資源描述:
《ipsecVPN配置詳解》由會員上傳分享����,免費在線閱讀��,更多相關內(nèi)容在教育資源-天天文庫���。
1����、IpsecVPN的詳細建立及傳輸方式:一、數(shù)據(jù)從1.1.1.1發(fā)送時����,根據(jù)自己的默認網(wǎng)關,發(fā)送到路由器R1�。二、到R1時�����,路由會將此數(shù)據(jù)包轉發(fā)�����,正常情況下會根據(jù)自己的路由表�,查找然后轉發(fā),但是這是接口s0/0有map的存在���,此時路由會查找路由的感興趣流�,如果符合感興趣流的話,就會觸發(fā)路由的Ipsec策略�,三、當觸發(fā)Ipsec的策略時���,此時會協(xié)商IpsecSA��,在協(xié)商Ipsecsa時首先會協(xié)商isakmp�,當isakmp到qm-idle狀態(tài)時�����,協(xié)商Ipsec策略���,協(xié)商Ipsec的spi值��,四���、當協(xié)商成功時,封裝上ESP頭部��,封裝R1出口的spi值����,發(fā)送(此時根
2���、據(jù)默認路由)。五���、當數(shù)據(jù)包到達R2時���,根據(jù)自己的入接口的spi值�,查看是否與數(shù)據(jù)包中的spi值對應,如果對應則�,根據(jù)Iv接口數(shù)據(jù)包。發(fā)送的本地內(nèi)網(wǎng)�����。ESP頭部原始Ip頭Spi序列號Iv內(nèi)網(wǎng)ip頭數(shù)據(jù)Md5Ipsec的lESP的封裝方法transport和tunnel方式��,當實用transport方式時���,是通過封裝ESP頭部���,封裝兩層ip�,透明的在公網(wǎng)傳輸��。根據(jù)上面的配置來解釋本圖:原始ip頭:指的是原來的ipv4的的頭部�,Spi:是雙方的sa協(xié)商出來的,決定了雙發(fā)加密���,散列的參數(shù)和方法�����。序列號:等同于ip中的序列號Iv:des算法最后一個64bit塊����,算出來
3���、的值���,作為傳輸?shù)綄Ψ铰酚善鞯慕饷艿囊粋€種子。內(nèi)網(wǎng)ip頭:ESP加密中的要建立通信的ip頭數(shù)據(jù):要傳輸?shù)臄?shù)據(jù)Md5:傳輸?shù)臄?shù)據(jù)的加密方式ipsecVPNRouter1S0/0<---->Router2S0/0Router2S0/1<---->Router3S0/0R1的配置方式:version12.4servicetimestampsdebugdatetimemsecservicetimestampslogdatetimemsecnoservicepassword-encryptionhostnameR1boot-start-markerboot-end-ma
4����、rkernoaaanew-modelmemory-sizeiomem5ipcefnoipdomainlookupcryptoisakmppolicy1hashmd5authenticationpre-sharecryptoisakmpkey6ciscoaddress192.168.2.2cryptoipsectransform-setciscoesp-desesp-md5-hmacmodetransportcryptomapcisco10ipsec-isakmpsetpeer192.168.2.2settransform-setciscomatchaddre
5、ss101interfaceLoopback1ipaddress1.1.1.1255.255.255.0interfaceSerial0/0ipaddress192.168.1.1255.255.255.0serialrestart-delay0cryptomapciscointerfaceSerial0/1noipaddressshutdownserialrestart-delay0interfaceSerial0/2noipaddressshutdownserialrestart-delay0interfaceSerial0/3noipaddresssh
6、utdownserialrestart-delay0iphttpservernoiphttpsecure-serveriproute0.0.0.00.0.0.0192.168.1.2access-list101permitiphost1.1.1.1host2.2.2.2control-planelinecon0exec-timeout00lineaux0linevty04endR2的配置方式:version12.4servicetimestampsdebugdatetimemsecservicetimestampslogdatetimemsecnoservi
7�����、cepassword-encryptionhostnameR2boot-start-markerboot-end-markernoaaanew-modelmemory-sizeiomem5ipcefnoipdomainlookupinterfaceSerial0/0ipaddress192.168.1.2255.255.255.0serialrestart-delayinterfaceSerial0/1ipaddress192.168.2.1255.255.255.0serialrestart-delay0interfaceSerial0/2noipaddr
8����、essshutdownserialrestart-d
