IPSEC ***


 

I. Lab topology:


[Figure: lab topology diagram]

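II. Lab requirements:

  1. Make sure routing at both sites works.

  2. Configure *** between site A and site B so that the enterprise networks are connected across the Internet.

III. Lab configuration: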


Full configuration of R1:

r1#show running-config 

Building configuration...


Current configuration : 597 bytes

!

version 12.4

no service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

!

hostname r1

!

!

!

!

!

!

!

!

!

!

!

!

!

!

spanning-tree mode pvst

!

!

!

!

interface FastEthernet0/0

 ip address 192.168.2.3 255.255.255.0

 duplex auto

 speed auto

!

interface FastEthernet0/1

 ip address 192.168.0.1 255.255.255.0

 duplex auto

 speed auto

!

interface Vlan1

 no ip address

 shutdown

!

ip classless

ip route 192.168.1.0 255.255.255.0 192.168.2.1 

ip route 0.0.0.0 0.0.0.0 192.168.2.1 

!

!

!

!

!

!

!

line con 0

!

line aux 0

!

line vty 0 4

 login

!

!

!

end


Full configuration of siteA:


siteA# show running-config 

Building configuration...


Current configuration : 1184 bytes

!

version 12.4

no service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

!

hostname siteA

!

!

!

!

!

!

!

!

crypto isakmp policy 10

 encr 3des

 hash md5

 authentication pre-share

 group 2

!

crypto isakmp key cisco address 61.128.1.1

!

!

crypto ipsec transform-set cisco esp-3des esp-md5-hmac

!

crypto map map 10 ipsec-isakmp 

 set peer 61.128.1.1

 set transform-set cisco 

 match address ***

!

!

!

!

!

spanning-tree mode pvst

!

!

!

!

interface FastEthernet0/0

 ip address 192.168.2.1 255.255.255.0

 duplex auto

 speed auto

!

interface FastEthernet0/1

 no ip address

 duplex auto

 speed auto

 shutdown

!

interface Serial0/0/0

 ip address 202.100.1.1 255.255.255.0

 crypto map map

!

interface Serial0/0/1

 no ip address

 shutdown

!

interface Vlan1

 no ip address

 shutdown

!

ip classless

ip route 0.0.0.0 0.0.0.0 202.100.1.10 

ip route 192.168.0.0 255.255.255.0 192.168.2.3 

ip route 192.168.1.0 255.255.255.0 202.100.1.10 

!

!

ip access-list extended ***

 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

!

!

!

!

!

line con 0

!

line aux 0

!

line vty 0 4

 login

!

!

!

end


Full configuration of Internet:

Internet#show running-config 

Building configuration...


Current configuration : 708 bytes

!

version 15.1

no service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

!

hostname Internet

!

!

!

!

!

!

!

!

!

!

!

!

license udi pid CISCO2901/K9 sn FTX15245R08

!

!

!

!

!

spanning-tree mode pvst

!

!

!

!

interface GigabitEthernet0/0

 no ip address

 duplex auto

 speed auto

 shutdown

!

interface GigabitEthernet0/1

 no ip address

 duplex auto

 speed auto

 shutdown

!

interface Serial0/0/0

 ip address 202.100.1.10 255.255.255.0

 clock rate 64000

!

interface Serial0/0/1

 ip address 61.128.1.10 255.255.255.0

 clock rate 64000

!

interface Vlan1

 no ip address

 shutdown

!

ip classless

!

!

!

!

!

!

!

line con 0

!

line aux 0

!

line vty 0 4

 login

!

!

!

end


Full configuration of siteB:

siteB#show running-config 

Building configuration...


Current configuration : 1183 bytes

!

version 12.4

no service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

!

hostname siteB

!

!

!

!

!

!

!

!

crypto isakmp policy 10

 encr 3des

 hash md5

 authentication pre-share

 group 2

!

crypto isakmp key cisco address 202.100.1.1

!

!

crypto ipsec transform-set cisco esp-3des esp-md5-hmac

!

crypto map map 10 ipsec-isakmp 

 set peer 202.100.1.1

 set transform-set cisco 

 match address ***

!

!

!

!

!

spanning-tree mode pvst

!

!

!

!

interface FastEthernet0/0

 ip address 192.168.1.1 255.255.255.0

 duplex auto

 speed auto

!

interface FastEthernet0/1

 no ip address

 duplex auto

 speed auto

 shutdown

!

interface Serial0/0/0

 no ip address

 shutdown

!

interface Serial0/0/1

 ip address 61.128.1.1 255.255.255.0

 crypto map map

!

interface Vlan1

 no ip address

 shutdown

!

ip classless

ip route 0.0.0.0 0.0.0.0 61.128.1.10 

ip route 192.168.0.0 255.255.255.0 61.128.1.10 

ip route 192.168.2.0 255.255.255.0 61.128.1.10 

!

!

ip access-list extended ***

 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255

 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

!

!

!

!

!

line con 0

!

line aux 0

!

line vty 0 4

 login

!

!

!

end
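
As an added example (not part of the original post), the Python sketch below audits the crypto-relevant lines of the siteA and siteB listings above: it flags the legacy algorithms both peers negotiate (3DES, MD5, DH group 2) and checks that the two crypto ACLs are exact mirrors of each other, since a mismatch there is a common reason a tunnel fails to come up. The deny-list and the function names are assumptions of this example, not anything defined by Cisco IOS.

```python
import re

# Crypto-relevant lines copied from the siteA and siteB listings on this page.
COMMON = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 group 2
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
"""
SITE_A = COMMON + """\
 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
SITE_B = COMMON + """\
 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""

# Assumption: a deny-list based on common deprecation guidance, not on the page.
WEAK = {
    r"^\s*encr (des|3des)\b": "IKE encryption uses DES/3DES",
    r"^\s*hash md5\b": "IKE hash is MD5",
    r"^\s*group (1|2|5)\b": "IKE Diffie-Hellman group is 1536 bits or smaller",
    r"\besp-(des|3des)\b": "ESP encryption uses DES/3DES",
    r"\besp-md5-hmac\b": "ESP integrity uses HMAC-MD5",
}

def weak_settings(config):
    """Return sorted findings for one router's configuration text."""
    return sorted({msg for line in config.splitlines()
                   for pat, msg in WEAK.items() if re.search(pat, line)})

ACE = re.compile(r"^\s*permit ip (\S+) (\S+) (\S+) (\S+)\s*$", re.M)

def crypto_aces(config):
    """Return {(src, src_wildcard, dst, dst_wildcard)} for each permit ip entry."""
    return {m.groups() for m in ACE.finditer(config)}

def unmirrored(local, remote):
    """Entries in local's crypto ACL with no swapped src/dst twin on remote."""
    twins = {(d, dw, s, sw) for s, sw, d, dw in crypto_aces(remote)}
    return sorted(crypto_aces(local) - twins)

if __name__ == "__main__":
    for name, cfg, peer in (("siteA", SITE_A, SITE_B), ("siteB", SITE_B, SITE_A)):
        print(name, weak_settings(cfg), "unmirrored:", unmirrored(cfg, peer))
```

Run against the two listings, both peers report the same five algorithm findings and no unmirrored entries, so the tunnel is consistent but built on legacy algorithms.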

