VPN Technical Support Document

January 15, 2024


Cisco Routers/Switches

<h3>Cisco Switch Command-Line Configuration</h3>
<h4>1. Cisco IKEv1 IPsec VPN Configuration</h4>
<p>IKEv1 example configuration, main mode:</p>
<p>The Cisco configuration commands are as follows (the exact commands may differ between Cisco IOS versions, but the procedure is the same):</p>
<pre>
conf t                                   ! enter global configuration mode
no crypto isakmp key 0 cisco address 10.162.151.107   ! pre-shared key bound to the peer address; do not configure it when identity IDs are used, because it conflicts with the keyring and the tunnel will not come up
crypto isakmp policy 10                  ! create the ISAKMP policy (phase 1)
 hash md5                                ! hash algorithm
 encryption 3des                         ! encryption algorithm
 group 15                                ! Diffie-Hellman group
 lifetime 600                            ! SA lifetime in seconds (600 here); the SA is renegotiated when it expires
 authentication pre-share                ! authentication method (pre-shared key)
 exit                                    ! leave ISAKMP policy configuration

crypto keyring ikev1-keyring
 pre-shared-key address 10.162.151.107 key cisco   ! key shared between the peer and this device to build the tunnel
 pre-shared-key address 10.162.151.115 key cisco   ! the peer's post-NAT address

crypto isakmp profile ikev1-profile      ! local and remote identity ID types
 keyring ikev1-keyring
 match identity user-fqdn xiao.com       ! remote identity: address / group / host / user-fqdn are supported
 self-identity user-fqdn hong.com        ! local identity: address / fqdn / user-fqdn are supported
 ! match identity address 7.7.7.7 255.255.255.0
 ! self-identity address 8.8.8.8 255.255.255.0

access-list 100 permit ip 192.168.100.0 0.0.0.255 190.190.190.0 0.0.0.255   ! interesting-traffic ACL, equivalent to our inbound/outbound policy: which local subnet may reach which remote subnet
crypto ipsec transform-set ipsecvpn esp-aes esp-md5-hmac   ! create the transform set (phase 2 algorithms)
 mode tunnel                             ! encapsulation mode (tunnel mode); we only support tunnel mode
 exit                                    ! leave the transform set
crypto ipsec security-association lifetime seconds 1800   ! IPsec SA lifetime of 1800 seconds

! Priority: the sequence number after the map name ("crypto map test-map 1 ipsec-isakmp" gives priority 1); it is optional
crypto map ipsec 10 ipsec-isakmp         ! create the IPsec policy (phase 2)
 set peer 10.162.151.107                 ! peer address
 ! set peer 10.162.151.115               ! the peer's post-NAT address
 set transform-set ipsecvpn ipsecvpn2 ipsecvpn3 ipsecvpn4 ipsecvpn5   ! bind the transform sets to the map
 set isakmp-profile ikev1-profile        ! reference the ISAKMP profile
 set pfs group15                         ! Perfect Forward Secrecy; this must be the same DH group as phase 1, otherwise the negotiation will not succeed
 match address 100                       ! ACL that the map matches
 exit                                    ! leave the crypto map

interface e0/1                           ! enter the Cisco outside interface
 crypto map ipsec                        ! bind the crypto map to the interface
 exit                                    ! leave interface configuration
</pre>
<h4>2. Cisco IKEv2 Interconnection Configuration</h4>
<h5>(1) Cisco IOU1 IKEv2 configuration:</h5>
<p>Interface IP configuration on the Cisco device:</p>
<pre>
interface Ethernet0/0
 ip address 192.168.100.254 255.255.255.0
!
interface Ethernet0/1
 ip address 22.22.22.22 255.255.255.0
 crypto map ipsec
!
ip route 0.0.0.0 0.0.0.0 10.90.255.254
ip route 0.0.0.0 0.0.0.0 22.22.22.21
</pre>
<p>IKEv2 IPsec VPN example configuration:</p>
<p>Configure the proposal:</p>
<pre>
crypto ikev2 proposal ikev2-proposal
 encryption 3des
 integrity md5
 group 15
</pre>
<p>Configure the policy (optional):</p>
<pre>
crypto ikev2 policy ikev2-policy
 proposal ikev2-proposal
</pre>
<p>Configure the keyring:</p>
<pre>
crypto ikev2 keyring ikev2-keyring
 peer center-asa
  address 10.162.151.107
  pre-shared-key cisco
</pre>
<p>Configure the profile:</p>
<pre>
crypto ikev2 profile ikev2-profile
 match identity remote address 7.7.7.7 255.255.255.0   ! remote ID: email / fqdn / address
 identity local address 8.8.8.8                         ! local ID: email / fqdn / address
 authentication remote pre-share                        ! pre-shared-key authentication
 authentication local pre-share
 keyring local ikev2-keyring
</pre>
<p>Configure the transform sets (optional):</p>
<pre>
crypto ipsec transform-set ipsecvpn esp-aes esp-md5-hmac
 mode tunnel
crypto ipsec transform-set ipsecvpn esp-3des esp-sha-hmac   ! note: reusing the name ipsecvpn replaces the set defined above; give a second set its own name
 mode tunnel
! crypto ipsec transform-set ipsecvpn2 esp-des esp-sha256-hmac
!  mode tunnel
! crypto ipsec transform-set ipsecvpn3 esp-3des esp-sha384-hmac
!  mode tunnel
show crypto ipsec transform-set
</pre>
<p>Configure the interesting traffic:</p>
<pre>
ip access-list extended 100
 permit ip 192.168.100.0 0.0.0.255 190.190.190.0 0.0.0.255
</pre>
<p>Configure the crypto map:</p>
<pre>
crypto map ipsec 10 ipsec-isakmp         ! create the IPsec policy (phase 2)
 set peer 10.162.151.107                 ! peer address
 set transform-set ipsecvpn ipsecvpn2 ipsecvpn3   ! bind the transform sets to the map
 set ikev2-profile ikev2-profile
 set pfs group15                         ! Perfect Forward Secrecy; this must be the same DH group as phase 1, otherwise the negotiation will not succeed
 set security-association lifetime seconds 900   ! SA lifetime of 900 seconds
 match address 100                       ! ACL that the map matches
 exit
</pre>
<p>Apply the map to the interface:</p>
<pre>
int e0/1
 crypto map ipsec
 exit
</pre>
<h5>(2) Cisco IOU2 IKEv2 configuration:</h5>
<p>NAT translation configured on the intermediate Cisco router:</p>
<p>Configure the interface IPs:</p>
<pre>
conf t
int e0/0
 ip address 11.11.11.2 255.255.255.0
 no shutdown
 exit
int e0/1
 ip address 13.13.13.1 255.255.255.0
 no shutdown
 exit
</pre>
<p>Configure the static source NAT policy:</p>
<pre>
ip nat inside source static 11.11.11.1 13.13.13.1
</pre>
<p>Enter interface e0/1 and set it as the NAT outside interface:</p>
<pre>
int e0/1
 ip nat outside
 exit
</pre>
<p>Enter interface e0/0 and set it as the NAT inside interface:</p>
<pre>
int e0/0
 ip nat inside
 exit
</pre>
<h4>Example 1</h4>
<pre>
interface Ethernet0/0
 ip address 22.22.22.21 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Ethernet0/1
 no ip address
 ip nat outside
 ip virtual-reassembly in
!
interface Ethernet0/2
 ip address 10.90.17.76 255.255.0.0
 ip nat outside
 ip virtual-reassembly in
!

ip nat pool hzl 10.90.9.77 10.90.9.77 netmask 255.255.255.255
ip nat inside source list 14 interface Ethernet0/2 overload
ip nat inside source list 15 interface Ethernet0/2 overload
ip route 10.162.0.0 255.254.0.0 10.90.255.254
ip route 192.168.100.0 255.255.255.0 22.22.22.22
!
access-list 14 permit 22.22.22.0 0.0.0.255
</pre>
<pre>
access-list 15 permit 192.168.100.0 0.0.0.255
access-list 16 permit 0.0.0.0
</pre>
<h3>Firewall GUI Configuration</h3>
<h4>1. Basic configuration</h4>
<p><img src="https://www.showdoc.com.cn/server/api/attachment/visitFile?sign=d340ec638dd475cc45811bb2cfd23443&amp;file=file.png" alt="" /></p>
<h4>2. IKE configuration</h4>
<p><img src="https://www.showdoc.com.cn/server/api/attachment/visitFile?sign=74c184543835bd2e2e2e7f5fd189454c&amp;file=file.png" alt="" /></p>
<h4>3. IPsec configuration</h4>
<p><img src="https://www.showdoc.com.cn/server/api/attachment/visitFile?sign=4e209b38cf9b4b0f73c412dfb6be59f8&amp;file=file.png" alt="" /></p>
<h4>4. The DLAN running status shows that the VPN interconnection succeeded</h4>
<p><img src="https://www.showdoc.com.cn/server/api/attachment/visitFile?sign=82d9db00f4a294d27c7dcbc03f893559&amp;file=file.png" alt="" /></p>
<h3>Common Cisco Device Commands</h3>
<pre>
en                                ! enter privileged mode
conf t                            ! enter configuration mode (remember to save after configuring, otherwise all configuration is lost on reboot)
show ip route                     ! view the routing table
show ip int b                     ! view the IP configuration of the interfaces
show running-config               ! view the running configuration, including the IPsec VPN configuration
int e0/0
crypto ikev2 ?                    ! appending a question mark lists the available options
ip 1.1.1.1/24 1.1.1.2             ! configure IP address and subnet mask (IOS syntax: ip address 1.1.1.1 255.255.255.0)
ip 1.1.1.1 255.255.255.0 1.1.1.2
show ip                           ! view IP configuration information
save                              ! save the configuration (IOS syntax: write memory)

! show the ISAKMP negotiation policies (key-exchange policies)
sh crypto isakmp policy
! show the status of the management connection (IKE SA), i.e. the security associations
sh crypto isakmp sa
! show the IPsec transform sets
sh crypto ipsec transform-set
! show the details of the data connection (IPsec SAs); append "detail" for more
sh crypto ipsec sa
! show the crypto map information
sh crypto map
! show the keys used by the current key-exchange method
show crypto isakmp key
! show the established peers
show crypto isakmp peers
! VPN session status
show crypto session
! view NAT
show ip nat statistics
! to look up anything else, append ? to the command and the matching commands are listed
</pre>
<h3>Maintainer: 向西宇</h3>
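<p>The IKEv1 and IKEv2 sections above repeat one rule several times: the PFS group in the crypto map must equal the phase-1 DH group, every transform set and ACL the map references must exist, and the map must be bound to the outside interface, or the tunnel never comes up. The checker below is an added example written for this document; it is not Cisco tooling and not part of the original page. It parses an IOS configuration in either running-config style (indented sub-commands) or the pasted command style used above (sub-commands ended by <code>exit</code>), and reports those mistakes together with the legacy algorithms (DES/3DES/MD5) that the examples use. The configuration text at the bottom is constructed for the example, with a deliberately wrong PFS group and an undefined transform set so that the checks fire.</p>

```python
"""Consistency checker for Cisco IOS IPsec crypto-map configurations (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Legacy algorithms as IOS spells them in isakmp policies, ikev2 proposals and transform sets.
WEAK_ALGORITHMS = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}


@dataclass
class CryptoMapEntry:
    name: str
    seq: int
    peers: List[str] = field(default_factory=list)
    transform_sets: List[str] = field(default_factory=list)
    pfs_group: Optional[str] = None
    acl: Optional[str] = None


@dataclass
class IpsecConfig:
    phase1_groups: Set[str] = field(default_factory=set)        # DH groups of isakmp policies / ikev2 proposals
    transform_sets: Dict[str, List[str]] = field(default_factory=dict)
    acls: Set[str] = field(default_factory=set)
    map_entries: List[CryptoMapEntry] = field(default_factory=list)
    applied_maps: Dict[str, str] = field(default_factory=dict)  # interface -> crypto map name
    weak_algorithms: List[Tuple[str, str]] = field(default_factory=list)


def parse_ios_config(text: str) -> IpsecConfig:
    """Single pass over the config; 'context' is the block the current line belongs to."""
    cfg = IpsecConfig()
    context = None  # ("policy", name) | ("map", CryptoMapEntry) | ("iface", name) | None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        w = line.split()
        # 'crypto map NAME' under an interface binds the map; test this before block detection
        if context and context[0] == "iface" and w[:2] == ["crypto", "map"] and len(w) == 3:
            cfg.applied_maps[context[1]] = w[2]
            continue
        if w == ["exit"]:
            context = None
        elif w[:3] in (["crypto", "isakmp", "policy"], ["crypto", "ikev2", "proposal"]):
            context = ("policy", w[3])
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg.transform_sets[w[3]] = w[4:]
            cfg.weak_algorithms += [(f"transform-set {w[3]}", t) for t in w[4:] if t in WEAK_ALGORITHMS]
            context = None
        elif w[:2] == ["crypto", "map"] and len(w) >= 5 and w[3].isdigit():
            entry = CryptoMapEntry(name=w[2], seq=int(w[3]))
            cfg.map_entries.append(entry)
            context = ("map", entry)
        elif w[0] == "access-list" or w[:3] == ["ip", "access-list", "extended"]:
            cfg.acls.add(w[1] if w[0] == "access-list" else w[3])
            context = None
        elif w[0] in ("interface", "int"):
            context = ("iface", w[1])
        elif w[0] == "crypto":
            context = None  # keyring, profile and other crypto blocks are not inspected
        elif context and context[0] == "policy":
            if w[0] == "group":
                cfg.phase1_groups.add(w[1])
            elif w[0] in ("hash", "encryption", "encry", "encr", "integrity") and w[1] in WEAK_ALGORITHMS:
                cfg.weak_algorithms.append((f"phase-1 {context[1]}", w[1]))
        elif context and context[0] == "map":
            entry = context[1]
            if w[:2] == ["set", "peer"]:
                entry.peers.append(w[2])
            elif w[:2] == ["set", "transform-set"]:
                entry.transform_sets += w[2:]
            elif w[:2] == ["set", "pfs"]:
                entry.pfs_group = w[2].replace("group", "")
            elif w[:2] == ["match", "address"]:
                entry.acl = w[2]
    return cfg


def check_config(cfg: IpsecConfig) -> List[str]:
    """Return one finding per problem the document warns about; an empty list means consistent."""
    findings = []
    for e in cfg.map_entries:
        where = f"crypto map {e.name} {e.seq}"
        if e.pfs_group and cfg.phase1_groups and e.pfs_group not in cfg.phase1_groups:
            findings.append(f"{where}: PFS group {e.pfs_group} does not match phase-1 DH group(s) {sorted(cfg.phase1_groups)}")
        for ts in e.transform_sets:
            if ts not in cfg.transform_sets:
                findings.append(f"{where}: transform-set {ts} is referenced but never defined")
        if e.acl is None:
            findings.append(f"{where}: no 'match address' ACL")
        elif e.acl not in cfg.acls:
            findings.append(f"{where}: ACL {e.acl} is referenced but never defined")
        if not e.peers:
            findings.append(f"{where}: no 'set peer'")
        if e.name not in cfg.applied_maps.values():
            findings.append(f"{where}: map is not applied to any interface")
    for ctx, alg in cfg.weak_algorithms:
        findings.append(f"{ctx}: {alg} is a legacy algorithm; prefer AES and SHA-2")
    return findings


# Constructed sample: the IKEv1 example of this document with PFS group 14 (mismatch) and
# a reference to the undefined transform set ipsecvpn2.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 hash md5
 encryption 3des
 group 15
 lifetime 600
 authentication pre-share
 exit
access-list 100 permit ip 192.168.100.0 0.0.0.255 190.190.190.0 0.0.0.255
crypto ipsec transform-set ipsecvpn esp-aes esp-md5-hmac
 mode tunnel
 exit
crypto map ipsec 10 ipsec-isakmp
 set peer 10.162.151.107
 set transform-set ipsecvpn ipsecvpn2
 set isakmp-profile ikev1-profile
 set pfs group14
 match address 100
 exit
interface e0/1
 crypto map ipsec
 exit
"""

if __name__ == "__main__":
    for finding in check_config(parse_ios_config(SAMPLE_CONFIG)):
        print(finding)
```

<p>Run it against the output of <code>show running-config</code> saved to a file before the peer is asked to debug their side: a mismatched PFS group or a missing transform set is found in seconds, while the same mistake shows up on the router only as a phase-2 negotiation that silently fails.</p>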
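<p>The status commands in the list above (<code>sh crypto isakmp sa</code>, <code>sh crypto ipsec sa</code>) are what a maintainer reads when a peer reports that the tunnel is down. The triage helper below is an added example for this document, not Cisco tooling and not part of the original page; it turns the two outputs into a verdict per peer: whether phase 1 is established (<code>QM_IDLE</code>) or stuck in a main-mode state, and whether packets are being both encapsulated and decapsulated, since encaps counting up while decaps stays at zero is the usual sign of a mirror-image mismatch on the other side (ACL, PFS group or NAT address). The command outputs embedded below are constructed samples in the IOS layout, and the local address is passed in because IOS lists the SA as dst/src rather than as peer.</p>

```python
"""Triage helper for 'show crypto isakmp sa' and 'show crypto ipsec sa' output (added example)."""
import re
from typing import Dict, List

# Phase-1 states IOS prints: QM_IDLE is an established IKE SA, the MM_*/AG_* states mean the
# main/aggressive mode exchange never completed (policy, key or NAT problem).
ESTABLISHED_STATES = {"QM_IDLE"}
IN_PROGRESS_STATES = {"MM_NO_STATE", "MM_SA_SETUP", "MM_KEY_EXCH", "MM_KEY_AUTH",
                      "AG_NO_STATE", "AG_INIT_EXCH", "AG_AUTH"}

ISAKMP_ROW = re.compile(
    r"^(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<state>\S+)\s+(?P<conn>\d+)\s+(?P<status>.+?)\s*$"
)


def parse_isakmp_sa(text: str) -> List[Dict[str, str]]:
    """One dict per SA row; the header line does not match because 'dst' is not an address."""
    return [m.groupdict() for m in (ISAKMP_ROW.match(l.strip()) for l in text.splitlines()) if m]


def parse_ipsec_sa(text: str) -> List[dict]:
    """One dict per protected flow with its peer, proxy identities and encaps/decaps counters."""
    flows, pending = [], {}
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"(local|remote)\s+ident .*?:\s*\((\S+)\)", s)
        if m:
            pending[m.group(1)] = m.group(2)  # identities are printed before current_peer
            continue
        m = re.match(r"current_peer\s+(\S+)", s)
        if m:
            flows.append({"peer": m.group(1), "local": pending.get("local"),
                          "remote": pending.get("remote"), "encaps": 0, "decaps": 0})
            pending = {}
            continue
        m = re.match(r"#pkts (encaps|decaps):\s*(\d+)", s)
        if m and flows:
            flows[-1][m.group(1)] = int(m.group(2))
    return flows


def triage(isakmp_text: str, ipsec_text: str, local_addr: str) -> Dict[str, dict]:
    """Combine both outputs into {peer: {"phase1": ..., "flow": ..., "traffic": ...}}."""
    report: Dict[str, dict] = {}
    for row in parse_isakmp_sa(isakmp_text):
        peer = row["src"] if row["dst"] == local_addr else row["dst"]
        if row["state"] in ESTABLISHED_STATES and "deleted" not in row["status"]:
            phase1 = "established"
        elif row["state"] in IN_PROGRESS_STATES:
            phase1 = f"phase 1 incomplete ({row['state']})"
        else:
            phase1 = f"unknown state {row['state']}"
        report.setdefault(peer, {})["phase1"] = phase1
    for flow in parse_ipsec_sa(ipsec_text):
        if flow["encaps"] and not flow["decaps"]:
            traffic = "one-way: sending but nothing decrypted from peer (check the peer's ACL/PFS/NAT)"
        elif flow["decaps"] and not flow["encaps"]:
            traffic = "one-way: receiving only"
        elif flow["encaps"] and flow["decaps"]:
            traffic = "bidirectional"
        else:
            traffic = "no traffic"
        entry = report.setdefault(flow["peer"], {})
        entry.setdefault("phase1", "no IKE SA")
        entry["flow"] = f"{flow['local']} -> {flow['remote']}"
        entry["traffic"] = traffic
    return report


# Constructed samples in the IOS output layout (not captured from a real device).
SAMPLE_ISAKMP = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.162.151.107  22.22.22.22     QM_IDLE           1001 ACTIVE
22.22.22.22     10.162.151.115  MM_NO_STATE       1002 ACTIVE (deleted)
"""
SAMPLE_IPSEC = """\
interface: Ethernet0/1
    Crypto map tag: ipsec, local addr 22.22.22.22

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (190.190.190.0/255.255.255.0/0/0)
   current_peer 10.162.151.107 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
LOCAL_ADDR = "22.22.22.22"

if __name__ == "__main__":
    for peer, verdict in triage(SAMPLE_ISAKMP, SAMPLE_IPSEC, LOCAL_ADDR).items():
        print(peer, verdict)
```

<p>The peer in <code>MM_NO_STATE</code> is the classic symptom of the phase-1 mismatch the IKEv1 section warns about (policy, pre-shared key or identity); the established peer with zero decaps is the phase-2 or routing problem that is only visible on the other side.</p>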
