路由器
-
路由器以及
××× Client
之间的
×××
拓扑图:
Cisco 2611 Router
***2611#show run
Building configuration...
Current configuration : 2265 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ***2611
!
!-- Enable aaa for user authentication
!--- and group authorization.
aaa new-model
!
!
!--- To enable X-Auth for user authentication,
!--- enable the aaa authentication commands.
aaa authentication login userauthen local
!--- To enable group authorization, enable
!--- the aaa authorization commands.
aaa authorization network groupauthor local
aaa session-id common
!
!---For local authentication of the IPSec user,
!--- create the user with password.
username cisco password 0 cisco
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
!---Create an Internet Security Association and
!--- Key Management Protocol (ISAKMP)
!--- policy for Phase 1 negotiations for the ××× 3.x clients.
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
!--- Create an ISAKMP policy for Phase 1
!--- negotiations for the LAN-to-LAN tunnels.
crypto isakmp policy 10
hash md5
authentication pre-share
!---Specify the PreShared key for the LAN-to-LAN tunnel.
!--- Make sure that you use
!--- no-xauth parameter with your ISAKMP key.
crypto isakmp key cisco123 address 172.18.124.199 no-xauth
!!
!--- Create a group that will be used to
!--- specify the WINS, DNS servers' address
!--- to the client, along with the pre-shared
!--- key for authentication.
crypto isakmp client configuration group 3000client
key cisco123
dns 10.10.10.10
wins 10.10.10.20
domain cisco.com
pool ippool
!!
!
!---Create the Phase 2 Policy for actual data encryption.
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
!---Create a dynamic map and apply
!--- the transform set that was created above.
crypto dynamic-map dynmap 10
set transform-set myset
!
!
!--- Create the actual crypto map, and
!--- apply the aaa lists that were created
!--- earlier. Also create a new instance例子 for your
!--- LAN-to-LAN tunnel. Specify指定 the peer IP address,
!--- transform变换 set and an Access Control List (ACL) for this
!--- instance.
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 1 ipsec-isakmp
set peer 172.18.124.199
set transform-set myset
match address 100
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
fax interface-type fax-mail
mta receive maximum-recipients 0
!
!
!--- Apply the crypto map on the outside interface.
interface Ethernet0/0
ip address 172.18.124.159 255.255.255.0
half-duplex
crypto map clientmap
!
interface Serial0/0
no ip address
shutdown
!
interface Ethernet0/1
ip address 10.10.10.1 255.255.255.0
no keepalive
half-duplex
!
!
!--- Create a pool of addresses to be
!--- assigned to the ××× Clients.
ip local pool ippool 14.1.1.100 14.1.1.200
ip classless
ip route 0.0.0.0 0.0.0.0 172.18.124.1
ip http server
ip pim bidir-enable
!
!
!--- Create an ACL for the traffic
!--- to be encrypted. In this example,
!--- the traffic from 10.10.10.0/24 to 10.10.20.0/24
!--- would be encrypted.
access-list 100 permit i p 10.10.10 .0 0.0.0.255 10.10.20.0 0.0.0.255
!
!
snmp-server community foobar RO
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
!
!
end
Cisco 3640 Router
Building configuration...
Current configuration : 2265 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ***2611
!
!-- Enable aaa for user authentication
!--- and group authorization.
aaa new-model
!
!
!--- To enable X-Auth for user authentication,
!--- enable the aaa authentication commands.
aaa authentication login userauthen local
!--- To enable group authorization, enable
!--- the aaa authorization commands.
aaa authorization network groupauthor local
aaa session-id common
!
!---For local authentication of the IPSec user,
!--- create the user with password.
username cisco password 0 cisco
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
!---Create an Internet Security Association and
!--- Key Management Protocol (ISAKMP)
!--- policy for Phase 1 negotiations for the ××× 3.x clients.
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
!--- Create an ISAKMP policy for Phase 1
!--- negotiations for the LAN-to-LAN tunnels.
crypto isakmp policy 10
hash md5
authentication pre-share
!---Specify the PreShared key for the LAN-to-LAN tunnel.
!--- Make sure that you use
!--- no-xauth parameter with your ISAKMP key.
crypto isakmp key cisco123 address 172.18.124.199 no-xauth
!!
!--- Create a group that will be used to
!--- specify the WINS, DNS servers' address
!--- to the client, along with the pre-shared
!--- key for authentication.
crypto isakmp client configuration group 3000client
key cisco123
dns 10.10.10.10
wins 10.10.10.20
domain cisco.com
pool ippool
!!
!
!---Create the Phase 2 Policy for actual data encryption.
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
!---Create a dynamic map and apply
!--- the transform set that was created above.
crypto dynamic-map dynmap 10
set transform-set myset
!
!
