Hub site configuration:
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
! The policy sequence number should be large; a key bound to the all-zeros address (0.0.0.0 0.0.0.0, eight zeros) is very insecure
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto dynamic-map dymap 10
set transform-set cisco
! Only the transform set is pinned to "cisco"; everything else is negotiated, accepting whatever the peer proposes
!
crypto map cisco 10 ipsec-isakmp dynamic dymap
! Apply it to the interface. A dynamic map is normally placed last with a sequence number as large as possible; neither the interesting-traffic ACL nor the peer needs to be written
interface Ethernet0/1
ip address 202.102.1.1 255.255.255.0
half-duplex
crypto map cisco
!
ip route 0.0.0.0 0.0.0.0 202.102.1.2
R2 uses a standard LAN-to-LAN (L2L) configuration.
R2
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 202.102.1.1
!
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
set peer 202.102.1.1
set transform-set cisco
match address 100
!
!
interface Ethernet0/0
ip address 202.102.1.2 255.255.255.0
half-duplex
crypto map cisco
!
ip route 0.0.0.0 0.0.0.0 202.102.1.1
access-list 100 permit ip host 2.2.2.2 host 1.1.1.1
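An added example, not part of the original page: a small Python auditor that reads the hub and branch configurations above and flags the points the comments raise (a pre-shared key bound to 0.0.0.0 0.0.0.0, a dynamic entry that is not evaluated last, a static entry missing its peer or ACL, and a map made only of dynamic entries, which can never initiate). It goes beyond the page in one respect: it also flags deprecated transforms such as esp-des and esp-md5-hmac. HARDENED_CONFIG is a constructed, hypothetical corrected variant; the key placeholder, the "strong" transform-set name and the 65535 sequence number are assumptions, not from the page.

```python
import re

# Constructed input: the hub-site configuration from this page, as the auditor
# would read it from a saved running-config.
HUB_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set cisco esp-des esp-md5-hmac
crypto dynamic-map dymap 10
 set transform-set cisco
crypto map cisco 10 ipsec-isakmp dynamic dymap
interface Ethernet0/1
 ip address 202.102.1.1 255.255.255.0
 crypto map cisco
"""

# Constructed, hypothetical hardened variant (not from the page): a per-peer key,
# AES/SHA-256 transforms, a static entry for the known spoke, and the dynamic
# entry moved to the highest sequence number so it is evaluated last.
HARDENED_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key EXAMPLE-PSK-PLACEHOLDER address 202.102.1.2
crypto ipsec transform-set strong esp-aes 256 esp-sha256-hmac
crypto dynamic-map dymap 10
 set transform-set strong
crypto map cisco 10 ipsec-isakmp
 set peer 202.102.1.2
 set transform-set strong
 match address 100
crypto map cisco 65535 ipsec-isakmp dynamic dymap
"""

# Transforms that should not appear in a new deployment (DES/3DES and MD5 are
# deprecated; esp-null provides no confidentiality).
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac", "esp-null"}

ENTRY_RE = re.compile(r"crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$")
TOP_LEVEL = ("crypto ", "interface ", "ip ", "access-list ", "!")


def parse_crypto_maps(config):
    """Return {map_name: [entry, ...]}; each entry records its sequence number,
    the dynamic-map name (None for a static entry) and any peer / ACL set.
    Indentation is not relied on, so a copy pasted without it still parses."""
    maps, current = {}, None
    for line in config.splitlines():
        s = line.strip()
        m = ENTRY_RE.match(s)
        if m:
            current = {"seq": int(m.group(2)), "dynamic": m.group(3), "peer": None, "acl": None}
            maps.setdefault(m.group(1), []).append(current)
        elif s.startswith(TOP_LEVEL):
            current = None  # any other top-level command ends the entry
        elif current is not None:
            m = re.match(r"set peer (\S+)$", s)
            if m:
                current["peer"] = m.group(1)
            m = re.match(r"match address (\S+)$", s)
            if m:
                current["acl"] = m.group(1)
    return maps


def audit_crypto_config(config):
    """Return a list of finding codes, in the order the offending lines appear."""
    findings = []
    for line in config.splitlines():
        s = line.strip()
        m = re.match(r"crypto isakmp key \S+ address (\S+)(?: (\S+))?$", s)
        if m and m.group(1) == "0.0.0.0" and m.group(2) == "0.0.0.0":
            findings.append("WILDCARD_PSK: one pre-shared key accepted from any peer address")
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", s)
        if m:
            weak = [t for t in m.group(2).split() if t in WEAK_TRANSFORMS]
            if weak:
                findings.append("WEAK_TRANSFORM:%s:%s" % (m.group(1), ",".join(weak)))
    for name, entries in parse_crypto_maps(config).items():
        static = [e for e in entries if e["dynamic"] is None]
        dynamic = [e for e in entries if e["dynamic"] is not None]
        for e in static:
            if e["peer"] is None or e["acl"] is None:
                findings.append("STATIC_INCOMPLETE:%s:%d" % (name, e["seq"]))
        if static and dynamic and min(e["seq"] for e in dynamic) < max(e["seq"] for e in static):
            findings.append("DYNAMIC_NOT_LAST:%s" % name)
        if dynamic and not static:
            # Only dynamic entries: this router never initiates IKE for the map; SAs
            # appear only after a peer initiates (the hub-to-branch ping failure below).
            findings.append("RESPOND_ONLY:%s" % name)
    return findings


if __name__ == "__main__":
    for label, cfg in (("hub (page)", HUB_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_crypto_config(cfg) or ["no findings"])
```

RESPOND_ONLY is a design property rather than a misconfiguration: a hub that only ever holds dynamic entries is exactly what the page builds, and the finding simply records that such a hub cannot be the side that brings a tunnel up.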
Traffic initiated from the hub toward the branch fails. (The hub only accepts passively; once the branch has brought the tunnel up, pings succeed in both directions.)
r1#ping 2.2.2.2 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.....
Success rate is 0 percent (0/5)
r1#
Traffic initiated from the branch toward the hub succeeds.
r2#ping 1.1.1.1 source 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/132/144 ms
r2#
r2#show crypto ipsec sa
interface: Ethernet0/0
Crypto map tag: cisco, local addr. 202.102.1.2
local ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255
current_peer: 202.102.1.1
PERMIT, flags={origin_is_acl,}
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest 14
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify 14
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts deco
#send errors 1, #recv errors 0
local crypto endpt.: 202.102.1.2, remote crypto endpt.: 20
path mtu 1500, ip mtu 1500, ip mtu interface Ethernet0/0
current outbound spi: 45F1EEF3
inbound esp sas:
spi: 0x96655438(2523223096)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2000, flow_id: 1, crypto map: cisco
--More--
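An added example, not part of the original page: a Python parser that reads the `show crypto ipsec sa` capture above and classifies the flow as down, one-way or up from the SPIs and the encaps/decaps counters, which is the check to run on the hub after a branch has initiated. The capture is embedded verbatim, cut-off lines included; the regexes anchor on field labels so the values that survived are still extracted. The "outbound spi 0 means no SA" rule reflects how IOS prints a flow without a negotiated SA and is an assumption about the platform, not something the page shows.

```python
import re

# Constructed input: the `show crypto ipsec sa` capture quoted above, embedded
# verbatim as parser input (its cut-off lines are kept cut off).
SA_OUTPUT = """\
interface: Ethernet0/0
Crypto map tag: cisco, local addr. 202.102.1.2
local ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255
current_peer: 202.102.1.1
PERMIT, flags={origin_is_acl,}
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest 14
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify 14
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts deco
#send errors 1, #recv errors 0
local crypto endpt.: 202.102.1.2, remote crypto endpt.: 20
path mtu 1500, ip mtu 1500, ip mtu interface Ethernet0/0
current outbound spi: 45F1EEF3
inbound esp sas:
spi: 0x96655438(2523223096)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2000, flow_id: 1, crypto map: cisco
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"

# Field label -> regex. Searching by label means a line the pager cut off
# still yields whatever part of the value survived.
FIELD_RE = {
    "interface": re.compile(r"^interface: (\S+)"),
    "crypto_map": re.compile(r"Crypto map tag: ([^,]+),"),
    "local_ident": re.compile(r"local ident .*?\(" + IP + "/" + IP),
    "remote_ident": re.compile(r"remote ident .*?\(" + IP + "/" + IP),
    "peer": re.compile(r"current_peer: " + IP),
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
    "send_errors": re.compile(r"#send errors (\d+)"),
    "recv_errors": re.compile(r"#recv errors (\d+)"),
    "outbound_spi": re.compile(r"current outbound spi: ([0-9A-Fa-f]+)"),
    "transform": re.compile(r"transform: (.+?) ,"),
}
COUNTERS = ("encaps", "decaps", "send_errors", "recv_errors")


def parse_ipsec_sa(text):
    """Parse one flow block of `show crypto ipsec sa` into a dict; counters default
    to 0 and SPI lists to empty so a flow with no SA still parses."""
    sa = {k: 0 for k in COUNTERS}
    sa["inbound_spis"], sa["outbound_spis"] = [], []
    section = None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("inbound esp sas"):
            section = "inbound_spis"
        elif s.startswith("outbound esp sas"):
            section = "outbound_spis"
        m = re.match(r"spi: 0x([0-9A-Fa-f]+)", s)
        if m and section:
            sa[section].append(m.group(1))
            continue
        for key, rx in FIELD_RE.items():
            m = rx.search(s)
            if not m:
                continue
            if key in COUNTERS:
                sa[key] = int(m.group(1))
            elif key.endswith("_ident"):
                sa[key] = (m.group(1), m.group(2))  # (address, mask)
            else:
                sa[key] = m.group(1)
    return sa


def tunnel_state(sa):
    """'down': no SA negotiated for the flow (assumption: IOS prints an outbound
    spi of 0 and lists no inbound SAs); 'one-way': SAs exist but packets flow in
    one direction only; 'up': both directions carry packets."""
    if not sa["inbound_spis"] or sa.get("outbound_spi", "0") == "0":
        return "down"
    if sa["encaps"] > 0 and sa["decaps"] > 0:
        return "up"
    return "one-way"


if __name__ == "__main__":
    sa = parse_ipsec_sa(SA_OUTPUT)
    print("%s <-> %s via %s: %s (encaps %d, decaps %d, send errors %d)" % (
        sa["local_ident"][0], sa["remote_ident"][0], sa["peer"], tunnel_state(sa),
        sa["encaps"], sa["decaps"], sa["send_errors"]))
```

Run against the capture above, the flow 2.2.2.2 to 1.1.1.1 via peer 202.102.1.1 reports "up" with 14 packets in each direction, which is the state that lets the hub's later ping succeed.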
Once the branch has initiated toward the hub, the hub can reach the branch.
r1#ping 2.2.2.2 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/152/276 ms
r1#