[R1]int g0/0/02
[R1-GigabitEthernet0/0/2]ip add 10.0.0.1 24
[R1-GigabitEthernet0/0/2]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 100.0.0.1 24
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]ip add 100.0.0.2 24
[R2-GigabitEthernet0/0/0]int g0/0/1
[R2-GigabitEthernet0/0/1]ip add 200.0.0.2 24
[R3]int g0/0/1
[R3-GigabitEthernet0/0/1]ip add 200.0.0.3 24
[R3-GigabitEthernet0/0/1]int g 0/0/02
[R3-GigabitEthernet0/0/2]ip add 20.0.0.1 24
Configure OSPF so that the routes are reachable
[R1]ospf 1 r 1.1.1.1
[R1-ospf-1]are 0
[R1-ospf-1-area-0.0.0.0] net 100.0.0.1 0.0.0.0
[R1-ospf-1-area-0.0.0.0]net 10.0.0.1 0.0.0.0
[R2]ospf 1 r 2.2.2.2
[R2-ospf-1]are 0
[R2-ospf-1-area-0.0.0.0]net 100.0.0.2 0.0.0.0
[R2-ospf-1-area-0.0.0.0]net 200.0.0.2 0.0.0.0
[R3]ospf 1 r 3.3.3.3
[R3-ospf-1]are 0
[R3-ospf-1-area-0.0.0.0]net 200.0.0.3 0.0.0.0
[R3-ospf-1-area-0.0.0.0]net 20.0.0.1 0.0.0.0
Test connectivity from PC1 to PC2, then configure IPsec
**R1 configuration**
[R1]acl 3000 //create the access control list
[R1-acl-adv-3000]rule 5 permit ip source 10.0.0.1 0.0.0.255 destination 20.0.0.1 0.0.0.255
[R1]ipsec proposal ipsec_r1 //configure an IPsec proposal
[R1-ipsec-proposal-ipsec_r1]transform esp //set the IPsec security protocol to ESP
[R1-ipsec-proposal-ipsec_r1]encapsulation-mode tunnel //use tunnel encapsulation mode
[R1-ipsec-proposal-ipsec_r1]esp authentication-algorithm sha1 //configure the ESP authentication algorithm
[R1-ipsec-proposal-ipsec_r1]esp encryption-algorithm aes-128 //configure the ESP encryption algorithm
[R1]ike proposal 1 //configure an IKE proposal
[R1-ike-proposal-1]q
[R1]ike peer ike_r1 v2 //create an IKE peer named ike_r1
[R1-ike-peer-ike_r1]ike-proposal 1 //reference the IKE proposal
[R1-ike-peer-ike_r1]pre-shared-key simple 123 //configure the pre-shared key
[R1-ike-peer-ike_r1]remote-address 200.0.0.3 //configure the peer IP address
[R1]ipsec policy policy_r1 1 isakmp //create a security policy
[R1-ipsec-policy-isakmp-policy_r1-1]proposal ipsec_r1 //reference the IPsec proposal
[R1-ipsec-policy-isakmp-policy_r1-1]ike-peer ike_r1 //reference the IKE peer
[R1-ipsec-policy-isakmp-policy_r1-1]security acl 3000 //reference the access control list
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ipsec policy policy_r1 //apply the IPsec policy on the interface
**R3 configuration**
[R3]acl 3000 //create the access control list
[R3-acl-adv-3000]rule 5 permit ip so 20.0.0.1 0.0.0.255 de 10.0.0.1 0.0.0.255
[R3]ipsec proposal ipsec_r3 //create an IPsec proposal
[R3-ipsec-proposal-ipsec_r3]transform esp //set the security protocol to ESP
[R3-ipsec-proposal-ipsec_r3]encapsulation-mode tunnel //use tunnel encapsulation mode
[R3-ipsec-proposal-ipsec_r3]esp authentication-algorithm sha1 //configure the ESP authentication algorithm
[R3-ipsec-proposal-ipsec_r3]esp encryption-algorithm aes-128 //configure the ESP encryption algorithm
[R3]ike pro 1 //create an IKE proposal
[R3-ike-proposal-1]q
[R3]ike peer ike_r3 v2 //create an IKE peer named ike_r3
[R3-ike-peer-ike_r3]ike-proposal 1 //reference the IKE proposal
[R3-ike-peer-ike_r3]pre-shared-key simple 123 //configure the pre-shared key
[R3-ike-peer-ike_r3]remote-address 100.0.0.1 //configure the peer IP address
[R3]ipsec policy policy_r3 1 isakmp //create a security policy
[R3-ipsec-policy-isakmp-policy_r3-1]proposal ipsec_r3 //reference the IPsec proposal
[R3-ipsec-policy-isakmp-policy_r3-1]ike-peer ike_r3 //reference the IKE peer
[R3-ipsec-policy-isakmp-policy_r3-1]security acl 3000 //reference the access control list
[R3]int g0/0/1
[R3-GigabitEthernet0/0/1]ipsec policy policy_r3 //apply the IPsec policy on the interface
Test IPsec
Ping again to trigger IKE negotiation, then use "display ike sa" to check the result:
- nat + IPsec
1. Configure interface IP addresses
[R1]int g0/0/02
[R1-GigabitEthernet0/0/2]ip add 10.0.0.1 24
[R1-GigabitEthernet0/0/2]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 100.0.0.1 24
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]ip add 100.0.0.2 24
[R2-GigabitEthernet0/0/0]int g0/0/1
[R2-GigabitEthernet0/0/1]ip add 200.0.0.2 24
[R3]int g0/0/1
[R3-GigabitEthernet0/0/1]ip add 200.0.0.3 24
[R3-GigabitEthernet0/0/1]int g 0/0/02
[R3-GigabitEthernet0/0/2]ip add 20.0.0.1 24
2. Configure static routes
[r1]ip route-static 0.0.0.0 0.0.0.0 100.0.0.2
[r3]ip route-static 0.0.0.0 0.0.0.0 200.0.0.2
3. Configure NAT
Exclude the IPsec interesting traffic (connections between the private networks must not be NAT-translated)
[r1]acl 3000
[r1-acl-adv-3000]rule 1 deny ip source 10.0.0.1 0.0.0.255 destination 20.0.0.1 0.0.0.255
[r1-acl-adv-3000]rule 5 permit ip //allow NAT translation for all other traffic
[r1]int g0/0/0
[r1-GigabitEthernet0/0/0]nat outbound 3000
[r3]acl 3000
[r3-acl-adv-3000]rule 1 deny ip source 20.0.0.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
[r3-acl-adv-3000]ru 5 per ip
[r3]int g0/0/1
[r3-GigabitEthernet0/0/1]nat outbound 3000
4. Configure IPsec
[r1]ike proposal 1 //configure the IKE proposal
[r1-ike-proposal-1]encryption-algorithm aes-cbc-128 //configure the encryption algorithm
[r1-ike-proposal-1]authentication-algorithm md5 //configure the authentication algorithm
//configure the IKE peer
[r1]ike peer test v2
[r1-ike-peer-test]ike-proposal 1 //reference the IKE proposal
[r1-ike-peer-test]pre-shared-key simple admin
[r1-ike-peer-test]remote-address 200.0.0.3
[r1-ike-peer-test]local-address 100.0.0.1
//match the IPsec interesting traffic
[r1]acl 3001
[r1-acl-adv-3001]rule 1 permit ip source 10.0.0.1 0.0.0.255 destination 20.0.0.1 0.0.0.255
//configure the IPsec proposal
[r1]ipsec proposal trans
[r1-ipsec-proposal-trans]encapsulation-mode tunnel //encapsulation mode
[r1-ipsec-proposal-trans]esp encryption-algorithm aes-128
[r1-ipsec-proposal-trans]esp authentication-algorithm md5
//configure the IPsec policy
[r1]ipsec policy r1-r3 10 isakmp
[r1-ipsec-policy-isakmp-r1-r3-10]ike-peer test //reference the IKE peer
[r1-ipsec-policy-isakmp-r1-r3-10]proposal trans //reference the IPsec proposal
[r1-ipsec-policy-isakmp-r1-r3-10]security acl 3001 //reference the interesting traffic
//apply on the interface
[r1]int g0/0/0
[r1-GigabitEthernet0/0/0]ipsec policy r1-r3
//R3 configuration
ipsec proposal ip_r1
ipsec proposal trans
esp encryption-algorithm aes-128
ike proposal 1
encryption-algorithm aes-cbc-128
authentication-algorithm md5
ike peer test v2
pre-shared-key simple admin
ike-proposal 1
local-address 200.0.0.3
remote-address 100.0.0.1
ipsec policy r1-r3 10 isakmp
security acl 3001
ike-peer test
proposal trans
acl number 3001
rule 1 permit ip source 20.0.0.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
interface GigabitEthernet0/0/1
ipsec policy r1-r3
//check with: dis ipsec sa
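A check of the ACL logic in both IPsec labs above (the interesting-traffic ACLs of the first lab, and the NAT-exclusion plus interesting-traffic ACLs of the nat + IPsec lab), as an added Python example that is not part of the original notes: it models Huawei wildcard matching and first-match ACL evaluation, normalizes references such as 10.0.0.1 0.0.0.255 so the two routers' rules can be confirmed as mirror images, and replays the outbound decision on R1 G0/0/0, where nat outbound is consulted before the IPsec policy (the reason rule 1 of acl 3000 denies the interesting traffic). The rule tuples are transcribed from the page; the treatment labels "nat", "ipsec" and "plain" are this model's own.

```python
from ipaddress import IPv4Address

MASK32 = 0xFFFFFFFF


def _norm(ref: str, wildcard: str) -> tuple:
    """Canonical (network, wildcard) pair: clear the don't-care bits of the reference,
    so 10.0.0.1 0.0.0.255 and 10.0.0.0 0.0.0.255 describe the same range."""
    r, w = int(IPv4Address(ref)), int(IPv4Address(wildcard))
    return (r & ~w & MASK32, w)


def wildcard_match(addr: str, ref: str, wildcard: str) -> bool:
    """Huawei/Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    net, w = _norm(ref, wildcard)
    return (int(IPv4Address(addr)) & ~w & MASK32) == net


ANY = ("0.0.0.0", "255.255.255.255")  # "rule 5 permit ip" with no source/destination


def acl_lookup(rules, src: str, dst: str):
    """First-match evaluation; a rule is (action, src, src_wc, dst, dst_wc). None = no match."""
    for action, rs, rsw, rd, rdw in rules:
        if wildcard_match(src, rs, rsw) and wildcard_match(dst, rd, rdw):
            return action
    return None


def mirrors(rule_a, rule_b) -> bool:
    """True when rule_b is rule_a with source and destination swapped (after normalization),
    which is what the two IPsec peers' interesting-traffic ACLs must satisfy."""
    act_a, a_s, a_sw, a_d, a_dw = rule_a
    act_b, b_s, b_sw, b_d, b_dw = rule_b
    return (act_a == act_b and _norm(a_s, a_sw) == _norm(b_d, b_dw)
            and _norm(a_d, a_dw) == _norm(b_s, b_sw))


# ACLs transcribed from the nat + IPsec section of the page.
R1_NAT_3000 = [("deny", "10.0.0.1", "0.0.0.255", "20.0.0.1", "0.0.0.255"),
               ("permit", *ANY, *ANY)]
R1_IPSEC_3001 = [("permit", "10.0.0.1", "0.0.0.255", "20.0.0.1", "0.0.0.255")]
R3_IPSEC_3001 = [("permit", "20.0.0.0", "0.0.0.255", "10.0.0.0", "0.0.0.255")]


def r1_outbound_treatment(src: str, dst: str) -> str:
    """Treatment of a packet leaving R1 G0/0/0: nat outbound (acl 3000) is evaluated before
    the IPsec policy (acl 3001), so traffic permitted by acl 3000 is translated and never
    reaches the tunnel. Labels are this model's own: 'nat', 'ipsec' or 'plain'."""
    if acl_lookup(R1_NAT_3000, src, dst) == "permit":
        return "nat"
    if acl_lookup(R1_IPSEC_3001, src, dst) == "permit":
        return "ipsec"
    return "plain"
```

Dropping rule 1 from R1_NAT_3000 makes the PC1 to PC2 traffic come back as "nat", which reproduces the failure the page guards against: the translated source no longer matches acl 3001, so the tunnel is never triggered.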