Cisco路由器配置IPSCE动态加密

实验环境:

A公司总部路由器A要和分支机构路由器B进行×××通信,采用三层IPSEC-×××,现由于分支机构采用DLINK ×××设备,无法设置IP,总部决定部署动态IPSEC加密,现拓扑如下:1.1.1.0/24模拟总部内部网络网段,2.2.2.0/24模拟分支机构内部网络网段。
 

1、总部配置:
interface Loopback0
ip address 1.1.1.1 255.255.255.0       //设置通信点IP
interface Serial0/0
ip address 218.16.1.1 255.255.255.0
no shut
crypto map ccnp
ip route 0.0.0.0 0.0.0.0 218.16.1.2     //加密点之间必须要能相互通信
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 6 ciscoh3c address 0.0.0.0 0.0.0.0  
//中心有固定的IP地址,而分支机构由于设备原因无固定IP,密钥必须匹配
crypto ipsec transform-set ccna esp-3des esp-md5-hmac
mode tunnel
crypto dynamic-map ccnp 10     //动态加密配置
set transform-set ccna 
//中心不设置感兴趣流和PEER,而采取自动协商策略,后续测试网络必须从分支机构开始,否则无法测试成功。     
crypto map ccnp 10 ipsec-isakmp dynamic ccnp
 
2、互联网路由器配置:
int s0/0
ip add 218.16.1.2 255.255.255.0
no shut
int s0/1
ip add 222.16.1.2 255.255.255.0
no shut
 
3、分支机构:
int loopback 0
ip add 2.2.2.2 255.255.255.0
int s0/1
ip add 222.16.1.1 255.255.255.0
no shut
crypto map ccnp
ip route 0.0.0.0 0.0.0.0 222.16.1.2
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 6 ciscoh3c address 218.16.1.1 
//分支机构必须有到总部的IP地址,不能像总部一样采取全0,否则两端无法协商
crypto ipsec transform-set ccna esp-3des esp-md5-hmac
mode tunnel
crypto map ccnp 10 ipsec-isakmp     //常规IPSEC的配置
set peer 218.16.1.1
set transform-set ccna
match address 101
access-list 101 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
//分支机构需配置感兴趣流
 
4、测试:
(1)总部PING分支机构:
R1#ping 2.2.2.2 source 1.1.1.1 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
......................................................................
..............................
Success rate is 0 percent (0/100)
//因为总部不知道如何与分支机构协商,没有分支机构的IP
 
(2)分支机构PING总部:
R3#ping 1.1.1.1 source 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
.!!!!           //可以PING通,因为之间已经协商好了策略
 
(3)总部再PING分支机构:
R1#ping 2.2.2.2 source 1.1.1.1 repeat 50
Type escape sequence to abort.
Sending 50, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
//PING通了,因为策略已经协商完成
 
(4)显示ISAKMP关联协商:
R1#show crypto isakmp sa
dst             src             state          conn-id slot status
218.16.1.1      222.16.1.1      QM_IDLE              1    0 ACTIVE
(5)显示IPSEC关联协商:
R1#show crypto ipsec sa
interface: Serial0/0
    Crypto map tag: ccnp, local addr 218.16.1.1
 protected vrf: (none)
   local ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
   current_peer 222.16.1.1 port 500
     PERMIT, flags={}
    #pkts encaps: 139, #pkts encrypt: 139, #pkts digest: 139
    #pkts decaps: 139, #pkts decrypt: 139, #pkts verify: 139
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
 local crypto endpt.: 218.16.1.1, remote crypto endpt.: 222.16.1.1
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x94AE7A86(2494462598)
    inbound esp sas:
      spi: 0xB64162(11944290)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: 1, crypto map: ccnp
        sa timing: remaining key lifetime (k/sec): (4563637/3497)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
    inbound ah sas:
    inbound pcp sas:
       outbound esp sas:
      spi: 0x94AE7A86(2494462598)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: 2, crypto map: ccnp
        sa timing: remaining key lifetime (k/sec): (4563637/3490)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
    outbound ah sas:
    outbound pcp sas:
 
(6)显示接口加解密情况:
R1# show crypto engine connections active
 ID Interface         IP-Address      State Algorithm           Encrypt Decrypt 1 Serial0/0            218.16.1.1      set    HMAC_MD5+3DES_56_C        0        0
2001 Serial0/0        218.16.1.1      set    3DES+MD5                 0      139
2002 Serial0/0         218.16.1.1      set    3DES+MD5                139        0