cisco vpn 技术

VPN实例配置方案－中文注解

Router:sam-i-am(VPN Server)

Current configuration: !

version 12.2

service timestamps debug uptime service timestamps log up time no service password-encryption !

hostname sam-i-am !

ip subnet-zero

!--- IKE配置

sam-i-am(config)#crypto isakmp policy 1 //定义策略为1 sam-i-am(isakmp)#hash md5 //定义MD5散列算法

sam-i-am(isakmp)#authentication pre-share //定义为预共享密钥认证方式 sam-i-am(config)#crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0

!--- 配置预共享密钥为cisco123,对等端为所有IP

!--- IPSec协议配置

sam-i-am(config)#crypto ipsec transform-set rtpset esp-des esp-md5-hmac

!--- 创建变换集 esp-des esp-md5-hmac

sam-i-am(config)#crypto dynamic-map rtpmap 10 //创建动态保密图rtpmap 10 san-i-am(crypto-map)#set transform-set rtpset //使用上面的定义的变换集rtpset san-i-am(crypto-map)#match address 115 //援引访问列表确定受保护的流量 sam-i-am(config)#crypto map rtptrans 10 ipsec-isakmp dynamic rtpmap

!--- 将动态保密图集加入到正规的图集中 !

interface Ethernet0

ip address 10.2.2.3 255.255.255.0 no ip directed-broadcast ip nat inside

no mop enabled !

interface Serial0

ip address 99.99.99.1 255.255.255.0 no ip directed-broadcast ip nat outside

crypto map rtptrans //将保密映射应用到S0接口上 !

ip nat inside source route-map nonat interface Serial0 overload

!--- 这个NAT配置启用了路由策略，内容为10.2.2.0到10.1.1.0的访问不进行地址翻译 !--- 到其他网络的访问都翻译成SO接口的IP地址

ip classless

ip route 0.0.0.0 0.0.0.0 Serial0 //配置静态路由协议 no ip http server !

access-list 115 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255 access-list 115 deny ip 10.2.2.0 0.0.0.255 any !

access-list 120 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255 access-list 120 permit ip 10.2.2.0 0.0.0.255 any !

sam-i-am(config)#route-map nonat permit 10 //使用路由策略 sam-i-am(router-map)#match ip address 120 !

line con 0

transport input none line aux 0 line vty 0 4 password ww login ! end

Router:dr_whoovie(VPN Client)

Current configuration: !

version 12.2

service timestamps debug uptime service timestamps log uptime

no service password-encryption !

hostname dr_whoovie !

ip subnet-zero !

dr_whoovie(config)#crypto isakmp policy 1 //定义策略为1 dr_whoovie(isakmp)#hash md5 //定义MD5散列算法

dr_whoovie(isakmp)#authentication pre-share //定义为预共享密钥认证方式 dr_whoovie(config)#crypto isakmp key cisco123 address 99.99.99.1

!--- 配置预共享密钥为cisco123,对等端为服务器端IP99.99.99.1

!--- IPSec协议配置

dr_whoovie(config)#crypto ipsec transform-set rtpset esp-des esp-md5-hmac

!--- 创建变换集 esp-des esp-md5-hmac

dr_whoovie(config)#crypto map rtp 1 ipsec-isakmp

!--- 使用IKE创建保密图rtp 1

dr_whoovie(crypto-map)#set peer 99.99.99.1 //确定远程对等端

dr_whoovie(crypto-map)#set transform-set rtpset //使用上面的定义的变换集rtpset dr_whoovie(crypto-map)#match address 115 //援引访问列表确定受保护的流量 !

interface Ethernet0

ip address 10.1.1.1 255.255.255.0 no ip directed-broadcast ip nat inside

no mop enabled !

interface Serial0

ip address negotiated //IP地址自动获取 no ip directed-broadcast ip nat outside

encapsulation ppp //S0接口封装ppp协议 no ip mroute-cache no ip route-cache

crypto map rtp //将保密映射应用到S0接口上

!

ip nat inside source route-map nonat interface Serial0 overload

!--- 这个NAT配置启用了路由策略，内容为10.1.1.0到10.2.2.0的访问不进行地址翻译 !--- 到其他网络的访问都翻译成SO接口的IP地址

ip classless

ip route 0.0.0.0 0.0.0.0 Serial0 //配置静态路由协议 no ip http server !

