The following is excerpted from 《Cisco路由器配置与管理完全手册》(第二版) (Cisco Router Configuration and Management Complete Manual, 2nd edition), one volume of a four-book network device set whose other three volumes are 《Cisco交换机配置与管理完全手册》(第二版), 《H3C交换机配置与管理完全手册》(第二版) and 《H3C路由器配置与管理完全手册》(第二版).
From the Easy VPN server operating principles described in Section 15.1.9, an Easy VPN server requires at least the following four configuration tasks (plus optional tasks chosen according to the actual functional requirements):
- Create the IKE policy used for IKE phase 1 device authentication: one or more proposals, each a combination of encryption algorithm, hash algorithm, authentication method and DH group; that is, the crypto map and transform-set entries required by the IKE policies introduced in Chapter 13 of this book.
- Configure the AAA policy used for IKE phase 2 Xauth extended user authentication: this includes the AAA authentication, authorization and (optionally) accounting methods to be used.
- Configure the mode configuration push function: define the IPsec group or user attributes that mode configuration push may use (including the internal local addresses to be pushed to Easy VPN clients), enable mode configuration push, and specify the push URL.
- Configure RRI (Reverse Route Injection): automatically create a static route for each internal IP address or subnet assigned to an Easy VPN client.
15.8.3 Cisco Easy VPN comprehensive configuration example
The topology of this example is shown in Figure 15-15. A Cisco 831 router is used as the Easy VPN remote device and a Cisco 1751 router as the Easy VPN server. In this example the WAN interfaces of both the Cisco 1751 and the Cisco 831 have static public IP addresses. The Easy VPN remote Cisco 831 router runs in Client mode and uses NAT/PAT to translate the addresses of traffic coming from the Easy VPN client hosts; Xauth user authentication is performed on the Easy VPN server side.
Figure 15-15 Topology of the Cisco Easy VPN configuration example
In this example the Easy VPN remote Cisco 831 router works in Client mode. Because routers of this series use Ethernet0 as the NAT/PAT inside interface by default, there is no need to specify a NAT/PAT inside interface separately, nor to apply the Easy VPN remote configuration separately. The private network behind the Easy VPN remote is translated by NAT/PAT to the global IP address pushed by the Easy VPN server's mode configuration feature. Because Client mode is used, only users on the VPN client network may access the VPN server network; traffic initiated from the Easy VPN server side toward the Cisco 831 router is not allowed.
1. Configuration of the Easy VPN remote Cisco 831 router
(1) Basic global configuration.
Router(config)#hostname Cisco831
Cisco831(config)#enable password cisco
Cisco831(config)#username cisco password 0 cisco
Cisco831(config)#ip subnet-zero
Cisco831(config)#no ip domain-lookup
Cisco831(config)#ip domain-name cisco.com
Cisco831(config)#ip ssh time-out 120
Cisco831(config)#ip ssh authentication-retries 3
Cisco831(config)#ip classless
Cisco831(config)#ip route 0.0.0.0 0.0.0.0 Ethernet1 !--- Default route via the WAN interface
Cisco831(config)#ip route 30.30.30.0 255.255.255.0 Ethernet1 !--- Static route via the WAN interface to the private network behind the Easy VPN server
Cisco831(config)#ip http server
Cisco831(config)#ip pim bidir-enable
Cisco831(config)#line con 0
Cisco831(config-line)#exec-timeout 120 0
Cisco831(config-line)#stopbits 1
Cisco831(config-line)#exit
Cisco831(config)#line vty 0 4
Cisco831(config-line)#exec-timeout 0 0
Cisco831(config-line)#no login
Cisco831(config-line)#exit
(2) DHCP server configuration (provides automatic IP address assignment to the Easy VPN client hosts).
Cisco831(config)#ip dhcp excluded-address 10.10.10.1
Cisco831(config)#ip dhcp pool CLIENT
Cisco831(dhcp-config)#import all
Cisco831(dhcp-config)#network 10.10.10.0 255.255.255.0
Cisco831(dhcp-config)#default-router 10.10.10.1
Cisco831(dhcp-config)#dns-server 30.30.30.60
Cisco831(dhcp-config)#exit
(3) Easy VPN remote configuration.
Cisco831(config)#crypto ipsec client ezvpn hw-client
Cisco831(config-crypto-ezvpn)#group hw-client-groupname key hw-client-password
Cisco831(config-crypto-ezvpn)#mode client
Cisco831(config-crypto-ezvpn)#peer 20.20.20.2
Cisco831(config-crypto-ezvpn)#exit
Cisco831(config)#interface Ethernet0
Cisco831(config-if)#description connected to BRANCH LAN
Cisco831(config-if)#ip address 10.10.10.1 255.255.255.0
Cisco831(config-if)#no cdp enable
Cisco831(config-if)#exit
Cisco831(config)#interface Ethernet1
Cisco831(config-if)#description connected to INTERNET
Cisco831(config-if)#ip address 20.20.20.1 255.255.255.0
Cisco831(config-if)#no cdp enable
Cisco831(config-if)#crypto ipsec client ezvpn hw-client !--- Apply the Easy VPN remote configuration hw-client created above to the WAN interface, which serves as the NAT/PAT outside interface
Cisco831(config-if)#exit
The basic Easy VPN remote configuration can be viewed with the show crypto ipsec client ezvpn command.
Cisco831#show crypto ipsec client ezvpn
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 30.30.30.2
Mask: 255.255.255.255
DNS Primary: 30.30.30.10
DNS Secondary: 30.30.30.11
NBMS/WINS Primary: 30.30.30.12
NBMS/WINS Secondary: 30.30.30.13
Default Domain: cisco.com
The configuration used for IPsec SA negotiation on the Easy VPN remote device can be viewed with the show crypto ipsec sa command.
Cisco831#show crypto ipsec sa
interface: Ethernet1
Crypto map tag: Ethernet1-head-0, local addr. 20.20.20.1
local ident (addr/mask/prot/port): (30.30.30.2/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: 20.20.20.2
PERMIT, flags={origin_is_acl,}
#pkts encaps: 26, #pkts encrypt: 26, #pkts digest 26
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 20.20.20.1, remote crypto endpt.: 20.20.20.2
path mtu 1500, media mtu 1500
current outbound spi: 7C1E9826
inbound esp sas:
spi: 0x54C859CF(1422416335)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2000, flow_id: 1, crypto map: Ethernet1-head-0
sa timing: remaining key lifetime (k/sec): (4607999/3404)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x7C1E9826(2082379814)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2001, flow_id: 2, crypto map: Ethernet1-head-0
sa timing: remaining key lifetime (k/sec): (4607996/3395)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
2. Configuration of the Easy VPN server Cisco 1751V router
(1) Basic global configuration.
Router(config)#hostname Cisco1751
Cisco1751(config)#ip classless
Cisco1751(config)#ip route 0.0.0.0 0.0.0.0 Ethernet0/0 !--- Default route with the WAN interface Ethernet0/0 as the outgoing interface
Cisco1751(config)#no ip http server
Cisco1751(config)#ip pim bidir-enable
Cisco1751(config)#no ip source-route !--- Do not process packets that carry the source-route option
Cisco1751(config)#line vty 0 4
Cisco1751(config-line)#password cisco
Cisco1751(config-line)#login
Cisco1751(config-line)#exit
(2) Enable AAA lookup configuration.
Cisco1751(config)#aaa new-model
Cisco1751(config)#aaa authentication login userlist local !--- Define a login authentication AAA method list named userlist that uses local authentication
Cisco1751(config)#aaa authorization network hw-client-groupname local !--- Define a network authorization AAA method list named hw-client-groupname that uses local authorization
Cisco1751(config)#aaa session-id common
Cisco1751(config)#enable password cisco
Cisco1751(config)#username winda password 0 cisco !--- Username and password used for local authentication
Cisco1751(config)#ip domain-name cisco.com
(3) IKE policy configuration.
Cisco1751(config)#crypto isakmp policy 1
Cisco1751(config-isakmp)#encryption 3des
Cisco1751(config-isakmp)#authentication pre-share
Cisco1751(config-isakmp)#group 2
Cisco1751(config-isakmp)#exit
Cisco1751(config)#crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
Cisco1751(config-crypto-tran)#exit
Cisco1751(config)#crypto dynamic-map dynmap 1
Cisco1751(config-crypto-map)#set transform-set transform-1
Cisco1751(config-crypto-map)#reverse-route
Cisco1751(config-crypto-map)#exit
(4) Configure the mode configuration group policy information.
Cisco1751(config)#crypto isakmp client configuration group hw-client-groupname
Cisco1751(config-isakmp-group)#key hw-client-password
Cisco1751(config-isakmp-group)#dns 30.30.30.10 30.30.30.11
Cisco1751(config-isakmp-group)#wins 30.30.30.12 30.30.30.13
Cisco1751(config-isakmp-group)#domain cisco.com
Cisco1751(config-isakmp-group)#pool dynpool
Cisco1751(config-isakmp-group)#exit
Cisco1751(config)#crypto isakmp client configuration address-pool local dynpool !--- Name the local address pool to be pushed in the group configuration: dynpool
Cisco1751(config)#ip local pool dynpool 30.30.30.20 30.30.30.30 !--- Pool of internal global IP addresses pushed to Easy VPN clients
(5) Apply mode configuration and Xauth authentication.
Cisco1751(config)#crypto map dynmap client authentication list userlist
Cisco1751(config)#crypto map dynmap isakmp authorization list hw-client-groupname
Cisco1751(config)#crypto map dynmap client configuration address respond
Cisco1751(config)#crypto map dynmap 1 ipsec-isakmp dynamic dynmap
Cisco1751(config)#interface Ethernet0/0
Cisco1751(config-if)#description connected to INTERNET
Cisco1751(config-if)#ip address 20.20.20.2 255.255.255.0
Cisco1751(config-if)#half-duplex
Cisco1751(config-if)#no cdp enable
Cisco1751(config-if)#crypto map dynmap !--- Apply the dynamic crypto map dynmap created above in the IKE policy step
Cisco1751(config-if)#exit
Cisco1751(config)#interface FastEthernet0/0
Cisco1751(config-if)#description connected to HQ LAN
Cisco1751(config-if)#ip address 30.30.30.1 255.255.255.0
Cisco1751(config-if)#speed auto
Cisco1751(config-if)#no cdp enable
Cisco1751(config-if)#exit
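The four mandatory server tasks listed at the start of this section, the remote profile in part 1 and the server configuration in part 2 are tied together by names that must agree: the AAA lists named on the crypto map, the group name and key shared by remote and server, the pool named in the group, the transform set named in the dynamic map, and the peer address the remote dials. The following Python script is an added example (not code from the book or from Cisco) that checks those references before the tunnel is brought up. It uses a deliberately simple parser that treats indented lines as children of the preceding top-level command, and the sample configs are constructed from the values in this example; the function names `parse_blocks`, `audit_server` and `audit_pair` are this example's own.

```python
import re
from typing import List, Tuple

# Constructed sample configs mirroring the book's example; keys are the book's placeholders.
REMOTE_CFG = """\
crypto ipsec client ezvpn hw-client
 group hw-client-groupname key hw-client-password
 mode client
 peer 20.20.20.2
interface Ethernet1
 ip address 20.20.20.1 255.255.255.0
 crypto ipsec client ezvpn hw-client
"""
SERVER_CFG = """\
aaa new-model
aaa authentication login userlist local
aaa authorization network hw-client-groupname local
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
crypto dynamic-map dynmap 1
 set transform-set transform-1
 reverse-route
crypto isakmp client configuration group hw-client-groupname
 key hw-client-password
 pool dynpool
ip local pool dynpool 30.30.30.20 30.30.30.30
crypto map dynmap client authentication list userlist
crypto map dynmap isakmp authorization list hw-client-groupname
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
interface Ethernet0/0
 ip address 20.20.20.2 255.255.255.0
 crypto map dynmap
"""


def parse_blocks(cfg: str) -> List[Tuple[str, List[str]]]:
    """Split an IOS-style config into (top-level command, [indented sub-commands]) pairs."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in cfg.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t" and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_server(cfg: str) -> List[str]:
    """Findings for the four mandatory Easy VPN server tasks; an empty list means consistent."""
    blocks = parse_blocks(cfg)
    tops = [t for t, _ in blocks]
    defined = lambda p: any(t == p or t.startswith(p + " ") for t in tops)  # top-level cmd exists
    of = lambda p: [b for b in blocks if b[0].startswith(p)]                 # blocks by prefix
    f: List[str] = []
    # Task 1: an IKE policy with pre-shared-key authentication (the group key depends on it)
    if not any("authentication pre-share" in s for _, s in of("crypto isakmp policy")):
        f.append("no IKE policy with 'authentication pre-share'")
    # Task 2: the AAA method lists named on the crypto map must really be defined
    if "aaa new-model" not in tops:
        f.append("aaa new-model missing")
    for kind, aaa in (("client authentication", "aaa authentication login"),
                      ("isakmp authorization", "aaa authorization network")):
        for m in re.finditer(rf"^crypto map \S+ {kind} list (\S+)", cfg, re.M):
            if not defined(f"{aaa} {m.group(1)}"):
                f.append(f"{kind} list {m.group(1)} has no '{aaa}' entry")
    # Task 3: mode-config group, its address pool, and 'address respond|initiate' on the map
    for top, s in of("crypto isakmp client configuration group "):
        for x in s:
            if x.startswith("pool ") and not defined(f"ip local pool {x.split()[1]}"):
                f.append(f"{top}: pool {x.split()[1]} has no 'ip local pool' definition")
    if not re.search(r"^crypto map \S+ client configuration address (respond|initiate)", cfg, re.M):
        f.append("no 'crypto map ... client configuration address respond|initiate'")
    # Task 4: RRI on the dynamic map, and the transform set it references must exist
    for top, s in of("crypto dynamic-map "):
        if not any(x.startswith("reverse-route") for x in s):
            f.append(f"{top}: reverse-route missing (RRI not enabled)")
        for x in s:
            if x.startswith("set transform-set ") and not defined(f"crypto ipsec transform-set {x.split()[2]}"):
                f.append(f"{top}: transform-set {x.split()[2]} not defined")
    return f


def audit_pair(remote_cfg: str, server_cfg: str) -> List[str]:
    """Cross-check the remote's ezvpn profile against the server: peer address, group name and key."""
    server = parse_blocks(server_cfg)
    map_ips = {x.split()[2] for t, s in server if t.startswith("interface ")
               for x in s if x.startswith("ip address ") and any(y.startswith("crypto map ") for y in s)}
    keys = {t.split()[-1]: next((x.split(None, 1)[1] for x in s if x.startswith("key ")), None)
            for t, s in server if t.startswith("crypto isakmp client configuration group ")}
    f: List[str] = []
    for top, s in parse_blocks(remote_cfg):
        if not top.startswith("crypto ipsec client ezvpn "):
            continue
        for x in s:
            if x.startswith("peer ") and x.split()[1] not in map_ips:
                f.append(f"{top}: peer {x.split()[1]} is not a server interface carrying a crypto map")
            m = re.match(r"group (\S+) key (\S+)", x)
            if m and keys.get(m.group(1)) != m.group(2):
                f.append(f"{top}: group {m.group(1)} missing on server or key mismatch")
    return f
```

Running `audit_server(SERVER_CFG)` and `audit_pair(REMOTE_CFG, SERVER_CFG)` on the sample configs returns no findings; deleting the `reverse-route` line, renaming the pool, pointing the remote at a different peer, or changing the group key each produces a finding that names the dangling reference, which is usually faster than reading IKE debug output to find the same mistake.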
The configuration used for IPsec SA negotiation on the Easy VPN server side can likewise be viewed with the show crypto ipsec sa command; overall it is much the same as what is seen on the Easy VPN remote.
Cisco1751#show crypto ipsec sa
interface: Ethernet0/0
Crypto map tag: dynmap, local addr. 20.20.20.2
protected vrf:
local ident (addr/mask/prot/port): (30.30.30.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (30.30.30.20/255.255.255.255/0/0)
current_peer: 20.20.20.1:500
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 13, #pkts decrypt: 13, #pkts verify 13
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 20.20.20.2, remote crypto endpt.: 20.20.20.1
path mtu 1500, media mtu 1500
current outbound spi: 239C766E
inbound esp sas:
spi: 0xE89E6649(3902694985)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 200, flow_id: 1, crypto map: dynmap
sa timing: remaining key lifetime (k/sec): (4458452/3335)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x239C766E(597456494)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 201, flow_id: 2, crypto map: dynmap
sa timing: remaining key lifetime (k/sec): (4458454/3335)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
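Both the remote-side and the server-side show crypto ipsec sa listings above carry the facts an operator checks after a tunnel comes up: an ESP SA in each direction, tunnel mode, the negotiated transform, anti-replay support, remaining lifetime, and whether the "current outbound spi" line agrees with the outbound SA. The Python script below is an added example (not from the book or from Cisco) that parses one interface section of that output and flags what a defender would want to see fixed; the sample text is the server-side listing from this page with a few informational lines trimmed, and the names `parse_ipsec_sa`, `check_report`, `WEAK` and `LEGACY` are this example's own. Treating 3DES as legacy is this example's judgement, reflecting current guidance that prefers AES with SHA-2.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample output: the server-side 'show crypto ipsec sa' listing from this page, trimmed.
SAMPLE = """\
interface: Ethernet0/0
Crypto map tag: dynmap, local addr. 20.20.20.2
current_peer: 20.20.20.1:500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 13, #pkts decrypt: 13, #pkts verify 13
current outbound spi: 239C766E
inbound esp sas:
spi: 0xE89E6649(3902694985)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
sa timing: remaining key lifetime (k/sec): (4458452/3335)
replay detection support: Y
inbound ah sas:
outbound esp sas:
spi: 0x239C766E(597456494)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
sa timing: remaining key lifetime (k/sec): (4458454/3335)
replay detection support: Y
outbound ah sas:
"""

WEAK = {"esp-des", "esp-null", "esp-md5-hmac"}  # broken cipher / no confidentiality / weak MAC
LEGACY = {"esp-3des"}                           # 64-bit block cipher, deprecated; prefer AES

@dataclass
class Sa:
    direction: str          # inbound / outbound
    proto: str              # esp / ah / pcp
    spi: int
    transform: str = ""
    mode: str = ""
    remaining_sec: int = 0
    replay: bool = False

@dataclass
class Report:
    interface: str = ""
    crypto_map: str = ""
    local_addr: str = ""
    peer: str = ""
    counters: Dict[str, int] = field(default_factory=dict)
    current_outbound_spi: Optional[int] = None
    sas: List[Sa] = field(default_factory=list)

def parse_ipsec_sa(text: str) -> Report:
    """Parse one interface section of 'show crypto ipsec sa' into a Report."""
    rep, section, sa = Report(), ("", ""), None
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("interface:"):
            rep.interface = s.split(":", 1)[1].strip()
        elif s.startswith("Crypto map tag:"):
            m = re.match(r"Crypto map tag: (\S+), local addr\.? (\S+)", s)
            rep.crypto_map, rep.local_addr = m.group(1), m.group(2)
        elif s.startswith("current_peer:"):            # may carry a ':500' port suffix
            rep.peer = s.split(":", 1)[1].strip().split(":")[0]
        elif s.startswith("#"):                         # packet counters, several per line
            for name, val in re.findall(r"#([a-z][a-z .]*?):? (\d+)", s):
                rep.counters[name] = int(val)
        elif s.startswith("current outbound spi:"):
            rep.current_outbound_spi = int(s.split(":")[1].strip(), 16)
        elif (m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", s)):
            section = (m.group(1), m.group(2))          # following 'spi:' lines belong here
        elif s.startswith("spi:"):                      # 'spi: 0x239C766E(597456494)'
            sa = Sa(section[0], section[1], int(s.split()[1].split("(")[0], 16))
            rep.sas.append(sa)
        elif sa and s.startswith("transform:"):
            sa.transform = s.split(":", 1)[1].strip(" ,")
        elif sa and s.startswith("in use settings"):
            sa.mode = re.search(r"=\{(\w+)", s).group(1)
        elif sa and s.startswith("sa timing:"):
            sa.remaining_sec = int(re.search(r"/(\d+)\)", s).group(1))
        elif sa and s.startswith("replay detection support:"):
            sa.replay = s.endswith("Y")
    return rep

def check_report(rep: Report) -> List[str]:
    """Flag what a defender wants fixed: ESP both ways, tunnel mode, anti-replay on,
    no weak or legacy transforms, and 'current outbound spi' matching the outbound SA."""
    f: List[str] = []
    esp = [x for x in rep.sas if x.proto == "esp"]
    for d in ("inbound", "outbound"):
        if not any(x.direction == d for x in esp):
            f.append(f"no {d} ESP SA on {rep.interface}")
    for x in esp:
        tag = f"{x.direction} esp spi 0x{x.spi:08X}"
        algs = set(x.transform.split())
        if algs & WEAK:
            f.append(f"{tag}: weak transform '{x.transform}'")
        if algs & LEGACY:
            f.append(f"{tag}: legacy transform '{x.transform}', prefer an AES/SHA-2 transform set")
        if not x.replay:
            f.append(f"{tag}: replay detection not enabled")
        if x.mode != "Tunnel":
            f.append(f"{tag}: mode {x.mode or 'unknown'}, expected Tunnel")
        if x.direction == "outbound" and rep.current_outbound_spi not in (None, x.spi):
            f.append(f"{tag}: does not match 'current outbound spi' 0x{rep.current_outbound_spi:08X}")
    return f
```

On the sample listing `check_report(parse_ipsec_sa(SAMPLE))` returns exactly two findings, one per ESP SA, both about the 3DES transform; everything else (two ESP SAs, tunnel mode, replay detection Y, matching outbound SPI) passes. The zero encaps counter on the server with a non-zero decaps counter is expected in this Client-mode scenario, where only the remote side initiates traffic.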
The show crypto engine connections active command displays a summary of the crypto engine's active connections. The leading number is the connection ID.
Cisco1751#show crypto engine connections active
ID Interface IP-Address State Algorithm Encrypt Decrypt
1 Ethernet0/0 20.20.20.2 set HMAC_SHA+3DES_56_C 0 0
200 Ethernet0/0 20.20.20.2 set HMAC_SHA+3DES_56_C 0 538
201 Ethernet0/0 20.20.20.2 set HMAC_SHA+3DES_56_C 133 0