
DMVPN + GETVPN Test

R1:

interface Loopback0
 ip address 192.168.1.1 255.255.255.0
interface FastEthernet0/0
 ip address 202.100.1.1 255.255.255.0
 no shut

R2:

interface FastEthernet0/0
 ! interface line reconstructed (only the ip address line survives in the source; Fa0/0 is the interface seen in the show outputs below)
 ip address 202.100.1.2 255.255.255.0
 no shut

R3:

interface Loopback0
 ! interface name assumed to mirror R1; only the ip address line is in the source
 ip address 192.168.3.3 255.255.255.0
interface FastEthernet0/0
 ip address 202.100.1.3 255.255.255.0
 no shut

R4:

interface Loopback0
 ! interface name assumed to mirror R1; only the ip address line is in the source
 ip address 192.168.4.4 255.255.255.0
interface FastEthernet0/0
 ip address 202.100.1.4 255.255.255.0
 no shut

3. mGRE tunnel configuration:

① R1 (GM1, hub):

interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 ip mtu 1400
 ip nhrp map multicast dynamic
 ip nhrp network-id 10
 ip nhrp redirect
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 12345

② R3 (GM2, spoke 1):

interface Tunnel0
 ip address 172.16.1.3 255.255.255.0
 ip mtu 1400
 ip nhrp map 172.16.1.1 202.100.1.1
 ip nhrp map multicast 202.100.1.1
 ip nhrp network-id 10
 ip nhrp nhs 172.16.1.1
 ip nhrp shortcut
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 12345
 ! the network-id, tunnel source, tunnel mode and tunnel key lines are omitted in the source;
 ! they must match the hub, so they are repeated here

③ R4 (GM3, spoke 2):

interface Tunnel0
 ip address 172.16.1.4 255.255.255.0
 ! the remaining lines are omitted in the source and are identical to R3
 ip mtu 1400
 ip nhrp map 172.16.1.1 202.100.1.1
 ip nhrp map multicast 202.100.1.1
 ip nhrp network-id 10
 ip nhrp nhs 172.16.1.1
 ip nhrp shortcut
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 12345

④ Test NHRP:

R4#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/42/52 ms

R4#ping 172.16.1.3
Sending 5, 100-byte ICMP Echos to 172.16.1.3, timeout is 2 seconds:
!!.!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 36/95/236 ms
R4#

Both spokes have registered with the hub (dynamic entries, one per spoke, each with its NBMA address):

R1#show ip nhrp
172.16.1.3/32 via 172.16.1.3, Tunnel0 created 00:02:58, expire 01:59:45
 Type: dynamic, Flags: router nat used
 NBMA address: 202.100.1.3
172.16.1.4/32 via 172.16.1.4, Tunnel0 created 00:00:36, expire 01:59:44
 Type: dynamic, Flags: router nat
 NBMA address: 202.100.1.4
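The hub's NHRP cache is the place to confirm that exactly the intended spokes registered, and from the underlay addresses you expect. The following Python is an added example written for this page (not code from the original post or from Cisco IOS): it parses the `show ip nhrp` output above and checks each expected spoke against a constructed table of tunnel-to-NBMA addresses, reporting spokes that are missing, registered from the wrong NBMA address, or not expected at all.

```python
import re

# Constructed sample input: the "show ip nhrp" output captured on the hub (R1) above.
SHOW_IP_NHRP = """\
172.16.1.3/32 via 172.16.1.3, Tunnel0 created 00:02:58, expire 01:59:45
 Type: dynamic, Flags: router nat used
 NBMA address: 202.100.1.3
172.16.1.4/32 via 172.16.1.4, Tunnel0 created 00:00:36, expire 01:59:44
 Type: dynamic, Flags: router nat
 NBMA address: 202.100.1.4
"""

# Tunnel (overlay) address of each spoke -> NBMA (underlay) address it should register from.
EXPECTED_SPOKES = {
    "172.16.1.3": "202.100.1.3",
    "172.16.1.4": "202.100.1.4",
}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ENTRY_RE = re.compile(
    rf"^(?P<prefix>{IPV4})/(?P<plen>\d+) via (?P<nexthop>{IPV4}), "
    r"(?P<intf>\S+) created (?P<created>\S+), expire (?P<expire>\S+)"
)
TYPE_RE = re.compile(r"^\s*Type: (?P<type>\w+), Flags:(?P<flags>.*)$")
NBMA_RE = re.compile(rf"^\s*NBMA address: (?P<nbma>{IPV4})")


def parse_show_ip_nhrp(text):
    """Return one dict per NHRP cache entry (tunnel address, type, flags, NBMA address)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({
                "tunnel_ip": m.group("prefix"),
                "prefix_len": int(m.group("plen")),
                "interface": m.group("intf"),
                "type": None,
                "flags": set(),
                "nbma": None,
            })
            continue
        if not entries:          # detail lines before the first entry header are ignored
            continue
        m = TYPE_RE.match(line)
        if m:
            entries[-1]["type"] = m.group("type")
            entries[-1]["flags"] = set(m.group("flags").split())
            continue
        m = NBMA_RE.match(line)
        if m:
            entries[-1]["nbma"] = m.group("nbma")
    return entries


def check_spoke_registrations(entries, expected):
    """Return a list of problems; an empty list means every expected spoke holds a
    dynamic registration from its expected NBMA address and nothing else registered."""
    problems = []
    by_tunnel_ip = {e["tunnel_ip"]: e for e in entries}
    for tunnel_ip, nbma in expected.items():
        e = by_tunnel_ip.get(tunnel_ip)
        if e is None:
            problems.append(f"{tunnel_ip}: no NHRP registration on the hub")
        elif e["type"] != "dynamic":
            problems.append(f"{tunnel_ip}: entry type is {e['type']}, expected dynamic")
        elif e["nbma"] != nbma:
            problems.append(f"{tunnel_ip}: registered from {e['nbma']}, expected {nbma}")
    for tunnel_ip, e in by_tunnel_ip.items():
        if tunnel_ip not in expected:
            problems.append(f"{tunnel_ip}: unexpected registration from NBMA {e['nbma']}")
    return problems


if __name__ == "__main__":
    entries = parse_show_ip_nhrp(SHOW_IP_NHRP)
    for e in entries:
        print(f"{e['tunnel_ip']:<12} {e['type']:<8} nbma={e['nbma']:<14} flags={sorted(e['flags'])}")
    print(check_spoke_registrations(entries, EXPECTED_SPOKES) or "all expected spokes registered")
```

Feed it the output of `show ip nhrp` collected from the hub on a schedule and alert on any non-empty result; the `nat` and `used` flags are kept in the parsed entries so the same data can drive further checks.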

4. Static route configuration:

R1(config)#ip route 192.168.3.0 255.255.255.0 172.16.1.3
R1(config)#ip route 192.168.4.0 255.255.255.0 172.16.1.4
R3(config)#ip route 192.168.0.0 255.255.0.0 172.16.1.1
R4(config)#ip route 192.168.0.0 255.255.0.0 172.16.1.1

5. GETVPN configuration:

① Generate the RSA key pair on the key server (it signs the rekey messages):

R2 (KS):

ip domain name yuntian.com
crypto key generate rsa modulus 1024 label getvpnkey

② Phase 1 (ISAKMP):

R2 (KS):

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 202.100.1.1
crypto isakmp key cisco address 202.100.1.3
crypto isakmp key cisco address 202.100.1.4

R1, R3, R4 (GM1, GM2, GM3):

crypto isakmp policy 10
 authentication pre-share
 ! policy omitted in the source; it must match the policy on the KS
crypto isakmp key cisco address 202.100.1.2

③ Define the interesting traffic on the KS (all GRE, i.e. every DMVPN tunnel packet):

ip access-list extended ALL-DMVPN-Traffic
 permit gre any any

④ Phase 2 policy on the KS, and the IPsec profile that references it:

crypto ipsec transform-set getvpn-set esp-des esp-sha-hmac
 exit
crypto ipsec profile getvpn-profile
 set transform-set getvpn-set

⑤ GDOI group configuration:

R2 (KS):

crypto gdoi group getvpngroup
 identity number 12345678
 server local
  address ipv4 202.100.1.2
  rekey algorithm aes 256
  rekey authentication mypubkey rsa getvpnkey
  rekey transport unicast
  sa ipsec 1
   profile getvpn-profile
   match address ipv4 ALL-DMVPN-Traffic

R1, R3, R4 (GMs):

crypto gdoi group getvpngroup
 identity number 12345678
 ! group name and identity number repeated from the KS side; the source lists only the server line
 server address ipv4 202.100.1.2

⑥ Crypto map on the group members:

crypto map getvpnmap 10 gdoi
 set group getvpngroup
interface FastEthernet0/0
 crypto map getvpnmap
 ! the interface line is omitted in the source; the map is applied on the NBMA interface,
 ! which is where the TEK policy appears (FastEthernet0/0) in the output below
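The key-server and group-member halves above have to agree on the group name, identity number and server address, the TEK ACL has to actually cover the GRE traffic, and the crypto map has to be applied to an interface before a GM can register at all. The following Python is an added example for this page (not code from the original post or from Cisco): it cross-checks the two snippets, embedded as constructed strings, and also flags the legacy `esp-des` transform used in this lab, reporting every mismatch as a finding.

```python
# Constructed from the key-server (R2) and group-member (R1) snippets above. Lab values
# only; the legacy esp-des transform is kept on purpose so the lint has something to flag.
KS_CONFIG = """\
ip access-list extended ALL-DMVPN-Traffic
 permit gre any any
crypto ipsec transform-set getvpn-set esp-des esp-sha-hmac
crypto ipsec profile getvpn-profile
 set transform-set getvpn-set
crypto gdoi group getvpngroup
 identity number 12345678
 server local
  address ipv4 202.100.1.2
  rekey algorithm aes 256
  rekey authentication mypubkey rsa getvpnkey
  rekey transport unicast
  sa ipsec 1
   profile getvpn-profile
   match address ipv4 ALL-DMVPN-Traffic
"""
GM_CONFIG = """\
crypto gdoi group getvpngroup
 identity number 12345678
 server address ipv4 202.100.1.2
crypto map getvpnmap 10 gdoi
 set group getvpngroup
interface FastEthernet0/0
 ip address 202.100.1.1 255.255.255.0
 crypto map getvpnmap
"""
# ESP transforms that no longer meet current guidance for a production VPN.
LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def sections(config):
    """Split IOS config into (top-level command, [stripped sub-commands]); nesting is flattened."""
    result = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if result:
                result[-1][1].append(raw.strip())
        else:
            result.append((raw.strip(), []))
    return result


def lint_getvpn(ks_config, gm_config):
    """Cross-check one GDOI key server against one group member; returns a list of findings."""
    findings = []
    # key-server side
    ks_group = ks_identity = ks_addr = ks_sa_acl = sa_profile = rekey_alg = None
    ks_acls, transforms, profiles = {}, {}, {}
    for head, body in sections(ks_config):
        words = head.split()
        if head.startswith("ip access-list extended "):
            ks_acls[words[-1]] = body
        elif head.startswith("crypto ipsec transform-set "):
            transforms[words[3]] = words[4:]
        elif head.startswith("crypto ipsec profile "):
            ts = [s.split()[-1] for s in body if s.startswith("set transform-set ")]
            profiles[words[-1]] = ts[0] if ts else None
        elif head.startswith("crypto gdoi group "):
            ks_group = words[-1]
            for sub in body:
                sw = sub.split()
                if sub.startswith("identity number "):
                    ks_identity = sw[-1]
                elif sub.startswith("address ipv4 "):        # under "server local"
                    ks_addr = sw[-1]
                elif sub.startswith("rekey algorithm "):
                    rekey_alg = " ".join(sw[2:])
                elif sub.startswith("profile "):             # under "sa ipsec"
                    sa_profile = sw[-1]
                elif sub.startswith("match address ipv4 "):
                    ks_sa_acl = sw[-1]
    if not any(line.startswith("permit gre") for line in ks_acls.get(ks_sa_acl, [])):
        findings.append(f"KS: TEK ACL {ks_sa_acl!r} does not permit GRE, so DMVPN tunnel "
                        "traffic would leave the GMs in the clear")
    ts_name = profiles.get(sa_profile)
    legacy = LEGACY_TRANSFORMS.intersection(transforms.get(ts_name, []))
    if legacy:
        findings.append(f"KS: transform-set {ts_name!r} uses legacy transforms "
                        f"{sorted(legacy)}; use esp-aes 256 esp-sha-hmac")
    if not (rekey_alg or "").startswith("aes"):
        findings.append(f"KS: KEK rekey algorithm is {rekey_alg!r}; use aes 256")
    # group-member side
    gm_group = gm_identity = gm_server = None
    crypto_maps = {}   # crypto map name -> GDOI group it sets
    applied = set()    # crypto map names applied to an interface
    for head, body in sections(gm_config):
        words = head.split()
        if head.startswith("crypto gdoi group "):
            gm_group = words[-1]
            for sub in body:
                if sub.startswith("identity number "):
                    gm_identity = sub.split()[-1]
                elif sub.startswith("server address ipv4 "):
                    gm_server = sub.split()[-1]
        elif head.startswith("crypto map ") and words[-1] == "gdoi":
            groups = [s.split()[-1] for s in body if s.startswith("set group ")]
            crypto_maps[words[2]] = groups[0] if groups else None
        elif head.startswith("interface "):
            applied.update(s.split()[-1] for s in body if s.startswith("crypto map "))
    if gm_group != ks_group:
        findings.append(f"GM: group name {gm_group!r} differs from KS {ks_group!r}")
    if gm_identity != ks_identity:
        findings.append(f"GM: identity number {gm_identity!r} differs from KS {ks_identity!r}")
    if gm_server != ks_addr:
        findings.append(f"GM: server address {gm_server!r} is not the KS address {ks_addr!r}")
    if not any(grp == gm_group and name in applied for name, grp in crypto_maps.items()):
        findings.append("GM: no GDOI crypto map for the group is applied to an interface, "
                        "so the GM will never register")
    return findings


if __name__ == "__main__":
    for finding in lint_getvpn(KS_CONFIG, GM_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the lab snippets it reports exactly one finding, the `esp-des` transform-set; the same function returns nothing once the transform-set is changed to `esp-aes 256 esp-sha-hmac`, and a typo in the GM's identity number or a crypto map that was never applied to the interface each produce their own finding.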

6. Verification:

① GETVPN state on the key server and on the group members:

R2#show crypto gdoi group getvpngroup
   Group Name               : getvpngroup (Unicast)
   Group Identity           : 12345678
   Group Members            : 3
   IPSec SA Direction       : Both
   Active Group Server      : Local
   Group Rekey Lifetime     : 86400 secs
   Group Rekey
       Remaining Lifetime   : 86352 secs
   Rekey Retransmit Period  : 10 secs
   Rekey Retransmit Attempts: 2
   Group Retransmit
       Remaining Lifetime   : 0 secs
     IPSec SA Number        : 1
     IPSec SA Rekey Lifetime: 3600 secs
     Profile Name           : getvpn-profile
     Replay method          : Count Based
     Replay Window Size     : 64
     SA Rekey
        Remaining Lifetime  : 3553 secs
     ACL Configured         : access-list ALL-DMVPN-Traffic
   Group Server list        : Local

R1#show crypto gdoi group getvpngroup
   Group Name               : getvpngroup
   Rekeys received          : 0
   Active Group Server      : 202.100.1.2
   Group Server list        : 202.100.1.2
   GM Reregisters in        : 3473 secs
   Rekey Received           : never
   Rekeys received
        Cumulative          : 0
        After registration  : 0
   Rekey Acks sent          : 0

ACL Downloaded From KS 202.100.1.2:
  access-list  permit gre any any

KEK POLICY:
   Rekey Transport Type     : Unicast
   Lifetime (secs)          : 86399
   Encrypt Algorithm        : AES
   Key Size                 : 256
   Sig Hash Algorithm       : HMAC_AUTH_SHA
   Sig Key Length (bits)    : 1024

TEK POLICY:
 FastEthernet0/0:
   IPsec SA:
       sa direction:inbound
       spi: 0x8EAF909E(2393870494)
       transform: esp-des esp-sha-hmac
       sa timing:remaining key lifetime (sec): (3527)
       Anti-Replay : Disabled
       sa direction:outbound

The same command on R3 and R4 (output abbreviated to the lines that differ):

R3#show crypto gdoi group getvpngroup
   GM Reregisters in        : 3437 secs
   Lifetime (secs)          : 86387
       sa timing:remaining key lifetime (sec): (3495)

R4#show crypto gdoi group getvpngroup
   GM Reregisters in        : 3408 secs
   Lifetime (secs)          : 86380
       sa timing:remaining key lifetime (sec): (3465)

② Members registered on the key server (output abbreviated for the second and third member):

R2#show crypto gdoi ks members
Group Member Information :
Number of rekeys sent for group getvpngroup : 0

Group Member ID   : 202.100.1.1
Group ID          : 12345678
Group Name        : getvpngroup
Key Server ID     : 202.100.1.2
Rekeys sent       : 0
Rekey Acks Rcvd   : 0
Rekey Acks missed : 0
Sent seq num :    0    0    0    0
Rcvd seq num :    0    0    0    0

Group Member ID   : 202.100.1.3

Group Member ID   : 202.100.1.4

③ Test GETVPN encryption and decryption on a group member:

Step 1: on R1 (GM1), check the encrypt/decrypt counters before the test.

R1#show crypto engine connections active
Crypto Engine Connections

  ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
   1 Fa0/0      IPsec DES+SHA                   0        0 0.0.0.0
   2 Fa0/0      IPsec DES+SHA                   0        0 0.0.0.0
1001 Fa0/0      IKE   SHA+DES                   0        0 202.100.1.1
1002 <none>     IKE   SHA+AES256                0        0

Step 2: on R1 (GM1), generate interesting traffic with ping so that it is encrypted.

R1#ping 192.168.3.3 source 192.168.1.1 repeat 100
Sending 100, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 68/101/344 ms

Step 3: on R1 (GM1), check the counters again (output abbreviated to the IPsec rows): the 100 echo requests were encrypted on connection 2 and the 100 replies decrypted on connection 1.

R1#show crypto engine connections active
   1 Fa0/0      IPsec DES+SHA                   0      100 0.0.0.0
   2 Fa0/0      IPsec DES+SHA                 100        0 0.0.0.0
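Steps 1 to 3 above, together with the member list from ②, can be checked mechanically instead of by eye. The following Python is an added example for this page (not code from the original post or from Cisco): it parses the two `show crypto engine connections active` snapshots, computes the IPsec encrypt/decrypt deltas between them, and confirms from `show crypto gdoi ks members` that every expected GM is registered. The inputs are the outputs captured above, embedded as constructed strings.

```python
import re

# Constructed from the R1 outputs above: counters before and after the 100-packet ping.
BEFORE = """\
Crypto Engine Connections

  ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
   1 Fa0/0      IPsec DES+SHA                   0        0 0.0.0.0
   2 Fa0/0      IPsec DES+SHA                   0        0 0.0.0.0
1001 Fa0/0      IKE   SHA+DES                   0        0 202.100.1.1
1002 <none>     IKE   SHA+AES256                0        0
"""
AFTER = """\
Crypto Engine Connections

  ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
   1 Fa0/0      IPsec DES+SHA                   0      100 0.0.0.0
   2 Fa0/0      IPsec DES+SHA                 100        0 0.0.0.0
1001 Fa0/0      IKE   SHA+DES                   0        0 202.100.1.1
1002 <none>     IKE   SHA+AES256                0        0
"""
# Constructed from the "show crypto gdoi ks members" output on R2 above (abbreviated as on the page).
KS_MEMBERS = """\
Group Member Information :
Number of rekeys sent for group getvpngroup : 0
Group Member ID   : 202.100.1.1
Group ID          : 12345678
Group Name        : getvpngroup
Key Server ID     : 202.100.1.2
Rekeys sent       : 0
Rekey Acks Rcvd   : 0
Rekey Acks missed : 0
Group Member ID   : 202.100.1.3
Group Member ID   : 202.100.1.4
"""
EXPECTED_GMS = {"202.100.1.1", "202.100.1.3", "202.100.1.4"}

# One row of "show crypto engine connections active"; the peer column is absent on the rekey SA.
ROW_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<intf>\S+)\s+(?P<type>IPsec|IKE)\s+(?P<alg>\S+)\s+"
    r"(?P<enc>\d+)\s+(?P<dec>\d+)(?:\s+(?P<peer>\S+))?\s*$"
)


def parse_engine_connections(text):
    """Map connection ID -> row dict for 'show crypto engine connections active'."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows[int(m.group("id"))] = {
                "interface": m.group("intf"), "type": m.group("type"),
                "algorithm": m.group("alg"), "peer": m.group("peer"),
                "encrypt": int(m.group("enc")), "decrypt": int(m.group("dec")),
            }
    return rows


def ipsec_delta(before, after):
    """Packets encrypted and decrypted on IPsec connections between two snapshots."""
    enc = dec = 0
    for cid, row in after.items():
        if row["type"] != "IPsec":
            continue
        prev = before.get(cid, {"encrypt": 0, "decrypt": 0})
        enc += row["encrypt"] - prev["encrypt"]
        dec += row["decrypt"] - prev["decrypt"]
    return enc, dec


def registered_members(ks_members_text):
    """Group member IDs listed by the key server."""
    return re.findall(r"^Group Member ID\s*:\s*(\S+)", ks_members_text, re.M)


def verify_lab(before_text, after_text, packets_sent, ks_members_text, expected_gms):
    """Return a list of problems; empty means the pings were encrypted and decrypted
    on the GM and every expected GM is registered with the KS."""
    problems = []
    enc, dec = ipsec_delta(parse_engine_connections(before_text),
                           parse_engine_connections(after_text))
    if enc < packets_sent:
        problems.append(f"only {enc} of {packets_sent} echo requests were encrypted")
    if dec < packets_sent:
        problems.append(f"only {dec} of {packets_sent} echo replies were decrypted")
    missing = set(expected_gms) - set(registered_members(ks_members_text))
    if missing:
        problems.append(f"GMs not registered with the KS: {sorted(missing)}")
    return problems


if __name__ == "__main__":
    print(ipsec_delta(parse_engine_connections(BEFORE), parse_engine_connections(AFTER)))
    print(verify_lab(BEFORE, AFTER, 100, KS_MEMBERS, EXPECTED_GMS) or "lab checks passed")
```

The delta is taken per connection ID rather than on totals, so a counter that only moved on an IKE row (a rekey, not data traffic) does not count as encrypted traffic.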

④ Phase 1 security associations (each GM holds a GDOI_IDLE SA to the KS plus a GDOI_REKEY SA from it; the KS-side outputs are abbreviated to the SA rows):

R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
202.100.1.1     202.100.1.2     GDOI_REKEY        1002    0 ACTIVE
202.100.1.2     202.100.1.1     GDOI_IDLE         1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

R2#show crypto isakmp sa
202.100.1.2     202.100.1.4     GDOI_IDLE         1003    0 ACTIVE
202.100.1.2     202.100.1.3     GDOI_IDLE         1002    0 ACTIVE

R3#show crypto isakmp sa
202.100.1.3     202.100.1.2     GDOI_REKEY        1002    0 ACTIVE
202.100.1.2     202.100.1.3     GDOI_IDLE         1001    0 ACTIVE

R4#show crypto isakmp sa
202.100.1.2     202.100.1.4     GDOI_IDLE         1001    0 ACTIVE
202.100.1.4     202.100.1.2     GDOI_REKEY        1002    0 ACTIVE

⑤ Phase 2 security associations (output abbreviated):

1002 <none>     IKE   SHA+AES256                0        0

R2#show crypto engine connections active
1001 Fa0/0      IKE   SHA+DES                   0        0 202.100.1.2
1002 Fa0/0      IKE   SHA+DES                   0        0 202.100.1.2
1003 Fa0/0      IKE   SHA+DES                   0        0 202.100.1.2

R3#show crypto engine connections active
1001 Fa0/0      IKE   SHA+DES                   0        0 202.100.1.3

Spoke-to-spoke traffic is encrypted as well; ping from R4 to R3 and check the counters on R4:

R4#ping 192.168.3.3 source 192.168.4.4
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.4.4
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/94/112 ms

R4#show crypto engine connections active
   1 Fa0/0      IPsec DES+SHA                   0       10 0.0.0.0
   2 Fa0/0      IPsec DES+SHA                  10        0 0.0.0.0
1001 Fa0/0      IKE   SHA+DES                   0        0 202.100.1.4

After a second ping (command not shown in the source), the counters on R4 have moved on by another 5:

Success rate is 100 percent (5/5), round-trip min/avg/max = 80/96/116 ms
   1 Fa0/0      IPsec DES+SHA                   0       15 0.0.0.0
   2 Fa0/0      IPsec DES+SHA                  15        0 0.0.0.0

This article is reposted from 碧雲天's 51CTO blog; original link: http://blog.51cto.com/333234/847163. Contact the original author for permission to reprint.
