Lab topology diagram:
Lab requirements:
Configure an IPsec VPN between the gateways of the Shanghai and Beijing branch offices so that the two internal LANs can reach each other; each branch gateway has a single default route pointing toward the ISP.
Lab steps:
Configure the IP addresses on each device:
AR1:
[shanghai]int g0/0/1
[shanghai-GigabitEthernet0/0/1]ip add 192.168.1.1 24
[shanghai-GigabitEthernet0/0/1]un shut
[shanghai-GigabitEthernet0/0/1]int g0/0/0
[shanghai-GigabitEthernet0/0/0]ip add 12.0.0.1 24
[shanghai-GigabitEthernet0/0/0]un shut
ISP:
[ISP]int g0/0/0
[ISP-GigabitEthernet0/0/0]ip add 12.0.0.2 24
[ISP-GigabitEthernet0/0/0]un shut
[ISP-GigabitEthernet0/0/0]int g0/0/1
[ISP-GigabitEthernet0/0/1]ip add 13.0.0.1 24
[ISP-GigabitEthernet0/0/1]un shut
AR2:
[beijing]int g0/0/0
[beijing-GigabitEthernet0/0/0]ip add 13.0.0.2 24
[beijing-GigabitEthernet0/0/0]int g0/0/1
[beijing-GigabitEthernet0/0/1]ip add 10.0.0.1 24
[beijing-GigabitEthernet0/0/1]un shut
PC1:
PC2:
Default route configuration:
[shanghai]ip route-static 0.0.0.0 0.0.0.0 12.0.0.2
[beijing]ip route-static 0.0.0.0 0.0.0.0 13.0.0.1
Configure the IPsec VPN:
Shanghai branch gateway:
[shanghai]acl number 3000 //create the advanced access control list
[shanghai-acl-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255 destination 10.0.0.0 0.0.0.255 //the traffic to be protected by IPsec
[shanghai-acl-adv-3000]rule deny ip source any destination any //all other traffic is not matched by the policy
[shanghai-acl-adv-3000]q
[shanghai]ipsec proposal transform1 //create an IPsec proposal (transform set) named transform1
[shanghai-ipsec-proposal-transform1]encapsulation-mode tunnel //use tunnel mode
[shanghai-ipsec-proposal-transform1]transform esp //use ESP as the security protocol
[shanghai-ipsec-proposal-transform1]esp encryption-algorithm des //select the ESP encryption algorithm
[shanghai-ipsec-proposal-transform1]esp authentication-algorithm sha1 //select the ESP authentication (integrity) algorithm
[shanghai-ipsec-proposal-transform1]q
[shanghai]ike peer bj v2 //configure the IKE peer (IKEv2)
[shanghai-ike-peer-bj]pre-shared-key cipher benet //pre-shared key, stored in cipher form
[shanghai-ike-peer-bj]remote-address 13.0.0.2 //IP address of the peer, the Beijing branch gateway
[shanghai-ike-peer-bj]q
[shanghai]ipsec policy map1 10 isakmp //create a security policy whose negotiation mode is isakmp
[shanghai-ipsec-policy-isakmp-map1-10]security acl 3000 //reference the access control list
[shanghai-ipsec-policy-isakmp-map1-10]proposal transform1 //reference the IPsec proposal
[shanghai-ipsec-policy-isakmp-map1-10]ike-peer bj //reference the IKE peer
[shanghai-ipsec-policy-isakmp-map1-10]q
[shanghai]int g0/0/0 //apply the IPsec policy on the interface
[shanghai-GigabitEthernet0/0/0]ipsec policy map1
Beijing branch:
[beijing]acl number 3000
[beijing-acl-adv-3000]rule permit ip source 10.0.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[beijing-acl-adv-3000]rule deny ip source any destination any
[beijing-acl-adv-3000]q
[beijing]ipsec proposal transform1
[beijing-ipsec-proposal-transform1]encapsulation-mode tunnel
[beijing-ipsec-proposal-transform1]transform esp
[beijing-ipsec-proposal-transform1]esp encryption-algorithm des
[beijing-ipsec-proposal-transform1]esp authentication-algorithm sha1
[beijing-ipsec-proposal-transform1]q
[beijing]ike peer sh v2
[beijing-ike-peer-sh]pre-shared-key cipher benet
[beijing-ike-peer-sh]remote-address 12.0.0.1 //IP address of the peer, the Shanghai gateway
[beijing-ike-peer-sh]q
[beijing]ipsec policy map1 10 isakmp
[beijing-ipsec-policy-isakmp-map1-10]security acl 3000
[beijing-ipsec-policy-isakmp-map1-10]proposal transform1
[beijing-ipsec-policy-isakmp-map1-10]ike-peer sh
[beijing-ipsec-policy-isakmp-map1-10]q
[beijing]int g0/0/0
[beijing-GigabitEthernet0/0/0]ipsec policy map1
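The two gateway configurations above only work if they are exact mirrors of each other: the Beijing ACL must be the Shanghai ACL with source and destination swapped, each remote-address must be the address of the interface on which the other side applied its IPsec policy, and the proposal and pre-shared key must match. The following Python script is an added example, not part of the lab and not a Huawei tool; it re-parses the CLI lines from this write-up (embedded below as a constructed copy, with the q lines and comments dropped), checks those properties, evaluates which flows the ACL would send into the tunnel, and flags DES, which is a deprecated cipher and should not be used outside a lab. The parsing rules (prompt-based view detection, the wildcard-mask conversion) are assumptions made for this example and cover only the commands shown on this page.

```python
import ipaddress
import re

# Constructed input: the two gateway CLI sessions from the write-up, with the
# "q" lines and trailing comments dropped. The prompt carries the view context.
SHANGHAI = """
[shanghai-GigabitEthernet0/0/1]ip add 192.168.1.1 24
[shanghai-GigabitEthernet0/0/0]ip add 12.0.0.1 24
[shanghai-acl-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
[shanghai-acl-adv-3000]rule deny ip source any destination any
[shanghai-ipsec-proposal-transform1]encapsulation-mode tunnel
[shanghai-ipsec-proposal-transform1]transform esp
[shanghai-ipsec-proposal-transform1]esp encryption-algorithm des
[shanghai-ipsec-proposal-transform1]esp authentication-algorithm sha1
[shanghai-ike-peer-bj]pre-shared-key cipher benet
[shanghai-ike-peer-bj]remote-address 13.0.0.2
[shanghai-GigabitEthernet0/0/0]ipsec policy map1
"""
BEIJING = """
[beijing-GigabitEthernet0/0/0]ip add 13.0.0.2 24
[beijing-GigabitEthernet0/0/1]ip add 10.0.0.1 24
[beijing-acl-adv-3000]rule permit ip source 10.0.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[beijing-acl-adv-3000]rule deny ip source any destination any
[beijing-ipsec-proposal-transform1]encapsulation-mode tunnel
[beijing-ipsec-proposal-transform1]transform esp
[beijing-ipsec-proposal-transform1]esp encryption-algorithm des
[beijing-ipsec-proposal-transform1]esp authentication-algorithm sha1
[beijing-ike-peer-sh]pre-shared-key cipher benet
[beijing-ike-peer-sh]remote-address 12.0.0.1
[beijing-GigabitEthernet0/0/0]ipsec policy map1
"""

# "rule <action> ip source <addr> [wildcard] destination <addr> [wildcard]"
RULE_RE = re.compile(r"rule (\w+) ip source (\S+)(?: (\d\S*))? destination (\S+)(?: (\d\S*))?$")
WEAK = {"des", "3des", "md5"}  # algorithms not acceptable for new deployments


def net(addr, wildcard):
    """Turn a VRP address + wildcard-mask pair into an ip_network ("any" = 0.0.0.0/0)."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    host_bits = bin(int(ipaddress.ip_address(wildcard))).count("1")  # 1-bits in the wildcard are host bits
    return ipaddress.ip_network(f"{addr}/{32 - host_bits}", strict=False)


def parse(cfg):
    """Collect interface addresses, ACL rules, proposal, IKE peer and the IPsec-enabled interface."""
    g = {"ifaces": {}, "acl": [], "proposal": {}, "peer": {}, "policy_iface": None}
    for line in cfg.strip().splitlines():
        ctx, cmd = re.match(r"\[([^\]]+)\](.*)", line).groups()
        cmd = cmd.split("//")[0].strip()                 # drop any trailing comment
        view = ctx.split("-", 1)[1] if "-" in ctx else ""  # view name after the hostname
        w = cmd.split()
        if cmd.startswith("ip add"):
            g["ifaces"][view] = w[2]
        elif cmd.startswith("rule "):
            m = RULE_RE.match(cmd)
            g["acl"].append((m.group(1), net(m.group(2), m.group(3)), net(m.group(4), m.group(5))))
        elif view.startswith("ipsec-proposal"):
            g["proposal"][" ".join(w[:-1])] = w[-1]
        elif view.startswith("ike-peer"):
            g["peer"][w[0]] = w[-1]
        elif cmd.startswith("ipsec policy") and view.startswith("GigabitEthernet"):
            g["policy_iface"] = view
    return g


def acl_action(rules, src, dst):
    """First-match evaluation: the ACL action applied to a src->dst flow (None if no rule matches)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return None


def check(a, b):
    """Findings that would keep the tunnel from negotiating or from carrying the LAN traffic."""
    findings = []
    for x, y in ((a, b), (b, a)):
        mirror = {(d, s) for act, s, d in y["acl"] if act == "permit"}
        for act, s, d in x["acl"]:
            if act == "permit" and (s, d) not in mirror:
                findings.append(f"ACL permit {s}->{d} has no mirrored rule on the peer")
        want = y["ifaces"].get(y["policy_iface"])  # peer's IPsec-enabled interface address
        got = x["peer"].get("remote-address")
        if got != want:
            findings.append(f"remote-address {got} does not match peer interface address {want}")
    if a["proposal"] != b["proposal"]:
        findings.append("IPsec proposal mismatch")
    if a["peer"].get("pre-shared-key") != b["peer"].get("pre-shared-key"):
        findings.append("pre-shared-key mismatch")
    return findings


def weak_algorithms(g):
    """Proposal values that are deprecated ciphers or hashes."""
    return sorted(v for v in g["proposal"].values() if v in WEAK)


if __name__ == "__main__":
    sh, bj = parse(SHANGHAI), parse(BEIJING)
    print("consistency findings:", check(sh, bj) or "none")
    print("weak algorithms (shanghai):", weak_algorithms(sh))
    print("PC1 -> PC2:", acl_action(sh["acl"], "192.168.1.10", "10.0.0.10"))
    print("PC1 -> Internet:", acl_action(sh["acl"], "192.168.1.10", "203.0.113.5"))
```

Run it as-is to confirm the two configurations are consistent (no findings, DES flagged), then change one remote-address or one ACL network in the embedded text to see which mismatch the check reports; the same checks are what you would walk through by hand when an IKE negotiation fails or the ping between the LANs never enters the tunnel.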
Test: access the Beijing branch from the Shanghai branch:
Lab complete
This lab is configured for the single-client case, where only the gateways need to be configured and no VLANs are required; with multiple clients, VLANs can be configured.