![](https://i-blog.csdnimg.cn/blog_migrate/34f07082f3f354710fc9d87d4d9344d9.bmp)
r7#sh run
Building configuration...
hostname r7
!
!
crypto isakmp policy 100
 authentication pre-share
crypto isakmp key 6 cisco1234 address 218.94.129.34
!
!
crypto ipsec transform-set myset esp-des
!
crypto map mymap 110 ipsec-isakmp
 set peer 218.94.129.34
 set transform-set myset
 match address 120
!
!
!
!
!
interface Loopback0
 ip address 7.1.1.1 255.255.255.0
!
interface Ethernet1/0
 ip address 17.1.1.2 255.255.255.0
 duplex half
 crypto map mymap
!
router ospf 10
 log-adjacency-changes
 network 17.1.1.0 0.0.0.255 area 0
!
ip route 172.10.2.0 255.255.255.0 17.1.1.1
!
!
logging alarm informational
access-list 120 permit ip 7.1.1.0 0.0.0.255 172.10.2.0 0.0.0.255
!
!
~~~~~~~~~~~~~~~~~~
R5×××#sh run
Building configuration...
Current configuration : 1217 bytes
!
hostname R5×××
!
!
!
crypto isakmp policy 100
 authentication pre-share
crypto isakmp key 6 cisco1234 address 17.1.1.2
!
!
crypto ipsec transform-set myset esp-des
!
crypto map mymap 110 ipsec-isakmp
 set peer 17.1.1.2
 set transform-set myset
 match address 120
!
!
interface Ethernet2/0
 ip address 218.94.129.34 255.255.255.0
 duplex half
 crypto map mymap
!
interface Ethernet2/1
 ip address 172.10.2.253 255.255.255.0
 duplex half
!
ip route 0.0.0.0 0.0.0.0 218.94.129.33
!
!
!
access-list 120 permit ip 172.10.2.0 0.0.0.255 7.1.1.0 0.0.0.255
!
!
!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Steps:
! Enable IKE and create an IKE policy with priority 100 that uses a pre-shared key as the authentication method
crypto isakmp policy 100
 authentication pre-share
! Configure the pre-shared key and the peer address
crypto isakmp key 6 cisco1234 address 192.168.191.2
show crypto isakmp policy
! Packets to be encapsulated
access-list 120 permit ip 192.168.200.0 0.0.0.255 192.168.0.0 0.0.0.255
! Configure the IPsec transform set, specifying DES to encrypt the packets
crypto ipsec transform-set myset esp-des
! Configure an IPsec crypto map using a map named MYMAP and sequence number 110
crypto map mymap 110 ipsec-isakmp
 ! Match condition
 match address 120
 ! Set the transform set to myset
 set transform-set myset
 ! Set the peer
 set peer 192.168.191.2
interface Serial1/2
 ! Apply the crypto map mymap to the interface on R3
 crypto map mymap
show crypto ipsec sa
debug crypto ipsec
debug crypto isakmp
clear crypto sa
clear crypto isakmp
show crypto isakmp sa
r7#ping 172.10.2.253 source 7.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.10.2.253, timeout is 2 seconds:
Packet sent with a source address of 7.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/125/228 ms
r7#
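The steps above only bring the tunnel up when the two routers agree: each `set peer` and key address must be the other side's crypto-map interface, and the two copies of access-list 120 must mirror each other. The check below is an added example, not part of the original post; it verifies that pairing for the r7 and R5 configurations shown and also reports that `esp-des` gives single-DES encryption with no HMAC integrity transform. The function names `parse` and `audit` and the trimmed config strings are assumptions made for this example.

```python
import re

# Trimmed from the two "sh run" outputs on this page; sub-command indentation restored.
R7 = """crypto isakmp key 6 cisco1234 address 218.94.129.34
crypto ipsec transform-set myset esp-des
crypto map mymap 110 ipsec-isakmp
 set peer 218.94.129.34
interface Ethernet1/0
 ip address 17.1.1.2 255.255.255.0
 crypto map mymap
access-list 120 permit ip 7.1.1.0 0.0.0.255 172.10.2.0 0.0.0.255
"""
R5 = """crypto isakmp key 6 cisco1234 address 17.1.1.2
crypto ipsec transform-set myset esp-des
crypto map mymap 110 ipsec-isakmp
 set peer 17.1.1.2
interface Ethernet2/0
 ip address 218.94.129.34 255.255.255.0
 crypto map mymap
interface Ethernet2/1
 ip address 172.10.2.253 255.255.255.0
access-list 120 permit ip 172.10.2.0 0.0.0.255 7.1.1.0 0.0.0.255
"""

def parse(cfg):
    """Pull out the values that must agree between the two tunnel endpoints."""
    one = lambda pat: re.search(pat, cfg, re.M).group(1)
    blocks = re.split(r"^interface ", cfg, flags=re.M)[1:]
    wan = next(b for b in blocks if re.search(r"^ +crypto map ", b, re.M))
    return {"peer": one(r"^ +set peer (\S+)"),
            "key_for": one(r"^crypto isakmp key .* address (\S+)"),
            "local": re.search(r"ip address (\S+)", wan).group(1),
            "xforms": one(r"^crypto ipsec transform-set \S+ (.+)$").split(),
            "acl": re.search(r"^access-list \d+ permit ip (\S+ \S+) (\S+ \S+)", cfg, re.M).groups()}

def audit(a, b):
    """Return findings: pairing mismatches first, then weak crypto per endpoint."""
    out = []
    if a["acl"] != b["acl"][::-1]:
        out.append("crypto ACLs are not mirror images")
    for name, x, y in (("a", a, b), ("b", b, a)):
        if not x["peer"] == x["key_for"] == y["local"]:
            out.append(f"{name}: peer/key address is not the remote crypto-map interface")
        if "esp-des" in x["xforms"]:
            out.append(f"{name}: transform-set encrypts with single DES")
        if not any(t.endswith("-hmac") for t in x["xforms"]):
            out.append(f"{name}: transform-set has no HMAC integrity transform")
    return out

print("\n".join(audit(parse(R7), parse(R5))))
```
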
Reprinted from: https://blog.51cto.com/czywf/189819