Static point-to-point GRE over IPsec VPN lab

 

Notes:
1. R2 simulates the public (Internet) router.
2. R0/R1 and R3/R4 are the networks of two branch offices at different sites.
3. Requirements:
a. The two internal networks can reach each other's private addresses through the VPN.
b. The two sites learn each other's networks through the VPN.
4. Implement this with a static point-to-point GRE tunnel protected by IPsec.
5. R0 sits on the 10.1.1.0/24 segment, R4 on 192.168.1.0/24.
6. The simulated public segments are 100.100.100.0/24 and 200.200.200.0/24.

 

1. Basic setup:
R0:
R0(config)#int fa0/0
R0(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
R0(config-if)#ip add 10.1.1.2 255.255.255.0
R0(config-if)#exi
R0(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.1  \\Enable the interface, assign the address, set the default next hop.
R1:
R1(config)#int fa0/0
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#ip add 10.1.1.1 255.255.255.0
R1(config-if)#exi
R1(config)#int fa0/1
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
R1(config-if)#ip add 100.100.100.2 255.255.255.0
R1(config-if)#exi
R1(config)#ip route 0.0.0.0 0.0.0.0 100.100.100.1
\\Enable the interfaces, assign the addresses, set the default next hop.
R2:
R2(config)#int fa0/1
R2(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R2(config-if)#ip add 100.100.100.1 255.255.255.0
R2(config-if)#int fa0/0
R2(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
R2(config-if)#ip add 200.200.200.1 255.255.255.0
\\R2 simulates the Internet router, so it only needs addresses on its two interfaces; it has no routes to either private LAN.
R3:
R3(config)#int fa0/0
R3(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

R3(config-if)#ip add 200.200.200.2 255.255.255.0
R3(config-if)#int fa0/1
R3(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
R3(config-if)#ip add 192.168.1.1 255.255.255.0
R3(config-if)#exi
R3(config)#ip route 0.0.0.0 0.0.0.0 200.200.200.1
\\Enable the interfaces, assign the addresses, set the default next hop.
R4:
R4(config)#int fa0/1
R4(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R4(config-if)#ip add 192.168.1.2 255.255.255.0
R4(config-if)#exi
R4(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1
\\Enable the interface, assign the address, set the default next hop.
2. Test the network:
R0:
R0>ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 31/35/46 ms

R0>ping 100.100.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.100.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 15/28/32 ms

R0>ping 100.100.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.100.100.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R0>ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R4:
R4#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 31/31/32 ms

R4#ping 200.200.200.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.200.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 31/31/32 ms

R4#ping 200.200.200.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.200.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R4#ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1:
R1>ping 200.200.200.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.200.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 31/34/47 ms

R3:
R3#ping 100.100.100.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.100.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 62/62/63 ms

\\The results above show that the inside and outside networks behave as intended. Each site reaches its own gateway and the far end of its public link (R1 and R3 reach each other across R2), but R0 cannot reach 100.100.100.1 or 192.168.1.2 and R4 cannot reach 200.200.200.1 or 10.1.1.2: their packets leave with private source addresses, and R2 has no route back to 10.1.1.0/24 or 192.168.1.0/24. The private LANs are therefore not routable across the simulated Internet, which is what the tunnel must solve.

3. Build the GRE tunnel
R1:
R1(config)#int tunnel 1

%LINK-5-CHANGED: Interface Tunnel1, changed state to up

R1(config-if)#ip add 1.1.1.1 255.255.255.0
R1(config-if)#tunnel source fa0/1
R1(config-if)#tunnel destination 200.200.200.2

%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
R3:
R3(config)#int tunnel 2

%LINK-5-CHANGED: Interface Tunnel2, changed state to up

R3(config-if)#ip add 1.1.1.2 255.255.255.0
R3(config-if)#tunnel source fa0/0
R3(config-if)#tunnel destination 100.100.100.2

%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel2, changed state to up
Test:
R1#ping 1.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 62/62/63 ms
R3#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 62/62/63 ms
\\The tunnel is up, but at this point the GRE packets (IP protocol 47) still cross R2 in cleartext; anyone on the path can read and modify them. IPsec is added in the next step.

4. Define the IPsec parameters
R1:
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#hash sha
R1(config-isakmp)#group 2
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#exi
\\IKE phase 1 policy: encryption algorithm, hash, Diffie-Hellman group and authentication method. Both peers must have a matching policy.
R1(config)#crypto isakmp key 123 add 200.200.200.2
\\Pre-shared key 123 for peer 200.200.200.2. This is a lab value only: a production PSK should be long and random, and it must be identical on both peers.
R1(config)#crypto ipsec transform-set gre ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)
  esp-aes       ESP transform using AES cipher
  esp-des       ESP transform using DES cipher (56 bits)
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-sha-hmac  ESP transform using HMAC-SHA auth
R1(config)#crypto ipsec transform-set gre esp-3des esp-sha-hmac
\\Define the transform set (IKE phase 2 algorithms); gre is its name.
R1(config)#access-list 100 permit gre host 100.100.100.2 host 200.200.200.2
\\Define the interesting traffic. The crypto ACL matches the GRE protocol between the two public addresses that terminate the tunnel, not the private subnets: the private subnets travel inside the GRE tunnel, and the routing protocol exchanges them over it. Because everything the tunnel carries is encapsulated in GRE first, this one ACL entry covers all site-to-site traffic.
R1(config)#crypto map |2| 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R1(config-crypto-map)#set peer 200.200.200.2
R1(config-crypto-map)#set transform-set gre
R1(config-crypto-map)#match address 100
R1(config-crypto-map)#exi
\\Define the crypto map: the peer, the transform set, and the ACL that selects the traffic to protect.
R1(config)#int fa0/1
R1(config-if)#crypto map |2|
*Jan  3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#exi
R1(config)#
\\Apply the crypto map to the outside interface (the tunnel source). ISAKMP is enabled automatically.
R3:
R3(config)#crypto isakmp policy 1
R3(config-isakmp)#encryption 3des
R3(config-isakmp)#hash sha
R3(config-isakmp)#group 2
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#exi
R3(config)#crypto isakmp key 123 add 100.100.100.2
R3(config)#crypto ipsec transform-set gre esp-3des esp-sha-hmac
R3(config)#access-list 100 permit gre host 200.200.200.2 host 100.100.100.2
R3(config)#crypto map |2| 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R3(config-crypto-map)#set peer 100.100.100.2
R3(config-crypto-map)#set transform-set gre
R3(config-crypto-map)#match address 100
R3(config-crypto-map)#exi
R3(config)#int fa0/0
R3(config-if)#crypto map |2|
*Jan  3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3(config-if)#exi
 

5. Configure OSPF so the two sites learn each other's networks
R3:
R3(config)#router ospf 100
R3(config-router)#network 192.168.1.0 255.255.255.0 area 0
R3(config-router)#network 1.1.1.0 255.255.255.0 area 0
R1:
R1(config)#router ospf 110
R1(config-router)#network 10.1.1.0 255.255.255.0 area 0
R1(config-router)#network 1.1.1.0 255.255.255.0 area 0
R1(config-router)#exi
\\Enable OSPF on the LAN and on the tunnel network. The OSPF process IDs (100 and 110) are locally significant and do not need to match; the area does. IOS expects a wildcard mask in the network statement and converts the subnet mask typed here to 0.0.0.255. Do not advertise the public tunnel-source networks (100.100.100.0/24, 200.200.200.0/24) into this process: if the tunnel destination became reachable through the tunnel itself, the tunnel would flap with recursive routing.
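Steps 3 to 5 combined on both routers, rewritten the way this lab would be built on a current IOS release. This is an added example and not part of the original lab: it replaces the crypto map and crypto ACL of step 4 with an IPsec profile bound to the tunnel interface (`tunnel protection`), swaps 3DES/SHA-1/DH group 2 for AES-256/SHA-256/DH group 14, uses transport mode (the GRE header already provides the outer IP header), and uses a long pre-shared key. The names GRE-TS and GRE-PROT, policy number 10, the key string, the router IDs and the MTU/MSS values are choices made for this example; it assumes an IOS release that accepts `hash sha256` and `esp-sha256-hmac` (15.x or later), and that the crypto map applied in step 4 has been removed from the outside interfaces first, since a crypto map and tunnel protection must not both claim the same GRE flow.

```cisco
! R1 (site A): hardened version of steps 3 to 5 on one router.
! Example configuration, not the lab's own; assumes IOS 15.x with SHA-256 support.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Long random pre-shared key (placeholder value chosen for this example).
crypto isakmp key Xk9v2Qp7Lm4Rt8Wz5Nb1Hc3Jd6Fg0Sy address 200.200.200.2
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
! The profile replaces "crypto map" + access-list 100: the router derives the
! proxy identities (GRE between the two tunnel endpoints) from the tunnel itself.
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
interface Tunnel1
 ip address 1.1.1.1 255.255.255.0
 ! Leave room for GRE + ESP overhead so inner packets are not fragmented.
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/1
 tunnel destination 200.200.200.2
 tunnel protection ipsec profile GRE-PROT
!
router ospf 110
 router-id 1.1.1.1
 ! Send hellos only over the tunnel; the LAN has no OSPF speakers.
 passive-interface default
 no passive-interface Tunnel1
 network 10.1.1.0 0.0.0.255 area 0
 network 1.1.1.0 0.0.0.255 area 0
!
! R3 (site B): mirror image, only addresses and interface names differ.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key Xk9v2Qp7Lm4Rt8Wz5Nb1Hc3Jd6Fg0Sy address 100.100.100.2
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
interface Tunnel2
 ip address 1.1.1.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 100.100.100.2
 tunnel protection ipsec profile GRE-PROT
!
router ospf 100
 router-id 1.1.1.2
 passive-interface default
 no passive-interface Tunnel2
 network 192.168.1.0 0.0.0.255 area 0
 network 1.1.1.0 0.0.0.255 area 0
```

To confirm the tunnel is actually encrypted rather than merely up: `show crypto isakmp sa` should list the peer in state QM_IDLE; `show crypto ipsec sa` should show the #pkts encaps and #pkts decaps counters rising while R0 pings 192.168.1.2; a capture on either R2 link should show only ESP (IP protocol 50) between 100.100.100.2 and 200.200.200.2, with no GRE (protocol 47) visible; and `show ip ospf neighbor` should show the far router in state FULL on the tunnel interface.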
Check the routing tables
R1:
R1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 100.100.100.1 to network 0.0.0.0

     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Tunnel1
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, FastEthernet0/0
     100.0.0.0/24 is subnetted, 1 subnets
C       100.100.100.0 is directly connected, FastEthernet0/1
O    192.168.1.0/24 [110/1001] via 1.1.1.2, 00:00:14, Tunnel1
S*   0.0.0.0/0 [1/0] via 100.100.100.1

R3:
R3#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 200.200.200.1 to network 0.0.0.0

     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Tunnel2
     10.0.0.0/24 is subnetted, 1 subnets
O       10.1.1.0 [110/1001] via 1.1.1.1, 00:01:48, Tunnel2
C    192.168.1.0/24 is directly connected, FastEthernet0/1
C    200.200.200.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 200.200.200.1
R3#
Test:
R4>
R4>ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 78/90/94 ms

R4>ping 10.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 109/120/125 ms

R0:
R0>ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 110/119/125 ms

This completes the lab: both private LANs reach each other through the GRE tunnel, OSPF has exchanged the two subnets across it, and the GRE packets between 100.100.100.2 and 200.200.200.2 are carried inside IPsec ESP.