IPSec VPN扩展实验
IPSec VPN扩展实验
需求:Site1 和 Site2,Site3分别建立IPSec VPN,实现流量加解密。
Site1:
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.12.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.12.254
crypto isakmp policy 100
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 192.168.23.3
crypto isakmp key cisco address 192.168.24.4
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map ccie 10 ipsec-isakmp
set peer 192.168.23.3
set transform-set myset
match address 100
crypto map ccie 20 ipsec-isakmp
set peer 192.168.24.4
set transform-set myset
match address 110
!
access-list 100 permit ip host 1.1.1.1 host 2.2.2.2
access-list 110 permit ip host 1.1.1.1 host 3.3.3.3
!
interface FastEthernet0/0
crypto map ccie
!
Internet:
interface FastEthernet0/1
ip address 192.168.23.254 255.255.255.0
!
interface FastEthernet1/0
ip address 192.168.24.254 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.12.254 255.255.255.0
Site2:
interface FastEthernet0/0
ip address 192.168.23.3 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.23.254
crypto isakmp policy 100
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 192.168.12.1
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
access-list 100 permit ip host 2.2.2.2 host 1.1.1.1
crypto map ccie 10 ipsec-isakmp
set peer 192.168.12.1
set transform-set myset
match address 100
!
interface FastEthernet0/0
crypto map ccie
!
Site3 :
interface Loopback0
ip address 3.3.3.3 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.24.4 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.24.254
access-list 110 permit ip host 3.3.3.3 host 1.1.1.1
crypto isakmp policy 100
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 192.168.12.1
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map ccie 10 ipsec-isakmp
set peer 192.168.12.1
set transform-set myset
match address 110
!
interface FastEthernet0/0
ip address 192.168.24.4 255.255.255.0
crypto map ccie
测试:
Site1#ping 2.2.2.2 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 116/133/152 ms
Site1#ping 3.3.3.3 so
Site1#ping 3.3.3.3 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 100/132/164 ms
Site1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
192.168.23.3 192.168.12.1 QM_IDLE 1001 0 ACTIVE
192.168.24.4 192.168.12.1 QM_IDLE 1002 0 ACTIVE
Site1#show crypto engine connections active
Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP-Address
1 Fa0/0 IPsec 3DES+SHA 0 4 192.168.12.1
2 Fa0/0 IPsec 3DES+SHA 4 0 192.168.12.1
3 Fa0/0 IPsec 3DES+SHA 0 4 192.168.12.1
4 Fa0/0 IPsec 3DES+SHA 4 0 192.168.12.1
1001 Fa0/0 IKE SHA+3DES 0 0 192.168.12.1
1002 Fa0/0 IKE SHA+3DES 0 0 192.168.12.1
本文出自 “优乐美” 博客,请务必保留此出处http://youlemei.blog.51cto.com/2294538/1654959
郑重声明:本站内容如果来自互联网及其他传播媒体,其版权均属原媒体及文章作者所有。转载目的在于传递更多信息及用于网络分享,并不代表本站赞同其观点和对其真实性负责,也不构成任何其他建议。