溫馨提示×

溫馨提示×

您好,登錄后才能下訂單哦!

密碼登錄×
登錄注冊×
其他方式登錄
點(diǎn)擊 登錄注冊 即表示同意《億速云用戶服務(wù)條款》

ISAKMP Profile技術(shù)應(yīng)用

發(fā)布時(shí)間:2020-08-02 02:15:09 來源:網(wǎng)絡(luò) 閱讀:2331 作者:超哥2018 欄目:安全技術(shù)

ISAKMP Profile技術(shù)應(yīng)用






ISAKMP Profile技術(shù)是IKE協(xié)商的一種新型配置方式。它主要的作用是映射我們第一階段ISAKMP參數(shù)到第

二階段IPSec隧道,可以實(shí)現(xiàn)一個(gè)設(shè)備和多個(gè)站點(diǎn)建立多個(gè)隧道。還可以很好的消除不同×××之間的影

響,讓第一階段策略和第二階段策略關(guān)聯(lián)的更加緊密。并且ISAKMP Profile普遍在EZ×××和VRF-ware 

IPSec ×××配置里邊被采用。


Site1

crypto keyring ccie 

  pre-shared-key address 61.128.1.1 key cisco

!

crypto isakmp policy 100

 encr 3des

 authentication pre-share

 group 2

crypto isakmp profile isaprof

   keyring ccie

   match identity address 61.128.1.1 255.255.255.255 

!

!

crypto ipsec transform-set myset esp-3des esp-sha-hmac 

!

crypto map ccie 10 ipsec-isakmp 

 set peer 61.128.1.1

 set transform-set myset 

 set isakmp-profile isaprof

 match address ***

!

interface Loopback0

 ip address 1.1.1.1 255.255.255.0

!

interface FastEthernet0/0

 ip address 202.100.1.1 255.255.255.0

 crypto map ccie

!      

ip route 0.0.0.0 0.0.0.0 202.100.1.10

!

ip access-list extended ***

 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255


Internet

interface FastEthernet0/0

 ip address 202.100.1.10 255.255.255.0

!

interface FastEthernet0/1

 ip address 61.128.1.10 255.255.255.0


end


Site2:

crypto keyring ccie 

  pre-shared-key address 202.100.1.1 key cisco

!

crypto isakmp policy 100

 encr 3des

 authentication pre-share

 group 2

crypto isakmp profile isaprof

   keyring ccie

   match identity address 202.100.1.1 255.255.255.255 

!

!

crypto ipsec transform-set myset esp-3des esp-sha-hmac 

!

crypto map ccie 10 ipsec-isakmp 

 set peer 202.100.1.1

 set transform-set myset 

 set isakmp-profile isaprof

 match address ***

!


interface Loopback0

 ip address 2.2.2.2 255.255.255.0

!

interface FastEthernet0/0

 ip address 61.128.1.1 255.255.255.0

 crypto map ccie

!     

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 61.128.1.10

!

ip access-list extended ***

 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255

!

測試

Site1#ping 2.2.2.2 source lo0               


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

Packet sent with a source address of 1.1.1.1 

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 104/133/148 ms


Site1#show crypto ipsec sa


interface: FastEthernet0/0

    Crypto map tag: ccie, local addr 202.100.1.1


   protected vrf: (none)

   local  ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)

   current_peer 61.128.1.1 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9

    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 1, #recv errors 0


     local crypto endpt.: 202.100.1.1, remote crypto endpt.: 61.128.1.1

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

     current outbound spi: 0x96AB8F14(2527825684)


     inbound esp sas:

      spi: 0xF41D2511(4095550737)

        transform: esp-3des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 1, flow_id: SW:1, crypto map: ccie

        sa timing: remaining key lifetime (k/sec): (4566332/2033)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:

      spi: 0x96AB8F14(2527825684)

        transform: esp-3des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 2, flow_id: SW:2, crypto map: ccie

        sa timing: remaining key lifetime (k/sec): (4566332/2031)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE


     outbound ah sas:


     outbound pcp sas:


Site1#show crypto session 

Crypto session current status


Interface: FastEthernet0/0

Profile: isaprof

Session status: UP-ACTIVE     

Peer: 61.128.1.1 port 500 

  IKE SA: local 202.100.1.1/500 remote 61.128.1.1/500 Active 

  IPSEC FLOW: permit ip 1.1.1.0/255.255.255.0 2.2.2.0/255.255.255.0 

        Active SAs: 2, origin: crypto map


向AI問一下細(xì)節(jié)

免責(zé)聲明:本站發(fā)布的內(nèi)容(圖片、視頻和文字)以原創(chuàng)、轉(zhuǎn)載和分享為主,文章觀點(diǎn)不代表本網(wǎng)站立場,如果涉及侵權(quán)請(qǐng)聯(lián)系站長郵箱:is@yisu.com進(jìn)行舉報(bào),并提供相關(guān)證據(jù),一經(jīng)查實(shí),將立刻刪除涉嫌侵權(quán)內(nèi)容。

AI