Site-To-Site IPSec VPN on Cisco

Cisco site-to-site VPNs are built on IP Security (IPSec).
ISAKMP (Internet Security Association and Key Management Protocol) and IPSec are the protocols behind the IPSec VPN. ISAKMP, also known as IKE (Internet Key Exchange), is the negotiation protocol that sets up the security associations used by IPsec. ISAKMP works in two phases: Phase 1 and Phase 2.
Phase 1 establishes the ISAKMP (IKE) security association. Phase 2 establishes the IPSec security associations that protect the data.
IPSec VPN
The configuration has two parts:
- ISAKMP (ISAKMP Phase 1)
- IPSec (ISAKMP Phase 2: ACL, Crypto Map)
In this example the two sites are connected over their public IP addresses. Site 1 uses the LAN 10.10.10.0/24 and site 2 uses the LAN 20.20.20.0/24.

ISAKMP (IKE) - ISAKMP Phase 1
IKE negotiates the SA (Security Association) used by IPsec; the IKE SA (ISAKMP SA) is established between the two peers.
Start with R1. The ISAKMP Phase 1 policy:
R1(config)# crypto isakmp policy 1
R1(config-isakmp)# encr 3des
R1(config-isakmp)# hash md5
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# lifetime 86400
The parameters:
- 3DES - encryption algorithm for Phase 1
- MD5 - hashing algorithm
- Pre-Share - authentication with a pre-shared key (PSK)
- Group 2 - Diffie-Hellman group
- 86400 - lifetime of the session key, in seconds
More than one ISAKMP Phase 1 policy can be configured; the peers must agree on one of them when the VPN tunnel is negotiated.
The Pre-Shared key (for peer R2):
R1(config)# crypto isakmp key merionet address 1.1.1.2
The Pre-Shared key is merionet and the peer's IP address is 1.1.1.2. When R1 negotiates the VPN with R2 (1.1.1.2), this key is used.
IPSec (4 steps)
The IPSec configuration consists of:
- ACL
- IPSec Transform Set
- Crypto Map
- applying the crypto map to the public interface
Step 1: ACL
An access-list (extended ACL) defines the VPN traffic: from 10.10.10.0/24 to 20.20.20.0/24. This crypto access-list is also called the interesting traffic access-list.
R1(config)# ip access-list extended VPN-TRAFFIC
R1(config-ext-nacl)# permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
Step 2: IPSec Transform Set
The Transform Set defines how the VPN traffic is protected. Here it is named TS.
R1(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
The parameters:
- ESP-3DES - encryption algorithm
- MD5 - hashing algorithm
Step 3: Crypto Map
The Crypto Map ties the ISAKMP and IPSec settings together:
R1(config)# crypto map CMAP 10 ipsec-isakmp
R1(config-crypto-map)# set peer 1.1.1.2
R1(config-crypto-map)# set transform-set TS
R1(config-crypto-map)# match address VPN-TRAFFIC
The crypto map is named CMAP. ipsec-isakmp means that IKE (ISAKMP) is used to establish the IPsec security associations. The peer (1.1.1.2) is the remote router; TS and VPN-TRAFFIC are the transform set and the crypto ACL defined above.
Step 4: applying the Crypto Map
The crypto map is applied to the public interface, here FastEthernet 0/1.
R1(config)# interface FastEthernet0/1
R1(config-if)# crypto map CMAP
As soon as the crypto map is applied, the router confirms that isakmp is enabled: ISAKMP is ON.
This completes the IPSec VPN configuration on site 1.
Site 2 is configured the same way on R2; only the IP addresses and the ACL are mirrored.
R2(config)# crypto isakmp policy 1
R2(config-isakmp)# encr 3des
R2(config-isakmp)# hash md5
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 2
R2(config-isakmp)# lifetime 86400
R2(config)# crypto isakmp key merionet address 1.1.1.1
R2(config)# ip access-list extended VPN-TRAFFIC
R2(config-ext-nacl)# permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
R2(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
R2(config)# crypto map CMAP 10 ipsec-isakmp
R2(config-crypto-map)# set peer 1.1.1.1
R2(config-crypto-map)# set transform-set TS
R2(config-crypto-map)# match address VPN-TRAFFIC
R2(config)# interface FastEthernet0/1
R2(config-if)# crypto map CMAP
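As an added example (not part of the original article), a small Python checker that reads the R1 and R2 crypto configuration above and reports the mismatches that would stop Phase 1 or Phase 2 from negotiating: ISAKMP policy, pre-shared key, peer addresses, transform set and mirrored crypto ACLs. The configuration text is a constructed sample taken from the commands on this page; the function names are my own.

```python
import re
# Constructed sample: R1's crypto configuration as given in the article above.
R1_CFG = """crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key merionet address 1.1.1.2
ip access-list extended VPN-TRAFFIC
 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto map CMAP 10 ipsec-isakmp
 set peer 1.1.1.2
"""
# R2 is the mirror image: it points at R1's WAN address and swaps the LAN prefixes.
R2_CFG = R1_CFG.replace("1.1.1.2", "1.1.1.1").replace(
    "10.10.10.0 0.0.0.255 20.20.20.0", "20.20.20.0 0.0.0.255 10.10.10.0")

def parse_crypto(cfg):
    """Collect the settings that must agree between the two peers from IOS config text."""
    d = {"policy": {}, "acl": [], "psk": None, "key_peer": None, "peer": None, "transform": None}
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"(encr|hash|authentication|group|lifetime) (\S+)$", line):
            d["policy"][m[1]] = m[2]        # ISAKMP Phase 1 proposal
        elif m := re.match(r"permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            d["acl"].append(m.groups())     # Phase 2 proxy identity (crypto ACL)
        elif m := re.match(r"crypto ipsec transform-set \S+ (.+)$", line):
            d["transform"] = m[1]           # Phase 2 proposal
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)$", line):
            d["psk"], d["key_peer"] = m[1], m[2]
        elif m := re.match(r"set peer (\S+)$", line):
            d["peer"] = m[1]
    return d

def check_tunnel(a, b, a_wan, b_wan):
    """Return the mismatches that would keep Phase 1 or Phase 2 from negotiating."""
    problems = []
    if a["policy"] != b["policy"]:
        problems.append(f"ISAKMP policy differs: {a['policy']} vs {b['policy']}")
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    if (a["key_peer"], a["peer"], b["key_peer"], b["peer"]) != (b_wan, b_wan, a_wan, a_wan):
        problems.append("peer addresses do not point at each other")
    if a["transform"] != b["transform"]:
        problems.append("IPsec transform-set differs")
    mirrored = sorted((d, dm, s, sm) for s, sm, d, dm in b["acl"])  # b's ACL, reversed
    if sorted(a["acl"]) != mirrored:
        problems.append("crypto ACLs are not mirror images")
    return problems
```

Run `check_tunnel(parse_crypto(R1_CFG), parse_crypto(R2_CFG), "1.1.1.1", "1.1.1.2")`; an empty list means both sides agree, otherwise each entry names the setting to fix before the tunnel will come up.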
NAT and the IPSec VPN tunnel
Traffic between the two sites must be excluded from address translation (NAT), otherwise it will not match the crypto ACL. The Site-To-Site VPN traffic is therefore denied in the NAT access-list (deny NAT) so that it goes through the VPN tunnel untranslated.
The deny NAT rule on each router:
Site 1:
R1(config)# ip nat inside source list 100 interface fastethernet0/1 overload
R1(config)# access-list 100 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
R1(config)# access-list 100 permit ip 10.10.10.0 0.0.0.255 any
Site 2:
R2(config)# ip nat inside source list 100 interface fastethernet0/1 overload
R2(config)# access-list 100 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
R2(config)# access-list 100 permit ip 20.20.20.0 0.0.0.255 any
Bringing up the IPSec VPN tunnel
The VPN tunnel is established when traffic that matches the crypto ACL is sent. To bring it up, ping from one LAN to the other:
R1# ping 20.20.20.1 source fastethernet0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.1, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 44/47/48 ms
The first icmp echo (ping) timed out because the VPN tunnel was still being established, which can take slightly more than 2 seconds; the remaining packets went through.
To check the VPN tunnel, use show crypto session:
R1# show crypto session
Crypto session current status
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 1.1.1.2 port 500
IKE SA: local 1.1.1.1/500 remote 1.1.1.2/500 Active
IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 20.20.20.0/255.255.255.0
Active SAs: 2, origin: crypto map
That completes the Site-To-Site IPSEC VPN on Cisco!