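First, the background of the lab. A remote user wants to use VPN technology to securely access the internal server at headquarters. The topology is shown below: Router1 simulates the headquarters router, Router4 simulates the remote router, and Router3 simulates the branch router. Pay close attention to the parts annotated in red in the lab. PC0 simulates the internal server. (For the theory, see the previous post in my VPN category.)
Verification: PC0 pings PC1. (Note: before the VPN is configured, PC0 cannot ping PC1. After the lab is complete, the first pings from PC0 to PC1 are dropped while the tunnel is still being negotiated; this is normal and clears up shortly.)
PC0: IP 192.168.1.2, gateway 192.168.1.1. PC1: IP 192.168.2.2, gateway 192.168.2.1.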
The lab result files have been uploaded as an attachment.
 
zongbu (headquarters) router configuration:
Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#host zongbu
zongbu(config)#int f 0/0
zongbu(config-if)#ip add 100.1.1.1 255.255.255.0
zongbu(config-if)#no shut
zongbu(config-if)#exit
zongbu(config)#int f 0/1
zongbu(config-if)#ip add 200.1.1.1 255.255.255.0
zongbu(config-if)#no shut
zongbu(config-if)#exit
      
fengbu (branch) router configuration:
Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#host fengbu
fengbu(config)#int f 0/1
fengbu(config-if)#ip add 192.168.1.1 255.255.255.0
fengbu(config-if)#no shut
fengbu(config-if)#exit
fengbu(config)#int f 0/0
fengbu(config-if)#ip add 100.1.1.2 255.255.255.0
fengbu(config-if)#no shut
fengbu(config)#crypto isakmp policy 10
fengbu(config-isakmp)#encryption 3des
fengbu(config-isakmp)#hash md5
fengbu(config-isakmp)#authentication pre-share
fengbu(config)#crypto isakmp key tom address 200.1.1.2
fengbu(config)#crypto ipsec transform-set jizhen esp-3des esp-md5-hmac
fengbu(config)#crypto map tom 10 ipsec-isakmp
fengbu(config-crypto-map)#set peer 200.1.1.2
fengbu(config-crypto-map)#set transform-set jizhen
fengbu(config-crypto-map)#match address 101
fengbu(config-crypto-map)#exit
fengbu(config)#access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
fengbu(config)#int f 0/0
fengbu(config-if)#crypto map tom
*Jan  3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
fengbu(config-if)#no shut
fengbu(config-if)#exit
fengbu(config)#ip route 0.0.0.0 0.0.0.0 100.1.1.1
 
yuancheng (remote) router configuration:
Router>en
Router#conf t
Router(config)#host yuancheng
yuancheng(config)#int f 0/1
yuancheng(config-if)#ip add 200.1.1.2 255.255.255.0
yuancheng(config-if)#no shut
yuancheng(config-if)#exit
yuancheng(config)#int f 0/0
yuancheng(config-if)#ip add 192.168.2.1 255.255.255.0
yuancheng(config-if)#no shut
yuancheng(config-if)#exit
yuancheng(config)#crypto isakmp policy 10
yuancheng(config-isakmp)#encryption 3des
yuancheng(config-isakmp)#hash md5
yuancheng(config-isakmp)#authentication pre-share
yuancheng(config)#crypto isakmp key tom address 100.1.1.2
yuancheng(config)#crypto ipsec transform-set jizhen esp-3des esp-md5-hmac
yuancheng(config)#crypto map tom 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
yuancheng(config-crypto-map)#set transform-set jizhen
yuancheng(config-crypto-map)#set peer 100.1.1.2
yuancheng(config-crypto-map)#match address 101
yuancheng(config-crypto-map)#exit
yuancheng(config)#access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
yuancheng(config)#int f 0/1
yuancheng(config-if)#crypto map tom
*Jan  3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
yuancheng(config-if)#no shut
yuancheng(config-if)#exit
yuancheng(config)#ip route 0.0.0.0 0.0.0.0 200.1.1.1
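
The tunnel only negotiates when both ends agree, so the following added example (not part of the original post) checks the fengbu and yuancheng crypto settings against each other and flags the deprecated 3DES and MD5 algorithms they use. The configuration text is taken from the sessions above with the prompts stripped; the `parse` and `audit` helpers and the finding labels are hypothetical names chosen for this sketch.

```python
import re

# Crypto lines copied from the fengbu session on this page (prompts stripped).
FENGBU = """crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
crypto isakmp key tom address 200.1.1.2
crypto ipsec transform-set jizhen esp-3des esp-md5-hmac
crypto map tom 10 ipsec-isakmp
 set peer 200.1.1.2
 set transform-set jizhen
 match address 101
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
# yuancheng's crypto lines differ only in the peer address and the ACL direction.
YUANCHENG = FENGBU.replace("200.1.1.2", "100.1.1.2").replace(
    "192.168.1.0 0.0.0.255 192.168.2.0", "192.168.2.0 0.0.0.255 192.168.1.0")
WEAK = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}  # deprecated

def parse(cfg):
    """Pull the tunnel parameters out of one router's crypto configuration."""
    def grab(pattern):
        m = re.search(pattern, cfg, re.M)
        return m.groups() if m else ()
    return {
        "ike": grab(r"^\s*encryption (\S+)") + grab(r"^\s*hash (\S+)"),
        "psk": grab(r"^crypto isakmp key (\S+) address (\S+)"),
        "esp": tuple(" ".join(grab(r"^crypto ipsec transform-set \S+ (.+)$")).split()),
        "peer": grab(r"^\s*set peer (\S+)"),
        "acl": grab(r"permit ip (\S+ \S+) (\S+ \S+)"),
    }

def audit(cfg_a, wan_a, cfg_b, wan_b):
    """Return findings; wan_a/wan_b are the addresses of the crypto-map interfaces."""
    a, b, out = parse(cfg_a), parse(cfg_b), []
    if a["peer"] != (wan_b,) or b["peer"] != (wan_a,):
        out.append("peer: 'set peer' must be the other router's crypto-map interface")
    if a["psk"][:1] != b["psk"][:1] or a["psk"][1:] != (wan_b,) or b["psk"][1:] != (wan_a,):
        out.append("psk: keys differ or are bound to the wrong peer address")
    if a["ike"] != b["ike"] or a["esp"] != b["esp"]:
        out.append("proposal: ISAKMP policy or transform set differs between peers")
    if not a["acl"] or a["acl"] != b["acl"][::-1]:
        out.append("acl: crypto ACLs must be mirror images of each other")
    weak = sorted(WEAK & set(a["ike"] + a["esp"] + b["ike"] + b["esp"]))
    return out + (["weak: " + ", ".join(weak)] if weak else [])

if __name__ == "__main__":
    print("\n".join(audit(FENGBU, "100.1.1.2", YUANCHENG, "200.1.1.2")))
```

On the lab configuration the two ends are consistent, so the only finding is the weak-algorithm one.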