This post was last edited by 碧云天 on 2020-3-25 16:54
I. Test topology
II. Configuration steps
1. Basic configuration
A. PC1:
interface Loopback0
ip address 1.1.1.1 255.255.255.0
interface Ethernet0/0
ip address 10.1.1.10 255.255.255.0
no shutdown
ip route 2.2.2.0 255.255.255.0 10.1.1.1
B. Site1:
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
no shutdown
interface Ethernet0/1
ip address 202.100.1.1 255.255.255.0
no shutdown
ip route 1.1.1.0 255.255.255.0 10.1.1.10
ip route 2.2.2.0 255.255.255.0 202.100.1.10
ip route 61.128.1.1 255.255.255.255 202.100.1.10
C. Internet:
interface Ethernet0/0
ip address 202.100.1.10 255.255.255.0
no shutdown
interface Ethernet0/1
ip address 61.128.1.10 255.255.255.0
no shutdown
D. Site2:
interface Loopback0
ip address 2.2.2.2 255.255.255.0
interface Ethernet0/0
ip address 61.128.1.1 255.255.255.0
no shutdown
ip route 202.100.1.1 255.255.255.255 61.128.1.10
ip route 1.1.1.0 255.255.255.0 61.128.1.10
2. VPN configuration
A. Site1:
Phase 1 policy (main mode):
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 0 Cisc0123 address 61.128.1.1
Site1 Phase 1 policy configured for aggressive-mode:
Phase 1 policy:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp peer address 61.128.1.1
set aggressive-mode password Cisc0123
set aggressive-mode client-endpoint ipv4-address 202.100.1.1
Note: if Site1 initiates the VPN traffic first, Phase 1 uses aggressive-mode; if Site2 initiates first, Phase 1 uses main-mode.
Phase 2 transform set:
crypto ipsec transform-set transet esp-3des esp-md5-hmac
mode tunnel
Configure the interesting traffic:
ip access-list extended VPN
permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
Configure the crypto map and apply it on the interface:
crypto map crymap 10 ipsec-isakmp
set peer 61.128.1.1
set transform-set transet
match address VPN
interface Ethernet0/1
crypto map crymap
B. Site2:
Phase 1 policy:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 0 Cisc0123 address 202.100.1.1
Phase 2 transform set:
crypto ipsec transform-set transet esp-3des esp-md5-hmac
mode tunnel
Configure the interesting traffic:
ip access-list extended VPN
permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
Configure the crypto map and apply it on the interface:
crypto map crymap 10 ipsec-isakmp
set peer 202.100.1.1
set transform-set transet
match address VPN
interface Ethernet0/0
crypto map crymap
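The configuration above pairs IKEv1 aggressive-mode with a pre-shared key, 3DES, MD5 and DH group 2. The following audit script is an added example (not from the original post) that parses an IOS-style crypto configuration and flags these settings; the Site1 snippet embedded in it is taken from this lab, and the 20-character PSK threshold is an assumed local policy value, not an IOS rule.

```python
# Constructed sample: the Site1 IKEv1/IPsec configuration shown in this post.
SITE1_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp peer address 61.128.1.1
 set aggressive-mode password Cisc0123
 set aggressive-mode client-endpoint ipv4-address 202.100.1.1
crypto ipsec transform-set transet esp-3des esp-md5-hmac
 mode tunnel
"""

WEAK_ENCR = {"des", "3des"}
WEAK_HASH = {"md5", "sha"}          # 'sha' is SHA-1 on IOS
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}
MIN_PSK_LEN = 20                    # assumed local policy threshold, not an IOS rule

def audit_isakmp_config(config):
    """Return sorted (section, issue) findings for weak IKEv1 / IPsec settings."""
    findings = set()
    section = ""
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):            # unindented command opens a new section
            section = raw.strip()
            if section.startswith("crypto ipsec transform-set"):
                for t in section.split()[4:]:
                    if t in WEAK_ESP:
                        findings.add((section, f"weak ESP transform {t}"))
            continue
        key, *args = raw.split()
        if section.startswith("crypto isakmp policy"):
            if key == "encr" and args and args[0] in WEAK_ENCR:
                findings.add((section, f"weak IKE cipher {args[0]}"))
            elif key == "hash" and args and args[0] in WEAK_HASH:
                findings.add((section, f"weak IKE hash {args[0]}"))
            elif key == "group" and args and args[0] in WEAK_DH_GROUPS:
                findings.add((section, f"weak DH group {args[0]}"))
        elif section.startswith("crypto isakmp peer") and key == "set":
            if args[:2] == ["aggressive-mode", "password"] and len(args) > 2:
                # Aggressive mode exchanges identity and PSK-based hash before encryption is up,
                # so a short PSK is exposed to offline guessing: flag the mode and the key length.
                findings.add((section, "aggressive-mode with pre-shared key"))
                if len(args[2]) < MIN_PSK_LEN:
                    findings.add((section, f"PSK shorter than {MIN_PSK_LEN} characters"))
    return sorted(findings)
```

Running `audit_isakmp_config(SITE1_CONFIG)` on the lab's Site1 configuration yields seven findings; a policy using AES-256, SHA-256 and DH group 14 with `esp-aes 256 esp-sha256-hmac` yields none.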
III. Verification
1. PC1 pings the remote address to trigger the VPN
PC1#ping 2.2.2.2 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
PC1#
2. Check the ISAKMP SA on Site1
Site1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
61.128.1.1      202.100.1.1     QM_IDLE           1001 ACTIVE
IPv6 Crypto ISAKMP SA
3. Check the encrypt/decrypt counters on Site1
Site1# show crypto engine connections active
Crypto Engine Connections
  ID  Type    Algorithm       Encrypt  Decrypt LastSeqN IP-Address
   1  IPsec   3DES+SHA512           0        4        4 202.100.1.1
   2  IPsec   3DES+SHA512           4        0        0 202.100.1.1
1001  IKE     SHA384+3DES           0        0        0 202.100.1.1
Site1#