Topology diagram
Lab objective:
Encrypt the traffic between R1's subnet 172.16.10.0/24 and R2's subnet 172.17.10.0/24.
Configuration approach:
Routing
Define the interesting traffic with an ACL
Configure IKE phase 1
Configure IKE phase 2
Create a crypto map and apply it to the interface
Configuration:
R1:
Configure the default route and the interface IP addresses

interface Loopback0
 ip address 172.16.10.1 255.255.255.0
 no shutdown
 exit
interface FastEthernet0/0
 ip address 200.1.1.1 255.255.255.0
 no shutdown
 exit
ip route 0.0.0.0 0.0.0.0 200.1.1.2

Configure the ACL (the interesting traffic)

ip access-list extended ipsec-acl-1
 permit ip 172.16.10.0 0.0.0.255 172.17.10.0 0.0.0.255 log
 exit

Configure IKE phase 1

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
 lifetime 86400
 exit

Configure the IKE phase 1 pre-shared key

! Done on an emulator; a real router may not need the 6 after "key"
crypto isakmp key 6 tommy address 200.1.1.2

Configure IKE phase 2

crypto ipsec transform-set SET-1 esp-3des esp-md5-hmac
 mode tunnel
 exit

Configure the crypto map

crypto map MAP-1 10 ipsec-isakmp
 set peer 200.1.1.2
 set transform-set SET-1
 match address ipsec-acl-1
 exit

Apply the crypto map to the interface

interface FastEthernet0/0
 crypto map MAP-1
 exit
R2:
Configure the default route and the interface IP addresses

interface Loopback0
 ip address 172.17.10.1 255.255.255.0
 no shutdown
 exit
interface FastEthernet0/0
 ip address 200.1.1.2 255.255.255.0
 no shutdown
 exit
ip route 0.0.0.0 0.0.0.0 200.1.1.1

Configure the ACL (the mirror image of R1's)

ip access-list extended ipsec-acl-1
 permit ip 172.17.10.0 0.0.0.255 172.16.10.0 0.0.0.255 log
 exit

Configure IKE phase 1

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
 lifetime 86400
 exit

Configure the IKE phase 1 pre-shared key

! Done on an emulator; a real router may not need the 6 after "key"
crypto isakmp key 6 tommy address 200.1.1.1

Configure IKE phase 2

crypto ipsec transform-set SET-1 esp-3des esp-md5-hmac
 mode tunnel
 exit

Configure the crypto map

crypto map MAP-1 10 ipsec-isakmp
 set peer 200.1.1.1
 set transform-set SET-1
 match address ipsec-acl-1
 exit

Apply the crypto map to the interface

interface FastEthernet0/0
 crypto map MAP-1
 exit
The configuration is now complete.
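As an added check that is not part of the original post: a small Python script that audits the two routers' crypto settings above for algorithms that are deprecated today (3DES, MD5, DH group 5) and verifies that the two crypto ACLs are exact mirror images, which is the usual reason a tunnel negotiates from one side only. The R1/R2 config strings are constructed from the commands in this post; the patterns, recommendations and function names are my own.

```python
import re

# Constructed samples: the crypto-relevant lines of R1 and R2 from this post
R1 = """ip access-list extended ipsec-acl-1
 permit ip 172.16.10.0 0.0.0.255 172.17.10.0 0.0.0.255 log
crypto isakmp policy 10
 encr 3des
 hash md5
 group 5
crypto ipsec transform-set SET-1 esp-3des esp-md5-hmac
"""
# R2 is the same policy with the interesting-traffic ACL reversed
R2 = R1.replace("172.16.10.0 0.0.0.255 172.17.10.0", "172.17.10.0 0.0.0.255 172.16.10.0")

# Settings that are deprecated today, with the replacement to configure instead
WEAK = {
    r"\bencr 3des\b": "encr aes 256",
    r"\bhash md5\b": "hash sha256",
    r"\bgroup [125]\b": "group 14 or stronger",
    r"\besp-3des\b": "esp-aes 256",
    r"\besp-md5-hmac\b": "esp-sha256-hmac",
}

def weak_settings(cfg):
    """Return (matched text, recommended replacement) for each weak setting found."""
    return [(m.group(0), fix) for pat, fix in WEAK.items() for m in re.finditer(pat, cfg)]

PERMIT = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)")

def interesting_traffic(cfg):
    """Set of (src, src_wildcard, dst, dst_wildcard) tuples from the crypto ACL."""
    return {m.groups() for m in PERMIT.finditer(cfg)}

def acls_mirror(cfg_a, cfg_b):
    """True only if every permit on one peer appears reversed on the other."""
    mirrored_b = {(d, dw, s, sw) for (s, sw, d, dw) in interesting_traffic(cfg_b)}
    return interesting_traffic(cfg_a) == mirrored_b

if __name__ == "__main__":
    for name, cfg in (("R1", R1), ("R2", R2)):
        for found, fix in weak_settings(cfg):
            print(f"{name}: '{found}' is deprecated, use '{fix}'")
    print("crypto ACLs mirror each other:", acls_mirror(R1, R2))
```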
Verification:
Ping test

R1#ping 172.17.10.1 source 172.16.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.10.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.10.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 64/69/76 ms
R1#

Packet capture:
The IPsec VPN is configured successfully.
Reposted from: https://blog.51cto.com/tommyking/1955906