×××通道的建立

要把internet上的兩個局域網通過加密的通道連接起來

左邊代表一個局域網，中間代表着Internet，右邊是另一個局域網。

 

 

我們要在兩個路由器上配置來建立×××通道

一、先在左邊的路由器R1上配置

1、配置信息
r1>en
r1#conf t
r1(config)#crypto isakmp enable
r1(config)#crypto isakmp policy 1
r1(config-isakmp)#hash sha
r1(config-isakmp)#authentication pre-share
r1(config)#crypto isakmp key 6 ming address 200.200.2.2
r1(config)#crypto ipsec transform-set xinzhan ah-sha-hmac esp-3des
r1(cfg-crypto-trans)#exit
r1(config)#access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
r1(config)#crypto ipsec transform-set xinzhan ah-sha-hmac esp-3des
r1(cfg-crypto-trans)#access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
r1(config)#crypto map xian 2 ipsec-isakmp
r1(config-crypto-map)#set peer 200.200.2.2
r1(config-crypto-map)#set transform-set xinzhan
r1(config-crypto-map)#match address 110
r1(config-crypto-map)#int f0/0
r1(config-if)#crypto map xian
r1(config-if)#exit

2、查看配置信息
r3#show crypto map
Crypto Map "xian" 2 ipsec-isakmp
        Peer = 200.200.2.2
        Extended IP access list 110
            access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
        Current peer: 200.200.2.2
        Security association lifetime: 100 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                xinzhan,
        }
        Interfaces using crypto map xian:
                Ethernet0/0

二、再在右邊的路由器R3上配置

1、配置R3
r3>en
r3#conf t
r3(config)#crypto isakmp enable
r3(config)#crypto isakmp policy 2
r3(config-isakmp)#hash sha
r3(config-isakmp)#authentication pre-share
r3(config)#crypto isakmp key 6 ming address 100.100.1.1
r3(config)#crypto ipsec transform-set xinzhan ah-sha-hmac esp-3des
r3(cfg-crypto-trans)#exit
r3(config)#access-list 111 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
r3(config)#crypto ipsec transform-set xinzhan ah-sha-hmac esp-3des
r3(cfg-crypto-trans)#access-list 111 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
r3(config)#crypto map xian 2 ipsec-isakmp
r3(config-crypto-map)#set peer 100.100.1.1
r3(config-crypto-map)#set transform-set xinzhan
r3(config-crypto-map)#match address 111
r3(config-crypto-map)#int f0/1
r3(config-if)#crypto map xian
r3(config-if)#exit

2、查看配置信息
r3#show crypto map
Crypto Map "xian" 2 ipsec-isakmp
        Peer = 100.100.1.1
        Extended IP access list 111
            access-list 111 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
        Current peer: 100.100.1.1
        Security association lifetime: 100 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                xinzhan,
        }
        Interfaces using crypto map xian:
                Ethernet0/1

3、在中間的路由器上模擬internet

r1>en
r1#conf t

r1(config)#host internet

r1(config)#no ip domain-lookup

r1(config)#int f0/0

r1(config-if)#ip add 100.100.2.2 255.255.0.0

r1(config-if)#no shutdown

r1(config-if)#int f0/1

r1(config-if)#ip add 200.200.1.1 255.255.0.0

r1(config-if)#no shutdown

r1(config-if)#exit

4、配置完測試能否ping通
VPCS 2 >ping 192.168.1.2
192.168.1.2 icmp_seq=1 time=96.000 ms
192.168.1.2 icmp_seq=2 time=58.000 ms
192.168.1.2 icmp_seq=3 time=19.000 ms
192.168.1.2 icmp_seq=4 time=19.000 ms
192.168.1.2 icmp_seq=5 time=79.000 ms

VPCS 1 >ping 192.168.2.2
192.168.2.2 icmp_seq=1 time=96.000 ms
192.168.2.2 icmp_seq=2 time=58.000 ms
192.168.2.2 icmp_seq=3 time=19.000 ms
192.168.2.2 icmp_seq=4 time=19.000 ms
192.168.2.2 icmp_seq=5 time=79.000 ms