access-list 115 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255 access-list 115 deny ip 10.1.1.0 0.0.0.255 any

access-list 120 deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255 access-list 120 permit ip 10.1.1.0 0.0.0.255 any !

dialer-list 1 protocol ip permit dialer-list 1 protocol ipx permit

route-map nonat permit 10 //使用路由策略 match ip address 120 !

line con 0

transport input none line aux 0 line vty 0 4 password ww login ! end

-----------IKE配置----------------

IPSec VPN对等端为了建立信任关系，必须交换某种形式的认证密钥。

Internet 密钥交换(Internet Key Exchange，IKE)是一种为IPSec管理和交换密钥的标准方法。

一旦两个对等端之间的IKE协商取得成功，那么IKE就创建到远程对等端的安全关联(security association，SA)。SA是单向的；在两个对等端之间存在两 个SA。

IKE使用UDP端口500进行协商，确保端口500不被阻塞。 配置

1、（可选）启用或者禁用IKE (global)crypto isakmp enable 或者

(global)no crypto isakmp enable 默认在所有接口上启动IKE

2、创建IKE策略 (1)定义策略

(global)crypto isakmp policy priority

注释：policy 1表示策略1，假如想多配几个VPN，可以写成policy 2、policy3┅

(2)（可选）定义加密算法

(isakmp)encryption {des | 3des}

加密模式可以为56位的DES-CBC(des，默认值)或者168位的3DES(3des)

(3)（可选）定义散列算法 (isamkp)hash {sha | md5} 默认sha

(4)（可选）定义认证方式

(isamkp)authentication {rsa-sig | rsa-encr | pre-share} rsa-sig 要求使用CA并且提供防止抵赖功能；默认值 rsa-encr 不需要CA，提供防止抵赖功能 pre-share 通过手工配置预共享密钥

(5)（可选）定义Diffie-Hellman标识符 (isakmp)group {1 | 2}

注释：除非购买高端路由器，或是VPN通信比较少，否则最好使用group 1长度的密钥，group命令有两个参数值：1和2。参数值1表示密钥使用768位密钥，

参数值2表示密钥使用1024位密钥，显然后一种密钥安全性高，但消耗更多的CPU时间。

(6)（可选）定义安全关联的生命期 (isakmp)lifetime seconds

注释：对生成新SA的周期进行调整。这个值以秒为单位，默认值为86400，也就是一天。值得注意的是两端的路由器都要设置相同的SA周期，否则VPN在正 常初始化之后，将会在较短的一个SA周期到达中断。

3、(rsa-sig)使用证书授权(CA) (1)确保路由器有主机名和域名 (global)hostname hostname (global)ip domain-name domain

(2)产生RSA密钥

(global)crypto key generate rsa

(3)使用向IPSec对等端发布证书的CA －－设定CA的主机名

(global)crypto ca identity name －－设定联络CA所使用的URL (ca-identity)enrollment url url

URL应该采用http://ca-domain-nameort/cgi-bin-location的形式 －－（可选）使用RA模式

(ca-identity)enrollment mode ra (ca-identity)query url url

－－（可选）设定注册重试参数

(ca-identity)enrollment retry period minutes (ca-identity)enrollment retry count number

minutes(1到60；默认为1) number(1到100；默认为0，代表无穷次) －－（可选）可选的证书作废列表 (ca-identity)crl optional

(4)（可选）使用可信的根CA －－确定可信的根CA

(global)crypto ca trusted-root name －－（可选）从可信的根请求CRL (ca-root)crl query url －－定义注册的方法

(ca-root)root {CEP url | TFTP server file | PROXY url}

(5)认证CA

(global)crypto ca authenticate name

(6)用CA注册路由器

(global)crypto ca enroll name

4、(rsa-encr)手工配置RSA密钥（不使用CA） (1)产生RSA密钥

(global)crypto key generate rsa

(2)指定对等端的ISAKMP标识

(global)crypto isakmp identity {address | hostname}

(3)指定其他所有对等端的RSA密钥 －－配置公共密钥链

(global)crypto key pubkey-chain rsa

－－用名字或地址确定密钥

(pubkey-chain)named-key key-name [encryption | signature] (pubkey-chain)addressed-key key-name [encryption | signature]

