S2S *** SVTI

2012-09-09_102348

GW1:

! Configure the pre-shared key
crypto keyring cisco
  pre-shared-key address 64.1.1.1 key cisco
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp profile ikeprof
   keyring cisco
   match identity address 64.1.1.1 255.255.255.255
!
crypto ipsec transform-set SET esp-3des esp-md5-hmac
!
! Configure the IPsec profile
crypto ipsec profile ipsecprof
set transform-set SET
set pfs group5
set isakmp-profile ikeprof
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Tunnel0
ip address 12.1.1.1 255.255.255.0
tunnel source 202.1.1.1
! Set the tunnel mode to IPsec
tunnel mode ipsec ipv4
tunnel destination 64.1.1.1
! Apply the IPsec profile
tunnel protection ipsec profile ipsecprof
!
interface FastEthernet1/0
ip address 202.1.1.1 255.255.255.0
duplex auto
speed auto
!
router ospf 1
router-id 1.1.1.1
network 1.1.1.0 0.0.0.255 area 0
network 12.1.1.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 202.1.1.10

 

GW2:

crypto keyring cisco 
  pre-shared-key address 202.1.1.1 key cisco
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp profile ikeprof
   keyring cisco
   match identity address 202.1.1.1 255.255.255.255
!
crypto ipsec transform-set SET esp-3des esp-md5-hmac
!
crypto ipsec profile ipsecprof
set transform-set SET
set pfs group5
set isakmp-profile ikeprof
!
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
interface Tunnel0
ip address 12.1.1.2 255.255.255.0
tunnel source 64.1.1.1
tunnel mode ipsec ipv4
tunnel destination 202.1.1.1
tunnel protection ipsec profile ipsecprof
!
interface FastEthernet1/0
ip address 64.1.1.1 255.255.255.0
duplex auto
speed auto
!
router ospf 1
router-id 2.2.2.2
network 2.2.2.0 0.0.0.255 area 0
network 12.1.1.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 64.1.1.10

 

The peer's routes are learned.


The routing protocol's Hello packets automatically trigger IPsec negotiation, and the OSPF packets are encrypted and decrypted.
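An added example, not part of the original post: a small Python check that the two SVTI configs above mirror each other (key, transform set, PFS group, tunnel mode, and swapped source/destination addresses), and that lists deprecated transform-set algorithms such as the esp-3des and esp-md5-hmac used in this lab. The function names are hypothetical, the config text is a constructed excerpt of the GW1/GW2 configs, and the tunnel source is assumed to be an IP address as on this page.

```python
import re

# Constructed excerpt of the GW1/GW2 configs above (crypto and tunnel lines only).
TEMPLATE = """\
crypto keyring cisco
  pre-shared-key address {peer} key cisco
crypto ipsec transform-set SET esp-3des esp-md5-hmac
crypto ipsec profile ipsecprof
 set pfs group5
interface Tunnel0
 tunnel source {local}
 tunnel mode ipsec ipv4
 tunnel destination {peer}
"""
GW1 = TEMPLATE.format(local="202.1.1.1", peer="64.1.1.1")
GW2 = TEMPLATE.format(local="64.1.1.1", peer="202.1.1.1")

# One regex per setting that has to agree (or be mirrored) between the peers.
FIELDS = {
    "psk_peer": r"pre-shared-key address (\S+)",
    "psk": r"pre-shared-key address \S+ key (\S+)",
    "transforms": r"crypto ipsec transform-set \S+ (.+)",
    "pfs": r"set pfs (\S+)",
    "mode": r"tunnel mode (.+)",
    "src": r"tunnel source (\S+)",
    "dst": r"tunnel destination (\S+)",
}
WEAK = {"esp-des", "esp-3des", "esp-md5-hmac"}  # deprecated ESP transforms

def parse(cfg):
    """Return the first match of each field in one gateway's config (None if absent)."""
    found = {k: re.search(p, cfg, re.M) for k, p in FIELDS.items()}
    return {k: m.group(1).strip() if m else None for k, m in found.items()}

def weak_transforms(cfg):
    """Transform-set tokens that name deprecated algorithms."""
    return [t for t in (parse(cfg)["transforms"] or "").split() if t in WEAK]

def check_pair(gw1, gw2):
    """List the mismatches between the two SVTI peers' configs."""
    a, b = parse(gw1), parse(gw2)
    problems = [f"{k} differs: {a[k]} vs {b[k]}"
                for k in ("psk", "transforms", "pfs", "mode") if a[k] != b[k]]
    for name, me, peer in (("GW1", a, b), ("GW2", b, a)):
        if me["dst"] != peer["src"]:
            problems.append(f"{name} tunnel destination is not the peer's tunnel source")
        if me["psk_peer"] != me["dst"]:
            problems.append(f"{name} keyring address is not its tunnel destination")
    return problems
```
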
