Lab:
1. First configure the loopback addresses on R1 and SITE2
R1(config)#int lo 0 -------R1 loopback
R1(config-if)#ip address 1.1.1.1 255.255.255.0
R1(config-if)#no shutdown
SITE2(config)#int lo 0 -------SITE2 loopback
SITE2(config-if)#ip address 2.2.2.2 255.255.255.0
SITE2(config-if)#no shutdown
2. Configure the IP address of each interface
R1(config)#int e0/0
R1(config-if)#ip address 10.1.1.10 255.255.255.0
R1(config-if)#no shutdown
SITE1(config)#int e0/0
SITE1(config-if)#ip address 10.1.1.1 255.255.255.0
SITE1(config-if)#no shutdown
SITE1(config-if)#exit
SITE1(config)#int e0/1
SITE1(config-if)#ip address 202.100.1.1 255.255.255.0
SITE1(config-if)#no shutdown
Internet(config)#int e0/0
Internet(config-if)#ip address 202.100.1.10 255.255.255.0
Internet(config-if)#no shutdown
Internet(config-if)#exit
Internet(config)#int e0/1
Internet(config-if)#ip address 202.100.2.10 255.255.255.0
Internet(config-if)#no shutdown
SITE2(config-if)#int e0/0
SITE2(config-if)#ip address 202.100.2.2 255.255.255.0
SITE2(config-if)#no shutdown
3. Configure static routes
R1(config)#ip route 2.2.2.2 255.255.255.255 10.1.1.1
SITE1(config)#ip route 2.2.2.2 255.255.255.255 202.100.1.10
SITE1(config)#ip route 202.100.2.0 255.255.255.0 202.100.1.10
SITE2(config)#ip route 1.1.1.0 255.255.255.0 202.100.2.10
SITE2(config)#ip route 202.100.1.0 255.255.255.0 202.100.2.10
SITE1(config)#ip route 1.1.1.0 255.255.255.0 10.1.1.10 -------return route to R1's loopback network (/24, matching SITE2's route)
4. Configure IPsec
SITE1(config)#crypto isakmp enable------------------------(enabled by default on routers, disabled by default on firewalls)
SITE1(config)#crypto isakmp policy 10
SITE1(config-isakmp)#encryption 3des ---------------------symmetric encryption
SITE1(config-isakmp)#hash md5 --------------------------integrity protection, keyed
SITE1(config-isakmp)#group 5 --------------------------Diffie-Hellman group, derives the key material
SITE1(config-isakmp)#authentication pre-share
SITE1(config-isakmp)#exit
SITE1(config)#crypto isakmp key ccna123 address 202.100.2.2 --------------------pre-shared key, bound to the address of the peer's ISP-facing interface (SITE2 e0/0)
SITE2(config)#crypto isakmp policy 10 -----------10 is just a priority number
SITE2(config-isakmp)#encryption 3des
SITE2(config-isakmp)#hash md5
SITE2(config-isakmp)#group 5
SITE2(config-isakmp)#authentication pre-share
SITE2(config-isakmp)#exit
SITE2(config)#crypto isakmp key ccna123 address 202.100.1.1
SITE1#show crypto isakmp policy -------------------------verify the policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit -------------------------SA lifetime
Define the interesting traffic
SITE1(config)#ip access-list extended vpn --------------------------------------named extended ACL
SITE1(config-ext-nacl)#permit ip host 1.1.1.1 host 2.2.2.2
SITE2(config)#ip access-list extended vpn --------------------------------------vpn is just the ACL name
SITE2(config-ext-nacl)#permit ip host 2.2.2.2 host 1.1.1.1
SITE1(config)#crypto ipsec transform-set vpn esp-des esp-md5-hmac -----------------vpn is just the transform-set name; the HMAC provides origin authentication
SITE1(cfg-crypto-trans)#mode tunnel -------------------------tunnel mode
SITE2(config)#crypto ipsec transform-set vpn esp-des esp-md5-hmac
SITE2(cfg-crypto-trans)#mode tunnel
Tie it together with a crypto map
SITE1(config)#crypto map cry-map 10 ipsec-isakmp ---------------------cry-map is the crypto map name
SITE1(config-crypto-map)#match address vpn
SITE1(config-crypto-map)#set peer 202.100.2.2 ----------------------peer address (SITE2 e0/0)
SITE1(config-crypto-map)#set transform-set vpn
SITE2(config)#crypto map cry-map 10 ipsec-isakmp
SITE2(config-crypto-map)#match address vpn
SITE2(config-crypto-map)#set transform-set vpn
SITE2(config-crypto-map)#set peer 202.100.1.1
Final step: apply the crypto map to the interface
SITE1(config)#int e0/1 -------------the Internet-facing interface
SITE1(config-if)#crypto map cry-map
SITE2(config)#int e0/0
SITE2(config-if)#crypto map cry-map
Verification commands
SITE2#show crypto isakmp sa --------------------------------------phase 1 (IKE) SA
SITE2#show crypto ipsec sa --------------------------------------phase 2 (IPsec) SAs
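The two sides of a site-to-site tunnel have to mirror each other: each site's `set peer` and `crypto isakmp key ... address` must equal the address of the interface where the other site applied the crypto map, the crypto ACLs must be mirror images, and the transform-sets must match. The following checker is an added example, not part of the lab notes; the two config snippets are constructed from this lab's values, with SITE1's peer address deliberately mistyped (.1 instead of .2) so the check has something to report.

```python
import re

# Constructed sample (not the page's running-config): each site's crypto-relevant lines.
SITE1 = """interface Ethernet0/1
 ip address 202.100.1.1 255.255.255.0
 crypto map cry-map
 permit ip host 1.1.1.1 host 2.2.2.2
crypto isakmp key ccna123 address 202.100.2.1
crypto ipsec transform-set vpn esp-des esp-md5-hmac
 set peer 202.100.2.1"""
SITE2 = """interface Ethernet0/0
 ip address 202.100.2.2 255.255.255.0
 crypto map cry-map
 permit ip host 2.2.2.2 host 1.1.1.1
crypto isakmp key ccna123 address 202.100.1.1
crypto ipsec transform-set vpn esp-des esp-md5-hmac
 set peer 202.100.1.1"""

def parse_site(cfg):
    # Collect WAN IP (interface carrying the crypto map), peer, key address, ACL, transform-set.
    site = {"wan_ip": None, "peer": None, "key_addr": None, "acl": set(), "ts": None}
    cur_ip = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"ip address (\S+) \S+$", line):
            cur_ip = m.group(1)                 # address of the interface being configured
        elif re.match(r"crypto map \S+$", line):
            site["wan_ip"] = cur_ip             # map applied here, so this is the WAN address
        elif m := re.match(r"permit ip host (\S+) host (\S+)", line):
            site["acl"].add((m.group(1), m.group(2)))
        elif m := re.match(r"set peer (\S+)", line):
            site["peer"] = m.group(1)
        elif m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
            site["key_addr"] = m.group(1)
        elif m := re.match(r"crypto ipsec transform-set \S+ (.+)", line):
            site["ts"] = tuple(sorted(m.group(1).split()))
    return site

def check_pair(a, b):
    # Return the list of mismatches; an empty list means both sides agree.
    problems = []
    for mine, remote, label in ((a, b, "side A"), (b, a, "side B")):
        if mine["peer"] != remote["wan_ip"]:
            problems.append(f"{label}: set peer {mine['peer']} != remote WAN {remote['wan_ip']}")
        if mine["key_addr"] != remote["wan_ip"]:
            problems.append(f"{label}: isakmp key address {mine['key_addr']} != remote WAN {remote['wan_ip']}")
    if a["ts"] != b["ts"]:
        problems.append("transform-sets differ")
    if a["acl"] != {(dst, src) for src, dst in b["acl"]}:  # ACLs must be mirror images
        problems.append("crypto ACLs are not mirror images")
    return problems
```

Running `check_pair(parse_site(SITE1), parse_site(SITE2))` reports both side A mismatches; correcting the peer address to 202.100.2.2 yields an empty list.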