今天我们来测试下ipsec ***穿越nat技术,网络实验拓扑如下图,

 

1、配置各台路由器的IP地址,并且使用Ping命令确认各路由器的直连口的互通。

R1和R4做ipsec ***  R2做nat设备,R1 lo1 172.16.10.1/24   R4 lo1 172.16.40.1/24,

R1:

crypto isakmp policy 1                                      定义IKE第一阶段的策略
 hash md5
 authentication pre-share


crypto isakmp key cisco address 34.1.1.4          定义预共享的密钥
crypto ipsec transform-set my_trans esp-des       定义IKE第二阶段的策略
crypto map ***_to_R4 10 ipsec-isakmp             定义map做配置汇总
 set peer 34.1.1.4
 set transform-set my_trans
 match address 100                                            匹配上访问列表100

ip route 0.0.0.0 0.0.0.0 12.1.1.2          

access-list 100 permit ip 172.16.10.0 0.0.0.255 172.16.40.0 0.0.0.255    定义感兴趣的数据流

interface Serial1/0
 ip address 12.1.1.1 255.255.255.0
 serial restart-delay 0
 crypto map ***_to_R4                                     在此接口调用map

同理R4做类似的配置,

crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key cisco address 23.1.1.2


crypto ipsec transform-set my_trans esp-des

crypto map ***_to_R1 10 ipsec-isakmp
 set peer 23.1.1.2
 set transform-set my_trans
 match address 100

ip route 0.0.0.0 0.0.0.0 34.1.1.3

access-list 100 permit ip 172.16.40.0 0.0.0.255 172.16.10.0 0.0.0.255

interface Serial1/2
 ip address 34.1.1.4 255.255.255.0
 serial restart-delay 0
 crypto map ***_to_R1

在R2上做nat配置

interface Serial1/0
 ip address 12.1.1.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 serial restart-delay 0

interface Serial1/1
 ip address 23.1.1.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 serial restart-delay 0

ip nat inside source list 1 interface Serial1/1 overload
ip route 0.0.0.0 0.0.0.0 23.1.1.3
ip route 172.16.10.0 255.255.255.0 12.1.1.1

接下来我们来测试下内网互通性,

 

可以看到已经通了,我们再来抓包看下,