Multi-site IPSec VPN configuration example
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#hash sha
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config)#crypto isakmp key 0 baba-001 address 102.0.0.1
R1(config)#access-list 102 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
R1(config)#crypto ipsec transform-set baba-set esp-des esp-sha-hmac
R1(cfg-crypto-trans)#exit
R1(config)#crypto map baba-map 1 ipsec-isakmp
R1(config-crypto-map)#set peer 102.0.0.1
R1(config-crypto-map)#set transform-set baba-set
R1(config-crypto-map)#match address 102
R1(config)#interface f0/0
R1(config-if)#crypto map baba-map
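Configure the IPSec VPN between R1 and R2
Add the R1-R3 pre-shared key
Add the R1-R3 crypto ACL
Configure a new crypto map entry; it must use the same map name but a different sequence number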
R1(config)#crypto isakmp key 0 baba-002 address 103.0.0.1
R1(config)#access-list 103 permit ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
R1(config)#crypto map baba-map 2 ipsec-isakmp
R1(config-crypto-map)#set peer 103.0.0.1
R1(config-crypto-map)#set transform-set baba-set
R1(config-crypto-map)#match address 103
Key configuration on R2 and R3
R2(config)#crypto isakmp key 0 baba-001 address 101.0.0.1
R2(config)#access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
R2(config)#crypto map baba-map 2 ipsec-isakmp
R2(config-crypto-map)#set peer 101.0.0.1
R2(config-crypto-map)#set transform-set baba-set
R2(config-crypto-map)#match address 101
R3(config)#crypto isakmp key 0 baba-002 address 101.0.0.1
R3(config)#access-list 101 permit ip 10.3.3.0 0.0.0.255 10.1.1.0 0.0.0.255
R3(config)#crypto map baba-map 2 ipsec-isakmp
R3(config-crypto-map)#set peer 101.0.0.1
R3(config-crypto-map)#set transform-set baba-set
R3(config-crypto-map)#match address 101
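An added example, not part of the original post: a Python check that both ends of each tunnel agree, meaning the pre-shared key configured for a peer is the same on both routers and the crypto ACLs mirror each other. The router addresses in ADDR are inferred from the set peer statements above, and parse and audit are names chosen for this example.

```python
# Added example: only the commands the check reads, copied from the page.
ADDR = {"R1": "101.0.0.1", "R2": "102.0.0.1", "R3": "103.0.0.1"}  # inferred
CONFIGS = {
    "R1": """crypto isakmp key 0 baba-001 address 102.0.0.1
crypto isakmp key 0 baba-002 address 103.0.0.1
access-list 102 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 103 permit ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
set peer 102.0.0.1
match address 102
set peer 103.0.0.1
match address 103""",
    "R2": """crypto isakmp key 0 baba-001 address 101.0.0.1
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
set peer 101.0.0.1
match address 101""",
    "R3": """crypto isakmp key 0 baba-002 address 101.0.0.1
access-list 101 permit ip 10.3.3.0 0.0.0.255 10.1.1.0 0.0.0.255
set peer 101.0.0.1
match address 101""",
}

def parse(text):
    """Return ({peer_ip: psk}, {acl: (src, dst)}, [(peer_ip, acl), ...])."""
    keys, acls, entries, peer = {}, {}, [], None
    for w in (line.split() for line in text.splitlines()):
        if w[:3] == ["crypto", "isakmp", "key"] and len(w) == 7:
            keys[w[6]] = w[4]
        elif w[:1] == ["access-list"] and len(w) == 8:
            acls[w[1]] = (tuple(w[4:6]), tuple(w[6:8]))
        elif w[:2] == ["set", "peer"]:
            peer = w[2]
        elif w[:2] == ["match", "address"]:  # closes one crypto map entry
            entries.append((peer, w[2]))
    return keys, acls, entries

def audit(configs, addr):
    """Compare each crypto map entry with the peer's key and crypto ACL."""
    parsed = {r: parse(t) for r, t in configs.items()}
    name = {ip: r for r, ip in addr.items()}
    problems = []
    for r, (keys, acls, entries) in parsed.items():
        for peer_ip, acl in entries:
            pkeys, pacls, pentries = parsed[name[peer_ip]]
            if keys.get(peer_ip) is None or keys[peer_ip] != pkeys.get(addr[r]):
                problems.append(f"{r}->{name[peer_ip]}: pre-shared key mismatch")
            src, dst = acls.get(acl, (None, None))
            if (dst, src) not in [pacls.get(a) for ip, a in pentries if ip == addr[r]]:
                problems.append(f"{r}->{name[peer_ip]}: crypto ACL not mirrored")
    return problems
```

audit(CONFIGS, ADDR) returns an empty list when every tunnel end agrees with its peer. A key line that does not parse, for example one missing the space before address, is reported as a key mismatch on both sides.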
Configure routing
R1(config)#ip route 0.0.0.0 0.0.0.0 F0/0
R2(config)#ip route 0.0.0.0 0.0.0.0 F0/0
R3(config)#ip route 0.0.0.0 0.0.0.0 F0/0
Reposted from: https://blog.51cto.com/13562306/2070516