Configure interface IP addresses:
RouterA(config)#interface ethernet 0/0
RouterA(config-if)#ip add 50.50.50.50 255.255.255.0
RouterA(config)#interface serial 0/0
RouterA(config-if)#ip add 20.20.20.21 255.255.255.0
RouterB(config)#interface ethernet 0/0
RouterB(config-if)#ip add 60.60.60.60 255.255.255.0
RouterB(config)#interface serial 0/0
RouterB(config-if)#ip add 20.20.20.20 255.255.255.0

Configure static routes:
RouterA(config)#ip route 0.0.0.0 0.0.0.0 20.20.20.20
RouterB(config)#ip route 0.0.0.0 0.0.0.0 20.20.20.21

Configure IKE negotiation:
RouterA(config)#crypto isakmp policy 1
RouterA(config-isakmp)#hash md5
RouterA(config-isakmp)#authentication pre-share
RouterA(config)#crypto isakmp key benet-password address 20.20.20.20
RouterB(config)#crypto isakmp policy 1
RouterB(config-isakmp)#hash md5
RouterB(config-isakmp)#authentication pre-share
RouterB(config)#crypto isakmp key benet-password address 20.20.20.21

Configure the IPSec parameters:
RouterA(config)#crypto ipsec transform-set benetset ah-md5-hmac esp-des
RouterA(config)#access-list 101 permit ip 50.50.50.0 0.0.0.255 60.60.60.0 0.0.0.255
RouterB(config)#crypto ipsec transform-set benetset ah-md5-hmac esp-des
RouterB(config)#access-list 101 permit ip 60.60.60.0 0.0.0.255 50.50.50.0 0.0.0.255

Apply the configuration to the interface:
RouterA(config)#crypto map benetmap 1 ipsec-isakmp
RouterA(config-crypto-map)#set peer 20.20.20.20
RouterA(config-crypto-map)#set transform-set benetset
RouterA(config-crypto-map)#match address 101
RouterA(config)#interface serial 0/0
RouterA(config-if)#crypto map benetmap
RouterB(config)#crypto map benetmap 1 ipsec-isakmp
RouterB(config-crypto-map)#set peer 20.20.20.21
RouterB(config-crypto-map)#set transform-set benetset
RouterB(config-crypto-map)#match address 101
RouterB(config)#interface serial 0/0
RouterB(config-if)#crypto map benetmap

View the related configuration:
RouterA#show crypto isakmp sa
RouterA#show crypto isakmp policy
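
An added example, not part of the original page: a Python check that the two routers' crypto settings above agree (peer addresses, pre-shared key, transform set, mirrored crypto ACLs) and that lists the MD5 and DES options in use. The function names and the `sample` helper are hypothetical, and the config text is constructed from the RouterA/RouterB commands.

```python
def sample(peer, src, dst, key="benet-password"):
    """Constructed input: the crypto lines of the example above, for one router."""
    return f"""crypto isakmp policy 1
 hash md5
crypto isakmp key {key} address {peer}
crypto ipsec transform-set benetset ah-md5-hmac esp-des
access-list 101 permit ip {src} 0.0.0.255 {dst} 0.0.0.255
crypto map benetmap 1 ipsec-isakmp
 set peer {peer}
 set transform-set benetset
 match address 101
"""

def parse(cfg):
    """Extract the tunnel-relevant settings from IOS-style config text."""
    out = {"hash": None, "keys": {}, "tsets": {}, "acls": {}}
    for w in map(str.split, cfg.splitlines()):
        if len(w) == 2 and w[0] == "hash":
            out["hash"] = w[1]
        elif len(w) == 6 and w[:3] == ["crypto", "isakmp", "key"]:
            out["keys"][w[5]] = w[3]                  # peer address -> key
        elif len(w) > 4 and w[:3] == ["crypto", "ipsec", "transform-set"]:
            out["tsets"][w[3]] = w[4:]
        elif len(w) == 8 and w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
            out["acls"].setdefault(w[1], []).append((tuple(w[4:6]), tuple(w[6:8])))
        elif len(w) == 3 and w[0] in ("set", "match"):
            out[w[1]] = w[2]                          # peer, transform-set, address
    return out

WEAKER = {"md5", "ah-md5-hmac", "esp-md5-hmac", "des", "esp-des"}

def audit(a_cfg, b_cfg, a_addr, b_addr):
    """Findings for a pair of peer configs; a_addr/b_addr are each router's own tunnel IP."""
    a, b, found = parse(a_cfg), parse(b_cfg), []
    if a.get("peer") != b_addr or b.get("peer") != a_addr:
        found.append("set peer does not point at the other router")
    if not a["keys"].get(b_addr) or a["keys"].get(b_addr) != b["keys"].get(a_addr):
        found.append("pre-shared key missing or different on the two ends")
    ta, tb = a["tsets"].get(a.get("transform-set")), b["tsets"].get(b.get("transform-set"))
    if not ta or ta != tb:
        found.append("transform sets differ")
    mirrored = [(d, s) for s, d in b["acls"].get(b.get("address"), [])]
    if a["acls"].get(a.get("address"), []) != mirrored:
        found.append("crypto ACLs are not mirror images")
    for name, r, t in (("RouterA", a, ta), ("RouterB", b, tb)):
        found += [f"{name}: {x} is the weaker choice" for x in [r["hash"], *(t or [])] if x in WEAKER]
    return found
```

Calling `audit(sample("20.20.20.20", "50.50.50.0", "60.60.60.0"), sample("20.20.20.21", "60.60.60.0", "50.50.50.0"), "20.20.20.21", "20.20.20.20")` reports no mismatch between the two ends, only the MD5 and DES selections.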

====================================================================

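Enable IKE:
Router(config)#crypto isakmp enable
    Activates IKE.

Create the IKE negotiation policy:
Router(config)#crypto isakmp policy number
    Creates an IKE policy. number is 1~10000; the lower the number, the higher the priority.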

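Configure the IKE negotiation parameters:
Router(config-isakmp)#hash { md5 | sha }
    The hash command sets the algorithm used for key authentication: MD5 or SHA-1.
    SHA-1 is more secure than MD5.
Router(config-isakmp)#encryption { des | 3des }
    The encryption command sets the encryption algorithm: 3DES or DES.
    3DES is stronger than DES and harder to crack.
Router(config-isakmp)#authentication pre-share
    Tells the router to use a pre-shared key; this key is specified manually.
Router(config-isakmp)#lifetime seconds
    Declares the lifetime of the SA; once it expires, the SA is renegotiated.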

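Set the shared key and the peer address:
Router(config)#crypto isakmp key keystring address peer-address
    SAs are unidirectional.
    This command sets the pre-shared key and the IP address of the peer.
    The keys configured on the two ends of the VPN link must match.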

Specify the crypto access list:
Router(config)#access-list access-list-number {deny|permit} protocol source source-wildcard destination destination-wildcard

Router(config)#access-list 101 permit ip host 192.168.10.38 host 192.168.10.66
    101: crypto access list number
    permit: encrypt
    host 192.168.10.38: source address
    host 192.168.10.66: destination address
    All packets sent from 192.168.10.38 to 192.168.10.66 are encrypted.
 
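Configure the IPSec transform set:
Router(config)#crypto ipsec transform-set transform-set-name transform1 {[transform2] [transform3]}
Router(config)#crypto ipsec transform-set benetset ah-md5-hmac esp-des esp-md5-hmac
    benetset: name of the transform set
    ah-md5-hmac: AH authentication uses MD5
    esp-des: ESP encryption uses DES
    esp-md5-hmac: ESP authentication uses MD5

    Available parameters:
    AH authentication: ah-md5-hmac, ah-sha-hmac
    ESP encryption: esp-des, esp-3des, esp-null
    ESP authentication: esp-md5-hmac, esp-sha-hmac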

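Apply the configuration to an interface:

Create the crypto map:
Router(config)#crypto map map-name seq-num ipsec-isakmp
    seq-num: priority of the map (1~65535); the smaller the number, the higher the priority
    ipsec-isakmp: indicates that this connection uses IKE automatic negotiation

Configure the crypto map:
Router(config-crypto-map)#match address access-list-number
    match address: specifies the access control list used by the crypto map
    access-list-number: the access control list number (the same number configured earlier)
Router(config-crypto-map)#set peer ip-address
    set peer: specifies the IP address of the peer of the VPN link that this crypto map corresponds to
    ip-address: the same peer IP address configured for IKE
Router(config-crypto-map)#set transform-set name
    set transform-set: specifies the transform set used by the crypto map, already defined when configuring IPSec
    name: the name configured with the crypto ipsec transform-set command

Apply the crypto map to the interface:
Router(config)#interface interface slot/port
Router(config-if)#crypto map map-name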