前段时间做了一个关于ipsec L2L ***的有趣的实验,这个实验看起来貌似比较简单,但我个人觉得这个实验还是有一定技术含金量。如果思路不正确的话,解起来会很费劲!!我觉得做这个实验完全可以测试出对传统ipsec L2L配置的理解程度,大家可以先不看我贴的配置,先自己试试...
实验要求:
1、要求R1、R2、R3身后的网络互相通讯时被ipsec加密保护
2、任何1台设备的1条链路出现故障,不影响身后网络的通讯(ipsec加密保护)
3、使用传统ipsec L2L ×××实现(禁止使用SVTI、GRE Over Ipsec技术)
------------------------------------------------------------
R1的配置:
Current configuration : 1859 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key AB address 12.0.0.2
crypto isakmp key AB2 address 23.0.0.2
crypto isakmp key AC address 13.0.0.3
crypto isakmp key AC2 address 23.0.0.3
!
!
crypto ipsec transform-set ESP-T esp-des esp-md5-hmac
!
crypto map ×××-E0/1 10 ipsec-isakmp
set peer 12.0.0.2
set transform-set ESP-T
match address ×××1
crypto map ×××-E0/1 20 ipsec-isakmp
set peer 23.0.0.3
set transform-set ESP-T
match address ×××2
!
crypto map ×××-E0/3 10 ipsec-isakmp
set peer 13.0.0.3
set transform-set ESP-T
match address ×××2
crypto map ×××-E0/3 20 ipsec-isakmp
set peer 23.0.0.2
set transform-set ESP-T
match address ×××1
!
!
!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
no ip address
shutdown
half-duplex
!
interface Ethernet0/1
ip address 12.0.0.1 255.255.255.0
half-duplex
crypto map ×××-E0/1
!
interface Ethernet0/2
no ip address
shutdown
half-duplex
!
interface Ethernet0/3
ip address 13.0.0.1 255.255.255.0
half-duplex
crypto map ×××-E0/3
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
ip http server
no ip http secure-server
!
!
!
!
ip access-list extended ×××1
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended ×××2
permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!
!
!
control-plane
!
!
!
alias exec sb sh run | b r b
alias exec so sh run | b r o
alias exec su sh run | in username
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!
end
R2的配置:
Current configuration : 1859 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
!
!
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key AB2 address 13.0.0.1
crypto isakmp key AB address 12.0.0.1
crypto isakmp key BC address 23.0.0.3
crypto isakmp key BC2 address 13.0.0.3
!
!
crypto ipsec transform-set ESP-T esp-des esp-md5-hmac
!
crypto map ×××-E0/1 10 ipsec-isakmp
set peer 12.0.0.1
set transform-set ESP-T
match address ×××1
crypto map ×××-E0/1 20 ipsec-isakmp
set peer 13.0.0.3
set transform-set ESP-T
match address ×××2
!
crypto map ×××-E0/2 10 ipsec-isakmp
set peer 23.0.0.3
set transform-set ESP-T
match address ×××2
crypto map ×××-E0/2 20 ipsec-isakmp
set peer 13.0.0.1
set transform-set ESP-T
match address ×××1
!
!
!
!
interface Loopback0
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
no ip address
shutdown
half-duplex
!
interface Ethernet0/1
ip address 12.0.0.2 255.255.255.0
half-duplex
crypto map ×××-E0/1
!
interface Ethernet0/2
ip address 23.0.0.2 255.255.255.0
half-duplex
crypto map ×××-E0/2
!
interface Ethernet0/3
no ip address
shutdown
half-duplex
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
ip http server
no ip http secure-server
!
!
!
!
ip access-list extended ×××1
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended ×××2
permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
!
!
!
control-plane
!
!
!
alias exec sb sh run | b r b
alias exec so sh run | b r o
alias exec su sh run | in username
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!
end
R3的配置:
Current configuration : 1859 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
!
!
!
!
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key AC address 13.0.0.1
crypto isakmp key AC2 address 12.0.0.1
crypto isakmp key BC address 23.0.0.2
crypto isakmp key BC2 address 12.0.0.2
!
!
crypto ipsec transform-set ESP-T esp-des esp-md5-hmac
!
crypto map ×××-E0/2 10 ipsec-isakmp
set peer 23.0.0.2
set transform-set ESP-T
match address ×××2
crypto map ×××-E0/2 20 ipsec-isakmp
set peer 12.0.0.1
set transform-set ESP-T
match address ×××1
!
crypto map ×××-E0/3 10 ipsec-isakmp
set peer 13.0.0.1
set transform-set ESP-T
match address ×××1
crypto map ×××-E0/3 20 ipsec-isakmp
set peer 12.0.0.2
set transform-set ESP-T
match address ×××2
!
!
!
!
interface Loopback0
ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/0
no ip address
shutdown
half-duplex
!
interface Ethernet0/1
no ip address
shutdown
half-duplex
!
interface Ethernet0/2
ip address 23.0.0.3 255.255.255.0
half-duplex
crypto map ×××-E0/2
!
interface Ethernet0/3
ip address 13.0.0.3 255.255.255.0
half-duplex
crypto map ×××-E0/3
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
ip http server
no ip http secure-server
!
!
!
!
ip access-list extended ×××1
permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended ×××2
permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
!
!
!
control-plane
!
!
!
alias exec sb sh run | b r b
alias exec so sh run | b r o
alias exec su sh run | in username
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!
end
转载于:https://blog.51cto.com/mgqs007/593952