IPSec-based VPN configuration Experiment


I. Set up the lab environment:

Tools: DynamipsGUI, SecureCRT, and the Cisco IOS image file unzip-c3640-ik9o3s-mz.124-10.bin


R1 simulates the branch router, R2 simulates the Internet, and R3 simulates the headquarters router. The Loopback1 interfaces on R1 and R3 stand in for the hosts on their internal LANs.

The IP addresses and routes are as follows:

R1: fa0/0: 10.1.1.1/30
    Loopback1: 172.16.0.1/24
R2: fa0/0: 10.1.1.2/30
    fa0/1: 20.2.2.2/30
R3: fa0/1: 20.2.2.1/30
    Loopback1: 192.168.0.3/24

1. Open the DynamipsGUI setup window, set the number of routers to 3 and the device type to 3640, select the Cisco IOS image file unzip-c3640-ik9o3s-mz.124-10.bin for that device type, and then compute the idle-PC value: click "Calculate idle"; in the command prompt window that appears, press any key to start the router, then press Ctrl+] followed by i to calculate the idle value.


The idle value depends on the host's hardware. To avoid errors and reduce the host's resource utilization, calculate it several times and use the value that occurs most often. Enter the obtained value in the idle-pc field, set the output directory to the desired location, and click "Next".


2. Select the port modules for each of the three routers and click Next.


3. Connect the router ports: fa0/0 of Router1 to fa0/0 of Router2, and fa0/1 of Router2 to fa0/1 of Router3. Generate the .bat files and exit. The three simulated routers are now set up, and SecureCRT is used to connect to them.


4. First, start the three routers.


5. Open the SecureCRT main window and connect to the three routers over Telnet: protocol Telnet, host name 127.0.0.1, port 2001 for Router1, 2002 for Router2 and 2003 for Router3. The port number is the console port of each router; it is shown when selecting the routers' port modules.


After the three routers have started, connect to them through SecureCRT and change their hostnames to R1, R2 and R3.


II. VPN configuration:

1. Basic configuration of the R1 router: configure the interface addresses and add a default route pointing to 10.1.1.2.


Basic configuration of the R2 router:


Basic configuration of the R3 router: configure the interface addresses and add a default route pointing to 20.2.2.2.


2. From R1 you can ping fa0/1 of R3, but not its Loopback1; the same is true from R3. R2, which stands in for the Internet, has no route to the private loopback networks, which is exactly the traffic the VPN will carry.


3. Configure IKE on R1:

crypto isakmp enable          // enable ISAKMP
crypto isakmp policy 10       // create an IKE policy with priority 10; the lower the number, the higher the priority (further policies can be added under other priority numbers)
 encryption aes               // encryption algorithm: AES
 hash md5                     // hash algorithm: MD5
 authentication pre-share     // authentication method: pre-shared key
 group 2                      // Diffie-Hellman group 2 for the key exchange

Note that MD5 and DH group 2 are acceptable only for a lab; for a production tunnel, current guidance is to use a SHA-2 hash and a stronger DH group.


4. Configure the pre-shared key linuxtro for the peer.


5. Configure the IPsec transform set:

crypto ipsec transform-set r1_to_r3 esp-aes   // create the transform set r1_to_r3 using ESP with AES; esp-aes on its own provides encryption only, and an ESP authentication transform (for example esp-sha-hmac) must be added for integrity protection
 mode transport                               // IPsec mode: transport

Transport mode only applies when the protected traffic is exchanged between the IPsec peers themselves; because the crypto access list here protects the loopback subnets behind the peers, IOS negotiates tunnel mode for this security association.


6. Configure the crypto access list, which defines the traffic to be encrypted.


7. Configure the crypto map, with the following entries:

 set peer 20.2.2.1            // address of the peer
 set transform-set r1_to_r3   // transform set to use
 match address 100            // crypto access list


8. Apply the crypto map to the fa0/0 interface.


The configuration of R1 is now complete. The configuration of R3 is the same, with the following differences:

The IPsec peer address is 10.1.1.1.

The transform set is named r3_to_r1.

The source and destination addresses in the crypto access list are swapped.

The full configuration of R3 is as follows:

R3# show running-config
Building configuration...

Current configuration : 1661 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
no ip domain lookup
!
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key linuxtro address 10.1.1.1
!
crypto ipsec transform-set r3_to_r1 esp-aes
 mode transport
!
crypto map R3 100 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set r3_to_r1
 match address 100
!
interface Loopback1
 ip address 192.168.0.3 255.255.255.0
!
interface FastEthernet0/0
!
interface FastEthernet0/1
 no switchport
 ip address 20.2.2.1 255.255.255.252
 crypto map R3
!
ip route 0.0.0.0 0.0.0.0 20.2.2.2
!
access-list 100 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
end
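As an added consistency check that is not part of the original article: the script below parses the crypto-relevant lines of R3's running-config above and of an R1 config constructed here by mirroring R3 the way steps 3 to 8 describe, and lists the mismatches that would stop the SA from coming up (different IKE policy or transform set, a peer or pre-shared-key address that is not the other side's crypto-map interface, or a crypto ACL that is not the mirror image). The regexes assume IOS's one-space indentation of sub-commands and a single crypto ACL entry per side.

```python
import re
R3_CONFIG = """\
! R3's running-config from the article, trimmed to the lines that define the tunnel.
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key linuxtro address 10.1.1.1
crypto ipsec transform-set r3_to_r1 esp-aes
 mode transport
crypto map R3 100 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set r3_to_r1
 match address 100
interface FastEthernet0/1
 ip address 20.2.2.1 255.255.255.252
 crypto map R3
access-list 100 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
"""

def swap(text, pairs):  # exchange each (a, b) pair simultaneously, a <-> b
    for a, b in pairs:
        text = text.replace(a, "\0").replace(b, a).replace("\0", b)
    return text

# R1's side, constructed here by mirroring R3 the way the article's steps 3 to 8 describe.
R1_CONFIG = swap(R3_CONFIG, [("10.1.1.1", "20.2.2.1"), ("r3_to_r1", "r1_to_r3"), ("R3", "R1"),
                             ("FastEthernet0/1", "FastEthernet0/0"), ("192.168.0.0", "172.16.0.0")])

def parse_ipsec(cfg):
    """Pull the IKE/IPsec parameters one peer will negotiate out of its IOS config."""
    g = lambda pat: re.search(pat, cfg, re.M)
    return {
        "policy": {k: g(rf"^ {k} (\S+)").group(1) for k in ("encr", "hash", "authentication", "group")},
        "key_peer": g(r"^crypto isakmp key \S+ address (\S+)").group(1),
        "transform": g(r"^crypto ipsec transform-set \S+ (.+)$").group(1).split(),
        "peer": g(r"^ set peer (\S+)").group(1),
        "local": g(r"^ ip address (\S+) \S+\n crypto map").group(1),  # address the map sits on
        "acl": g(r"^access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)").groups(),
    }

def mismatches(a, b):
    """Reasons two parsed peers would fail to bring up the SA; an empty list means consistent."""
    out = ["%s differs: %s vs %s" % (k, a[k], b[k]) for k in ("policy", "transform") if a[k] != b[k]]
    out += ["%s is not the other side's crypto-map interface address" % k
            for k in ("peer", "key_peer") if a[k] != b["local"] or b[k] != a["local"]]
    if a["acl"] != b["acl"][2:] + b["acl"][:2]:
        out.append("crypto ACLs are not mirror images: %s vs %s" % (a["acl"], b["acl"]))
    return out
```

Running `mismatches(parse_ipsec(R3_CONFIG), parse_ipsec(R1_CONFIG))` on the two configs returns an empty list; swapping the ACL addresses or the key's peer address on one side makes it report the fault.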

III. VPN verification

First, from R1 ping the Loopback1 address of R3 using an extended ping sourced from R1's Loopback1. The ping succeeds, which shows that the VPN has been established.


Check whether the IKE phase 1 security association was established (show crypto isakmp sa); a state of QM_IDLE means it succeeded.


Check the IPsec security association (show crypto ipsec sa); the output confirms that the IPsec connection was established successfully.


The same tests on R3 give the expected results.


This article is from the "linux on the way" blog; please keep this source: http://linuxtro.blog.51cto.com/1239505/344197
