Today we test IPsec *** NAT traversal (the product term is masked as *** in the original post). The lab topology is given as a figure in the original, which is not reproduced here; reconstructed from the configurations it is R1 Serial1/0 12.1.1.1 - R2 Serial1/0 12.1.1.2 / Serial1/1 23.1.1.2 - R3 23.1.1.3 / 34.1.1.3 - R4 Serial1/2 34.1.1.4, all /24.
1. Configure the IP addresses on every router and use ping to confirm that each pair of directly connected interfaces can reach each other.
R1 and R4 are the IPsec *** endpoints and R2 is the NAT device. R1 has Loopback1 172.16.10.1/24 and R4 has Loopback1 172.16.40.1/24; the loopbacks stand in for the two private LANs. R3 is a plain transit router and its configuration is not shown.
R1:
crypto isakmp policy 1          defines the IKE phase 1 policy (encryption and group are not set, so the IOS defaults of DES and Diffie-Hellman group 1 apply)
hash md5                        phase 1 hash; it is also the hash used for the NAT-D payloads that detect the NAT
authentication pre-share
crypto isakmp key cisco address 34.1.1.4        pre-shared key, bound to R4's real address
crypto ipsec transform-set my_trans esp-des     phase 2 (IPsec) proposal: ESP only, which is what NAT-T can carry (AH would fail, since it authenticates the IP header that R2 rewrites); esp-des gives no integrity protection at all
crypto map ***_to_R4 10 ipsec-isakmp            crypto map tying the pieces together
set peer 34.1.1.4
set transform-set my_trans
match address 100               matches access list 100
ip route 0.0.0.0 0.0.0.0 12.1.1.2
access-list 100 permit ip 172.16.10.0 0.0.0.255 172.16.40.0 0.0.0.255      defines the interesting traffic
interface Serial1/0
ip address 12.1.1.1 255.255.255.0
serial restart-delay 0
crypto map ***_to_R4            applies the map on this interface
These are lab settings only: md5, DES and group 1 are all deprecated. For anything real use encryption aes 256, hash sha256 and group 14 or higher in the policy, and a transform set such as esp-aes 256 esp-sha256-hmac, on both routers.
R4 is configured the same way, except that its peer and pre-shared key are bound to 23.1.1.2, R2's outside address, because after PAT that is the source address R4 sees (with main mode and pre-shared keys the peer is identified by that address):
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key cisco address 23.1.1.2        key bound to R2's outside address, not to 12.1.1.1
crypto ipsec transform-set my_trans esp-des
crypto map ***_to_R1 10 ipsec-isakmp
set peer 23.1.1.2               the peer as seen from R4 is R2's outside address
set transform-set my_trans
match address 100
ip route 0.0.0.0 0.0.0.0 34.1.1.3
access-list 100 permit ip 172.16.40.0 0.0.0.255 172.16.10.0 0.0.0.255
interface Serial1/2
ip address 34.1.1.4 255.255.255.0
serial restart-delay 0
crypto map ***_to_R1
NAT configuration on R2:
interface Serial1/0
ip address 12.1.1.2 255.255.255.0
ip nat inside                   R1 side
ip virtual-reassembly in        added automatically by IOS when NAT is enabled on an interface
serial restart-delay 0
interface Serial1/1
ip address 23.1.1.2 255.255.255.0
ip nat outside                  R3/R4 side
ip virtual-reassembly in
serial restart-delay 0
ip nat inside source list 1 interface Serial1/1 overload      PAT: traffic matching access-list 1 is translated to 23.1.1.2 with a per-flow port. access-list 1 is not shown in the original post; it must at least permit R1's WAN address 12.1.1.1, which is the source of the IKE and encapsulated ESP packets (the tunnelled traffic is never seen by R2 with a 172.16.10.0/24 source)
ip route 0.0.0.0 0.0.0.0 23.1.1.3
ip route 172.16.10.0 255.255.255.0 12.1.1.1     not needed for the tunnel itself, since R2 only ever forwards the encapsulated packets from 12.1.1.1; harmless
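How R4 finds out that R1 sits behind R2, as an added Python example (not part of the original post and not Cisco code): it computes the RFC 3947 NAT-D hashes with the lab's phase 1 hash (md5) over the three addresses in the configs and replays main mode messages 3 and 4 with R2 rewriting 12.1.1.1 to 23.1.1.2. The ISAKMP cookies and the translated source port (500, the port IOS PAT keeps when it is free) are assumptions.

```python
import hashlib
import ipaddress
import struct

# Addresses from the lab configs. The translated source port is an assumption:
# IOS PAT keeps the original port when it is free, so 500 is the usual case,
# and the detection result is the same for any other port R2 might pick.
R1_WAN = ("12.1.1.1", 500)   # R1 Serial1/0, the real source of the IKE packets
R2_OUT = ("23.1.1.2", 500)   # R2 Serial1/1, what R4 sees after "overload" PAT
R4_WAN = ("34.1.1.4", 500)   # R4 Serial1/2

# Constructed ISAKMP cookies (8 bytes each); real ones are random per negotiation.
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")


def nat_d(cky_i, cky_r, ip, port, hash_name="md5"):
    """RFC 3947 NAT-D value: HASH(CKY-I | CKY-R | IP | Port) with IP and port in
    network byte order. HASH is the phase 1 hash, "hash md5" in this lab."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def nat_d_payloads(cky_i, cky_r, local, remote, hash_name="md5"):
    """The NAT-D payloads a peer puts in its message: first the remote
    (destination) address:port as it believes it to be, then its own."""
    return [nat_d(cky_i, cky_r, *remote, hash_name=hash_name),
            nat_d(cky_i, cky_r, *local, hash_name=hash_name)]


def detect_nat(cky_i, cky_r, payloads, pkt_src, pkt_dst, hash_name="md5"):
    """Receiver side: recompute the hashes from the addresses actually on the
    wire and compare with what the peer sent. A mismatch means a NAT rewrote
    that address somewhere in between."""
    remote_hash, *local_hashes = payloads
    return {
        # The peer hashed our address as it saw it. If that is not the
        # destination address we really have, we are the one behind a NAT.
        "self_behind_nat": nat_d(cky_i, cky_r, *pkt_dst, hash_name=hash_name) != remote_hash,
        # The peer hashed its own address(es). If the source we see is not
        # among them, the peer is behind a NAT.
        "peer_behind_nat": nat_d(cky_i, cky_r, *pkt_src, hash_name=hash_name) not in local_hashes,
    }


def lab_exchange(hash_name="md5"):
    """Main mode messages 3 and 4 of the lab: R1 initiates to 34.1.1.4 and
    R2 rewrites the source 12.1.1.1 to 23.1.1.2 on the way."""
    # Message 3, R1 -> R4. R1 only knows its own address, 12.1.1.1.
    r1_sends = nat_d_payloads(CKY_I, CKY_R, local=R1_WAN, remote=R4_WAN, hash_name=hash_name)
    # R4 receives it with source 23.1.1.2.
    at_r4 = detect_nat(CKY_I, CKY_R, r1_sends, pkt_src=R2_OUT, pkt_dst=R4_WAN, hash_name=hash_name)
    # Message 4, R4 -> R1. R4 answers to the address it saw; R2 maps it back to 12.1.1.1.
    r4_sends = nat_d_payloads(CKY_I, CKY_R, local=R4_WAN, remote=R2_OUT, hash_name=hash_name)
    at_r1 = detect_nat(CKY_I, CKY_R, r4_sends, pkt_src=R4_WAN, pkt_dst=R1_WAN, hash_name=hash_name)
    nat_present = at_r4["peer_behind_nat"] or at_r4["self_behind_nat"]
    return {
        "R4": at_r4,
        "R1": at_r1,
        # Once either side is flagged, IKE and ESP move to UDP 4500 (RFC 3948).
        "udp_port_after_detection": 4500 if nat_present else 500,
        # Only the side behind the NAT has to send keepalives to hold the PAT entry.
        "keepalive_sender": "R1" if at_r1["self_behind_nat"] else None,
    }


def no_nat_exchange(hash_name="md5"):
    """Control case with no NAT between the peers: nothing is flagged."""
    sends = nat_d_payloads(CKY_I, CKY_R, local=R1_WAN, remote=R4_WAN, hash_name=hash_name)
    return detect_nat(CKY_I, CKY_R, sends, pkt_src=R1_WAN, pkt_dst=R4_WAN, hash_name=hash_name)


if __name__ == "__main__":
    print(lab_exchange())
    print(no_nat_exchange())
```

Running it, R4's entry shows peer_behind_nat True while R1's shows self_behind_nat True: R1 learns it is the NATed side, which is why R1 and not R4 has to send the keepalives, and why R1 is the only one that can bring the tunnel up through R2's dynamic PAT.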
Next, test connectivity between the two private networks. The ping has to be sourced from the loopback (on R1: ping 172.16.40.1 source 172.16.10.1); a ping sourced from 12.1.1.1 does not match access-list 100 and is sent in the clear. The first reply or two may be lost while IKE negotiates.
The ping succeeds (the original shows screenshots of the ping and of the capture, which are not reproduced here). What the capture on the R2-R3 link shows: IKE phase 1 starts on UDP 500; in main mode messages 3 and 4 the two routers exchange NAT-D payloads (RFC 3947), hashes of the addresses and ports each believes it is using; R4 sees the packet arrive from 23.1.1.2 instead of 12.1.1.1, the hash does not match, and both sides learn that R1 is behind a NAT. From message 5 on IKE moves to UDP 4500, and the ESP packets are carried inside UDP 4500 as well (RFC 3948). Plain ESP (IP protocol 50) has no port numbers for PAT to work with; the UDP wrapper gives R2 something to translate. NAT-T is on by default in IOS (crypto ipsec nat-transparency udp-encapsulation). NAT keepalives are not: configure crypto isakmp nat keepalive 20 on R1, the side behind the NAT, so R2's PAT entry does not time out while the tunnel is idle. Checks: show crypto isakmp sa on R4 lists the peer as 23.1.1.2; show crypto ipsec sa reports the SA as UDP-encapsulated; show ip nat translations on R2 shows UDP entries for ports 500 and 4500 between 12.1.1.1 and 23.1.1.2. Two limits of this setup: only R1 can initiate, because R4 has no way to reach 12.1.1.1 through a dynamic PAT; and with main mode the pre-shared key on R4 is tied to 23.1.1.2, so every peer behind R2 would be identified by the same address and key.
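A decoder for what such a capture contains, added here as an example and not the original post's capture: it demultiplexes UDP 500 and UDP 4500 payloads into IKE (non-ESP marker), UDP-encapsulated ESP and NAT keepalives as RFC 3948 defines them, and parses the ISAKMP header so the exchange type is visible. The five packets are constructed to mirror the sequence described above; the cookies, SPI and ciphertext are made up.

```python
import struct

# ISAKMP header: CKY-I, CKY-R, next payload, version, exchange type, flags, message id, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
EXCHANGE_NAMES = {2: "main mode", 4: "aggressive mode", 5: "informational", 32: "quick mode"}
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 3.2: IKE on port 4500 is prefixed with 4 zero bytes;
                                        # SPI 0 is reserved, so this never collides with ESP
NAT_KEEPALIVE = b"\xff"                 # RFC 3948 4: a single 0xFF byte from the peer behind the NAT


def parse_isakmp(data):
    """Decode the fixed 28-byte ISAKMP header."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    cky_i, cky_r, _next_payload, ver, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(data)
    return {"cky_i": cky_i.hex(), "cky_r": cky_r.hex(),
            "version": f"{ver >> 4}.{ver & 0xF}",
            "exchange": EXCHANGE_NAMES.get(exch, f"type {exch}"),
            "encrypted": bool(flags & 0x01),   # E bit: payloads after the header are encrypted
            "msg_id": msg_id, "length": length}


def classify_udp(dst_port, payload):
    """Classify one UDP payload as it would appear on the R2-R3 link."""
    if dst_port == 500:
        return {"kind": "IKE", "transport": "udp/500", **parse_isakmp(payload)}
    if dst_port != 4500:
        return {"kind": "not IPsec", "transport": f"udp/{dst_port}"}
    if payload == NAT_KEEPALIVE:
        return {"kind": "NAT-T keepalive", "transport": "udp/4500"}
    if payload.startswith(NON_ESP_MARKER):
        return {"kind": "IKE", "transport": "udp/4500 (NAT-T)", **parse_isakmp(payload[4:])}
    if len(payload) < 8:
        raise ValueError("short ESP header")
    spi, seq = struct.unpack_from("!II", payload)   # ESP header follows the UDP header directly
    return {"kind": "ESP-in-UDP", "transport": "udp/4500 (NAT-T)",
            "spi": spi, "seq": seq, "ciphertext_len": len(payload) - 8}


def isakmp_hdr(exchange, msg_id=0, flags=0, body=b""):
    """Build a constructed ISAKMP header (IKEv1, version 1.0, next payload SA)."""
    return ISAKMP_HDR.pack(bytes.fromhex("0011223344556677"), bytes.fromhex("8899aabbccddeeff"),
                           1, 0x10, exchange, flags, msg_id, ISAKMP_HDR.size + len(body)) + body


# Constructed packets, not a real capture, in the order the lab produces them.
CAPTURE = [
    (500, isakmp_hdr(2)),                                                    # main mode msg 1, before NAT detection
    (4500, NON_ESP_MARKER + isakmp_hdr(2, flags=0x01)),                      # main mode msg 5, already moved to 4500
    (4500, NON_ESP_MARKER + isakmp_hdr(32, msg_id=0x1234ABCD, flags=0x01)),  # quick mode (phase 2)
    (4500, struct.pack("!II", 0x5C3E8F01, 1) + b"\x00" * 64),                # ESP in UDP: SPI, seq 1, dummy ciphertext
    (4500, NAT_KEEPALIVE),                                                   # keepalive from R1 via R2
]


def summarize(capture=CAPTURE):
    return [classify_udp(port, data) for port, data in capture]


if __name__ == "__main__":
    for entry in summarize():
        print(entry)
```

Anything that does not start with the four zero bytes on port 4500 is ESP; the SPI and sequence number are in the clear, which is what lets R2's PAT and a capture on the link keep track of the flow even though the payload is encrypted.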
Reposted from: https://blog.51cto.com/huaxin/886599