Configurazione di Hub e Spoke da router a router IPSec

Opzioni per il download

PDF (184.6 KB)
Visualizza con Adobe Reader su diversi dispositivi
ePub (93.0 KB)
Visualizza in diverse app su iPhone, iPad, Android, Sony Reader o Windows Phone
Mobi (Kindle) (124.9 KB)
Visualizza su dispositivo Kindle o tramite app Kindle su più dispositivi

Aggiornato:14 gennaio 2008

ID documento:14133

Linguaggio senza pregiudizi

La documentazione per questo prodotto è stata redatta cercando di utilizzare un linguaggio senza pregiudizi. Ai fini di questa documentazione, per linguaggio senza di pregiudizi si intende un linguaggio che non implica discriminazioni basate su età, disabilità, genere, identità razziale, identità etnica, orientamento sessuale, status socioeconomico e intersezionalità. Le eventuali eccezioni possono dipendere dal linguaggio codificato nelle interfacce utente del software del prodotto, dal linguaggio utilizzato nella documentazione RFP o dal linguaggio utilizzato in prodotti di terze parti a cui si fa riferimento. Scopri di più sul modo in cui Cisco utilizza il linguaggio inclusivo.

Informazioni su questa traduzione

Cisco ha tradotto questo documento utilizzando una combinazione di tecnologie automatiche e umane per offrire ai nostri utenti in tutto il mondo contenuti di supporto nella propria lingua. Si noti che anche la migliore traduzione automatica non sarà mai accurata come quella fornita da un traduttore professionista. Cisco Systems, Inc. non si assume alcuna responsabilità per l’accuratezza di queste traduzioni e consiglia di consultare sempre il documento originale in inglese (disponibile al link fornito).

Sommario

Introduzione

Prerequisiti

Requisiti

Componenti usati

Convenzioni

Configurazione

Esempio di rete

Configurazioni

Verifica

Risoluzione dei problemi

Comandi per la risoluzione dei problemi

Informazioni correlate

Introduzione

Questo documento mostra la crittografia hub e spoke tra un router (l'"hub") e altri tre router (gli "spoke"). Sul router hub è presente una mappa crittografica che specifica le reti dietro ognuno dei tre peer. Le mappe crittografiche su ciascuno dei router spoke specificano la rete dietro il router hub.

La crittografia viene effettuata tra le seguenti reti:

da rete 160.160.160.x a rete 170.170.170.x
da rete 160.160.160.x a rete 180.180.180.x
da rete 160.160.160.x a rete 190.190.190.x

Prerequisiti

Requisiti

Nessun requisito specifico previsto per questo documento.

Componenti usati

Le informazioni fornite in questo documento si basano sulle seguenti versioni software e hardware:

Software Cisco IOS® versione 12.0.7.T o successive
Cisco 2500 router

Le informazioni discusse in questo documento fanno riferimento a dispositivi usati in uno specifico ambiente di emulazione. Su tutti i dispositivi menzionati nel documento la configurazione è stata ripristinata ai valori predefiniti. Se la rete è operativa, valutare attentamente eventuali conseguenze derivanti dall'uso dei comandi.

Convenzioni

Per ulteriori informazioni sulle convenzioni usate, consultare il documento Cisco sulle convenzioni nei suggerimenti tecnici.

Configurazione

In questa sezione vengono presentate le informazioni necessarie per configurare le funzionalità descritte più avanti nel documento.

Nota: per ulteriori informazioni sui comandi menzionati in questo documento, usare lo strumento di ricerca dei comandi (solo utenti registrati).

