
Configuring IPsec on Cisco (cisco security crypt ipsec tunnel vpn)


Keywords: cisco, security, crypt, ipsec, tunnel, vpn
From: Rob Thomas <robt@cymru.com>
Subject: Configuring IPsec on Cisco

Configuring IPsec on Cisco routers
Rob Thomas robt@cymru.com
Original document: http://www.cymru.com/Documents/cisco-ipsec-howto.txt

Network layout:

    Sun SPARC 20   192.168.80.9/24
          |
    192.168.80.222/24
    Cisco 2514
    192.168.10.1/30
          |
    192.168.10.2/30
    Cisco 2514
    10.10.10.1/24

Connectivity can be checked with ping or telnet from host 192.168.0.9 to 10.10.10.1. Routing is static.

We configure an IPsec tunnel on the router between the endpoints 192.168.10.1 and 192.168.10.2:

    ! @(#)IPsec Cisco router configuration  10 MAY 2000  Rob Thomas robt@cymru.com
    !
    crypto isakmp policy 1
     ! Set the crypto policy to ISAKMP, priority 1.
     hash md5
     ! Use MD5 as the authentication algorithm (instead
     ! of SHA, which is slower yet more secure).
     authentication pre-share
     ! Utilize the hard-coded key "123FOO123".
    !
    crypto isakmp key 123FOO123 address 192.168.10.2
    ! Set the key and the peer with whom to share the
    ! key. Be careful not to share this with anyone!
    !
    crypto ipsec transform-set OURIPS esp-des esp-md5-hmac
    ! Create a transform set called OURIPS that utilizes
    ! ESP (Encapsulating Security Payload) encrypted with
    ! DES and authenticated with MD5. In this case, we
    ! will encrypt only the payload of the packet, not the
    ! header.
    !
    crypto map IPSEC-TO-RMT local-address Ethernet0
    ! Specify that the crypto map called IPSEC-TO-RMT
    ! will use the local-address on E0 for identification
    ! purposes. This is not always necessary, but makes
    ! for nice documentation.
    !
    crypto map IPSEC-TO-RMT 1 ipsec-isakmp
    ! Map IPSEC-TO-RMT, sequence number 1, that uses
    ! ISAKMP for key exchange.
     set peer 192.168.10.2
     ! Our remote peer
     set transform-set OURIPS
     ! Apply the proper transform set (q.v.)
     match address IPSEC-TUN
     ! Only IPSEC the packets that match the extended
     ! ACL named IPSEC-TUN
    !
    ip access-list extended IPSEC-TUN
    ! Build an ACL to use for IPSEC.
     remark IPSEC ACL
     ! Comments are good. :-)
     permit ip any any
     ! This is a bit misleading. While it will attempt
     ! to ESP encrypt all packets, multicast packets can
     ! not be encrypted with IPSEC. For multicast packets,
     ! a GRE tunnel must be used. Recall that most
     ! routing protocols use multicast (OSPF, RIP v2) for
     ! the routing updates.
    !
    interface Ethernet0
     ip address 192.168.10.1 255.255.255.252
     no ip redirects
     no ip proxy-arp
     no ip mroute-cache
     crypto map IPSEC-TO-RMT
     ! Apply the crypto map IPSEC-TO-RMT to the e0
     ! interface.

Without IPsec (packet trace of a ping from the Sun host):

    192.168.80.9 -> 10.10.10.1   ICMP Echo request
    10.10.10.1 -> 192.168.80.9   ICMP Echo reply
    192.168.80.9 -> 10.10.10.1   ICMP Echo request
    10.10.10.1 -> 192.168.80.9   ICMP Echo reply
    192.168.80.9 -> 10.10.10.1   ICMP Echo request
    10.10.10.1 -> 192.168.80.9   ICMP Echo reply

With the IPsec tunnel applied (only the tunnel endpoints and an opaque IP payload are visible):

    192.168.10.1 -> 192.168.10.2   IP D=192.168.10.2 S=192.168.10.1 LEN=136, ID=243
    192.168.10.2 -> 192.168.10.1   IP D=192.168.10.1 S=192.168.10.2 LEN=136, ID=625
    192.168.10.1 -> 192.168.10.2   IP D=192.168.10.2 S=192.168.10.1 LEN=136, ID=244
    192.168.10.2 -> 192.168.10.1   IP D=192.168.10.1 S=192.168.10.2 LEN=136, ID=628
    192.168.10.1 -> 192.168.10.2   IP D=192.168.10.2 S=192.168.10.1 LEN=136, ID=245

Rob Thomas, robt@cymru.com
http://www.enteract.com/~robt
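The configuration above dates from 2000 and uses MD5, DES, a cleartext pre-shared key and a `permit ip any any` crypto ACL. As an added example (not part of Rob Thomas's howto), here is a small audit script that walks an IOS configuration like this one and flags those settings, plus crypto-map references to a transform set or ACL that is never defined. The sample config is a comment-stripped copy of the page's own commands; the lists of "weak" algorithms are my own choices.

```python
# Audit a Cisco IOS IKE/IPsec configuration for weak settings (constructed example).
WEAK_CIPHERS = {"esp-des", "esp-3des", "esp-null"}   # ESP encryption transforms to flag
WEAK_HASHES = {"md5", "esp-md5-hmac"}                # IKE hash / ESP integrity to flag

# Constructed sample: the command lines of the page's configuration, comments removed.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key 123FOO123 address 192.168.10.2
crypto ipsec transform-set OURIPS esp-des esp-md5-hmac
crypto map IPSEC-TO-RMT 1 ipsec-isakmp
 set peer 192.168.10.2
 set transform-set OURIPS
 match address IPSEC-TUN
ip access-list extended IPSEC-TUN
 permit ip any any
"""

def audit_ipsec_config(text):
    """Return a list of finding strings for the IOS config in `text`."""
    findings = []
    transform_sets, acls, refs, current_acl = set(), set(), [], None
    for raw in text.splitlines():
        t = raw.strip().split()
        if not t or t[0] == "!":
            continue
        if t[0] == "hash" and len(t) > 1 and t[1] in WEAK_HASHES:
            findings.append(f"ISAKMP policy uses weak hash {t[1]}")
        elif t[:2] == ["authentication", "pre-share"]:
            findings.append("ISAKMP authentication relies on a pre-shared key")
        elif t[:3] == ["crypto", "isakmp", "key"]:
            findings.append(f"pre-shared key for peer {t[-1]} is stored in cleartext")
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            transform_sets.add(t[3])
            for algo in t[4:]:
                if algo in WEAK_CIPHERS or algo in WEAK_HASHES:
                    findings.append(f"transform-set {t[3]} uses weak algorithm {algo}")
        elif t[:2] == ["set", "transform-set"] or t[:2] == ["match", "address"]:
            refs.append((t[1], t[2]))           # resolved after the full pass
        elif t[:3] == ["ip", "access-list", "extended"]:
            current_acl = t[3]
            acls.add(current_acl)
        elif t[0] == "permit" and current_acl and t[1:4] == ["ip", "any", "any"]:
            findings.append(f"ACL {current_acl} selects all traffic (permit ip any any)")
    for kind, name in refs:                      # second pass: dangling crypto-map references
        defined = transform_sets if kind == "transform-set" else acls
        if name not in defined:
            findings.append(f"crypto map references undefined {kind} {name}")
    return findings
```

Running `audit_ipsec_config(SAMPLE_CONFIG)` on the page's configuration yields six findings; a configuration using `hash sha`, `authentication rsa-sig` and `esp-aes esp-sha-hmac` yields none.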
