Topology diagram:
Configuration parameters:
<b>R1</b>
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 123456 address 1.1.1.2
crypto isakmp key 123456 address 1.1.1.3
crypto ipsec transform-set myset esp-3des esp-md5-hmac // Note: AH parameters can also be configured over Frame Relay! This was tested successfully!
crypto map mymap 10 ipsec-isakmp
set peer 1.1.1.2
set transform-set myset
match address 100
crypto map mymap 20 ipsec-isakmp
set peer 1.1.1.3
set transform-set myset
match address 101
interface Serial0/0
ip address 1.1.1.1 255.255.255.0
encapsulation frame-relay IETF
frame-relay map ip 1.1.1.2 26
frame-relay map ip 1.1.1.3 27
no frame-relay inverse-arp
frame-relay lmi-type ansi
crypto map mymap
ip route 192.168.2.0 255.255.255.0 1.1.1.2
ip route 192.168.3.0 255.255.255.0 1.1.1.3
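A quick audit of the IKE and IPsec parameters in the R1 configuration above, as an added Python example that is not part of the original post. The weak-algorithm lists and the minimum pre-shared key length are assumptions of this example, and `audit_ios_crypto` is a hypothetical name.

```python
import re

# Crypto-relevant lines copied from the R1 configuration above (indentation added).
R1_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 123456 address 1.1.1.2
crypto isakmp key 123456 address 1.1.1.3
crypto ipsec transform-set myset esp-3des esp-md5-hmac
"""
# Assumed audit policy for this example (not from the page).
WEAK_CIPHERS = {"des", "3des"}
WEAK_HASHES = {"md5"}
WEAK_DH_GROUPS = {1, 2, 5}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}
MIN_PSK_LEN = 20


def audit_ios_crypto(config):
    """Return a sorted list of (rule, detail) findings for an IOS config."""
    findings, keys = set(), {}  # keys: pre-shared key -> peers using it
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"encr(?:yption)?\s+(\S+)(?:\s+\d+)?", line):
            if m.group(1) in WEAK_CIPHERS:
                findings.add(("ike-cipher", m.group(1)))
        elif m := re.fullmatch(r"hash\s+(\S+)", line):
            if m.group(1) in WEAK_HASHES:
                findings.add(("ike-hash", m.group(1)))
        elif m := re.fullmatch(r"group\s+(\d+)", line):
            if int(m.group(1)) in WEAK_DH_GROUPS:
                findings.add(("ike-dh-group", m.group(1)))
        elif m := re.fullmatch(r"crypto isakmp key (\S+) address (\S+).*", line):
            keys.setdefault(m.group(1), []).append(m.group(2))
            if len(m.group(1)) < MIN_PSK_LEN:
                findings.add(("psk-short", m.group(2)))  # report peer, not key
        elif m := re.fullmatch(r"crypto ipsec transform-set (\S+) (.+)", line):
            for t in WEAK_TRANSFORMS.intersection(m.group(2).split()):
                findings.add(("transform", f"{m.group(1)}:{t}"))
    for peers in keys.values():
        if len(peers) > 1:  # the same key is configured for several peers
            findings.add(("psk-shared", ",".join(sorted(peers))))
    return sorted(findings)
```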
<b>R3</b>
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto isakmp key 123456 address 1.1.1.1
crypto ipsec transform-set myset esp-3des esp-md5-hmac
set peer 1.1.1.1
ip address 1.1.1.2 255.255.255.0
frame-relay map ip 1.1.1.1 36
frame-relay map ip 1.1.1.3 36
ip route 192.168.1.0 255.255.255.0 1.1.1.1
<b>R4</b>
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
ip address 1.1.1.3 255.255.255.0
frame-relay map ip 1.1.1.1 37
frame-relay map ip 1.1.1.2 37
<b>R2</b>
frame-relay switching
no ip address
serial restart-delay 0
frame-relay intf-type dce
frame-relay route 26 interface Serial0/1 36
frame-relay route 27 interface Serial0/2 37
interface Serial0/1
frame-relay route 36 interface Serial0/0 26
interface Serial0/2
frame-relay route 37 interface Serial0/0 27
Testing:
<b>R2:</b>
r2#SH FRAM ROU
Input Intf Input Dlci Output Intf Output Dlci Status
Serial0/0 26 Serial0/1 36 active
Serial0/0 27 Serial0/2 37 active
Serial0/1 36 Serial0/0 26 active
Serial0/2 37 Serial0/0 27 active
<b>R1:</b>
r1#SH CRY IS SA
dst src state conn-id slot
1.1.1.1 1.1.1.2 QM_IDLE 1 0
1.1.1.1 1.1.1.3 QM_IDLE 2 0
<b>R3:</b>
r3#SH CRY IS SA
<b>R4:</b>
r4#SH CRY IS SA
1.1.1.1 1.1.1.3 QM_IDLE 1 0
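<b>VPC:</b>
Testing with VPCs
<b>VPC1:</b>
The headquarters internal network can ping branch 1 and branch 2
<b>VPC2:</b>
Branch 1 can ping the headquarters internal network
<b>VPC3:</b>
Branch 2 can ping the headquarters internal network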
r1#sh cry ip sa
interface: Serial0/0
Crypto map tag: mymap, local addr. 1.1.1.1
protected vrf:
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 1.1.1.2:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: <b>1.1.1.2</b>
path mtu 1500, media mtu 1500
current outbound spi: 6DA96143
<b>inbound esp sas:</b>
spi: 0x47E18A8B(<b>1205963403</b>) <b>------> IN corresponds to R3's OUT</b>
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2000, flow_id: 1, crypto map: mymap
crypto engine type: Software, engine_id: 1
sa timing: remaining key lifetime (k/sec): (4561490/2009)
ike_cookies: 4212F6AE 2BE257C8 70AA7619 C7B2C848
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x6DA96143(1839817027)
slot: 0, conn id: 2001, flow_id: 2, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4561492/2008)
outbound ah sas:
outbound pcp sas:
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer: 1.1.1.3:500
local crypto endpt.: 1.1.1.1, remote crypto endpt.: <b>1.1.1.3</b>
current outbound spi: 935F895E
<b>inbound esp sas:</b>
spi: 0x189C7927(<b>412907815</b>) <b>------> IN corresponds to R4's OUT</b>
slot: 0, conn id: 2002, flow_id: 3, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4410147/2372)
ike_cookies: 0304C43A 22E2C670 2D431BA9 28CCCCBE
spi: 0x935F895E(2472511838)
slot: 0, conn id: 2003, flow_id: 4, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4410149/2372)
r1#
<b>r3#sh cry ip sa</b>
Crypto map tag: mymap, local addr. 1.1.1.2
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 1.1.1.1:500
#send errors 6, #recv errors 0
local crypto endpt.: 1.1.1.2, remote crypto endpt.: 1.1.1.1
current outbound spi: 47E18A8B
inbound esp sas:
sa timing: remaining key lifetime (k/sec): (4434742/1960)
ike_cookies: 70AA7619 C7B2C848 4212F6AE 2BE257C8
<b>outbound esp sas:</b>
spi: 0x47E18A8B(<b>1205963403</b>) <b>------> OUT corresponds to R1's IN</b>
sa timing: remaining key lifetime (k/sec): (4434744/1960)
r3#
<b>r4#sh cry ip sa</b>
Crypto map tag: mymap, local addr. 1.1.1.3
local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
#send errors 1, #recv errors 0
local crypto endpt.: 1.1.1.3, remote crypto endpt.: 1.1.1.1
current outbound spi: 189C7927
sa timing: remaining key lifetime (k/sec): (4549234/2304)
ike_cookies: 2D431BA9 28CCCCBE 0304C43A 22E2C670
spi: 0x189C7927(<b>412907815</b>) <b>------> OUT corresponds to R1's IN</b>
sa timing: remaining key lifetime (k/sec): (4549236/2304)
r4#
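The SPI annotations above (R1's inbound SPI is the peer's outbound SPI) can be checked mechanically across two routers' `show crypto ipsec sa` output. This Python is an added example, not part of the original post; the function names are hypothetical, and R3's inbound SPI line is constructed because the page shows only R3's outbound SPI.

```python
import re

ENDPT = re.compile(r"local crypto endpt\.: (\S+), remote crypto endpt\.: (\S+)")
SECTION = re.compile(r"(inbound|outbound) (esp|ah|pcp) sas:")
SPI = re.compile(r"spi: 0x([0-9A-Fa-f]+)")
# Abridged from the R1 output above (both peers).
R1 = """\
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 1.1.1.2
inbound esp sas:
spi: 0x47E18A8B(1205963403)
outbound esp sas:
spi: 0x6DA96143(1839817027)
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 1.1.1.3
inbound esp sas:
spi: 0x189C7927(412907815)
outbound esp sas:
spi: 0x935F895E(2472511838)
"""
# Constructed: R3's inbound SPI line is not on the page; assumed to mirror R1.
R3 = """\
local crypto endpt.: 1.1.1.2, remote crypto endpt.: 1.1.1.1
inbound esp sas:
spi: 0x6DA96143(1839817027)
outbound esp sas:
spi: 0x47E18A8B(1205963403)
"""


def parse_esp_spis(text):
    """Map (local, remote) endpoints to {'inbound': spi, 'outbound': spi}."""
    sas, current, direction = {}, None, None
    for line in text.splitlines():
        if m := ENDPT.search(line):
            current, direction = sas.setdefault(m.groups(), {}), None
        elif m := SECTION.search(line):
            # Track ESP only; an AH or PCP header clears the direction.
            direction = m.group(1) if m.group(2) == "esp" else None
        elif (m := SPI.search(line)) and current is not None and direction:
            current[direction] = int(m.group(1), 16)
    return sas

def mismatched_pairs(side_a, side_b):
    """Return (local, remote) pairs whose SPIs do not mirror each other."""
    bad = []
    for (local, remote), a in side_a.items():
        b = side_b.get((remote, local))  # the peer's view of the same tunnel
        if b is not None and (a.get("inbound"), a.get("outbound")) != (
                b.get("outbound"), b.get("inbound")):
            bad.append((local, remote))
    return bad
```

A non-empty result from `mismatched_pairs` means the two routers hold SAs from different negotiations, for example after one side cleared or rekeyed its SAs.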
This article is reposted from 810105851's 51CTO blog. Original link: http://blog.51cto.com/4708948/1134140. To republish it, please contact the original author.