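*** is widely used and very flexible, and we need to build different solutions for different requirements.
For example: if a branch office's IP address is not fixed, or changes often, or for some other reason, and I need to establish an IPSEC connection with headquarters, how can this be solved?
【Topology】
【Steps】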
R1:
crypto isakmp policy 10
 hash md5
 authentication pre-share
 lifetime 1000
!
! pre-shared keys are looked up by peer address: one entry per branch
crypto isakmp key cisco address 202.102.101.2
crypto isakmp key cisco address 202.102.102.2
!
!
! ah-sha-hmac authenticates packets but does not encrypt them
crypto ipsec transform-set tt ah-sha-hmac
!
crypto dynamic-map mymap 10
 set transform-set tt 
 match address 100 
 ! 
 
! bind the dynamic map into the regular crypto map set
crypto map cisco 1 ipsec-isakmp dynamic mymap
interface Tunnel1
 ip address 10.0.0.2 255.255.255.0
 tunnel source Serial0/0/0
 tunnel destination 202.102.102.2
!
!
interface Tunnel2
 ip address 10.0.1.1 255.255.255.0
 tunnel source Serial0/0/0
 tunnel destination 202.102.101.2
!
!
interface FastEthernet0/0
 ip address 1.1.1.254 255.255.255.0
 duplex auto
 speed auto
 
interface Serial0/0/0
 ip address 202.102.100.2 255.255.255.252
 crypto map cisco
 
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip route 3.3.3.0 255.255.255.0 10.0.0.1
ip route 2.2.2.0 255.255.255.0 10.0.1.2
!
access-list 100 permit ip host 202.102.100.2 any
!
R2:
crypto isakmp policy 10
 hash md5
 authentication pre-share
 lifetime 1000
!
crypto isakmp key cisco address 202.102.100.2
!
crypto ipsec transform-set tt ah-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 202.102.100.2
 set transform-set tt
 match address 100
access-list 100 permit ip host 202.102.101.2 host 202.102.100.2
! be sure to note these two routes
ip route 1.1.1.0 255.255.255.0 10.0.1.1
ip route 3.3.3.0 255.255.255.0 10.0.1.1
 
interface Tunnel2
 ip address 10.0.1.2 255.255.255.0
 tunnel source Serial0/0/0
 tunnel destination 202.102.100.2
!
!
interface FastEthernet0/0
 ip address 2.2.2.254 255.255.255.0
 duplex auto
 speed auto
 
interface Serial0/0/0
 ip address 202.102.101.2 255.255.255.252
 crypto map mymap
 
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip route 1.1.1.0 255.255.255.0 10.0.1.1
ip route 3.3.3.0 255.255.255.0 10.0.1.1
 
R3:
crypto isakmp policy 10
 hash md5
 authentication pre-share
 lifetime 1000
!
crypto isakmp key cisco address 202.102.100.2
!
!
crypto ipsec transform-set tt ah-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 202.102.100.2
 set transform-set tt
 match address 100
access-list 100 permit ip host 202.102.102.2 host 202.102.100.2
! be sure to note these two routes
ip route 1.1.1.0 255.255.255.0 10.0.0.2
ip route 2.2.2.0 255.255.255.0 10.0.0.2
 
interface Tunnel1
 ip address 10.0.0.1 255.255.255.0
 tunnel source Serial0/0/0
 tunnel destination 202.102.100.2
!
!
interface FastEthernet0/0
 ip address 3.3.3.254 255.255.255.0
 duplex auto
 speed auto
 
interface Serial0/0/0
 ip address 202.102.102.2 255.255.255.252
 crypto map mymap
 
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip route 1.1.1.0 255.255.255.0 10.0.0.2
ip route 2.2.2.0 255.255.255.0 10.0.0.2
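【Test】
【Notes】
There may still be a few errors! You can try it out first.
What differs from the earlier write-up is R1's configuration: set up a dynamic ***,
then bind it into the regular crypto map set!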
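
A review check for the R1 crypto settings above, added here as an example (it is not part of the original post or any Cisco tool). The rule names and the `MIN_PSK_LEN` threshold are assumptions chosen for illustration; the sample input is constructed from the R1 lines on this page.

```python
import re

# Constructed sample: the crypto lines of R1 as given in the configuration above.
R1_CONFIG = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
 lifetime 1000
crypto isakmp key cisco address 202.102.101.2
crypto isakmp key cisco address 202.102.102.2
crypto ipsec transform-set tt ah-sha-hmac
crypto dynamic-map mymap 10
 set transform-set tt
 match address 100
crypto map cisco 1 ipsec-isakmp dynamic mymap
"""

MIN_PSK_LEN = 16  # assumption: local policy threshold, not a Cisco default


def has_cipher(transforms):
    """True if any transform encrypts (an ESP cipher other than esp-null)."""
    return any(t.startswith("esp-") and not t.endswith("-hmac") and t != "esp-null"
               for t in transforms)


def audit(config):
    """Return the sorted rule names that an IOS crypto configuration triggers."""
    findings, peers_by_key, dynamic = set(), {}, False
    for line in (raw.strip() for raw in config.splitlines()):
        if line == "hash md5":
            findings.add("ike-hash-md5")
        elif m := re.match(r"crypto ipsec transform-set \S+ (.+)", line):
            if not has_cipher(m.group(1).split()):
                findings.add("no-encryption")  # e.g. AH only: integrity, no secrecy
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
            peers_by_key.setdefault(m.group(1), []).append(m.group(2))
        elif line.startswith("crypto dynamic-map "):
            dynamic = True
    for key, peers in peers_by_key.items():
        if len(key) < MIN_PSK_LEN:
            findings.add("short-psk")
        if len(peers) > 1:
            findings.add("psk-reused-across-peers")
        # A key bound to one host address only matches a branch at that address.
        if dynamic and any(p != "0.0.0.0" for p in peers):
            findings.add("psk-pinned-to-fixed-peer")
    return sorted(findings)
```

Calling `audit(R1_CONFIG)` reports all five rules; the last one is the point that matters for branches whose address changes, since a key entry tied to a fixed address no longer matches once the branch moves.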