The material comes from an online video; these are my notes.
For the video tutorial, go here: http://www.verycd.com/topics/2802335/
IPSec VPN router configuration: tunnel mode
Figure:
https://lh5.googleusercontent.com/-wHTLifoMRdA/TmCkxJU0PvI/AAAAAAAAAxY/mFg3IWhFGZs/s800/IMG_20110902_173559.jpg%2B%2B2048%25C3%25971536.jpg
Basic configuration for R1:
en
conf t
no ip domain-lookup
ip classless
ip subnet-zero
hostname R1
int s1/0
ip addr 203.0.0.1 255.255.255.0
no shut
exi
int f0/0
ip addr 201.0.0.1 255.255.255.0
no shut
exi
int tunnel0
ip addr 192.168.100.1 255.255.255.0
no shut
exi
router rip
net 201.0.0.0
net 203.0.0.0
net 192.168.100.0
end
sh ip rou
Basic configuration for R2:
en
conf t
no ip domain-lookup
ip classless
ip subnet-zero
hostname R2
int s1/0
ip addr 203.0.0.2 255.255.255.0
no shut
exi
int f0/0
ip addr 202.0.0.1 255.255.255.0
no shut
exi
int tunnel0
ip addr 192.168.100.2 255.255.255.0
no shut
exi
router rip
net 202.0.0.0
net 203.0.0.0
net 192.168.100.0
end
sh ip rou
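IPsec settings for R1:
en
conf t
crypto isakmp enable
! IKE phase 1 policy; R2 must be configured with the same values.
! 3DES and DH group 2 (and MD5 in the transform set below) are legacy algorithms.
crypto isakmp policy 11
encryption 3des
hash sha
group 2
lifetime 5000
authentication pre-share
exi
! Pre-shared key used with the peer R2 (203.0.0.2)
crypto isakmp key cisco123 address 203.0.0.2
! Crypto ACL: GRE from R1 (203.0.0.1) to R2 (203.0.0.2), the mirror image of R2's entry
access-list 111 permit gre host 203.0.0.1 host 203.0.0.2
! This entry also matches all other IP traffic, so the crypto map applies to everything
access-list 111 permit ip any any
! AH with SHA plus ESP with 3DES and MD5, in tunnel mode
crypto ipsec transform-set set1 ah-sha-hmac esp-3des esp-md5-hmac
mode tunnel
exi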
crypto map map1 10 ipsec-isakmp
match address 111
set transform-set set1
set peer 203.0.0.2
exi
int s1/0
crypto map map1
no shu
int tunnel0
tunnel source 203.0.0.1
tunnel destination 203.0.0.2
crypto map map1
no shut
end
sh crypto ipsec sa
IPsec settings for R2:
en
conf t
crypto isakmp enable
crypto isakmp policy 11
encryption 3des
hash sha
group 2
lifetime 5000
authentication pre-share
exit
crypto isakmp key cisco123 address 203.0.0.1
access-list 111 permit gre host 203.0.0.2 host 203.0.0.1
access-list 111 permit ip any any
crypto ipsec transform-set set1 ah-sha-hmac esp-3des esp-md5-hmac
mode tunnel
exi
crypto map map1 10 ipsec-isakmp
match address 111
set transform-set set1
set peer 203.0.0.1
exi
int s1/0
crypto map map1
no shu
int tunnel0
tunnel source 203.0.0.2
tunnel destination 203.0.0.1
crypto map map1
no shut
end
sh crypto ipsec sa
Done; the two routers can ping each other.
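Added example (not part of the original notes): a Python check that the two routers' IPsec settings agree. The ISAKMP policy and pre-shared key must match, each peer address must point at the other router, and the crypto ACLs should be mirror images. The render() helper and the sample configs it produces are constructed from the addresses and names used above.

```python
import re

def render(local, peer, gre_src, gre_dst, key="cisco123"):
    """Constructed sample: the IPsec-relevant lines of one router's config."""
    return f"""crypto isakmp policy 11
 encryption 3des
 hash sha
 group 2
 authentication pre-share
crypto isakmp key {key} address {peer}
access-list 111 permit gre host {gre_src} host {gre_dst}
access-list 111 permit ip any any
crypto map map1 10 ipsec-isakmp
 set peer {peer}
interface Serial1/0
 ip address {local} 255.255.255.0
"""

def parse(cfg):
    """Extract the fields both peers must agree on."""
    one = lambda pat: re.search(pat, cfg, re.M).group(1)
    ends = r"(any|host \S+)"
    return {
        "policy": tuple(one(rf"^ {k} (\S+)") for k in
                        ("encryption", "hash", "group", "authentication")),
        "key": one(r"^crypto isakmp key (\S+) address"),
        "key_addr": one(r"^crypto isakmp key \S+ address (\S+)"),
        "peer": one(r"^ set peer (\S+)"),
        "local": one(r"^ ip address (\S+)"),
        "acl": set(re.findall(rf"^access-list 111 permit (\S+) {ends} {ends}$", cfg, re.M)),
    }

def check_pair(cfg_a, cfg_b):
    """Return a list of inconsistencies between the two peers' configs."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    if a["policy"] != b["policy"]:
        problems.append("ISAKMP policy differs")
    if a["key"] != b["key"]:
        problems.append("pre-shared key differs")
    for x, y, name in ((a, b, "A"), (b, a, "B")):
        if x["peer"] != y["local"] or x["key_addr"] != y["local"]:
            problems.append(f"{name}: peer/key address is not the other router")
    if a["acl"] != {(p, dst, src) for p, src, dst in b["acl"]}:
        problems.append("crypto ACLs are not mirror images")
    return problems
```

An empty list means the pair is consistent; an ACL line copied unchanged from one router to the other is reported as a mirror mismatch.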
Reposted from: https://blog.51cto.com/wugai/660328