0216_Frame Relay_IPsec

Introduction:
Topology diagram:

Configuration:

R1

access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 123456 address 1.1.1.2
crypto isakmp key 123456 address 1.1.1.3
crypto ipsec transform-set myset esp-3des esp-md5-hmac    // Note: AH parameters can also be configured over Frame Relay; this was tested successfully!
crypto map mymap 10 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set myset
 match address 100
crypto map mymap 20 ipsec-isakmp
 set peer 1.1.1.3
 set transform-set myset
 match address 101
interface Serial0/0
 ip address 1.1.1.1 255.255.255.0
 encapsulation frame-relay IETF
 frame-relay map ip 1.1.1.2 26
 frame-relay map ip 1.1.1.3 27
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
 crypto map mymap
ip route 192.168.2.0 255.255.255.0 1.1.1.2
ip route 192.168.3.0 255.255.255.0 1.1.1.3

R3

access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 123456 address 1.1.1.1
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set myset
 match address 100
interface Serial0/0
 ip address 1.1.1.2 255.255.255.0
 encapsulation frame-relay IETF
 frame-relay map ip 1.1.1.1 36
 frame-relay map ip 1.1.1.3 36
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
 crypto map mymap
ip route 192.168.1.0 255.255.255.0 1.1.1.1

R4

access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 123456 address 1.1.1.1
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set myset
 match address 100
interface Serial0/0
 ip address 1.1.1.3 255.255.255.0
 encapsulation frame-relay IETF
 frame-relay map ip 1.1.1.1 37
 frame-relay map ip 1.1.1.2 37
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
 crypto map mymap
ip route 192.168.1.0 255.255.255.0 1.1.1.1

R2

frame-relay switching
interface Serial0/0
 no ip address
 encapsulation frame-relay IETF
 serial restart-delay 0
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
 frame-relay intf-type dce
 frame-relay route 26 interface Serial0/1 36
 frame-relay route 27 interface Serial0/2 37
interface Serial0/1
 no ip address
 encapsulation frame-relay IETF
 serial restart-delay 0
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
 frame-relay intf-type dce
 frame-relay route 36 interface Serial0/0 26
interface Serial0/2
 no ip address
 encapsulation frame-relay IETF
 serial restart-delay 0
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
 frame-relay intf-type dce
 frame-relay route 37 interface Serial0/0 27
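The hub-and-spoke setup above only works if every crypto map entry is mirrored on the far side: the peer must hold the same pre-shared key for our address, and the peer's crypto ACL must be our ACL with source and destination swapped. A non-mirrored crypto ACL is the usual reason a tunnel completes Phase 1 (QM_IDLE) but never builds a Phase 2 SA. The script below is an added example, not part of the original post and not a Cisco tool: it parses constructed excerpts of the R1, R3 and R4 configs shown above (the CONFIGS dict, parse_config and check_peers are names chosen here) and reports every entry whose peer lacks a matching key or mirror-image ACL.

```python
import re

# Constructed excerpts of the R1, R3 and R4 configs from this lab, reduced to
# the lines the check needs. R2 is only the Frame Relay switch and carries no
# IPsec configuration, so it is left out.
CONFIGS = {
    "R1": """\
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
crypto isakmp key 123456 address 1.1.1.2
crypto isakmp key 123456 address 1.1.1.3
crypto map mymap 10 ipsec-isakmp
 set peer 1.1.1.2
 match address 100
crypto map mymap 20 ipsec-isakmp
 set peer 1.1.1.3
 match address 101
interface Serial0/0
 ip address 1.1.1.1 255.255.255.0
 crypto map mymap
""",
    "R3": """\
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto isakmp key 123456 address 1.1.1.1
crypto map mymap 10 ipsec-isakmp
 set peer 1.1.1.1
 match address 100
interface Serial0/0
 ip address 1.1.1.2 255.255.255.0
 crypto map mymap
""",
    "R4": """\
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto isakmp key 123456 address 1.1.1.1
crypto map mymap 10 ipsec-isakmp
 set peer 1.1.1.1
 match address 100
interface Serial0/0
 ip address 1.1.1.3 255.255.255.0
 crypto map mymap
""",
}

ACL_RE = re.compile(r"^access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$")
KEY_RE = re.compile(r"^crypto isakmp key (\S+) address (\S+)$")
MAP_RE = re.compile(r"^crypto map \S+ \d+ ipsec-isakmp$")
ADDR_RE = re.compile(r"^ ip address (\S+) \S+$")


def parse_config(text):
    """Pull the crypto-relevant facts out of one IOS config excerpt."""
    facts = {"address": None, "acls": {}, "keys": {}, "entries": []}
    entry = None  # crypto map entry currently being filled in
    for line in text.splitlines():
        if not line.startswith(" "):
            entry = None  # any top-level command ends crypto-map mode
        if m := ACL_RE.match(line):
            # (src, src-wildcard, dst, dst-wildcard) exactly as written on the router
            facts["acls"].setdefault(m.group(1), set()).add(m.groups()[1:])
        elif m := KEY_RE.match(line):
            facts["keys"][m.group(2)] = m.group(1)
        elif MAP_RE.match(line):
            entry = {"peer": None, "acl": None}
            facts["entries"].append(entry)
        elif entry is not None and line.startswith(" set peer "):
            entry["peer"] = line.split()[-1]
        elif entry is not None and line.startswith(" match address "):
            entry["acl"] = line.split()[-1]
        elif m := ADDR_RE.match(line):
            facts["address"] = m.group(1)
    return facts


def check_peers(configs):
    """Return one finding per crypto map entry that its peer does not mirror.

    An empty list means the Phase 1 keys agree and every crypto ACL has a
    mirror-image ACL on the far side, which is what this lab's ACLs show."""
    parsed = {name: parse_config(cfg) for name, cfg in configs.items()}
    by_addr = {p["address"]: name for name, p in parsed.items()}
    findings = []
    for name, p in parsed.items():
        for e in p["entries"]:
            peer = by_addr.get(e["peer"])
            if peer is None:
                findings.append(f"{name}: peer {e['peer']} is not one of the parsed routers")
                continue
            q = parsed[peer]
            # Phase 1: the pre-shared key must exist on both sides and agree.
            if e["peer"] not in p["keys"]:
                findings.append(f"{name}: no ISAKMP key configured for {e['peer']}")
            elif p["keys"][e["peer"]] != q["keys"].get(p["address"]):
                findings.append(f"{name}<->{peer}: pre-shared keys differ or missing on {peer}")
            # Phase 2: the far side's crypto ACL must be ours with src/dst swapped.
            mirror = {(d, dw, s, sw) for s, sw, d, dw in p["acls"].get(e["acl"], set())}
            theirs = set()
            for x in q["entries"]:
                if x["peer"] == p["address"]:
                    theirs |= q["acls"].get(x["acl"], set())
            if mirror != theirs:
                findings.append(f"{name}->{peer}: crypto ACL {e['acl']} is not mirrored on {peer}")
    return findings


if __name__ == "__main__":
    for line in check_peers(CONFIGS) or ["all crypto map entries are mirrored"]:
        print(line)
```

Run against the lab configs the check returns nothing; change one address in R4's ACL or one key on R3 and the corresponding entry is reported from both ends. The check covers mirroring only: the lab's encr 3des, hash md5, group 2 and short numeric pre-shared key are lab settings, and a production version of this check would flag those lines as well.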

Tests:

R2:

r2#SH FRAM ROU
Input Intf      Input Dlci      Output Intf     Output Dlci     Status
Serial0/0       26              Serial0/1       36              active
Serial0/0       27              Serial0/2       37              active
Serial0/1       36              Serial0/0       26              active
Serial0/2       37              Serial0/0       27              active

R1:

r1#SH CRY IS SA
dst             src             state          conn-id slot
1.1.1.1         1.1.1.2         QM_IDLE              1    0
1.1.1.1         1.1.1.3         QM_IDLE              2    0

R3:

r3#SH CRY IS SA
dst             src             state          conn-id slot
1.1.1.1         1.1.1.2         QM_IDLE              1    0

R4:

r4#SH CRY IS SA
dst             src             state          conn-id slot
1.1.1.1         1.1.1.3         QM_IDLE              1    0

VPC:

Testing with the VPCs:

VPC1:
The headquarters LAN can ping Branch 1 and Branch 2.

VPC2:
Branch 1 can ping the headquarters LAN.

VPC3:
Branch 2 can ping the headquarters LAN.

Tests:

r1#sh cry ip sa

interface: Serial0/0
    Crypto map tag: mymap, local addr. 1.1.1.1

   protected vrf:
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer: 1.1.1.2:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

      local crypto endpt.: 1.1.1.1, remote crypto endpt.:  1.1.1.2
     path mtu 1500, media mtu 1500
     current outbound spi: 6DA96143

      inbound esp sas :
      spi: 0x47E18A8B( 1205963403 ) ------> IN, matches R3's OUT
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: mymap
        crypto engine type: Software, engine_id: 1
        sa timing: remaining key lifetime (k/sec): (4561490/2009)
        ike_cookies: 4212F6AE 2BE257C8 70AA7619 C7B2C848
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x6DA96143(1839817027)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: mymap
        crypto engine type: Software, engine_id: 1
        sa timing: remaining key lifetime (k/sec): (4561492/2008)
        ike_cookies: 4212F6AE 2BE257C8 70AA7619 C7B2C848
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

   protected vrf:
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer: 1.1.1.3:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 1.1.1.1, remote crypto endpt.:  1.1.1.3
     path mtu 1500, media mtu 1500
     current outbound spi: 935F895E

      inbound esp sas:
      spi: 0x189C7927( 412907815 )  ------> IN, matches R4's OUT
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2002, flow_id: 3, crypto map: mymap
        crypto engine type: Software, engine_id: 1
        sa timing: remaining key lifetime (k/sec): (4410147/2372)
        ike_cookies: 0304C43A 22E2C670 2D431BA9 28CCCCBE
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x935F895E(2472511838)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2003, flow_id: 4, crypto map: mymap
        crypto engine type: Software, engine_id: 1
        sa timing: remaining key lifetime (k/sec): (4410149/2372)
        ike_cookies: 0304C43A 22E2C670 2D431BA9 28CCCCBE
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

r1#

r3#sh cry ip sa

interface: Serial0/0
    Crypto map tag: mymap, local addr. 1.1.1.2

   protected vrf:
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 1.1.1.1:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 6, #recv errors 0

     local crypto endpt.: 1.1.1.2, remote crypto endpt.: 1.1.1.1
     path mtu 1500, media mtu 1500
     current outbound spi: 47E18A8B

     inbound esp sas:
      spi: 0x6DA96143(1839817027)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: mymap
        crypto engine type: Software, engine_id: 1
        sa timing: remaining key lifetime (k/sec): (4434742/1960)
        ike_cookies: 70AA7619 C7B2C848 4212F6AE 2BE257C8
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x47E18A8B( 1205963403 )  ------> OUT, matches R1's IN
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: mymap
        crypto engine type: Software, engine_id: 1
        sa timing: remaining key lifetime (k/sec): (4434744/1960)
        ike_cookies: 70AA7619 C7B2C848 4212F6AE 2BE257C8
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

r3#

r4#sh cry ip sa

interface: Serial0/0
    Crypto map tag: mymap, local addr. 1.1.1.3

   protected vrf:
   local  ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 1.1.1.1:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 1.1.1.3, remote crypto endpt.: 1.1.1.1
     path mtu 1500, media mtu 1500
     current outbound spi: 189C7927

     inbound esp sas:
      spi: 0x935F895E(2472511838)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: mymap
        crypto engine type: Software, engine_id: 1
        sa timing: remaining key lifetime (k/sec): (4549234/2304)
        ike_cookies: 2D431BA9 28CCCCBE 0304C43A 22E2C670
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x189C7927( 412907815 )  ------> OUT, matches R1's IN
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: mymap
        crypto engine type: Software, engine_id: 1
        sa timing: remaining key lifetime (k/sec): (4549236/2304)
        ike_cookies: 2D431BA9 28CCCCBE 0304C43A 22E2C670
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

r4#
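The arrows in the output above mark the relationship a practitioner checks when Phase 1 is QM_IDLE but traffic does not flow: R1's inbound ESP SPI must be R3's outbound SPI and vice versa, and likewise for the R1/R4 pair. The script below is an added example and not part of the original post: it parses constructed, abbreviated show crypto ipsec sa output built from the SPI values and error counters shown above (SHOW_OUTPUT, parse_ipsec_sa and cross_check are names chosen here) and confirms that every SA pair is mirrored between the peers, while also surfacing the non-zero #send errors counters seen on R3 and R4.

```python
import re

# Constructed, abbreviated "show crypto ipsec sa" output for the three peers,
# built from the SPI values and counters in this lab's test section.
SHOW_OUTPUT = {
    "r1": """\
interface: Serial0/0
    Crypto map tag: mymap, local addr. 1.1.1.1
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer: 1.1.1.2:500
    #send errors 0, #recv errors 0
     inbound esp sas :
      spi: 0x47E18A8B( 1205963403 )
     outbound esp sas:
      spi: 0x6DA96143(1839817027)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer: 1.1.1.3:500
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0x189C7927( 412907815 )
     outbound esp sas:
      spi: 0x935F895E(2472511838)
""",
    "r3": """\
interface: Serial0/0
    Crypto map tag: mymap, local addr. 1.1.1.2
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 1.1.1.1:500
    #send errors 6, #recv errors 0
     inbound esp sas:
      spi: 0x6DA96143(1839817027)
     outbound esp sas:
      spi: 0x47E18A8B( 1205963403 )
""",
    "r4": """\
interface: Serial0/0
    Crypto map tag: mymap, local addr. 1.1.1.3
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 1.1.1.1:500
    #send errors 1, #recv errors 0
     inbound esp sas:
      spi: 0x935F895E(2472511838)
     outbound esp sas:
      spi: 0x189C7927( 412907815 )
""",
}

LOCAL_RE = re.compile(r"local addr\.?\s+(\S+)")
REMOTE_RE = re.compile(r"remote ident \(addr/mask/prot/port\): \((\S+?)/")
PEER_RE = re.compile(r"current_peer: (\S+?):\d+")
ERR_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")
SPI_RE = re.compile(r"\bspi: 0x([0-9A-Fa-f]+)")


def parse_ipsec_sa(text):
    """Return the router's local address and one record per protected flow."""
    local, flows, flow, direction = None, [], None, None
    for line in text.splitlines():
        if m := LOCAL_RE.search(line):
            local = m.group(1)
        elif m := REMOTE_RE.search(line):
            # every "remote ident" line opens a new flow (one per crypto map entry)
            flow = {"remote_net": m.group(1), "peer": None, "in_spi": None,
                    "out_spi": None, "send_errors": 0, "recv_errors": 0}
            flows.append(flow)
            direction = None
        elif flow is None:
            continue
        elif m := PEER_RE.search(line):
            flow["peer"] = m.group(1)
        elif m := ERR_RE.search(line):
            flow["send_errors"], flow["recv_errors"] = int(m.group(1)), int(m.group(2))
        elif "inbound esp sas" in line:
            direction = "in_spi"
        elif "outbound esp sas" in line:
            direction = "out_spi"
        elif direction and (m := SPI_RE.search(line)):
            flow[direction] = m.group(1).upper()
    return {"local": local, "flows": flows}


def cross_check(outputs):
    """Match every SA pair against the peer's view of the same tunnel.

    Returns {"mismatches": [...], "send_errors": {"<router>-><peer>": n}}."""
    parsed = {n: parse_ipsec_sa(t) for n, t in outputs.items()}
    by_addr = {p["local"]: n for n, p in parsed.items()}
    mismatches, send_errors = [], {}
    for name, p in parsed.items():
        for f in p["flows"]:
            if f["send_errors"]:
                send_errors[f"{name}->{f['peer']}"] = f["send_errors"]
            peer = by_addr.get(f["peer"])
            if peer is None:
                mismatches.append(f"{name}: no output collected from peer {f['peer']}")
                continue
            # our inbound SPI must be the peer's outbound SPI, and vice versa
            paired = any(g["peer"] == p["local"] and g["out_spi"] == f["in_spi"]
                         and g["in_spi"] == f["out_spi"]
                         for g in parsed[peer]["flows"])
            if not paired:
                mismatches.append(f"{name}<->{peer}: SPIs in={f['in_spi']} "
                                  f"out={f['out_spi']} have no matching SA pair on {peer}")
    return {"mismatches": mismatches, "send_errors": send_errors}


if __name__ == "__main__":
    print(cross_check(SHOW_OUTPUT))
```

On the lab output there are no mismatches and the report lists 6 send errors on R3 and 1 on R4. Send errors of that size right after bring-up are consistent with the first packets that matched the crypto ACL being dropped while IKE was still negotiating; a counter that keeps growing once the SA is up points at the Frame Relay map or the static route rather than at IPsec, and a SPI that appears on only one side means the two routers are holding different SAs.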




This article is reposted from 810105851's 51CTO blog. Original link: http://blog.51cto.com/4708948/1134140 . To reprint it, please contact the original author.




