This sample configuration shows full-mesh encryption between three routers, using one crypto map entry per destination network to each of the two peers.
Traffic is encrypted between:
the 160.160.160.x network and the 170.170.170.x network
the 160.160.160.x network and the 180.180.180.x network
the 170.170.170.x network and the 180.180.180.x network
There are no specific requirements for this document.
The information in this document is based on these software and hardware versions:
Cisco IOS® Software Releases 12.2.7C and 12.2.8(T)4
Cisco 2500 and 3600 routers
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
For more information on document conventions, refer to the Cisco Technical Tips Conventions.
This section presents you with the information to configure the features described in this document.
Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only).
This document uses the network setup shown in the diagram below.
This document uses these configurations.
Note: These configurations were most recently tested with the current code in the document (November 2003).
Dr_Whovie Configuration

```
Current configuration:
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname dr_whoovie
!
enable secret 5 $1$KxKv$cbqKsZtQTLJLGPN.tErFZ1
enable password ww
!
ip subnet-zero
!
cns event-service server
!
!--- Internet Key Exchange (IKE) Policies:
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco123 address 150.150.150.3
crypto isakmp key cisco123 address 150.150.150.2
!
!--- IPSec Policies:
crypto ipsec transform-set 170cisco esp-des esp-md5-hmac
crypto ipsec transform-set 180cisco esp-des esp-md5-hmac
!
crypto map ETH0 17 ipsec-isakmp
 set peer 150.150.150.2
 set transform-set 170cisco
 !--- Include the 160.160.160.x to 170.170.170.x network
 !--- in the encryption process.
 match address 170
crypto map ETH0 18 ipsec-isakmp
 set peer 150.150.150.3
 set transform-set 180cisco
 !--- Include the 160.160.160.x to 180.180.180.x network
 !--- in the encryption process.
 match address 180
!
interface Ethernet0
 ip address 150.150.150.1 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 no mop enabled
 crypto map ETH0
!
interface Ethernet1
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Serial0
 ip address 160.160.160.1 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 no fair-queue
!
interface Serial1
 no ip address
 no ip directed-broadcast
 clockrate 4000000
!
ip classless
ip route 170.170.170.0 255.255.255.0 150.150.150.2
ip route 180.180.180.0 255.255.255.0 150.150.150.3
no ip http server
!
!--- Include the 160.160.160.x to 170.170.170.x network
!--- in the encryption process.
access-list 170 permit ip 160.160.160.0 0.0.0.255 170.170.170.0 0.0.0.255
!--- Include the 160.160.160.x to 180.180.180.x network
!--- in the encryption process.
access-list 180 permit ip 160.160.160.0 0.0.0.255 180.180.180.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password ww
 login
!
end
```
Yertle Configuration

```
Current configuration:
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname yertle
!
enable secret 5 $1$me5Q$2kF5zKlPPTvHEBdGiEZ9m/
enable password ww
!
ip subnet-zero
!
cns event-service server
!
!--- IKE Policies:
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco123 address 150.150.150.3
crypto isakmp key cisco123 address 150.150.150.1
!
!--- IPSec Policies:
crypto ipsec transform-set 160cisco esp-des esp-md5-hmac
crypto ipsec transform-set 180cisco esp-des esp-md5-hmac
!
crypto map ETH0 16 ipsec-isakmp
 set peer 150.150.150.1
 set transform-set 160cisco
 !--- Include the 170.170.170.x to 160.160.160.x network
 !--- in the encryption process.
 match address 160
crypto map ETH0 18 ipsec-isakmp
 set peer 150.150.150.3
 set transform-set 180cisco
 !--- Include the 170.170.170.x to 180.180.180.x network
 !--- in the encryption process.
 match address 180
!
interface Ethernet0
 ip address 150.150.150.2 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 no mop enabled
 crypto map ETH0
!
interface Serial0
 no ip address
 no ip directed-broadcast
 no ip mroute-cache
 shutdown
 no fair-queue
!
interface Serial1
 ip address 170.170.170.1 255.255.255.0
 no ip directed-broadcast
!
ip classless
ip route 160.160.160.0 255.255.255.0 150.150.150.1
ip route 180.180.180.0 255.255.255.0 150.150.150.3
no ip http server
!
!--- Include the 170.170.170.x to 160.160.160.x network
!--- in the encryption process.
access-list 160 permit ip 170.170.170.0 0.0.0.255 160.160.160.0 0.0.0.255
!--- Include the 170.170.170.x to 180.180.180.x network
!--- in the encryption process.
access-list 180 permit ip 170.170.170.0 0.0.0.255 180.180.180.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password ww
 login
!
end
```
Thidwick Configuration

```
Current configuration:
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname thidwick
!
enable secret 5 $1$Pcpo$fj4FNS1dEDY9lGg3Ne6FK1
enable password ww
!
ip subnet-zero
!
isdn switch-type basic-5ess
isdn voice-call-failure 0
cns event-service server
!
!--- IKE Policies:
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco123 address 150.150.150.1
crypto isakmp key cisco123 address 150.150.150.2
!
!--- IPSec Policies:
crypto ipsec transform-set 160cisco esp-des esp-md5-hmac
crypto ipsec transform-set 170cisco esp-des esp-md5-hmac
!
crypto map ETH0 16 ipsec-isakmp
 set peer 150.150.150.1
 set transform-set 160cisco
 !--- Include the 180.180.180.x to 160.160.160.x network
 !--- in the encryption process.
 match address 160
crypto map ETH0 17 ipsec-isakmp
 set peer 150.150.150.2
 set transform-set 170cisco
 !--- Include the 180.180.180.x to 170.170.170.x network
 !--- in the encryption process.
 match address 170
!
interface Ethernet0
 ip address 150.150.150.3 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 no mop enabled
 crypto map ETH0
!
interface Serial0
 no ip address
 no ip directed-broadcast
 no ip mroute-cache
 no fair-queue
 clockrate 4000000
!
interface Serial1
 ip address 180.180.180.1 255.255.255.0
 no ip directed-broadcast
 clockrate 4000000
!
interface BRI0
 no ip address
 no ip directed-broadcast
 shutdown
 isdn switch-type basic-5ess
!
ip classless
ip route 160.160.160.0 255.255.255.0 150.150.150.1
ip route 170.170.170.0 255.255.255.0 150.150.150.2
no ip http server
!
!--- Include the 180.180.180.x to 160.160.160.x network
!--- in the encryption process.
access-list 160 permit ip 180.180.180.0 0.0.0.255 160.160.160.0 0.0.0.255
!--- Include the 180.180.180.x to 170.170.170.x network
!--- in the encryption process.
access-list 170 permit ip 180.180.180.0 0.0.0.255 170.170.170.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password ww
 login
!
end
```
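The three configurations above only work as a full mesh if every tunnel is mirrored: each router holds the same pre-shared key for its peer as the peer holds for it, each peer has a crypto map entry pointing back, and the source/destination pair in each router's crypto ACL appears reversed in the peer's ACL (otherwise the phase 2 proxy identities do not match and the SA is rejected). The following Python script is an added example, not Cisco's code or part of this document; it parses the crypto map, pre-shared key and access-list lines and reports any tunnel that is not mirrored. The CONFIGS dictionary is a constructed excerpt of the three configurations above, and the (hostname, address) keys are an assumption of this script, not something IOS emits.

```python
import re

# Constructed sample input (not the page's verbatim configs): the crypto map,
# pre-shared key and ACL lines of the three routers above, keyed by
# (hostname, Ethernet0 address that carries the crypto map).
CONFIGS = {
    ("dr_whoovie", "150.150.150.1"): """\
crypto isakmp key cisco123 address 150.150.150.3
crypto isakmp key cisco123 address 150.150.150.2
crypto map ETH0 17 ipsec-isakmp
 set peer 150.150.150.2
 match address 170
crypto map ETH0 18 ipsec-isakmp
 set peer 150.150.150.3
 match address 180
access-list 170 permit ip 160.160.160.0 0.0.0.255 170.170.170.0 0.0.0.255
access-list 180 permit ip 160.160.160.0 0.0.0.255 180.180.180.0 0.0.0.255
""",
    ("yertle", "150.150.150.2"): """\
crypto isakmp key cisco123 address 150.150.150.3
crypto isakmp key cisco123 address 150.150.150.1
crypto map ETH0 16 ipsec-isakmp
 set peer 150.150.150.1
 match address 160
crypto map ETH0 18 ipsec-isakmp
 set peer 150.150.150.3
 match address 180
access-list 160 permit ip 170.170.170.0 0.0.0.255 160.160.160.0 0.0.0.255
access-list 180 permit ip 170.170.170.0 0.0.0.255 180.180.180.0 0.0.0.255
""",
    ("thidwick", "150.150.150.3"): """\
crypto isakmp key cisco123 address 150.150.150.1
crypto isakmp key cisco123 address 150.150.150.2
crypto map ETH0 16 ipsec-isakmp
 set peer 150.150.150.1
 match address 160
crypto map ETH0 17 ipsec-isakmp
 set peer 150.150.150.2
 match address 170
access-list 160 permit ip 180.180.180.0 0.0.0.255 160.160.160.0 0.0.0.255
access-list 170 permit ip 180.180.180.0 0.0.0.255 170.170.170.0 0.0.0.255
""",
}


def parse(text):
    """Pull pre-shared keys, crypto map entries and extended-ACL rules out of a config."""
    keys, maps, acls, cur = {}, [], {}, None
    for line in text.splitlines():
        t = line.strip()
        if m := re.match(r"crypto isakmp key (\S+) address (\S+)$", t):
            keys[m[2]] = m[1]                      # peer address -> key
        elif m := re.match(r"crypto map \S+ (\d+) ipsec-isakmp$", t):
            cur = {"seq": int(m[1])}               # start of a new map entry
            maps.append(cur)
        elif cur is not None and (m := re.match(r"set peer (\S+)$", t)):
            cur["peer"] = m[1]
        elif cur is not None and (m := re.match(r"match address (\d+)$", t)):
            cur["acl"] = m[1]
        elif m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$", t):
            acls.setdefault(m[1], []).append(((m[2], m[3]), (m[4], m[5])))
    return keys, maps, acls


def check_mesh(configs):
    """Return a list of inconsistencies; an empty list means every tunnel is mirrored."""
    parsed = {addr: (host, parse(text)) for (host, addr), text in configs.items()}
    problems = []
    for addr, (host, (keys, maps, acls)) in parsed.items():
        for entry in maps:
            peer = entry["peer"]
            if peer not in parsed:
                problems.append(f"{host}: peer {peer} is not one of the mesh routers")
                continue
            phost, (pkeys, pmaps, pacls) = parsed[peer]
            # IKE phase 1: both sides must hold the same pre-shared key for each other.
            if keys.get(peer) != pkeys.get(addr):
                problems.append(f"{host}<->{phost}: pre-shared key mismatch")
            # The peer needs a crypto map entry pointing back at this router.
            back = [e for e in pmaps if e["peer"] == addr]
            if not back:
                problems.append(f"{phost}: no crypto map entry back to {host}")
                continue
            # IKE phase 2: our (src, dst) proxy identities must appear as (dst, src)
            # in the peer's ACL, otherwise the SA proposal is rejected.
            mirrored = {(d, s) for e in back for s, d in pacls.get(e["acl"], [])}
            for s, d in acls.get(entry["acl"], []):
                if (s, d) not in mirrored:
                    problems.append(f"{host}->{phost}: ACL {entry['acl']} rule "
                                    f"{s[0]}->{d[0]} is not mirrored on {phost}")
    return problems


if __name__ == "__main__":
    print(check_mesh(CONFIGS) or "full mesh is consistent")
```

Run against the excerpt above the script reports no problems; change one wildcard mask or one pre-shared key on a single router and it names the tunnel and the direction that no longer match, which is the same mismatch that debug crypto isakmp and debug crypto ipsec would later show as a failed phase 1 or phase 2 negotiation.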
This section provides information you can use to confirm your configuration works properly.
The Output Interpreter Tool (registered customers only) supports certain show commands, which allows you to view an analysis of show command output.
show crypto ipsec sa — Shows the settings used by the current [IPSec] security associations.
show crypto isakmp sa — Shows all current IKE security associations on the peer.
This section provides information you can use to troubleshoot your configuration.
Note: Before you issue debug commands, refer to Important Information on Debug Commands.
debug crypto ipsec — Shows the IPSec negotiations of phase 2.
debug crypto isakmp — Shows the Internet Security Association and Key Management Protocol (ISAKMP) negotiations of phase 1.
debug crypto engine — Shows the traffic that is encrypted.
clear crypto isakmp — Clears the security associations related to phase 1.
clear crypto sa — Clears the security associations related to phase 2.
| Revision | Publish Date | Comments |
|---|---|---|
| 1.0 | 17-Feb-2005 | Initial Release |