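Lab topology:
Requirements:
The SH company is connected over two uplinks and needs a VPN to the Beijing headquarters (the two uplinks may go to a single ISP or to different ISPs). The lab succeeds when 1.1.1.1 and 2.2.2.2 can reach each other.
Beijing configuration:
This is no different from a conventional IPsec configuration, so it is not explained further.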
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 200.1.1.10
crypto isakmp key cisco address 117.1.1.10
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
crypto map *** 10 ipsec-isakmp
 set peer 200.1.1.10
 set peer 117.1.1.10
 set transform-set cisco
 match address ***
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
interface FastEthernet0/0
 ip address 124.1.1.1 255.255.255.0
 duplex half
 crypto map ***
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip access-list extended ***
 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
SH1 configuration:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 124.1.1.1
! Enable DPD
crypto isakmp keepalive 10
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
crypto map *** 10 ipsec-isakmp
 set peer 124.1.1.1
 set transform-set cisco
 match address ***
 ! Unlike the device-redundancy setup, the static keyword must not be added here.
 ! Once the SA is established, the router pushes the default route into the internal network.
 reverse-route
interface FastEthernet1/0
 ip address 200.1.1.10 255.255.255.0
 duplex half
 crypto map ***
interface FastEthernet3/0
 ip address 10.1.1.10 255.255.255.0
 duplex half
router eigrp 10
 redistribute static
 network 10.1.1.0 0.0.0.255
 no auto-summary
ip route 0.0.0.0 0.0.0.0 FastEthernet1/0
ip access-list extended ***
 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
The SH2 configuration is largely the same as SH1 and is not repeated here.
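The configurations above negotiate 3DES, MD5 and DH group 2 with the pre-shared key `cisco`, which are legacy choices for anything beyond a lab. The following Python script is an added example, not part of the original post; it audits an IOS config for those settings, and the weak-algorithm sets, the `MIN_PSK_LEN` threshold and the `audit` helper are assumptions of this example.

```python
import re

# Constructed sample: the IKE/IPsec lines from the SH1 configuration in this post.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 124.1.1.1
crypto isakmp keepalive 10 // DPD
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
"""

# Assumed audit baseline (not part of the original post).
WEAK_POLICY = {"encr": {"des", "3des"}, "encryption": {"des", "3des"},
               "hash": {"md5"}, "group": {"1", "2", "5"}}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}
MIN_PSK_LEN = 20  # assumed minimum length for a pre-shared key
POLICY_SUBCOMMANDS = set(WEAK_POLICY) | {"authentication", "lifetime"}


def audit(config):
    """Return (location, issue) tuples for legacy IKE/IPsec settings."""
    findings, policy = [], None
    for raw in config.splitlines():
        words = raw.split("//")[0].split()  # drop the post's // annotations
        if not words:
            continue
        line = " ".join(words)
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            policy = "isakmp policy " + m.group(1)
            continue
        if policy and words[0] in POLICY_SUBCOMMANDS and len(words) > 1:
            if words[1] in WEAK_POLICY.get(words[0], ()):
                findings.append((policy, f"legacy {words[0]} {words[1]}"))
            continue
        policy = None  # any other command ends the policy block
        m = re.match(r"crypto isakmp key (\S+) address (\S+)", line)
        if m and len(m.group(1)) < MIN_PSK_LEN:
            findings.append(("isakmp key for " + m.group(2), "short pre-shared key"))
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m:
            findings += [("transform-set " + m.group(1), "legacy " + t)
                         for t in m.group(2).split() if t in WEAK_TRANSFORMS]
    return findings
```

Calling `audit(SAMPLE_CONFIG)` returns six findings: three for the ISAKMP policy, one for the pre-shared key and two for the transform set.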
Results:
Encryption and decryption on the devices:
Reposted from: https://blog.51cto.com/linfengpiaoye/886577