Esempio di rete

Nel documento viene usata questa impostazione di rete:

Configurazioni

Nel documento vengono usate queste configurazioni:

configurazione dr_whoovie
Configurazione sam-I-am
Configurazione thidwick
Configurazione di Yertle

configurazione dr_whoovie
Current configuration: ! version 12.0 service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname dr_whoovie ! enable secret 5 $1$KxKv$cbqKsZtQTLJLGPN.tErFZ1 enable password ww ! ip subnet-zero ! cns event-service server !--- Configure the Internet Key Exchange (IKE) !--- policy and preshared key for each peer: !--- IKE policy defined for peers. crypto isakmp policy 1 authentication pre-share !--- Preshared keys for different peers. crypto isakmp key cisco170 address 150.150.150.2 crypto isakmp key cisco180 address 150.150.150.3 crypto isakmp key cisco190 address 150.150.150.4 !--- Configure the IPSec parameters: !--- IPSec transform sets. crypto ipsec transform-set 170cisco esp-des esp-md5-hmac crypto ipsec transform-set 180cisco esp-des esp-md5-hmac crypto ipsec transform-set 190cisco esp-des esp-md5-hmac ! crypto map ETH0 17 ipsec-isakmp !--- Set the peer. set peer 150.150.150.2 !--- The IPSec transform set is used for this tunnel. set transform-set 170cisco !--- Interesting traffic for peer 150.150.150.2. match address 170 crypto map ETH0 18 ipsec-isakmp !--- Set the peer. set peer 150.150.150.3 !--- The IPSec transform set is used for this tunnel. set transform-set 180cisco !--- Interesting traffic for peer 150.150.150.3. match address 180 crypto map ETH0 19 ipsec-isakmp !--- Set the peer. set peer 150.150.150.4 !--- The IPSec transform set is used for this tunnel. set transform-set 190cisco !--- Interesting traffic for peer 150.150.150.4. match address 190 ! interface Ethernet0 ip address 150.150.150.1 255.255.255.0 no ip directed-broadcast no ip route-cache no ip mroute-cache no mop enabled !--- Apply crypto map on the interface. crypto map ETH0 ! interface Serial0 ip address 160.160.160.1 255.255.255.0 no ip directed-broadcast no ip mroute-cache no fair-queue ! ip classless ip route 170.170.170.0 255.255.255.0 150.150.150.2 ip route 180.180.180.0 255.255.255.0 150.150.150.3 ip route 190.190.190.0 255.255.255.0 150.150.150.4 no ip http server ! !--- Access list that shows traffic to encryption from yertle. access-list 170 permit ip 160.160.160.0 0.0.0.255 170.170.170.0 0.0.0.255 !--- Access list that shows traffic to encryption from thidwick. access-list 180 permit ip 160.160.160.0 0.0.0.255 180.180.180.0 0.0.0.255 !--- Access list that shows traffic to encryption from sam-i-am. access-list 190 permit ip 160.160.160.0 0.0.0.255 190.190.190.0 0.0.0.255 dialer-list 1 protocol ip permit dialer-list 1 protocol ipx permit ! line con 0 transport input none line aux 0 line vty 0 4 password ww login end

configurazione dr_whoovie

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname dr_whoovie
!
enable secret 5 $1$KxKv$cbqKsZtQTLJLGPN.tErFZ1
enable password ww
!
ip subnet-zero
!
cns event-service server

!--- Configure the Internet Key Exchange (IKE) !--- policy and preshared key for each peer: !--- IKE policy defined for peers.

crypto isakmp policy 1
authentication pre-share

!--- Preshared keys for different peers.

crypto isakmp key cisco170 address 150.150.150.2
crypto isakmp key cisco180 address 150.150.150.3
crypto isakmp key cisco190 address 150.150.150.4

!--- Configure the IPSec parameters: !--- IPSec transform sets.

crypto ipsec transform-set 170cisco esp-des esp-md5-hmac
crypto ipsec transform-set 180cisco esp-des esp-md5-hmac
crypto ipsec transform-set 190cisco esp-des esp-md5-hmac
!
crypto map ETH0 17 ipsec-isakmp

!--- Set the peer.

set peer 150.150.150.2

!--- The IPSec transform set is used for this tunnel.

set transform-set 170cisco

!--- Interesting traffic for peer 150.150.150.2.

match address 170
crypto map ETH0 18 ipsec-isakmp

!--- Set the peer.

set peer 150.150.150.3

!--- The IPSec transform set is used for this tunnel.

set transform-set 180cisco

!--- Interesting traffic for peer 150.150.150.3.

match address 180
crypto map ETH0 19 ipsec-isakmp

!--- Set the peer.

set peer 150.150.150.4

!--- The IPSec transform set is used for this tunnel.

set transform-set 190cisco

!--- Interesting traffic for peer 150.150.150.4.

match address 190
!
interface Ethernet0
ip address 150.150.150.1 255.255.255.0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
no mop enabled

!--- Apply crypto map on the interface.

crypto map ETH0
!
interface Serial0
ip address 160.160.160.1 255.255.255.0
no ip directed-broadcast
no ip mroute-cache
no fair-queue
!
ip classless
ip route 170.170.170.0 255.255.255.0 150.150.150.2
ip route 180.180.180.0 255.255.255.0 150.150.150.3
ip route 190.190.190.0 255.255.255.0 150.150.150.4
no ip http server
!

!--- Access list that shows traffic to encryption from yertle.

access-list 170 permit ip 160.160.160.0 0.0.0.255 170.170.170.0 0.0.0.255

!--- Access list that shows traffic to encryption from thidwick.

access-list 180 permit ip 160.160.160.0 0.0.0.255 180.180.180.0 0.0.0.255

!--- Access list that shows traffic to encryption from sam-i-am.

access-list 190 permit ip 160.160.160.0 0.0.0.255 190.190.190.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
line con 0
transport input none
line aux 0
line vty 0 4
password ww
login
end

Configurazione sam-I-am
Current configuration: ! version 12.0 service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname Sam-I-am ! enable secret 5 $1$HDyw$qubSJdqfIC0f1VLvHmg/P0 enable password ww ! ip subnet-zero ! isdn switch-type basic-5ess isdn voice-call-failure 0 cns event-service server !--- Configure the IKE policy and preshared key for the hub: crypto isakmp policy 1 authentication pre-share crypto isakmp key cisco190 address 150.150.150.1 !--- Configure the IPSec parameters: !--- IPSec transform set. crypto ipsec transform-set 190cisco esp-des esp-md5-hmac !--- Crypto map definition for the hub site. crypto map ETH0 19 ipsec-isakmp !--- Set the peer. set peer 150.150.150.1 !--- IPSec transform set. set transform-set 190cisco !--- Interesting traffic for peer 150.150.150.1 (hub site). match address 190 ! interface Ethernet0 ip address 150.150.150.4 255.255.255.0 no ip directed-broadcast no ip route-cache no ip mroute-cache no mop enabled !--- Apply crypto map on the interface. crypto map ETH0 ! interface Serial0 ip address 190.190.190.1 255.255.255.0 no ip directed-broadcast no ip mroute-cache no fair-queue ! ip classless ip route 160.160.160.0 255.255.255.0 150.150.150.1 no ip http server !--- Access list that shows traffic to encryption !--- for the hub site (dr_whoovie). access-list 190 permit ip 190.190.190.0 0.0.0.255 160.160.160.0 0.0.0.255 dialer-list 1 protocol ip permit dialer-list 1 protocol ipx permit ! line con 0 transport input none line aux 0 line vty 0 4 password ww login ! end

Configurazione sam-I-am

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Sam-I-am
!
enable secret 5 $1$HDyw$qubSJdqfIC0f1VLvHmg/P0
enable password ww
!
ip subnet-zero
!
isdn switch-type basic-5ess
isdn voice-call-failure 0
cns event-service server

!--- Configure the IKE policy and preshared key for the hub:

crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco190 address 150.150.150.1 

!--- Configure the IPSec parameters: !--- IPSec transform set.

crypto ipsec transform-set 190cisco esp-des esp-md5-hmac 

!--- Crypto map definition for the hub site.

crypto map ETH0 19 ipsec-isakmp

!--- Set the peer. 

set peer 150.150.150.1

!--- IPSec transform set.

set transform-set 190cisco

!--- Interesting traffic for peer 150.150.150.1 (hub site).
 
match address 190
!
interface Ethernet0
ip address 150.150.150.4 255.255.255.0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
no mop enabled

!--- Apply crypto map on the interface.

crypto map ETH0
!
interface Serial0
ip address 190.190.190.1 255.255.255.0
no ip directed-broadcast
no ip mroute-cache
no fair-queue
!
ip classless
ip route 160.160.160.0 255.255.255.0 150.150.150.1
no ip http server

!--- Access list that shows traffic to encryption !--- for the hub site (dr_whoovie).

access-list 190 permit ip 190.190.190.0 0.0.0.255 160.160.160.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
line con 0
transport input none
line aux 0
line vty 0 4
password ww
login
!
end

Configurazione thidwick
Current configuration: ! version 12.0 service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname thidwick ! enable secret 5 $1$Pcpo$fj4FNS1dEDY9lGg3Ne6FK1 enable password ww ! ip subnet-zero ! isdn switch-type basic-5ess isdn voice-call-failure 0 cns event-service server !--- Configure the IKE policy and preshared key for the hub: crypto isakmp policy 1 authentication pre-share crypto isakmp key cisco180 address 150.150.150.1 !--- Configure the IPSec parameters: !--- IPSec transform set. crypto ipsec transform-set 180cisco esp-des esp-md5-hmac !--- Crypto map definition for the hub site. crypto map ETH0 18 ipsec-isakmp !--- Set the peer. set peer 150.150.150.1 !--- IPSec transform set. set transform-set 180cisco !--- Interesting traffic for peer 150.150.150.1 (hub site). match address 180 ! interface Ethernet0 ip address 150.150.150.3 255.255.255.0 no ip directed-broadcast no ip route-cache no ip mroute-cache no mop enabled !--- Apply crypto map on the interface. crypto map ETH0 ! interface Serial1 ip address 180.180.180.1 255.255.255.0 no ip directed-broadcast clockrate 4000000 ! interface BRI0 no ip address no ip directed-broadcast shutdown isdn switch-type basic-5ess ! ip classless ip route 160.160.160.0 255.255.255.0 150.150.150.1 no ip http server !--- Access list that shows traffic to encryption !--- for the hub site (dr_whoovie). access-list 180 permit ip 180.180.180.0 0.0.0.255 160.160.160.0 0.0.0.255 dialer-list 1 protocol ip permit dialer-list 1 protocol ipx permit ! line con 0 transport input none line aux 0 line vty 0 4 password ww login ! end

Configurazione thidwick

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname thidwick
!
enable secret 5 $1$Pcpo$fj4FNS1dEDY9lGg3Ne6FK1
enable password ww
!
ip subnet-zero
!
isdn switch-type basic-5ess
isdn voice-call-failure 0
cns event-service server

!--- Configure the IKE policy and preshared key for the hub:

crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco180 address 150.150.150.1 

!--- Configure the IPSec parameters: !--- IPSec transform set.

crypto ipsec transform-set 180cisco esp-des esp-md5-hmac 

!--- Crypto map definition for the hub site.

crypto map ETH0 18 ipsec-isakmp

!--- Set the peer.
 
set peer 150.150.150.1

!--- IPSec transform set.

set transform-set 180cisco

!--- Interesting traffic for peer 150.150.150.1 (hub site).
 
match address 180
!
interface Ethernet0
ip address 150.150.150.3 255.255.255.0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
no mop enabled

!--- Apply crypto map on the interface.

crypto map ETH0
!
interface Serial1
ip address 180.180.180.1 255.255.255.0
no ip directed-broadcast
clockrate 4000000
!
interface BRI0
no ip address
no ip directed-broadcast
shutdown
isdn switch-type basic-5ess
!
ip classless
ip route 160.160.160.0 255.255.255.0 150.150.150.1
no ip http server

!--- Access list that shows traffic to encryption !--- for the hub site (dr_whoovie).

access-list 180 permit ip 180.180.180.0 0.0.0.255 160.160.160.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
line con 0
transport input none
line aux 0
line vty 0 4
password ww
login
!
end

Configurazione di Yertle
Current configuration: ! version 12.0 service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname yertle ! enable secret 5 $1$me5Q$2kF5zKlPPTvHEBdGiEZ9m/ enable password ww ! ip subnet-zero ! cns event-service server !--- Configure the IKE policy and preshared key for the hub: crypto isakmp policy 1 authentication pre-share crypto isakmp key cisco170 address 150.150.150.1 !--- Configure the IPSec parameters: !--- IPSec transform set. crypto ipsec transform-set 170cisco esp-des esp-md5-hmac !--- Crypto map definition for the hub site. crypto map ETH0 17 ipsec-isakmp !--- Set the peer. set peer 150.150.150.1 !--- IPSec transform set. set transform-set 170cisco !--- Interesting traffic for peer 150.150.150.1 (hub site). match address 170 ! interface Ethernet0 ip address 150.150.150.2 255.255.255.0 no ip directed-broadcast no ip route-cache no ip mroute-cache no mop enabled !--- Apply crypto map on the interface. crypto map ETH0 ! interface Serial0 no ip address no ip directed-broadcast no ip mroute-cache shutdown no fair-queue ! interface Serial1 ip address 170.170.170.1 255.255.255.0 no ip directed-broadcast ! ip classless ip route 160.160.160.0 255.255.255.0 150.150.150.1 no ip http server !--- Access list that shows traffic to encryption for !--- the hub site (dr_whoovie). access-list 170 permit ip 170.170.170.0 0.0.0.255 160.160.160.0 0.0.0.255 dialer-list 1 protocol ip permit dialer-list 1 protocol ipx permit ! tftp-server flash:/c2500-jos56i-l.120-7.T tftp-server flash:c2500-jos56i-l.120-7.T tftp-server flash: ! line con 0 transport input none line aux 0 line vty 0 4 password ww login ! end

Configurazione di Yertle

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname yertle
!
enable secret 5 $1$me5Q$2kF5zKlPPTvHEBdGiEZ9m/
enable password ww
!
ip subnet-zero
!
cns event-service server

!--- Configure the IKE policy and preshared key for the hub:

crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco170 address 150.150.150.1 

!--- Configure the IPSec parameters: !--- IPSec transform set.

crypto ipsec transform-set 170cisco esp-des esp-md5-hmac

!--- Crypto map definition for the hub site.

crypto map ETH0 17 ipsec-isakmp 

!--- Set the peer.
 
set peer 150.150.150.1

!--- IPSec transform set.

set transform-set 170cisco

!--- Interesting traffic for peer 150.150.150.1 (hub site).
 
match address 170
!
interface Ethernet0
ip address 150.150.150.2 255.255.255.0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
no mop enabled

!--- Apply crypto map on the interface.

crypto map ETH0
!
interface Serial0
no ip address
no ip directed-broadcast
no ip mroute-cache
shutdown
no fair-queue
!
interface Serial1
ip address 170.170.170.1 255.255.255.0
no ip directed-broadcast
!
ip classless
ip route 160.160.160.0 255.255.255.0 150.150.150.1
no ip http server

!--- Access list that shows traffic to encryption for !--- the hub site (dr_whoovie).

access-list 170 permit ip 170.170.170.0 0.0.0.255 160.160.160.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
tftp-server flash:/c2500-jos56i-l.120-7.T
tftp-server flash:c2500-jos56i-l.120-7.T
tftp-server flash:
!
line con 0
transport input none
line aux 0
line vty 0 4
password ww
login
!
end

Verifica

Le informazioni contenute in questa sezione permettono di verificare che la configurazione funzioni correttamente.

Alcuni comandi show sono supportati dallo strumento Output Interpreter (solo utenti registrati); lo strumento permette di visualizzare un'analisi dell'output del comando show.

show crypto ipsec sa: visualizza le associazioni di sicurezza della fase 2.
show crypto isakmp sa: visualizza le associazioni di sicurezza della fase 1.

Risoluzione dei problemi

Le informazioni contenute in questa sezione permettono di risolvere i problemi relativi alla configurazione.

Comandi per la risoluzione dei problemi

Nota: prima di usare i comandi di debug, consultare le informazioni importanti sui comandi di debug.

debug crypto ipsec: visualizza le negoziazioni IPSec della fase 2.
debug crypto isakmp: visualizza le negoziazioni ISAKMP della fase 1.
debug crypto engine: visualizza il traffico crittografato.
clear crypto isakmp: cancella le associazioni di sicurezza correlate alla fase 1.
clear crypto sa: cancella le associazioni di sicurezza correlate alla fase 2.

Informazioni correlate

Questo documento ti è stato utile?

Feedback

Contattaci

Apri una richiesta di assistenza
(Occorre un contratto di servizio Cisco)