[CCIE那點事] Original: Episode 1: Hands-On VPN Configuration, Part 1: L2L Site-to-Site VPN

Source: original to this site | CISCO | over 2,383 views | 0 comments

Lab environment:

A few days ago I was browsing the web and found a nice tool. It is only a little over 100 MB and does not have the heavy hardware requirements of an emulator.

It can run a lot of labs, and VPN is one of them. Without further ado: the tool is Cisco Packet Tracer.

Hardware: five 2811 routers, standing in for the real-world headquarters router and branch-office VPN router.

PC1 and PC2 are also simulated with 2811s.

Those who don't know how to use it can read this:

Article title: Original: Cisco Packet Tracer 6.0 Chinese-localized simulator and usage guide

Link: http://www.qdxgqk.live/?p=1834 (when reposting, please credit CCIE那點事)

Topology:

[Image: topology diagram]

Lab objective:

Let the headquarters subnet 1.1.1.0/24 and the southern branch subnet 2.2.2.0/24 reach each other.

Internet traffic from the 1.1.1.0 subnet and from the 2.2.2.0 subnet should each leave through its own site's Internet line. I point this out specifically because some companies send all of their Internet traffic out through headquarters. Why is that? Well, if you're downloading a movie or something, you'd better be careful.

This topology is the first choice for any boss who has branch offices and expects something of his IT staff. Once you've mastered it, the boss will never again have to worry that you can't do the job.

Off topic, off topic: why did I label the branch "southern branch"? There is a deeper meaning; more on that later.

Design approach:

For a situation like this, L2L is the best choice. Of course some will say EZVPN can achieve the same effect. Sure, both work. One at a time, no rush; I'll cover each of them.

On to the config. Trimmed version; everything unnecessary has been thrown out.

Headquarters router VPN configuration

hostname hub                          ! set the hostname
!
---------- Phase 1: configure IKE negotiation, which simply means the parameters for building the tunnel ----------
crypto isakmp policy 10               ! configure the ISAKMP policy
 encr 3des                            ! encryption: 3DES
 authentication pre-share             ! authentication method: pre-shared key
 group 2                              ! DH group 2; read the docs on this one yourself.
!
crypto isakmp key cisco123 address 10.2.2.1   ! obvious enough: the pre-shared key and the peer VPN address
!
---------- Phase 2: configure the encryption applied to the traffic ----------
crypto ipsec transform-set newset esp-3des esp-md5-hmac   ! encryption for the connection
!
crypto map map1 5 ipsec-isakmp        ! configure the crypto map
 set peer 10.2.2.1                    ! peer VPN IP
 set transform-set newset             ! bind the transform set to the crypto map
 match address VPN_BO1                ! split tunneling (Internet traffic is not encrypted)
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0    ! work this one out yourself..
 ip nat outside                       ! NAT egress
 crypto map map1                      ! apply the crypto map (the essential step)
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON   ! this message appears right after the previous command; take note.
!
interface FastEthernet0/1
 ip address 1.1.1.1 255.255.255.0     ! for connecting PC1
 ip nat inside                        ! NAT ingress
ip nat inside source list OUT interface FastEthernet0/0 overload   ! all traffic matching ACL OUT is NATed out F0/0
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.2
!
!
ip access-list extended VPN_BO1       ! traffic to the southern branch's 2.2.2.0 does not go through NAT, i.e. the Internet path
 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
ip access-list extended OUT           ! the ACL referenced by NAT
 deny ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255   ! mandatory
 deny ip host 10.1.1.1 host 10.2.2.1           ! just ignore this one.
 permit ip any any                    ! don't forget this.
!
END.

Verification

Ping PC2's address from PC1 to bring up the VPN:

pc1>ping 2.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/3/15 ms
pc1>

Before activation it looks like this:

hub#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

IPv6 Crypto ISAKMP SA

After activation it looks like this:

hub#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.2.2.1        10.1.1.1        QM_IDLE           1056    0 ACTIVE      <- note: it must look like this

IPv6 Crypto ISAKMP SA

I won't go into detail on the rest of the configuration.

Southern branch router configuration

!
hostname b01
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp key cisco123 address 10.1.1.1
!
!
crypto ipsec transform-set newset esp-3des esp-md5-hmac
!
crypto map map1 5 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set newset
 match address VPN_HUB
interface FastEthernet0/0
 ip address 2.2.2.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.2.2.1 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
 crypto map map1
ip nat inside source list OUT interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.2.2.2
!
!
ip access-list extended VPN_HUB
 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
ip access-list extended OUT
 deny ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
 deny ip host 10.2.2.1 host 10.1.1.1
 permit ip any any
!
end
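With both configs on the table, here is an added Python check (my own example, not part of the original post or of any Cisco tool) for the two things the ACLs on hub and b01 must get right: the crypto ACLs must be exact mirror images of each other, and each tunnel flow must hit a deny in the NAT ACL before the final permit. It runs on constructed excerpts of the two configs above; the helper names are assumptions of mine.

```python
import re

# Constructed excerpts of the hub and branch (b01) configs shown in this post.
HUB_CFG = """ match address VPN_BO1
ip nat inside source list OUT interface FastEthernet0/0 overload
ip access-list extended VPN_BO1
 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
ip access-list extended OUT
 deny ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
 permit ip any any
"""
B01_CFG = """ match address VPN_HUB
ip nat inside source list OUT interface FastEthernet0/1 overload
ip access-list extended VPN_HUB
 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
ip access-list extended OUT
 deny ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
 permit ip any any
"""
# One access-control entry: src/dst are 'net wildcard', 'host a.b.c.d' or 'any'.
ACE = re.compile(r"\s+(permit|deny) ip (any|\S+ \S+) (any|\S+ \S+)$")

def parse_acls(cfg):
    """Return {acl_name: [(action, src, dst), ...]} for every extended ACL in cfg."""
    acls, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("ip access-list extended "):
            cur = acls.setdefault(line.split()[3], [])
        elif cur is not None and (ace := ACE.match(line)):
            cur.append(ace.groups())
    return acls

def crypto_permits(cfg):
    """Flows the crypto map encrypts: permit entries of the ACL named by 'match address'."""
    name = re.search(r"match address (\S+)", cfg).group(1)
    return [(s, d) for a, s, d in parse_acls(cfg)[name] if a == "permit"]

def check_l2l(cfg_a, cfg_b):
    """Findings for a pair of L2L peers (empty list = consistent): the crypto ACLs must be
    mirror images (Quick Mode proxy IDs) and each tunnel flow must hit a NAT-ACL deny first."""
    findings = []
    for me, other in ((cfg_a, cfg_b), (cfg_b, cfg_a)):
        mine, theirs = crypto_permits(me), crypto_permits(other)
        if sorted(mine) != sorted((d, s) for s, d in theirs):
            findings.append(f"crypto ACL {mine} is not the mirror of the peer's {theirs}")
        nat = parse_acls(me)[re.search(r"ip nat inside source list (\S+)", me).group(1)]
        for flow in mine:
            hit = next((a for a, s, d in nat if (s, d) in (flow, ("any", "any"))), None)
            if hit != "deny":
                findings.append(f"tunnel flow {flow} would be NATed (first NAT ACL match: {hit})")
    return findings
```

Dropping the "mandatory" deny from either OUT ACL, or mistyping a wildcard in one crypto ACL, produces a finding instead of a silent VPN that never passes traffic.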

Verification

b01#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.1.1.1        10.2.2.1        QM_IDLE           1055    0 ACTIVE      <- it must look like this.

IPv6 Crypto ISAKMP SA
b01#

Normal. debug ip icmp was turned on here, so ignore those lines.

pc2>ping 1.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

!

ICMP: echo reply rcvd, src 1.1.1.1, dst 2.2.2.2

!

ICMP: echo reply rcvd, src 1.1.1.1, dst 2.2.2.2

!

ICMP: echo reply rcvd, src 1.1.1.1, dst 2.2.2.2

!

ICMP: echo reply rcvd, src 1.1.1.1, dst 2.2.2.2

!

Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/1 ms

pc2>

ICMP: echo reply rcvd, src 1.1.1.1, dst 2.2.2.2

Troubleshooting. Of course it won't work the very first time you configure it; that would be a real freak of nature. Hence the following guide.

1. Why can't I ping after finishing the configuration?

Main causes:

ACL mismatch.

And if you got an IP address wrong, go kneel on a bed of nails.

VPN not fully established.

show cry isa sa shows this:

hub#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.2.2.1        10.1.1.1        QM_IDLE           1056    0 ACTIVE (DELETE)

This looks impressive, but it means the tunnel is flapping or setup did not complete. Don't assume that seeing ACTIVE means you're OK; far from it.

No need to look further; it's definitely a misconfiguration.
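The ACTIVE (DELETE) trap above is easy to script around. As an added example (mine, not the post's or Cisco's), the Python below parses show crypto isakmp sa output and classifies the Phase 1 SA toward a peer, treating only QM_IDLE with a plain ACTIVE status as up. The sample outputs are constructed to match the captures in this post, and the function names are my own.

```python
import re

# Constructed samples modeled on the 'show crypto isakmp sa' captures in this post.
SA_UP = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.2.2.1        10.1.1.1        QM_IDLE           1056    0 ACTIVE

IPv6 Crypto ISAKMP SA
"""
SA_DELETE = SA_UP.replace("0 ACTIVE", "0 ACTIVE (DELETE)")   # the misleading 'looks fine' case
SA_NONE = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

IPv6 Crypto ISAKMP SA
"""
# One SA row: dst, src, state, conn-id, slot, then the rest of the line as the status.
ROW = re.compile(r"^(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\S+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$", re.M)
FIELDS = ("dst", "src", "state", "conn_id", "slot", "status")

def parse_isakmp_sa(text):
    """One dict per IPv4 ISAKMP SA row; headers and the empty IPv6 section yield nothing."""
    return [dict(zip(FIELDS, m.groups())) for m in ROW.finditer(text)]

def assess_phase1(text, peer):
    """Classify the Phase 1 SA with `peer` as 'up', 'tearing_down', 'negotiating' or 'absent'."""
    for sa in parse_isakmp_sa(text):
        if peer not in (sa["dst"], sa["src"]):
            continue
        if "DELETE" in sa["status"]:
            # ACTIVE (DELETE): the SA is being torn down (flapping or a failed rebuild), not healthy
            return "tearing_down"
        if sa["state"] == "QM_IDLE" and sa["status"] == "ACTIVE":
            return "up"
        # any other state (MM_*) means main mode never finished: key, peer address or UDP 500
        return "negotiating"
    return "absent"
```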

Let's run debug cry isa:

---- output omitted ----

After watching it you'll find this:  New State = IKE_P1_COMPLETE   // Phase 1 complete.

And then nothing more...

Annoying, right? That means the Phase 2 configuration has a problem. Once the fault is localized, fix it yourself.

Here is what the process looks like in the normal state.

Normal debug output: debug crypto isa

ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE     // main mode
ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
ISAKMP:(0): sending packet to 10.2.2.1 my_port 500 peer_port 500 (I) MM_SA_SETUP     // UDP 500 must be allowed through
ISAKMP:(0):Sending an IKE IPv4 Packet.
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
ISAKMP (0:0): received packet from 10.2.2.1 dport 500 sport 500 Global (I) MM_SA_SETUP
ISAKMP:(0):found peer pre-shared key matching 10.2.2.1
ISAKMP (1072): His hash no match - this node outside NAT
ISAKMP:(1072):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP (0:1072): ID payload
        next-payload : 8
        type         : 1
        address      : 10.1.1.1
        protocol     : 17
        port         : 500
        length       : 12
ISAKMP:(1072): sending packet to 10.2.2.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
ISAKMP (0:1072): ID payload
        next-payload : 8
        type         : 1
        address      : 10.2.2.1
        protocol     : 17
        port         : 500
        length       : 12
ISAKMP:(1072):SA has been authenticated with 10.2.2.1
ISAKMP: Trying to insert a peer 10.1.1.1/10.2.2.1/500/,  and inserted successfully 47CA9F80.
ISAKMP:(1072):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(1072):Old State = IKE_I_MM6  New State = IKE_I_MM6
ISAKMP:(1072):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(1072):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE     // Phase 1 complete.
ISAKMP:(1072):beginning Quick Mode exchange, M-ID of 69859174
ISAKMP:(1072):QM Initiator gets spi
ISAKMP:(1072): sending packet to 10.2.2.1 my_port 500 peer_port 500 (I) QM_IDLE
ISAKMP:(1072):Sending an IKE IPv4 Packet.
ISAKMP:(1072):Node 69859174, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
ISAKMP:(1072):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
ISAKMP:(1072):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP:(1072):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
ISAKMP (0:1072): received packet from 10.2.2.1 dport 500 sport 500 Global (I) QM_IDLE
ISAKMP:(1072): processing HASH payload. message ID = 69859174
ISAKMP:(1072): processing SA payload. message ID = 69859174
ISAKMP:(1072):Checking IPSec proposal 1
ISAKMP: transform 1, ESP-3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1 (Tunnel)
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 3600
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      group is 5
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:(1072):atts are acceptable.
ISAKMP:(1072): processing NONCE payload. message ID = 69859174
ISAKMP:(1072): processing KE payload. message ID = 69859174
ISAKMP:(1072): processing ID payload. message ID = 69859174
ISAKMP:(1072): processing ID payload. message ID = 69859174
ISAKMP:(1072): Creating IPSec SAs
        inbound SA from 10.2.2.1 to 10.1.1.1 (f/i)  0/ 0
        (proxy 2.2.2.0 to 1.1.1.0)
        has spi 0x468F5A25 and conn_id 0
        lifetime of 3600 seconds
        lifetime of 4608000 kilobytes
        outbound SA from 10.1.1.1 to 10.2.2.1 (f/i) 0/0
        (proxy 1.1.1.0 to 2.2.2.0)
        has spi  0x5CE902D8 and conn_id 0
        lifetime of 3600 seconds
        lifetime of 4608000 kilobytes
ISAKMP:(1072): sending packet to 10.2.2.1  my_port 500 peer_port 500 (I) QM_IDLE
ISAKMP:(1072):Sending an IKE IPv4 Packet.
ISAKMP:(1072):deleting node 69859174 error FALSE reason "No Error"
ISAKMP:(1072):Node 69859174, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP:(1072):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE     // Phase 2 complete; the VPN is established.
hub#

Full configuration and topology download: http://pan.baidu.com/share/link?shareid=521690&uk=4144237329

Article from CCIE那點事 http://www.qdxgqk.live/ All rights reserved. Except where a source is noted, articles on this site are the author's original work; they may be freely cited, but please credit the source. Reposting in full is prohibited.
Link to this article: http://www.qdxgqk.live/?p=1862 (when reposting, please credit CCIE那點事)