－－（可选）手工配置远程对等端的IP地址 (pubkey-key)address ip-addr

－－指定远程对等端的公开密钥 (pubkey-key)key-string key-string

5、(preshare)配置预共享密钥

(global)crypto isakmp key key-string {addrss | hostname} {peer-address

|

peer-hostname}

注释：返回到全局设置模式确定要使用的预先共享密钥和指归VPN另一端路由器IP地址，即目的路由器IP地址。相应地在另一端路由器配置也和以上命令类 似

6、（可选）使用IKE模式

(1)定义要分发的“内部”或者受保护IP地址库

(global)ip local pool pool-name start-address end-address

(2)启动IKE模式协商

(global)crypto isakmp client configuration address-pool local pool-name

--------------IPSec配置----------------

IPSec 使用加密、数据完整性、源发鉴别以及拒绝重演分组来保护和认证网络层对等端之间的IP分组

IPSec对于构建内因网、外因网以及远程用户接入VPN来说非常有用处

IPSec支持以下标准

--Internet协议的安全体系结构 --IKE(Internet密钥交换) --DES(数据加密标准) --MD5 --SHA

--AH(Authentication Header，认证首部)数据认证和反重演(anti-reply)服务

--ESP(Encapsulation Security Payload，封装安全净荷)数据隐私、数据验证以及反重演(anti-reply)服务

敏感流量由访问列表所定义，并且通过crypto map(保密图)集被应用到接口上。 配置

1、为密钥管理配置IKE

2、（可选）定义SA的全局生命期

(global)crypto ipsec security-association lifetime seconds seconds (global)crypto ipsec security-association lifetime killobytes kilobytes

3、定义保密访问列表来定义受保护的流量 (global)access-list access-list-number .... 或者

(global)ip access-list extended name

扩展的访问列表必须定义由IPSec保护哪种IP流量。保密图(crypto map)援引这个访问列表

来确定在接口上要保护的流量。

4、定义IPSec交换集 (1)创建变换集

(global)crypto ipsec transform-set name [transform1 | transform2 | transform3] 可以在一个保密图(crypto map)中定义多个变换集。如果没有使用IKE，那么只能定义一种变换集。用户能够选择多达三种变换。 （可选）选择一种AH变换 --ah-md5-hmac --ah-sha-hmac --ah-rfc-1828

（可选）选择一种ESP加密编号 --esp-des --esp-3des --esp-rfc-1829 --esp-null

以及这些验证方法之一 --esp-md5-hmac --esp-sha-hmac （可选）选择IP压缩变换 --comp-lzs

(2)（可选）选择变换集的模式

(crypto-transform)mode {tunnel | transport}

5、使用IPSec策略定义保密映射

保密图(crypto map)连接了保密访问列表，确定了远程对等端、本地地址、变换集和协商方法。

(1)（可选）使用手工的安全关联（没有IKE协商） --创建保密图

(global)crypto map map-name sequence ipsec-manual

--援引保密访问列表来确定受保护的流量 (crypto-map)match address access-list

--确定远程的IPSec对等端

(crypto-map)set peer {hostname | ip_addr}

--指定要使用的变换集

(crypto-map)set transform-set name 变换集必须和远程对等端上使用的相同

--（仅适用于AH验证）手工设定AH密钥

(crypto-map)set session-key inbound ah spi hex-key-data

(crypto-map)set session-key outbound ah spi hex-key-data

--（仅适用于ESP验证）手工设定ESP SPI和密钥

(crypto-map)set session-key inbound ah spi hex-key-data [authenticator hex-key-data]

(crypto-map)set session-key outbound ah spi hex-key-data [authenticator hex-key-data]

(2)（可选）使用IKE建立的安全关联 --创建保密图

(global)crypto map map-name sequence ipsec-isakmp

--援引保密访问列表来确定受保护的流量 (crypto-map)match address access-list

--确定远程的IPSec对等端

(crypto-map)set peer {hostname | ip_addr}

--指定要使用的变换集

(crypto-map)set transform-set name 变换集必须和远程对等端上使用的相同

--（可选）如果SA生命期和全局默认不同，那么定义它：

(crypto-map)set security-association lifetime seconds seconds (crypto-map)set security-association lifetime kilobytes kilobytes

