In one sentence: the IPSEC implementation on Digital China (神碼) routers is quite distinctive.
Lab environment: two routers connected directly, with three subnets in total: 192.168.0.0, 192.168.1.0 and 192.168.2.0. 192.168.1.0 simulates the public network and the other two simulate private networks; by enabling IPSEC ××× the two private subnets are meant to communicate securely.
At the start, the configuration files of the two routers were as follows.
Router R1
show running-config
Building configuration...
Current configuration:
!
!version 1.3.3H
service timestamps log date
service timestamps debug date
no service password-encryption
!
hostname R1
crypto isakmp key 123456789 192.168.1.2 255.255.255.255
!
!
crypto isakmp policy 10
hash md5
!
crypto ipsec transform-set one
transform-type esp-des esp-md5-hmac
!
crypto map my 10 ipsec-isakmp
mode aggressive
set peer 192.168.1.2
set transform-set one
match address bendi
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
no ip directed-broadcast
crypto map my
ip nat outside
!
interface FastEthernet0/3
ip address 192.168.0.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
interface Serial0/1
no ip address
no ip directed-broadcast
!
interface Serial0/2
no ip address
no ip directed-broadcast
!
interface Async0/0
no ip address
no ip directed-broadcast
!
ip route 192.168.2.0 255.255.255.0 192.168.1.2
!
ip access-list extended bendi
permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
!
ip access-list standard 123
permit ip any
!
ip nat inside source list 123 interface FastEthernet0/0
!
R1_config#
Router R2
show run
Building configuration...
Current configuration:
!
!version 1.3.3H
service timestamps log date
service timestamps debug date
no service password-encryption
!
hostname R2
!
gbsc group default
!
crypto isakmp key 123456789 192.168.1.1 255.255.255.255
!
!
crypto isakmp policy 10
hash md5
!
crypto ipsec transform-set one
transform-type esp-des esp-md5-hmac
!
crypto map my 10 ipsec-isakmp
mode aggressive
set peer 192.168.1.1
set transform-set one
match address bendi
!
!
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
no ip directed-broadcast
crypto map my
ip nat outside
!
interface FastEthernet0/3
ip address 192.168.2.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
interface Serial0/1
no ip address
no ip directed-broadcast
!
interface Serial0/2
no ip address
no ip directed-broadcast
!
interface Async0/0
no ip address
no ip directed-broadcast
!
ip route 192.168.0.0 255.255.255.0 192.168.1.1
!
ip access-list extended bendi
permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
!
ip access-list standard 123
permit ip any
!
ip nat inside source list 123 interface FastEthernet0/0
!
R2_config#
Checking with show crypto ipsec sa and show crypto isakmp sa showed that the IPSEC connection could not be established, i.e. the IPSEC tunnel was not active. What was the problem? I checked the configuration and found no error. Fine, I removed NAT and tested again: show crypto ipsec sa and show crypto isakmp sa now showed the IPSEC connection established normally. I could not understand it......
After calling Digital China's 400 support hotline, the configuration was changed as follows.
Router R1
show running-config
Building configuration...
Current configuration:
!
!version 1.3.3H
service timestamps log date
service timestamps debug date
no service password-encryption
!
hostname R1
crypto isakmp key 123456789 192.168.1.2 255.255.255.255
!
!
crypto isakmp policy 10
hash md5
!
crypto ipsec transform-set one
transform-type esp-des esp-md5-hmac
!
crypto map my 10 ipsec-isakmp
mode aggressive
set peer 192.168.1.2
set transform-set one
match address bendi
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
no ip directed-broadcast
crypto map my
ip nat outside
!
interface FastEthernet0/3
ip address 192.168.0.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
interface Serial0/1
no ip address
no ip directed-broadcast
!
interface Serial0/2
no ip address
no ip directed-broadcast
!
interface Async0/0
no ip address
no ip directed-broadcast
!
ip route 192.168.2.0 255.255.255.0 192.168.1.2
!
ip access-list extended bendi
permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
!
ip access-list extended 123
deny ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
permit ip any any
!
ip nat inside source list 123 interface FastEthernet0/0
!
R1_config#
Router R2
show run
Building configuration...
Current configuration:
!
!version 1.3.3H
service timestamps log date
service timestamps debug date
no service password-encryption
!
hostname R2
!
gbsc group default
!
crypto isakmp key 123456789 192.168.1.1 255.255.255.255
!
!
crypto isakmp policy 10
hash md5
!
crypto ipsec transform-set one
transform-type esp-des esp-md5-hmac
!
crypto map my 10 ipsec-isakmp
mode aggressive
set peer 192.168.1.1
set transform-set one
match address bendi
!
!
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
no ip directed-broadcast
crypto map my
ip nat outside
!
interface FastEthernet0/3
ip address 192.168.2.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
interface Serial0/1
no ip address
no ip directed-broadcast
!
interface Serial0/2
no ip address
no ip directed-broadcast
!
interface Async0/0
no ip address
no ip directed-broadcast
!
ip route 192.168.0.0 255.255.255.0 192.168.1.1
!
ip access-list extended bendi
permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
!
ip access-list extended 123
deny ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
permit ip any any
!
ip nat inside source list 123 interface FastEthernet0/0
!
R2_config#
That is, the only difference between the configuration above and the initial one is the NAT access control list: in the configuration above, the extended access list first denies traffic between 192.168.0.0 and 192.168.2.0 from being NATed, then permits everything else. With this configuration the IPSEC tunnel becomes ACTIVE.
Post-mortem analysis: in the internal processing order of the Digital China router's OS, NAT takes precedence over IPSEC. A packet from 192.168.0.0/24 is therefore translated to the outside interface address before the crypto map's match ACL is consulted, no longer matches bendi, and never triggers IPSEC; the deny entry in the NAT list exempts the ××× traffic from translation so that it still matches.
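To make the ordering problem concrete, here is a small added simulation (example code written for this page, not the router's own logic). It models the outbound pipeline the page observed, NAT first and then the crypto map's match ACL, using ACL entries constructed to mirror R1's original and corrected NAT lists and the bendi crypto ACL. The sample host addresses and the NAT overload address 192.168.1.1 (R1's FastEthernet0/0) are assumptions taken from the lab topology; the ACL matching is a simplified first-match with implicit deny, which is the behaviour the fix relies on.

```python
import ipaddress

# Constructed ACL tables mirroring R1's configuration on the page.
# Each entry is (action, source network, destination network); the page
# writes dotted subnet masks, CIDR notation is used here for brevity.
NAT_ACL_ORIGINAL = [
    ("permit", "0.0.0.0/0", "0.0.0.0/0"),            # "permit ip any" (standard list 123)
]
NAT_ACL_FIXED = [
    ("deny",   "192.168.0.0/24", "192.168.2.0/24"),  # exempt site-to-site traffic from NAT
    ("permit", "0.0.0.0/0", "0.0.0.0/0"),            # "permit ip any any"
]
CRYPTO_ACL_BENDI = [
    ("permit", "192.168.0.0/24", "192.168.2.0/24"),  # crypto map "my" match address bendi
]
NAT_OUTSIDE_ADDR = "192.168.1.1"  # assumed: R1 FastEthernet0/0, the NAT overload address


def acl_match(acl, src, dst):
    """Return the action of the first matching entry, or 'deny' (implicit deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in acl:
        if s in ipaddress.ip_network(snet) and d in ipaddress.ip_network(dnet):
            return action
    return "deny"


def forward(nat_acl, crypto_acl, src, dst):
    """Model the order the page observed: NAT is applied first, then the
    crypto map's match ACL decides whether IPsec protects the packet.
    Returns (source address as seen on the wire, 'ipsec' or 'clear')."""
    if acl_match(nat_acl, src, dst) == "permit":
        src = NAT_OUTSIDE_ADDR  # inside source rewritten to the outside interface
    protected = acl_match(crypto_acl, src, dst) == "permit"
    return src, "ipsec" if protected else "clear"


def compare(src="192.168.0.10", dst="192.168.2.10"):
    """Run one LAN-to-LAN packet through the three situations on the page:
    original NAT list, NAT removed entirely, and the corrected NAT list."""
    return {
        "original": forward(NAT_ACL_ORIGINAL, CRYPTO_ACL_BENDI, src, dst),
        "no_nat": forward([], CRYPTO_ACL_BENDI, src, dst),
        "fixed": forward(NAT_ACL_FIXED, CRYPTO_ACL_BENDI, src, dst),
    }


if __name__ == "__main__":
    for name, (wire_src, mode) in compare().items():
        print(f"{name:9s} source on wire = {wire_src:13s} -> {mode}")
```

With the original list the packet leaves as 192.168.1.1 and falls outside bendi, so the tunnel is never brought up; with NAT removed, or with the deny entry in front of the permit, the original source survives and the packet matches the crypto ACL. Traffic to any other destination still hits the permit entry and is translated as before, which is why the fix does not break ordinary Internet access through the overload address.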