Cisco Router-to-Router VPN

Technical notes

A brief description of the lab:

1. R3 simulates the public Internet. It has no routing configured, and none may be added: its two interfaces sit directly on 100.1.1.0/24 and 200.1.1.0/24, so it forwards between the two edge routers as connected networks while knowing nothing about the private subnets behind them, exactly like an ISP.

2. R2 and R4 simulate the enterprise edge routers: they NAT the LAN onto the Internet and terminate the IPsec VPN.

3. R1 and R5 simulate internal hosts.



R1#show run
Building configuration...

Current configuration : 1144 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
no ip icmp rate-limit unreachable
ip cef
ip tcp synwait-time 5
!
!        
no ip dhcp use vrf connected
!
!
no ip domain lookup
no ip ips deny-action ips-interface
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username cisco privilege 15 password 0 cisco
!
!        
!
!
!
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet1/0
 ip address 10.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.2
no ip http server
no ip http secure-server
!
!
!
no cdp log mismatch duplex
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 password cisco
 login local
line vty 5 15
 password cisco
 login local
!
!
end

R1#


R2#show run
Building configuration...

Current configuration : 1671 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
no ip icmp rate-limit unreachable
ip cef
ip tcp synwait-time 5
!
!        
no ip dhcp use vrf connected
!
!
no ip domain lookup
no ip ips deny-action ips-interface
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!        
crypto isakmp policy 1              
 encr 3des
 hash md5
 authentication pre-share
 group 2

#######################################################################

Note: this defines ISAKMP policy 1 with 3DES encryption, MD5 hashing, pre-shared-key (PSK) authentication and Diffie-Hellman group 2 (1024-bit MODP) for key agreement. Both peers must have a policy whose attributes match exactly, otherwise phase 1 fails. All three algorithm choices are legacy and are used here only because it is a lab; on a current IOS release prefer AES, SHA-256 and DH group 14 or higher, and confirm what was actually negotiated with show crypto isakmp sa.

#######################################################################



crypto isakmp key cisco111 address 200.1.1.4


#######################################################################

Note: because the authentication method chosen above is pre-shared keys, a key must be defined for the peer. Here the key shared with peer 200.1.1.4 is cisco111; both sides must configure the identical key or the IKE SA cannot be established. IOS looks the key up by the peer's source address, so it has to be bound to the address the peer really sends from (its crypto interface, 200.1.1.4). The 0 keyword in the command (crypto isakmp key 0 ...) means the key is stored in cleartext in the running-config, which is why it appears unencrypted here.

#######################################################################


!
!
crypto ipsec transform-set A-TO-B esp-3des esp-md5-hmac


#######################################################################

Note: this configures the transform set A-TO-B: ESP with 3DES for encryption, and ESP with HMAC-MD5 for integrity. The IPsec mode defaults to tunnel, which is what a site-to-site VPN between two private subnets needs.

#######################################################################
!
crypto map l2l 1 ipsec-isakmp
 set peer 200.1.1.4
 set transform-set A-TO-B
 match address VPN

#######################################################################

Note: on R2 the crypto map is named l2l with sequence number 1, i.e. the first policy entry. It specifies 200.1.1.4 as the peer that encrypted traffic is sent to (the IPsec tunnel is built with 200.1.1.4), uses transform set A-TO-B, and designates the traffic matched by extended ACL VPN as the traffic to be protected. The transform-set names differ on the two routers (A-TO-B on R2, B-TO-A on R4); that is fine, because IKE compares the proposals, not the names. The crypto ACL, on the other hand, must be the exact mirror of the peer's, with source and destination swapped.

#######################################################################


!
!
!
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!        
interface FastEthernet1/0
 ip address 10.1.1.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1/1
 ip address 100.1.1.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map l2l

#######################################################################

Note: the crypto map is applied to the public-facing interface F1/1. It only acts on traffic leaving that interface, and the same interface is also the NAT outside interface, so the NAT exemption in the NAT ACL is what keeps the two features from colliding.

#######################################################################
!
ip classless
ip route 0.0.0.0 0.0.0.0 100.1.1.3
no ip http server
no ip http secure-server
!
!
ip nat inside source list NAT interface FastEthernet1/1 overload
!        
ip access-list extended NAT
 deny   ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any

#######################################################################

Note: traffic that is to go through the VPN is excluded from NAT. This is required, not optional: IOS performs inside-to-outside NAT before IPsec encryption, so without the deny line the source 10.1.1.x would be translated to 100.1.1.2, the packet would no longer match ACL VPN, and it would leave for the Internet unencrypted. The order of the entries matters too: the deny must come before the permit ip any any.

#######################################################################
ip access-list extended VPN
 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
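Before debugging on the box it helps to check the two edge configs against each other for the classic mismatches covered by the notes above (matching ISAKMP policy, identical pre-shared key bound to the right peer address, equivalent transform-set proposals, mirrored crypto ACLs, and a NAT exemption ahead of the overload permit). The script below is an added example written for this page; it is not Cisco code and not part of the original post. It renders the crypto, interface, NAT and ACL lines of both lab routers from the values shown here (with the crypto map named l2l, as the note describes) and walks the checks in both directions. The function names (`parse_ios`, `check_pair`), the ERROR/WARN wording and the list of "weak" algorithms are this example's own, and the parser understands only the handful of commands this lab uses.

```python
"""Added example: cross-check two IOS IPsec peers for the mismatches that keep a tunnel down."""


def lab_config(iface, local_ip, peer_ip, tset, local_net, remote_net):  # constructed from the lab above
    return f"""crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco111 address {peer_ip}
crypto ipsec transform-set {tset} esp-3des esp-md5-hmac
crypto map l2l 1 ipsec-isakmp
 set peer {peer_ip}
 set transform-set {tset}
 match address VPN
interface {iface}
 ip address {local_ip} 255.255.255.0
 crypto map l2l
ip nat inside source list NAT interface {iface} overload
ip access-list extended NAT
 deny   ip {local_net} 0.0.0.255 {remote_net} 0.0.0.255
 permit ip any any
ip access-list extended VPN
 permit ip {local_net} 0.0.0.255 {remote_net} 0.0.0.255
"""


R2_CONFIG = lab_config("FastEthernet1/1", "100.1.1.2", "200.1.1.4", "A-TO-B", "10.1.1.0", "192.168.1.0")
R4_CONFIG = lab_config("FastEthernet1/0", "200.1.1.4", "100.1.1.2", "B-TO-A", "192.168.1.0", "10.1.1.0")
WEAK = {"encr": ("des", "3des"), "hash": ("md5",), "group": ("1", "2")}  # acceptable in a lab, not in production


def _net(w, i):  # one ACL address spec at w[i]: "any" or "addr wildcard"
    return (("any",), i + 1) if w[i] == "any" else ((w[i], w[i + 1]), i + 2)


def parse_ios(text):  # pull the IKE/IPsec-relevant state out of a running-config (only the commands used here)
    c = {"policies": {}, "psks": {}, "tsets": {}, "maps": {}, "ifaces": {}, "acls": {}, "nat_list": ""}
    ctx = None  # dict or list of the config block that the following indented lines belong to
    for line in (l for l in text.splitlines() if l.strip(" !")):  # skip blank and "!" separator lines
        w = line.split()
        if not line.startswith(" "):  # top-level command: opens a new block
            ctx = None
            if w[:3] == ["crypto", "isakmp", "policy"]:
                ctx = c["policies"][w[3]] = {}
            elif w[:3] == ["crypto", "isakmp", "key"]:  # "key [0] KEY address IP"
                c["psks"][w[-1]] = w[-3]
            elif w[:3] == ["crypto", "ipsec", "transform-set"]:
                c["tsets"][w[3]] = frozenset(w[4:])
            elif w[:2] == ["crypto", "map"]:
                ctx = c["maps"][(w[2], w[3])] = {}
            elif w[0] == "interface":
                ctx = c["ifaces"][w[1]] = {}
            elif w[:2] == ["ip", "access-list"]:
                ctx = c["acls"][w[3]] = []
            elif w[:4] == ["ip", "nat", "inside", "source"]:
                c["nat_list"] = w[5]
        elif isinstance(ctx, list):  # ACL entry: action proto src [wildcard] dst [wildcard]
            src, i = _net(w, 2)
            ctx.append((w[0], src, _net(w, i)[0]))
        elif isinstance(ctx, dict):
            if w[0] in ("set", "match"):  # crypto map: set peer / set transform-set / match address
                ctx[w[1] if w[0] == "set" else "acl"] = w[2]
            elif w[:2] in (["ip", "address"], ["crypto", "map"]):  # interface: address, applied map
                ctx[w[1]] = w[2]
            elif len(w) == 2:  # isakmp policy attribute: encr / hash / authentication / group
                ctx[w[0]] = w[1]
    return c


def _crypto_iface(c):  # (address, crypto map name) of the interface the map is applied to
    return next(((i.get("address"), i["map"]) for i in c["ifaces"].values() if "map" in i), (None, None))


def _check_side(me, a, them, b):  # findings for router a (named me) against its peer b (named them)
    my_ip, my_map = _crypto_iface(a)
    peer_ip = _crypto_iface(b)[0]
    out = []
    for (name, seq), m in a["maps"].items():
        if name != my_map:
            continue
        tag = f"{me} crypto map {name} {seq}"
        if m.get("peer") != peer_ip:  # 1. peer must be the address the other side terminates on
            out.append(f"ERROR {tag}: peer {m.get('peer')} is not {them}'s crypto interface {peer_ip}")
        if a["psks"].get(m.get("peer")) != b["psks"].get(my_ip):  # 2. PSKs are looked up by peer address
            out.append(f"ERROR {tag}: pre-shared key for {m.get('peer')} differs from {them}'s key for {my_ip}")
        common = [p for p in a["policies"].values() if p in b["policies"].values()]
        if not common:  # 3. IKE phase 1 needs one policy that is identical on both sides
            out.append(f"ERROR {tag}: no ISAKMP policy matches {them}")
        out += [f"WARN {tag}: isakmp {k} {p[k]} is weak" for p in common for k in WEAK if p.get(k) in WEAK[k]]
        mine = a["tsets"].get(m.get("transform-set"), frozenset())
        if mine not in b["tsets"].values():  # 4. transform-set names may differ, the proposals may not
            out.append(f"ERROR {tag}: transform-set {sorted(mine)} is not offered by {them}")
        flows = {(s, d) for act, s, d in a["acls"].get(m.get("acl"), []) if act == "permit"}
        theirs = {(d, s) for pm in b["maps"].values() for act, s, d in b["acls"].get(pm.get("acl"), []) if act == "permit"}
        if flows != theirs:  # 5. crypto ACLs must be exact mirrors of each other
            out.append(f"ERROR {tag}: crypto ACL {m.get('acl')} is not the mirror of {them}'s")
        nat = a["acls"].get(a["nat_list"], [])  # 6. IOS translates inside->outside before it encrypts,
        first_permit = next((i for i, e in enumerate(nat) if e[0] == "permit"), len(nat))
        for s, d in flows:  # so every protected flow needs a deny above the overload permit
            if a["nat_list"] and ("deny", s, d) not in nat[:first_permit]:
                out.append(f"ERROR {tag}: NAT ACL {a['nat_list']} translates {s[0]}->{d[0]} before the crypto map sees it")
    return out


def check_pair(text_a, text_b, name_a="A", name_b="B"):  # both directions; only WARN lines = tunnel should come up
    a, b = parse_ios(text_a), parse_ios(text_b)
    return _check_side(name_a, a, name_b, b) + _check_side(name_b, b, name_a, a)


print("\n".join(check_pair(R2_CONFIG, R4_CONFIG, "R2", "R4")))
```

Run as is, it prints six WARN lines (3DES, MD5 and group 2 on each side) and no ERROR, which is what this working lab looks like. Delete the deny line from one NAT ACL, or change one pre-shared key, and the corresponding ERROR appears for the side that is broken. On the routers themselves the equivalent checks are show crypto isakmp sa (the phase 1 SA in state QM_IDLE), show crypto ipsec sa (encaps/decaps counters increasing while R1 pings R5) and show ip nat translations (no entries for 10.1.1.x to 192.168.1.x).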
!
no cdp log mismatch duplex
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
!
end

R2#


R3#show run
Building configuration...

Current configuration : 1012 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
no ip icmp rate-limit unreachable
ip cef
ip tcp synwait-time 5
!
!        
no ip dhcp use vrf connected
!
!
no ip domain lookup
no ip ips deny-action ips-interface
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!        
!
!
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet1/0
 ip address 200.1.1.3 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/1
 ip address 100.1.1.3 255.255.255.0
 duplex auto
 speed auto
!
ip classless
no ip http server
no ip http secure-server
!
!        
!
no cdp log mismatch duplex
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
!
end

R3#


R4#show run
Building configuration...

Current configuration : 1674 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
no ip icmp rate-limit unreachable
ip cef
ip tcp synwait-time 5
!
!        
no ip dhcp use vrf connected
!
!
no ip domain lookup
no ip ips deny-action ips-interface
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!        
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco111 address 100.1.1.2
!
!
crypto ipsec transform-set B-TO-A esp-3des esp-md5-hmac
!
crypto map l2l 1 ipsec-isakmp
 set peer 100.1.1.2
 set transform-set B-TO-A
 match address VPN
!
!
!
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!        
interface FastEthernet1/0
 ip address 200.1.1.4 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map l2l
!
interface FastEthernet1/1
 ip address 192.168.1.4 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 200.1.1.3
no ip http server
no ip http secure-server
!
!
ip nat inside source list NAT interface FastEthernet1/0 overload
!        
ip access-list extended NAT
 deny   ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip any any
ip access-list extended VPN
 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
!
no cdp log mismatch duplex
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
!
end

R4#


R5#show run
Building configuration...

Current configuration : 1150 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R5
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
no ip icmp rate-limit unreachable
ip cef
ip tcp synwait-time 5
!
!        
no ip dhcp use vrf connected
!
!
no ip domain lookup
no ip ips deny-action ips-interface
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username cisco privilege 15 password 0 cisco
!
!        
!
!
!
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/1
 ip address 192.168.1.5 255.255.255.0
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.4
no ip http server
no ip http secure-server
!
!
!
no cdp log mismatch duplex
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 password cisco
 login local
line vty 5 15
 password cisco
 login local
!
!
end

R5#


This article comes from the blog "个人随笔"; please keep this attribution: http://oppoa10000k.blog.51cto.com/5067864/1657782
