全系列VPN技术集锦第一卷第2章(Site-to-SiteIPsecVPN)2

全系列VPN技术集锦第一卷第2章(Site-to-SiteIPsecVPN)作者：论坛整理zdnet网络安全CNETNews.com.cn2008-01-1913:29:21关键词：安全防护防火墙VPN实例研究使用预共享密钥作为认证机制的路由器到路由器的IPsec这是IPsecVPN中最基本最常用的类型.这种类型的VPN属于LAN-to-LAN.这里使用的认证方法是预共享密钥.以后的实例研究有更安全的认证方法的例子.在实例中我们将给出发起者路由器和响应者路由器的配置,同时也给出了DEBUG输出以及相关的SHOU命令输出,以便我们共同研究.例1作为IPsec协商的发起者的路由器配置hostnameInitiatorTheISAKMPpolicydefinestheattributeswhichwillbenegotiatedwithpeersfortheIKESA.cryptoisakmppolicy1TheencryptionmethoddefinedbelowisusedforencryptingtheIKEnegotiationpacketsusingSKEYID_eencr3desThehashalgorithmdefinedbelowisusedtogeneratethehasheswhichareusedforIKEauthetnicationpurposes.hashshaThelinebelowdefinestheauthenticationmethodaspre-sharedkeyauthenticationauthenticationpre-shareThelinebelowdefinesthepre-sharedkeyforthepeerattheIPaddress172.16.172.20.PleasenotethattheinitiatorwillsearchthroughitsconfigforthiskeyusingthesourceIPaddressoftheIKEnegotiationpacketsitisreceiving.cryptoisakmpkeyjw4ep9846804ijladdress172.16.172.20ThefollowinglinedefinesthetransformsetforusewithIPsec.Thistransformset!specifiesthenameofthetransformsetasmyset.Theencapsulationmethoddefined!isESPandtheencryptionalgorithmtouseis3DES(tripleDES).Thelastpartof!thiscommandspecifiesMD5astheESPintegritycheckinghash.cryptoipsectransform-setmysetesp-3desesp-md5-hmacThefollowingconfigurationisforthecryptomapnamedvpn.CryptomapsessentiallybindtheentireIPsecconfigurationtogether.VariouselementsofIPsecdefinedinvariousplacesintheconfigurationaretiedtogetherusingthecryptomap.10istheinstancenumberforthemaphere.Instancenumbersareusedtospecifytheorderinwhichmultiplecryptomapsareparsedinaconfig.Thekeywordipsec-isakmpisusedtospecifythatthisparticularcryptomapistobeusedforIPsecratherthanCET.cryptomapvpn10ipsec-isakmpThecommandlinebelowdefinestheIPaddressoftheIPsecpeer.setpeer172.16.172.20Thelinebelowdefinesthetransformsettouseforthiscryptomap.settransform-setmysetThelinebelowspecifiestheaccesslistwhichwillbedefinetrafficwhichwilleithertriggerIKEnegotiationorbeusedtoverifythattheproxyIdsbeingofferedduringanIKEnegotiationarevalid.matchaddress101interfaceEthernet0/0ipaddress?xml:namespaceprefix=st1ns=urn:schemas-microsoft-com:office:smarttags/10.1.1.1255.255.255.0interfaceEthernet1/0ipaddress172.16.172.10255.255.255.0ThelinebelowisusedasatoggleswitchtoturnonIPsecfunctionalityasdefinedbythecryptomapvpn.cryptomapvpnTheaccesslistdefinebelowisusedtospecifyinterestingtrafficforIPsec.access-list101permitip10.1.1.00.0.0.25510.1.2.00.0.0.255例2作为IPsec协商的响应者的路由器配置hostnameRespondercryptoisakmppolicy1encr3deshashshaauthenticationpre-sharecryptoisakmpkeyjw4ep9846804ijladdress172.16.172.10cryptoipsectransform-setmysetesp-3desesp-md5-hmaccryptomapvpn10ipsec-isakmpsetpeer172.16.172.10settransform-setmysetmatchaddress101interfaceEthernet0/0ipaddress10.1.2.1255.255.255.0interfaceEthernet1/0ipaddress172.16.172.20255.255.255.0cryptomapvpnaccess-list101permitip10.1.2.00.0.0.25510.1.1.00.0.0.255对debug的解释紧接着该解释对应的实际debug例3作为IPsec协商的发起者的路由器debugInitiator#showdebugCryptographicSubsystem:CryptoISAKMPdebuggingisonCryptoEnginedebuggingisonCryptoIPSECdebuggingisonA#pingProtocol[ip]:TargetIPaddress:10.1.2.1Repeatcount[5]:Datagramsize[100]:Timeoutinseconds[2]:Extendedcommands[n]:ySourceaddressorinterface:10.1.1.1Typeofservice[0]:SetDFbitinIPheader?[no]:Validatereplydata?[no]:Datapattern[0xABCD]:Loose,Strict,Record,Timestamp,Verbose[none]:Sweeprangeofsizes[n]:Typeescapesequencetoabort.Sending5,100-byteICMPEchosto10.1.2.1,timeoutis2seconds:ThepingsourceanddestinationaddressesmatchedthematchaddressaccesslistforthecryptomapVPN.localisthelocaltunnelendpoint,andremoteistheremotecryptoendpointasconfiguredinthemap.srcproxyisthesrcinterestingtrafficasdefinedbythematchaddressaccesslist.dstproxyisthedestinationinterestingtrafficasdefinedbythematchaddressaccesslist.00:04:10:IPSEC(sa_request):(keyeng.msg.)OUTBOUNDlocal=172.16.172.10,remote=172.16.172.20,local_proxy=10.1.1.0/255.255.255.0/0/0(type=4),remote_proxy=10.1.2.0/255.255.255.0/0/0(type=4),Theprotocolandthetransformsarespecifiedbythecryptomapthathasbeenhit,asarethelifetimesprotocol=ESP,transform=esp-3desesp-md5-hmac,lifedur=3600sand4608000kb,spi=0x8EAB0B22(2393574178),conn_id=0,keysize=0,flags=0x400CBeginsmainmodeexchange.ThefirsttwopacketsnegotiatephaseISAparameters.00:04:10:ISAKMP:receivedkemessage(1/1)00:04:10:ISAKMP:localport500,remoteport50000:04:10:ISAKMP(0:1):Input=IKE_MESG_FROM_IPSEC,IKE_SA_REQ_MMMMstandsformainmode,andQMstandsforquickmode.TheIKEdebugsshowwhichstageofIKEthenegotiationisin,suchasMM1.AsyousawinthediscussionofIKE,mainmodeisdividedintosixportionsormessages,andquickmodeintothree.OldState=IKE_READYNewState=IKE_I_MM100:04:10:ISAKMP(0:1):beginningMainModeexchange00:04:10:ISAKMP(0:1):sendingpacketto172.16.172.20(I)MM_NO_STATE00:04:10:ISAKMP(0:1):receivedpacketfrom172.16.172.20(I)MM_NO_STATE00:04:10:ISAKMP(0:1):Input=IKE_MESG_FROM_PEER,IKE_MM_EXCHOldState=IKE_I_MM1NewState=IKE_I_MM200:04:10:ISAKMP(0:1):processingSApayload.messageID=0ThepresharedkeyissearchedforandfoundbasedonthesourceIPaddressofIKEnegotiationpackets.00:04: