Configurando IPSec de IOS para IOS usando criptografia de AES

Opções de download

PDF (592.2 KB)
Ver no Adobe Reader em vários dispositivos
ePub (85.0 KB)
Ver em vários aplicativos no iPhone, iPad, Android, Sony Reader ou Windows Phone
Mobi (Kindle) (76.4 KB)
Ver no dispositivo Kindle ou no aplicativo Kindle em vários dispositivos

Atualizado:2 de fevereiro de 2006

ID do documento:43069

Linguagem imparcial

O conjunto de documentação deste produto faz o possível para usar uma linguagem imparcial. Para os fins deste conjunto de documentação, a imparcialidade é definida como uma linguagem que não implica em discriminação baseada em idade, deficiência, gênero, identidade racial, identidade étnica, orientação sexual, status socioeconômico e interseccionalidade. Pode haver exceções na documentação devido à linguagem codificada nas interfaces de usuário do software do produto, linguagem usada com base na documentação de RFP ou linguagem usada por um produto de terceiros referenciado. Saiba mais sobre como a Cisco está usando a linguagem inclusiva.

Sobre esta tradução

A Cisco traduziu este documento com a ajuda de tecnologias de tradução automática e humana para oferecer conteúdo de suporte aos seus usuários no seu próprio idioma, independentemente da localização. Observe que mesmo a melhor tradução automática não será tão precisa quanto as realizadas por um tradutor profissional. A Cisco Systems, Inc. não se responsabiliza pela precisão destas traduções e recomenda que o documento original em inglês (link fornecido) seja sempre consultado.

Introdução

Pré-requisitos

Requisitos

Componentes Utilizados

Conventions

Configurar

Configurações

Verificar

Troubleshooting

Comandos para Troubleshooting

Informações Relacionadas

Introdução

Este documento fornece um exemplo de configuração de um túnel IPSec IOS a IOS usando Padrão de criptografia avançado (AES).

Pré-requisitos

Requisitos

O suporte à criptografia AES foi introduzido no Cisco IOS® 12.2(13)T.

Componentes Utilizados

As informações neste documento são baseadas nestas versões de software e hardware:

Software Cisco IOS versão 12.3(10)
Roteadores Cisco 1721

As informações neste documento foram criadas a partir de dispositivos em um ambiente de laboratório específico. Todos os dispositivos utilizados neste documento foram iniciados com uma configuração (padrão) inicial. Se a sua rede estiver ativa, certifique-se de que entende o impacto potencial de qualquer comando.

Conventions

Para obter mais informações sobre convenções de documento, consulte as Convenções de dicas técnicas Cisco.

Configurar

Nesta seção, você encontrará informações para configurar os recursos descritos neste documento.

Observação: para encontrar informações adicionais sobre os comandos usados neste documento, use a ferramenta Command Lookup Tool (somente clientes registrados).

Configurações

Este documento utiliza as configurações mostradas aqui.

Router 1721-A
Router 1721-B

Router 1721-A
R-1721-A#show run Building configuration... Current configuration : 1706 bytes ! ! Last configuration change at 00:46:32 UTC Fri Sep 10 2004 ! NVRAM config last updated at 00:45:48 UTC Fri Sep 10 2004 ! version 12.3 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname R-1721-A ! boot-start-marker boot-end-marker ! ! memory-size iomem 15 mmi polling-interval 60 no mmi auto-configure no mmi pvc mmi snmp-timeout 180 no aaa new-model ip subnet-zero ip cef ! ! ! ip audit po max-events 100 no ip domain lookup no ftp-server write-enable ! ! ! ! !--- Define Internet Key Exchange (IKE) policy. crypto isakmp policy 10 !--- Specify the 256-bit AES as the !--- encryption algorithm within an IKE policy. encr aes 256 !--- Specify that pre-shared key authentication is used. authentication pre-share !--- Specify the shared secret. crypto isakmp key cisco123 address 10.48.66.146 ! ! !--- Define the IPSec transform set. crypto ipsec transform-set aesset esp-aes 256 esp-sha-hmac ! !--- Define crypto map entry name "aesmap" that will use !--- IKE to establish the security associations (SA). crypto map aesmap 10 ipsec-isakmp !--- Specify remote IPSec peer. set peer 10.48.66.146 !--- Specify which transform sets !--- are allowed for this crypto map entry. set transform-set aesset !--- Name the access list that determines which traffic !--- should be protected by IPSec. match address acl_vpn ! ! ! interface ATM0 no ip address shutdown no atm ilmi-keepalive dsl equipment-type CPE dsl operating-mode GSHDSL symmetric annex A dsl linerate AUTO ! interface Ethernet0 ip address 192.168.100.1 255.255.255.0 ip nat inside half-duplex ! interface FastEthernet0 ip address 10.48.66.147 255.255.254.0 ip nat outside speed auto !--- Apply crypto map to the interface. crypto map aesmap ! ip nat inside source list acl_nat interface FastEthernet0 overload ip classless ip route 0.0.0.0 0.0.0.0 10.48.66.1 ip route 192.168.200.0 255.255.255.0 FastEthernet0 no ip http server no ip http secure-server ! ip access-list extended acl_nat !--- Exclude protected traffic from being NAT'ed. deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255 permit ip 192.168.100.0 0.0.0.255 any !--- Access list that defines traffic protected by IPSec. ip access-list extended acl_vpn permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255 ! ! line con 0 exec-timeout 0 0 line aux 0 line vty 0 4 ! end R-1721-A#

Router 1721-A

R-1721-A#show run
Building configuration...

Current configuration : 1706 bytes
!
! Last configuration change at 00:46:32 UTC Fri Sep 10 2004
! NVRAM config last updated at 00:45:48 UTC Fri Sep 10 2004
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R-1721-A
!
boot-start-marker
boot-end-marker
!
!
memory-size iomem 15
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
!
!
!
ip audit po max-events 100
no ip domain lookup
no ftp-server write-enable
!
!
!
!

!--- Define Internet Key Exchange (IKE) policy.

crypto isakmp policy 10

!--- Specify the 256-bit AES as the !--- encryption algorithm within an IKE policy.

encr aes 256

!--- Specify that pre-shared key authentication is used.

authentication pre-share

!--- Specify the shared secret.

crypto isakmp key cisco123 address 10.48.66.146
!
!

!--- Define the IPSec transform set.

crypto ipsec transform-set aesset esp-aes 256 esp-sha-hmac
!

!--- Define crypto map entry name "aesmap" that will use !--- IKE to establish the security associations (SA).

crypto map aesmap 10 ipsec-isakmp

!--- Specify remote IPSec peer.

set peer 10.48.66.146

!--- Specify which transform sets !--- are allowed for this crypto map entry.

set transform-set aesset

!--- Name the access list that determines which traffic !--- should be protected by IPSec.

match address acl_vpn
!
!
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
dsl equipment-type CPE
dsl operating-mode GSHDSL symmetric annex A
dsl linerate AUTO
!
interface Ethernet0
ip address 192.168.100.1 255.255.255.0
ip nat inside
half-duplex
!
interface FastEthernet0
ip address 10.48.66.147 255.255.254.0
ip nat outside
speed auto

!--- Apply crypto map to the interface.

crypto map aesmap
!
ip nat inside source list acl_nat interface FastEthernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.48.66.1
ip route 192.168.200.0 255.255.255.0 FastEthernet0
no ip http server
no ip http secure-server
!

ip access-list extended acl_nat

!--- Exclude protected traffic from being NAT'ed.

deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
permit ip 192.168.100.0 0.0.0.255 any

!--- Access list that defines traffic protected by IPSec.

ip access-list extended acl_vpn
permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
!
end

R-1721-A#

Router 1721-B
R-1721-B#show run Building configuration... Current configuration : 1492 bytes ! ! Last configuration change at 14:11:41 UTC Wed Sep 8 2004 ! version 12.3 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname R-1721-B ! boot-start-marker boot-end-marker ! ! memory-size iomem 15 mmi polling-interval 60 no mmi auto-configure no mmi pvc mmi snmp-timeout 180 no aaa new-model ip subnet-zero ip cef ! ! ! ip audit po max-events 100 no ip domain lookup no ftp-server write-enable ! ! ! ! ! !--- Define IKE policy. crypto isakmp policy 10 !--- Specify the 256-bit AES as the !--- encryption algorithm within an IKE policy. encr aes 256 !--- Specify that pre-shared key authentication is used. authentication pre-share !--- Specify the shared secret. crypto isakmp key cisco123 address 10.48.66.147 ! ! !--- Define the IPSec transform set. crypto ipsec transform-set aesset esp-aes 256 esp-sha-hmac ! !--- Define crypto map entry name "aesmap" that uses !--- IKE to establish the SA. crypto map aesmap 10 ipsec-isakmp !--- Specify remote IPSec peer. set peer 10.48.66.147 !--- Specify which transform sets !--- are allowed for this crypto map entry. set transform-set aesset !--- Name the access list that determines which traffic !--- should be protected by IPSec. match address acl_vpn ! ! ! interface Ethernet0 ip address 192.168.200.1 255.255.255.0 ip nat inside half-duplex ! interface FastEthernet0 ip address 10.48.66.146 255.255.254.0 ip nat outside speed auto !--- Apply crypto map to the interface. crypto map aesmap ! ip nat inside source list acl_nat interface FastEthernet0 overload ip classless ip route 0.0.0.0 0.0.0.0 10.48.66.1 ip route 192.168.100.0 255.255.255.0 FastEthernet0 no ip http server no ip http secure-server ! ip access-list extended acl_nat !--- Exclude protected traffic from being NAT'ed. deny ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255 permit ip 192.168.200.0 0.0.0.255 any !--- Access list that defines traffic protected by IPSec. ip access-list extended acl_vpn permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255 ! ! line con 0 exec-timeout 0 0 line aux 0 line vty 0 4 ! end R-1721-B#

Router 1721-B

R-1721-B#show run
Building configuration...

Current configuration : 1492 bytes
!
! Last configuration change at 14:11:41 UTC Wed Sep 8 2004
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R-1721-B
!
boot-start-marker
boot-end-marker
!
!
memory-size iomem 15
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
!
!
!
ip audit po max-events 100
no ip domain lookup
no ftp-server write-enable
!
!
!
! 
!

!--- Define IKE policy.

crypto isakmp policy 10

!--- Specify the 256-bit AES as the !--- encryption algorithm within an IKE policy.

 encr aes 256

!--- Specify that pre-shared key authentication is used.

 authentication pre-share


!--- Specify the shared secret.

crypto isakmp key cisco123 address 10.48.66.147
!
!

!--- Define the IPSec transform set.

crypto ipsec transform-set aesset esp-aes 256 esp-sha-hmac 
!

!--- Define crypto map entry name "aesmap" that uses !--- IKE to establish the SA.

crypto map aesmap 10 ipsec-isakmp 

!--- Specify remote IPSec peer.

 set peer 10.48.66.147

!--- Specify which transform sets !--- are allowed for this crypto map entry.

 set transform-set aesset 

!--- Name the access list that determines which traffic !--- should be protected by IPSec.

 match address acl_vpn
!
!
!
interface Ethernet0
 ip address 192.168.200.1 255.255.255.0
 ip nat inside
 half-duplex
!
interface FastEthernet0
 ip address 10.48.66.146 255.255.254.0
 ip nat outside
 speed auto

!--- Apply crypto map to the interface.

 crypto map aesmap
!
ip nat inside source list acl_nat interface FastEthernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.48.66.1
ip route 192.168.100.0 255.255.255.0 FastEthernet0
no ip http server
no ip http secure-server
!
ip access-list extended acl_nat

!--- Exclude protected traffic from being NAT'ed.

 deny   ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.200.0 0.0.0.255 any



!--- Access list that defines traffic protected by IPSec.

ip access-list extended acl_vpn
 permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
!
end

R-1721-B#

Verificar

Esta seção fornece informações que você pode usar para confirmar se sua configuração está funcionando adequadamente.

A Output Interpreter Tool (somente clientes registrados) oferece suporte a determinados comandos show, o que permite exibir uma análise da saída do comando show.

show crypto isakmp sa—Exibe o estado do SA do protocolo ISAKMP.

Router 1721-A
R-1721-A#show crypto isakmp sa dst src state conn-id slot 10.48.66.147 10.48.66.146 QM_IDLE 1 0

Router 1721-B
R-1721-B#show crypto isakmp sa dst src state conn-id slot 10.48.66.147 10.48.66.146 QM_IDLE 1 0

show crypto ipsec sa — Exibe as estatísticas nos túneis ativos.

Router 1721-A
R-1721-A#show crypto ipsec sa interface: FastEthernet0 Crypto map tag: aesmap, local addr. 10.48.66.147 protected vrf: local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0) current_peer: 10.48.66.146:500 PERMIT, flags={origin_is_acl,} #pkts encaps: 30, #pkts encrypt: 30, #pkts digest 30 #pkts decaps: 30, #pkts decrypt: 30, #pkts verify 30 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 10.48.66.147, remote crypto endpt.: 10.48.66.146 path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0 current outbound spi: 2EB0BA1A inbound esp sas: spi: 0xFECA28BC(4274661564) transform: esp-256-aes esp-sha-hmac , in use settings ={Tunnel, } slot: 0, conn id: 2000, flow_id: 1, crypto map: aesmap sa timing: remaining key lifetime (k/sec): (4554237/2895) IV size: 16 bytes replay detection support: Y inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x2EB0BA1A(783333914) transform: esp-256-aes esp-sha-hmac , in use settings ={Tunnel, } slot: 0, conn id: 2001, flow_id: 2, crypto map: aesmap sa timing: remaining key lifetime (k/sec): (4554237/2894) IV size: 16 bytes replay detection support: Y outbound ah sas: outbound pcp sas: R-1721-A#

Router 1721-A

R-1721-A#show crypto ipsec sa

interface: FastEthernet0
    Crypto map tag: aesmap, local addr. 10.48.66.147

   protected vrf: 
   local  ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
   current_peer: 10.48.66.146:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 30, #pkts encrypt: 30, #pkts digest 30
    #pkts decaps: 30, #pkts decrypt: 30, #pkts verify 30
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.48.66.147, remote crypto endpt.: 10.48.66.146
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
     current outbound spi: 2EB0BA1A

     inbound esp sas:
      spi: 0xFECA28BC(4274661564)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: aesmap
        sa timing: remaining key lifetime (k/sec): (4554237/2895)
        IV size: 16 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x2EB0BA1A(783333914)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: aesmap
        sa timing: remaining key lifetime (k/sec): (4554237/2894)
        IV size: 16 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:
R-1721-A#

Router 1721-B
R-1721-B#show crypto ipsec sa interface: FastEthernet0 Crypto map tag: aesmap, local addr. 10.48.66.146 protected vrf: local ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0) current_peer: 10.48.66.147:500 PERMIT, flags={origin_is_acl,} #pkts encaps: 30, #pkts encrypt: 30, #pkts digest 30 #pkts decaps: 30, #pkts decrypt: 30, #pkts verify 30 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 5, #recv errors 0 local crypto endpt.: 10.48.66.146, remote crypto endpt.: 10.48.66.147 path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0 current outbound spi: FECA28BC inbound esp sas: spi: 0x2EB0BA1A(783333914) transform: esp-256-aes esp-sha-hmac , in use settings ={Tunnel, } slot: 0, conn id: 2000, flow_id: 1, crypto map: aesmap sa timing: remaining key lifetime (k/sec): (4583188/2762) IV size: 16 bytes replay detection support: Y inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0xFECA28BC(4274661564) transform: esp-256-aes esp-sha-hmac , in use settings ={Tunnel, } slot: 0, conn id: 2001, flow_id: 2, crypto map: aesmap sa timing: remaining key lifetime (k/sec): (4583188/2761) IV size: 16 bytes replay detection support: Y outbound ah sas: outbound pcp sas: R-1721-B#

Router 1721-B

R-1721-B#show crypto ipsec sa

interface: FastEthernet0
    Crypto map tag: aesmap, local addr. 10.48.66.146

   protected vrf: 
   local  ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
   current_peer: 10.48.66.147:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 30, #pkts encrypt: 30, #pkts digest 30
    #pkts decaps: 30, #pkts decrypt: 30, #pkts verify 30
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 5, #recv errors 0

     local crypto endpt.: 10.48.66.146, remote crypto endpt.: 10.48.66.147
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
     current outbound spi: FECA28BC

     inbound esp sas:
      spi: 0x2EB0BA1A(783333914)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: aesmap
        sa timing: remaining key lifetime (k/sec): (4583188/2762)
        IV size: 16 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xFECA28BC(4274661564)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: aesmap
        sa timing: remaining key lifetime (k/sec): (4583188/2761)
        IV size: 16 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:
R-1721-B#

show crypto engine connections ative — Exibe o total de criptografias/descriptografias por SA.

Router 1721-A
R-1721-A#show crypto engine connections active ID Interface IP-Address State Algorithm Encrypt Decrypt 1 FastEthernet0 10.48.66.147 set HMAC_SHA+AES_256_C 0 0 2000 FastEthernet0 10.48.66.147 set HMAC_SHA+AES_256_C 0 30 2001 FastEthernet0 10.48.66.147 set HMAC_SHA+AES_256_C 30 0

Router 1721-A

R-1721-A#show crypto engine connections active 

  ID Interface       IP-Address      State  Algorithm           Encrypt  Decrypt
   1 FastEthernet0   10.48.66.147    set    HMAC_SHA+AES_256_C        0        0
2000 FastEthernet0   10.48.66.147    set    HMAC_SHA+AES_256_C        0       30
2001 FastEthernet0   10.48.66.147    set    HMAC_SHA+AES_256_C       30        0

Router 1721-B
R-1721-B#show crypto engine connections active ID Interface IP-Address State Algorithm Encrypt Decrypt 1 FastEthernet0 10.48.66.146 set HMAC_SHA+AES_256_C 0 0 2000 FastEthernet0 10.48.66.146 set HMAC_SHA+AES_256_C 0 30 2001 FastEthernet0 10.48.66.146 set HMAC_SHA+AES_256_C 30 0

Router 1721-B

R-1721-B#show crypto engine connections active 

  ID Interface       IP-Address      State  Algorithm           Encrypt  Decrypt
   1 FastEthernet0   10.48.66.146    set    HMAC_SHA+AES_256_C        0        0
2000 FastEthernet0   10.48.66.146    set    HMAC_SHA+AES_256_C        0       30
2001 FastEthernet0   10.48.66.146    set    HMAC_SHA+AES_256_C       30        0

Troubleshooting

Esta seção fornece informações que podem ser usadas para o troubleshooting da sua configuração.

Comandos para Troubleshooting

Observação: antes de emitir comandos debug, consulte Informações importantes sobre comandos debug.

debug crypto ipsec — Exibe eventos de IPSec.
debug crypto isakmp — Exibe mensagens sobre eventos de IKE.
debug crypto engine — Exibe informações a partir do cripto mecanismo.

Informações adicionais sobre Troubleshooting de IPSec podem ser encontradas em Troubleshooting de Segurança de IP - Compreendendo e Utilizando os comandos debug.

Informações Relacionadas

Histórico de revisões

Revisão	Data de publicação	Comentários
1.0	28-May-2003	Versão inicial

Este documento lhe foi útil?

Feedback

Contate a Cisco

Abrir um caso de suporte
(É necessário um Contrato de Serviço da Cisco)

Configurando IPSec de IOS para IOS usando criptografia de AES

Opções de download

Linguagem imparcial

Sobre esta tradução

Contents

Introdução

Pré-requisitos

Requisitos

Componentes Utilizados

Conventions

Configurar

Configurações

Verificar

Troubleshooting

Comandos para Troubleshooting

Informações Relacionadas

Histórico de revisões

Este documento lhe foi útil?

Contate a Cisco

Este documento se refere a estes produtos