
0216_Frame Relay_IPsec

Topology:

Configuration parameters:

R1

access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 123456 address 1.1.1.2
crypto isakmp key 123456 address 1.1.1.3
crypto ipsec transform-set myset esp-3des esp-md5-hmac  // Note: AH parameters can also be configured over Frame Relay; this has been tested successfully!
crypto map mymap 10 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set myset
 match address 100
crypto map mymap 20 ipsec-isakmp
 set peer 1.1.1.3
 set transform-set myset  // every crypto map entry needs a transform set; this line is missing from the original listing and is assumed to be myset, as in entry 10
 match address 101
interface Serial0/0
 ip address 1.1.1.1 255.255.255.0
 encapsulation frame-relay IETF
 frame-relay map ip 1.1.1.2 26
 frame-relay map ip 1.1.1.3 27
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
 crypto map mymap
ip route 192.168.2.0 255.255.255.0 1.1.1.2
ip route 192.168.3.0 255.255.255.0 1.1.1.3

R3
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto isakmp key 123456 address 1.1.1.1
crypto ipsec transform-set myset esp-3des esp-md5-hmac
 set peer 1.1.1.1
 ip address 1.1.1.2 255.255.255.0
 frame-relay map ip 1.1.1.1 36
 frame-relay map ip 1.1.1.3 36
ip route 192.168.1.0 255.255.255.0 1.1.1.1

R4
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 ip address 1.1.1.3 255.255.255.0
 frame-relay map ip 1.1.1.1 37
 frame-relay map ip 1.1.1.2 37

R2
frame-relay switching
 no ip address
 serial restart-delay 0
 frame-relay intf-type dce
 frame-relay route 26 interface Serial0/1 36
 frame-relay route 27 interface Serial0/2 37
interface Serial0/1
 frame-relay route 36 interface Serial0/0 26
interface Serial0/2
 frame-relay route 37 interface Serial0/0 27

Test:

R2:
r2#SH FRAM ROU
Input Intf      Input Dlci      Output Intf     Output Dlci     Status
Serial0/0       26              Serial0/1       36              active
Serial0/0       27              Serial0/2       37              active
Serial0/1       36              Serial0/0       26              active
Serial0/2       37              Serial0/0       27              active

R1:
r1#SH CRY IS SA
dst             src             state          conn-id slot
1.1.1.1         1.1.1.2         QM_IDLE              1    0
1.1.1.1         1.1.1.3         QM_IDLE              2    0

R3:
r3#SH CRY IS SA

R4:
r4#SH CRY IS SA
1.1.1.1         1.1.1.3         QM_IDLE              1    0

VPC:
Testing with the VPCs

VPC1:
The HQ internal network can ping Branch 1 and Branch 2

VPC2:
Branch 1 can ping the HQ internal network

VPC3:
Branch 2 can ping the HQ internal network

r1#sh cry ip sa
interface: Serial0/0
    Crypto map tag: mymap, local addr. 1.1.1.1
   protected vrf:
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer: 1.1.1.2:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 1.1.1.2
     path mtu 1500, media mtu 1500
     current outbound spi: 6DA96143
     inbound esp sas:
      spi: 0x47E18A8B(1205963403) ------> IN corresponds to R3's OUT
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: mymap
        crypto engine type: Software, engine_id: 1
        sa timing: remaining key lifetime (k/sec): (4561490/2009)
        ike_cookies: 4212F6AE 2BE257C8 70AA7619 C7B2C848
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x6DA96143(1839817027)
        slot: 0, conn id: 2001, flow_id: 2, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4561492/2008)
     outbound ah sas:
     outbound pcp sas:
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer: 1.1.1.3:500
     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 1.1.1.3
     current outbound spi: 935F895E
     inbound esp sas:
      spi: 0x189C7927(412907815) ------> IN corresponds to R4's OUT
        slot: 0, conn id: 2002, flow_id: 3, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4410147/2372)
        ike_cookies: 0304C43A 22E2C670 2D431BA9 28CCCCBE
      spi: 0x935F895E(2472511838)
        slot: 0, conn id: 2003, flow_id: 4, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4410149/2372)
r1#

r3#sh cry ip sa
    Crypto map tag: mymap, local addr. 1.1.1.2
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 1.1.1.1:500
    #send errors 6, #recv errors 0
     local crypto endpt.: 1.1.1.2, remote crypto endpt.: 1.1.1.1
     current outbound spi: 47E18A8B
     inbound esp sas:
        sa timing: remaining key lifetime (k/sec): (4434742/1960)
        ike_cookies: 70AA7619 C7B2C848 4212F6AE 2BE257C8
     outbound esp sas:
      spi: 0x47E18A8B(1205963403) ------> OUT corresponds to R1's IN
        sa timing: remaining key lifetime (k/sec): (4434744/1960)
r3#

r4#sh cry ip sa
    Crypto map tag: mymap, local addr. 1.1.1.3
   local  ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
    #send errors 1, #recv errors 0
     local crypto endpt.: 1.1.1.3, remote crypto endpt.: 1.1.1.1
     current outbound spi: 189C7927
        sa timing: remaining key lifetime (k/sec): (4549234/2304)
        ike_cookies: 2D431BA9 28CCCCBE 0304C43A 22E2C670
      spi: 0x189C7927(412907815) ------> OUT corresponds to R1's IN
        sa timing: remaining key lifetime (k/sec): (4549236/2304)
r4#
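The SPI correspondence that the annotations above point out (each router's inbound ESP SPI is its peer's outbound SPI) can be checked mechanically. The script below is an added example, not the blog author's code: it parses `show crypto ipsec sa` excerpts for R1 and R3 and reports SPI mismatches and non-zero send-error counters. The sample text is constructed in the shape of the page's output using the SPIs shown on the page; R3's inbound SPI is assumed to mirror R1's outbound SPI.

```python
import re

# Constructed excerpts in the shape of the page's "show crypto ipsec sa" output;
# SPIs are those on the page, R3's inbound SPI is assumed to mirror R1's outbound.
R1_SA = """   current_peer: 1.1.1.2:500
     inbound esp sas:
      spi: 0x47E18A8B(1205963403)
     outbound esp sas:
      spi: 0x6DA96143(1839817027)
   current_peer: 1.1.1.3:500
     inbound esp sas:
      spi: 0x189C7927(412907815)
     outbound esp sas:
      spi: 0x935F895E(2472511838)
"""
R3_SA = """   current_peer: 1.1.1.1:500
    #send errors 6, #recv errors 0
     inbound esp sas:
      spi: 0x6DA96143(1839817027)
     outbound esp sas:
      spi: 0x47E18A8B(1205963403)
"""

def parse_ipsec_sa(text):
    """Per peer IP: inbound/outbound ESP or AH SPIs (upper-case hex) and the send-error count."""
    peers, cur, dirn = {}, None, None
    for line in text.splitlines():
        if m := re.search(r"current_peer: ([\d.]+):", line):
            cur = peers.setdefault(m[1], {"in": set(), "out": set(), "send_errors": 0})
        elif cur is None: continue  # skip header lines before the first peer block
        elif m := re.search(r"#send errors (\d+)", line):
            cur["send_errors"] = int(m[1])
        elif m := re.search(r"(in|out)bound (esp|ah) sas", line):
            dirn = m[1]  # the "spi:" lines that follow belong to this direction
        elif (m := re.search(r"spi: 0x([0-9a-f]+)", line, re.I)) and dirn:
            cur[dirn].add(m[1].upper())
    return peers

def check_pair(a_ip, a_sa, b_ip, b_sa):
    """Mirror check: a's inbound SPIs must be b's outbound SPIs and vice versa."""
    a, b = a_sa.get(b_ip), b_sa.get(a_ip)
    if a is None or b is None:
        return [f"no SA pair between {a_ip} and {b_ip}"]
    problems = []
    if a["in"] != b["out"] or a["out"] != b["in"]:
        problems.append(f"SPI mismatch {a_ip}<->{b_ip}: {a_ip} in={sorted(a['in'])} out={sorted(a['out'])}, {b_ip} in={sorted(b['in'])} out={sorted(b['out'])}")
    for ip, sa in ((a_ip, a), (b_ip, b)):
        if sa["send_errors"]:
            problems.append(f"{ip}: {sa['send_errors']} send errors (traffic dropped before the SA was up)")
    return problems
```

Running `check_pair("1.1.1.1", parse_ipsec_sa(R1_SA), "1.1.1.2", parse_ipsec_sa(R3_SA))` reports only R3's six send errors, which match the counter the page shows for R3 (packets sent while the tunnel was still negotiating).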

This article is reposted from the 51CTO blog of 810105851; original link: http://blog.51cto.com/4708948/1134140. To repost it, please contact the original author.
