Author: 碧云天 (Spotlight)
This post was last edited by 碧云天 on 2020-3-25 16:54.
I. Test topology
(topology diagram: image not included in the extracted text)
II. Configuration steps
1. Basic configuration
A. PC1:

interface Loopback0
ip address 1.1.1.1 255.255.255.0
interface Ethernet0/0
ip address 10.1.1.10 255.255.255.0
no shutdown
ip route 2.2.2.0 255.255.255.0 10.1.1.1
B. Site1:
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
no shutdown
interface Ethernet0/1
ip address 202.100.1.1 255.255.255.0
no shutdown
ip route 1.1.1.0 255.255.255.0 10.1.1.10
ip route 2.2.2.0 255.255.255.0 202.100.1.10
ip route 61.128.1.1 255.255.255.255 202.100.1.10
C. Internet:
interface Ethernet0/0
ip address 202.100.1.10 255.255.255.0
no shutdown
interface Ethernet0/1
ip address 61.128.1.10 255.255.255.0
no shutdown
D. Site2:
interface Loopback0
ip address 2.2.2.2 255.255.255.0
interface Ethernet0/0
ip address 61.128.1.1 255.255.255.0
no shutdown
ip route 202.100.1.1 255.255.255.255 61.128.1.10
ip route 1.1.1.0 255.255.255.0 61.128.1.10
2. VPN configuration
A. Site1:
Phase 1 policy (main mode, pre-shared key):

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 0 Cisc0123 address 61.128.1.1

Site1's phase 1 policy is configured for aggressive mode:
Phase 1 policy:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp peer address 61.128.1.1
set aggressive-mode password Cisc0123
set aggressive-mode client-endpoint ipv4-address 202.100.1.1
Note: if Site1 initiates the VPN traffic first, phase 1 uses aggressive mode; if Site2 initiates first, phase 1 uses main mode.

Phase 2 transform set:
crypto ipsec transform-set transet esp-3des esp-md5-hmac
mode tunnel
Configure the interesting traffic (crypto ACL):
ip access-list extended VPN
permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
Configure the crypto map and apply it to the interface:
crypto map crymap 10 ipsec-isakmp
set peer 61.128.1.1
set transform-set transet
match address VPN
interface Ethernet0/1
crypto map crymap
B. Site2:
Phase 1 policy:

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 0 Cisc0123 address 202.100.1.1
Phase 2 transform set:
crypto ipsec transform-set transet esp-3des esp-md5-hmac
mode tunnel
Configure the interesting traffic (crypto ACL, the mirror image of Site1's):
ip access-list extended VPN
permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
Configure the crypto map and apply it to the interface:
crypto map crymap 10 ipsec-isakmp
set peer 202.100.1.1
set transform-set transet
match address VPN
interface Ethernet0/0
crypto map crymap
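As an added consistency check (example code written for this post, not part of the original post or of Cisco IOS), the script below parses constructed excerpts of the two sites' crypto configuration from the steps above and verifies what the tunnel depends on: mirrored crypto ACLs, identical ISAKMP policy and transform set between peers. It also flags the aggressive-mode option and the legacy phase 1 algorithms (3DES, MD5, DH group 2) used in the post so a reviewer sees them before the config is deployed.

```python
import re

# Constructed excerpt of Site1's crypto config from the post (main-mode variant).
SITE1 = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 0 Cisc0123 address 61.128.1.1
crypto ipsec transform-set transet esp-3des esp-md5-hmac
ip access-list extended VPN
 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
"""
# Site2 is the mirror image: peer address swapped, crypto ACL reversed.
SITE2 = SITE1.replace("61.128.1.1", "202.100.1.1").replace(
    "1.1.1.0 0.0.0.255 2.2.2.0", "2.2.2.0 0.0.0.255 1.1.1.0")

WEAK = {"encr 3des", "hash md5", "group 2"}  # legacy phase-1 settings used in the post

def crypto_acl(cfg):
    """(src, src_wc, dst, dst_wc) tuples from the crypto ACL permit lines."""
    return set(re.findall(r"permit ip (\S+) (\S+) (\S+) (\S+)", cfg))

def phase1(cfg):
    """Indented settings under the first 'crypto isakmp policy' block."""
    m = re.search(r"crypto isakmp policy \d+\n((?: .*\n)+)", cfg)
    return {line.strip() for line in m.group(1).splitlines()} if m else set()

def transform(cfg):
    """Transform-set algorithms, order-independent."""
    m = re.search(r"crypto ipsec transform-set \S+ (.*)", cfg)
    return tuple(sorted(m.group(1).split())) if m else None

def check_pair(a, b):
    """Return the list of mismatches and weak settings for a site pair."""
    issues = []
    # Each permit on one side must appear src/dst-swapped on the other;
    # otherwise phase 2 fails with a proxy-identity mismatch.
    if {(d, dw, s, sw) for s, sw, d, dw in crypto_acl(a)} != crypto_acl(b):
        issues.append("crypto ACLs are not mirror images")
    if phase1(a) != phase1(b):
        issues.append("ISAKMP policy differs between peers")
    if transform(a) != transform(b):
        issues.append("transform-set differs between peers")
    if "aggressive-mode" in a + b:
        issues.append("aggressive mode: identities and PSK-derived hash exchanged before encryption")
    issues += sorted("legacy phase-1 setting: " + w for w in WEAK & phase1(a))
    return issues
```

Running `check_pair(SITE1, SITE2)` on the post's configuration reports only the three legacy phase 1 settings; appending Site1's aggressive-mode lines adds the aggressive-mode finding.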
III. Verification
1. Ping the remote address from PC1 to trigger the VPN
PC1#ping 2.2.2.2 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
PC1#
2. Check the ISAKMP SA on Site1
Site1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
61.128.1.1 202.100.1.1 QM_IDLE 1001 ACTIVE
IPv6 Crypto ISAKMP SA
3. Check the encryption/decryption counters on Site1
Site1# show crypto engine connections active
Crypto Engine Connections
ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address
1 IPsec 3DES+SHA512 0 4 4 202.100.1.1
2 IPsec 3DES+SHA512 4 0 0 202.100.1.1
1001 IKE SHA384+3DES 0 0 0 202.100.1.1
Site1#
Comments
one-time (Level 13):
Thanks to the moderator for sharing, thank you~
likuo (Spotlight):
The topology diagram is great.