Site-to-Site IPSec-××× 实验配置

1.拓扑图

  

2.各路由器基本配置 和 静态路由配置

  R1:

int f0/0

ip add 172.16.12.1 255.255.255.0

no shut

int lo0

ip add 10.10.1.1 255.255.255.0

ip route 10.10.2.0 255.255.255.0 172.16.12.2

ip route 172.16.23.0 255.255.255.0 172.16.12.2

  R2:

int f0/0

ip add 172.16.12.2 255.255.255.0

no shut

int f1/0

ip add 172.16.23.2 255.255.255.0

no shut

ip route 10.10.2.0 255.255.255.0 172.16.23.3 

ip route 10.10.1.0 255.255.255.0 172.16.12.1

  R3:

int f0/0

ip add 172.16.23.3 255.255.255.0

no shut

int lo0

ip add 10.10.2.2 255.255.255.0

ip route 10.10.1.0 255.255.255.0 172.16.23.2 

ip route 172.16.12.0 255.255.255.0 172.16.23.2

   验证：

 

3.在R1和R3上配置IPSec-×××

  R1：

crypto isakmp policy 10

encryption 3des

hash sha

authentication pre-share

group 2

crypto isakmp key ccna-ccnp add 172.16.23.3

access-list 110 permit ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255

crypto ipsec transform-set ccie esp-3des esp-sha-hmac

crypto map ××× 10 ipsec-isakmp

match add 110

set peer 172.16.23.3

set transform-set ccie

exit

int f0/0

crypto map ×××

   R2:

crypto isakmp policy 10

encryption 3des

hash sha

authentication pre-share

group 2

crypto isakmp key ccna-ccnp add 172.16.12.1

access-list 110 permit ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255

crypto ipsec transform-set ccie esp-3des esp-sha-hmac

crypto map ××× 10 ipsec-isakmp

match add 110

set peer 172.16.12.1

set transform-set ccie

exit

int f0/0

crypto map ×××

4.在R2上以10.10.1.1为源地址ping10.10.2.2

 5.show run 

   以R1为例:

r1# show run

Building configuration...

Current configuration : 1064 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname r1

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 5

!

!

ip cef

no ip domain lookup

!

!

crypto isakmp policy 10

 encr 3des

 authentication pre-share

 group 2

crypto isakmp key ccna-ccnp address 172.16.23.3

!

!

crypto ipsec transform-set ccie esp-3des esp-sha-hmac

!

crypto map ××× 10 ipsec-isakmp

 set peer 172.16.23.3

 set transform-set ccie

 match address 110

!

!

interface Loopback0

 ip address 10.10.1.1 255.255.255.0

!

interface FastEthernet0/0

 ip address 172.16.12.1 255.255.255.0

 duplex auto

 speed auto

 crypto map ×××

!

ip http server

no ip http secure-server

ip route 10.10.2.0 255.255.255.0 172.16.12.2

ip route 172.16.23.0 255.255.255.0 172.16.12.2

!

!

access-list 110 permit ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255

!

!

control-plane

!

!

line con 0

 exec-timeout 0 0

 logging synchronous

line aux 0

line vty 0 4

!

!

end