标签:hide timeout add list pass ado limit tran mit
一、IPSEC:二边静态和NAT-1-1Ipterm3:172.99.99.2/24 GW:172.99.99.1
Ipterm4:172.99.98.2/24 GW:172.99.98.1
R3:F0/0 10.0.0.1 /24 nat inside F0/1:172.99.99.1/24 nat outside
R4:F0/0 10.1.1.2 /24 nat inside F0/1:172.99.98.1/24 nat outside
Fortigate:port1 10.0.0.254/24 port2:10.1.1.254/24
term-3-eth0----f0/1 R3 f0/0---port1- Fortigate-port2-F0/0-R4-f0/1—eth0-term4
(in-NAT-out) (in-NAT-Out) (out-NAT-in)
Fortigate 10.1.1.1---?10.0.0.1 vip map
1.1 类型
IPSEC---outside-outside(GRE端点)
Tunnel—outside---outside(GRE)
R3:配置
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
no ip domain lookup
!
multilink bundle-name authenticated
!
archive
log config
hidekeys
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key ccie address 10.1.1.2
!
!
crypto ipsec transform-set GRETrans esp-des esp-md5-hmac
mode transport
!
crypto map mymap 10 ipsec-isakmp
set peer 10.1.1.2
set transform-set GRETrans
set pfs group2
match address 110
!
!
!
ip tcp synwait-time 5
!
!
!
!
interface Tunnel0
ip address 172.16.2.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 10.1.1.2
!
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map mymap
!
interface Serial0/0
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet0/1
ip address 172.99.99.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.0.0.254
ip route 172.99.98.0 255.255.255.0 Tunnel0
!
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/0 overload
!
access-list 100 permit ip any any
access-list 110 permit gre host 10.0.0.1 host 10.1.1.2
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
!
R4:配置
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key ccie address 10.1.1.1
!
!
crypto ipsec transform-set GRETrans esp-des esp-md5-hmac
mode transport
!
crypto map mymap 10 ipsec-isakmp
set peer 10.1.1.1
set transform-set GRETrans
set pfs group2
match address 110
!
!
!
ip tcp synwait-time 5
!
!
!
!
interface Tunnel0
ip address 172.16.2.2 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 10.1.1.1
!
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map mymap
!
interface Serial0/0
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet0/1
ip address 172.99.98.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.1.1.254
ip route 172.99.99.0 255.255.255.0 Tunnel0
!
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/0 overload
!
access-list 100 deny gre host 10.1.1.2 host 10.1.1.1
access-list 100 permit ip any any
access-list 110 permit gre host 10.1.1.2 host 10.1.1.1
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
1.2 类型
Term-1-eth0-F0/1-R1-F0/0-F0/0-R2-Term-2
in-NAT-out out-NAT-in
IPSEC—R1-loopback0-loopback0(GRE端点)-R2
Tunnel—R1-loopback0-loopback0(GRE端点)-R2(GRE)
R1:配置
!
!
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key 123456 address 10.1.1.2
crypto isakmp nat keepalive 3600
!
!
crypto ipsec transform-set set1 esp-3des esp-sha-hmac
!
crypto map mymap 1 ipsec-isakmp
set peer 10.1.1.2
set security-association lifetime seconds 28800
set transform-set set1
set pfs group2
match address 110
!
!
!
ip tcp synwait-time 5
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Tunnel10
ip address 172.16.6.1 255.255.255.252
tunnel source Loopback0
tunnel destination 1.1.1.2
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map mymap
!
interface Serial0/0
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet0/1
ip address 172.99.99.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.1.1.254
ip route 172.99.98.0 255.255.255.0 Tunnel10
!
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/0 overload
!
access-list 100 deny ip host 1.1.1.1 host 1.1.1.2
access-list 100 permit ip any any
access-list 110 permit ip host 1.1.1.1 host 1.1.1.2
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
password cisco
login
!
!
end
R2:配置
!
!
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key 123456 address 10.1.1.1
!
!
crypto ipsec transform-set set1 esp-3des esp-sha-hmac
!
crypto map mymap 1 ipsec-isakmp
set peer 10.1.1.1
set security-association lifetime seconds 28800
set transform-set set1
set pfs group2
match address 110
!
!
!
ip tcp synwait-time 5
!
!
!
!
interface Loopback0
ip address 1.1.1.2 255.255.255.255
!
interface Tunnel10
ip address 172.16.6.2 255.255.255.252
tunnel source Loopback0
tunnel destination 1.1.1.1
!
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map mymap
!
interface Serial0/0
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet0/1
ip address 172.99.98.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.1.1.254
ip route 172.99.99.0 255.255.255.0 Tunnel10
!
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/0 overload
!
access-list 100 deny ip host 1.1.1.2 host 1.1.1.1
access-list 100 permit ip any any
access-list 110 permit ip host 1.1.1.2 host 1.1.1.1
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
password cisco
login
!
!
end
1.3 类型(IPSEC NAT穿越)1.2类延伸
2.
Term-1-eth0-F0/1-R1-F0/0-port1-Fortigate-port2-F0/0-R2-Term-2
in-NAT-out in-NAT-out out-NAT-in
IPSEC—R1-loopback0-loopback0(GRE端点)-R2
Tunnel—R1-loopback0-loopback0(GRE端点)-R2(GRE)
R5配置:
!
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R5
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key 123456 address 10.1.1.2
crypto isakmp nat keepalive 3600
!
!
crypto ipsec transform-set set1 esp-3des esp-sha-hmac
!
crypto map mymap 1 ipsec-isakmp
set peer 10.1.1.2
set security-association lifetime seconds 28800
set transform-set set1
set pfs group2
match address 110
!
!
!
ip tcp synwait-time 5
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Tunnel10
ip address 172.16.6.1 255.255.255.252
tunnel source Loopback0
tunnel destination 1.1.1.2
!
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map mymap
!
interface Serial0/0
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet0/1
ip address 172.99.99.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.0.0.254
!
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/0 overload
!
access-list 100 deny ip host 1.1.1.1 host 1.1.1.2
access-list 100 permit ip any any
access-list 110 permit ip host 1.1.1.1 host 1.1.1.2
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
password cisco
login
!
!
end
R6:配置
!
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R6
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key 123456 address 10.1.1.1
!
!
crypto ipsec transform-set set1 esp-3des esp-sha-hmac
!
crypto map mymap 1 ipsec-isakmp
set peer 10.1.1.1
set security-association lifetime seconds 28800
set transform-set set1
set pfs group2
match address 110
!
!
!
ip tcp synwait-time 5
!
!
!
!
interface Loopback0
ip address 1.1.1.2 255.255.255.255
!
interface Tunnel10
ip address 172.16.6.2 255.255.255.252
tunnel source Loopback0
tunnel destination 1.1.1.1
!
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map mymap
!
interface Serial0/0
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet0/1
ip address 172.99.98.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.1.1.254
ip route 172.99.99.0 255.255.255.0 Tunnel10
!
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/0 overload
!
access-list 100 deny ip host 1.1.1.2 host 1.1.1.1
access-list 100 permit ip any any
access-list 110 permit ip host 1.1.1.2 host 1.1.1.1
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
password cisco
login
!
!
end
二、IPSEC:一边静态、一边动态或没有NAT1-1
cisco GRE over ipsec -NAT环境(外网接口和loopback二种模式)
标签:hide timeout add list pass ado limit tran mit
原文地址:http://blog.51cto.com/372560/2177839