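IPsec VPN point-to-point lab
Configuring IPsec on the firewall
1. In the security policy, permit the IPsec phase 1 and phase 2 traffic
2. Permit the interesting traffic
DSVPN multi-layer branch lab
R1 is the headquarters, R3 and R4 are branch offices, R5 and R6 are sub-branches of R3, and R7 and R8 are sub-branches of R4.
Requirement: all offices communicate with each other over DSVPN, using basic mGRE to build the tunnels and IPsec to encrypt the data;
Configuration: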
R3:
#
ipsec proposal yyy
encapsulation-mode transport
transform ah-esp
ah authentication-algorithm sha1
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ike proposal 1
encryption-algorithm aes-cbc-128
dh group5
authentication-algorithm md5
sa duration 3600
#
ike peer yyy v1
exchange-mode aggressive
pre-shared-key simple 999
ike-proposal 1
local-id-type name
remote-name kkk
#
ipsec profile yyy
ike-peer yyy
proposal yyy
#
interface Tunnel0/0/0
ip address 172.16.1.3 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet0/0/0
gre key 123
ospf network-type p2mp
ipsec profile yyy
nhrp redirect
nhrp shortcut
nhrp entry multicast dynamic
nhrp network-id 100
nhrp entry 172.16.1.1 100.1.12.2 register
#
ospf 1 router-id 3.3.3.3
area 0.0.0.0
network 10.3.3.3 0.0.0.0
network 172.16.1.0 0.0.0.255
#
ike local-name kkk
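
The proposal and peer settings in the R3 configuration above are fine for a lab but would not pass a crypto review in production. The following is an added example, not part of the original lab notes: a small section-aware checker that reads a '#'-separated configuration and reports the weak settings. The function name `audit` and the rule set are assumptions made for this illustration.

```python
import re

# Excerpt of the R3 crypto sections above, embedded as sample input.
SAMPLE = """\
#
ipsec proposal yyy
ah authentication-algorithm sha1
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ike proposal 1
encryption-algorithm aes-cbc-128
dh group5
authentication-algorithm md5
#
ike peer yyy v1
exchange-mode aggressive
pre-shared-key simple 999
#
"""

# Illustrative rule set: (section prefix, pattern for a line in that section, finding)
RULES = [
    ("ipsec proposal", r"^esp encryption-algorithm (des|3des)$", "legacy 64-bit block cipher; use AES"),
    ("ipsec proposal", r"^(ah|esp) authentication-algorithm (md5|sha1)$", "weak integrity hash; use SHA-2"),
    ("ike proposal", r"^authentication-algorithm (md5|sha1)$", "weak IKE hash; use SHA-2"),
    ("ike proposal", r"^dh group(1|2|5)$", "DH group under 2048 bits; use group14 or higher"),
    ("ike peer", r"^exchange-mode aggressive$", "aggressive mode exposes a PSK-derived hash to offline guessing"),
    ("ike peer", r"^pre-shared-key simple ", "pre-shared key stored in cleartext in the config"),
]

def audit(config):
    """Return (section, line, finding) for each weak setting in a '#'-separated config."""
    findings, section = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("", "#"):
            section = None      # '#' closes the current section
            continue
        if section is None:
            section = line      # first line after '#' names the section
        for prefix, pattern, finding in RULES:
            if section.startswith(prefix) and re.search(pattern, line):
                findings.append((section, line, finding))
    return findings

if __name__ == "__main__":
    for section, line, finding in audit(SAMPLE):
        print(f"[{section}] {line}: {finding}")
```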