--（可选）为每个源/目的主机对使用一个独立的SA (crypto-map)set security-association level per-host

--（可选）对每个新的SA使用完整转发安全性 (crypto-map)set pfs [group1 | group2]

(3)（可选）使用动态安全关联 --创建动态的保密图

(global)crypto dynamic-map dyn-map-name dyn-seq-num

--（可选）援引保密访问列表确定受保护的流量 (crypto-map)match address access-list

--（可选）确定远程的IPSec对等端

(crypto-map)set peer {hostname | ip_addr}

--（可选）指定要使用的变换集

(crypto-map)set transform-set tranform-set-name

--（可选）如果SA生命期和全局默认不同，那么定义它：

(crypto-map)set security-association lifetime seconds seconds (crypto-map)set security-association lifetime kilobytes kilobytes

--（可选）对每个新的SA使用完整转发安全性 (crypto-map)set pfs [group1 | group2]

--将动态保密图集加入到正规的图集中

(global)crypto map map-name sequence ipsec-isakmp dynamic dyn-map-name [discover]

--（可选）使用IKE模式的客户机配置

(global)crypto map map-name client configuration address [initiate | respond]

--（可选）使用来自AAA服务器的预共享IKE密钥

(global)crypto map map-name isakmp authorization list list-name

6、将保密映射应用到接口上

(1)指定要使用的保密映射

(interface)crypto map map-name

(2)（可选）和其他接口共享保密映射

(global)crypto map map-name local-address interface-id

pix虚拟防火墙配置实例

PIXFW(config)# sh run

: Saved :

PIX Version 7.0(2) !

interface Ethernet0

speed 1920

duplex full !

interface Ethernet0.1 vlan 5 !

interface Ethernet0.2 vlan 6 !

interface Ethernet1 !

interface Ethernet2 !

interface Ethernet3

shutdown !

interface Ethernet4

shutdown !

interface Ethernet5

shutdown !

enable password 8Ry2YjIyt7RRXU24 encrypted

hostname PIXFW

ftp mode passive

pager lines 24

no failover

no asdm history enable

arp timeout 14400

console timeout 0

admin-context OA

context OA

allocate-interface Ethernet0.1

allocate-interface Ethernet1

config-url flash:/OA.cfg !

context FMIS

allocate-interface Ethernet0.2

allocate-interface Ethernet2

config-url flash:/FMIS.cfg !

Cryptochecksum:53517dcd4fe74fdcb51a1d24e90b1469

: end

PIXFW(config)# sh interface

Interface Ethernet0 \

Hardware is i82559, BW 1920 Mbps

Full-Duplex(Full-duplex), 1920 Mbps(1920 Mbps)

Available for allocation to a context

MAC address 0015.f9a9.02ea, MTU not set

IP address unassigned

525 packets input, 83359 bytes, 0 no buffer

Received 83 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

1935 packets output, 150750 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 babbles, 0 late collisions, 0 deferred

0 lost carrier, 0 no carrier

input queue (curr/max blocks): hardware (128/12 software (0/1)

output queue (curr/max blocks): hardware (0/1) software (0/1)

Interface Ethernet0.1 \

VLAN identifier 5

Available for allocation to a context

Interface Ethernet0.2 \

VLAN identifier 6

Available for allocation to a context

Interface Ethernet1 \

Hardware is i82559, BW 1920 Mbps

Auto-Duplex(Full-duplex), Auto-Speed(1920 Mbps)

Available for allocation to a context

MAC address 0015.f9a9.02eb, MTU not set

IP address unassigned

2757 packets input, 225620 bytes, 0 no buffer

Received 1869 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

159 packets output, 12400 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 babbles, 0 late collisions, 0 deferred

0 lost carrier, 0 no carrier

input queue (curr/max blocks): hardware (128/12 software (0/1)

output queue (curr/max blocks): hardware (0/1) software (0/1)

