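公司总部路由器为R1,分部路由器为R3,R2模拟互联网。拓扑如下(按下文配置整理):总部内网172.16.1.0/24 — R1(s0/0 12.1.1.1)— (s0/0 12.1.1.2)R2(s0/1 23.1.1.2)— (s0/1 23.1.1.1)R3 — 分部内网172.16.2.0/24。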
配置:
初始化所有的路由器:
! Baseline entered on every router before the per-device configuration.
enable
configure terminal
! Stop the router from treating mistyped commands as hostnames to resolve.
no ip domain-lookup
! Console line settings:
!   logging synchronous - re-prints the command line after unsolicited log output.
!   exec-timeout 0 0    - disables the console idle timeout. Lab convenience only:
!                         an unattended console session is never logged out.
line console 0
 logging synchronous
 exec-timeout 0 0
exit
r1
! WAN side: link toward R2, which stands in for the Internet.
interface Serial0/0
 ip address 12.1.1.1 255.255.255.248
 no shutdown
! LAN side: head-office subnet 172.16.1.0/24.
interface FastEthernet1/0
 ip address 172.16.1.1 255.255.255.0
 no shutdown
exit
! Crypto ACL: only traffic from the head-office LAN to the branch LAN is
! selected for IPsec. Everything else leaves Serial0/0 unencrypted.
! R3's access-list 100 is the mirror image of this entry.
access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 Serial0/0
! IKE phase 1 policy. Authentication method, hash, DH group and cipher must
! match the policy configured on the peer (R3).
! NOTE(review): DES, MD5 and DH group 1 are obsolete and give little real
! protection. They are tolerable in a lab; a production policy should use AES,
! a SHA-2 hash and a larger DH group where the image supports them, and the
! change has to be made on both peers at the same time.
crypto isakmp policy 1
 authentication pre-share
 hash md5
 group 1
 encryption des
exit
! Pre-shared key used with peer 23.1.1.1 (R3). The "0" says the key that
! follows is entered unencrypted.
! NOTE(review): "gabylinux" is a published sample value. Use a long random key
! per peer and keep configuration backups that contain it access-controlled.
crypto isakmp key 0 gabylinux address 23.1.1.1
! Transform set "gaby": ESP encapsulation, DES encryption, SHA-HMAC integrity.
! NOTE(review): esp-des carries the same weakness as the phase 1 DES setting.
crypto ipsec transform-set gaby esp-des esp-sha-hmac
exit
! Crypto map "gaby***", sequence 10. ipsec-isakmp means the session keys are
! negotiated dynamically by IKE rather than set by hand.
! NOTE(review): the "***" looks like text masked by the publishing site -
! confirm the intended name. It must be spelled identically here and where the
! map is applied to the interface below.
crypto map gaby*** 10 ipsec-isakmp
 set peer 23.1.1.1
 set transform-set gaby
 match address 100
exit
! Apply the map on the WAN interface so matching outbound traffic is encrypted.
interface Serial0/0
 crypto map gaby***
r2
! R2 plays the Internet: it only addresses the two WAN links. No route to
! either 172.16.x.0/24 LAN is configured here, so LAN-to-LAN traffic can only
! cross R2 inside the IPsec tunnel between 12.1.1.1 and 23.1.1.1.
interface Serial0/0
 ip address 12.1.1.2 255.255.255.248
 no shutdown
interface Serial0/1
 ip address 23.1.1.2 255.255.255.248
 no shutdown

r3
! WAN side: link toward R2, which stands in for the Internet.
interface Serial0/1
 ip address 23.1.1.1 255.255.255.248
 no shutdown
! LAN side: branch subnet 172.16.2.0/24.
interface FastEthernet1/0
 ip address 172.16.2.1 255.255.255.0
 no shutdown
! Crypto ACL: branch LAN to head-office LAN, the mirror of R1's access-list 100.
! If the two ACLs are not mirror images, the IPsec negotiation for that
! traffic will not complete.
access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 Serial0/1
! IKE phase 1 policy; the values are identical to R1's policy 1, as required.
! NOTE(review): DES, MD5 and DH group 1 are obsolete. Lab use only; upgrade
! both peers together if this is adapted for production.
crypto isakmp policy 1
 authentication pre-share
 hash md5
 group 1
 encryption des
exit
! Pre-shared key used with peer 12.1.1.1 (R1); it must equal the key on R1.
! NOTE(review): "gabylinux" is a published sample value entered unencrypted
! (type 0). Replace it with a long random key.
crypto isakmp key 0 gabylinux address 12.1.1.1
! Transform set "gaby": ESP with DES encryption and SHA-HMAC integrity,
! matching R1's transform set.
crypto ipsec transform-set gaby esp-des esp-sha-hmac
exit
! Crypto map "gaby***", sequence 10, keys negotiated by IKE.
! NOTE(review): the "***" looks like text masked by the publishing site -
! confirm the intended name and keep it identical in both places it is used.
crypto map gaby*** 10 ipsec-isakmp
 set peer 12.1.1.1
 set transform-set gaby
 match address 100
exit
! Apply the map on the WAN interface.
interface Serial0/1
 crypto map gaby***

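测试(在R1上启用一个loopback口,地址192.168.2.1)。第一次ping的源地址192.168.2.1不匹配access-list 100,报文不会被加密,而是以明文发往R2;R2上没有到172.16.2.0/24的路由,所以不通。第二次ping的源地址172.16.1.1匹配access-list 100,报文经IPsec隧道转发,所以能通。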
R1#ping 172.16.2.1 source 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
.....
Success rate is 0 percent (0/5)
R1#ping 172.16.2.1 source 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/89/124 ms