Network environment:
Two routers represent the company headquarters (R1) and the branch office (R2). The headquarters' internal network is 192.168.1.0/24; the branch's internal network is 192.168.2.0/24.
The network topology is as follows:
[Figure 1: network topology diagram for "Configuring ××× on Cisco routers" (image not included in the text)]
 
Lab configuration:
R1
 
r1#show run
Building configuration...
Current configuration : 1505 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
ip cef
no ip domain lookup
!
ip audit po max-events 100
no ftp-server write-enable
!        
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1     Define the ISAKMP policy; the settings below it must match on both sides.
 hash md5       
 authentication pre-share
 lifetime 64000
crypto isakmp key cisco address 202.10.1.2   Set the pre-shared key and the peer address.
!
crypto ipsec transform-set benet ah-md5-hmac esp-des Configure the IPsec parameters; these must also match on both sides.
!        
crypto map map1 1 ipsec-isakmp  Configure the crypto map that is applied to the interface; it ties IKE to IPsec, the way I understand it.
 set peer 202.10.1.2
 set transform-set benet
 match address 101
!
!
!
!
interface Loopback0    Loopback address simulating the company's internal network
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!        
interface Serial1/0         Configure the router's WAN address
 ip address 202.10.1.1 255.255.255.0
 serial restart-delay 0
 crypto map map1
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip http server
no ip http secure-server
ip classless
ip route 192.168.2.0 255.255.255.0 202.10.1.2    Static route to the branch office
!
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!Define the traffic to be encrypted; here it is the traffic from 192.168.1.0 to 192.168.2.0
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
!        
end
R2's configuration is almost the same; only the IP addresses change.
r2#show run
Building configuration...
Current configuration : 1505 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
ip cef
no ip domain lookup
!
ip audit po max-events 100
no ftp-server write-enable
!        
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 64000
crypto isakmp key cisco address 202.10.1.1
!
!
crypto ipsec transform-set cisco ah-md5-hmac esp-des
!        
crypto map map1 1 ipsec-isakmp
 set peer 202.10.1.1
 set transform-set cisco
 match address 101
!
!
!
!
interface Loopback0
 ip address 192.168.2.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!        
interface Serial1/0
 ip address 202.10.1.2 255.255.255.0
 serial restart-delay 0
 crypto map map1
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip http server
no ip http secure-server
ip classless
ip route 192.168.1.0 255.255.255.0 202.10.1.1
!
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
!        
end
r2#
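As an added example (not part of the original post), the following Python script reads the crypto-relevant lines of the two show run outputs above (excerpted inline; the Loopback interfaces are omitted because the tunnel checks do not depend on them) and verifies the things the post says must agree on both sides: the ISAKMP policy, the pre-shared key and peer addresses, the transform-set contents (the names benet and cisco differ, which is fine because the name is only local), that the crypto map is actually applied to the interface whose address the peer points at, and that each side's crypto ACL is the mirror image of the other's. It also flags the MD5 and single-DES algorithms in these configs, which are deprecated.

```python
import re

# Crypto-relevant lines excerpted from the R1 and R2 "show run" outputs on this page.
R1_CONFIG = """
crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 64000
crypto isakmp key cisco address 202.10.1.2
crypto ipsec transform-set benet ah-md5-hmac esp-des
crypto map map1 1 ipsec-isakmp
 set peer 202.10.1.2
 set transform-set benet
 match address 101
interface Serial1/0
 ip address 202.10.1.1 255.255.255.0
 crypto map map1
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""

R2_CONFIG = """
crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 64000
crypto isakmp key cisco address 202.10.1.1
crypto ipsec transform-set cisco ah-md5-hmac esp-des
crypto map map1 1 ipsec-isakmp
 set peer 202.10.1.1
 set transform-set cisco
 match address 101
interface Serial1/0
 ip address 202.10.1.2 255.255.255.0
 crypto map map1
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

# Algorithms that are deprecated for IKE/IPsec; the checker only warns about them.
WEAK = {"md5": "MD5 hashing", "esp-des": "single-DES encryption", "ah-md5-hmac": "AH with HMAC-MD5"}


def parse_ios(text):
    """Split an IOS config into ordered (top-level line, [indented sub-lines]) pairs; '!' lines are ignored."""
    sections = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" ") and sections:
            sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections


def vpn_profile(text):
    """Extract the parts of a site-to-site IPsec config that have to agree with the peer."""
    p = {"transform_sets": {}, "acls": {}}
    for cmd, subs in parse_ios(text):
        w = cmd.split()
        if cmd.startswith("crypto isakmp policy "):
            p["isakmp"] = {s.split()[0]: " ".join(s.split()[1:]) for s in subs}
        elif cmd.startswith("crypto isakmp key "):      # crypto isakmp key <key> address <peer>
            p["psk"], p["psk_peer"] = w[3], w[5]
        elif cmd.startswith("crypto ipsec transform-set "):
            p["transform_sets"][w[3]] = frozenset(w[4:])
        elif cmd.startswith("crypto map ") and "ipsec-isakmp" in cmd:
            m = {"name": w[2]}
            for s in subs:
                sw = s.split()
                if s.startswith("set peer "):
                    m["peer"] = sw[2]
                elif s.startswith("set transform-set "):
                    m["transform_set"] = sw[2]
                elif s.startswith("match address "):
                    m["acl"] = sw[2]
            p["map"] = m
        elif cmd.startswith("interface "):
            ip = next((s.split()[2] for s in subs if s.startswith("ip address ")), None)
            applied = next((s.split()[2] for s in subs if s.startswith("crypto map ")), None)
            if applied:
                p["applied"] = {"interface": w[1], "map": applied, "ip": ip}
        elif re.match(r"access-list \d+ permit ip ", cmd):  # access-list <n> permit ip <src> <wc> <dst> <wc>
            p["acls"].setdefault(w[1], []).append(tuple(w[4:8]))
    return p


def check_peering(a, b):
    """Return (errors, warnings): errors break the tunnel, warnings are weak-algorithm findings."""
    errors, warnings = [], []
    if a.get("isakmp") != b.get("isakmp"):
        errors.append(f"ISAKMP policy mismatch: {a.get('isakmp')} vs {b.get('isakmp')}")
    if a.get("psk") != b.get("psk"):
        errors.append("pre-shared keys differ")
    for me, other, tag in ((a, b, "A"), (b, a, "B")):
        cm, applied = me["map"], me.get("applied")
        if not applied or applied["map"] != cm["name"]:
            errors.append(f"{tag}: crypto map {cm['name']} is not applied to any interface")
            continue
        peer_ip = (other.get("applied") or {}).get("ip")
        if me["psk_peer"] != peer_ip or cm["peer"] != peer_ip:
            errors.append(f"{tag}: key/peer address does not match the peer's interface IP {peer_ip}")
        ts = me["transform_sets"].get(cm["transform_set"])
        if ts is None:
            errors.append(f"{tag}: transform-set {cm['transform_set']} is undefined")
        elif ts != other["transform_sets"].get(other["map"]["transform_set"]):
            errors.append(f"{tag}: transform-set contents differ from the peer's")
        acl = me["acls"].get(cm["acl"], [])
        mirrored = {(d, dw, s, sw) for s, sw, d, dw in acl}   # the peer's ACL must swap src and dst
        if not acl or mirrored != set(other["acls"].get(other["map"]["acl"], [])):
            errors.append(f"{tag}: crypto ACL {cm['acl']} is missing or not the mirror of the peer's")
        for alg, what in WEAK.items():
            if alg in (ts or ()) or me.get("isakmp", {}).get("hash") == alg:
                warnings.append(f"{tag}: {what} ({alg}) is deprecated")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_peering(vpn_profile(R1_CONFIG), vpn_profile(R2_CONFIG))
    print("errors:", errs or "none")
    print("warnings:", *warns, sep="\n  ")
```

On the two configs from this post the checker reports no errors and six warnings (MD5 hash, AH with HMAC-MD5 and single DES on each side). Because it skips `!` lines and only looks at the crypto, interface and access-list sections, the full show run output of each router can be fed in unchanged; changing one side's transform set (say esp-des to esp-3des on R2 only) or reversing one crypto ACL makes it report the mismatch that would otherwise show up only as a failed IKE or IPsec negotiation.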
 
I really need to keep typing these commands regularly; it has been a while since I learned this and I have forgotten most of it.