What I have to say about China Digital Router IPSEC

2025-01-16 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

In a word, IPsec on the Shenma router is peculiar.

Experimental environment: two routers are directly connected, with three network segments in total: 192.168.0.0/24, 192.168.1.0/24 and 192.168.2.0/24. The 192.168.1.0/24 segment simulates the public network and the other two segments simulate private networks; an IPsec VPN is enabled between the two routers so that the two private segments can communicate securely.

At the start of the configuration, the two routers' configuration files were as follows.

Router R1

show running-config
Building configuration...
Current configuration:
!
! version 1.3.3H
service timestamps log date
service timestamps debug date
no service password-encryption
!
hostname R1
crypto isakmp key 123456789 192.168.1.2 255.255.255.255
!
!
crypto isakmp policy 10
 hash md5
!
crypto ipsec transform-set one
 transform-type esp-des esp-md5-hmac
!
crypto map my 10 ipsec-isakmp
 mode aggressive
 set peer 192.168.1.2
 set transform-set one
 match address bendi
!
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 no ip directed-broadcast
 crypto map my
 ip nat outside
!
interface FastEthernet0/3
 ip address 192.168.0.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
!
interface Serial0/1
 no ip address
 no ip directed-broadcast
!
interface Serial0/2
 no ip address
 no ip directed-broadcast
!
interface Async0/0
 no ip address
 no ip directed-broadcast
!
ip route 192.168.2.0 255.255.255.0 192.168.1.2
!
ip access-list extended bendi
 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
!
ip access-list standard 123
 permit ip any
!
ip nat inside source list 123 interface FastEthernet0/0
!
R1_config#

Router R2

show run
Building configuration...
Current configuration:
!
! version 1.3.3H
service timestamps log date
service timestamps debug date
no service password-encryption
!
hostname R2
!
gbsc group default
!
crypto isakmp key 123456789 192.168.1.1 255.255.255.255
!
!
crypto isakmp policy 10
 hash md5
!
crypto ipsec transform-set one
 transform-type esp-des esp-md5-hmac
!
crypto map my 10 ipsec-isakmp
 mode aggressive
 set peer 192.168.1.1
 set transform-set one
 match address bendi
!
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 no ip directed-broadcast
 crypto map my
 ip nat outside
!
interface FastEthernet0/3
 ip address 192.168.2.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
!
interface Serial0/1
 no ip address
 no ip directed-broadcast
!
interface Serial0/2
 no ip address
 no ip directed-broadcast
!
interface Async0/0
 no ip address
 no ip directed-broadcast
!
ip route 192.168.0.0 255.255.255.0 192.168.1.1
!
ip access-list extended bendi
 permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
!
ip access-list standard 123
 permit ip any
!
ip nat inside source list 123 interface FastEthernet0/0
!
R2_config#

Checking with show crypto ipsec sa and show crypto isakmp sa showed that the IPsec connection could not be established, that is, the IPsec tunnel was not activated. The configuration was checked and contained no errors. After removing the NAT configuration, the same show crypto ipsec sa and show crypto isakmp sa commands showed that a normal IPsec connection could be established. I did not understand why.

After calling the Shenma (Digital China) 400 support hotline, the configuration was changed as follows.

Router R1

show running-config
Building configuration...
Current configuration:
!
! version 1.3.3H
service timestamps log date
service timestamps debug date
no service password-encryption
!
hostname R1
crypto isakmp key 123456789 192.168.1.2 255.255.255.255
!
!
crypto isakmp policy 10
 hash md5
!
crypto ipsec transform-set one
 transform-type esp-des esp-md5-hmac
!
crypto map my 10 ipsec-isakmp
 mode aggressive
 set peer 192.168.1.2
 set transform-set one
 match address bendi
!
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 no ip directed-broadcast
 crypto map my
 ip nat outside
!
interface FastEthernet0/3
 ip address 192.168.0.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
!
interface Serial0/1
 no ip address
 no ip directed-broadcast
!
interface Serial0/2
 no ip address
 no ip directed-broadcast
!
interface Async0/0
 no ip address
 no ip directed-broadcast
!
ip route 192.168.2.0 255.255.255.0 192.168.1.2
!
ip access-list extended bendi
 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
!
ip access-list extended 123
 deny ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
 permit ip any any
!
ip nat inside source list 123 interface FastEthernet0/0
!
R1_config#

Router R2

show run
Building configuration...
Current configuration:
!
! version 1.3.3H
service timestamps log date
service timestamps debug date
no service password-encryption
!
hostname R2
!
gbsc group default
!
crypto isakmp key 123456789 192.168.1.1 255.255.255.255
!
!
crypto isakmp policy 10
 hash md5
!
crypto ipsec transform-set one
 transform-type esp-des esp-md5-hmac
!
crypto map my 10 ipsec-isakmp
 mode aggressive
 set peer 192.168.1.1
 set transform-set one
 match address bendi
!
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 no ip directed-broadcast
 crypto map my
 ip nat outside
!
interface FastEthernet0/3
 ip address 192.168.2.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
!
interface Serial0/1
 no ip address
 no ip directed-broadcast
!
interface Serial0/2
 no ip address
 no ip directed-broadcast
!
interface Async0/0
 no ip address
 no ip directed-broadcast
!
ip route 192.168.0.0 255.255.255.0 192.168.1.1
!
ip access-list extended bendi
 permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
!
ip access-list extended 123
 deny ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
 permit ip any any
!
ip nat inside source list 123 interface FastEthernet0/0
!
R2_config#

The only difference from the initial configuration is the access list used by NAT: list 123 is now an extended access list that first denies traffic between the 192.168.0.0/24 and 192.168.2.0/24 segments (so that traffic is exempted from NAT) and then permits everything else. With this change the IPsec tunnel becomes ACTIVE.

Analysis of the packet flow inside the Shenma router's operating system shows that NAT is applied before IPsec: once the inside source address has been translated to the outside interface address, the packet no longer matches the crypto access list bendi, so the tunnel is never triggered.
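To make the ordering concrete, here is an added Python model (not code from this page or from the router vendor) of R1's outbound path in the order the page concludes the router uses: the NAT access list is consulted first, then the crypto map. It embeds the page's two versions of access list 123 and the crypto list bendi, feeds them a few constructed sample flows, and ends with a small check that reports crypto-ACL entries the NAT list would still translate. The standard list "permit ip any" is modelled as permit any/any, and the sample hosts are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def net(spec: str) -> ipaddress.IPv4Network:
    """Parse 'any' or 'address mask' exactly as written in the router config."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = spec.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def acl_match(acl, src, dst) -> bool:
    """First-match evaluation with the implicit deny at the end, as on the router."""
    for entry in acl:
        if src in entry.src and dst in entry.dst:
            return entry.action == "permit"
    return False


# Crypto ACL "bendi" on R1 (from the page): which traffic the crypto map protects.
BENDI = [AclEntry("permit", net("192.168.0.0 255.255.255.0"), net("192.168.2.0 255.255.255.0"))]

# NAT list 123, initial configuration: standard list "permit ip any", i.e. translate everything.
NAT_INITIAL = [AclEntry("permit", net("any"), net("any"))]

# NAT list 123 after the fix: exempt the VPN traffic from NAT, then translate the rest.
NAT_FIXED = [
    AclEntry("deny", net("192.168.0.0 255.255.255.0"), net("192.168.2.0 255.255.255.0")),
    AclEntry("permit", net("any"), net("any")),
]

# Address of R1 FastEthernet0/0; "ip nat inside source list 123 interface FastEthernet0/0"
# rewrites the inside source to this address.
OUTSIDE_ADDR = ipaddress.ip_address("192.168.1.1")


def forward(src: str, dst: str, nat_acl, crypto_acl) -> dict:
    """Model R1's outbound path: NAT decision first, crypto-map match second."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    translated = acl_match(nat_acl, s, d)
    if translated:
        s = OUTSIDE_ADDR            # source rewritten before the crypto map sees the packet
    encrypted = acl_match(crypto_acl, s, d)
    return {"src_on_wire": str(s), "nat": translated, "ipsec": encrypted}


def nat_exemption_gaps(nat_acl, crypto_acl):
    """Crypto-ACL permit entries whose traffic the NAT list would still translate.

    Probes the first host of each source/destination network; an empty result
    means every protected flow is exempted from NAT.
    """
    gaps = []
    for entry in crypto_acl:
        if entry.action != "permit":
            continue
        probe_src = next(entry.src.hosts())
        probe_dst = next(entry.dst.hosts())
        if acl_match(nat_acl, probe_src, probe_dst):
            gaps.append(entry)
    return gaps


if __name__ == "__main__":
    # Constructed sample flows: LAN-to-LAN over the tunnel, and LAN-to-a-public-host.
    flows = [("192.168.0.10", "192.168.2.10"), ("192.168.0.10", "198.51.100.7")]
    for label, nat_acl in (("initial", NAT_INITIAL), ("fixed", NAT_FIXED)):
        for src, dst in flows:
            print(label, src, "->", dst, forward(src, dst, nat_acl, BENDI))
        print(label, "NAT exemption gaps:", nat_exemption_gaps(nat_acl, BENDI))
```

With the initial list, the LAN-to-LAN flow leaves with source 192.168.1.1, which the crypto list bendi does not match, so nothing triggers ISAKMP; with the fixed list the deny entry short-circuits NAT and the same flow matches bendi. The gap check is the test to run whenever either access list is edited on a router that orders NAT before IPsec.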
