L2L (LAN-to-LAN) VPN Project Practice
Lab topology
Lab steps
1. Configure IP addresses according to the topology and verify that every directly connected link is reachable;
2. Configure NAT on R2 and R4 and default routes on R1 and R5, so that R1 and R5 can reach the Internet router R3 (3.3.3.3/32);
R2:
ip access-list extended NAT
permit ip 10.1.12.0 0.0.0.255 any
interface f0/0
ip nat inside
interface f1/0
ip nat outside
ip nat inside source list NAT interface f1/0 overload
R4:
ip access-list extended NAT
permit ip 10.1.45.0 0.0.0.255 any
interface f1/0
ip nat inside
interface f0/0
ip nat outside
ip nat inside source list NAT interface f0/0 overload
R1:
ip route 0.0.0.0 0.0.0.0 10.1.12.2
R5:
ip route 0.0.0.0 0.0.0.0 10.1.45.4
3. Configure the IPsec VPN between R2 and R4, with the pre-shared key pinginglab;
R2:
crypto isakmp policy 1
encryption 3des
authentication pre-share
group 2
hash sha
crypto isakmp key 0 pinginglab address 100.1.34.4
crypto ipsec transform-set l2ltrans esp-3des esp-sha-hmac
ip access-list extended l2lacl
permit ip 10.1.12.0 0.0.0.255 10.1.45.0 0.0.0.255
crypto map l2lmap 1 ipsec-isakmp
set peer 100.1.34.4
set transform-set l2ltrans
match address l2lacl
interface f1/0
crypto map l2lmap
R4:
crypto isakmp policy 1
encryption 3des
authentication pre-share
group 2
hash sha
crypto isakmp key 0 pinginglab address 100.1.23.2
crypto ipsec transform-set l2ltrans esp-3des esp-sha-hmac
ip access-list extended l2lacl
permit ip 10.1.45.0 0.0.0.255 10.1.12.0 0.0.0.255
crypto map l2lmap 1 ipsec-isakmp
set peer 100.1.23.2
set transform-set l2ltrans
match address l2lacl
interface f0/0
crypto map l2lmap
R4 NAT ACL, updated so that the VPN traffic is exempted from translation (on IOS, inside-to-outside NAT runs before the crypto map is checked, so translated packets would no longer match l2lacl and would leave in cleartext); R2 needs the mirror entry with 10.1.12.0 as the source and 10.1.45.0 as the destination:
ip access-list extended NAT
5 deny ip 10.1.45.0 0.0.0.255 10.1.12.0 0.0.0.255
10 permit ip 10.1.45.0 0.0.0.255 any
4. Verify that R1 and R5 can reach each other through the VPN, then capture on the Internet link with Wireshark and confirm that the traffic between them is encrypted.
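The NAT-exemption point in step 3 and the Wireshark check in step 4 can be modelled offline. The following added Python script (not part of the lab, and not IOS code) evaluates wildcard-mask ACLs the way IOS does (top-down, implicit deny) and applies the inside-to-outside order of operations, NAT before the crypto map, to show why R2's NAT ACL needs a deny entry for the 10.1.12.0/24 to 10.1.45.0/24 traffic; the host addresses 10.1.12.1 and 10.1.45.5 are constructed sample values.

```python
import ipaddress

# Constructed model of Cisco IOS wildcard-mask ACL evaluation (not IOS code).
def wc_match(addr: str, network: str, wildcard: str) -> bool:
    """True if addr matches network/wildcard (bits that are 0 in the wildcard must match)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

def acl_action(acl, src: str, dst: str) -> str:
    """Evaluate an ACL, a list of (action, src_net, src_wc, dst_net, dst_wc), top-down.
    Returns the first matching action; unmatched traffic hits the implicit deny."""
    for action, sn, sw, dn, dw in acl:
        if wc_match(src, sn, sw) and wc_match(dst, dn, dw):
            return action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")

# R2's crypto ACL l2lacl from the lab, its NAT ACL as written in step 2,
# and the NAT ACL with the exemption that step 3 requires.
L2LACL = [("permit", "10.1.12.0", "0.0.0.255", "10.1.45.0", "0.0.0.255")]
NAT_R2_STEP2 = [("permit", "10.1.12.0", "0.0.0.255", *ANY)]
NAT_R2_FIXED = [("deny", "10.1.12.0", "0.0.0.255", "10.1.45.0", "0.0.0.255"),
                ("permit", "10.1.12.0", "0.0.0.255", *ANY)]

def egress_r2(nat_acl, src: str, dst: str, outside_ip: str = "100.1.23.2"):
    """Model R2's inside->outside path: NAT overload first, then the crypto map
    matches l2lacl against the (possibly translated) packet.
    Returns (source address seen on the Internet link, 'encrypted' or 'cleartext')."""
    if acl_action(nat_acl, src, dst) == "permit":
        src = outside_ip  # PAT overload rewrites the source to the f1/0 address
    encrypted = acl_action(L2LACL, src, dst) == "permit"
    return src, "encrypted" if encrypted else "cleartext"

if __name__ == "__main__":
    for name, acl in (("step-2 NAT ACL", NAT_R2_STEP2), ("fixed NAT ACL", NAT_R2_FIXED)):
        print(name, "R1->R5:", egress_r2(acl, "10.1.12.1", "10.1.45.5"))
    print("fixed NAT ACL R1->R3:", egress_r2(NAT_R2_FIXED, "10.1.12.1", "3.3.3.3"))
```

With the step-2 ACL the R1-to-R5 packet is translated to 100.1.23.2, no longer matches l2lacl, and would appear in cleartext in the Wireshark capture; with the deny entry it keeps its private source and is encrypted, while Internet-bound traffic to R3 is still translated.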