The material comes from an online video; these are my notes.

 
For the video tutorial, see http://www.verycd.com/topics/2802335/
 
 
 
IPSec VPN router configuration: tunnel mode
 
 
Diagram:
https://lh5.googleusercontent.com/-wHTLifoMRdA/TmCkxJU0PvI/AAAAAAAAAxY/mFg3IWhFGZs/s800/IMG_20110902_173559.jpg%2B%2B2048%25C3%25971536.jpg
 
 
Basic configuration for R1:
 
en
conf t
no ip domain-lookup 
ip classless
ip subnet-zero
hostname R1
 
int s1/0
ip addr 203.0.0.1 255.255.255.0
no shut
exi
int f0/0
ip addr 201.0.0.1 255.255.255.0
no shut
exi
 
int tunnel0
 
ip addr 192.168.100.1 255.255.255.0
no shut
exi
 
router rip
net 201.0.0.0
net 203.0.0.0
net 192.168.100.0
end
 
sh ip rou
 
 
Basic configuration for R2:
 
en
conf t
no ip domain-lookup
ip classless
ip subnet-zero
hostname R2
 
int s1/0
ip addr 203.0.0.2 255.255.255.0
no shut
exi
 
int f0/0
ip addr 202.0.0.1 255.255.255.0
no shut
exi
 
int tunnel0
ip addr 192.168.100.2 255.255.255.0
no shut
exi
 
router rip
net 202.0.0.0
net 203.0.0.0
net 192.168.100.0
end
 
sh ip rou
 
 
IPsec settings for R1:
 
en
conf t
crypto isakmp enable
 
crypto isakmp policy 11
encryption 3des
hash sha
group 2
lifetime 5000
authentication pre-share
exi
 
crypto isakmp key cisco123 address 203.0.0.2
 
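! crypto ACL: the source is the local end (R1) and the destination is the peer; R2's entry is the mirror image
access-list 111 permit gre host 203.0.0.1 host 203.0.0.2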
access-list 111 permit ip any any
 
crypto ipsec transform-set set1 ah-sha-hmac esp-3des esp-md5-hmac 
mode tunnel
exi
 
crypto map map1 10 ipsec-isakmp
match address 111
set transform-set set1
set peer 203.0.0.2
exi
 
int s1/0
crypto map map1
no shu
 
int tunnel0
tunnel source 203.0.0.1
tunnel destination 203.0.0.2
crypto map map1
no shut
end
 
sh crypto ipsec sa
 
 
 
 
IPsec settings for R2:
 
en
conf t
crypto isakmp enable
 
crypto isakmp policy 11
encryption 3des
hash sha
group 2
lifetime 5000
authentication pre-share
exit
 
crypto isakmp key cisco123 address 203.0.0.1
 
access-list 111 permit gre host 203.0.0.2 host 203.0.0.1
access-list 111 permit ip any any
 
crypto ipsec transform-set set1 ah-sha-hmac esp-3des esp-md5-hmac
mode tunnel
exi
 
crypto map map1 10 ipsec-isakmp
match address 111
set transform-set set1
set peer 203.0.0.1
exi
 
int s1/0
crypto map map1
no shu
 
int tunnel0
tunnel source 203.0.0.2
tunnel destination 203.0.0.1
crypto map map1
no shut
end
 
sh crypto ipsec sa
 
 
 
 
Done. The two routers can ping each other.
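
Added example (not part of the original notes or the video): a Python check that compares the IPsec settings of two peers like R1 and R2 above, covering the ISAKMP policy, the pre-shared key, the transform set, and whether the crypto ACL host entries mirror each other. The sample configs are constructed from this page's values; the function names and the LEGACY list are assumptions of this example.

```python
import re

# Constructed sample built from this page's addresses, names and algorithms.
TEMPLATE = """\
crypto isakmp policy 11
 encryption 3des
 hash sha
 group 2
 authentication pre-share
crypto isakmp key cisco123 address {peer}
access-list 111 permit gre host {me} host {peer}
access-list 111 permit ip any any
crypto ipsec transform-set set1 ah-sha-hmac esp-3des esp-md5-hmac
"""
R1 = TEMPLATE.format(me="203.0.0.1", peer="203.0.0.2")
R2 = TEMPLATE.format(me="203.0.0.2", peer="203.0.0.1")
# Assumption of this example: algorithms and DH groups treated as legacy.
LEGACY = {"encryption des", "encryption 3des", "hash md5", "group 1", "group 2",
          "group 5", "esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}

def parse(cfg):
    """Extract the values the two IPsec peers have to agree on."""
    rows = [l.split(None, 1) for l in cfg.splitlines() if len(l.split()) > 1]
    policy = {k: v.strip() for k, v in rows
              if k in ("encryption", "hash", "group", "authentication")}
    key = re.search(r"crypto isakmp key (\S+) address", cfg).group(1)
    # Only host-to-host entries are compared; "permit ip any any" mirrors itself.
    acl = re.findall(r"access-list \d+ permit (\S+) host (\S+) host (\S+)", cfg)
    tset = re.search(r"crypto ipsec transform-set \S+ (.+)", cfg).group(1).split()
    return {"policy": policy, "key": key, "acl": acl, "tset": tset}

def check(cfg_a, cfg_b):
    """Return the mismatches between two peers' IPsec settings."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    if a["policy"] != b["policy"]:
        problems.append("ISAKMP policy differs")
    if a["key"] != b["key"]:
        problems.append("pre-shared key differs")
    if a["tset"] != b["tset"]:
        problems.append("transform-set differs")
    if a["acl"] != [(proto, dst, src) for proto, src, dst in b["acl"]]:
        problems.append("crypto ACLs are not mirror images")
    return problems

def legacy(cfg):
    """List legacy algorithm choices found in the policy and transform set."""
    p = parse(cfg)
    return sorted(({f"{k} {v}" for k, v in p["policy"].items()} | set(p["tset"])) & LEGACY)
```

The ISAKMP lifetime is left out of the comparison on purpose, since the two ends do not have to configure the same value.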