I. Overview
As shown in the figure below, on IOS versions before 12.3(8)T an ACL applied to a physical interface acts on both the IPsec-encrypted traffic and the traffic after decryption. Therefore, if an ACL is configured on that interface, the IPsec VPN only works when the ACL permits the IKE and ESP traffic as well as the traffic between the interesting-traffic networks.
II. Test Topology
Note: Site1 and Site2 run IOS (tm) 3700 Software (C3725-IK9S-M), Version 12.2(15)T9
III. Test Steps
1. Basic configuration
① Inside router
interface Ethernet0/0
ip address 1.1.1.1 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 1.1.1.10
② Site1 router
interface FastEthernet0/0
ip address 1.1.1.10 255.255.255.0
no shutdown
interface FastEthernet0/1
ip address 202.100.1.1 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 202.100.1.10
③ Internet router
interface Ethernet0/0
ip address 202.100.1.10 255.255.255.0
no shutdown
interface Ethernet0/1
ip address 61.128.1.10 255.255.255.0
no shutdown
④ Site2 router
interface FastEthernet0/0
ip address 61.128.1.1 255.255.255.0
no shutdown
interface FastEthernet0/1
ip address 2.2.2.10 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 61.128.1.10
⑤ Private router
interface Ethernet0/0
ip address 2.2.2.1 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 2.2.2.10
2. VPN configuration
① Site1 router
-- Phase 1 (ISAKMP) policy
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key Cisc0123 address 61.128.1.1
-- Phase 2 transform set
crypto ipsec transform-set transet esp-3des esp-md5-hmac
-- Define the interesting traffic
ip access-list extended xll-vpn
permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
-- Configure the crypto map and apply it on the outside interface
crypto map crymap 10 ipsec-isakmp
set peer 61.128.1.1
set transform-set transet
match address xll-vpn
interface FastEthernet0/1
crypto map crymap
② Site2 router
-- Phase 1 (ISAKMP) policy
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key Cisc0123 address 202.100.1.1
-- Phase 2 transform set
crypto ipsec transform-set transet esp-3des esp-md5-hmac
-- Define the interesting traffic
ip access-list extended xll-vpn
permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
-- Configure the crypto map and apply it on the outside interface
crypto map crymap 10 ipsec-isakmp
set peer 202.100.1.1
set transform-set transet
match address xll-vpn
interface FastEthernet0/0
crypto map crymap
3. Inbound ACL test (performed on Site1 only)
① Configure the ACL
ip access-list extended Site1.Inbound
permit udp host 61.128.1.1 eq isakmp host 202.100.1.1 eq isakmp
permit esp host 61.128.1.1 host 202.100.1.1
deny ip any any
② Apply the ACL inbound on the outside (egress) interface
interface FastEthernet0/1
ip access-group Site1.Inbound in
③ Now the Inside router cannot ping the Private router; on Site1 the ACL shows matches on the deny entry
Inside#ping 2.2.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Inside#
Site1#show ip access-lists Site1.Inbound
Extended IP access list Site1.Inbound
10 permit udp host 61.128.1.1 eq isakmp host 202.100.1.1 eq isakmp
20 permit esp host 61.128.1.1 host 202.100.1.1 (5 matches)
30 deny ip any any (10 matches)
Site1#
④ Modify the ACL to add an entry permitting the ICMP traffic
Site1#show ip access-lists Site1.Inbound
Extended IP access list Site1.Inbound
10 permit udp host 61.128.1.1 eq isakmp host 202.100.1.1 eq isakmp
20 permit esp host 61.128.1.1 host 202.100.1.1 (5 matches)
21 permit icmp 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
30 deny ip any any (10 matches)
Site1#
⑤ Now the Inside router can ping the Private router; on Site1 the ACL shows the matching traffic
Inside#ping 2.2.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/42/43 ms
Inside#
Site1#show ip access-lists Site1.Inbound
Extended IP access list Site1.Inbound
10 permit udp host 61.128.1.1 eq isakmp host 202.100.1.1 eq isakmp
20 permit esp host 61.128.1.1 host 202.100.1.1 (10 matches)
21 permit icmp 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255 (6 matches)
30 deny ip any any (10 matches)
Site1#
4. Outbound ACL test (performed on Site1 only)
① Configure the ACL
ip access-list extended Site1.Outbound
permit udp host 202.100.1.1 eq isakmp host 61.128.1.1 eq isakmp
permit esp host 202.100.1.1 host 61.128.1.1
deny ip any any
② Apply the ACL outbound on the outside (egress) interface
interface FastEthernet0/1
ip access-group Site1.Outbound out
③ Now the Inside router cannot ping the Private router; on Site1 the ACL shows matches on the deny entry
Inside#ping 2.2.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
Inside#
Site1#show ip access-lists Site1.Outbound
Extended IP access list Site1.Outbound
10 permit udp host 202.100.1.1 eq isakmp host 61.128.1.1 eq isakmp
20 permit esp host 202.100.1.1 host 61.128.1.1
30 deny ip any any (8 matches)
④ Modify the ACL to add an entry permitting the ICMP traffic
Site1#show ip access-lists Site1.Outbound
Extended IP access list Site1.Outbound
10 permit udp host 202.100.1.1 eq isakmp host 61.128.1.1 eq isakmp
20 permit esp host 202.100.1.1 host 61.128.1.1
21 permit icmp 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
30 deny ip any any (8 matches)
Site1#
⑤ Now the Inside router can ping the Private router; on Site1 the ACL shows the matching traffic
Inside#ping 2.2.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 31/37/44 ms
Inside#
Site1#show ip access-lists Site1.Outbound
Extended IP access list Site1.Outbound
10 permit udp host 202.100.1.1 eq isakmp host 61.128.1.1 eq isakmp
20 permit esp host 202.100.1.1 host 61.128.1.1
21 permit icmp 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 (5 matches)
30 deny ip any any (8 matches)
Site1#
Note: the output above also shows that the ESP entry is never matched in the outbound direction, which confirms that the interface ACL is evaluated first; only after the ACL permits a packet is it matched against the interesting traffic and encrypted.
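To make the evaluation order concrete, the following is an added Python model (it is not code from the original post, nor anything from Cisco) of a first-match IOS extended ACL and of the two pre-12.3(8)T packet paths exercised in sections 3 and 4: inbound, the interface ACL is consulted for the ESP packet and again for the decrypted inner packet; outbound, it is consulted for the cleartext packet before the crypto map decides whether the packet is interesting traffic. The ACLs, the crypto ACL and the addresses are the page's own values, embedded as constructed test data; the behaviour of the two paths is modelled from the hit counters shown above, not from IOS source, and the NAMED_PORTS table, the packet dictionaries and the `*_pre_12_3_8T` function names are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Symbolic port names IOS accepts in ACLs; only those this model needs (assumption).
NAMED_PORTS = {"isakmp": 500, "non500-isakmp": 4500}

@dataclass
class Ace:
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches every protocol
    src: Tuple[int, int]    # (address, wildcard mask) as integers
    sport: Optional[int]
    dst: Tuple[int, int]
    dport: Optional[int]
    hits: int = 0           # mirrors the "(N matches)" counter IOS displays

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _addr(tok: List[str]) -> Tuple[int, int]:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' and return (address, wildcard)."""
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return _ip(tok.pop(0)), 0
    return _ip(t), _ip(tok.pop(0))

def _port(tok: List[str]) -> Optional[int]:
    """Consume an optional 'eq <port>' qualifier, numeric or symbolic."""
    if tok and tok[0] == "eq":
        _, p = tok.pop(0), tok.pop(0)
        return int(p) if p.isdigit() else NAMED_PORTS[p]
    return None

def parse_acl(text: str) -> List[Ace]:
    """Parse the permit/deny lines of an IOS extended ACL; the header line is skipped."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        action, proto, rest = tok[0], tok[1], tok[2:]
        src, sport = _addr(rest), _port(rest)      # tuple elements evaluate left to right
        dst, dport = _addr(rest), _port(rest)
        aces.append(Ace(action, proto, src, sport, dst, dport))
    return aces

def _in(pkt_addr: int, spec: Tuple[int, int]) -> bool:
    addr, wc = spec
    return (pkt_addr | wc) == (addr | wc)       # a set wildcard bit means "don't care"

def evaluate(acl: List[Ace], pkt: Dict) -> str:
    """First-match evaluation ending in the implicit deny; bumps the matched entry's counter."""
    for a in acl:
        if (a.proto in ("ip", pkt["proto"])
                and _in(_ip(pkt["src"]), a.src) and _in(_ip(pkt["dst"]), a.dst)
                and a.sport in (None, pkt.get("sport"))
                and a.dport in (None, pkt.get("dport"))):
            a.hits += 1
            return a.action
    return "deny"

def inbound_pre_12_3_8T(acl: List[Ace], esp_pkt: Dict, inner_pkt: Dict) -> str:
    """Pre-12.3(8)T inbound path: the interface ACL is consulted for the ESP packet
    and again for the decrypted inner packet, so both must be permitted."""
    if evaluate(acl, esp_pkt) == "deny":
        return "dropped: ESP denied"
    if evaluate(acl, inner_pkt) == "deny":
        return "dropped: decrypted traffic denied"
    return "forwarded"

def outbound_pre_12_3_8T(acl: List[Ace], crypto_acl: List[Ace], clear_pkt: Dict) -> str:
    """Outbound path: the interface ACL judges the cleartext packet before the crypto map
    matches it as interesting traffic. The page's outbound counters never increment the
    ESP entry, so the resulting ciphertext is not re-checked in this model."""
    if evaluate(acl, clear_pkt) == "deny":
        return "dropped: cleartext denied"
    return "encrypted" if evaluate(crypto_acl, clear_pkt) == "permit" else "forwarded in clear"

# Constructed inputs: the page's Site1 ACLs, crypto ACL, peer ESP packet and ICMP echoes.
SITE1_INBOUND = """ip access-list extended Site1.Inbound
permit udp host 61.128.1.1 eq isakmp host 202.100.1.1 eq isakmp
permit esp host 61.128.1.1 host 202.100.1.1
deny ip any any"""
SITE1_OUTBOUND = """permit udp host 202.100.1.1 eq isakmp host 61.128.1.1 eq isakmp
permit esp host 202.100.1.1 host 61.128.1.1
deny ip any any"""
FIX_IN = "permit icmp 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255\ndeny ip any any"   # the page's line 21
FIX_OUT = "permit icmp 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255\ndeny ip any any"
CRYPTO_ACL = parse_acl("permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255")
ESP_IN = {"proto": "esp", "src": "61.128.1.1", "dst": "202.100.1.1"}
ECHO_REQUEST = {"proto": "icmp", "src": "1.1.1.1", "dst": "2.2.2.1"}
ECHO_REPLY = {"proto": "icmp", "src": "2.2.2.1", "dst": "1.1.1.1"}

def run_tests() -> Dict[str, str]:
    """Replay the page's four observations: each direction before and after adding line 21."""
    return {
        "inbound_before": inbound_pre_12_3_8T(parse_acl(SITE1_INBOUND), ESP_IN, ECHO_REPLY),
        "inbound_after": inbound_pre_12_3_8T(
            parse_acl(SITE1_INBOUND.replace("deny ip any any", FIX_IN)), ESP_IN, ECHO_REPLY),
        "outbound_before": outbound_pre_12_3_8T(parse_acl(SITE1_OUTBOUND), CRYPTO_ACL, ECHO_REQUEST),
        "outbound_after": outbound_pre_12_3_8T(
            parse_acl(SITE1_OUTBOUND.replace("deny ip any any", FIX_OUT)), CRYPTO_ACL, ECHO_REQUEST),
    }
```

`run_tests()` returns "dropped: decrypted traffic denied" and "dropped: cleartext denied" for the two ACLs as first configured, and "forwarded" and "encrypted" once the ICMP entry is present, matching the ping results in sections 3 and 4. The same parser and `evaluate()` can be pointed at any interface ACL and crypto ACL pair to check, before deployment, that IKE, ESP and the interesting traffic in the needed direction are all permitted.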