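Lab requirement: PC1 and PC2 can communicate normally through the secure tunnel.
R1 configuration:
crypto isakmp policy 1 \\ create the ISAKMP (IKE phase 1) policy
encr 3des \\ encryption algorithm
hash md5 \\ hash algorithm
authentication pre-share \\ authentication method
group 2 \\ DH group
crypto isakmp key cisco address 10.1.1.2 \\ define the pre-shared key for the peer
!
crypto ipsec transform-set TEST000 esp-3des esp-md5-hmac \\ create the transform set
!
crypto map SDM_CMAP_1 1 ipsec-isakmp \\ create the crypto map
description Tunnel to 10.1.1.2 \\ description text
set peer 10.1.1.2 \\ specify the peer address
set transform-set TEST000 \\ reference the transform set
match address 100 \\ reference the ACL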
!
interface FastEthernet0/0
ip nat outside \\ associate with PAT
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
crypto map SDM_CMAP_1 \\ apply the crypto map
!
interface FastEthernet1/0
ip nat inside \\ associate with PAT
ip address 192.168.10.1 255.255.255.0
duplex auto
speed auto
!
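ip route 0.0.0.0 0.0.0.0 10.1.1.2 \\ default route
!
access-list 100 permit ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.255.255 \\ create the ACL
ip nat inside source list 102 interface FastEthernet0/0 overload \\ create PAT (optional); ACL 102 is not defined in this listing and must deny the ACL 100 traffic so it is not translated before encryption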
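R2 configuration:
crypto isakmp policy 1 \\ create the ISAKMP (IKE phase 1) policy
encr 3des \\ encryption algorithm
hash md5 \\ hash algorithm
authentication pre-share \\ authentication method
group 2 \\ DH group
crypto isakmp key cisco address 10.1.1.1 \\ define the pre-shared key for the peer
!
crypto ipsec transform-set TEST000 esp-3des esp-md5-hmac \\ create the transform set
!
crypto map SDM_CMAP_1 1 ipsec-isakmp \\ create the crypto map
description Tunnel to 10.1.1.1 \\ description text
set peer 10.1.1.1 \\ specify the peer address
set transform-set TEST000 \\ reference the transform set
match address 100 \\ reference the ACL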
!
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0
duplex auto
speed auto
crypto map SDM_CMAP_1 \\ apply the crypto map
!
interface FastEthernet1/0
ip address 172.16.0.1 255.255.0.0
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1 \\ default route
!
access-list 100 permit ip 172.16.0.0 0.0.255.255 192.168.10.0 0.0.0.255 \\ create the ACL
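
The crypto ACLs (access-list 100) on R1 and R2 must be exact mirrors of each other, or the two peers will not agree on which traffic to protect. The following is an added example, not part of the original lab: a Python check that parses both ACL lines and reports a malformed wildcard or a mirror mismatch. The function names and the sample lines are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample input based on the access-list 100 lines in this lab.
R1_ACL = "access-list 100 permit ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.255.255"
R2_ACL_MIRRORED = "access-list 100 permit ip 172.16.0.0 0.0.255.255 192.168.10.0 0.0.0.255"
# Constructed malformed variant: the first wildcard is missing an octet.
R2_ACL_TRUNCATED = "access-list 100 permit ip 172.16.0.0 0.0.255 192.168.10.0 0.0.0.255"

ACL_RE = re.compile(
    r"^access-list\s+(\d+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def wildcard_to_network(addr, wildcard):
    """Convert 'address wildcard' to an IPv4Network; reject malformed masks."""
    a = int(ipaddress.IPv4Address(addr))      # raises ValueError on bad input
    w = int(ipaddress.IPv4Address(wildcard))  # e.g. '0.0.255' fails here
    if w & (w + 1):                           # contiguous wildcard is 0..01..1
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.IPv4Network((a & ~w & 0xFFFFFFFF, 32 - w.bit_length()))


def parse_crypto_acl(line):
    """Return (source_net, dest_net) for a 'permit ip' extended ACL line."""
    m = ACL_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACL line: {line!r}")
    _, src, src_wc, dst, dst_wc = m.groups()
    return wildcard_to_network(src, src_wc), wildcard_to_network(dst, dst_wc)


def check_mirror(local_line, peer_line):
    """Return a list of problems; an empty list means the ACLs mirror each other."""
    try:
        l_src, l_dst = parse_crypto_acl(local_line)
        p_src, p_dst = parse_crypto_acl(peer_line)
    except ValueError as exc:
        return [f"parse error: {exc}"]
    problems = []
    if l_src != p_dst:
        problems.append(f"local source {l_src} != peer destination {p_dst}")
    if l_dst != p_src:
        problems.append(f"local destination {l_dst} != peer source {p_src}")
    return problems


if __name__ == "__main__":
    print(check_mirror(R1_ACL, R2_ACL_MIRRORED))
    print(check_mirror(R1_ACL, R2_ACL_TRUNCATED))
```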