Testing how a Cisco router's inbound crypto map handles traffic

Popularity 1 | 71 views | 2020-1-5 14:40 | Personal category: VPN | Tags: vpn, crypto map

I. Overview
    How a Cisco router's inbound crypto map handles traffic is shown in the following table:

Described in words, the behaviour is:
    1. If the traffic is encrypted traffic destined to the router itself and the interface has a crypto map, the traffic is decrypted.
    2. If the interface has a crypto map, cleartext traffic that matches the interesting traffic (the crypto ACL) is dropped.
    3. If the interface has no crypto map, cleartext interesting traffic is forwarded.
    4. Even if the interface has no crypto map, encrypted traffic destined to the router itself is still decrypted.
The first case is just normal VPN traffic and needs no test; the tests below cover the remaining three cases.
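The four rules above, modelled as a small decision function and run against the three test scenarios in sections V to VII. This is an added example, not code from the post or from Cisco IOS; it assumes Site1's single-entry crypto ACL and addresses from the configuration below, and it models the inbound check as the mirror (src/dst swapped) of the outbound permit entry, which is how IOS evaluates crypto ACLs for received packets.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

ESP = 50  # IP protocol number for ESP; ICMP is 1

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

@dataclass(frozen=True)
class Ace:
    src: str
    src_wc: str
    dst: str
    dst_wc: str

# Site1's crypto ACL from the post: permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
SITE1_VPN_ACL = [Ace("1.1.1.0", "0.0.0.255", "2.2.2.0", "0.0.0.255")]
SITE1_ADDRS = {"1.1.1.1", "202.100.1.1", "202.100.2.1"}

def is_interesting_inbound(acl: list[Ace], src: str, dst: str) -> bool:
    """Inbound packets are matched against the crypto ACL with src/dst swapped."""
    return any(wildcard_match(dst, e.src, e.src_wc) and wildcard_match(src, e.dst, e.dst_wc)
               for e in acl)

def inbound_action(src: str, dst: str, proto: int, iface_has_map: bool,
                   local_addrs=SITE1_ADDRS, acl=SITE1_VPN_ACL) -> str:
    # Rules 1 and 4: ESP addressed to the router is decrypted whether or not the
    # receiving interface carries the crypto map.
    if proto == ESP and dst in local_addrs:
        return "decrypt"
    # Rule 2: cleartext matching the crypto ACL on an interface with a map is
    # dropped (IOS logs %CRYPTO-4-RECVD_PKT_NOT_IPSEC, as section V shows).
    if iface_has_map and is_interesting_inbound(acl, src, dst):
        return "drop"
    # Rule 3, and anything the ACL does not cover: forwarded in the clear.
    return "forward"

# The three test scenarios seen from Site1: e0/0 has the map, e0/1 does not.
SCENARIOS = {
    "secV_clear_on_e0/0": ("2.2.2.2", "1.1.1.1", 1, True),
    "secVI_clear_on_e0/1": ("2.2.2.2", "1.1.1.1", 1, False),
    "secVII_esp_on_e0/1": ("61.128.1.1", "202.100.1.1", ESP, False),
}

def run_scenarios() -> dict[str, str]:
    return {name: inbound_action(*args) for name, args in SCENARIOS.items()}

if __name__ == "__main__":
    for name, action in run_scenarios().items():
        print(f"{name}: {action}")
```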

II. Test topology

III. Basic configuration
1. Site1
interface Loopback0
    ip address 1.1.1.1 255.255.255.0
interface Ethernet0/0
    ip address 202.100.1.1 255.255.255.0
    no shutdown
interface Ethernet0/1
    ip address 202.100.2.1 255.255.255.0
    no shutdown
ip route 0.0.0.0 0.0.0.0 202.100.1.10
2. Internet1
interface Ethernet0/0
    ip address 202.100.1.10 255.255.255.0
    no shutdown
interface Ethernet0/1
    ip address 61.128.1.10 255.255.255.0
    no shutdown
interface Ethernet0/2
    ip address 137.78.1.1 255.255.255.0
    no shutdown
3. Internet2
interface Ethernet0/0
    ip address 202.100.2.10 255.255.255.0
    no shutdown
interface Ethernet0/1
    ip address 61.128.2.10 255.255.255.0
    no shutdown
interface Ethernet0/2
    ip address 137.78.1.2 255.255.255.0
    no shutdown
4. Site2
interface Loopback0
    ip address 2.2.2.2 255.255.255.0
interface Ethernet0/0
    ip address 61.128.1.1 255.255.255.0
    no shutdown
interface Ethernet0/1
    ip address 61.128.2.1 255.255.255.0
    no shutdown
ip route 0.0.0.0 0.0.0.0 61.128.1.10
IV. VPN configuration
1. Site1
① Phase 1 policy
crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2
crypto isakmp key Cisc0123 address 61.128.1.1
② Phase 2 transform set
crypto ipsec transform-set transet esp-3des esp-md5-hmac
③ Define the interesting traffic (crypto ACL)
ip access-list extended vpn
    permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
④ Create the crypto map and apply it to the interface
crypto map crymap 10 ipsec-isakmp
    set peer 61.128.1.1
    set transform-set transet
    match address vpn
interface Ethernet0/0
     crypto map crymap
2. Site2
① Phase 1 policy
crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2
crypto isakmp key Cisc0123 address 202.100.1.1
② Phase 2 transform set
crypto ipsec transform-set transet esp-3des esp-md5-hmac
③ Define the interesting traffic (crypto ACL)
ip access-list extended vpn
    permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
④ Create the crypto map and apply it to the interface
crypto map crymap 10 ipsec-isakmp
    set peer 202.100.1.1
    set transform-set transet
    match address vpn
interface Ethernet0/0
     crypto map crymap
3. Verify the VPN
Site1#ping 2.2.2.2 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 5/5/6 ms
Site1#
V. Verify that cleartext interesting traffic is dropped when the interface has a crypto map
By adjusting the routes on Site2, Internet2 and Internet1, make Site2 send cleartext interesting traffic out of its e0/1 interface, through Internet2 and Internet1, so that it finally arrives at Site1's e0/0 interface.
1. Add a route on Site2
ip route 1.1.1.0 255.255.255.0 61.128.2.10
2. Add a route on Internet2
ip route 1.1.1.0 255.255.255.0 137.78.1.1
3. Add a route on Internet1
ip route 1.1.1.0 255.255.255.0 202.100.1.1
4. Enable debugging on Site1
Site1#debug ip icmp
ICMP packet debugging is on
5. Site2 sends cleartext interesting traffic; the ping fails
Site2#ping 1.1.1.1 source 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
.....
Success rate is 0 percent (0/5)
Site2#
6. Site1's debug output now shows a log message, which indicates that the ICMP packet did arrive but was dropped, so no reply is sent
Site1#
*Jan  5 05:36:34.094: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /1.1.1.1, src_addr= 2.2.2.2, prot= 1
Site1#
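A defender will usually meet the message above in a syslog feed rather than on the console. The parser and counter below, added here and not part of the post, extract the fields of %CRYPTO-4-RECVD_PKT_NOT_IPSEC and flag source/destination pairs that keep sending cleartext to a crypto-map interface; the sample log is constructed (its first line is the one Site1 logged in this test, the others are made up).

```python
import re
from collections import Counter
from typing import Optional

# The vrf field is empty for the global routing table, which is why the message
# reads "vrf/dest_addr= /1.1.1.1" with nothing before the slash.
NOT_IPSEC_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_NOT_IPSEC: .*?\(ip\) vrf/dest_addr= ?(?P<vrf>[^\s/]*)/(?P<dst>[\d.]+), "
    r"src_addr= ?(?P<src>[\d.]+), prot= ?(?P<prot>\d+)"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 50: "esp"}

def parse_not_ipsec(line: str) -> Optional[dict]:
    """Return the fields of one RECVD_PKT_NOT_IPSEC message, or None for other lines."""
    m = NOT_IPSEC_RE.search(line)
    if not m:
        return None
    prot = int(m.group("prot"))
    return {"vrf": m.group("vrf") or "global", "dst": m.group("dst"),
            "src": m.group("src"), "proto": PROTO_NAMES.get(prot, str(prot))}

def summarize(lines, threshold: int = 3):
    """Count dropped cleartext packets per (src, dst, proto) and flag pairs at or
    above threshold. Repeated hits mean traffic the crypto ACL expects inside the
    tunnel is arriving in the clear: here a routing change, in production usually
    asymmetric routing or a peer that has stopped encrypting."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_not_ipsec(line)
        if ev:
            counts[(ev["src"], ev["dst"], ev["proto"])] += 1
    flagged = sorted(k for k, n in counts.items() if n >= threshold)
    return counts, flagged

# Constructed sample log (first line as logged by Site1 above, the rest made up).
SAMPLE_LOG = [
    "*Jan  5 05:36:34.094: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /1.1.1.1, src_addr= 2.2.2.2, prot= 1",
    "*Jan  5 05:36:36.101: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /1.1.1.1, src_addr= 2.2.2.2, prot= 1",
    "*Jan  5 05:36:38.107: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /1.1.1.1, src_addr= 2.2.2.2, prot= 1",
    "*Jan  5 05:40:02.500: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /1.1.1.1, src_addr= 2.2.2.9, prot= 6",
    "*Jan  5 05:44:10.886: ICMP: echo reply sent, src 1.1.1.1, dst 2.2.2.2, topology BASE, dscp 0 topoid 0",
]

if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_LOG)
    print(counts)
    print("flagged:", flagged)
```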
VI. Verify that cleartext interesting traffic is forwarded when the interface has no crypto map
By adjusting the routes on Site2 and Internet2, make Site2 send cleartext interesting traffic out of its e0/1 interface, through Internet2, so that it finally arrives at Site1's e0/1 interface.
1. Add a route on Site2
ip route 1.1.1.0 255.255.255.0 61.128.2.10
2. On Internet2, remove the earlier route and add a new one
no ip route 1.1.1.0 255.255.255.0 137.78.1.1
ip route 1.1.1.0 255.255.255.0 202.100.2.1
3. Enable debugging on Site1
Site1#debug ip icmp
ICMP packet debugging is on
4. Site2 sends cleartext interesting traffic; this time the ping succeeds
Site2#ping 1.1.1.1 source 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Site2#
5. Site1's debug output now shows that the ICMP echo replies were sent; because Site1 has only a default route, the return traffic leaves via E0/0 and is therefore encrypted
Site1#
*Jan  5 05:44:10.886: ICMP: echo reply sent, src 1.1.1.1, dst 2.2.2.2, topology BASE, dscp 0 topoid 0
*Jan  5 05:44:10.886: ICMP: echo reply sent, src 1.1.1.1, dst 2.2.2.2, topology BASE, dscp 0 topoid 0
*Jan  5 05:44:10.886: ICMP: echo reply sent, src 1.1.1.1, dst 2.2.2.2, topology BASE, dscp 0 topoid 0
*Jan  5 05:44:10.887: ICMP: echo reply sent, src 1.1.1.1, dst 2.2.2.2, topology BASE, dscp 0 topoid 0
*Jan  5 05:44:10.887: ICMP: echo reply sent, src 1.1.1.1, dst 2.2.2.2, topology BASE, dscp 0 topoid 0
Site1#
VII. Verify that encrypted traffic destined to the router itself is decrypted even when the interface has no crypto map
By adjusting the routes on Internet1 and Internet2, make Site2 send encrypted traffic out of its e0/0 interface, through Internet1 and Internet2, so that it finally arrives at Site1's e0/1 interface.
1. First remove every static route configured earlier on all devices, except the default routes
2. Add a route on Internet1
ip route 202.100.1.1 255.255.255.255 137.78.1.2
3. Add a route on Internet2
ip route 202.100.1.1 255.255.255.255 202.100.2.1
4. Start a Wireshark capture on Site1's E0/1 interface beforehand
5. Site1 sends interesting traffic (encrypted on the way out); the ping succeeds
Site1# ping 2.2.2.2 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms
Site1#
6. Wireshark shows only the return-direction ESP encrypted traffic, even though Site1's E0/1 interface has no crypto map applied
7. If the VPN session is cleared and the ping repeated, it still succeeds
Site1#clear crypto session
Site1#ping 2.2.2.2 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 5/5/5 ms
Site1#
8. Wireshark captures the packets