1. Make sure the route to the peer is reachable
R(config)#ip route 0.0.0.0 0.0.0.0 Serial1/0
2. Define the traffic that is allowed through the tunnel (the crypto ACL)
R(config)#access-list 111 permit ip 3.1.1.0 0.0.0.255 172.16.0.0 0.0.0.255
3. IKE phase 1 (ISAKMP SA)
R(config)#crypto isakmp enable
R(config)#crypto isakmp policy 1
R(config-isakmp)#authentication pre-share
R(config-isakmp)#hash md5
R(config-isakmp)#encr 3des
R(config)#crypto isakmp key 6 aaa address 2.1.1.2 (the pre-shared key must be identical on both sides; 2.1.1.2 is the peer's public address)
4. IKE phase 2 (IPsec SA)
R(config)#crypto ipsec transform-set my ah-sha-hmac esp-des esp-md5-hmac
R(cfg-crypto-trans)#mode tunnel
5. Crypto map (binds the permitted traffic flow to the IPsec settings)
R(config)#crypto map yuan 1 ipsec-isakmp
R(config-crypto-map)#match address 111
R(config-crypto-map)#set transform-set my
R(config-crypto-map)#set peer 2.1.1.2
6. Apply the crypto map to the outside interface
R(config)#int S1/0
R(config-if)#crypto map yuan
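The six steps above configure one end of the tunnel; the other end has to mirror it exactly (peer address equal to the far tunnel interface, identical pre-shared key, a matching ISAKMP policy, the same transform set, and a crypto ACL with source and destination swapped), and most tunnel failures come from one of these not matching. The script below is an added example, not part of the original page and not a Cisco tool: it parses the subset of "show run" that this page uses, checks both routers against each other, and also lists the legacy algorithms (DES, 3DES, MD5) that the page's policy and transform set rely on. The sample configs are constructed from the page's R1 and R3; all function names are the script's own.

```python
"""Mirror-consistency check for two Cisco IOS IPsec peers. Added example, not part
of the page or of Cisco's tooling; parses only the 'show run' subset the page uses."""
import re

# Constructed sample in the page's layout; R1 and R3 differ only in the parameters.
TEMPLATE = """\
hostname {host}
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key 6 aaa address {peer}
crypto ipsec transform-set my ah-sha-hmac esp-des esp-md5-hmac
crypto map yuan 1 ipsec-isakmp
 set peer {peer}
 set transform-set my
 match address 111
interface {intf}
 ip address {local} 255.255.255.0
 crypto map yuan
access-list 111 permit ip {src} 0.0.0.255 {dst} 0.0.0.255
"""
R1_CONFIG = TEMPLATE.format(host="R1", intf="Serial1/0", local="1.1.1.1", peer="2.1.1.2",
                            src="3.1.1.0", dst="172.16.0.0")
R3_CONFIG = TEMPLATE.format(host="R3", intf="Serial1/1", local="2.1.1.2", peer="1.1.1.1",
                            src="172.16.0.0", dst="3.1.1.0")

# des and md5 are obsolete; 3des encryption is disallowed by NIST SP 800-131A Rev. 2 after 2023.
LEGACY_ALGS = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}
KEY_RE = re.compile(r"crypto isakmp key (?:[06] )?(\S+) address (\S+)")

def parse_config(text):
    """Collect policies, pre-shared keys, transform sets, crypto maps, interfaces and ACLs."""
    cfg = {"hostname": "?", "policies": {}, "keys": {}, "tsets": {}, "maps": {}, "intfs": {}, "acls": {}}
    block = None  # dict of the sub-mode (policy, crypto map or interface) whose lines follow
    for line in (raw.strip() for raw in text.splitlines()):
        tok = line.split()
        if not tok or tok[0] == "!":
            block = None
        elif tok[0] == "hostname":
            cfg["hostname"] = tok[1]
        elif tok[:3] == ["crypto", "isakmp", "policy"]:
            block = cfg["policies"][tok[3]] = {}
        elif tok[:3] == ["crypto", "isakmp", "key"]:  # crypto isakmp key [0|6] <key> address <peer>
            key, peer = KEY_RE.match(line).groups()
            cfg["keys"][peer] = key
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["tsets"][tok[3]] = frozenset(tok[4:])
        elif tok[:2] == ["crypto", "map"] and len(tok) >= 5:  # map entry, not an interface binding
            block = cfg["maps"].setdefault(tok[2], {})
        elif tok[0] == "interface":
            block = cfg["intfs"][tok[1]] = {}
        elif tok[0] == "access-list":  # access-list <n> permit ip <src> <wc> <dst> <wc>
            cfg["acls"].setdefault(tok[1], []).append(tuple(tok[2:]))
        elif block is not None and tok[0] in ("set", "match", "ip", "crypto") and len(tok) > 2:
            block[tok[1]] = tok[2]  # peer, transform-set, address (ACL number or IP), map
        elif block is not None:
            block[tok[0]] = " ".join(tok[1:])  # encr, hash, authentication, group, ...
    return cfg

def endpoint(cfg):
    """(tunnel interface IP, crypto map dict) of the interface the map is applied to."""
    intf = next(i for i in cfg["intfs"].values() if "map" in i)
    return intf["address"], cfg["maps"][intf["map"]]

def proposals(cfg):
    """ISAKMP policies as comparable tuples, filled with IOS defaults (des/sha/rsa-sig/group 1)."""
    return {(p.get("encr", "des"), p.get("hash", "sha"), p.get("authentication", "rsa-sig"),
             p.get("group", "1")) for p in cfg["policies"].values()}

def check_peers(a, b):
    """Return (problems, warnings); an empty problems list means the two sides mirror."""
    problems, warnings = [], []
    (a_ip, a_map), (b_ip, b_map) = endpoint(a), endpoint(b)
    for cfg, cmap, far in ((a, a_map, b_ip), (b, b_map, a_ip)):
        if cmap.get("peer") != far:
            problems.append("%s: set peer %s but the far tunnel address is %s" % (cfg["hostname"], cmap.get("peer"), far))
    if a["keys"].get(b_ip) != b["keys"].get(a_ip):
        problems.append("pre-shared key missing or different between the two sides")
    if not proposals(a) & proposals(b):
        problems.append("no ISAKMP (phase 1) policy matches between the two sides")
    ts_a = a["tsets"].get(a_map.get("transform-set"), frozenset())
    ts_b = b["tsets"].get(b_map.get("transform-set"), frozenset())
    if ts_a != ts_b:
        problems.append("transform sets differ: %s vs %s" % (sorted(ts_a), sorted(ts_b)))
    # Crypto ACLs: each entry on one side must appear with src/dst swapped on the other
    mirrored = sorted(e[:2] + e[4:6] + e[2:4] for e in a["acls"].get(a_map.get("address"), []))
    if mirrored != sorted(b["acls"].get(b_map.get("address"), [])):
        problems.append("crypto ACLs are not mirror images of each other")
    for cfg, ts in ((a, ts_a), (b, ts_b)):
        used = set(ts) | {v for p in cfg["policies"].values() for v in p.values()}
        warnings += ["%s: legacy algorithm %s" % (cfg["hostname"], x) for x in sorted(used & LEGACY_ALGS)]
    return problems, warnings

if __name__ == "__main__":
    probs, warns = check_peers(parse_config(R1_CONFIG), parse_config(R3_CONFIG))
    print("\n".join(probs + warns))
    print("mirror check:", "FAILED" if probs else "passed")
```

Run against the page's R1 and R3 the mirror check passes, and the warnings point at 3des, md5, esp-des and esp-md5-hmac on both sides. Feed it real "show run" output (the unindented dumps below parse the same way, since blocks are delimited by "!" and by the next top-level command) and any one-sided edit, such as a peer address or a crypto ACL that is not the exact mirror, is reported before the tunnel is brought up.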
R1's configuration:
R1#sh run
Building configuration...
Current configuration : 1543 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key 6 aaa address 2.1.1.2
!
!
crypto ipsec transform-set my ah-sha-hmac esp-des esp-md5-hmac
!
crypto map yuan 1 ipsec-isakmp
set peer 2.1.1.2
set transform-set my
match address 111
!
!
!
!
interface FastEthernet0/0
ip address 3.1.1.1 255.255.255.0
duplex half
!
interface Serial1/0
ip address 1.1.1.1 255.255.255.0
serial restart-delay 0
crypto map yuan
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/4
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/5
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/6
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/7
no ip address
shutdown
serial restart-delay 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial1/0
ip route 2.1.1.0 255.255.255.0 1.1.1.2
!
no ip http server
no ip http secure-server
!
!
access-list 111 permit ip 3.1.1.0 0.0.0.255 172.16.0.0 0.0.0.255
!
!
!
control-plane
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
stopbits 1
line aux 0
line vty 0 4
!
!
end
R2's configuration:
R2#sh run
Building configuration...
Current configuration : 1194 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface Serial1/0
ip address 1.1.1.2 255.255.255.0
serial restart-delay 0
!
interface Serial1/1
ip address 2.1.1.1 255.255.255.0
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/4
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/5
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/6
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/7
no ip address
shutdown
serial restart-delay 0
!
ip classless
ip route 3.1.1.0 255.255.255.0 1.1.1.1
ip route 172.16.0.0 255.255.255.0 2.1.1.2
!
no ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
stopbits 1
line aux 0
line vty 0 4
!
!
end
R3's configuration:
R3#sh run
Building configuration...
Current configuration : 1546 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key 6 aaa address 1.1.1.1
!
!
crypto ipsec transform-set my ah-sha-hmac esp-des esp-md5-hmac
!
crypto map yuan 1 ipsec-isakmp
set peer 1.1.1.1
set transform-set my
match address 111
!
!
!
!
interface FastEthernet0/0
ip address 172.16.0.1 255.255.255.0
duplex half
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
ip address 2.1.1.2 255.255.255.0
serial restart-delay 0
crypto map yuan
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/4
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/5
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/6
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/7
no ip address
shutdown
serial restart-delay 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial1/1
ip route 1.1.1.0 255.255.255.0 2.1.1.1
!
no ip http server
no ip http secure-server
!
!
access-list 111 permit ip 172.16.0.0 0.0.0.255 3.1.1.0 0.0.0.255
!
!
!
control-plane
!
!
!
gatekeeper
shutdown
!
!
line con 0
stopbits 1
line aux 0
line vty 0 4
!
!
end