Site-to-Site IPsec VPN Configuration on a Router Network
This lab is built from six routers. R3 in the middle stands in for the ISP; R2 is the company headquarters router, sitting between the ISP and the internal LAN, and R1 plays the part of a PC on that LAN. The goal is to configure a site-to-site IPsec VPN between headquarters and the branch office and verify it. The crypto parameters used here (DES, MD5, DH group 1 and an AH-only transform set) keep the lab simple; they are not acceptable for a production tunnel. Topology, as read from the configurations below:
R1 192.168.1.2 --- 192.168.1.0/24 --- R2 (e0/1 192.168.1.1, e0/2 192.168.4.1) --- 192.168.4.0/24 --- R3 (e0/1 192.168.4.2, e0/2 192.168.5.1, e0/0 192.168.3.1) --- 192.168.5.0/24 --- R4 (e0/1 192.168.5.2, e0/2 192.168.2.1) --- 192.168.2.0/24 --- R5 192.168.2.2
R6 192.168.3.2 sits on 192.168.3.0/24 behind R3 e0/0 and stands in for a server on the Internet.
The complete configuration commands are as follows:
R2:
r2#show runn
Building configuration...
Current configuration : 1337 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname r2
boot-start-marker
boot-end-marker
no aaa new-model
memory-size iomem 5
ip cef
no ip domain lookup
crypto isakmp policy 1 ##defines the IKE phase 1 (ISAKMP) policy
encryption des ##symmetric cipher DES (56-bit, deprecated) for the IKE SA
group 1 ##Diffie-Hellman group 1 (768-bit, deprecated) for key exchange
hash md5 ##MD5 (deprecated) as the hash for IKE integrity checking
authentication pre-share ##peer authentication by pre-shared key. encryption des and group 1 are the IOS defaults; show run normally omits default values (compare R4's listing below), but they are in effect whether or not they appear
crypto isakmp key 6 cisco address 192.168.5.2 ##the peer to share the key with and the key itself (cisco). The 6 is the key-type field of the command (0 = cleartext, 6 = encrypted); the same key must be entered on R4 for address 192.168.4.1
crypto ipsec transform-set ccnp ah-md5-hmac ##defines an IPsec transform set named ccnp that uses AH with HMAC-MD5 only: packets are authenticated, not encrypted, so the 1.0 <-> 2.0 traffic crosses the ISP in cleartext. For confidentiality the set needs an ESP cipher plus integrity transform, e.g. esp-aes esp-sha-hmac
crypto map mymap 1 ipsec-isakmp ##defines crypto map mymap, sequence 1, with keys negotiated by IKE (ipsec-isakmp); the entries below set the peer and reference transform set ccnp and ACL 110
set peer 192.168.5.2 ##peer address: R4's public interface
set transform-set ccnp ##apply the transform set ccnp defined above
match address 110 ##ACL 110 selects the traffic to protect
interface Ethernet0/0
no ip address
shutdown
half-duplex
interface Ethernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside ##inside interface: NAT inside
ip virtual-reassembly
half-duplex
interface Ethernet0/2
ip address 192.168.4.1 255.255.255.0
ip nat outside ##public-facing interface toward the ISP: NAT outside; private addresses are translated to this interface's address for Internet access
ip virtual-reassembly
half-duplex
crypto map mymap ##applies the crypto map to the outside interface
interface Ethernet0/3
no ip address
shutdown
half-duplex
ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.4.2 ##default route to the ISP; the next hop is R3's address on the shared link
ip nat inside source list 100 interface Ethernet0/2 overload ##enable PAT on Ethernet0/2 for the addresses matched by ACL 100
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 ##ACL 100 selects what NAT translates. The deny comes first so that VPN-bound traffic (1.0 to 2.0) is exempted: on IOS NAT runs before the crypto map on outbound packets, so without this exemption the source would be rewritten to 192.168.4.1 and ACL 110 would never match
access-list 100 permit ip 192.168.1.0 0.0.0.255 any ##all other traffic from 1.0 is translated
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 ##ACL 110 selects the interesting traffic: 1.0 to 2.0 triggers the ISAKMP negotiation and is protected by the IPsec SA; R4's ACL 110 must be the mirror image
control-plane
line con 0
line aux 0
line vty 0 4
end
r2#
r1: this router acts as the headquarters PC
r1#ping 192.168.2.2 ##the branch PC answers, so the tunnel is up. The first echo of the first ping is lost while IKE negotiates the SAs; later pings get 5/5. A reply only proves reachability, not protection: confirm the phase 1 SA with show crypto isakmp sa (state QM_IDLE) and watch the #pkts encaps/decaps counters in show crypto ipsec sa grow with each ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 120/194/232 ms
r1#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 124/138/160 ms
r1#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 104/164/216 ms
r1#ping 192.168.3.2 ##192.168.3.2 stands in for an Internet host; reaching it shows that NAT is working
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/151/220 ms
r1#show runn
Building configuration...
Current configuration : 806 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname r1
boot-start-marker
boot-end-marker
no aaa new-model
memory-size iomem 5
no ip routing
no ip cef
no ip domain lookup
interface Ethernet0/0
no ip address
no ip route-cache
shutdown
half-duplex
interface Ethernet0/1
ip address 192.168.1.2 255.255.255.0
no ip route-cache
half-duplex
interface Ethernet0/2
no ip address
no ip route-cache
shutdown
half-duplex
interface Ethernet0/3
no ip address
no ip route-cache
shutdown
half-duplex
ip default-gateway 192.168.1.1
ip http server
no ip http secure-server
control-plane
line con 0
line aux 0
line vty 0 4
end
r1#
r3: this router acts as the ISP router. It connects three networks: 3.0 stands in for the Internet, 4.0 leads to headquarters and 5.0 to the branch. Its configuration is simple: three interface addresses and nothing else. It needs no routes for 192.168.1.0 or 192.168.2.0, because traffic between those networks travels between 192.168.4.1 and 192.168.5.2 inside the tunnel and everything else is translated to those addresses by NAT.
r3>en
r3#show runn
Building configuration...
Current configuration : 708 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname r3
boot-start-marker
boot-end-marker
no aaa new-model
memory-size iomem 5
ip cef
no ip domain lookup
interface Ethernet0/0
ip address 192.168.3.1 255.255.255.0 ##toward the 3.0 network, which stands in for the Internet
half-duplex
interface Ethernet0/1
ip address 192.168.4.2 255.255.255.0 ##toward the headquarters router
half-duplex
interface Ethernet0/2
ip address 192.168.5.1 255.255.255.0 ##toward the branch router
half-duplex
interface Ethernet0/3
no ip address
shutdown
half-duplex
ip http server
no ip http secure-server
control-plane
line con 0
line aux 0
line vty 0 4
end
r3#
r4: the router at the branch office. Its configuration mirrors r2's, so only the differences are pointed out. The session below shows the commands as they were entered; IOS accepts unambiguous abbreviations such as in, cry and add.
r4(config)#in e0/1
r4(config-if)#ip nat outside
r4(config-if)#ex
*Mar 1 00:12:48.551: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
r4(config)#in e0/2
r4(config-if)#ip nat inside
r4(config-if)#ex
r4(config)#access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
r4(config)#access-list 100 permit ip 192.168.2.0 0.0.0.255 any
r4(config)#ip nat inside source list 100 interface e0/1 overload
r4(config)#ip route 0.0.0.0 0.0.0.0 192.168.5.1
r4(config)#access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
r4(config)#crypto isakmp policy ?
Priority of protection suite
r4(config)#crypto isakmp policy 1
r4(config-isakmp)#encryption des
r4(config-isakmp)#hash md5
r4(config-isakmp)#authentication pre-share
r4(config-isakmp)#group 1
r4(config-isakmp)#ex
r4(config)#crypto isakmp key 6 cisco add ?
A.B.C.D Peer IP address
r4(config)#crypto isakmp key 6 cisco add 192.168.4.1 ?
A.B.C.D Peer IP subnet mask
no-xauth Bypasses XAuth for this peer
r4(config)#crypto isakmp key 6 cisco add 192.168.4.1
r4(config)#cry ipsec transform-set ccnp ?
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
comp-lzs IP Compression using the LZS compression algorithm
esp-3des ESP transform using 3DES(EDE) cipher (168 bits)
esp-aes ESP transform using AES cipher
esp-des ESP transform using DES cipher (56 bits)
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-null ESP transform w/o cipher
esp-seal ESP transform using SEAL cipher (160 bits)
esp-sha-hmac ESP transform using HMAC-SHA auth
r4(config)#cry ipsec transform-set ccnp ah-md5-hmac
r4(cfg-crypto-trans)#exit
r4(config)#crypto map mymap 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
r4(config-crypto-map)#match add 110
r4(config-crypto-map)#set transform-set ccnp
r4(config-crypto-map)#set peer 192.168.4.1
r4(config-crypto-map)#ex
r4(config)#in e0/1
r4(config-if)#cry map mymap
r4(config-if)#ex
*Mar 1 00:18:34.063: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
r4(config)#end
r4#show runn
*Mar 1 00:19:44.447: %SYS-5-CONFIG_I: Configured from console by console
Building configuration...
Current configuration : 1337 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname r4
boot-start-marker
boot-end-marker
no aaa new-model
memory-size iomem 5
ip cef
no ip domain lookup
crypto isakmp policy 1 ##must match R2's policy exactly; encryption des and group 1 are absent from this listing only because they are the defaults. The one difference is the peer address, which is now R2's public interface
hash md5
authentication pre-share
crypto isakmp key 6 cisco address 192.168.4.1
crypto ipsec transform-set ccnp ah-md5-hmac
crypto map mymap 1 ipsec-isakmp
set peer 192.168.4.1
set transform-set ccnp
match address 110
interface Ethernet0/0
no ip address
shutdown
half-duplex
interface Ethernet0/1
ip address 192.168.5.2 255.255.255.0
ip nat outside
ip virtual-reassembly
half-duplex
crypto map mymap
interface Ethernet0/2
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
half-duplex
interface Ethernet0/3
no ip address
shutdown
half-duplex
ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.5.1
ip nat inside source list 100 interface Ethernet0/1 overload
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
control-plane
line con 0
line aux 0
line vty 0 4
end
r4#
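Before trusting a successful ping, a reviewer would check the two configurations against each other and against current crypto guidance. The following Python script is an added example for this page, not code from the original post or from Cisco. It embeds the crypto, NAT and interface lines from the R2 and R4 show run listings above as constructed input, fills in the IOS 12.4 ISAKMP defaults that show run omits, flags the deprecated algorithms (DES, MD5, DH group 1) and the AH-only transform set, checks that the traffic selected by each crypto ACL is exempted from NAT, and checks that the two peers' policies, peer addresses and crypto ACLs mirror each other. HARDENED_R2 is a hypothetical variant (ESP with AES-256 and SHA-256, DH group 14) included only to show the audit passing; those keywords come from newer IOS releases than the 12.4 image used in this lab.

```python
# Added audit script, not code from the original post. Both configs are
# constructed from the crypto, NAT and interface lines of the R2 and R4 "show
# run" listings above; R4 really omits "encryption des" and "group 1" (defaults).
R2_CONFIG = """
crypto isakmp policy 1
 encryption des
 group 1
 hash md5
crypto ipsec transform-set ccnp ah-md5-hmac
crypto map mymap 1 ipsec-isakmp
 set peer 192.168.5.2
 match address 110
interface Ethernet0/2
 ip address 192.168.4.1 255.255.255.0
 crypto map mymap
ip nat inside source list 100 interface Ethernet0/2 overload
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
R4_CONFIG = """
crypto isakmp policy 1
 hash md5
crypto ipsec transform-set ccnp ah-md5-hmac
crypto map mymap 1 ipsec-isakmp
 set peer 192.168.4.1
 match address 110
interface Ethernet0/1
 ip address 192.168.5.2 255.255.255.0
 crypto map mymap
ip nat inside source list 100 interface Ethernet0/1 overload
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
# Hypothetical hardened R2: ESP with AES-256/SHA-256, DH group 14 (keywords newer than IOS 12.4).
HARDENED_R2 = (R2_CONFIG.replace(" encryption des", " encryption aes 256")
               .replace(" group 1", " group 14").replace(" hash md5", " hash sha256")
               .replace("ccnp ah-md5-hmac", "ccnp esp-aes 256 esp-sha256-hmac"))

POLICY_KEYS = ("encryption", "hash", "group", "authentication")
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5", "sha"}, "group": {"1", "2", "5"}}
ESP_AUTH_ONLY = {"esp-null", "esp-md5-hmac", "esp-sha-hmac", "esp-sha256-hmac"}


def parse(text):
    """Extract the IPsec-relevant settings; IOS 12.4 ISAKMP defaults are pre-filled."""
    cfg = {"policy": {"encryption": "des", "hash": "sha", "group": "1"}, "transforms": [],
           "peer": None, "crypto_acl": None, "nat_acl": None, "map_if_ip": None, "acls": {}}
    if_ip, in_policy = None, False
    for w in filter(None, map(str.split, text.splitlines())):
        if w[:3] == ["crypto", "isakmp", "policy"] or (in_policy and w[0] in POLICY_KEYS):
            in_policy = True  # policy sub-commands; indentation is not relied on
            if w[0] in POLICY_KEYS:
                cfg["policy"][w[0]] = w[1]
            continue
        in_policy = False
        if w[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transforms"] = w[4:]
        elif w[:2] == ["set", "peer"]:
            cfg["peer"] = w[2]
        elif w[:2] == ["match", "address"]:
            cfg["crypto_acl"] = w[2]
        elif w[:2] == ["ip", "address"]:
            if_ip = w[2]
        elif w[:2] == ["crypto", "map"] and len(w) == 3:  # map bound to an interface
            cfg["map_if_ip"] = if_ip
        elif w[:4] == ["ip", "nat", "inside", "source"]:
            cfg["nat_acl"] = w[5]
        elif w[0] == "access-list":  # number -> [[action, proto, src, wc, dst, wc], ...]
            cfg["acls"].setdefault(w[1], []).append(w[2:])
    return cfg


def audit_one(name, cfg):
    """Deprecated algorithms, AH-only transform set, VPN traffic not exempted from NAT."""
    out = [f"{name}: isakmp {k} {cfg['policy'][k]} is deprecated"
           for k, weak in WEAK.items() if cfg["policy"][k] in weak]
    if not any(t.startswith("esp-") and t not in ESP_AUTH_ONLY for t in cfg["transforms"]):
        out.append(f"{name}: no ESP cipher in transform set, payload crosses the ISP in cleartext")
    nat_denies = [e[1:] for e in cfg["acls"].get(cfg["nat_acl"], []) if e[0] == "deny"]
    for e in cfg["acls"].get(cfg["crypto_acl"], []):
        if e[1:] not in nat_denies:
            out.append(f"{name}: VPN traffic {' '.join(e[2:])} is not exempted from NAT")
    return out


def audit_pair(a_name, a, b_name, b):
    """Phase 1/2 parameters, peer addresses and crypto ACLs must mirror each other."""
    out = []
    if a["policy"] != b["policy"] or a["transforms"] != b["transforms"]:
        out.append(f"{a_name}/{b_name}: isakmp policy or transform set differ")
    for x_name, x, y_name, y in ((a_name, a, b_name, b), (b_name, b, a_name, a)):
        if x["peer"] != y["map_if_ip"]:
            out.append(f"{x_name}: set peer {x['peer']} is not where {y_name} binds its crypto map")
    permits = lambda c: [e[1:] for e in c["acls"].get(c["crypto_acl"], []) if e[0] == "permit"]
    if sorted(permits(a)) != sorted(e[:1] + e[3:5] + e[1:3] for e in permits(b)):  # swap src/dst
        out.append(f"{a_name}/{b_name}: crypto ACLs are not mirror images")
    return out


if __name__ == "__main__":
    r2, r4 = parse(R2_CONFIG), parse(R4_CONFIG)
    print("\n".join(audit_one("r2", r2) + audit_one("r4", r4) + audit_pair("r2", r2, "r4", r4)))
```

Run as-is it prints eight findings, four per router: the three deprecated ISAKMP parameters and the missing ESP cipher. R4 is flagged for DES and group 1 even though its listing never mentions them, because the defaults apply. The mirror checks pass, which is what the ping results reflect; removing the deny line from ACL 100 on either side, or changing one peer's policy, produces the corresponding finding.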
r5: this router is the branch PC; it needs to reach the 1.0 network at headquarters
r5>en
r5#show runn
Building configuration...
Current configuration : 806 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname r5
boot-start-marker
boot-end-marker
no aaa new-model
memory-size iomem 5
no ip routing
no ip cef
no ip domain lookup
interface Ethernet0/0
no ip address
no ip route-cache
shutdown
half-duplex
interface Ethernet0/1
ip address 192.168.2.2 255.255.255.0
no ip route-cache
half-duplex
interface Ethernet0/2
no ip address
no ip route-cache
shutdown
half-duplex
interface Ethernet0/3
no ip address
no ip route-cache
shutdown
half-duplex
ip default-gateway 192.168.2.1
ip http server
no ip http secure-server
control-plane
line con 0
line aux 0
line vty 0 4
end
r5#ping 192.168.1.2 ##the headquarters PC answers, so the VPN works from the branch side as well
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 124/135/144 ms
r5#
r6: this router stands in for a server on the Internet
r6>en
r6#show runn
Building configuration...
Current configuration : 806 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname r6
boot-start-marker
boot-end-marker
no aaa new-model
memory-size iomem 5
no ip routing
no ip cef
no ip domain lookup
interface Ethernet0/0
no ip address
no ip route-cache
shutdown
half-duplex
interface Ethernet0/1
ip address 192.168.3.2 255.255.255.0
no ip route-cache
half-duplex
interface Ethernet0/2
no ip address
no ip route-cache
shutdown
half-duplex
interface Ethernet0/3
no ip address
no ip route-cache
shutdown
half-duplex
ip default-gateway 192.168.3.1
ip http server
no ip http secure-server
control-plane
line con 0
line aux 0
line vty 0 4
end
r6#