Lab
Lab topology:
Lab requirements:
Build an IPsec VPN between the gateways of the Shanghai and Beijing branch offices so that the two internal LANs can reach each other; each branch gateway has only a single default route pointing to the ISP.
Lab steps:
Configure the IP address of each device:
AR1:
[shanghai]int g0/0/1
[shanghai-GigabitEthernet0/0/1]ip add 192.168.1.1 24
[shanghai-GigabitEthernet0/0/1]un shut
[shanghai-GigabitEthernet0/0/1]int g0/0/0
[shanghai-GigabitEthernet0/0/0]ip add 12.0.0.1 24
[shanghai-GigabitEthernet0/0/0]un shut
ISP:
[ISP]int g0/0/0
[ISP-GigabitEthernet0/0/0]ip add 12.0.0.2 24
[ISP-GigabitEthernet0/0/0]un shut
[ISP-GigabitEthernet0/0/0]int g0/0/1
[ISP-GigabitEthernet0/0/1]ip add 13.0.0.1 24
[ISP-GigabitEthernet0/0/1]un shut
AR2:
[beijing]int g0/0/0
[beijing-GigabitEthernet0/0/0]ip add 13.0.0.2 24
[beijing-GigabitEthernet0/0/0]int g0/0/1
[beijing-GigabitEthernet0/0/1]ip add 10.0.0.1 24
[beijing-GigabitEthernet0/0/1]un shut
PC1:
PC2:
Default route configuration:
[shanghai]ip route-static 0.0.0.0 0.0.0.0 12.0.0.2
[beijing]ip route-static 0.0.0.0 0.0.0.0 13.0.0.1
Configure the IPsec VPN:
Shanghai branch gateway:
[shanghai]acl number 3000 // create the advanced ACL that defines the interesting traffic
[shanghai-acl-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255 destination 10.0.0.0 0.0.0.255 // traffic from the Shanghai LAN to the Beijing LAN is to be protected
[shanghai-acl-adv-3000]rule deny ip source any destination any // everything else is excluded from the tunnel
[shanghai-acl-adv-3000]q
[shanghai]ipsec proposal transform1 // create the proposal (transform set) named transform1
[shanghai-ipsec-proposal-transform1]encapsulation-mode tunnel // use tunnel mode
[shanghai-ipsec-proposal-transform1]transform esp // use ESP as the security protocol
[shanghai-ipsec-proposal-transform1]esp encryption-algorithm des // select the ESP encryption algorithm
[shanghai-ipsec-proposal-transform1]esp authentication-algorithm sha1 // select the ESP authentication (integrity) algorithm
[shanghai-ipsec-proposal-transform1]q
[shanghai]ike peer bj v2 // configure the IKE peer (IKEv2)
[shanghai-ike-peer-bj]pre-shared-key cipher benet // pre-shared key, stored in encrypted (cipher) form
[shanghai-ike-peer-bj]remote-address 13.0.0.2 // public IP of the Beijing branch gateway
[shanghai-ike-peer-bj]q
[shanghai]ipsec policy map1 10 isakmp // create a security policy; negotiation mode is isakmp (IKE)
[shanghai-ipsec-policy-isakmp-map1-10]security acl 3000 // reference the ACL
[shanghai-ipsec-policy-isakmp-map1-10]proposal transform1 // reference the proposal
[shanghai-ipsec-policy-isakmp-map1-10]ike-peer bj // reference the IKE peer
[shanghai-ipsec-policy-isakmp-map1-10]q
[shanghai]int g0/0/0 // apply the IPsec policy on the outbound interface
[shanghai-GigabitEthernet0/0/0]ipsec policy map1
Beijing branch gateway:
[beijing]acl number 3000
[beijing-acl-adv-3000]rule permit ip source 10.0.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[beijing-acl-adv-3000]rule deny ip source any destination any
[beijing-acl-adv-3000]q
[beijing]ipsec proposal transform1
[beijing-ipsec-proposal-transform1]encapsulation-mode tunnel
[beijing-ipsec-proposal-transform1]transform esp
[beijing-ipsec-proposal-transform1]esp encryption-algorithm des
[beijing-ipsec-proposal-transform1]esp authentication-algorithm sha1
[beijing-ipsec-proposal-transform1]q
[beijing]ike peer sh v2
[beijing-ike-peer-sh]pre-shared-key cipher benet
[beijing-ike-peer-sh]remote-address 12.0.0.1 // public IP of the Shanghai branch gateway
[beijing-ike-peer-sh]q
[beijing]ipsec policy map1 10 isakmp
[beijing-ipsec-policy-isakmp-map1-10]security acl 3000
[beijing-ipsec-policy-isakmp-map1-10]proposal transform1
[beijing-ipsec-policy-isakmp-map1-10]ike-peer sh
[beijing-ipsec-policy-isakmp-map1-10]q
[beijing]int g0/0/0
[beijing-GigabitEthernet0/0/0]ipsec policy map1
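The two gateway configurations only work together if they agree on several things: each side's remote-address must be the other side's address on the interface where its policy is applied, the ACLs defining interesting traffic must be mirror images of each other, the proposals and IKE version must match, and the pre-shared keys must be identical. The Python script below is an added example, not part of the lab and not a Huawei tool: it parses a condensed transcript of both gateways (constructed inline from the commands above, prompts included) and reports anything that disagrees. The WEAK_ENCRYPTION set is an assumption of this example; it flags the lab's choice of DES, a 56-bit cipher that should be replaced by AES in any real deployment.

```python
import ipaddress
import re

# Assumption of this example (not stated in the lab): ESP ciphers treated as too weak.
WEAK_ENCRYPTION = {"des", "3des"}

# Constructed sample transcripts, condensed from the lab's Shanghai and Beijing commands.
SHANGHAI = """
[shanghai]int g0/0/0
[shanghai-GigabitEthernet0/0/0]ip add 12.0.0.1 24
[shanghai-GigabitEthernet0/0/0]ipsec policy map1
rule permit ip source 192.168.1.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
rule deny ip source any destination any
encapsulation-mode tunnel
transform esp
esp encryption-algorithm des
esp authentication-algorithm sha1
ike peer bj v2
pre-shared-key cipher benet
remote-address 13.0.0.2
"""
BEIJING = """
[beijing]int g0/0/0
[beijing-GigabitEthernet0/0/0]ip add 13.0.0.2 24
[beijing-GigabitEthernet0/0/0]ipsec policy map1
rule permit ip source 10.0.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule deny ip source any destination any
encapsulation-mode tunnel
transform esp
esp encryption-algorithm des
esp authentication-algorithm sha1
ike peer sh v2
pre-shared-key cipher benet
remote-address 12.0.0.1
"""

def _net(tokens):
    # 'any' or '<address> <wildcard>' -> ip_network; VRP wildcard bits set to 1 mean "don't care"
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    wildcard = int(ipaddress.ip_address(tokens[1]))
    assert (wildcard + 1) & wildcard == 0, "non-contiguous wildcard"  # e.g. 0.0.0.0 -> /32 host
    return ipaddress.ip_network(f"{tokens[0]}/{32 - wildcard.bit_length()}", strict=False)

def parse_gateway(transcript):
    """Extract the IPsec-relevant state from a VRP command transcript."""
    cfg = {"acl": [], "proposal": {}, "peer": {}, "ifaddr": {}, "policy_if": None}
    cur_if = None
    for raw in transcript.strip().splitlines():
        # strip the "[name-view]" prompt and any trailing "// comment", then tokenize
        t = re.sub(r"^\[[^\]]*\]", "", raw).split("//", 1)[0].split()
        if not t:
            continue
        if t[0] in ("int", "interface"):
            cur_if = t[1]
        elif t[:2] in (["ip", "add"], ["ip", "address"]):
            cfg["ifaddr"][cur_if] = ipaddress.ip_interface(f"{t[2]}/{t[3]}")
        elif t[:2] == ["ipsec", "policy"] and len(t) == 3:  # "ipsec policy <name>" in interface view
            cfg["policy_if"] = cur_if
        elif t[0] == "rule":
            src, dst = t.index("source") + 1, t.index("destination") + 1
            cfg["acl"].append((t[1], _net(t[src:]), _net(t[dst:])))
        elif t[0] in ("encapsulation-mode", "transform"):
            cfg["proposal"][t[0]] = t[1]
        elif t[0] == "esp" and len(t) == 3:  # esp encryption-algorithm / authentication-algorithm
            cfg["proposal"][t[1]] = t[2]
        elif t[:2] == ["ike", "peer"]:
            cfg["peer"]["version"] = t[3] if len(t) > 3 else "default"
        elif t[0] == "pre-shared-key":
            cfg["peer"]["psk"] = t[-1]
        elif t[0] == "remote-address":
            cfg["peer"]["remote"] = ipaddress.ip_address(t[1])
    return cfg

def check_pair(a, b):
    """Findings for two gateways that should form one tunnel; an empty list means consistent."""
    findings = []
    for name, me, other in (("A", a, b), ("B", b, a)):
        # remote-address must be the other side's address on the interface carrying its policy
        expected = other["ifaddr"][other["policy_if"]].ip
        if me["peer"].get("remote") != expected:
            findings.append(f"{name}: remote-address {me['peer'].get('remote')} != peer interface {expected}")
        enc = me["proposal"].get("encryption-algorithm")
        if enc in WEAK_ENCRYPTION:
            findings.append(f"{name}: weak ESP encryption algorithm {enc}")
    # interesting traffic must be mirrored: A's (src, dst) pairs equal B's (dst, src) pairs
    a_permit = {(s, d) for act, s, d in a["acl"] if act == "permit"}
    b_permit = {(d, s) for act, s, d in b["acl"] if act == "permit"}
    if a_permit != b_permit:
        findings.append("ACL permit rules are not mirror images")
    if a["proposal"] != b["proposal"]:
        findings.append("ipsec proposals differ")
    if (a["peer"].get("version"), a["peer"].get("psk")) != (b["peer"].get("version"), b["peer"].get("psk")):
        findings.append("IKE peer version or pre-shared key differs")
    return findings

def check_lab():
    # run the check over the two constructed lab transcripts
    return check_pair(parse_gateway(SHANGHAI), parse_gateway(BEIJING))
```

Run against the lab's own commands, the only findings are the two DES warnings; a typo in either remote-address or in one ACL's destination network produces a mismatch finding, which is the fastest way to explain an IKE negotiation that never completes. The wildcard conversion treats 0.0.0.0 as a single host (/32) rather than handing it to ipaddress as a netmask, which would silently become /0.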
Test: access the Beijing branch from the Shanghai branch:
Lab complete