I have never set up an IPsec VPN in a real production deployment, but I have done plenty of labs with it, including on real hardware. Anyone else?
First, here is a brief diagram of the lab topology:
The configuration below matches the topology diagram exactly, but it is for reference only~~
I built the IPsec VPN lab in the 小凡 emulator and drew the topology with 大凡, so that both I and other people can see it more clearly.
There are three things to watch out for in this lab:
1. The pre-shared key, crypto ACL and ISAKMP policy on the two routers must be consistent and must mirror each other.
2. Both routers need a default route pointing to the Internet.
3. After configuring the crypto map, it must be applied on the corresponding outside interface. (A mistake I used to make all the time.)
The core configuration of the three routers is as follows:
Router1 configuration:
en
conf t
no ip domain lookup
line console 0
exec-timeout 0 0
logging syn
exit
interface e0/0
ip address 192.168.1.254 255.255.255.0
no shutdown
exit
interface e0/1
ip address 10.0.0.1 255.255.255.252
no shutdown
exit
ip route 0.0.0.0 0.0.0.0 10.0.0.2
Configure the IPsec VPN:
1. Configure the ISAKMP policy:
crypto isakmp policy 1
encryption aes
hash sha
authentication pre-share
group 2
exit
2. Configure the pre-shared key:
crypto isakmp key 0 huhu address 20.0.0.2
3. Configure the crypto ACL:
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
4. Configure the transform set:
crypto ipsec transform-set aa esp-aes esp-sha-hmac
mode tunnel
exit
5. Configure the crypto map:
crypto map aa-map 1 ipsec-isakmp
match address 100
set peer 20.0.0.2
set transform-set aa
exit
6. Apply the crypto map on the interface:
interface e0/1
crypto map aa-map
exit
Router2 configuration:
en
conf t
no ip domain lookup
line console 0
exec-timeout 0 0
logging syn
exit
interface e0/1
ip address 10.0.0.2 255.255.255.252
no shutdown
exit
interface e0/0
ip address 20.0.0.1 255.255.255.252
no shutdown
exit
Router3 configuration:
en
conf t
no ip domain lookup
line console 0
exec-timeout 0 0
logging syn
exit
interface e0/1
ip address 20.0.0.2 255.255.255.252
no shutdown
exit
interface e0/0
ip address 172.16.1.254 255.255.255.0
no shutdown
exit
ip route 0.0.0.0 0.0.0.0 20.0.0.1
1. Configure the ISAKMP policy:
crypto isakmp policy 1
encryption aes
hash sha
authentication pre-share
group 2
exit
2. Configure the pre-shared key:
crypto isakmp key 0 huhu address 10.0.0.1
3. Configure the crypto ACL:
access-list 100 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
4. Configure the transform set:
crypto ipsec transform-set aa esp-aes esp-sha-hmac
mode tunnel
exit
5. Configure the crypto map:
crypto map aa-map 1 ipsec-isakmp
match address 100
set peer 10.0.0.1
set transform-set aa
exit
6. Apply the crypto map on the interface:
interface e0/1
crypto map aa-map
exit
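As an added sanity check (my own Python script, not part of the original post and not a Cisco tool), the code below parses the IPsec-related lines of two IOS configs laid out like the Router1/Router3 sections above and reports violations of the three rules: a different ISAKMP policy, a pre-shared key bound to the wrong peer address, a crypto ACL that is not the mirror image of the other side, and a crypto map that was never applied to an interface. The `peer_cfg` template and the parser's assumptions (one ISAKMP policy, one crypto ACL, `exit` closing each block) are constructed for this example.

```python
import re

def parse_ios(cfg):
    """Pull the IPsec pieces out of an IOS config (constructed parser, not an IOS tool)."""
    d = {"policy": {}, "keys": {}, "acl": [], "peer": None, "map_on": []}
    iface = None
    for line in (l.strip() for l in cfg.splitlines() if l.strip()):
        w = line.split()
        if w[0] == "interface":
            iface = w[1]
        elif w[0] == "exit":
            iface = None
        elif w[0] in ("encryption", "hash", "authentication", "group"):  # isakmp policy body
            d["policy"][w[0]] = w[1]
        elif line.startswith("crypto isakmp key"):
            m = re.match(r"crypto isakmp key \d+ (\S+) address (\S+)", line)
            d["keys"][m.group(2)] = m.group(1)          # peer address -> key
        elif w[0] == "access-list":                     # crypto acl: (src, dst) incl. wildcards
            d["acl"].append((" ".join(w[4:6]), " ".join(w[6:8])))
        elif line.startswith("set peer"):
            d["peer"] = w[2]
        elif iface and line.startswith("crypto map"):   # map actually bound to an interface
            d["map_on"].append(iface)
    return d

def check_mirror(a, b):
    """Return the rule violations between two peers (empty list = configs mirror each other)."""
    p = []
    if a["policy"] != b["policy"]:
        p.append("isakmp policy differs")
    if a["keys"].get(a["peer"]) != b["keys"].get(b["peer"]):
        p.append("pre-shared key differs or is bound to the wrong peer address")
    if sorted(a["acl"]) != sorted((dst, src) for src, dst in b["acl"]):
        p.append("crypto acl is not a mirror image")
    p += [f"{n}: crypto map not applied on any interface"
          for n, s in (("A", a), ("B", b)) if not s["map_on"]]
    return p

def peer_cfg(local, remote, peer):  # constructed config in the layout of the post's Router1/Router3
    return (f"crypto isakmp policy 1\nencryption aes\nhash sha\nauthentication pre-share\ngroup 2\nexit\n"
            f"crypto isakmp key 0 huhu address {peer}\naccess-list 100 permit ip {local} {remote}\n"
            f"crypto ipsec transform-set aa esp-aes esp-sha-hmac\ncrypto map aa-map 1 ipsec-isakmp\n"
            f"match address 100\nset peer {peer}\nset transform-set aa\nexit\ninterface e0/1\ncrypto map aa-map\nexit")

R1 = peer_cfg("192.168.1.0 0.0.0.255", "172.16.1.0 0.0.0.255", "20.0.0.2")
R3 = peer_cfg("172.16.1.0 0.0.0.255", "192.168.1.0 0.0.0.255", "10.0.0.1")

if __name__ == "__main__":
    print(check_mirror(parse_ios(R1), parse_ios(R3)) or "configs mirror each other")
```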
When I do labs I usually write the configuration in a text file first, which makes troubleshooting and organising my thoughts easier, so the configuration above can basically be copied and pasted straight into the console. But this only applies to my lab environment.~~~