
Internal network penetration case study and reference solutions for the security problems found

2011-04-01 15:11

http://zxy911.blog.51cto.com/464822/95994/

Dynamic crypto map
R2:
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 5
crypto isakmp key 6 zxy address 0.0.0.0 0.0.0.0   (the peer is set to any address)
!
!
crypto ipsec transform-set zxy esp-des esp-sha-hmac
!
crypto dynamic-map cisco 15   (first create a dynamic map)
set transform-set zxy
set pfs group1   (no access list is used)
!
crypto map cisco 15 ipsec-isakmp dynamic cisco   (reference the dynamic map: a static crypto map "cisco 15" must exist first, the dynamic map is referenced inside it, and the static map is then applied to the interface)
!
!
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
ip address 172.16.1.2 255.255.255.0
duplex half
crypto map cisco
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
!
ip route 1.1.1.0 255.255.255.0 172.16.1.1
The connection is only established when R1 initiates traffic toward R2; the dynamic side cannot initiate the connection to the static side.

IPsec over GRE:
A tunnel is used to carry dynamic routing, because IPsec itself does not support dynamic routing protocols; since dynamic routing is almost always wanted, tunneling is used.
Everything else is configured the same way. The only difference is that when bringing up the link you build the tunnel on both sides and advertise it through the dynamic routing protocol, and then, in addition to applying the crypto map on the physical interface, you also apply it under the tunnel interface. That is the only difference!
r1#show crypto ipsec sa

interface: FastEthernet0/0
Crypto map tag: zzz, local addr 172.16.1.1

protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (20.20.20.0/255.255.255.0/0/0)
current_peer 172.16.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 172.16.1.1, remote crypto endpt.: 172.16.1.2
path mtu 1500, ip mtu 1500
current outbound spi: 0x1A3A32AE(440021678)

inbound esp sas:
spi: 0x3E7908F3(1048119539)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: zzz
sa timing: remaining key lifetime (k/sec): (4494433/3548)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x1A3A32AE(440021678)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: zzz
sa timing: remaining key lifetime (k/sec): (4494433/3547)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

interface: Tunnel1
Crypto map tag: zzz, local addr 172.16.1.1

protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (20.20.20.0/255.255.255.0/0/0)
current_peer 172.16.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 172.16.1.1, remote crypto endpt.: 172.16.1.2
path mtu 1500, ip mtu 1500
current outbound spi: 0x1A3A32AE(440021678)

inbound esp sas:
spi: 0x3E7908F3(1048119539)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: zzz
sa timing: remaining key lifetime (k/sec): (4494433/3546)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x1A3A32AE(440021678)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: zzz
sa timing: remaining key lifetime (k/sec): (4494433/3546)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
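An added example, not from the original post: a small auditor that parses `show crypto ipsec sa` output in the format shown above and flags the weak transform set this configuration negotiates (esp-des) and any SA that is running without replay detection. The sample text is constructed from the listing above, with the outbound SA's replay flag changed to N so that check is exercised.

```python
# Constructed sample modelled on the `show crypto ipsec sa` listing above (not the page's own
# text); the outbound SA's replay flag is changed to N so that check is exercised.
SAMPLE = """\
interface: FastEthernet0/0
Crypto map tag: zzz, local addr 172.16.1.1
inbound esp sas:
spi: 0x3E7908F3(1048119539)
transform: esp-des esp-sha-hmac ,
replay detection support: Y
outbound esp sas:
spi: 0x1A3A32AE(440021678)
transform: esp-des esp-sha-hmac ,
replay detection support: N
"""

# Transform names that should not appear in a current deployment (DES, 3DES, MD5, no encryption).
WEAK = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

def parse_sas(text):
    # Returns one dict per ESP SA: interface, direction, SPI, transform list and replay flag.
    sas, iface, direction, cur = [], None, None, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("interface:"):
            iface = line.split(":", 1)[1].strip()
        elif line.endswith("esp sas:"):
            direction = line.split()[0]              # "inbound" or "outbound"
        elif line.startswith("spi:"):
            hexspi = line.split()[1].split("(")[0]   # "0x3E7908F3(1048119539)" -> "0x3E7908F3"
            cur = {"interface": iface, "direction": direction, "spi": int(hexspi, 16)}
            sas.append(cur)
        elif cur and line.startswith("transform:"):
            cur["transforms"] = line.split(":", 1)[1].replace(",", " ").split()
        elif cur and line.startswith("replay detection support:"):
            cur["replay"] = line.endswith("Y")
    return sas

def audit(sas):
    # Findings a reviewer would raise: weak transform sets and SAs running without anti-replay.
    findings = []
    for sa in sas:
        tag = f"{sa['interface']} {sa['direction']} spi 0x{sa['spi']:08X}"
        weak = sorted(WEAK & set(sa.get("transforms", [])))
        if weak:
            findings.append(f"{tag}: weak transform {' '.join(weak)}")
        if not sa.get("replay", False):
            findings.append(f"{tag}: replay detection disabled")
    return findings
```

Run `audit(parse_sas(SAMPLE))` to get the list of findings; on the real listing above both SAs are reported for esp-des only, since replay detection is Y on both.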