温馨提示×

温馨提示×

您好,登录后才能下订单哦!

密码登录×
登录注册×
其他方式登录
点击 登录注册 即表示同意《亿速云用户服务条款》

ISAKMP Profile技术应用

发布时间:2020-08-02 02:15:09 来源:网络 阅读:2332 作者:超哥2018 栏目:安全技术

ISAKMP Profile技术应用






ISAKMP Profile技术是IKE协商的一种新型配置方式。它主要的作用是映射我们第一阶段ISAKMP参数到第

二阶段IPSec隧道,可以实现一个设备和多个站点建立多个隧道。还可以很好的消除不同×××之间的影

响,让第一阶段策略和第二阶段策略关联的更加紧密。并且ISAKMP Profile普遍在EZ×××和VRF-ware 

IPSec ×××配置里边被采用。


Site1

crypto keyring ccie 

  pre-shared-key address 61.128.1.1 key cisco

!

crypto isakmp policy 100

 encr 3des

 authentication pre-share

 group 2

crypto isakmp profile isaprof

   keyring ccie

   match identity address 61.128.1.1 255.255.255.255 

!

!

crypto ipsec transform-set myset esp-3des esp-sha-hmac 

!

crypto map ccie 10 ipsec-isakmp 

 set peer 61.128.1.1

 set transform-set myset 

 set isakmp-profile isaprof

 match address ***

!

interface Loopback0

 ip address 1.1.1.1 255.255.255.0

!

interface FastEthernet0/0

 ip address 202.100.1.1 255.255.255.0

 crypto map ccie

!      

ip route 0.0.0.0 0.0.0.0 202.100.1.10

!

ip access-list extended ***

 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255


Internet

interface FastEthernet0/0

 ip address 202.100.1.10 255.255.255.0

!

interface FastEthernet0/1

 ip address 61.128.1.10 255.255.255.0


end


Site2:

crypto keyring ccie 

  pre-shared-key address 202.100.1.1 key cisco

!

crypto isakmp policy 100

 encr 3des

 authentication pre-share

 group 2

crypto isakmp profile isaprof

   keyring ccie

   match identity address 202.100.1.1 255.255.255.255 

!

!

crypto ipsec transform-set myset esp-3des esp-sha-hmac 

!

crypto map ccie 10 ipsec-isakmp 

 set peer 202.100.1.1

 set transform-set myset 

 set isakmp-profile isaprof

 match address ***

!


interface Loopback0

 ip address 2.2.2.2 255.255.255.0

!

interface FastEthernet0/0

 ip address 61.128.1.1 255.255.255.0

 crypto map ccie

!     

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 61.128.1.10

!

ip access-list extended ***

 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255

!

测试

Site1#ping 2.2.2.2 source lo0               


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

Packet sent with a source address of 1.1.1.1 

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 104/133/148 ms


Site1#show crypto ipsec sa


interface: FastEthernet0/0

    Crypto map tag: ccie, local addr 202.100.1.1


   protected vrf: (none)

   local  ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)

   current_peer 61.128.1.1 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9

    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 1, #recv errors 0


     local crypto endpt.: 202.100.1.1, remote crypto endpt.: 61.128.1.1

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

     current outbound spi: 0x96AB8F14(2527825684)


     inbound esp sas:

      spi: 0xF41D2511(4095550737)

        transform: esp-3des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 1, flow_id: SW:1, crypto map: ccie

        sa timing: remaining key lifetime (k/sec): (4566332/2033)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:

      spi: 0x96AB8F14(2527825684)

        transform: esp-3des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 2, flow_id: SW:2, crypto map: ccie

        sa timing: remaining key lifetime (k/sec): (4566332/2031)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE


     outbound ah sas:


     outbound pcp sas:


Site1#show crypto session 

Crypto session current status


Interface: FastEthernet0/0

Profile: isaprof

Session status: UP-ACTIVE     

Peer: 61.128.1.1 port 500 

  IKE SA: local 202.100.1.1/500 remote 61.128.1.1/500 Active 

  IPSEC FLOW: permit ip 1.1.1.0/255.255.255.0 2.2.2.0/255.255.255.0 

        Active SAs: 2, origin: crypto map


向AI问一下细节

免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。

AI