1. Lab topology


2. Basic network configuration

R1 configuration:

service dhcp

ip dhcp excluded-address 16.1.1.1

ip dhcp pool net16

   network 16.1.1.0 255.255.255.0

   default-router 16.1.1.1 

interface FastEthernet0/0

 ip address 12.1.1.1 255.255.255.0

interface FastEthernet1/0

 ip address 13.1.1.1 255.255.255.0

interface FastEthernet2/0

 ip address 16.1.1.1 255.255.255.0


R2 configuration:

interface FastEthernet0/0

 ip address 12.1.1.2 255.255.255.0

interface FastEthernet1/0

 ip address 172.16.1.254 255.255.255.0

ip route 0.0.0.0 0.0.0.0 12.1.1.1


R3 configuration:

interface FastEthernet0/0

 ip address 13.1.1.3 255.255.255.0

interface FastEthernet1/0

 ip address 192.168.1.254 255.255.255.0

ip route 0.0.0.0 0.0.0.0 13.1.1.1


R4 configuration:

interface FastEthernet0/0

 ip address 172.16.1.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 172.16.1.254


R5 configuration:

interface FastEthernet0/0

 ip address 192.168.1.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.1.254


R6 configuration:

interface FastEthernet0/0

 ip address dhcp

interface FastEthernet1/0

 ip address 10.1.1.254 255.255.255.0

ip route 0.0.0.0 0.0.0.0 16.1.1.1


R7 configuration:

interface FastEthernet0/0

 ip address 10.1.1.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 10.1.1.254


3. IPSec Dynamic LAN-to-LAN VPN configuration

R2 configuration:

crypto keyring cisco 

  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco


crypto isakmp policy 1

 encr 3des

 authentication pre-share

 group 2


crypto isakmp profile cisco

   keyring cisco

   match identity address 0.0.0.0 


crypto ipsec transform-set cisco esp-3des esp-sha-hmac 


crypto dynamic-map cisco 5

 set transform-set cisco 

 set isakmp-profile cisco


crypto map cisco 10 ipsec-isakmp dynamic cisco 


interface FastEthernet0/0

 crypto map cisco


R3 configuration:

crypto isakmp policy 1

 encr 3des

 authentication pre-share

 group 2


crypto isakmp key cisco address 12.1.1.2


crypto ipsec transform-set cisco esp-3des esp-sha-hmac 


access-list 100 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255


crypto map cisco 1 ipsec-isakmp 

 set peer 12.1.1.2

 set transform-set cisco 

 match address 100


interface FastEthernet0/0

 crypto map cisco


R6 configuration:

crypto isakmp policy 1

 encr 3des

 authentication pre-share

 group 2


crypto isakmp key cisco address 12.1.1.2


crypto ipsec transform-set cisco esp-3des esp-sha-hmac 


access-list 100 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255


crypto map cisco 1 ipsec-isakmp 

 set peer 12.1.1.2

 set transform-set cisco 

 match address 100


interface FastEthernet0/0

 crypto map cisco
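
An added example, not part of the original lab: a short Python check that runs over R2's VPN configuration from section 3 and flags the settings worth reviewing before the lab is reused elsewhere (3DES, DH group 2, and a short pre-shared key accepted from any peer address). The rule set and the 16-character minimum key length are assumptions of this example.

```python
import re

# R2's VPN configuration from section 3 of this page, embedded so the check runs offline.
R2_CONFIG = """\
crypto keyring cisco
  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile cisco
   keyring cisco
   match identity address 0.0.0.0
crypto ipsec transform-set cisco esp-3des esp-sha-hmac
crypto dynamic-map cisco 5
 set transform-set cisco
 set isakmp-profile cisco
crypto map cisco 10 ipsec-isakmp dynamic cisco
"""

MIN_PSK_LEN = 16  # assumption of this example, not a Cisco requirement

# (rule id, pattern matched against one whitespace-normalised line, reason)
RULES = [
    ("weak-ike-cipher", r"^encr (des|3des)$", "IKE policy uses DES/3DES"),
    ("weak-dh-group", r"^group (1|2|5)$", "DH group is smaller than 2048 bits"),
    ("weak-esp-transform", r"^crypto ipsec transform-set \S+ .*\besp-(des|3des|md5-hmac)\b",
     "transform set uses DES/3DES or HMAC-MD5"),
]
# The two pre-shared-key forms used on this page (keyring entry and global key).
PSK_FORMS = [
    re.compile(r"^pre-shared-key address (?P<peer>\S+)(?: \S+)? key (?P<key>\S+)$"),
    re.compile(r"^crypto isakmp key (?P<key>\S+) address (?P<peer>\S+)"),
]

def audit(config):
    """Return (line number, rule id, reason) tuples; key values are never echoed."""
    findings = []
    for no, raw in enumerate(config.splitlines(), 1):
        line = " ".join(raw.split())  # drop indentation and trailing spaces
        findings += [(no, rule, why) for rule, pat, why in RULES if re.search(pat, line)]
        for form in PSK_FORMS:
            m = form.match(line)
            if m and m["peer"] == "0.0.0.0":
                findings.append((no, "wildcard-psk", "key is accepted from any peer address"))
            if m and len(m["key"]) < MIN_PSK_LEN:
                findings.append((no, "short-psk", f"key is shorter than {MIN_PSK_LEN} characters"))
    return findings

if __name__ == "__main__":
    for no, rule, why in audit(R2_CONFIG):
        print(f"R2 line {no}: {rule}: {why}")
```

The same function can be pointed at the R3 and R6 configurations, where only the policy, transform-set and key-length rules apply because their keys are bound to 12.1.1.2.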


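4. Connectivity test between the R4, R5 and R7 internal networks (you must ping R4 from R5 and R7 first; only then do pings work, because R2 uses a dynamic crypto map and cannot initiate the tunnel itself)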