RRI (Reverse Route Injection)

R1

!

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 202.100.2.3
!
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
 set peer 202.100.2.3
 set transform-set cisco
 match address 100
 reverse-route tag 11
! Reverse route injection is configured under the crypto map with the command reverse-route tag 11. Entering the command does not change the routing table immediately: the route is injected automatically only after R3 pings R1. tag 11 means the injected route is automatically marked with tag 11, which makes it easy to control this route through redistribution.
! In IOS 12.3 the route is written into the routing table as soon as the peer is known; in 12.4 the route exists only once the tunnel is up. If static is appended to the command, it behaves like 12.3: the route is added automatically even when the tunnel is not up.
!
!
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.0
!
!
interface Serial1/1
 ip address 202.100.1.1 255.255.255.0
 serial restart-delay 0
 crypto map cisco
!
!
ip route 202.100.2.3 255.255.255.255 202.100.1.2
! On R1, add a host route to 202.100.2.3 (the remote crypto endpoint). No route to the remote communication point is configured here; that route is injected automatically once the tunnel comes up.
access-list 100 permit ip host 1.1.1.1 host 2.2.2.2

!

R3

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 202.100.1.1
!
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
 set peer 202.100.1.1
 set transform-set cisco
 match address 100
!
!
!
!
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
!
interface Serial1/0
 ip address 202.100.2.3 255.255.255.0
 serial restart-delay 0
 crypto map cisco
!
ip route 1.1.1.1 255.255.255.255 202.100.2.2
ip route 202.100.1.1 255.255.255.255 202.100.2.2
! R3 needs routes to both the remote crypto endpoint and the remote communication point.
access-list 100 permit ip host 2.2.2.2 host 1.1.1.1


r3#ping 1.1.1.1 source 2.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 284/336/408 ms
r3#

r1#show ip route 2.2.2.2
Routing entry for 2.2.2.2/32
  Known via "static", distance 1, metric 0
  Tag 11
  Routing Descriptor Blocks:
  * 202.100.2.3
      Route metric is 0, traffic share count is 1
      Route tag 11

r1#
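The route that appears in R1's table above is derived mechanically from the crypto map and the crypto ACL. The following Python script, added here as an illustration and not taken from the page or from IOS, models that derivation: it parses R1's crypto map and ACL 100 (copied from the configuration above) and reports which static route RRI injects, with which next hop and tag, under the three behaviours the note describes (IOS 12.3, IOS 12.4, and 12.4 with static appended to reverse-route). The release strings and the SA-up flag are inputs to the model, not anything IOS exposes in this form.

```python
"""Simplified model of Cisco IOS reverse route injection (RRI).

Added example for this page; it is not IOS code. It parses R1's crypto map
and crypto ACL (copied from the configuration above) and works out which
static route RRI injects, under the behaviours the note describes:
IOS 12.3, IOS 12.4, and 12.4 with `reverse-route static`.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# R1's crypto map and crypto ACL, copied from the configuration on this page.
R1_CONFIG = """\
crypto map cisco 10 ipsec-isakmp
 set peer 202.100.2.3
 set transform-set cisco
 match address 100
 reverse-route tag 11
access-list 100 permit ip host 1.1.1.1 host 2.2.2.2
"""


@dataclass(frozen=True)
class Route:
    prefix: str         # destination, e.g. "2.2.2.2/32" (remote communication point)
    next_hop: str       # the IPsec peer (remote crypto endpoint)
    tag: Optional[int]  # value of `reverse-route tag N`, or None


def wildcard_to_prefix(addr: str, wildcard: str) -> str:
    """Convert an ACL `address wildcard` pair into CIDR (wildcard = inverted mask)."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    prefixlen = bin(mask).count("1")
    return str(ipaddress.IPv4Network(f"{addr}/{prefixlen}", strict=False))


def acl_destinations(config: str, acl_number: str) -> list[str]:
    """Destination prefixes of every permit entry in the crypto ACL (the remote side)."""
    dests = []
    for m in re.finditer(rf"^access-list {acl_number} permit \S+ (.*)$", config, re.M):
        tokens = m.group(1).split()
        i = 1 if tokens[0] == "any" else 2          # skip the source part
        rest = tokens[i:]
        if rest[0] == "host":
            dests.append(f"{rest[1]}/32")
        elif rest[0] == "any":
            dests.append("0.0.0.0/0")
        else:
            dests.append(wildcard_to_prefix(rest[0], rest[1]))
    return dests


def parse_crypto_map(config: str) -> dict:
    """Peer, crypto ACL number and reverse-route options of the crypto map entry."""
    peer = re.search(r"^\s*set peer (\S+)", config, re.M).group(1)
    acl = re.search(r"^\s*match address (\S+)", config, re.M).group(1)
    rr = re.search(r"^\s*reverse-route(.*)$", config, re.M)
    opts = rr.group(1).split() if rr else []
    tag = int(opts[opts.index("tag") + 1]) if "tag" in opts else None
    return {"peer": peer, "acl": acl, "rri": rr is not None,
            "static": "static" in opts, "tag": tag}


def injected_routes(config: str, ios: str, sa_up: bool) -> list[Route]:
    """Routes RRI places in the routing table.

    Following the note: 12.3 injects as soon as the peer is known; 12.4 injects
    only once the IPsec SA is up, unless `reverse-route static` is configured.
    The next hop is the peer, the destination is the remote side of the crypto
    ACL, and the route carries the configured tag.
    """
    cm = parse_crypto_map(config)
    if not cm["rri"]:
        return []
    if not (ios.startswith("12.3") or cm["static"] or sa_up):
        return []
    return [Route(d, cm["peer"], cm["tag"])
            for d in acl_destinations(config, cm["acl"])]


if __name__ == "__main__":
    for ios, sa_up in (("12.3", False), ("12.4", False), ("12.4", True)):
        state = "SA up" if sa_up else "SA down"
        print(ios, state, injected_routes(R1_CONFIG, ios, sa_up))
```

With the 12.4 behaviour and the SA down the model returns no route, which is why the note says the table does not change when the command is entered; once the SA is up (or on 12.3, or with static) it returns 2.2.2.2/32 via 202.100.2.3 with tag 11, matching the show ip route output above.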


Permitting the ××× through an access control list

If an access control list is applied on R2, it must permit IKE and ESP between the crypto endpoints:

access-list 101 permit udp host 202.100.1.1 host 202.100.2.3 eq isakmp
access-list 101 permit esp host 202.100.1.1 host 202.100.2.3
!
interface Serial1/0
 ip address 202.100.1.2 255.255.255.0
 ip access-group 101 in
 serial restart-delay 0
!

The ACL on R3 is the same as on R2 (12.4).
12.3: additionally permit host 1.1.1.1 host 2.2.2.2 (12.3 also checks the traffic after decryption).
Under 12.4 the decrypted traffic can be controlled as well, under the crypto map:

r3(config)#crypto map cisco 10 ipsec-isakmp
r3(config-crypto-map)#set ip access-group 111 in
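The difference between 12.3 and 12.4 described above is easy to get wrong when writing the endpoint ACL. The Python script below is an added example (not from the page or from IOS) that evaluates ACL 101 from the note with IOS first-match semantics and the implicit deny, then models the inbound decision at the crypto endpoint: the ESP packet passes the interface ACL, and the decrypted inner packet is either re-checked against the same interface ACL (12.3) or checked against a separate ACL bound under the crypto map with set ip access-group 111 in (12.4). The contents of ACL 111 are not given on the page; the one-line deny ACL in the usage is a constructed placeholder.

```python
"""Model of how an interface ACL at the crypto endpoint treats IPsec traffic.

Added example for this page (not IOS code). It evaluates the ACL from the note
with IOS first-match semantics and an implicit deny, then reproduces the
behaviour difference the note describes between IOS 12.3 and 12.4.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ACL 101 exactly as applied inbound on Serial1/0 in the note above (the note says
# R3 uses the same ACL as R2 under 12.4).
ENDPOINT_ACL_124 = [
    "access-list 101 permit udp host 202.100.1.1 host 202.100.2.3 eq isakmp",
    "access-list 101 permit esp host 202.100.1.1 host 202.100.2.3",
]
# The extra line the note says IOS 12.3 needs, because it also checks decrypted traffic.
ENDPOINT_ACL_123 = ENDPOINT_ACL_124 + ["access-list 101 permit ip host 1.1.1.1 host 2.2.2.2"]

PORT_NAMES = {"isakmp": 500}  # IOS keyword used in the note for UDP/500


@dataclass(frozen=True)
class Packet:
    proto: str                  # "udp", "esp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


def _parse_addr(tokens, i):
    """Parse `host A`, `any` or `A wildcard` at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    prefixlen = 32 - bin(wildcard).count("1")
    return ipaddress.IPv4Network(f"{tokens[i]}/{prefixlen}", strict=False), i + 2


def parse_ace(line: str) -> dict:
    """access-list <n> <permit|deny> <proto> <src> <dst> [eq <port>]"""
    t = line.split()
    action, proto = t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def _matches(ace: dict, pkt: Packet) -> bool:
    return (ace["proto"] in ("ip", pkt.proto)
            and ipaddress.IPv4Address(pkt.src) in ace["src"]
            and ipaddress.IPv4Address(pkt.dst) in ace["dst"]
            and (ace["dport"] is None or ace["dport"] == pkt.dport))


def evaluate(acl_lines: list[str], pkt: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if _matches(ace, pkt):
            return ace["action"]
    return "deny"


def endpoint_inbound(ios: str, interface_acl: list[str], esp_pkt: Packet,
                     inner_pkt: Packet, crypto_map_acl: Optional[list[str]] = None) -> str:
    """Inbound decision at the crypto endpoint for one ESP packet and its decrypted payload.

    The ESP packet always goes through the interface ACL. On 12.3 the decrypted inner
    packet is checked against the same interface ACL again; on 12.4 it is not, but an
    ACL bound with `set ip access-group ... in` under the crypto map is applied instead.
    """
    if evaluate(interface_acl, esp_pkt) != "permit":
        return "deny"
    if ios.startswith("12.3"):
        return evaluate(interface_acl, inner_pkt)
    if crypto_map_acl is not None:
        return evaluate(crypto_map_acl, inner_pkt)
    return "permit"


if __name__ == "__main__":
    esp = Packet("esp", "202.100.1.1", "202.100.2.3")
    inner = Packet("icmp", "1.1.1.1", "2.2.2.2")          # the decrypted ping from R1
    acl111 = ["access-list 111 deny ip host 1.1.1.1 host 2.2.2.2"]   # constructed placeholder
    print("12.4, interface ACL only:", endpoint_inbound("12.4", ENDPOINT_ACL_124, esp, inner))
    print("12.3, same ACL:", endpoint_inbound("12.3", ENDPOINT_ACL_124, esp, inner))
    print("12.3, with extra permit:", endpoint_inbound("12.3", ENDPOINT_ACL_123, esp, inner))
    print("12.4, crypto-map ACL 111:", endpoint_inbound("12.4", ENDPOINT_ACL_124, esp, inner, acl111))
```

The model shows why the note adds permit ip host 1.1.1.1 host 2.2.2.2 for 12.3: with only the IKE and ESP lines, the ESP packet is accepted but the decrypted ping is dropped by the implicit deny on the second pass.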