IPSec VPN扩展实验

IPSec VPN扩展实验

需求：Site1 和 Site2，Site3分别建立IPSec VPN，实现流量加解密。

Site1：

interface Loopback0

 ip address 1.1.1.1 255.255.255.0

!

interface FastEthernet0/0

 ip address 192.168.12.1 255.255.255.0

！

ip route 0.0.0.0 0.0.0.0 192.168.12.254

crypto isakmp policy 100

 encr 3des

 authentication pre-share

 group 2

crypto isakmp key cisco address 192.168.23.3

crypto isakmp key cisco address 192.168.24.4

!

!

crypto ipsec transform-set myset esp-3des esp-sha-hmac 

!

crypto map ccie 10 ipsec-isakmp 

 set peer 192.168.23.3

 set transform-set myset 

 match address 100

crypto map ccie 20 ipsec-isakmp 

 set peer 192.168.24.4

 set transform-set myset 

 match address 110

!

access-list 100 permit ip host 1.1.1.1 host 2.2.2.2

access-list 110 permit ip host 1.1.1.1 host 3.3.3.3

！

interface FastEthernet0/0

 crypto map ccie

！

Internet：

interface FastEthernet0/1

 ip address 192.168.23.254 255.255.255.0

!

interface FastEthernet1/0

 ip address 192.168.24.254 255.255.255.0

!

interface FastEthernet0/0

 ip address 192.168.12.254 255.255.255.0

Site2:

interface FastEthernet0/0

 ip address 192.168.23.3 255.255.255.0

!

ip route 0.0.0.0 0.0.0.0 192.168.23.254

crypto isakmp policy 100

 encr 3des

 authentication pre-share

 group 2

crypto isakmp key cisco address 192.168.12.1

!

crypto ipsec transform-set myset esp-3des esp-sha-hmac 

!

access-list 100 permit ip host 2.2.2.2 host 1.1.1.1

crypto map ccie 10 ipsec-isakmp 

 set peer 192.168.12.1

 set transform-set myset 

 match address 100

!

interface FastEthernet0/0

  crypto map ccie

!

Site3 :

interface Loopback0

 ip address 3.3.3.3 255.255.255.0

!

interface FastEthernet0/0

 ip address 192.168.24.4 255.255.255.0

!

ip route 0.0.0.0 0.0.0.0 192.168.24.254

access-list 110 permit ip host 3.3.3.3 host 1.1.1.1

crypto isakmp policy 100

 encr 3des

 authentication pre-share

 group 2

crypto isakmp key cisco address 192.168.12.1

!

!

crypto ipsec transform-set myset esp-3des esp-sha-hmac 

!

crypto map ccie 10 ipsec-isakmp 

 set peer 192.168.12.1

 set transform-set myset 

 match address 110

!

interface FastEthernet0/0

 ip address 192.168.24.4 255.255.255.0

 crypto map ccie

测试：

Site1#ping 2.2.2.2 source lo0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

Packet sent with a source address of 1.1.1.1 

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 116/133/152 ms

Site1#ping 3.3.3.3 so

Site1#ping 3.3.3.3 source lo0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:

Packet sent with a source address of 1.1.1.1 

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 100/132/164 ms

Site1#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id slot status

192.168.23.3    192.168.12.1    QM_IDLE           1001    0 ACTIVE

192.168.24.4    192.168.12.1    QM_IDLE           1002    0 ACTIVE

Site1#show crypto engine connections active 

Crypto Engine Connections

   ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address

    1 Fa0/0      IPsec 3DES+SHA                  0        4 192.168.12.1

    2 Fa0/0      IPsec 3DES+SHA                  4        0 192.168.12.1

    3 Fa0/0      IPsec 3DES+SHA                  0        4 192.168.12.1

    4 Fa0/0      IPsec 3DES+SHA                  4        0 192.168.12.1

 1001 Fa0/0      IKE   SHA+3DES                  0        0 192.168.12.1

 1002 Fa0/0      IKE   SHA+3DES                  0        0 192.168.12.1

本文出自 “优乐美” 博客，请务必保留此出处http://youlemei.blog.51cto.com/2294538/1654959