access-group per-icmp in interface outside
!
nat (inside) 1 <inside subnet> <mask>
global (outside) 1 interface
!
route outside 0.0.0.0 0.0.0.0 <next hop>
!
access-list <vpn-acl> extended permit ip <inside subnet> <mask> <client pool subnet> <mask>
nat (inside) 0 access-list <vpn-acl>          ! NAT exemption for client traffic
!
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 group 2
 lifetime <seconds>
!
ip local pool vpn-pool <first address>-<last address>
!
tunnel-group myezvpn type ipsec-ra
tunnel-group myezvpn general-attributes
 address-pool vpn-pool
 authentication-server-group (outside) LOCAL
tunnel-group myezvpn ipsec-attributes
 pre-shared-key *
!
username wanglinlin password kc0imQBKBLfYhNFb encrypted
!
crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
crypto dynamic-map ezvpn-dynamic-map 10 set transform-set ccsp
crypto dynamic-map ezvpn-dynamic-map 10 set reverse-route
crypto map cisco 10 ipsec-isakmp dynamic ezvpn-dynamic-map
crypto map cisco interface outside

2. Split tunnel
access-list split-tunnel-acl extended permit ip <inside subnet> <mask> any
group-policy mypolicy internal
group-policy mypolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel-acl
tunnel-group myezvpn general-attributes
 default-group-policy mypolicy

Split tunnelling lets the client reach the Internet directly while connected, which also means a compromised client can bridge the Internet into the protected network; apply it only where that trade-off is accepted.

Experiment 11: PPTP and L2TP dial-up

Part 1: PPTP dial-up to a router (the original calls the router the PAC; in PPTP terminology the device terminating client tunnels is the PNS)

1. Preparation on the PAC
PAC(config)# interface <inside interface>
PAC(config-if)# ip address <address> <mask>
PAC(config-if)# no shutdown
PAC(config)# interface <outside interface>
PAC(config-if)# ip address <address> <mask>
PAC(config-if)# no shutdown
PAC(config)# ip route <destination> <mask> <next hop>

2. PPTP on the PAC
PAC(config)# username cisco password 0 <password>
PAC(config)# vpdn enable
PAC(config)# vpdn-group mypptp
PAC(config-vpdn)# accept-dialin
PAC(config-vpdn-acc-in)# protocol pptp
PAC(config-vpdn-acc-in)# virtual-template 1
PAC(config)# interface Virtual-Template1
PAC(config-if)# ip unnumbered e0
PAC(config-if)# encapsulation ppp
PAC(config-if)# peer default ip address pool pptp-user
PAC(config-if)# ppp encrypt mppe 40 required
PAC(config-if)# ppp authentication ms-chap
PAC(config)# ip local pool pptp-user <first address> <last address>

3. Routes on the Windows client
The route through the tunnel must be the one with the lowest metric:
route delete <destination>
route add <destination> mask <mask> <VPN gateway> metric <lower metric>
route add <destination> mask <mask> [internet_gateway] metric <higher metric>

MS-CHAP (version 1) and 40-bit MPPE are both broken: the challenge/response can be cracked offline and 40-bit RC4 is brute-forceable, so this configuration only demonstrates the mechanism. At minimum use `ppp authentication ms-chap-v2` with `ppp encrypt mppe 128 required`, and prefer an IPsec- or TLS-based VPN for real remote access.

Part 2: L2TP dial-up to a router

1. Preparation on the enterprise side
ENT_LNS(config)# interface <inside interface>
ENT_LNS(config-if)# ip address <address> <mask>
ENT_LNS(config-if)# no shutdown
ENT_LNS(config)# interface <outside interface>
ENT_LNS(config-if)# ip address <address> 255.255.255.252
ENT_LNS(config-if)# no shutdown
ENT_LNS(config)# ip route <destination> <mask> <next hop>

2. L2TP on the enterprise side
ENT_LNS(config)# username cisco password 0 <password>
ENT_LNS(config)# vpdn enable
ENT_LNS(config)# vpdn-group myl2tp
ENT_LNS(config-vpdn)# accept-dialin
ENT_LNS(config-vpdn-acc-in)# protocol l2tp
ENT_LNS(config-vpdn-acc-in)# virtual-template 1
ENT_LNS(config-vpdn)# no l2tp tunnel authentication
ENT_LNS(config)# interface Virtual-Template1
ENT_LNS(config-if)# ip unnumbered e0
ENT_LNS(config-if)# encapsulation ppp
ENT_LNS(config-if)# peer default ip address pool l2tp-user
ENT_LNS(config-if)# ppp authentication chap
ENT_LNS(config)# ip local pool l2tp-user <first address> <last address>

3. Windows client settings
Windows 2000/XP/2003 starts IPsec for L2TP by default, so to use plain L2TP the ProhibitIpSec registry value (a DWORD under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters) must be added and set to 1, which stops Windows from creating the automatic filter for L2TP/IPsec traffic. When ProhibitIpSec is 1, a Windows 2000 computer does not create the automatic CA-authenticated filter and instead uses the local IPsec policy or the Active Directory IPsec policy.

With ProhibitIpSec set and no IPsec policy in place, the L2TP session carries everything in clear text: CHAP only protects the password exchange, and `no l2tp tunnel authentication` removes even the tunnel-level check. Plain L2TP is a tunnelling protocol, not an encrypted VPN; that is what the L2TP/IPsec configuration in Part 3 adds.

Part 3: L2TP/IPsec configuration between the router and <...>
1. Preparation for L2TP on the enterprise side
ENT_LNS(config
