Cisco redundant GETVPN configuration example


GCKS(config)#do show run
Building configuration...


Current configuration : 3260 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname GCKS
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
aaa new-model
!
!
aaa authentication login login local
!
!
aaa session-id common
ip source-route
ip cef
!
!
!
!
no ip domain lookup
ip domain name mlp.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
username ks1 privilege 15 secret 5 $1$BnK4$TJ5M6VaEhxh49WB.1rXon0
archive
 log config
  hidekeys
!
crypto keyring sk1-key
  pre-shared-key address 14.1.1.226 key sk
  pre-shared-key address 14.1.1.242 key sk
  pre-shared-key address 14.1.1.250 key sk
  pre-shared-key address 14.1.1.254 key sk
  pre-shared-key address 14.1.1.66 key sk
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp profile sk1-pro
   keyring sk1-key
   match identity address 14.1.1.226 255.255.255.255
   match identity address 14.1.1.242 255.255.255.255
   match identity address 14.1.1.250 255.255.255.255
   match identity address 14.1.1.254 255.255.255.255
   match identity address 14.1.1.66 255.255.255.255
!
!
crypto ipsec transform-set sk1-set esp-des esp-md5-hmac
!
crypto ipsec profile sk1-ipsec-pro
 set transform-set sk1-set
 set isakmp-profile sk1-pro
!
crypto gdoi group get-group1
 identity number 332266
 server local
  rekey algorithm aes 256
  rekey address ipv4 110
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa getvpnkey
  sa ipsec 1
   profile sk1-ipsec-pro
   match address ipv4 getvpn-traffic
   replay time window-size 2
  address ipv4 14.1.1.194
  redundancy
   local priority 100
   peer address ipv4 14.1.1.226
!
!
interface Loopback0
 ip address 1.10.4.1 255.255.255.0
 ip ospf network point-to-point
!
interface FastEthernet0/0
 ip address 39.1.100.1 255.255.255.0
 ip ospf network point-to-point
!
!
interface Serial1/0
 ip address 14.1.1.194 255.255.255.252
 serial restart-delay 0
!
!
router ospf 88
 router-id 1.10.4.1
 log-adjacency-changes
 network 39.1.100.0 0.0.0.255 area 0
 network 0.0.0.0 255.255.255.255 area 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
ip access-list extended getvpn-traffic
 permit ip 39.0.0.0 0.255.255.255 39.0.0.0 0.255.255.255
!
access-list 110 permit udp host 14.1.1.194 eq 848 host 239.0.10.10 eq 848
!
!
!
control-plane
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 login authentication login
 stopbits 1
line aux 0
 stopbits 1
line vty 0 5
 login authentication login
!
end


-------------------------------------------------------------

KS2#show run
Building configuration...


Current configuration : 3235 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname KS2
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
aaa new-model
!
!
aaa authentication login login local
!
!
aaa session-id common
ip source-route
ip cef
!
!
!
!
no ip domain lookup
ip domain name mlp.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
username ks2 privilege 15 secret 5 $1$pvPr$JSZtEgOyVsVo9lexnXH0U.
archive
 log config
  hidekeys
!
crypto keyring sk2-key
  pre-shared-key address 14.1.1.194 key sk
  pre-shared-key address 14.1.1.242 key sk
  pre-shared-key address 14.1.1.250 key sk
  pre-shared-key address 14.1.1.254 key sk
  pre-shared-key address 14.1.1.66 key sk
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp profile sk2-isakmp-pro
   keyring sk2-key
   match identity address 14.1.1.194 255.255.255.255
   match identity address 14.1.1.242 255.255.255.255
   match identity address 14.1.1.250 255.255.255.255
   match identity address 14.1.1.254 255.255.255.255
   match identity address 14.1.1.66 255.255.255.255
!
!
crypto ipsec transform-set sk2-set esp-des esp-md5-hmac
!
crypto ipsec profile sk2-ipsec-pro
 set transform-set sk2-set
 set isakmp-profile sk2-isakmp-pro
!
crypto gdoi group get-group1
 identity number 332266
 server local
  rekey algorithm aes 256
  rekey address ipv4 110
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa getvpnkey
  sa ipsec 1
   profile sk2-ipsec-pro
   match address ipv4 getvpn-traffic
   replay time window-size 2
  address ipv4 14.1.1.226
  redundancy
   local priority 75
   peer address ipv4 14.1.1.194
!
!
interface Loopback0
 ip address 1.10.5.1 255.255.255.0
 ip ospf network point-to-point
!
interface FastEthernet0/0
 ip address 39.1.101.1 255.255.255.0
 ip ospf network point-to-point
!
!
interface Serial1/0
 ip address 14.1.1.226 255.255.255.252
 serial restart-delay 0
!
!
router ospf 88
 router-id 1.10.5.1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
ip access-list extended getvpn-traffic
 permit ip 39.0.0.0 0.255.255.255 39.0.0.0 0.255.255.255
!
access-list 110 permit udp host 14.1.1.226 eq 848 host 239.0.10.10 eq 848
!
!
control-plane
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 login authentication login
 stopbits 1
line aux 0
 stopbits 1
line vty 0 5
 login authentication login
!
end
---------------------------------------------------


GM1#show run
Building configuration...


Current configuration : 2276 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname GM1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
ip domain name mlp.com
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
archive
 log config
  hidekeys
!
crypto keyring gm1-key
  pre-shared-key address 14.1.1.194 key sk
  pre-shared-key address 14.1.1.226 key sk
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp profile gm1-isakmp-pro
   keyring gm1-key
   match identity address 14.1.1.194 255.255.255.255
   match identity address 14.1.1.226 255.255.255.255
!
!
crypto gdoi group get-group1
 identity number 332266
 server address ipv4 14.1.1.194
 server address ipv4 14.1.1.226
!
!
crypto map gm1 10 gdoi
 set group get-group1
 match address filter
!
!
interface Loopback0
 ip address 1.10.6.1 255.255.255.0
 ip ospf network point-to-point
!
interface FastEthernet0/0
 ip address 39.1.10.1 255.255.255.0
 ip ospf network point-to-point
!
!
interface Serial1/0
 ip address 14.1.1.242 255.255.255.252
 serial restart-delay 0
 clock rate 64000
 invert txclock
 crypto map gm1
!
!
!
router ospf 88
 router-id 1.10.6.1
 log-adjacency-changes
 network 39.1.10.0 0.0.0.255 area 1
 network 0.0.0.0 255.255.255.255 area 0
!
no ip http server
no ip http secure-server
!
ip forward-protocol nd
ip access-list extended filter
 deny   ip 39.1.10.0 0.0.0.255 39.1.100.0 0.0.0.255
 deny   ip 39.1.10.0 0.0.0.255 39.1.101.0 0.0.0.255
ip access-list extended getvpn-traffic
 permit ip 39.0.0.0 0.255.255.255 39.0.0.0 0.255.255.255
!
!
!
!
control-plane
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
!
end
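What makes the three configs above one cooperative-KS group: both key servers carry the same group name and identity number, each names the other as its redundancy peer with a distinct priority (100 beats 75, so GCKS is primary), each sources its multicast rekey from its own address through ACL 110, and GM1 lists both servers. Two things the dumps cannot show: `getvpnkey` has to be the same RSA key pair on both key servers (generated exportable on one and imported on the other), otherwise rekeys signed by KS2 after a failover fail signature verification on the members; and every keyring uses the one pre-shared key `sk` for all peers, so any single compromised router can authenticate to the group as any other, which is acceptable in a lab but not in production (use per-peer keys or certificates). The linter below is an added example, not code from this page: it parses the GDOI stanzas (copied from the configs above into inline strings) and reports the mismatches that break COOP peering or GM registration, plus the `esp-des esp-md5-hmac` transform set this lab uses. The finding texts and the WEAK_TRANSFORMS list are my own choices.

```python
"""GETVPN cooperative-KS config linter (added example, not code from the page).
Parses the GDOI stanzas of the three running configs above and reports the
mismatches that break COOP peering or GM registration."""
import re

# GDOI-relevant stanzas copied from the GCKS, KS2 and GM1 configs above.
GCKS_CFG = """
hostname GCKS
crypto ipsec transform-set sk1-set esp-des esp-md5-hmac
crypto gdoi group get-group1
 identity number 332266
 server local
  rekey address ipv4 110
  address ipv4 14.1.1.194
  redundancy
   local priority 100
   peer address ipv4 14.1.1.226
access-list 110 permit udp host 14.1.1.194 eq 848 host 239.0.10.10 eq 848
"""
KS2_CFG = """
hostname KS2
crypto ipsec transform-set sk2-set esp-des esp-md5-hmac
crypto gdoi group get-group1
 identity number 332266
 server local
  rekey address ipv4 110
  address ipv4 14.1.1.226
  redundancy
   local priority 75
   peer address ipv4 14.1.1.194
access-list 110 permit udp host 14.1.1.226 eq 848 host 239.0.10.10 eq 848
"""
GM1_CFG = """
hostname GM1
crypto gdoi group get-group1
 identity number 332266
 server address ipv4 14.1.1.194
 server address ipv4 14.1.1.226
"""
# Transforms with no meaningful security margin today (my list, not Cisco's).
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

def _one(pattern, text):
    """First capture group of PATTERN (multiline) in TEXT, or None."""
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def parse_ks(cfg):
    """Key server view: identity, COOP address/priority/peers, TEK transform, rekey ACL."""
    acl = _one(r"^ +rekey address ipv4 (\S+)", cfg)  # absent for unicast rekey
    return {
        "host": _one(r"^hostname (\S+)", cfg),
        "group": _one(r"^crypto gdoi group (\S+)", cfg),
        "identity": _one(r"^ +identity number (\d+)", cfg),
        "address": _one(r"^ +address ipv4 (\S+)", cfg),  # does not match 'rekey address'
        "priority": int(_one(r"^ +local priority (\d+)", cfg)),
        "peers": re.findall(r"^ +peer address ipv4 (\S+)", cfg, re.M),
        "transforms": _one(r"^crypto ipsec transform-set \S+ (.+)$", cfg).split(),
        "rekey_src": _one(rf"^access-list {acl} permit udp host (\S+)", cfg) if acl else None,
    }

def parse_gm(cfg):
    """Group member view: identity and the key servers it will register with."""
    return {
        "host": _one(r"^hostname (\S+)", cfg),
        "group": _one(r"^crypto gdoi group (\S+)", cfg),
        "identity": _one(r"^ +identity number (\d+)", cfg),
        "servers": re.findall(r"^ +server address ipv4 (\S+)", cfg, re.M),
    }

def lint(servers, members):
    """Return human-readable findings; an empty list means the group is consistent."""
    findings, ref = [], servers[0]
    for node in servers[1:] + members:
        if (node["group"], node["identity"]) != (ref["group"], ref["identity"]):
            findings.append(f"{node['host']}: group {node['group']}/{node['identity']} differs from {ref['host']}")
    addrs = {ks["address"] for ks in servers}
    for ks in servers:
        if set(ks["peers"]) != addrs - {ks["address"]}:
            findings.append(f"{ks['host']}: COOP peers {ks['peers']} do not match the other key servers")
        if ks["rekey_src"] and ks["rekey_src"] != ks["address"]:
            findings.append(f"{ks['host']}: rekey ACL source {ks['rekey_src']} is not its own KS address")
        weak = sorted(set(ks["transforms"]) & WEAK_TRANSFORMS)
        if weak:
            findings.append(f"{ks['host']}: weak TEK transform(s) {' '.join(weak)}")
    if len({ks["priority"] for ks in servers}) != len(servers):
        findings.append("duplicate COOP priorities: primary election falls back to the highest KS IP")
    for gm in members:
        missing = sorted(addrs - set(gm["servers"]))
        if missing:
            findings.append(f"{gm['host']}: key server(s) {missing} missing from its server list")
    return findings

def lint_page_configs():
    return lint([parse_ks(GCKS_CFG), parse_ks(KS2_CFG)], [parse_gm(GM1_CFG)])

if __name__ == "__main__":
    print("\n".join(lint_page_configs()) or "no findings")
```

Against the three configs on this page the only findings are the weak transform set on each key server; every structural check (identity, peer lists, priorities, rekey ACL source, GM server list) passes.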
----------------------------------


GCKS#show cry gdoi ks members


Group Member Information :


Number of rekeys sent for group get-group1 : 10


Group Member ID   : 14.1.1.242
Group ID          : 332266
Group Name        : get-group1
Key Server ID     : 14.1.1.194


Group Member ID   : 14.1.1.250
Group ID          : 332266
Group Name        : get-group1
Key Server ID     : 14.1.1.194


Group Member ID   : 14.1.1.254
Group ID          : 332266
Group Name        : get-group1
Key Server ID     : 14.1.1.194


 


GCKS#show cry gdoi ks rekey
Group get-group1 (Multicast)
    Number of Rekeys sent               : 10
    Number of Rekeys retransmitted      : 20
    KEK rekey lifetime (sec)            : 86400
        Remaining lifetime (sec)        : 53602
    Retransmit period                   : 10
    Number of retransmissions           : 2
    IPSec SA 1  lifetime (sec)          : 3600
        Remaining lifetime (sec)        : 3003
    Number of registrations after rekey : 3
    Multicast destination address       : 239.0.10.10


GCKS#show cry gdoi ks replay
Anti-replay Information For Group get-group1:
  Timebased Replay:
    Replay Value             : 92172.20 secs
    Remaining sync time      : 6574 secs


GCKS#show cry gdoi ks coop
Crypto Gdoi Group Name :get-group1
        Group handle: 2147483650, Local Key Server handle: 2147483650


        Local Address: 14.1.1.194
        Local Priority: 100
        Local KS Role: Primary   , Local KS Status: Alive
        Primary Timers:
                Primary Refresh Policy Time: 20
                Remaining Time: 14
                Antireplay Sequence Number: 1448


        Peer Sessions:
        Session 1:
                Server handle: 2147483651
                Peer Address: 14.1.1.226
                Peer Priority: 75
                Peer KS Role: Secondary , Peer KS Status: Alive
                Antireplay Sequence Number: 22


                IKE status: Established
                Counters:
                    Ann msgs sent: 861
                    Ann msgs sent with reply request: 34
                    Ann msgs recv: 3
                    Ann msgs recv with reply request: 1
                    Packet sent drops: 519
                    Packet Recv drops: 1
                    Total bytes sent: 496477
                    Total bytes recv: 2164


GCKS#show cry gdoi ks policy
Key Server Policy:
For group get-group1 (handle: 2147483650) server 14.1.1.194 (handle: 2147483650):


  # of teks : 1  Seq num : 40
  KEK POLICY (transport type : Multicast)
    spi : 0x2B21792B99AFF504C66CADEF160DEB6
    management alg     : disabled    encrypt alg       : AES
    crypto iv length   : 16          key size          : 32
    orig life(sec): 86400       remaining life(sec): 53514
    sig hash algorithm : enabled     sig key length    : 162
    sig size           : 128
    sig key name       : getvpnkey


  TEK POLICY (encaps : ENCAPS_TUNNEL)
    spi                : 0x9DF4A86A    access-list           : getvpn-tra
    # of transforms    : 0             transform             : ESP_DES
    hmac alg           : HMAC_AUTH_MD5
    alg key size       : 8             sig key size          : 16
    orig life(sec)     : 3600          remaining life(sec)   : 2915
    tek life(sec)      : 3600          elapsed time(sec)     : 685
    antireplay window size: 2


  Replay Value 92232.63 secs
For group get-group1 (handle: 2147483650) server 14.1.1.226 (handle: 2147483651):


GCKS#show cry gdoi
GROUP INFORMATION


    Group Name               : get-group1 (Multicast)
    Group Identity           : 332266
    Group Members            : 3
    IPSec SA Direction       : Both
    Active Group Server      : Local
    Redundancy               : Configured
        Local Address        : 14.1.1.194
        Local Priority       : 100
        Local KS Status      : Alive
        Local KS Role        : Primary
    Group Rekey Lifetime     : 86400 secs
    Group Rekey
        Remaining Lifetime   : 53452 secs
    Rekey Retransmit Period  : 10 secs
    Rekey Retransmit Attempts: 2
    Group Retransmit
        Remaining Lifetime   : 0 secs


      IPSec SA Number        : 1
      IPSec SA Rekey Lifetime: 3600 secs
      Profile Name           : sk1-ipsec-pro
      Replay method          : Time Based
      Replay Window Size     : 2
      SA Rekey
         Remaining Lifetime  : 2853 secs
      ACL Configured         : access-list getvpn-traffic


    Group Server list        : Local


 


GM1# show cry gdoi
GROUP INFORMATION


    Group Name               : get-group1
    Group Identity           : 332266
    Rekeys received          : 0
    IPSec SA Direction       : Both
    Active Group Server      : 14.1.1.194
    Group Server list        : 14.1.1.194
                               14.1.1.226


    GM Reregisters in        : 2671 secs
    Rekey Received           : never



    Rekeys received
         Cumulative          : 0
         After registration  : 0


 ACL Downloaded From KS 14.1.1.194:
   access-list  permit ip 39.0.0.0 0.255.255.255 39.0.0.0 0.255.255.255


KEK POLICY:
    Rekey Transport Type     : Multicast
    Lifetime (secs)          : 53875
    Encrypt Algorithm        : AES
    Key Size                 : 256
    Sig Hash Algorithm       : HMAC_AUTH_SHA
    Sig Key Length (bits)    : 1024


TEK POLICY:
  Serial1/0:
    IPsec SA:
        sa direction:inbound
        spi: 0x9DF4A86A(2650056810)
        transform: esp-des esp-md5-hmac
        sa timing:remaining key lifetime (sec): (2732)
        Anti-Replay(Time Based) : 2 sec interval


    IPsec SA:
        sa direction:outbound
        spi: 0x9DF4A86A(2650056810)
        transform: esp-des esp-md5-hmac
        sa timing:remaining key lifetime (sec): (2732)
        Anti-Replay(Time Based) : 2 sec interval


 


GM1#show cry gdoi gm
Group Member Information For Group get-group1:
    IPSec SA Direction       : Both
    ACL Received From KS     : gdoi_group_get-group1_temp_acl
    Re-register
        Remaining time       : 2631 secs


GM1#ping 39.1.20.1 so 39.1.10.1 re 10


Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 39.1.20.1, timeout is 2 seconds:
Packet sent with a source address of 39.1.10.1
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 156/186/228 ms


GM1#ping 39.1.100.1 so 39.1.10.1 re 10


Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 39.1.100.1, timeout is 2 seconds:
Packet sent with a source address of 39.1.10.1
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 12/31/104 ms


GM1#show cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
14.1.1.194      14.1.1.242      GDOI_IDLE         1021    0 ACTIVE
239.0.10.10     14.1.1.194      GDOI_REKEY        1022    0 ACTIVE


IPv6 Crypto ISAKMP SA



 


GM1#show cry ipsec sa


interface: Serial1/0
    Crypto map tag: gm1, local addr 14.1.1.242


   protected vrf: (none)
   local  ident (addr/mask/prot/port): (39.0.0.0/255.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (39.0.0.0/255.0.0.0/0/0)
   current_peer  port 848
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 77, #pkts encrypt: 77, #pkts digest: 77
    #pkts decaps: 70, #pkts decrypt: 70, #pkts verify: 70
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0


     local crypto endpt.: 14.1.1.242, remote crypto endpt.:
     path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0
     current outbound spi: 0x9DF4A86A(2650056810)


     inbound esp sas:
      spi: 0x9DF4A86A(2650056810)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 39, flow_id: SW:39, crypto map: gm1
        sa timing: remaining key lifetime (sec): (2448)
        IV size: 8 bytes
        replay detection support: Y  replay window size: 2
        Status: ACTIVE


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0x9DF4A86A(2650056810)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 40, flow_id: SW:40, crypto map: gm1
        sa timing: remaining key lifetime (sec): (2448)
        IV size: 8 bytes
        replay detection support: Y  replay window size: 2
        Status: ACTIVE


     outbound ah sas:


     outbound pcp sas:



GM1#show cry engine connections active
Crypto Engine Connections


   ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
   39 Se1/0      IPsec DES+MD5                   0       20 39.0.0.0
   40 Se1/0      IPsec DES+MD5                  20        0 39.0.0.0
 1021 Se1/0      IKE   SHA+DES                   0        0 14.1.1.242
 1022 <none>     IKE   SHA+AES256                0        0


GM1#show cry gdoi
GROUP INFORMATION


    Group Name               : get-group1
    Group Identity           : 332266
    Rekeys received          : 0
    IPSec SA Direction       : Both
    Active Group Server      : 14.1.1.194
    Group Server list        : 14.1.1.194
                                            14.1.1.226


    GM Reregisters in        : 2242 secs
    Rekey Received           : never



    Rekeys received
         Cumulative          : 0
         After registration  : 0


 ACL Downloaded From KS 14.1.1.194:
   access-list  permit ip 39.0.0.0 0.255.255.255 39.0.0.0 0.255.255.255


KEK POLICY:
    Rekey Transport Type     : Multicast
    Lifetime (secs)          : 53875
    Encrypt Algorithm        : AES
    Key Size                 : 256
    Sig Hash Algorithm       : HMAC_AUTH_SHA
    Sig Key Length (bits)    : 1024


TEK POLICY:
  Serial1/0:
    IPsec SA:
        sa direction:inbound
        spi: 0x9DF4A86A(2650056810)
        transform: esp-des esp-md5-hmac
        sa timing:remaining key lifetime (sec): (2302)
        Anti-Replay(Time Based) : 2 sec interval


    IPsec SA:
        sa direction:outbound
        spi: 0x9DF4A86A(2650056810)
        transform: esp-des esp-md5-hmac
        sa timing:remaining key lifetime (sec): (2302)
        Anti-Replay(Time Based) : 2 sec interval
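Read together, the show outputs above confirm the group is working as designed: GCKS is the Alive primary, KS2 an Alive secondary, GM1 registered with 14.1.1.194, and its inbound and outbound TEK SPI 0x9DF4A86A is the SPI in the key server's TEK policy. Two details deserve attention. GCKS reports 10 rekeys sent and 20 retransmitted, while GM1 reports `Rekey Received: never`, and the key server's `Number of registrations after rekey : 3` shows all three members re-registering instead; that is what a multicast rekey to 239.0.10.10 looks like when multicast routing is not configured on the path (none of the dumps above enables it), so the group only stays current through re-registration before the TEK expires. And the KEK policy is signed with a 1024-bit RSA key. The check below is an added example, not part of the page: it parses excerpts of those outputs (copied inline as sample text) and returns exactly those two findings for this lab; the check names and the 2048-bit threshold are my own.

```python
"""Operational health check for the redundant GETVPN group (added example,
not code from the page). Parses excerpts of the 'show crypto gdoi' outputs
captured above and returns the conditions worth an operator's attention."""
import re

# Excerpts copied from the GCKS and GM1 show outputs above.
KS_COOP = """
        Local Address: 14.1.1.194
        Local Priority: 100
        Local KS Role: Primary   , Local KS Status: Alive
        Peer Sessions:
        Session 1:
                Peer Address: 14.1.1.226
                Peer Priority: 75
                Peer KS Role: Secondary , Peer KS Status: Alive
"""
KS_REKEY = """
Group get-group1 (Multicast)
    Number of Rekeys sent               : 10
    Number of registrations after rekey : 3
    Multicast destination address       : 239.0.10.10
"""
KS_POLICY = """
  TEK POLICY (encaps : ENCAPS_TUNNEL)
    spi                : 0x9DF4A86A    access-list           : getvpn-tra
"""
GM_GDOI = """
    Active Group Server      : 14.1.1.194
    Rekeys received
         Cumulative          : 0
KEK POLICY:
    Rekey Transport Type     : Multicast
    Sig Key Length (bits)    : 1024
TEK POLICY:
        sa direction:inbound
        spi: 0x9DF4A86A(2650056810)
        sa direction:outbound
        spi: 0x9DF4A86A(2650056810)
"""

def _grab(pattern, text, flags=0, default=None):
    """First capture group of PATTERN in TEXT; DEFAULT if absent, else an error."""
    m = re.search(pattern, text, flags)
    if m:
        return m.group(1)
    if default is None:
        raise ValueError(f"field not found: {pattern!r}")
    return default

def parse_ks_state(coop, rekey, policy):
    """Key server view from 'show crypto gdoi ks coop', 'ks rekey' and 'ks policy'."""
    return {
        "address": _grab(r"Local Address: (\S+)", coop),
        "role": _grab(r"Local KS Role: (\w+)", coop),
        "status": _grab(r"Local KS Status: (\w+)", coop),
        # one (address, role, status) tuple per COOP peer session
        "peers": re.findall(r"Peer Address: (\S+).*?Peer KS Role: (\w+)\s*,\s*Peer KS Status: (\w+)", coop, re.S),
        "rekeys_sent": int(_grab(r"Number of Rekeys sent\s*: (\d+)", rekey)),
        "rekey_dst": _grab(r"Multicast destination address\s*: (\S+)", rekey, default="unicast"),
        # current TEK SPI every member must hold; anchored on 'TEK POLICY' so the KEK SPI is skipped
        "tek_spi": _grab(r"TEK POLICY.*?spi\s*: (0x[0-9A-Fa-f]+)", policy, re.S).lower(),
    }

def parse_gm_state(show_gdoi):
    """Group member view from 'show crypto gdoi'."""
    return {
        "active_ks": _grab(r"Active Group Server\s*: (\S+)", show_gdoi),
        "rekeys_received": int(_grab(r"Cumulative\s*: (\d+)", show_gdoi)),
        "transport": _grab(r"Rekey Transport Type\s*: (\S+)", show_gdoi).lower(),
        "sig_key_bits": int(_grab(r"Sig Key Length \(bits\)\s*: (\d+)", show_gdoi)),
        "tek_spis": {s.lower() for s in re.findall(r"spi: (0x[0-9A-Fa-f]+)\(", show_gdoi)},
    }

def check(ks, gm):
    """Findings for one primary KS and one GM; an empty list means healthy."""
    findings = []
    if (ks["role"], ks["status"]) != ("Primary", "Alive"):
        findings.append(f"{ks['address']} is {ks['role']}/{ks['status']}, not the Alive primary")
    if not any(role == "Secondary" and status == "Alive" for _, role, status in ks["peers"]):
        findings.append("no Alive secondary key server: redundancy is not in effect")
    if gm["active_ks"] != ks["address"]:
        findings.append(f"GM registered with {gm['active_ks']} instead of the primary {ks['address']}")
    if gm["tek_spis"] != {ks["tek_spi"]}:
        findings.append(f"GM TEK SPIs {sorted(gm['tek_spis'])} differ from KS policy {ks['tek_spi']}")
    if ks["rekeys_sent"] and gm["rekeys_received"] == 0:
        findings.append(f"KS sent {ks['rekeys_sent']} {gm['transport']} rekeys but the GM received none: "
                        f"check {gm['transport']} routing to {ks['rekey_dst']} or switch to unicast rekey")
    if gm["sig_key_bits"] < 2048:
        findings.append(f"KEK rekey signature key is {gm['sig_key_bits']} bits; use at least 2048")
    return findings

def check_page_outputs():
    return check(parse_ks_state(KS_COOP, KS_REKEY, KS_POLICY), parse_gm_state(GM_GDOI))

if __name__ == "__main__":
    print("\n".join(check_page_outputs()) or "healthy")
```

The SPI comparison is the quickest proof that a member holds the policy the primary is currently distributing; after a COOP failover it is also the check that tells you whether members have picked up the first TEK rolled by the new primary.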


http://pan.baidu.com/s/1bns376R



Time: 2024-10-29 08:49:53
