An ISAKMP profile is used when a headquarters router runs IPsec VPN tunnels to several sites and needs a different IKE phase 1 policy and pre-shared key for each branch: the profile ties the peer's identity to its own keyring instead of relying on one global key table.

The topology is as follows (the diagram is not reproduced; from the configurations, the hub has 23.1.1.2 outside and 192.168.1.0/24 inside, R4 has 34.1.1.4 and 192.168.4.0/24, and R5 has 35.1.1.5 and 192.168.5.0/24):

Here are the configurations of the hub (called R2 in the original, matching its 23.1.1.2 / 192.168.1.2 addresses, but labelled R1 below) and of the spokes R4 and R5, as posted:

R1:

 

 

!

!

!

!

!

crypto keyring keyring                          //keyring holding the pre-shared key for peer R4 (the keyring itself is named "keyring")

  pre-shared-key address 34.1.1.4 key cisco

crypto keyring r5keyring 

  pre-shared-key address 35.1.1.5 key cisco

!

crypto isakmp policy 10                        //policy 10 is the phase 1 policy used with R4

 encr 3des

 hash md5 

 authentication pre-share

 group 2

!

crypto isakmp policy 20                       //policy 20 is the phase 1 policy used with R5

 authentication pre-share                     //only authentication is set, so encryption, hash and DH group fall back to the IOS defaults (DES, SHA, group 1)

crypto isakmp profile r4profile              //profile used to establish IKE with R4

   keyring keyring                           //bind the keyring that holds R4's key

   match identity address 34.1.1.4 255.255.255.255     //match identity selects this profile when the peer is 34.1.1.4

crypto isakmp profile r5profile

   keyring r5keyring

   match identity address 35.1.1.5 255.255.255.255 

!

!

crypto ipsec transform-set set esp-des esp-md5-hmac 

!

!

crypto map mapr1 10 ipsec-isakmp  //only one crypto map can be applied to an interface, so a single map is created and each sequence number binds a different profile and peer address

 set peer 34.1.1.4

 set transform-set set 

 set isakmp-profile r4profile

 match address r4list

crypto map mapr1 20 ipsec-isakmp 

 set peer 35.1.1.5

 set transform-set set 

 set isakmp-profile r5profile

 match address r5list

!

!

interface Ethernet0/0

 ip address 192.168.1.2 255.255.255.0

 half-duplex

!

interface Ethernet0/1          //apply the crypto map on the outside interface

 ip address 23.1.1.2 255.255.255.0

 half-duplex

 crypto map mapr1

!

interface Ethernet0/2

 no ip address

 shutdown

 half-duplex

!

interface Ethernet0/3

 no ip address

 shutdown

 half-duplex

!

no ip http server

no ip http secure-server

!

ip route 0.0.0.0 0.0.0.0 Ethernet0/1

!

ip access-list extended r4list

 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255

ip access-list extended r5list

 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255

!

!

control-plane

!

 

 

 

R4:

 

 

crypto isakmp policy 10

 encr 3des

 hash md5

 authentication pre-share

 group 2

crypto isakmp key cisco address 23.1.1.2

!         

!

crypto ipsec transform-set set esp-des esp-md5-hmac 

!

crypto map map 10 ipsec-isakmp 

 set peer 23.1.1.2

 set transform-set set 

 match address r4

!

!

!

!

interface Ethernet0/0

 ip address 34.1.1.4 255.255.255.0

 half-duplex

 crypto map map

!

interface Ethernet0/1

 ip address 192.168.4.1 255.255.255.0

 half-duplex

!

interface Ethernet0/2

 no ip address

 shutdown 

 half-duplex

!

interface Ethernet0/3

 no ip address

 shutdown

 half-duplex

!

no ip http server

no ip http secure-server

!

ip route 0.0.0.0 0.0.0.0 Ethernet0/0

!

!

!

ip access-list extended r4

 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255

 

R5:

 

crypto isakmp policy 10

 authentication pre-share

crypto isakmp key cisco address 23.1.1.2

!

!

crypto ipsec transform-set set esp-des esp-md5-hmac 

!         

crypto map map 10 ipsec-isakmp 

 set peer 23.1.1.2

 set transform-set set 

 match address list

!

!

!

!

interface Ethernet0/0

 ip address 35.1.1.5 255.255.255.0

 half-duplex

 crypto map map

!

interface Ethernet0/1

 ip address 192.168.5.1 255.255.255.0

 half-duplex

!

interface Ethernet0/2

 no ip address

 shutdown

 half-duplex

!

interface Ethernet0/3

 no ip address

 shutdown

 half-duplex

!

no ip http server

no ip http secure-server

!

ip route 0.0.0.0 0.0.0.0 Ethernet0/0

!

!

!

ip access-list extended list

 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255

 

 

Summary: in the ISAKMP profile,

crypto isakmp profile r5profile

   keyring r5keyring

   match identity address 35.1.1.5 255.255.255.255 

replaces the `crypto isakmp key 0 cisco address 35.1.1.5` command: the peer's pre-shared key lives in a keyring that is selected per peer by `match identity`, rather than in the global key table. Note that `crypto isakmp policy` entries remain global; the profile does not pin policy 10 to R4 or policy 20 to R5. Each spoke gets whichever policy matches its proposal (R4 proposes 3DES/MD5/group 2, R5 proposes the defaults DES/SHA/group 1), so the hub would accept either policy from either peer. On the hub, `show crypto isakmp profile` lists each profile with its keyring and identity matches, and `show crypto isakmp sa` / `show crypto ipsec sa` confirm which peer negotiated which SA. In a production deployment the DES, 3DES, MD5 and group 1/2 values used throughout this lab should be replaced with current algorithms.
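The chain the summary describes (crypto map entry, `set isakmp-profile`, `match identity address`, keyring, pre-shared key) is exactly where a multi-peer hub configuration breaks in practice: a profile whose identity match does not cover the peer, or a profile bound to a keyring that lacks that peer's key, leaves phase 1 unable to authenticate. The Python script below is an added example, not part of the original write-up or of any Cisco tool. It parses the crypto section of the hub configuration above (embedded as a constructed sample), checks that every crypto map entry's peer is covered by both its profile's `match identity address` and that profile's keyring, and reports which ISAKMP policy attributes are weak, distinguishing values configured explicitly from ones inherited from the IOS defaults. The defaults (DES, SHA, RSA signatures, DH group 1) are the documented IOS defaults; the parser handles only the command forms that appear on this page, and all function names are this example's own.

```python
"""Wiring checks for a hub's per-peer ISAKMP profiles (added example, not from the page)."""
import ipaddress
import re

# Constructed sample: the crypto section of the hub (R1) configuration shown above.
HUB_CONFIG = """\
crypto keyring keyring
  pre-shared-key address 34.1.1.4 key cisco
crypto keyring r5keyring
  pre-shared-key address 35.1.1.5 key cisco
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp policy 20
 authentication pre-share
crypto isakmp profile r4profile
   keyring keyring
   match identity address 34.1.1.4 255.255.255.255
crypto isakmp profile r5profile
   keyring r5keyring
   match identity address 35.1.1.5 255.255.255.255
crypto map mapr1 10 ipsec-isakmp
 set peer 34.1.1.4
 set isakmp-profile r4profile
crypto map mapr1 20 ipsec-isakmp
 set peer 35.1.1.5
 set isakmp-profile r5profile
"""
# IOS defaults for unconfigured policy attributes, and values a production hub should not run.
POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
WEAK = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}

def blocks(config):
    """Yield (header, [child lines]) per top-level IOS command; '!' separators are dropped."""
    for block in re.split(r"\n(?=\S)", config.strip()):
        header, *body = (line.strip() for line in block.splitlines() if line.strip())
        if header != "!":
            yield header, body

def load_hub_config(config):
    """Collect keyrings, ISAKMP policies, ISAKMP profiles and crypto map entries."""
    cfg = {"keyrings": {}, "profiles": {}, "policies": {}, "map_entries": []}
    for header, body in blocks(config):
        w = header.split()
        if w[:2] == ["crypto", "keyring"]:
            ring = cfg["keyrings"].setdefault(w[2], {})  # network -> pre-shared key
            for line in body:
                m = re.match(r"pre-shared-key address (\S+)(?: (\d\S*))? key (?:[06] )?(\S+)", line)
                if m:  # no mask on the command means a single host
                    ring[ipaddress.ip_network(f"{m[1]}/{m[2] or 32}", strict=False)] = m[3]
        elif w[:3] == ["crypto", "isakmp", "policy"]:
            configured = dict(line.split(None, 1) for line in body)
            cfg["policies"][int(w[3])] = (dict(POLICY_DEFAULTS, **configured), set(configured))
        elif w[:3] == ["crypto", "isakmp", "profile"]:
            prof = {"keyring": None, "matches": []}  # networks the peer identity may fall in
            for line in body:
                m = re.match(r"match identity address (\S+)(?: (\S+))?", line)
                if m:
                    prof["matches"].append(ipaddress.ip_network(f"{m[1]}/{m[2] or 32}", strict=False))
                elif line.startswith("keyring "):
                    prof["keyring"] = line.split()[1]
            cfg["profiles"][w[3]] = prof
        elif w[:2] == ["crypto", "map"] and w[-1] == "ipsec-isakmp":
            sets = dict(line.split()[1:3] for line in body if line.startswith("set "))
            cfg["map_entries"].append({"map": w[2], "seq": int(w[3]), "peer": sets.get("peer"),
                                       "profile": sets.get("isakmp-profile")})
    return cfg

def check_peer_wiring(cfg):
    """One finding per crypto map entry whose profile or keyring does not cover its peer."""
    findings = []
    for e in cfg["map_entries"]:
        tag, prof = f"crypto map {e['map']} {e['seq']}", cfg["profiles"].get(e["profile"])
        if e["peer"] is None or prof is None:
            findings.append(f"{tag}: needs 'set peer' and an existing 'set isakmp-profile'")
            continue
        peer = ipaddress.ip_address(e["peer"])
        if not any(peer in net for net in prof["matches"]):
            findings.append(f"{tag}: {e['profile']} has no 'match identity address' covering {peer}")
        if not any(peer in net for net in cfg["keyrings"].get(prof["keyring"], {})):
            findings.append(f"{tag}: keyring {prof['keyring']} holds no pre-shared key for {peer}")
    return findings

def check_policies(cfg):
    """Flag weak ISAKMP policy attributes and say whether each was configured or defaulted."""
    findings = []
    for num, (attrs, explicit) in sorted(cfg["policies"].items()):
        for attr in ("encr", "hash", "group"):
            if attrs[attr] in WEAK[attr]:
                origin = "explicit" if attr in explicit else "IOS default"
                findings.append(f"isakmp policy {num}: {attr} {attrs[attr]} ({origin})")
    return findings

if __name__ == "__main__":
    hub = load_hub_config(HUB_CONFIG)
    print("\n".join(check_peer_wiring(hub) + check_policies(hub)) or "no findings")
```

Run against the sample, the wiring check is clean and the policy check lists five weak attributes: three configured explicitly in policy 10 and two (DES and group 1) that policy 20 inherits silently from the IOS defaults. Paste a real `show running-config` crypto section into `HUB_CONFIG` to check a production hub; changing the R5 identity match or pointing r5profile at the R4 keyring produces one finding each, which is the same mismatch that shows up on the router as a phase 1 authentication failure.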