IPSec VPN Device and Link Redundancy Backup Lab: Switch Redundant Links



Practice builds the future! I'm FJXSUNMIT, newly arrived here; let's learn and study Cisco technology together!

IPSec VPN device and link redundancy lab (topology diagram above):

Basic lab configuration:

R1:

R1#sh run

hostname R1

no ip domain lookup

!

crypto isakmp policy 10

authentication pre-share

crypto isakmp key sbb address 202.100.1.1

crypto isakmp key sbb address 61.128.128.1

crypto isakmp keepalive 10

!

crypto ipsec transform-set sbb esp-3des esp-md5-hmac

!

crypto map sbb 10 ipsec-isakmp

set peer 202.100.1.1

set peer 61.128.128.1 【configure two peers】

set transform-set sbb

match address 100

!

interface Loopback0

ip address 1.1.1.1 255.255.255.0

!

interface FastEthernet0/0

ip address 10.1.1.1 255.255.255.0

duplex half

crypto map sbb 【bind the crypto map to the interface】

!

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 【specify the static route】

access-list 100 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 【match VPN traffic】

!

line con 0

exec-timeout 0 0

R1#

R2:

hostname R2

!

crypto isakmp policy 10

authentication pre-share

crypto isakmp key sbb address 0.0.0.0 0.0.0.0

crypto isakmp keepalive 10 【keepalive interval】

!

crypto ipsec transform-set sbb esp-3des esp-md5-hmac 【encryption method】

!

crypto dynamic-map sbb 10

set transform-set sbb

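reverse-route 【RRI (Reverse Route Injection) dynamically injects a more specific static route, so traffic leaves through the same device it came in on!】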

!

crypto map sbb 10 ipsec-isakmp dynamic sbb

!

interface FastEthernet0/0

ip address 202.100.1.1 255.255.255.0

duplex half

crypto map sbb 【bind the crypto map to the interface】

!

router ospf 1

log-adjacency-changes

redistribute static subnets

network 2.2.2.0 0.0.0.255 area 0

default-information originate

!

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

line con 0

exec-timeout 0 0

R3:

hostname R3

crypto isakmp policy 10

authentication pre-share

crypto isakmp key sbb address 0.0.0.0 0.0.0.0

crypto isakmp keepalive 10

!

crypto ipsec transform-set sbb esp-3des esp-md5-hmac

!

crypto dynamic-map sbb 10

set transform-set sbb

reverse-route

!

crypto map sbb 10 ipsec-isakmp dynamic sbb

!

interface FastEthernet0/0

ip address 61.128.128.1 255.255.255.0

duplex half

crypto map sbb

!

interface Serial1/0

ip address 2.2.2.3 255.255.255.0

serial restart-delay 0

!

router ospf 1

log-adjacency-changes

redistribute static subnets

network 2.2.2.0 0.0.0.255 area 0

default-information originate

!

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

line con 0

exec-timeout 0 0

R1#sh crypto isakmp sa

dst             src             state          conn-id slot

61.128.128.1    10.1.1.1        QM_IDLE              4    0

R1#sh crypto engine connections active

ID   Interface        IP-Address  State  Algorithm           Encrypt  Decrypt

4    FastEthernet0/0  10.1.1.1    set    HMAC_SHA+DES_56_CB        0        0

2000 FastEthernet0/0  10.1.1.1    set    HMAC_MD5+3DES_56_C        0      251

2001 FastEthernet0/0  10.1.1.1    set    HMAC_MD5+3DES_56_C      251        0

R1#sh crypto ipsec sa

interface: FastEthernet0/0

Crypto map tag: sbb, local addr. 10.1.1.1

protected vrf:

local ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)

current_peer: 61.128.128.1:500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 1308, #pkts encrypt: 1308, #pkts digest 1308

#pkts decaps: 1268, #pkts decrypt: 1268, #pkts verify 1268

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 16, #recv errors 0

local crypto endpt.: 10.1.1.1, remote crypto endpt.: 202.100.1.1

path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

current outbound spi: 0

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

local crypto endpt.: 10.1.1.1, remote crypto endpt.: 61.128.128.1

path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

current outbound spi: E6FFCD15

inbound esp sas:

spi: 0x93B5E8F5(2478172405)

transform: esp-3des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 2000, flow_id: 1, crypto map: sbb

sa timing: remaining key lifetime (k/sec): (4425511/3307)

IV size: 8 bytes

replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0xE6FFCD15(3875523861)

transform: esp-3des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 2001, flow_id: 2, crypto map: sbb

sa timing: remaining key lifetime (k/sec): (4425511/3307)

IV size: 8 bytes

replay detection support: Y

outbound ah sas:

outbound pcp sas:
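
Added example (not part of the original post): a Python parser for the "show crypto ipsec sa" output above that reports which of the two configured peers currently holds an outbound SA, so that a switchover between 202.100.1.1 and 61.128.128.1 can be detected from two snapshots. The function names and the BEFORE snapshot (including its SPI value) are constructed for this example.

```python
import re

# Constructed sample: the peer/SPI lines of the "show crypto ipsec sa" output
# on this page, where the SA is up towards 61.128.128.1.
AFTER = """\
current_peer: 61.128.128.1:500
local crypto endpt.: 10.1.1.1, remote crypto endpt.: 202.100.1.1
current outbound spi: 0
local crypto endpt.: 10.1.1.1, remote crypto endpt.: 61.128.128.1
current outbound spi: E6FFCD15
"""
# Constructed earlier snapshot with the SA on the other peer (SPI value invented).
BEFORE = """\
local crypto endpt.: 10.1.1.1, remote crypto endpt.: 202.100.1.1
current outbound spi: 1A2B3C4D
local crypto endpt.: 10.1.1.1, remote crypto endpt.: 61.128.128.1
current outbound spi: 0
"""

ENDPT = re.compile(r"remote crypto endpt\.:\s*(\d+\.\d+\.\d+\.\d+)")
SPI = re.compile(r"current outbound spi:\s*(?:0x)?([0-9A-Fa-f]+)")


def outbound_spis(show_output):
    """Map each remote crypto endpoint to its current outbound SPI (0 = no SA)."""
    spis, peer = {}, None
    for line in show_output.splitlines():
        m = ENDPT.search(line)
        if m:
            peer = m.group(1)
            continue
        m = SPI.search(line)
        if m and peer is not None:
            spis[peer] = int(m.group(1), 16)
            peer = None
    return spis


def active_peers(show_output):
    """Peers that currently have a non-zero outbound SPI."""
    return sorted(p for p, spi in outbound_spis(show_output).items() if spi)


def failover(before, after):
    """Return (old, new) peer lists if the peers holding SAs changed, else None."""
    old, new = active_peers(before), active_peers(after)
    return (old, new) if old != new else None
```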

R1#sh crypto isakmp policy

Global IKE policy

Protection suite of priority 10

encryption algorithm: DES - Data Encryption Standard (56 bit keys).

hash algorithm: Secure Hash Standard

authentication method: Pre-Shared Key

Diffie-Hellman group: #1 (768 bit)

lifetime: 86400 seconds, no volume limit

Default protection suite

encryption algorithm: DES - Data Encryption Standard (56 bit keys).

hash algorithm: Secure Hash Standard

authentication method: Rivest-Shamir-Adleman Signature

Diffie-Hellman group: #1 (768 bit)

lifetime: 86400 seconds, no volume limit

R1#
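
Added example (not part of the original post): a Python check that flags the weak settings visible in this lab, namely the IKE policy falling back to DES and Diffie-Hellman group 1 as the "show crypto isakmp policy" output above reports, the esp-3des/esp-md5-hmac transform set, the wildcard pre-shared key on R2 and R3, and "exec-timeout 0 0". The function name audit, the rule names and the weak-algorithm lists are assumptions of this example.

```python
import re

# Constructed sample: the crypto-relevant lines of R2's configuration on this page.
R2_CONFIG = """\
crypto isakmp policy 10
authentication pre-share
crypto isakmp key sbb address 0.0.0.0 0.0.0.0
crypto ipsec transform-set sbb esp-3des esp-md5-hmac
line con 0
exec-timeout 0 0
"""

# Defaults as printed by "show crypto isakmp policy" on this page.
POLICY_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1"}
WEAK_POLICY = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}
POLICY_WORDS = {"authentication", "encryption", "hash", "group", "lifetime"}


def audit(config):
    """Return sorted (rule, detail) findings for an IOS running-config text."""
    findings, policies, current = set(), {}, None
    for line in (l.strip() for l in config.splitlines()):
        words = line.split()
        if not words:
            continue  # blank lines do not end a policy block
        m = re.fullmatch(r"crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(m.group(1), dict(POLICY_DEFAULTS))
        elif current is not None and words[0] in POLICY_WORDS:
            if words[0] in current and len(words) > 1:
                current[words[0]] = words[1]  # explicit value overrides the default
        else:
            current = None  # any other command ends the policy block
        if re.fullmatch(r"crypto isakmp key \S+ address 0\.0\.0\.0( 0\.0\.0\.0)?", line):
            findings.add(("wildcard-psk", "pre-shared key accepted from any peer address"))
        if line.startswith("crypto ipsec transform-set "):
            for t in sorted(WEAK_TRANSFORMS.intersection(words[4:])):
                findings.add(("weak-transform", f"{words[3]}: {t}"))
        if line == "exec-timeout 0 0":
            findings.add(("no-exec-timeout", "line session never times out"))
    for num, params in policies.items():
        for key, value in params.items():
            if value in WEAK_POLICY[key]:
                findings.add(("weak-ike", f"policy {num}: {key} {value}"))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(R2_CONFIG), sep="\n")
```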

Lab test results:

R1#ping 2.2.2.3 source 1.1.1.1 repeat 500

Type escape sequence to abort.

Sending 500, 100-byte ICMP Echos to 2.2.2.3, timeout is 2 seconds:

Packet sent with a source address of 1.1.1.1

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.............!!!!!!!!!!!!【when one headquarters interface is shut down】

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!...

Success rate is 96 percent (484/500), round-trip min/avg/max = 44/107/1336 ms

R1#ping 2.2.2.3 source 1.1.1.1 repeat 500

Type escape sequence to abort.

Sending 500, 100-byte ICMP Echos to 2.2.2.3, timeout is 2 seconds:

Packet sent with a source address of 1.1.1.1

..............!!

*Mar 15 14:36:51.599: %CRYPTO-4-IKMP_NO_SA: IKE message from 202.100.1.1 has no SA and is not an initialization offer!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!.【switchover succeeded】

*Mar 15 14:37:10.283: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for

destaddr=10.1.1.1, prot=50, spi=0xF44B9632(-196372942), srcaddr=61.128.128.1.......!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

  
