Ipsec用于在数据传输过程中的加密协议

1. 搭建环境拓扑

拓扑

2. 配置第一阶段：isakmp协商

需要配置的有isakmp协商的加密算法、验证算法、验证方式和共享密钥及可选的group值和生存时间Lifetime
R1配置：

R1(config)#crypto isakmp policy 1 定义策略
R1(config-isakmp)#encryption 3des 加密算法为3des
R1(config-isakmp)#hash md5 验证算法为md5
R1(config-isakmp)#authentication pre-share 验证方式为预共享密钥
R1(config-isakmp)#group 5 组值
R1(config-isakmp)#lifetime 120 生存时间
R1(config)#crypto isakmp key 0 ruijie address 172.16.50.2 配置共享密钥ruijie

R2配置：

R2的isakmp配置与R1完全一致。
R2(config)#crypto isakmp key 0 ruijie address 172.16.50.1 配置共享密钥ruijie

3. 第二阶段：ipsec配置

R1配置：
定义IP数据的保护策略，主要是ESP还是AH、加密算法、验证算法、传输模式还是隧道模式，定义需要被Ipsec保护的数据，即感兴趣流

R1(config)#crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac 定义策略的名称为IPSEC，加密算法为esp-3des，验证算法为esp-sha-hmac
R1(cfg-crypto-trans)#mode tunnel 隧道模式
R1(config)#access-list 100 permit ip host 1.1.1.1 host 2.2.2.2 需要被保护的数据，即感兴趣流

R2配置：

此处配置与R1完全一致
R2(config)#access-list 100 permit ip host 2.2.2.2 host 1.1.1.1 需要被保护的数据，即感兴趣流

4. 定义crypto map

定义IPsec SA对段通信实体，调用配置的第二阶段IPsec SA策略、感兴趣流
R1配置：

R1(config)#crypto map MAP 1 ipsec-isakmp 定义map
% NOTE: This new crypto map will remain disabled until a peer
    and a valid access list have been configured.
R1(config-crypto-map)#set peer 172.16.50.2 对端体ip
R1(config-crypto-map)#set transform-set IPSEC 调用第二阶段的ipsec策略
R1(config-crypto-map)#match address 100 匹配感兴趣流

R2配置：

与R1配置完全一致
R2(config-crypto-map)#set peer 172.16.50.1 对端体ip

5. 将map应用在接口上

使需要被保护的数据流通过出口接口出去，则需要配置路由
R1配置：

R1(config)#ip route 2.2.2.2 255.255.255.255 172.16.50.2
R1(config)#int f0/0
R1(config-if)#crypto map MAP

R2配置：

R2(config)#ip route 1.1.1.1 255.255.255.255 172.16.50.1
R2(config)#int f0/0
R2(config-if)#crypto map MAP

6. 验证

使用扩展ping，分别查看isakmp sa和ipsec sa是否正常
show crypto isakmp sa
show crypto ipsec sa

R1#ping 2.2.2.2 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/22/32 m

R1#show crypto isakmp sa 协商正常
dst             src             state          conn-id slot status
172.16.50.2     172.16.50.1     QM_IDLE              1    0 ACTIVE

R1#show crypto ipsec sa 

interface: FastEthernet0/0
    Crypto map tag: MAP, local addr 172.16.50.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
   current_peer 172.16.50.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 6, #pkts encrypt: 6, #pkts digest: 6
    #pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 6
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 4, #recv errors 0

     local crypto endpt.: 172.16.50.1, remote crypto endpt.: 172.16.50.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xEB9A4D72(3952758130)

     inbound esp sas:
      spi: 0xEE99A619(4003046937)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: MAP
        sa timing: remaining key lifetime (k/sec): (4467890/3527)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xEB9A4D72(3952758130)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: MAP
        sa timing: remaining key lifetime (k/sec): (4467890/3526)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas: