IPSec VPN Extended Lab

Requirement: Site1 builds a separate IPSec VPN with each of Site2 and Site3, so that the traffic between the sites is encrypted and decrypted.


Site1:

interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.12.254
!
crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 192.168.23.3
crypto isakmp key cisco address 192.168.24.4
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map ccie 10 ipsec-isakmp
 set peer 192.168.23.3
 set transform-set myset
 match address 100
crypto map ccie 20 ipsec-isakmp
 set peer 192.168.24.4
 set transform-set myset
 match address 110
!
access-list 100 permit ip host 1.1.1.1 host 2.2.2.2
access-list 110 permit ip host 1.1.1.1 host 3.3.3.3
!
interface FastEthernet0/0
 crypto map ccie

Internet:

interface FastEthernet0/1
 ip address 192.168.23.254 255.255.255.0
!
interface FastEthernet1/0
 ip address 192.168.24.254 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.12.254 255.255.255.0


Site2:

interface FastEthernet0/0
 ip address 192.168.23.3 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.23.254
!
crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 192.168.12.1
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
access-list 100 permit ip host 2.2.2.2 host 1.1.1.1
!
crypto map ccie 10 ipsec-isakmp
 set peer 192.168.12.1
 set transform-set myset
 match address 100
!
interface FastEthernet0/0
 crypto map ccie
!

Site3:

interface Loopback0
 ip address 3.3.3.3 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.24.4 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.24.254
!
access-list 110 permit ip host 3.3.3.3 host 1.1.1.1
!
crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 192.168.12.1
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map ccie 10 ipsec-isakmp
 set peer 192.168.12.1
 set transform-set myset
 match address 110
!
interface FastEthernet0/0
 ip address 192.168.24.4 255.255.255.0
 crypto map ccie
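Whether the two tunnels come up depends on a handful of values agreeing on both ends: the pre-shared key for the peer, the transform-set, and the crypto ACL, which on the peer must be the exact mirror (source and destination swapped) of the local one. The following Python script is an added example, not part of the original post; it parses constructed copies of the three site configs above (Site2 and Site3 are generated from a template because they differ only in their addresses and ACL number) and reports any entry that is not mirrored by its peer. It also flags the proposal choices this lab uses, 3DES and DH group 2, which are deprecated for IKE and IPsec today. All function and variable names are this example's own. Note that the Site2 listing above omits its Loopback0 (2.2.2.2), which its ACL and the successful ping below imply.

```python
import re

# Constructed copies of the security-relevant lines from the configs above
# (interface addresses, ISAKMP policy and keys, transform-set, crypto map
# entries and crypto ACLs). Routes and loopbacks are not needed for the check.
POLICY = "crypto isakmp policy 100\n encr 3des\n authentication pre-share\n group 2\n"
TSET = "crypto ipsec transform-set myset esp-3des esp-sha-hmac\n"

SITE1 = f"""interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
{POLICY}crypto isakmp key cisco address 192.168.23.3
crypto isakmp key cisco address 192.168.24.4
{TSET}crypto map ccie 10 ipsec-isakmp
 set peer 192.168.23.3
 set transform-set myset
 match address 100
crypto map ccie 20 ipsec-isakmp
 set peer 192.168.24.4
 set transform-set myset
 match address 110
access-list 100 permit ip host 1.1.1.1 host 2.2.2.2
access-list 110 permit ip host 1.1.1.1 host 3.3.3.3
"""

def spoke(addr, loopback, acl):
    """Site2 and Site3 differ only in WAN address, loopback and ACL number."""
    return (f"interface FastEthernet0/0\n ip address {addr} 255.255.255.0\n{POLICY}"
            f"crypto isakmp key cisco address 192.168.12.1\n{TSET}"
            f"access-list {acl} permit ip host {loopback} host 1.1.1.1\n"
            f"crypto map ccie 10 ipsec-isakmp\n set peer 192.168.12.1\n"
            f" set transform-set myset\n match address {acl}\n")

SITES = {"Site1": SITE1,
         "Site2": spoke("192.168.23.3", "2.2.2.2", 100),
         "Site3": spoke("192.168.24.4", "3.3.3.3", 110)}

# sub-command prefix inside a crypto map entry -> field it fills
MAP_FIELDS = {"set peer": "peer", "set transform-set": "tset", "match address": "acl"}

def parse_site(text):
    """Extract addresses, PSKs, policy lines, transform-sets, map entries and ACLs."""
    cfg = {"addrs": set(), "keys": {}, "policy": [], "tsets": {}, "maps": [], "acls": {}}
    cur = None                       # block (dict or list) that indented lines belong to
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            cur = None
            p = line.split()
            if line.startswith("crypto isakmp key"):          # ... key K address PEER
                cfg["keys"][p[5]] = p[3]
            elif line.startswith("crypto isakmp policy"):
                cur = cfg["policy"]
            elif line.startswith("crypto ipsec transform-set"):
                cfg["tsets"][p[3]] = frozenset(p[4:])
            elif line.startswith("crypto map"):               # crypto map NAME SEQ ipsec-isakmp
                cur = {"seq": int(p[3]), "peer": None, "tset": None, "acl": None}
                cfg["maps"].append(cur)
            elif line.startswith("access-list"):              # access-list N permit ip host A host B
                cfg["acls"].setdefault(p[1], set()).add((p[5], p[7]))
            continue
        s = line.strip()
        if isinstance(cur, dict):
            for prefix, field in MAP_FIELDS.items():
                if s.startswith(prefix):
                    cur[field] = s.split()[-1]
        elif isinstance(cur, list):
            cur.append(s)
        elif s.startswith("ip address"):
            cfg["addrs"].add(s.split()[2])
    return cfg

def is_weak(item):
    """DES/3DES, MD5 and DH groups 1, 2 and 5 are deprecated for IKE/IPsec."""
    return bool(re.search(r"\b(3?des|md5)\b", item) or re.fullmatch(r"group [125]", item))

def weak_proposals(sites):
    out = []
    for name, cfg in sites.items():
        out += [(name, p) for p in cfg["policy"] if is_weak(p)]
        out += [(name, a) for ts in cfg["tsets"].values() for a in sorted(ts) if is_weak(a)]
    return out

def mismatches(sites):
    """One finding per crypto map entry whose peer does not mirror it."""
    by_addr = {a: n for n, cfg in sites.items() for a in cfg["addrs"]}
    out = []
    for name, cfg in sites.items():
        for m in cfg["maps"]:
            peer_name = by_addr.get(m["peer"])
            if peer_name is None:
                out.append(f"{name} seq {m['seq']}: peer {m['peer']} belongs to no known site")
                continue
            peer = sites[peer_name]
            back = [pm for pm in peer["maps"] if pm["peer"] in cfg["addrs"]]
            if not back:
                out.append(f"{name} seq {m['seq']}: {peer_name} has no entry pointing back")
                continue
            pm = back[0]
            if cfg["keys"].get(m["peer"]) != peer["keys"].get(pm["peer"]):
                out.append(f"{name}<->{peer_name}: pre-shared keys differ (Phase 1 fails)")
            if cfg["tsets"].get(m["tset"]) != peer["tsets"].get(pm["tset"]):
                out.append(f"{name}<->{peer_name}: transform-sets differ (Phase 2 fails)")
            mirrored = {(d, s) for s, d in peer["acls"].get(pm["acl"], set())}
            if cfg["acls"].get(m["acl"], set()) != mirrored:
                out.append(f"{name}<->{peer_name}: crypto ACL {m['acl']} is not the mirror of {pm['acl']}")
    return out

def analyse(raw_sites):
    parsed = {n: parse_site(t) for n, t in raw_sites.items()}
    return mismatches(parsed), weak_proposals(parsed)

if __name__ == "__main__":
    bad, weak = analyse(SITES)
    print("mismatches:", bad or "none")
    for site, item in weak:
        print(f"weak proposal on {site}: {item}")
    # Constructed mistake: Site3's crypto ACL names the wrong remote host.
    broken = dict(SITES, Site3=SITES["Site3"].replace("host 1.1.1.1", "host 1.1.1.2"))
    print("broken lab:", analyse(broken)[0])
```

On the configs as written the script reports no mismatches, only the weak-proposal findings; the constructed `broken` variant shows how a single wrong host in Site3's ACL 110 breaks the Site1-Site3 pair in Phase 2 while the Site1-Site2 tunnel keeps working, which is the symptom the `show crypto isakmp sa` and `show crypto engine connections active` outputs below let you confirm per peer.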


Test

Site1#ping 2.2.2.2 source lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1 
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 116/133/152 ms

Site1#ping 3.3.3.3 so
Site1#ping 3.3.3.3 source lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1 
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 100/132/164 ms

Site1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.23.3    192.168.12.1    QM_IDLE           1001    0 ACTIVE
192.168.24.4    192.168.12.1    QM_IDLE           1002    0 ACTIVE

Site1#show crypto engine connections active 
Crypto Engine Connections

   ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
    1 Fa0/0      IPsec 3DES+SHA                  0        4 192.168.12.1
    2 Fa0/0      IPsec 3DES+SHA                  4        0 192.168.12.1
    3 Fa0/0      IPsec 3DES+SHA                  0        4 192.168.12.1
    4 Fa0/0      IPsec 3DES+SHA                  4        0 192.168.12.1
 1001 Fa0/0      IKE   SHA+3DES                  0        0 192.168.12.1
 1002 Fa0/0      IKE   SHA+3DES                  0        0 192.168.12.1


This article comes from the "youlemei" blog; please keep this source when reproducing it: http://youlemei.blog.51cto.com/2294538/1654959