Tweet
Ghi chú: Trong mô hình đám mây Internet là Switch Layer 3 hoặc Router chỉ cấu hình IP kết nối với các Router R1, R2.
A) Cấu hình Router HUB
Building configuration...
Current configuration: 2098 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HUB
!
no aaa new-model
!
ip cef
!
no ip domain lookup
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile cisco
set security-association lifetime seconds 120
set transform-set strong
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Tunnel0
ip address 192.168.1.1 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp cache non-authoritative
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco
!
interface FastEthernet0/0
ip address 192.168.90.3 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address dhcp
duplex auto
speed auto
!
interface Serial0/1/0
no ip address
shutdown
clock rate 2000000
!
interface Serial0/2/0
no ip address
shutdown
clock rate 2000000
!
interface Serial0/3/0
no ip address
shutdown
clock rate 2000000
!
!
router eigrp 90
network 1.1.1.0 0.0.0.255
network 192.168.1.0
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 permanent
!
ip http server
no ip http secure-server
!
control-plane
!
!
end
B) Cấu hình Router Spoke 1
Building configuration...
Current configuration: 1668 bytes
!
version 12.4
!
hostname Spoke1
!
no aaa new-model
!
no ip domain lookup
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile cisco
set security-association lifetime seconds 120
set transform-set strong
!
interface Loopback0
ip address 192.168.20.1 255.255.255.0
!
interface Tunnel0
ip address 192.168.1.2 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp map 192.168.1.1 192.168.90.3
ip nhrp map multicast 192.168.90.3
!
ip nhrp nhs 192.168.1.1
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco
!
interface FastEthernet0/0
ip address 192.168.90.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/3/0
no ip address
shutdown
clock rate 2000000
!
network 192.168.1.0
network 192.168.20.0
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 192.168.90.3
ip route 3.3.3.0 255.255.255.0 Tunnel0
!
ip http server
no ip http secure-server
!
control-plane
!
!
end
C) Cấu hình Router Spoke 2
show run
Building configuration...
Current configuration: 1878 bytes
!
version 12.3
!
hostname Router
!
!
no ip dhcp use vrf connected
!
no ip domain lookup
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
no crypto isakmp ccm
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile cisco
set security-association lifetime seconds 120
set transform-set strong
!
interface Tunnel0
ip address 192.168.1.3 255.255.255.0
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp map 192.168.1.1 192.168.90.3
ip nhrp map multicast 192.168.90.3
ip nhrp network-id 1
ip nhrp nhs 192.168.1.1
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco
!
interface Loopback0
ip address 3.3.3.3 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.90.2 255.255.255.0
duplex auto
speed auto
!
!
router eigrp 90
network 3.3.3.0 0.0.0.255
network 192.168.1.0
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.90.3
ip route 192.168.20.0 255.255.255.0 Tunnel0
!
ip http server
no ip http secure-server
!
control-plane
!
end
D) Debug quá trình mã khóa
Router#debug crypto ipsec
Crypto IPSEC debugging is on
Router#
*Jun 30 11:57:46.067: IPSEC(key_engine): got a queue event with 1 kei messages
*Jun 30 11:57:46.067: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Jun 30 11:57:46.067: IPSEC(key_engine_delete_sas): delete SA with spi 0x5988066E proto 50 for 192.168.90.1
*Jun 30 11:57:46.067: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 192.168.90.2, sa_proto= 50,
sa_spi= 0xF502D036(4110602294),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 3009,
(identity) local= 192.168.90.2, remote= 192.168.90.1,
local_proxy= 192.168.90.2/255.255.255.255/47/0 (type=1),
remote_proxy= 192.168.90.1/255.255.255.255/47/0 (type=1)
Router#
*Jun 30 11:57:46.071: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 192.168.90.1, sa_proto= 50,
sa_spi= 0x5988066E(1502086766),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 3010,
(identity) local= 192.168.90.2, remote= 192.168.90.1,
local_proxy= 192.168.90.2/255.255.255.255/47/0 (type=1),
remote_proxy= 192.168.90.1/255.255.255.255/47/0 (type=1)
*Jun 30 11:57:46.071: IPSec: Flow_switching Deallocated flow for sibling 80000014
Router#
*Jun 30 11:57:51.075: IPSEC(key_engine): got a queue event with 1 kei messages
Router#
*Jun 30 11:58:02.923: IPSEC(key_engine): got a queue event with 1 kei messages
*Jun 30 11:58:02.931: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.90.2, remote= 192.168.90.1,ex
local_proxy= 192.168.90.2/255.255.255.255/47/0 (type=1),
remote_proxy= 192.168.90.1/255.255.255.255/47/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
*Jun 30 11:58:02.931: insert of map into mapdb AVL failed, map + ace pair already exists on the mapdb
*Jun 30 11:58:02.931: Crypto mapdb: proxy_match
src addr: 192.168.90.2
dst addr: 192.168.90.1
protocol: 47
src port: 0
dst port: 0
*Jun 30 11:58:02.935: IPSEC(key_engine): got a queue event with 1 kei messages
*Jun 30 11:58:02.935: IPSEC(spi_response): getting spi 529711881 for SA
from 192.168.90.2 to 192.168.90.1 for prot 3
*Jun 30 11:58:02.935: IPSEC(key_engine): got a queue event with 2 kei messages
*Jun 30 11:58:02.939: IPSEC(initialize_sas): ,
(key eng. msg.) INBOUND local= 192.168.90.2, remote= 192.168.90.1,
local_proxy= 192.168.90.2/0.0.0.0/47/0 (type=1),
remote_proxy= 192.168.90.1/0.0.0.0/47/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 120s and 4608000kb,
spi= 0x1F92C309(529711881), conn_id= 0, keysize= 0, flags= 0x2
*Jun 30 11:58:02.939: IPSEC(initialize_sas): ,
(key eng. msg.) OUTBOUND local= 192.168.90.2, remote= 192.168.90.1,
local_proxy= 192.168.90.2/0.0.0.0/47/0 (type=1),
remote_proxy= 192.168.90.1/0.0.0.0/47/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 120s and 4608000kb,
spi= 0x936B3ED8(2473279192), conn_id= 0, keysize= 0, flags= 0xA
*Jun 30 11:58:02.939: Crypto mapdb: proxy_match
src addr: 192.168.90.2
dst addr: 192.168.90.1
protocol: 47
src port: 0
dst port: 0
*Jun 30 11:58:02.939: IPSEC(cryp
Router#to_ipsec_sa_find_ident_head): reconnecting with the same proxies and 192.168.90.1
*Jun 30 11:58:02.939: IPSec: Flow_switching Allocated flow for sibling 80000016
*Jun 30 11:58:02.939: IPSEC(policy_db_add_ident): src 192.168.90.2, dest 192.168.90.1, dest_port 0
*Jun 30 11:58:02.939: IPSEC(create_sa): sa created,
(sa) sa_dest= 192.168.90.2, sa_proto= 50,
sa_spi= 0x1F92C309(529711881),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 3010
*Jun 30 11:58:02.939: IPSEC(create_sa): sa created,
(sa) sa_dest= 192.168.90.1, sa_proto= 50,
sa_spi= 0x936B3ED8(2473279192),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 3009
*Jun 30 11:58:02.943: IPSEC(key_engine): got a queue event with 1 kei messages
*Jun 30 11:58:02.943: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Jun 30 11:58:02.943: IPSEC(key_engine_enable_outbound): enable SA with spi 2473279192/50