
Configuring a VPN on Cisco Routers


2008-03-01 11:49:13
 Tags: VPN, router

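Network environment:
Two routers represent the company headquarters (R1) and a branch office (R2). The headquarters internal network is 192.168.1.0/24; the branch internal network is 192.168.2.0/24.
The network topology is as follows: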
 
Lab configuration:
R1
 
r1#show run
Building configuration...
Current configuration : 1505 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
ip cef
no ip domain lookup
!
ip audit po max-events 100
no ftp-server write-enable
!        
!
!
!
!
!
!
!
!
!
!
!
!
!
!
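! Define the ISAKMP policy; the settings below must match on both ends.
crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 64000
! Set the pre-shared key and the peer address.
crypto isakmp key cisco address 202.10.1.2
!
! IPSec parameters (transform set); these must also match on both ends.
crypto ipsec transform-set benet ah-md5-hmac esp-des
!
! Crypto map to be applied to the interface; it ties IKE and IPSec together, as I understand it.
crypto map map1 1 ipsec-isakmp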
 set peer 202.10.1.2
 set transform-set benet
 match address 101
!
!
!
!
! The loopback address simulates the company's internal network.
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!        
! Configure the router's address.
interface Serial1/0
 ip address 202.10.1.1 255.255.255.0
 serial restart-delay 0
 crypto map map1
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip http server
no ip http secure-server
ip classless
! Static route to the branch office.
ip route 192.168.2.0 255.255.255.0 202.10.1.2
!
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
! Defines the traffic to encrypt: here, traffic from 192.168.1.0 to 192.168.2.0.
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
!        
end
The configuration on R2 is much the same, with only the IP addresses changed.
r2#show run
Building configuration...
Current configuration : 1505 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
ip cef
no ip domain lookup
!
ip audit po max-events 100
no ftp-server write-enable
!        
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 64000
crypto isakmp key cisco address 202.10.1.1
!
!
crypto ipsec transform-set cisco ah-md5-hmac esp-des
!        
crypto map map1 1 ipsec-isakmp
 set peer 202.10.1.1
 set transform-set cisco
 match address 101
!
!
!
!
interface Loopback0
 ip address 192.168.2.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!        
interface Serial1/0
 ip address 202.10.1.2 255.255.255.0
 serial restart-delay 0
 crypto map map1
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip http server
no ip http secure-server
ip classless
ip route 192.168.1.0 255.255.255.0 202.10.1.1
!
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
!        
end
r2#
 
You really have to keep typing these commands. It has been a while since I learned this, and I had nearly forgotten all of it.
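
The annotations in the R1 config say that the ISAKMP policy and the IPSec parameters must match on both ends. The following Python check is an added example, not part of the original post: it compares constructed excerpts of the two configs above and also verifies that each peer address points at the other router and that the crypto ACLs mirror each other. The function names facts and mismatches are hypothetical, and the transform-set name is treated as local because R1 calls it benet while R2 calls it cisco.

```python
import re

# Constructed excerpt: the IPSec-relevant lines of the R1 configuration above.
R1 = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 64000
crypto isakmp key cisco address 202.10.1.2
crypto ipsec transform-set benet ah-md5-hmac esp-des
crypto map map1 1 ipsec-isakmp
 set peer 202.10.1.2
 set transform-set benet
 match address 101
interface Serial1/0
 ip address 202.10.1.1 255.255.255.0
 crypto map map1
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
# R2 as on the page: WAN addresses and LAN subnets swapped, transform set renamed.
R2 = (R1.replace("202.10.1.2", "PEER").replace("202.10.1.1", "202.10.1.2")
      .replace("PEER", "202.10.1.1").replace("192.168.1.0", "LAN").replace("benet", "cisco")
      .replace("192.168.2.0", "192.168.1.0").replace("LAN", "192.168.2.0"))

def facts(cfg):
    """Extract the settings that have to agree between the two peers."""
    get = lambda pat: re.search(pat, cfg, re.M).groups()
    ts, acl = get(r"^ set transform-set (\S+)")[0], get(r"^ match address (\d+)")[0]
    return {
        "policy": {l.strip() for l in get(r"^crypto isakmp policy \d+\n((?: .+\n)+)")[0].splitlines()},
        "transforms": set(get(rf"^crypto ipsec transform-set {ts} (.+)$")[0].split()),
        "peer": get(r"^ set peer (\S+)")[0],
        "key": get(r"^crypto isakmp key (\S+) address (\S+)"),
        "local": get(r"^ ip address (\S+) .+\n(?: .+\n)*? crypto map ")[0],  # interface carrying the map
        "acl": get(rf"^access-list {acl} permit ip (\S+ \S+) (\S+ \S+)"),
    }

def mismatches(a, b):
    """Return the disagreements between two configs; an empty list means they line up."""
    fa, fb = facts(a), facts(b)
    out = [name for name in ("policy", "transforms") if fa[name] != fb[name]]
    if fa["key"][0] != fb["key"][0]:
        out.append("pre-shared key")
    for x, y in ((fa, fb), (fb, fa)):  # each side's peer and key address must be the other's WAN IP
        if {x["peer"], x["key"][1]} != {y["local"]}:
            out.append(f"peer address for {y['local']}")
    if fa["acl"] != fb["acl"][::-1]:  # source/destination must be swapped on the far end
        out.append("crypto ACL not mirrored")
    return out
```

Calling mismatches(R1, R2) returns an empty list for the pair on this page; changing a transform, a peer address or an ACL on one side returns the name of the setting that no longer lines up.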




    Comments
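2008-03-01 21:40:51
First to comment, hehe. Back in my day our textbooks didn't have VPN in them at all.

2008-03-02 09:01:14
The second-generation textbooks added a lot of material that is widely used now; there is a lot you didn't get.
That said, some of it is explained too briefly.

2008-03-03 10:49:08
Are you from Jade Bird?

2008-03-03 13:45:43
Yes, I'm at Jade Bird. Are you too?

2008-03-03 19:33:42
Haha, I'm from Jade Bird too. What a coincidence for all of us!

2008-03-03 19:36:05
I'm from Jade Bird as well. What do you all think of Jade Bird?

2008-03-03 20:16:15
Honestly, Jade Bird isn't as good as I imagined, but it isn't as bad as people say either. In short, if you want to learn something, in the end you have to rely on yourself. The teacher only leads you through the door.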
