Environment: three routers connected to each other over serial links
Requirement: router R2 simulates the ISP; establish a ××× between R1 and R3, so that a secure IPSEC ××× links the enterprise's sites in two different locations across the simulated ISP.
Step one: basic interface configuration and connectivity test
R1(config)#int lo0
R1(config-if)#ip add 1.1.1.1 255.255.255.0
R1(config)#int s0/1
R1(config-if)#ip add 12.1.1.1 255.255.255.0
R1(config-if)#no shu
R1(config-if)#router rip
R1(config-router)#version 2
R1(config-router)#no auto-summary
R1(config-router)#net 12.0.0.0
R1(config-router)#net 1.0.0.0
 
ISP(config-line)#int s0/0
ISP(config-if)#ip add 12.1.1.2 255.255.255.0
ISP(config-if)#no shu
ISP(config-if)#int s0/1
ISP(config-if)#ip add 23.1.1.1 255.255.255.0
ISP(config-if)#no shu
ISP(config-if)#router rip
ISP(config-router)#version 2
ISP(config-router)#no auto-summary
ISP(config-router)#net 23.0.0.0
ISP(config-router)#net 12.0.0.0
 
R3(config-line)#int s0/0
R3(config-if)#ip add 23.1.1.2 255.255.255.0
R3(config-if)#no shu
R3(config-if)#int lo0
R3(config-if)#ip add 3.3.3.3 255.255.255.0
R3(config-if)#router rip
R3(config-router)#version 2
R3(config-router)#no auto-summary
R3(config-router)#net 3.0.0.0
R3(config-router)#net 23.0.0.0
 
 
R1#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 168/248/356 ms
R3#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 216/282/404
 
Step two: configure the two IKE phases and apply the crypto map to the interface
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#exit
R1(config)#crypto isakmp key cisco address 3.3.3.3 
R1(config)#crypto ipsec transform-set fuck ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  comp-lzs      IP Compression using the LZS compression algorithm
  esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)
  esp-aes       ESP transform using AES cipher
  esp-des       ESP transform using DES cipher (56 bits)
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-null      ESP transform w/o cipher
  esp-seal      ESP transform using SEAL cipher (160 bits)
  esp-sha-hmac  ESP transform using HMAC-SHA auth
R1(config)#crypto ipsec transform-set fuck esp-sha-hmac esp-3des
R1(cfg-crypto-trans)#exit
R1(config)#access-list 100 per ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
R1(config)#crypto map ccnp ?
  <1-65535>       Sequence to insert into crypto map entry
  client          Specify client configuration settings
  isakmp          Specify isakmp configuration settings
  isakmp-profile  Specify isakmp profile to use
  local-address   Interface to use for local address for this crypto map
  redundancy      High availability options for this map
R1(config)#crypto map ccnp 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R1(config-crypto-map)#set peer 3.3.3.3
R1(config-crypto-map)#set transform-set ccnp
ERROR: transform set with tag "ccnp" does not exist.
R1(config-crypto-map)#set transform-set fuck
R1(config-crypto-map)#match address 100
R1(config-crypto-map)#exit
R1(config-if)#int s0/1
R1(config-if)#crypto map ccnp
R1(config-if)#
*Mar  1 00:14:50.295: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
 
R3(config)#crypto isakmp policy 2
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#exit
R3(config)#crypto isakmp key ?
  0  Specifies an UNENCRYPTED password will follow
  6  Specifies an ENCRYPTED password will follow
R3(config)#crypto isakmp key 0 cisco address 1.1.1.1
R3(config)#crypto ipsec transform-set fuck1 esp-sha-hmac  esp-des
R3(cfg-crypto-trans)#exit
R3(config)#access-list 100 per ip 3.3.3.0 0.0.0.255 1.1.1.0 0.0.0.255
R3(config)#crypto map ccnp 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R3(config-crypto-map)#match address 100
R3(config-crypto-map)#set peer 1.1.1.1
R3(config-crypto-map)#set transform-set fuck1
R3(config-crypto-map)#exit
R3(config)#int s0/0
R3(config-if)#crypto map fuck1
ERROR: Crypto Map with tag "fuck1" does not exist.
R3(config-if)#
R3(config-if)#crypto map ccnp
R3(config-if)#
*Mar  1 00:18:59.655: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
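
The following Python script, an added example rather than part of the original lab, parses constructed excerpts of the R1 and R3 crypto configuration shown above and reports the mismatches that would stop the tunnel from negotiating: differing transform-set proposals, a pre-shared-key address that does not match the configured peer, and crypto ACLs that are not mirror images of each other. It assumes the abbreviated CLI forms are expanded (per -> permit) and one crypto map entry per side; run against this page's configuration it reports that R1 proposes esp-3des while R3 proposes esp-des.

```python
import re

# Constructed excerpts of the two sides' crypto configuration from the sessions above
# (assumption: abbreviated CLI forms expanded, e.g. "per" -> "permit"; nothing else changed).
R1_CFG = """
crypto isakmp key cisco address 3.3.3.3
crypto ipsec transform-set fuck esp-sha-hmac esp-3des
access-list 100 permit ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
crypto map ccnp 1 ipsec-isakmp
 set peer 3.3.3.3
 set transform-set fuck
 match address 100
"""
R3_CFG = """
crypto isakmp key 0 cisco address 1.1.1.1
crypto ipsec transform-set fuck1 esp-sha-hmac esp-des
access-list 100 permit ip 3.3.3.0 0.0.0.255 1.1.1.0 0.0.0.255
crypto map ccnp 1 ipsec-isakmp
 match address 100
 set peer 1.1.1.1
 set transform-set fuck1
"""

def parse(cfg):
    """Extract one side's IPsec policy; assumes a single crypto map entry (true here)."""
    sets = {m[1]: frozenset(m[2].split())
            for m in re.finditer(r"crypto ipsec transform-set (\S+) (.+)", cfg)}
    acls = {}
    for m in re.finditer(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)", cfg):
        acls.setdefault(m[1], set()).add((m[2], m[3], m[4], m[5]))
    return {
        "key_addr": re.search(r"crypto isakmp key (?:\d )?\S+ address (\S+)", cfg)[1],
        "peer": re.search(r"set peer (\S+)", cfg)[1],
        "proposal": sets[re.search(r"set transform-set (\S+)", cfg)[1]],
        "acl": acls[re.search(r"match address (\d+)", cfg)[1]],
    }

def check_pair(cfg_a, cfg_b):
    """Return the mismatches that would keep IKE phase 1 / IPsec phase 2 from completing."""
    a, b = parse(cfg_a), parse(cfg_b)
    issues = []
    for name, side in (("A", a), ("B", b)):
        if side["key_addr"] != side["peer"]:  # key must be bound to the address used as peer
            issues.append(f"{name}: key address {side['key_addr']} != peer {side['peer']}")
    if a["proposal"] != b["proposal"]:  # with one transform set per side, both must match exactly
        issues.append(f"transform-set mismatch: {sorted(a['proposal'])} vs {sorted(b['proposal'])}")
    # each side's crypto ACL must be the exact mirror (src/dst swapped) of the other side's
    if a["acl"] != {(d, dm, s, sm) for s, sm, d, dm in b["acl"]}:
        issues.append("crypto ACLs are not mirror images of each other")
    return issues
```

Call `check_pair(R1_CFG, R3_CFG)`; an empty list means the two policies agree, otherwise each entry names one mismatch to fix before the ping test means anything.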
 
With that in place, we can test it:
R3#ping 1.1.1.1 source 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 144/188/240 ms
 
R1#ping 3.3.3.3 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 120/165/240 ms
With this, the IPSEC ××× between the routers at the two different sites is established.