Cisco router to ASA firewall: testing a ××× with phase 1 in aggressive mode
1. Overview:

The first phase of an L2L ××× can be configured as aggressive mode. Because aggressive mode is less secure than main mode, it is generally only used for dial-up clients.
Reference links:
2. Basic approach:
A. Test a router and a firewall establishing an L2L ××× with phase 1 in aggressive mode.
B. Capture the negotiation to confirm whether it carries the hostname.
3. Test topology:
4. Basic configuration:
A. R1:
interface Ethernet0/0
ip address 192.168.1.1 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 192.168.1.2
B. R2:
interface Ethernet0/0
ip address 192.168.1.2 255.255.255.0
ip nat inside
no shut
interface Ethernet0/1
ip address 202.100.1.2 255.255.255.0
ip nat outside
no shut
ip route 0.0.0.0 0.0.0.0 202.100.1.3
ip access-list extended PAT
deny ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list PAT interface Ethernet0/1 overload
C. R3:
interface Ethernet0/0
ip address 202.100.1.3 255.255.255.0
no shut
interface Ethernet0/1
ip address 202.100.2.3 255.255.255.0
no shut
D. ASA842:
interface GigabitEthernet0
nameif Inside
security-level 100
ip address 172.16.1.10 255.255.255.0
no shut
interface GigabitEthernet1
nameif Outside
security-level 0
ip address 202.100.2.10 255.255.255.0
no shut
route Outside 0.0.0.0 0.0.0.0 202.100.2.3
object network Inside_net
subnet 172.16.1.0 255.255.255.0
nat (Inside,Outside) dynamic interface
policy-map global_policy
class inspection_default
inspect icmp
E. R4:
interface Ethernet0/0
ip address 172.16.1.4 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 172.16.1.10
5. ××× configuration:
A. R2:
① Phase 1 policy:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 hostname ASA842
! (this line is redundant and does not need to be configured; the aggressive-mode password below is what is used)
crypto isakmp identity hostname
crypto isakmp keepalive 10 periodic
crypto isakmp peer address 202.100.2.10
set aggressive-mode password cisco123
set aggressive-mode client-endpoint ipv4-address 202.100.1.2
! (this line is required; without it the router cannot initiate the ××× from its side)
② Phase 2 policy:
crypto ipsec transform-set transet esp-3des esp-md5-hmac
③ Configure the interesting traffic:
ip access-list extended ×××
permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
④ Configure the crypto map and apply it on the interface:
crypto map crymap 10 ipsec-isakmp
set peer 202.100.2.10
! (the peer is the ASA Outside address 202.100.2.10, matching the crypto isakmp peer entry above)
set transform-set transet
set pfs group2
match address ×××
reverse-route
interface Ethernet0/1
crypto map crymap
B. ASA842:
① Phase 1 policy:
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
crypto isakmp identity hostname
tunnel-group 202.100.1.2 type ipsec-l2l
tunnel-group 202.100.1.2 ipsec-attributes
ikev1 pre-shared-key cisco123
② Phase 2 policy:
crypto ipsec ikev1 transform-set transet esp-3des esp-md5-hmac
③ Configure the interesting traffic and the NAT exemption:
access-list ××× extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
object network Inside_net
subnet 172.16.1.0 255.255.255.0
object network Remote_net
subnet 192.168.1.0 255.255.255.0
nat (Inside,Outside) source static Inside_net Inside_net destination static Remote_net Remote_net
④ Configure the crypto map and apply it on the interface:
crypto map crymap 10 match address ×××
crypto map crymap 10 set pfs
crypto map crymap 10 set peer 202.100.1.2
crypto map crymap 10 set ikev1 phase1-mode aggressive
crypto map crymap 10 set ikev1 transform-set transet
crypto map crymap 10 set reverse-route
crypto map crymap interface Outside
⑤ Enable IKEv1 on the interface:
crypto ikev1 enable Outside
6. Packet capture test:
B. Whether the router's set aggressive-mode client-endpoint is an FQDN or an IP address only determines which identity the router uses when it initiates the connection.
C. If the router's client-endpoint is an IP address, the router uses that IP address as its identity when it initiates aggressive mode.
D. If the router's client-endpoint is an FQDN, the router uses the configured FQDN as its identity when it initiates aggressive mode.
E. Regardless of whether the client-endpoint is an FQDN or an IP address, when the firewall side initiates, the identity in the router's reply is always its own hostname.
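The capture findings above come down to one thing a defender can check directly: in aggressive mode the Identification payload of messages 1 and 2 travels in the clear, while main mode sends it encrypted. The parser below is an added example, not part of the original post; it reads the ISAKMP header and payload chain of a single message and reports the exchange type and any cleartext identity (IPv4 address or FQDN). The packets it runs on are constructed inline, with only an ID payload, rather than taken from a real capture.

```python
import struct
from ipaddress import IPv4Address

# ISAKMP header (RFC 2408): iSPI, rSPI, next payload, version, exchange type, flags, message ID, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
EXCHANGE = {2: "main", 4: "aggressive"}
ID_PAYLOAD = 5                       # Identification payload type
ID_TYPES = {1: "ipv4", 2: "fqdn", 3: "user_fqdn", 11: "key_id"}
FLAG_ENCRYPTED = 0x01                # E bit: payloads after the header are encrypted


def parse_isakmp(pkt: bytes) -> dict:
    """Return the exchange type and any cleartext identity carried by one ISAKMP message."""
    _ispi, _rspi, nxt, _ver, xchg, flags, _msgid, _length = ISAKMP_HDR.unpack_from(pkt, 0)
    result = {"exchange": EXCHANGE.get(xchg, f"type-{xchg}"), "identity": None}
    if flags & FLAG_ENCRYPTED:
        return result                # main mode sends the ID payload encrypted: nothing to read
    off = ISAKMP_HDR.size
    while nxt != 0 and off + 4 <= len(pkt):
        p_next, _rsv, p_len = struct.unpack_from("!BBH", pkt, off)   # generic payload header
        if p_len < 4 or off + p_len > len(pkt):
            break                    # malformed length: stop rather than over-read
        if nxt == ID_PAYLOAD and p_len >= 8:
            id_type, _proto, _port = struct.unpack_from("!BBH", pkt, off + 4)
            data = pkt[off + 8:off + p_len]
            kind = ID_TYPES.get(id_type, f"id-{id_type}")
            if kind == "ipv4" and len(data) == 4:
                value = str(IPv4Address(data))
            else:
                value = data.decode("ascii", "replace")
            result["identity"] = (kind, value)
        nxt, off = p_next, off + p_len
    return result


def build_packet(xchg: int, id_type: int, id_data: bytes, encrypted: bool = False) -> bytes:
    """Construct a minimal ISAKMP message carrying only an ID payload (test input, not a real capture)."""
    id_payload = struct.pack("!BBHBBH", 0, 0, 8 + len(id_data), id_type, 0, 0) + id_data
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, ID_PAYLOAD, 0x10, xchg,
                          FLAG_ENCRYPTED if encrypted else 0, 0, ISAKMP_HDR.size + len(id_payload))
    return hdr + id_payload


if __name__ == "__main__":
    # Constructed samples mirroring the findings: the ASA answering with its hostname,
    # the router initiating with its client-endpoint IP, and a main-mode ID hidden by encryption.
    for pkt in (build_packet(4, 2, b"ASA842"),
                build_packet(4, 1, bytes([202, 100, 1, 2])),
                build_packet(2, 2, b"ASA842", encrypted=True)):
        print(parse_isakmp(pkt))
```

Feeding the UDP/500 payload of a captured message to parse_isakmp gives the same view as the capture test: an aggressive-mode exchange exposes the hostname or address the peer uses as its identity.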
7. PIX 8.0 configuration:
--- If ASA842 is replaced with a PIX 8.0, the PIX configuration is as follows:
A. Basic configuration:
interface Ethernet0
nameif Inside
security-level 100
ip address 172.16.1.10 255.255.255.0
no shut
interface Ethernet1
nameif Outside
security-level 0
ip address 202.100.2.10 255.255.255.0
no shut
route Outside 0.0.0.0 0.0.0.0 202.100.2.3
access-list PAT extended permit ip 172.16.1.0 255.255.255.0 any
nat (Inside) 1 access-list PAT
global (Outside) 1 interface
access-list OUTSIDE extended permit icmp any any
access-group OUTSIDE in interface Outside
B. ××× configuration:
① Phase 1 policy:
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
crypto isakmp identity hostname
tunnel-group 202.100.1.2 type ipsec-l2l
tunnel-group 202.100.1.2 ipsec-attributes
pre-shared-key cisco
! (the key must match the aggressive-mode password configured on the router peer)
--- Note: the tunnel-group can also use the peer's FQDN,
② Phase 2 policy:
crypto ipsec transform-set transet esp-3des esp-md5-hmac
③ Configure the interesting traffic and the NAT exemption:
access-list ××× extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (Inside) 0 access-list NONAT
④ Configure the crypto map and apply it on the interface:
crypto map crymap 10 match address ×××
crypto map crymap 10 set pfs
crypto map crymap 10 set peer 202.100.1.2
crypto map crymap 10 set transform-set transet
crypto map crymap 10 set phase1-mode aggressive group2
! (group2 is the default and does not appear in show output)
crypto map crymap 10 set reverse-route
crypto map crymap interface Outside
⑤ Enable ISAKMP on the interface:
crypto isakmp enable Outside
Reprinted from: https://blog.51cto.com/333234/1269256