拓扑

实验01 - Static Crypto Map - 图1

步骤

IPsec

  • crypto ipsec transform-set MT_TS esp-sha256-hmac esp-aes 256 前半部分是 auth,后半部分是 cipher
  • ip access-list extended VPN_TRAFFIC permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255 —— 其实设置的就是Proxy-ID
  1. !!!!!!!!R1
  2. crypto isakmp policy 1
  3.  encr aes 256
  4.  hash sha256
  5.  authentication pre-share
  6.  group 5
  9. crypto isakmp key CISCO address 10.23.1.3 
  11. crypto ipsec transform-set MT_TS esp-sha256-hmac esp-aes 256 
  12.  mode tunnel
  14. crypto map MY_CRYPTO 10 ipsec-isakmp 
  15.  set peer 10.23.1.3
  16.  set transform-set VPN_TS 
  17.  match address VPN_TRAFFIC
  21. !!!!!!!!!R3
  22. crypto isakmp policy 1
  23.  encr aes 256
  24.  hash sha256
  25.  authentication pre-share
  26.  group 5
  28. crypto isakmp key CISCO address 10.12.1.1  
  30. crypto ipsec transform-set MT_TS esp-sha256-hmac esp-aes 256 
  33. crypto map MY_CRYPTO_MAP 10 ipsec-isakmp 
  34.  set peer 10.12.1.1
  35.  set transform-set VPN_TS 
  36.  match address VPN_TRAFFIC
  39. !!!!!
  40. ip access-list extended VPN_TRAFFIC
  41.  permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255 
  44. !!!!!
  45. interface GigabitEthernet0/0
  46.  crypto map MY_CRYPTO_MAP
  • ip access-list extended VPN_TRAFFIC permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255 —— 这种配置方式,端口状态需要在有流量时才会被激活,当前是DOWN

实验01 - Static Crypto Map - 图2

  • show crypto ipsec sa —— 查看Phase2 的结果
    • Proxy-ID
    • 数据包数量
    • 建立IPsec 的地址/端口
    • inbound 和 outbound SA

实验01 - Static Crypto Map - 图3

  • show crypto isakmp sa —— 查看Phase1 的结果。此时状态为QM_IDLE (Phase 2的状态)

实验01 - Static Crypto Map - 图4

  • 我们在R3 上修改key 为 CISOC123,然后清理下缓存 (clear crypto session),就可以看到网络断开。

实验01 - Static Crypto Map - 图5