Lab
Approach and configuration
1. Configure AR1
Port 0 IP: 172.16.10.254 255.255.255.0
Port 1 IP: 100.0.0.1 255.255.255.252
Configure the default route:
ip route-static 0.0.0.0 0.0.0.0 100.0.0.2
2. Configure AR2
Port 0 IP: 100.0.0.2 255.255.255.252
Port 1 IP: 200.0.0.2 255.255.255.252
3. Configure AR3
Port 0 IP: 200.0.0.1 255.255.255.252
Port 1 IP: 10.10.33.254 255.255.255.0
Configure the default route:
ip route-static 0.0.0.0 0.0.0.0 200.0.0.2
4. Configure AR1 (IKE and IPsec)
ike proposal 1
encryption-algorithm 3des-cbc
authentication-algorithm md5
authentication-method pre-share
dh group2
ike peer 200.0.0.1 v1
pre-shared-key simple tedu
ike-proposal 1
remote-address 200.0.0.1
Configure the ACL
acl number 3000
rule 5 permit ip source 172.16.10.0 0.0.0.255 destination 10.10.33.0 0.0.0.255
ipsec proposal 1
transform ah-esp
ipsec policy yf 1 isakmp
security acl 3000
ike-peer 200.0.0.1
proposal 1
Apply the policy to the interface
interface g0/0/1
ipsec policy yf
5. Configure AR3 (IKE and IPsec)
ike proposal 1
encryption-algorithm 3des-cbc
authentication-algorithm md5
authentication-method pre-share
dh group2
ike peer 100.0.0.1 v1
pre-shared-key simple tedu
ike-proposal 1
remote-address 100.0.0.1
acl number 3000
rule 5 permit ip source 10.10.33.0 0.0.0.255 destination 172.16.10.0 0.0.0.255
ipsec proposal 1
transform ah-esp
ipsec policy yf 1 isakmp
security acl 3000
ike-peer 100.0.0.1
proposal 1
interface g0/0/0
ipsec policy yf
6. Verify:
AR1
display ike sa
display ipsec sa
AR3
display ike sa
display ipsec sa
Test:
Ping PC2 from PC1.
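
The SAs only come up when the IKE proposal, pre-shared key and IPsec transform are identical on AR1 and AR3, each remote-address names the other router's public interface, and the two ACL 3000 rules mirror each other. The Python check below is an added example, not part of the original lab notes; it runs over a constructed copy of the step 4 and step 5 settings, and the names CONFIGS, parse and check_pair are hypothetical.

```python
import re

# Constructed input: the IKE/IPsec lines from steps 4 and 5, keyed by router,
# paired with each router's public interface address from steps 1 and 3.
CONFIGS = {
    "AR1": ("100.0.0.1", """
encryption-algorithm 3des-cbc
authentication-algorithm md5
dh group2
pre-shared-key simple tedu
remote-address 200.0.0.1
rule 5 permit ip source 172.16.10.0 0.0.0.255 destination 10.10.33.0 0.0.0.255
transform ah-esp"""),
    "AR3": ("200.0.0.1", """
encryption-algorithm 3des-cbc
authentication-algorithm md5
dh group2
pre-shared-key simple tedu
remote-address 100.0.0.1
rule 5 permit ip source 10.10.33.0 0.0.0.255 destination 172.16.10.0 0.0.0.255
transform ah-esp"""),
}
# Settings that must be identical on both peers (hypothetical grouping).
NEGOTIATED = ("encryption-algorithm", "authentication-algorithm", "dh",
              "pre-shared-key", "transform")
RULE = re.compile(r"rule \d+ permit ip source (\S+ \S+) destination (\S+ \S+)")

def parse(text):
    """Return (settings dict, set of (source, destination) ACL pairs)."""
    settings, rules = {}, set()
    for line in text.split("\n"):
        m = RULE.match(line)
        if m:
            rules.add(m.groups())
        elif line:
            key, _, value = line.partition(" ")
            settings[key] = value
    return settings, rules

def check_pair(configs, a="AR1", b="AR3"):
    """List mismatches that would keep the two peers from building SAs."""
    (addr_a, text_a), (addr_b, text_b) = configs[a], configs[b]
    (set_a, acl_a), (set_b, acl_b) = parse(text_a), parse(text_b)
    problems = [f"{k}: {set_a.get(k)} != {set_b.get(k)}"
                for k in NEGOTIATED if set_a.get(k) != set_b.get(k)]
    if (set_a.get("remote-address"), set_b.get("remote-address")) != (addr_b, addr_a):
        problems.append("remote-address does not point at the peer")
    if acl_a != {(dst, src) for src, dst in acl_b}:
        problems.append("ACL rules are not mirror images")
    return problems
```

An empty list from check_pair(CONFIGS) means the two sides agree; if display ike sa or display ipsec sa shows no SA, any entry in the list is the first thing to correct.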