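The goal is to connect two LANs across the Internet through an encrypted tunnel.
In the topology, the left side is one LAN, the middle represents the Internet, and the right side is the other LAN.
We configure the two routers to establish the VPN tunnel.
I. First, configure router R1 on the left
1. Configuration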
r1>en
r1#conf t
r1(config)#crypto isakmp enable
r1(config)#crypto isakmp policy 1
r1(config-isakmp)#hash sha
r1(config-isakmp)#authentication pre-share
r1(config)#crypto isakmp key 6 ming address 200.200.2.2
r1(config)#crypto ipsec transform-set xinzhan ah-sha-hmac esp-3des
r1(cfg-crypto-trans)#exit
r1(config)#access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
r1(config)#crypto ipsec transform-set xinzhan ah-sha-hmac esp-3des
r1(cfg-crypto-trans)#access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
r1(config)#crypto map xian 2 ipsec-isakmp
r1(config-crypto-map)#set peer 200.200.2.2
r1(config-crypto-map)#set transform-set xinzhan
r1(config-crypto-map)#match address 110
r1(config-crypto-map)#int f0/0
r1(config-if)#crypto map xian
r1(config-if)#exit
2. View the configuration
r3#show crypto map
Crypto Map "xian" 2 ipsec-isakmp
Peer = 200.200.2.2
Extended IP access list 110
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Current peer: 200.200.2.2
Security association lifetime: 100 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
xinzhan,
}
Interfaces using crypto map xian:
Ethernet0/0
II. Then configure router R3 on the right
1. Configure R3
r3>en
r3#conf t
r3(config)#crypto isakmp enable
r3(config)#crypto isakmp policy 2
r3(config-isakmp)#hash sha
r3(config-isakmp)#authentication pre-share
r3(config)#crypto isakmp key 6 ming address 100.100.1.1
r3(config)#crypto ipsec transform-set xinzhan ah-sha-hmac esp-3des
r3(cfg-crypto-trans)#exit
r3(config)#access-list 111 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
r3(config)#crypto ipsec transform-set xinzhan ah-sha-hmac esp-3des
r3(cfg-crypto-trans)#access-list 111 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
r3(config)#crypto map xian 2 ipsec-isakmp
r3(config-crypto-map)#set peer 100.100.1.1
r3(config-crypto-map)#set transform-set xinzhan
r3(config-crypto-map)#match address 111
r3(config-crypto-map)#int f0/1
r3(config-if)#crypto map xian
r3(config-if)#exit
2. View the configuration
r3#show crypto map
Crypto Map "xian" 2 ipsec-isakmp
Peer = 100.100.1.1
Extended IP access list 111
access-list 111 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
Current peer: 100.100.1.1
Security association lifetime: 100 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
xinzhan,
}
Interfaces using crypto map xian:
Ethernet0/1
3. Simulate the Internet on the middle router
r1>en
r1#conf t
r1(config)#host internet
r1(config)#no ip domain-lookup
r1(config)#int f0/0
r1(config-if)#ip add 100.100.2.2 255.255.0.0
r1(config-if)#no shutdown
r1(config-if)#int f0/1
r1(config-if)#ip add 200.200.1.1 255.255.0.0
r1(config-if)#no shutdown
r1(config-if)#exit
4. After configuration, test whether ping works
VPCS 2 >ping 192.168.1.2
192.168.1.2 icmp_seq=1 time=96.000 ms
192.168.1.2 icmp_seq=2 time=58.000 ms
192.168.1.2 icmp_seq=3 time=19.000 ms
192.168.1.2 icmp_seq=4 time=19.000 ms
192.168.1.2 icmp_seq=5 time=79.000 ms
VPCS 1 >ping 192.168.2.2
192.168.2.2 icmp_seq=1 time=96.000 ms
192.168.2.2 icmp_seq=2 time=58.000 ms
192.168.2.2 icmp_seq=3 time=19.000 ms
192.168.2.2 icmp_seq=4 time=19.000 ms
192.168.2.2 icmp_seq=5 time=79.000 ms
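The two ends of the tunnel only come up when R1 and R3 agree on the pre-shared key and transform set and their crypto ACLs mirror each other. The following Python check is an added example, not part of the original post; the embedded configs are constructed from the tunnel-relevant commands in the R1 and R3 sessions above with prompts stripped, and the function names `parse` and `mismatches` are hypothetical.

```python
import ipaddress
import re

# Constructed input: tunnel-relevant commands from the R1 and R3 sessions
# on this page, with the router prompts stripped.
R1 = """crypto isakmp key 6 ming address 200.200.2.2
crypto ipsec transform-set xinzhan ah-sha-hmac esp-3des
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto map xian 2 ipsec-isakmp
 set peer 200.200.2.2
 set transform-set xinzhan
 match address 110
"""
R3 = """crypto isakmp key 6 ming address 100.100.1.1
crypto ipsec transform-set xinzhan ah-sha-hmac esp-3des
access-list 111 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map xian 2 ipsec-isakmp
 set peer 100.100.1.1
 set transform-set xinzhan
 match address 111
"""

def parse(cfg):
    """Pull out the values both tunnel endpoints must agree on."""
    grab = lambda pat: re.search(pat, cfg, re.M).groups()
    (acl,) = grab(r"^\s*match address (\d+)")
    (tset,) = grab(r"^\s*set transform-set (\S+)")
    src, swc, dst, dwc = grab(rf"^access-list {acl} permit ip (\S+) (\S+) (\S+) (\S+)")
    psk, psk_peer = grab(r"^crypto isakmp key (?:\d+ )?(\S+) address (\S+)")
    # ipaddress accepts a wildcard (host) mask after the slash.
    net = lambda addr, wc: ipaddress.ip_network(f"{addr}/{wc}")
    return {"psk": psk, "psk_peer": psk_peer, "peer": grab(r"^\s*set peer (\S+)")[0],
            "transforms": sorted(grab(rf"^crypto ipsec transform-set {tset} (.+)$")[0].split()),
            "src": net(src, swc), "dst": net(dst, dwc)}

def mismatches(cfg_a, cfg_b):
    """Return the reasons the two ends disagree (empty list if consistent)."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    if a["transforms"] != b["transforms"]:
        problems.append("transform sets differ")
    if (a["src"], a["dst"]) != (b["dst"], b["src"]):
        problems.append("crypto ACLs are not mirror images")
    for name, side in (("A", a), ("B", b)):
        if side["psk_peer"] != side["peer"]:
            problems.append(f"side {name}: key address != set peer")
    return problems
```

Calling `mismatches(R1, R3)` on the configs from this page returns an empty list; changing either side's ACL, key, or peer address makes the corresponding reason appear.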