Cisco + IPsec + NAT configuration example

Posted 2009-07-01 10:32

1. Background
An IPsec VPN is a VPN built on the IPsec protocol suite, typically used for remote access and site-to-site links. IPsec is an IETF (Internet Engineering Task Force) security standard that was still being refined when this was written; it is a broad, open suite of VPN security protocols that protects all traffic at the network layer and gives transparent secure communication to everything above it. Because it works at the network layer, IPsec does not pass through ordinary NAT devices and firewalls unaided: AH can never traverse NAT, since its integrity check covers the IP addresses that NAT rewrites, and ESP needs NAT Traversal (ESP carried inside UDP port 4500) to do so. The lab below avoids this problem by placing NAT and the crypto map on the same router and excluding the VPN traffic from translation.
First, a closer look at the IPsec protocol suite:
  The IP Security protocol (IPsec) implements a VPN through tunnelling. IPsec has two modes: tunnel mode and transport mode. IPsec is not a single protocol but a complete architecture for securing data at the IP layer, comprising the Authentication Header (AH) protocol, the Encapsulating Security Payload (ESP) protocol, the Internet Key Exchange (IKE) key-management protocol, and the authentication and encryption algorithms they use. IPsec specifies how peers choose security protocols, agree on algorithms and exchange keys, and offers the layers above it access control, data-origin authentication, encryption and other security services.
  The main security properties of IPsec are:
  Non-repudiation: non-repudiation proves that the sender is the only party that could have sent a message, so the sender cannot later deny having sent it. It is a property of public-key techniques: the sender produces a digital signature with its private key and sends it with the message, and the receiver verifies the signature with the sender's public key. Since in principle only the sender holds the private key, only the sender could have produced the signature, so once the signature verifies the sender cannot deny the message. Non-repudiation is not a property of shared-key authentication, because there the sender and receiver hold the same key and either of them could have produced the check value. The lab below authenticates with pre-shared keys, so it gets peer authentication but not non-repudiation.
  Anti-replay: anti-replay guarantees that each IP packet is unique, so that a packet which has been captured and copied cannot be re-injected and delivered to its destination again. This stops an attacker who has captured traffic from resending the same packets to obtain access illegitimately, even months later. ESP implements it with a per-packet sequence number that the receiver checks against a sliding window.
  Data integrity: prevents data from being altered in transit and ensures that what is received is what was sent. IPsec uses a keyed hash (an HMAC; esp-sha-hmac in the transform sets below) to compute an integrity check value for each packet; the receiver recomputes it before processing the packet, and if the values differ the packet is dropped.
  Confidentiality (encryption): data is encrypted before transmission, so that even if a packet is captured its contents cannot be read. Encryption is optional in IPsec (AH provides none) and depends on the IPsec policy in use.
  Authentication: the data source presents credentials, and the receiver verifies them; only systems that pass authentication may establish a connection.
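The anti-replay and integrity properties above are what the receiver of an ESP packet enforces before it looks at the payload. The following is an added example, written for this page rather than taken from the original post or from any IPsec implementation, that models that receive path in Python: a keyed hash over SPI, sequence number and payload (HMAC-SHA1 truncated to 96 bits, which is what esp-sha-hmac in the transform sets below denotes) and the RFC 4303 sliding anti-replay window. Encryption is left out so the two checks stay visible, the packet layout is simplified, and the key and traffic are constructed for the demo.

```python
import hmac
import hashlib
import struct

ICV_LEN = 12  # HMAC-SHA1-96: the 160-bit SHA-1 HMAC truncated to 96 bits (esp-sha-hmac)


def esp_protect(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender side: SPI | sequence number | payload | ICV (keyed hash over all of it).
    Simplified layout; encryption is omitted so the integrity/replay logic stays visible."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(key, header + payload, hashlib.sha1).digest()[:ICV_LEN]
    return header + payload + icv


class EspReceiver:
    """Receiver side of one inbound SA: integrity check plus an RFC 4303-style
    sliding anti-replay window over the 32-bit sequence number."""

    def __init__(self, key: bytes, window: int = 64):
        self.key = key
        self.window = window
        self.top = 0      # highest sequence number accepted so far (right edge of the window)
        self.bitmap = 0   # bit i set => sequence number (top - i) has already been accepted

    def receive(self, datagram: bytes):
        """Return (accepted, reason)."""
        if len(datagram) < 8 + ICV_LEN:
            return False, "short"
        body, icv = datagram[:-ICV_LEN], datagram[-ICV_LEN:]
        _spi, seq = struct.unpack("!II", body[:8])
        offset = self.top - seq
        # 1. Preliminary replay check on the sequence number: cheap, so a replay flood
        #    costs no hashing. The window is not updated yet.
        if seq <= self.top:
            if offset >= self.window:
                return False, "too old"     # left of the window: cannot tell, so reject
            if self.bitmap & (1 << offset):
                return False, "replay"      # already accepted once
        # 2. Integrity: recompute the keyed hash and compare in constant time.
        expected = hmac.new(self.key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return False, "bad icv"         # forged or modified in transit; window untouched
        # 3. Only a packet that passed the ICV check advances or marks the window.
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.top = seq
            return True, "new"
        self.bitmap |= 1 << offset
        return True, "late"                 # out of order, but inside the window and unseen


def run_demo():
    """Constructed traffic on one SA; returns the list of verdicts in order."""
    key = b"constructed-demo-key"   # in real IPsec the SA key comes from IKE, never from config text
    rx = EspReceiver(key)
    p1 = esp_protect(key, 0x1234, 1, b"first")
    p4 = esp_protect(key, 0x1234, 4, b"fourth")
    tampered = p4[:8] + b"X" + p4[9:]   # alter one payload byte, keep the original ICV
    return [
        rx.receive(p1),                                      # (True, "new")
        rx.receive(p1),                                      # (False, "replay")
        rx.receive(esp_protect(key, 0x1234, 3, b"third")),   # (True, "new")
        rx.receive(esp_protect(key, 0x1234, 2, b"second")),  # (True, "late")
        rx.receive(tampered),                                # (False, "bad icv")
        rx.receive(p4),                                      # (True, "new")
    ]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The order of the checks matters: the sequence-number test runs before the HMAC so that replayed packets are rejected without spending hash computations, but the window is only advanced after the ICV verifies, otherwise an attacker could slide the window forward with forged packets and cause legitimate ones to be dropped as "too old".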
2. Network diagram

(The diagram image is not present in this copy; the topology below is reconstructed from the running configurations in section 3.)

r5 Lo0 5.5.5.5, Fa0/0 10.10.9.2 ---- 10.10.9.1 Fa0/0 [r3] POS3/0 10.10.10.2 ---- 10.10.10.1 POS1/0 [r1] Fa0/0 10.10.11.1 ---- 10.10.11.2 Fa0/0 [r2] Fa2/0 10.10.12.1 ---- 10.10.12.2 Fa0/0 r4, Lo0 4.4.4.4

r1 is the untrusted transit router. r2 and r3 are the IPsec peers and NAT gateways (r2 peers from 10.10.11.2, r3 from 10.10.10.2). r4 and r5 are the protected hosts, reached through their loopbacks 4.4.4.4 and 5.5.5.5.

3. Router configurations

r1 is plain transit and carries no crypto. r2 and r3 are the IPsec peers: ACL 105 on each selects the traffic to protect (4.4.4.4 <-> 5.5.5.5), and the first entry of ACL 150, referenced by route-map abc, is a NAT exemption for exactly that traffic. The exemption is required because IOS translates inside-to-outside packets before it evaluates the crypto map; without it the source would be rewritten to the outside address, ACL 105 would no longer match, and the packets would leave in the clear. Two caveats on the crypto settings as captured: esp-des is 56-bit DES and should not be used for anything new (esp-aes is the minimum today), and the pre-shared key abc2001 appears in clear text in the running configuration. r3's transform set also specifies mode transport, which IOS can apply only when the protected addresses are the peers' own addresses; here they are not, so the SA is negotiated in tunnel mode, which is what r2 (no mode line, so tunnel mode by default) proposes.
router1:
r1#show run
Building configuration...

Current configuration : 725 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
ip cef
ip audit po max-events 100
!
!
interface FastEthernet0/0
ip address 10.10.11.1 255.255.255.0
duplex full
!
interface POS1/0
ip address 10.10.10.1 255.255.255.0
encapsulation ppp
!
interface FastEthernet2/0
no ip address
shutdown
duplex half
!
interface FastEthernet3/0
no ip address
shutdown
duplex half
!
ip classless
no ip http server
no ip http secure-server
!
!
gatekeeper
shutdown
!
!
line con 0
stopbits 1
line aux 0
line vty 0 4
!
!
end

r1#


router2:
r2# show run
Building configuration...

Current configuration : 1359 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
ip cef
ip audit po max-events 100
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key abc2001 address 10.10.10.2
!
!
crypto ipsec transform-set abc-des esp-des esp-sha-hmac
!
crypto map abc local-address FastEthernet0/0
crypto map abc 20 ipsec-isakmp
set peer 10.10.10.2
set transform-set abc-des
match address 105
!
!
!
!
interface FastEthernet0/0
ip address 10.10.11.2 255.255.255.0
ip nat outside
duplex full
crypto map abc
!
interface FastEthernet1/0
no ip address
shutdown
duplex half
!
interface FastEthernet2/0
ip address 10.10.12.1 255.255.255.0
ip nat inside
duplex full
!
interface POS3/0
no ip address
shutdown
!
ip nat inside source route-map abc interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.11.1
no ip http server
no ip http secure-server
!
!
access-list 105 permit ip host 4.4.4.4 host 5.5.5.5
access-list 150 deny   ip host 4.4.4.4 host 5.5.5.5
access-list 150 permit ip host 4.4.4.4 any
!
route-map abc permit 10
match ip address 150
!
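The interaction that makes the deny entry in ACL 150 necessary is easy to get wrong, so here is an added worked example (a Python model written for this page, not Cisco code and not from the original post) that replays the IOS inside-to-outside order of operations on r2: NAT via route-map abc and ACL 150 first, then the crypto map's ACL 105 against the already-translated packet. The ACL lines are copied from r2's running config above; the variant without the deny line is a constructed misconfiguration that shows the failure mode (the VPN traffic is translated, no longer matches ACL 105, and leaves in clear text). The ACL parser handles only the host, any and wildcard forms used in this lab.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    encrypted: bool = False      # True once the crypto map has claimed the packet


def _parse_addr(toks):
    """Consume one IOS address spec: 'host A', 'any', or 'A WILDCARD'."""
    if toks[0] == "host":
        return ipaddress.ip_network(f"{toks[1]}/32"), toks[2:]
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    # ipaddress accepts an IOS wildcard (hostmask) in place of a prefix length
    return ipaddress.ip_network(f"{toks[0]}/{toks[1]}", strict=False), toks[2:]


def parse_acls(config_text):
    """{acl_number: [Ace, ...]} from 'access-list N permit|deny ip SRC DST' lines."""
    acls = {}
    for line in config_text.splitlines():
        toks = line.split()
        if len(toks) < 6 or toks[0] != "access-list" or toks[3] != "ip":
            continue   # only extended 'ip' entries appear in this lab
        src, rest = _parse_addr(toks[4:])
        dst, _ = _parse_addr(rest)
        acls.setdefault(int(toks[1]), []).append(Ace(toks[2], src, dst))
    return acls


def acl_permits(aces, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in aces:
        if pkt.src in ace.src and pkt.dst in ace.dst:
            return ace.action == "permit"
    return False


def inside_to_outside(pkt, acls, nat_acl, crypto_acl, outside_ip):
    """IOS order for inside->outside traffic: NAT first, then the crypto map.
    'ip nat inside source route-map abc interface X overload' rewrites the
    source to X's address when the route-map's ACL permits the packet; the
    crypto map's ACL is then matched against the post-NAT packet."""
    if acl_permits(acls[nat_acl], pkt):
        pkt = replace(pkt, src=ipaddress.ip_address(outside_ip))
    if acl_permits(acls[crypto_acl], pkt):
        pkt = replace(pkt, encrypted=True)
    return pkt


# ACL lines as they appear in r2's running config
R2_ACLS = """\
access-list 105 permit ip host 4.4.4.4 host 5.5.5.5
access-list 150 deny   ip host 4.4.4.4 host 5.5.5.5
access-list 150 permit ip host 4.4.4.4 any
"""
# Constructed misconfiguration: the NAT-exemption deny entry was left out
R2_ACLS_NO_EXEMPTION = """\
access-list 105 permit ip host 4.4.4.4 host 5.5.5.5
access-list 150 permit ip host 4.4.4.4 any
"""
R2_OUTSIDE = "10.10.11.2"   # r2 FastEthernet0/0: the NAT outside and crypto-map interface


def r2_forward(src, dst, config=R2_ACLS):
    """Return (source after NAT, destination, encrypted?) for a packet leaving r2."""
    pkt = Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst))
    out = inside_to_outside(pkt, parse_acls(config), nat_acl=150, crypto_acl=105,
                            outside_ip=R2_OUTSIDE)
    return str(out.src), str(out.dst), out.encrypted


if __name__ == "__main__":
    print(r2_forward("4.4.4.4", "5.5.5.5"))       # exempt from NAT, encrypted
    print(r2_forward("4.4.4.4", "10.10.11.1"))    # translated to 10.10.11.2, clear text
    print(r2_forward("4.4.4.4", "5.5.5.5", R2_ACLS_NO_EXEMPTION))  # translated, leaks in the clear
```

The third call is the one to remember: with the deny entry missing nothing fails loudly, the ping still succeeds through plain NAT, and the only sign that the tunnel is unused is that the encaps counter in show crypto ipsec sa stays at zero.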
router3:
r3#show run
Building configuration...

Current configuration : 1409 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
ip cef
ip audit po max-events 100
!
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key abc2001 address 10.10.11.2
!
!
crypto ipsec transform-set abc-des esp-des esp-sha-hmac
mode transport
!
crypto map abc local-address POS3/0
crypto map abc 20 ipsec-isakmp
set peer 10.10.11.2
set transform-set abc-des
match address 105
!
!
!
!
interface FastEthernet0/0
ip address 10.10.9.1 255.255.255.0
ip nat inside
duplex full
!
interface FastEthernet1/0
no ip address
shutdown
duplex half
!
interface FastEthernet2/0
no ip address
shutdown
duplex half
!
interface POS3/0
ip address 10.10.10.2 255.255.255.0
ip nat outside
encapsulation ppp
crypto map abc
!
ip nat inside source route-map abc interface POS3/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route 5.5.5.5 255.255.255.255 10.10.9.2
no ip http server
no ip http secure-server
!
!
access-list 105 permit ip host 5.5.5.5 host 4.4.4.4
access-list 150 deny   ip host 5.5.5.5 host 4.4.4.4
access-list 150 permit ip any any
!
route-map abc permit 10
match ip address 150
!
!
gatekeeper
shutdown
!
!
line con 0
stopbits 1
line aux 0
line vty 0 4
!
!
end

r3#

router4:

r4#show run
Building configuration...

Current configuration : 788 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r4
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
ip cef
ip audit po max-events 100
!
!
interface Loopback0
ip address 4.4.4.4 255.255.255.255
!
interface FastEthernet0/0
ip address 10.10.12.2 255.255.255.0
duplex full
!
interface POS1/0
no ip address
shutdown
!
interface FastEthernet2/0
no ip address
shutdown
duplex half
!
interface FastEthernet3/0
no ip address
shutdown
duplex half
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.12.1
no ip http server
no ip http secure-server
!
!
gatekeeper
shutdown
!
!
line con 0
stopbits 1
line aux 0
line vty 0 4
!
!
end

r4#

router5:
r5#show run
Building configuration...

Current configuration : 786 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r5
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
ip cef
ip audit po max-events 100
!
!
interface Loopback0
ip address 5.5.5.5 255.255.255.255
!
interface FastEthernet0/0
ip address 10.10.9.2 255.255.255.0
duplex full
!
interface FastEthernet1/0
no ip address
shutdown
duplex half
!
interface FastEthernet2/0
no ip address
shutdown
duplex half
!
interface POS3/0
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.9.1
no ip http server
no ip http secure-server
!
!
gatekeeper
shutdown
!
!
line con 0
stopbits 1
line aux 0
line vty 0 4
!
!
end

4. Traffic test

The pings below exercise both paths: 4.4.4.4 <-> 5.5.5.5 should go through the tunnel, while 4.4.4.4 -> 10.10.11.1 and 5.5.5.5 -> 10.10.11.2 are translated by NAT and sent in the clear. A successful ping alone does not prove which path was taken; on r2 or r3, show crypto ipsec sa should show the #pkts encaps and #pkts decaps counters rising only for the 4.4.4.4/5.5.5.5 flow, and show ip nat translations should contain no entry for that flow.
r5#ping
Protocol [ip]:
Target IP address: 4.4.4.4
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 5.5.5.5
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 5.5.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 504/1323/1936 ms
r5#

r4#ping
Protocol [ip]:
Target IP address: 5.5.5.5
Repeat count [5]: 10
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 4.4.4.4
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.4
.!!!.!!!!!
Success rate is 80 percent (8/10), round-trip min/avg/max = 872/1371/1872 ms


r4#ping
Protocol [ip]:
Target IP address: 10.10.11.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 4.4.4.4
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.11.1, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 84/419/1288 ms

r5#ping
Protocol [ip]:
Target IP address: 10.10.11.2
Repeat count [5]: 10
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 5.5.5.5
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 10.10.11.2, timeout is 2 seconds:
Packet sent with a source address of 5.5.5.5
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 376/1158/1656 ms
r5#



This article comes from the ChinaUnix blog; the original is at: http://blog.chinaunix.net/u/17811/showart_1982501.html

Posted 2015-07-01 10:32
Last edited by a49410335 on 2015-07-01 10:32

Simple and clear, and the configuration is easy to follow.