Client的配置(Client是標準的lan to lan 的配置 peer是HSRP的虛擬的IP)
hostname client
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key 123 address 200.100.2.100
crypto isakmp keepalive 10 periodic
!客戶端也要敲這個命令
crypto ipsec transform-set aa esp-des esp-md5-hmac
!
crypto map bb 1 ipsec-isakmp
set peer 200.100.2.100
set transform-set aa
match address 100
!
interface Loopback0
ip address1.1.1.1 255.255.255.0
!
!
interface Serial1/2
ip address 200.100.1.1 255.255.255.0
serial restart-delay 0
crypto map bb
!
ip route0.0.0.0 0.0.0.0 200.100.1.10
!
access-list 100 permit ip host1.1.1.1 2.2.2.0 0.0.0.255
!
Active配lan to lan
!
hostname ac
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key 123 address 200.100.1.1
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set aa esp-des esp-md5-hmac
!
crypto map bb 10 ipsec-isakmp
set peer 200.100.1.1
set transform-set aa
match address 100
reverse-route tag 10
!peer是200.100.1.1
interface FastEthernet0/0
ip address2.2.2.1 255.255.255.0
duplex full
!
interface FastEthernet2/0
ip address 200.100.2.1 255.255.255.0
duplex full
standby 1 ip 200.100.2.100
standby 1 priority 130
standby 1 preempt
standby 1 name cl
crypto map bb redundancy cl
! Active和standby開啓HSRPà虛擬的IP要指向202.100.2.100
!定義名字是爲了下一個命令可以調用
router ospf 1
log-adjacency-changes
redistribute static subnets route-map sto
network2.2.2.0 0.0.0.255 area 0
!
ip route0.0.0.0 0.0.0.0 200.100.2.10
!
!
access-list 100 permit ip 2.2.2.0 0.0.0.255 host 1.1.1.1
!
!
route-map sto permit 10
match tag 10
!
Standby的配置和active是一樣的
!
hostname sd
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key 123 address 200.100.1.1
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set aa esp-des esp-md5-hmac
!
crypto map bb 10 ipsec-isakmp
set peer 200.100.1.1
set transform-set aa
match address 100
reverse-route tag 10
!
interface FastEthernet0/0
ip address2.2.2.2 255.255.255.0
duplex full
!
interface FastEthernet2/0
ip address 200.100.2.2 255.255.255.0
duplex full
standby 1 ip 200.100.2.100
standby 1 preempt
standby 1 name cl
crypto map bb redundancy cl
!
router ospf 1
log-adjacency-changes
redistribute static subnets tag 10
network2.2.2.0 0.0.0.255 area 0
!
ip route0.0.0.0 0.0.0.0 200.100.2.10
!
access-list 100 permit ip 2.2.2.0 0.0.0.255 host 1.1.1.1
!
!
route-map sto permit 10
match tag 10
!
In的配置
!
hostname in
!
interface FastEthernet0/0
ip address2.2.2.10 255.255.255.0
speed auto
full-duplex
!
router ospf 1
log-adjacency-changes
network2.2.2.0 0.0.0.255 area 0
!
Inter的配置(模擬互聯網中的一個路由器,它只需要配好IP就可以了,不需要其它的任何配置)
!
hostname inter
!
interface FastEthernet0/0
ip address 200.100.2.10 255.255.255.0
duplex auto
speed auto
!
interface Serial1/2
ip address 200.100.1.10 255.255.255.0
serial restart-delay 0
!
一開始走的是active
in#
SHOw IP ROUteCodes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O -OSPF,IA- OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
O E2 1.1.1.1 [110/20] via 2.2.2.1, 00:01:03, FastEthernet0/0
2.0.0.0/24 is subnetted, 1 subnets
C 2.2.2.0 is directly connected, FastEthernet0/0
in#
看切換
sh主動的***的接口
ac(config)#interface fastEthernet 2/0
ac(config-if)#sh
ac(config-if)#shutdown
*Jun 5 10:03:02.759: %HSRP-5-STATECHANGE: FastEthernet2/0 Grp 1 state Active ->
Init
ac(config-if)#
*Jun 5 10:03:04.791: %LINK-5-CHANGED: Interface FastEthernet2/0, changed state
to administratively down
ac(config-if)#
*Jun 5 10:03:04.795: %ENTITY_ALARM-6-INFO: ASSERT INFO Fa2/0PhysicalPortAdmi
nistrative State Down
ac(config-if)#
*Jun 5 10:03:05.791: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthern
et2/0, changed state to down
ac(config-if)#
in#
SHOw IP ROUteCodes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O -OSPF,IA- OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
O E2 1.1.1.1 [110/20] via 2.2.2.2, 00:00:36, FastEthernet0/0
2.0.0.0/24 is subnetted, 1 subnets
C 2.2.2.0 is directly connected, FastEthernet0/0
in#
no sh主動的***會再次的搶回
ac(config-if)#no sh
ac(config-if)#no shutdown
ac(config-if)#
*Jun 5 10:05:04.707: %LINK-3-UPDOWN: Interface FastEthernet2/0, changed state t
o up
ac(config-if)#
*Jun 5 10:05:04.711: %ENTITY_ALARM-6-INFO: CLEAR INFO Fa2/0PhysicalPortAdmin
istrative State Down
ac(config-if)#
*Jun 5 10:05:05.707: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthern
et2/0, changed state to up
*Jun 5 10:05:05.903: %HSRP-5-STATECHANGE: FastEthernet2/0 Grp 1 state Listen ->
Active
ac(config-if)#
*Jun 5 10:05:08.135: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet ha
s invalid spi for destaddr=200.100.2.100, prot=50, spi=0x6D9CB3F0(1838986224), s
rcaddr=200.100.1.1
ac(config-if)#
ac(config-if)#
ac(config-if)#
*Jun 5 10:05:17.955: %CRYPTO-4-IKMP_NO_SA: IKE message from 200.100.1.1 has no
SA and is not an initialization offer
ac(config-if)#
in#
SHOw IP ROUteCodes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O -OSPF,IA- OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
O E2 1.1.1.1 [110/20] via 2.2.2.1, 00:01:03, FastEthernet0/0
2.0.0.0/24 is subnetted, 1 subnets
C 2.2.2.0 is directly connected, FastEthernet0/0
in#
從前到後在client上ping的結果
client#PING2.2.2.10 SOurce 1.1.1.1 repeat 10000
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.............!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!.....
*Jun 5 10:05:31.323: %CRYPTO-4-IKMP_NO_SA: IKE message from 200.100.2.100 has n
o SA and is not an initialization offer...................!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
這個實驗中,***的流量也可心從in開始發起