Interface Ethernet2 \

Hardware is i82559, BW 1920 Mbps

Auto-Duplex(Full-duplex), Auto-Speed(1920 Mbps)

Available for allocation to a context

MAC address 0005.5d18.3021, MTU not set

IP address unassigned

1672 packets input, 127807 bytes, 0 no buffer

Received 798 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

117 packets output, 9158 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 babbles, 0 late collisions, 0 deferred

0 lost carrier, 0 no carrier

input queue (curr/max blocks): hardware (128/12 software (0/2)

output queue (curr/max blocks): hardware (0/1) software (0/1)

Interface Ethernet3 \

Hardware is i82559, BW 1920 Mbps

Auto-Duplex, Auto-Speed

Available for allocation to a context

MAC address 0005.5d18.3023, MTU not set

IP address unassigned

1192 packets input, 14154 bytes, 0 no buffer

Received 1926 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

129 packets output, 8296 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 babbles, 0 late collisions, 0 deferred

0 lost carrier, 0 no carrier

input queue (curr/max blocks): hardware (128/12 software (0/1)

output queue (curr/max blocks): hardware (0/1) software (0/1)

Interface Ethernet4 \

Hardware is i82559, BW 1920 Mbps

Auto-Duplex, Auto-Speed

Available for allocation to a context

MAC address 0005.5d18.3020, MTU not set

IP address unassigned

0 packets input, 0 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 packets output, 0 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 babbles, 0 late collisions, 0 deferred

0 lost carrier, 0 no carrier

input queue (curr/max blocks): hardware (128/12 software (0/0)

output queue (curr/max blocks): hardware (0/0) software (0/0)

Interface Ethernet5 \

Hardware is i82559, BW 1920 Mbps

Auto-Duplex, Auto-Speed

Available for allocation to a context

MAC address 0005.5d18.3022, MTU not set

IP address unassigned

0 packets input, 0 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 packets output, 0 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 babbles, 0 late collisions, 0 deferred

0 lost carrier, 0 no carrier

input queue (curr/max blocks): hardware (128/12 software (0/0)

output queue (curr/max blocks): hardware (0/0) software (0/0)

PIXFW(config)# chang context OA

PIXFW/OA(config)# sh run

: Saved :

PIX Version 7.0(2) names !

interface Ethernet0.1

nameif outside

security-level 0

ip address 192.130.6.49 255.255.255.252 !

interface Ethernet1

nameif inside

security-level 1920

ip address 192.193.166.238 255.255.255.0 !

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname OA

access-list PING extended permit icmp any any

pager lines 24

mtu outside 1500

mtu inside 1500

monitor-interface inside

no asdm history enable

arp timeout 14400

nat (inside) 0 192.193.166.0 255.255.255.0

access-group PING in interface outside

route outside 0.0.0.0 0.0.0.0 192.130.6.50 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:192:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:192:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp

telnet timeout 5

ssh timeout 5 !

class-map inspection_default

match default-inspection-traffic ! !

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp !

service-policy global_policy global

Cryptochecksum:46ffeba4d29c11a248523371c9666379 : end

PIXFW/OA(config)#

PIXFW/OA(config)# chang context FMIS

PIXFW/FMIS(config)# sh run

: Saved :

PIX Version 7.0(2) names !

interface Ethernet0.2

nameif outside

security-level 0

ip address 192.135.178.65 255.255.255.252 !

interface Ethernet2

nameif inside

security-level 1920

ip address 192.135.181.126 255.255.255.128 !

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname FMIS

access-list 1921 extended permit icmp any any

pager lines 24

mtu outside 1500

mtu inside 1500

monitor-interface inside

no asdm history enable

arp timeout 14400

nat (inside) 0 192.135.181.0 255.255.255.128

access-group 1921 in interface outside

route outside 0.0.0.0 0.0.0.0 192.135.178.66 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:192:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:192:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp

telnet timeout 5

ssh timeout 5 !

class-map inspection_default

match default-inspection-traffic ! !

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp !

service-policy global_policy global

Cryptochecksum:5854ffa0a5401e033e1ce88731ebf452 : end

PIXFW/FMIS# chang context sys

PIXFW#

本文来源：https://www.bwwdw.com/article/sjn3.html