(1.1.1.1)R1(S1/1:12.12.12.1)-----------------(S1/0:12.12.12.2)R2(S1/1:23.23.23.2)------------------(S1/0:23.23.3)R3(3.3.3.3)
ISAKMP Profile(1):映射isakmp参数到ipsec隧道,主要用于vrf ***,证书认证管理,ipsec/Qos配置。
ISAKMP Profile(2):用于一个设备和不同站点配置多个ipsec隧道,并且每个站点需要不同的第一阶段策略的场合。
R1#sh running-config
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 23.23.23.3
!
!
crypto ipsec transform-set wk esp-des esp-md5-hmac
!
crypto map *** 10 ipsec-isakmp
set peer 23.23.23.3
set transform-set wk
match address 101!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Serial1/1
ip address 12.12.12.1 255.255.255.0
serial restart-delay 0
crypto map ***
!
!
ip route 0.0.0.0 0.0.0.0 12.12.12.2
!
!
access-list 101 permit ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
R2#sh running-config
interface Serial1/0
ip address 12.12.12.2 255.255.255.0
serial restart-delay 0
!
interface Serial1/1
ip address 23.23.23.2 255.255.255.0
serial restart-delay 0
!
!
R3#sh running-config
crypto keyring ll
pre-shared-key address 12.12.12.1 key cisco
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp profile isp
keyring ll
match identity address 12.12.12.1 255.255.255.255
!
!
crypto ipsec transform-set wk esp-des esp-md5-hmac
!
crypto map *** 10 ipsec-isakmp
set peer 12.12.12.1
set transform-set wk
set isakmp-profile isp
match address 101
!
!
interface Loopback0
ip address 3.3.3.3 255.255.255.0
!
!
interface Serial1/0
ip address 23.23.23.3 255.255.255.0
serial restart-delay 0
crypto map ***
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 23.23.23.2
!
!
access-list 101 permit ip 3.3.3.0 0.0.0.255 1.1.1.0 0.0.0.255
转载于:https://blog.51cto.com/2974159/798035