The environment is as follows:
Router1 F0/0 <----> Router2 F0/0
Router1 F1/0 <----> Router3 F1/0
Router2 F1/0 <----> Router4 F0/0
Router3 F0/0 <----> Router5 F0/0
Router1=ISP
Router2=R2
Router3=R3
Router4=R2-Lan
Router5=R3-Lan
IP addresses and routing table of each device
R1
isp(config)#do show ip int bri
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 200.1.1.10 YES manual up up
FastEthernet1/0 200.2.2.10 YES manual up up
Gateway of last resort is not set
C 200.1.1.0/24 is directly connected, FastEthernet0/0
C 200.2.2.0/24 is directly connected, FastEthernet1/0
R2
R2(config)#do show ip int bri
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 200.1.1.20 YES manual up up
FastEthernet1/0 192.168.1.254 YES manual up up
NVI0 unassigned NO unset up up
Gateway of last resort is 200.1.1.10 to network 0.0.0.0
C 200.1.1.0/24 is directly connected, FastEthernet0/0
C 192.168.1.0/24 is directly connected, FastEthernet1/0
S* 0.0.0.0/0 [1/0] via 200.1.1.10
R3
R3(config)#do show ip int bri
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 172.16.1.254 YES manual up up
FastEthernet1/0 200.2.2.20 YES manual up up
Gateway of last resort is 200.2.2.10 to network 0.0.0.0
C 200.2.2.0/24 is directly connected, FastEthernet1/0
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.1.0 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 200.2.2.10
R2-Lan
R2-Lan(config)#do show ip int bri
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.1.1 YES manual up up
Default gateway is 192.168.1.254
Host Gateway Last Use Total Uses Interface
ICMP redirect cache is empty
R3-Lan
R3-Lan(config)#do show ip int bri
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 172.16.1.1 YES manual up up
Default gateway is 172.16.1.254
Host Gateway Last Use Total Uses Interface
ICMP redirect cache is empty
R2 to R3 ***
192.168.1.0 to 172.16.1.0
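R2 configuration is as follows:
! IKE phase 1 policy (must match the policy on R3)
crypto isakmp policy 1
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 10000
 exit
! Pre-shared key "space" for the peer R3 (200.2.2.20)
crypto isakmp key 0 space address 200.2.2.20
! Traffic to protect: R2 LAN to R3 LAN
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
! IPsec (phase 2) transform set
crypto ipsec transform-set space esp-des ah-sha-hmac
! Crypto map tying together the peer, the transform set and the ACL
crypto map a 1 ipsec-isakmp
 set peer 200.2.2.20
 set transform-set space
 match address 100
 exit
! Apply the crypto map on the interface facing the ISP
int f0/0
 crypto map a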
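R3 configuration is as follows:
! IKE phase 1 policy (must match the policy on R2)
crypto isakmp policy 1
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 10000
 exit
! Pre-shared key "space" for the peer R2 (200.1.1.20)
crypto isakmp key 0 space address 200.1.1.20
! Traffic to protect: R3 LAN to R2 LAN (mirror of the ACL on R2)
access-list 100 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
! IPsec (phase 2) transform set
crypto ipsec transform-set space esp-des ah-sha-hmac
! Crypto map tying together the peer, the transform set and the ACL
crypto map a 1 ipsec-isakmp
 set peer 200.1.1.20
 set transform-set space
 match address 100
 exit
! Apply the crypto map on the interface facing the ISP
int f1/0
 crypto map a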
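The two configurations above only form a tunnel when each end mirrors the other: identical IKE policy, key and transform set, peers pointing at each other's outside address, and access-list 100 reversed. The Python check below is an added example, not part of the original post; the function names, finding labels and the WEAK list (DES, 3DES and DH group 2 treated as too weak for new tunnels) are assumptions of this example.

```python
import re

# Constructed from the R2/R3 configs on this page; COMMON is what both share.
COMMON = """crypto isakmp policy 1
encryption 3des
hash sha
authentication pre-share
group 2
lifetime 10000
crypto ipsec transform-set space esp-des ah-sha-hmac
"""
R2 = COMMON + """crypto isakmp key 0 space address 200.2.2.20
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
set peer 200.2.2.20
"""
R3 = COMMON + """crypto isakmp key 0 space address 200.1.1.20
access-list 100 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
set peer 200.1.1.20
"""
IKE_KEYS = ("encryption", "hash", "authentication", "group", "lifetime")
# Assumption of this example: algorithms treated as too weak for new tunnels.
WEAK = {"des", "3des", "esp-des", "esp-3des", "group 2"}

def parse(cfg):
    """Extract the settings that both tunnel ends have to agree on."""
    get = lambda pat: re.search(pat, cfg, re.M).groups()
    return {
        "ike": {k: get(rf"^\s*{k} (\S+)")[0] for k in IKE_KEYS},
        "psk": get(r"^\s*crypto isakmp key \d (\S+) address (\S+)"),
        "acl": get(r"^\s*access-list \d+ permit ip (\S+ \S+) (\S+ \S+)"),
        "ts": set(get(r"^\s*crypto ipsec transform-set \S+ (.+)$")[0].split()),
        "peer": get(r"^\s*set peer (\S+)")[0],
    }

def audit(cfg_a, cfg_b, outside_a, outside_b):
    """Return findings for the tunnel between A and B; outside_* are WAN IPs."""
    a, b = parse(cfg_a), parse(cfg_b)
    checks = [
        ("ike-policy-mismatch", a["ike"] != b["ike"]),
        ("psk-mismatch", a["psk"][0] != b["psk"][0]),
        ("peer-address-mismatch", {a["peer"], a["psk"][1]} != {outside_b}
            or {b["peer"], b["psk"][1]} != {outside_a}),
        ("crypto-acl-not-mirrored", a["acl"] != b["acl"][::-1]),
        ("transform-set-mismatch", a["ts"] != b["ts"]),
    ]
    used = {x for s in (a, b)
            for x in s["ts"] | {s["ike"]["encryption"], "group " + s["ike"]["group"]}}
    return [n for n, bad in checks if bad] + sorted("weak:" + w for w in used & WEAK)

if __name__ == "__main__":
    print(audit(R2, R3, outside_a="200.1.1.20", outside_b="200.2.2.20"))
```

For the configurations on this page the two ends are consistent, so only the weak-algorithm findings are reported.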
R2-Lan test
r2-lan#traceroute 172.16.1.1
Type escape sequence to abort.
Tracing the route to 172.16.1.1
1 192.168.1.254 80 msec 48 msec 20 msec
2 * * *
3 172.16.1.1 176 msec * 148 msec