1. Basic configuration
R1
int g0/0
no swi
ip a 10.0.0.1 24
int l 0
ip a 192.168.1.1 24
ip route 0.0.0.0 0.0.0.0 10.0.0.2
R2
int g0/0
no swi
ip a 10.0.0.2 24
int g0/1
no swi
ip a 20.0.0.2 24
R3
int g0/0
no swi
ip a 20.0.0.1 24
int l 0
ip a 192.168.2.1 24
ip route 0.0.0.0 0.0.0.0 20.0.0.2
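Test public network reachability
IPsec configuration
R1 (headquarters)
crypto isakmp policy 1 # Create a new ISAKMP (IKE) policy
encryption 3des # Use 3DES for encryption
authentication pre-share # Set the authentication method to "pre-shared key"
crypto isakmp key 0 ruijie address 0.0.0.0 0.0.0.0 # Configure the pre-shared key; any peer address can negotiate with it
crypto ipsec transform-set cs esp-des esp-md5-hmac # Configure the transform set: IPsec uses ESP encapsulation with DES encryption and MD5 integrity checking
crypto dynamic-map cs 5 # Define the dynamic crypto map
set transform-set cs # Set the transform set
crypto map fz 10 ipsec-isakmp dynamic cs # Bind dynamic map cs to crypto map fz
interface GigabitEthernet 0/0
crypto map fz # Apply the crypto map to the interface
R3 (branch)
ip access-list extended 101 # Define the interesting traffic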
10 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto isakmp policy 1
encryption 3des
authentication pre-share
crypto isakmp key 0 ruijie address 10.0.0.1
crypto ipsec transform-set wh esp-des esp-md5-hmac
crypto map wh 5 ipsec-isakmp
set peer 10.0.0.1
set transform-set wh
match address 101
interface GigabitEthernet 0/0
crypto map wh
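
An audit sketch for the crypto lines configured above, added here as an example (it is not part of the original notes and not a Ruijie tool): it flags the single-DES/MD5 transform set, the 3DES IKE policy, and the pre-shared key bound to 0.0.0.0 0.0.0.0. The rule list, the finding texts and the `audit` function name are this example's own assumptions.

```python
import re

# Constructed sample: the crypto lines of the R1 (headquarters) config above.
SAMPLE_R1 = """\
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
crypto isakmp key 0 ruijie address 0.0.0.0 0.0.0.0
crypto ipsec transform-set cs esp-des esp-md5-hmac
crypto dynamic-map cs 5
 set transform-set cs
crypto map fz 10 ipsec-isakmp dynamic cs
"""

# (pattern, finding) pairs written for this example.
# RFC 8221 lists DES and HMAC-MD5-96 as MUST NOT and 3DES as SHOULD NOT for ESP.
RULES = [
    (re.compile(r"^crypto ipsec transform-set \S+ .*\besp-des\b"),
     "ESP encryption is single DES (56-bit key)"),
    (re.compile(r"^crypto ipsec transform-set \S+ .*\besp-md5-hmac\b"),
     "ESP integrity is HMAC-MD5"),
    (re.compile(r"^encryption (des|3des)\b"),
     "IKE policy cipher is DES/3DES (64-bit block)"),
    (re.compile(r"^crypto isakmp key \d+ \S+ address 0\.0\.0\.0 0\.0\.0\.0$"),
     "pre-shared key is accepted from any peer address"),
]


def audit(config):
    """Return (line_number, config_line, finding) for every rule that matches."""
    findings = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        # Drop trailing "# ..." annotations like the ones used in these notes.
        line = re.sub(r"\s+#.*$", "", raw).strip()
        for pattern, message in RULES:
            if pattern.search(line):
                findings.append((lineno, line, message))
    return findings


if __name__ == "__main__":
    for lineno, line, message in audit(SAMPLE_R1):
        print(f"line {lineno}: {message}: {line}")
```

The branch-side key line (`address 10.0.0.1`) does not trigger the wildcard rule because it is bound to a single peer; the R3 transform set `wh` is flagged the same way as `cs`.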