Dynamic to static

Hub (central) site configuration:

 

!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
! Use a large policy number; a wildcard 0.0.0.0 0.0.0.0 address match is very insecure (this key is accepted from any peer address)
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto dynamic-map dymap 10
 set transform-set cisco
! Only the transform set is fixed to cisco; everything else is negotiated, and whatever the peer proposes is accepted
!
crypto map cisco 10 ipsec-isakmp dynamic dymap
! Apply it to the interface. A dynamic map normally goes last, with as large a sequence number as possible; no interesting-traffic ACL and no peer need to be written

interface Ethernet0/1
 ip address 202.102.1.1 255.255.255.0
 half-duplex
 crypto map cisco
!
ip route 0.0.0.0 0.0.0.0 202.102.1.2

 

R2 uses the standard LAN-to-LAN (L2L) configuration:

R2

 

!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 202.102.1.1
!
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
 set peer 202.102.1.1
 set transform-set cisco
 match address 100
!
!
interface Ethernet0/0
 ip address 202.102.1.2 255.255.255.0
 half-duplex
 crypto map cisco
!
ip route 0.0.0.0 0.0.0.0 202.102.1.1

access-list 100 permit ip host 2.2.2.2 host 1.1.1.1
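As an added example (not from the original post), a small Python audit that reads an IOS crypto configuration and flags the two points the comments above raise, the wildcard pre-shared key address and a dynamic crypto map entry that is not the last sequence number, plus a check for the legacy esp-des/esp-md5-hmac transform set. The samples are constructed from the R1 and R2 configurations on this page, with one extra static entry (seq 20, peer 202.102.1.2) added to the hub sample so the ordering check has something to compare.

```python
import re

# Constructed samples (added example, not the page's own code): the hub (R1) crypto
# config from this page plus one extra static entry, and the spoke (R2) config.
HUB_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set cisco esp-des esp-md5-hmac
crypto dynamic-map dymap 10
 set transform-set cisco
crypto map cisco 10 ipsec-isakmp dynamic dymap
crypto map cisco 20 ipsec-isakmp
 set peer 202.102.1.2
"""
SPOKE_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 202.102.1.1
crypto ipsec transform-set cisco esp-des esp-md5-hmac
crypto map cisco 10 ipsec-isakmp
 set peer 202.102.1.1
 set transform-set cisco
 match address 100
"""
# Legacy transforms that should not appear in a new deployment.
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

def audit_crypto_config(config):
    """Return (check, detail) findings for an IOS IKEv1/IPsec configuration."""
    findings = []
    # Wildcard pre-shared key: the same key is accepted from any peer address.
    for m in re.finditer(r"^crypto isakmp key .+ address 0\.0\.0\.0 0\.0\.0\.0$", config, re.M):
        findings.append(("wildcard-psk", m.group(0)))
    # Transform sets built from weak ciphers or hashes.
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M):
        weak = sorted(set(m.group(2).split()) & WEAK_TRANSFORMS)
        if weak:
            findings.append(("weak-transform", f"{m.group(1)}: {' '.join(weak)}"))
    # A dynamic entry is consulted last only if its sequence number is the highest.
    maps = {}  # map name -> {seq: is_dynamic}
    for m in re.finditer(r"^crypto map (\S+) (\d+) ipsec-isakmp( dynamic \S+)?$", config, re.M):
        maps.setdefault(m.group(1), {})[int(m.group(2))] = m.group(3) is not None
    for name, entries in maps.items():
        for seq, is_dyn in entries.items():
            later_static = sorted(s for s, d in entries.items() if s > seq and not d)
            if is_dyn and later_static:
                findings.append(("dynamic-map-not-last", f"{name} seq {seq} precedes static seq {later_static}"))
    return findings
```

Run `audit_crypto_config(HUB_CONFIG)` to see all three findings; the spoke sample only triggers the transform-set check.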

 

 

 

 

Traffic initiated from the hub towards the spoke fails. (The hub only accepts passively; once the spoke has brought the tunnel up, ping works in both directions.)

r1#ping 2.2.2.2 source 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.....
Success rate is 0 percent (0/5)
r1#

 

 

Traffic initiated from the spoke towards the hub succeeds.

 

r2#ping 1.1.1.1 source 2.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/132/144 ms
r2#

 

r2#show crypto ipsec sa

interface: Ethernet0/0
    Crypto map tag: cisco, local addr. 202.102.1.2

   local  ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255
   remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255
   current_peer: 202.102.1.1
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest 14
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify 14
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts deco
    #send errors 1, #recv errors 0

     local crypto endpt.: 202.102.1.2, remote crypto endpt.: 20
     path mtu 1500, ip mtu 1500, ip mtu interface Ethernet0/0
     current outbound spi: 45F1EEF3

     inbound esp sas:
      spi: 0x96655438(2523223096)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: cisco
 --More--

 

Once the spoke has initiated towards the hub, the hub can reach the spoke:

r1#ping 2.2.2.2 source 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/152/276 ms
r1#
