雅那安


1. Basic IP configuration
R1:
int f0/1
ip add 12.1.1.1 255.255.255.0
no sh
int f0/0
ip add 13.1.1.1 255.255.255.0
no sh
int loo 0
ip add 1.1.1.1 255.255.255.255
R2:
int f0/1
ip add 12.1.1.2 255.255.255.0
no sh
int f0/0
ip add 192.168.1.254 255.255.255.0
no sh
! ACL 100: exempt the LAN-to-LAN (VPN) traffic from NAT, translate everything else
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip any any
int f0/1
ip nat outside
int f0/0
ip nat inside
! PAT on the outside interface for traffic permitted by ACL 100
ip nat inside source list 100 interface f0/1 overload
R3:
int f0/0
ip add 13.1.1.3 255.255.255.0
no sh
int f0/1
ip add 192.168.2.254 255.255.255.0
no sh
! ACL 100: exempt the LAN-to-LAN (VPN) traffic from NAT, translate everything else
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip any any
int f0/0
ip nat outside
int f0/1
ip nat inside
! PAT on the outside interface for traffic permitted by ACL 100
ip nat inside source list 100 interface f0/0 overload
R4:
int f0/0
ip add 192.168.1.1 255.255.255.0
no sh
! R4 acts as a host: routing off, R2 as default gateway
no ip routing
ip default-gateway 192.168.1.254
R5:
int f0/1
ip add 192.168.2.1 255.255.255.0
no sh
! R5 acts as a host: routing off, R3 as default gateway
no ip routing
ip default-gateway 192.168.2.254
2. IPsec configuration
R3:
Phase 1:
show crypto isakmp policy
crypto isakmp policy 10
encryption aes
hash md5
authentication pre-share
group 2
lifetime 3600
show crypto isakmp policy
! key type 0: the cleartext pre-shared key follows (type 6 expects an already-encrypted string)
crypto isakmp key 0 CCIE55 address 12.1.1.2
Phase 2:
crypto ipsec transform-set CCIE55 esp-aes esp-md5-hmac
mode tunnel
! Interesting traffic: define ACL 101 in global config before entering the crypto map
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map CCIE55MAP 10 ipsec-isakmp
set peer 12.1.1.2
set transform-set CCIE55
match address 101
Apply the equivalent configuration on R2:
The R2 configuration is as follows:
! Crypto ACL mirrors R3's: local LAN as source, remote LAN as destination
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto isakmp policy 10
encryption aes
hash md5
authentication pre-share
group 2
lifetime 3600
! key type 0: the cleartext pre-shared key follows
crypto isakmp key 0 CCIE55 address 13.1.1.3
crypto ipsec transform-set CCIE55 esp-aes esp-md5-hmac
mode tunnel
crypto map CCIE55MAP 10 ipsec-isakmp
set peer 13.1.1.3
set transform-set CCIE55
match address 101
Apply the crypto map on R3:
R3:
int f0/0 
crypto map CCIE55MAP
R2:
int f0/1
crypto map CCIE55MAP
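
An added example, not part of the original post: a Python check that the crypto ACLs (101) on the two peers mirror each other and that each NAT ACL (100) denies the protected flow before permit ip any any, since IOS applies inside-to-outside NAT before it evaluates the crypto map. The config strings are constructed from this lab's addressing, and the function names and the exact-match comparison (network/wildcard or any, no subnet containment) are assumptions of the example.

```python
import re

# Constructed sample input: ACL, NAT and crypto map lines for R2 and R3 of this lab.
R2 = """\
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip any any
ip nat inside source list 100 interface f0/1 overload
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto map CCIE55MAP 10 ipsec-isakmp
 match address 101
"""
R3 = """\
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip any any
ip nat inside source list 100 interface f0/0 overload
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map CCIE55MAP 10 ipsec-isakmp
 match address 101
"""

def parse(cfg):
    """Return (crypto_aces, nat_aces); each ACE is (action, src, dst)."""
    acls = {}
    for num, action, rest in re.findall(r"^access-list (\d+) (permit|deny) ip (.+)$", cfg, re.M):
        tok, ends = rest.split(), []
        while tok:  # an endpoint is either "any" or "<network> <wildcard>"
            n = 1 if tok[0] == "any" else 2
            ends.append(tuple(tok[:n]))
            tok = tok[n:]
        acls.setdefault(num, []).append((action, ends[0], ends[1]))
    crypto = re.search(r"^\s*match address (\d+)", cfg, re.M).group(1)
    nat = re.search(r"^ip nat inside source list (\d+)", cfg, re.M).group(1)
    return acls[crypto], acls[nat]

def audit(local, peer):
    """List problems in local's crypto and NAT ACLs relative to peer."""
    crypto, nat = parse(local)
    problems = []
    # 1. Crypto ACLs must mirror each other or phase 2 proxy identities disagree.
    mirrored = [(a, d, s) for a, s, d in parse(peer)[0]]
    if sorted(crypto) != sorted(mirrored):
        problems.append("crypto ACL is not the mirror of the peer's")
    # 2. The first NAT ACE matching a protected flow must be a deny,
    #    otherwise PAT rewrites the source and the crypto ACL no longer matches.
    for _, src, dst in crypto:
        first = next((a for a, s, d in nat
                      if s in (src, ("any",)) and d in (dst, ("any",))), None)
        if first != "deny":
            problems.append(f"NAT ACL does not exempt {src[0]} -> {dst[0]}")
    return problems
```

audit(R2, R3) and audit(R3, R2) both return an empty list for the lab configuration; copying R3's ACL 101 unchanged onto R2 makes audit report both a mirror mismatch and a missing NAT exemption.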

Verify IPsec:
Phase 1: show crypto isakmp sa (if there are no entries, send a ping across so that traffic triggers the negotiation)
show crypto isakmp key
Phase 2: show crypto ipsec sa
R2: show crypto ipsec sa
R3: show crypto ipsec sa

Posted on 2020-07-14 00:26 by 雅那安