Cisco router IPsec VPN advanced configuration (hub-and-spoke)

Result:
All branches and the headquarters can reach each other over IPsec VPN, and each site can still reach the server on the public Internet. Branch-to-branch traffic also travels over IPsec VPN, transiting through the headquarters router.

Headquarters router configuration:

bj-router#show running-config
Building configuration…

Current configuration : 1627 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname bj-router
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
!
crypto isakmp key adminadmin address 120.1.1.2
crypto isakmp key adminadmin address 200.1.1.2
!
!
!
crypto ipsec transform-set beijing esp-aes 128 esp-sha-hmac
!
crypto map beijing-map 1 ipsec-isakmp
set peer 200.1.1.2
set transform-set beijing
match address 100
!
crypto map beijing-map 2 ipsec-isakmp
set peer 120.1.1.2
set transform-set beijing
match address 103
!
!
!
!
no ip domain-lookup
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
ip address 100.1.1.1 255.255.255.0
ip nat outside
duplex auto
speed auto
crypto map beijing-map
!
interface FastEthernet0/1
ip address 192.168.1.254 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
ip nat inside source list 101 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 100.1.1.2
!
ip flow-export version 9
!
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 101 permit ip any any
access-list 103 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 103 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end

Guangzhou branch router:

gz-route#show running-config
Building configuration…

Current configuration : 1379 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname gz-route
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
!
crypto isakmp key adminadmin address 100.1.1.1
!
!
!
crypto ipsec transform-set guanzhou esp-aes 128 esp-sha-hmac
crypto ipsec transform-set guangzhou esp-aes 128 esp-sha-hmac
!
crypto map guangzhou-map 1 ipsec-isakmp
set peer 100.1.1.1
set transform-set guangzhou
match address 100
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
ip address 120.1.1.2 255.255.255.0
ip nat outside
duplex auto
speed auto
crypto map guangzhou-map
!
interface FastEthernet0/1
ip address 10.1.1.254 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
ip nat inside source list 101 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 120.1.1.1
!
ip flow-export version 9
!
!
access-list 100 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 101 deny ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 101 deny ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip any any
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end

gz-route#

Shanghai branch router:

sh-router#show running-config
Building configuration…

Current configuration : 1341 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname sh-router
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
!
crypto isakmp key adminadmin address 100.1.1.1
!
!
!
crypto ipsec transform-set shanghai esp-aes 128 esp-sha-hmac
!
crypto map shanghai-map 1 ipsec-isakmp
set peer 100.1.1.1
set transform-set shanghai
match address 100
!
!
!
!
no ip domain-lookup
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
ip address 172.16.1.254 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 200.1.1.2 255.255.255.0
ip nat outside
duplex auto
speed auto
crypto map shanghai-map
!
interface Vlan1
no ip address
shutdown
!
ip nat inside source list 101 interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 200.1.1.1
!
ip flow-export version 9
!
!
access-list 100 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 deny ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 deny ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip any any
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end

sh-router#

ISP router configuration:

isp#show running-config
Building configuration…

Current configuration : 753 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname isp
!
!
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
ip address 100.1.1.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 200.1.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 120.1.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/1
ip address 150.1.1.254 255.255.255.0
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
ip classless
!
ip flow-export version 9
!
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end

isp#

Check the negotiation:

show crypto isakmp sa (interesting traffic such as a ping must be sent first, otherwise no SA is shown)
show crypto ipsec sa

Check that the encryption algorithms and other settings match on both sides:

show crypto isakmp policy
show crypto ipsec than…
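The configs above work only because three things line up: every crypto ACL is the exact mirror of its peer's, the NAT ACL 101 denies each flow before it can be translated, and the hub's two map entries together cover the spoke-to-spoke flows. The following script is an added example, not part of the original post; it transcribes the ACLs from the three router configs into Python and checks those three properties, so it can be rerun after any change (the dict layout and function names are my own).

```python
# Added example, not from the original post: ACL data transcribed from the configs above.
LAN = {"bj-router": "192.168.1.0/24", "gz-route": "10.1.1.0/24", "sh-router": "172.16.1.0/24"}
WAN = {"bj-router": "100.1.1.1", "gz-route": "120.1.1.2", "sh-router": "200.1.1.2"}
# crypto map entries: router -> peer WAN IP -> (src, dst) flows permitted by that entry's ACL
CRYPTO = {
    "bj-router": {
        "200.1.1.2": [("192.168.1.0/24", "172.16.1.0/24"), ("10.1.1.0/24", "172.16.1.0/24")],
        "120.1.1.2": [("192.168.1.0/24", "10.1.1.0/24"), ("172.16.1.0/24", "10.1.1.0/24")],
    },
    "gz-route": {"100.1.1.1": [("10.1.1.0/24", "192.168.1.0/24"), ("10.1.1.0/24", "172.16.1.0/24")]},
    "sh-router": {"100.1.1.1": [("172.16.1.0/24", "192.168.1.0/24"), ("172.16.1.0/24", "10.1.1.0/24")]},
}
# deny lines of access-list 101 (the NAT overload ACL) on each router
NAT_DENY = {
    "bj-router": [("192.168.1.0/24", "10.1.1.0/24"), ("192.168.1.0/24", "172.16.1.0/24")],
    "gz-route": [("10.1.1.0/24", "172.16.1.0/24"), ("10.1.1.0/24", "192.168.1.0/24")],
    "sh-router": [("172.16.1.0/24", "10.1.1.0/24"), ("172.16.1.0/24", "192.168.1.0/24")],
}
IP2NAME = {ip: name for name, ip in WAN.items()}

def mirror_mismatches():
    """Each crypto ACL flow must appear src/dst-swapped in the peer's ACL for this router;
    otherwise phase 2 fails with a proxy-identity mismatch in 'show crypto ipsec sa'."""
    bad = []
    for router, peers in CRYPTO.items():
        for peer_ip, flows in peers.items():
            theirs = set(CRYPTO[IP2NAME[peer_ip]][WAN[router]])
            bad += [(router, peer_ip, s, d) for s, d in flows if (d, s) not in theirs]
    return bad

def unexempted_flows():
    """LAN-sourced flows the crypto ACL selects but ACL 101 does not deny: PAT would rewrite
    the source before encryption and the packet would no longer match the crypto ACL.
    Transit flows on the hub arrive on the outside interface, so inside NAT never sees them."""
    bad = []
    for router, peers in CRYPTO.items():
        for flows in peers.values():
            for s, d in flows:
                if s == LAN[router] and (s, d) not in NAT_DENY[router]:
                    bad.append((router, s, d))
    return bad

def hub_transit_ok(src_router, dst_router, hub="bj-router"):
    """Spoke-to-spoke traffic must be selected on four ACLs: near spoke -> hub, the hub's
    map entry for the near spoke, the hub's entry for the far spoke, and far spoke -> hub."""
    s, d = LAN[src_router], LAN[dst_router]
    return ((s, d) in CRYPTO[src_router][WAN[hub]]
            and (d, s) in CRYPTO[hub][WAN[src_router]]
            and (s, d) in CRYPTO[hub][WAN[dst_router]]
            and (d, s) in CRYPTO[dst_router][WAN[hub]])
```

With the ACLs exactly as shown on this page, both checks return empty lists and the Guangzhou-to-Shanghai transit check returns True in both directions; removing one of the hub's `access-list 100` or `103` lines makes the corresponding check fail.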