!--- Create the actual crypto map, and
!--- apply the aaa lists that were created
!--- earlier. Also create a new instance例子 for your
!--- LAN-to-LAN tunnel. Specify指定 the peer IP address,
!--- transform变换 set and an Access Control List (ACL) for this
!--- instance.
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 1 ipsec-isakmp
set peer 172.18.124.199
set transform-set myset
match address 100
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
fax interface-type fax-mail
mta receive maximum-recipients 0
!
!
!--- Apply the crypto map on the outside interface.
interface Ethernet0/0
ip address 172.18.124.159 255.255.255.0
half-duplex
crypto map clientmap
!
interface Serial0/0
no ip address
shutdown
!
interface Ethernet0/1
ip address 10.10.10.1 255.255.255.0
no keepalive
half-duplex
!
!
!--- Create a pool of addresses to be
!--- assigned to the ××× Clients.
ip local pool ippool 14.1.1.100 14.1.1.200
ip classless
ip route 0.0.0.0 0.0.0.0 172.18.124.1
ip http server
ip pim bidir-enable
!
!
!--- Create an ACL for the traffic
!--- to be encrypted. In this example,
!--- the traffic from 10.10.10.0/24 to 10.10.20.0/24
!--- would be encrypted.
access-list 100 permit i p 10.10.10 .0 0.0.0.255 10.10.20.0 0.0.0.255
!
!
snmp-server community foobar RO
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
!
!
end
Cisco 3640 Router
***3640#show run
Building configuration...
Current configuration : 1287 bytes
!
! Last configuration change at 13:47:37 UTC Wed Mar 6 2002
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ***3640
!
!
ip subnet-zero
ip cef
!
!--- Create an ISAKMP policy for Phase 1
!--- negotiations for the LAN-to-LAN tunnels.
crypto isakmp policy 10
hash md5
authentication pre-share
!--- Specify the PreShared key for the LAN-to-LAN
!--- tunnel. You do not have to add
!--- X-Auth parameter, as this
!--- router is not doing Cisco Unity Client IPSEC
!--- authentication.
crypto isakmp key cisco123 address 172.18.124.159
!
!
!--- Create the Phase 2 Policy for actual data encryption.
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
!--- Create the actual crypto map. Specify
!--- the peer IP address, transform
!--- set and an ACL for this instance.
crypto map mymap 10 ipsec-isakmp
set peer 172.18.124.159
set transform-set myset
match address 100
!
call RSVP-sync
!
!
!
!--- Apply the crypto map on the outside interface.
interface Ethernet0/0
ip address 172.18.124.199 255.255.255.0
half-duplex
crypto map mymap
!
interface Ethernet0/1
ip address 10.10.20.1 255.255.255.0
half-duplex
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.18.124.1
ip http server
ip pim bidir-enable
!
!--- Create an ACL for the traffic to
!--- be encrypted. In this example,
!--- the traffic from 10.10.20.0/24 to 10.10.10.0/24
!--- would be encrypted.
access-list 100 permit i p 10.10.20 .0 0.0.0.255 10.10.10.0 0.0.0.255
snmp-server community foobar RO
!
dial-peer cor custom
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
login
!
end
Building configuration...
Current configuration : 1287 bytes
!
! Last configuration change at 13:47:37 UTC Wed Mar 6 2002
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ***3640
!
!
ip subnet-zero
ip cef
!
!--- Create an ISAKMP policy for Phase 1
!--- negotiations for the LAN-to-LAN tunnels.
crypto isakmp policy 10
hash md5
authentication pre-share
!--- Specify the PreShared key for the LAN-to-LAN
!--- tunnel. You do not have to add
!--- X-Auth parameter, as this
!--- router is not doing Cisco Unity Client IPSEC
!--- authentication.
crypto isakmp key cisco123 address 172.18.124.159
!
!
!--- Create the Phase 2 Policy for actual data encryption.
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
!--- Create the actual crypto map. Specify
!--- the peer IP address, transform
!--- set and an ACL for this instance.
crypto map mymap 10 ipsec-isakmp
set peer 172.18.124.159
set transform-set myset
match address 100
!
call RSVP-sync
!
!
!
!--- Apply the crypto map on the outside interface.
interface Ethernet0/0
ip address 172.18.124.199 255.255.255.0
half-duplex
crypto map mymap
!
interface Ethernet0/1
ip address 10.10.20.1 255.255.255.0
half-duplex
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.18.124.1
ip http server
ip pim bidir-enable
!
!--- Create an ACL for the traffic to
!--- be encrypted. In this example,
!--- the traffic from 10.10.20.0/24 to 10.10.10.0/24
!--- would be encrypted.
access-list 100 permit i p 10.10.20 .0 0.0.0.255 10.10.10.0 0.0.0.255
snmp-server community foobar RO
!
dial-peer cor custom
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
login
!
end