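Lab topology:

Requirements analysis:

The SH company connects to the internet over two links and needs to interconnect with the Beijing headquarters over a VPN (the two links can come from a single ISP or from multiple ISPs). The lab succeeds when 1.1.1.1 and 2.2.2.2 can reach each other.

Beijing configuration:

This is no different from a traditional IPsec configuration, so no special explanation is given.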

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 200.1.1.10
crypto isakmp key cisco address 117.1.1.10

crypto ipsec transform-set cisco esp-3des esp-md5-hmac
crypto map *** 10 ipsec-isakmp
 set peer 200.1.1.10
 set peer 117.1.1.10
 set transform-set cisco
 match address ***

interface Loopback0
 ip address 1.1.1.1 255.255.255.0
interface FastEthernet0/0
 ip address 124.1.1.1 255.255.255.0
 duplex half
 crypto map ***

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

ip access-list extended ***
 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255

SH1 configuration:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 124.1.1.1
! Enable DPD
crypto isakmp keepalive 10

crypto ipsec transform-set cisco esp-3des esp-md5-hmac
crypto map *** 10 ipsec-isakmp
 set peer 124.1.1.1
 set transform-set cisco
 match address ***
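 ! Unlike the device-redundancy setup, the static keyword must not be added here.
 ! Once the SA is established, the router pushes a default route into the internal network.
 reverse-route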

interface FastEthernet1/0
 ip address 200.1.1.10 255.255.255.0
 duplex half
 crypto map ***

interface FastEthernet3/0
 ip address 10.1.1.10 255.255.255.0
 duplex half

router eigrp 10
 redistribute static
 network 10.1.1.0 0.0.0.255
 no auto-summary
ip route 0.0.0.0 0.0.0.0 FastEthernet1/0

ip access-list extended ***
 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255

SH2's configuration is largely the same as SH1's and is not repeated here.
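
The Beijing and SH1 configurations above depend on a few properties lining up across both routers. The following is an added example, not part of the original write-up: a Python check that every `set peer` has a pre-shared key, the Beijing side lists two peers, SH1 has DPD enabled, `reverse-route` is used without `static`, and the crypto ACLs mirror each other. The `hub`/`spoke` labels, the function names and the embedded excerpts are constructed for illustration.

```python
import re

# Constructed excerpts of the Beijing and SH1 configurations shown on this page.
BEIJING = """\
crypto isakmp key cisco address 200.1.1.10
crypto isakmp key cisco address 117.1.1.10
crypto map *** 10 ipsec-isakmp
 set peer 200.1.1.10
 set peer 117.1.1.10
ip access-list extended ***
 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
"""
SH1 = """\
crypto isakmp key cisco address 124.1.1.1
crypto isakmp keepalive 10
crypto map *** 10 ipsec-isakmp
 set peer 124.1.1.1
 reverse-route
ip access-list extended ***
 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
"""

def parse(cfg):
    """Pull out the lines that the dual-link design depends on."""
    return {
        "keys": set(re.findall(r"^crypto isakmp key \S+ address (\S+)", cfg, re.M)),
        "peers": re.findall(r"^ +set peer (\S+)", cfg, re.M),
        "dpd": bool(re.search(r"^crypto isakmp keepalive \d+", cfg, re.M)),
        "rri": re.findall(r"^ +(reverse-route(?: static)?) *$", cfg, re.M),
        "acl": re.findall(r"^ +permit ip (\S+ \S+) (\S+ \S+)", cfg, re.M),
    }

def check(hub_cfg, spoke_cfg):
    """Return a list of findings; an empty list means the pair is consistent."""
    hub, spoke = parse(hub_cfg), parse(spoke_cfg)
    findings = []
    for side, c in (("hub", hub), ("spoke", spoke)):
        for peer in c["peers"]:
            if peer not in c["keys"]:
                findings.append(f"{side}: peer {peer} has no pre-shared key")
    if len(hub["peers"]) < 2:
        findings.append("hub: fewer than two peers, no second link to fail over to")
    if not spoke["dpd"]:
        findings.append("spoke: DPD keepalive missing, dead link not detected")
    if spoke["rri"] != ["reverse-route"]:
        findings.append("spoke: expected reverse-route without the static keyword")
    if sorted(hub["acl"]) != sorted((d, s) for s, d in spoke["acl"]):
        findings.append("crypto ACLs are not mirror images")
    return findings
```

Calling `check(BEIJING, SH1)` on the excerpts as given returns an empty list; removing or altering any of the checked lines produces a finding that names the affected side.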

 

Lab results:

Encryption and decryption on the devices