RRI (Reverse Route Injection)
R1
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 202.100.2.3
!
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
set peer 202.100.2.3
set transform-set cisco
match address 100
reverse-route tag 11
!Reverse route injection is enabled under the crypto map with the command reverse-route tag 11. Entering the command does not change the routing table immediately (the route is injected automatically only after R3 can ping R1; tag 11 means the injected route is automatically tagged with 11, which makes it easy to control this route during redistribution).
!On 12.3 the route is written into the routing table as soon as the peer is known; on 12.4 the route appears only after the tunnel comes up. Adding static at the end of the command makes 12.4 behave like 12.3: the route is added automatically even when the tunnel is not up.
!
!
!
interface Loopback1
ip address 1.1.1.1 255.255.255.0
!
!
interface Serial1/1
ip address 202.100.1.1 255.255.255.0
serial restart-delay 0
crypto map cisco
!
!
ip route 202.100.2.3 255.255.255.255 202.100.1.2
!On R1 add a host route to 202.100.2.3 (the peer's crypto endpoint). No route to the peer's communication endpoint is configured here; that route is injected automatically once the tunnel comes up.
access-list 100 permit ip host 1.1.1.1 host 2.2.2.2
!
R3
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 202.100.1.1
!
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
set peer 202.100.1.1
set transform-set cisco
match address 100
!
!
!
!
!
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
!
interface Serial1/0
ip address 202.100.2.3 255.255.255.0
serial restart-delay 0
crypto map cisco
!
ip route 1.1.1.1 255.255.255.255 202.100.2.2
ip route 202.100.1.1 255.255.255.255 202.100.2.2
!R3 needs routes to both the peer's crypto endpoint and the peer's communication endpoint.
access-list 100 permit ip host 2.2.2.2 host 1.1.1.1
r3#ping 1.1.1.1 source 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 284/336/408 ms
r3#
r1#show ip route 2.2.2.2
Routing entry for 2.2.2.2/32
Known via "static", distance 1, metric 0
Tag 11
Routing Descriptor Blocks:
* 202.100.2.3
Route metric is 0, traffic share count is 1
Route tag 11
r1#
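The output above shows the injected 2.2.2.2/32 route carrying tag 11. The following configuration, added here as an example and not part of the original post, shows what that tag is for: only the RRI routes are redistributed into a dynamic routing protocol on R1, while the untagged underlay host route to 202.100.2.3 stays local. The OSPF process number and the route-map name are assumptions, since the post configures no routing protocol.

```cisco
! Match only routes carrying the tag that reverse-route tag 11 sets
route-map RRI-ONLY permit 10
 match tag 11
!
! Routes that are static but untagged (for example the host route to the
! peer's crypto endpoint 202.100.2.3) fall through to the implicit deny
! of the route-map and are not advertised.
router ospf 1
 redistribute static subnets route-map RRI-ONLY
!
! Verification (assumed commands, standard IOS):
! show ip route 2.2.2.2        -> still shows "Tag 11" on the static entry
! show route-map RRI-ONLY      -> match tag 11, hit count rises when redistributed
```

Because the RRI route only exists while the IPsec SA is up (on 12.4 without the static keyword), the OSPF advertisement for 2.2.2.2/32 appears and disappears together with the tunnel, so downstream routers learn a path to the remote communication endpoint only when the encrypted path actually exists.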
Access control lists that permit the ××× traffic
If an access list is applied on R2, it must permit IKE and ESP between the crypto endpoints.
access-list 101 permit udp host 202.100.1.1 host 202.100.2.3 eq isakmp
access-list 101 permit esp host 202.100.1.1 host 202.100.2.3
!
interface Serial1/0
ip address 202.100.1.2 255.255.255.0
ip access-group 101 in
serial restart-delay 0
!
The ACL on R3 is the same as the one on R2 (12.4).
On 12.3, additionally add permit host 1.1.1.1 host 2.2.2.2 (12.3 also checks the decrypted traffic against the interface ACL).
On 12.4 the decrypted traffic can also be controlled, under the crypto map:
r3(config)#crypto map cisco 10 ipsec-isakmp
r3(config-crypto-map)#set ip access-group 111 in
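The two ACLs described above, written out together as an added example that is not part of the original post: the transit ACL on R2 admits only IKE and ESP between the crypto endpoints, and the crypto-map ACL on R3 (12.4) filters the traffic after decryption. ACL 111 is assumed to permit exactly the communication-endpoint pair the crypto ACL already defines; the post shows the set ip access-group command but not the contents of ACL 111.

```cisco
! --- R2 (transit router), interface facing R1 ---
! Inbound on Serial1/0 only R1->R3 traffic is seen, so one direction suffices.
access-list 101 permit udp host 202.100.1.1 host 202.100.2.3 eq isakmp
access-list 101 permit esp host 202.100.1.1 host 202.100.2.3
! Implicit deny: any cleartext 1.1.1.1 -> 2.2.2.2 packet reaching R2 is dropped,
! so the communication endpoints can only be reached through the tunnel.
interface Serial1/0
 ip address 202.100.1.2 255.255.255.0
 ip access-group 101 in
!
! --- R3 (12.4), decrypted-traffic check at the crypto map ---
! Inbound decrypted packets arrive with source 1.1.1.1 and destination 2.2.2.2.
! ACL 111 contents are an assumption (the post does not list them).
access-list 111 permit ip host 1.1.1.1 host 2.2.2.2
crypto map cisco 10 ipsec-isakmp
 set ip access-group 111 in
!
! Verification (assumed commands, standard IOS):
! show access-lists 101   -> isakmp and esp entries show matches after the ping
! show access-lists 111   -> permit line shows matches only for decrypted packets
```

On 12.3 the decrypted packets are re-checked against the interface ACL on R3, which is why the post says to add a permit for 1.1.1.1 to 2.2.2.2 there; on 12.4 the crypto-map ACL above gives the same control without opening the interface ACL to cleartext traffic between the communication endpoints.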
Reposted from: https://blog.51cto.com/sngyqd/624839