Topic: configuring IPSec Router-to-Router with NAT and Cisco Secure VPN Client
Location: company
Configuration and notes for: A. the Light router; B. the house router.
It did not work at first: the tunnel was never triggered. After carefully re-checking the configuration I found that no interesting traffic had been defined, i.e. there was no crypto access list referenced by the crypto map to select the data flow. As soon as that ACL was added the tunnel came up immediately.
VPN Client: no client software was available, so that part of the lab was not tested.
Network topology:
[img]http://www.cisco.com/warp/public/707/ios_D-a.gif[/img]
[b]A. Light router configuration and notes[/b]
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Light
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
ip subnet-zero
!
!
!
ip cef
ip audit po max-events 100
no ftp-server write-enable
!
!
[u]crypto isakmp policy 5[/u] ****create the IKE policy
[u]hash md5[/u] ****define the hash algorithm
[u] authentication pre-share[/u] ****set the authentication method to pre-shared key
[u]crypto isakmp key cisco123 address 192.168.18.252 255.255.255.0 no-xauth[/u] ****configure the pre-shared key for the router peer
[u]crypto isakmp key 123cisco address 0.0.0.0 0.0.0.0[/u] ****configure the wildcard pre-shared key for dynamic VPN Client peers
[u]crypto isakmp client configuration address-pool local test-pool[/u] ****define the address pool handed out to VPN Clients
!
!
[u]crypto ipsec transform-set testset esp-des esp-md5-hmac [/u] ****configure the IPSec transform set
!
[u]crypto dynamic-map test-dynamic 10[/u] ****create the dynamic crypto map
[u] set transform-set testset [/u] ****specify the transform set to use
!
!
[u]crypto map test client configuration address initiate[/u] ****IKE mode config: the router initiates assigning an IP address to the client
[u]crypto map test client configuration address respond[/u] ****respond to clients that request an IP address
[u]crypto map test 5 ipsec-isakmp [/u] ****create the crypto map
[u] set peer 192.168.18.252[/u] ****specify the peer
[u] set transform-set testset [/u] ****specify the transform set
[u] match address 115[/u] ****reference the crypto access list that defines the protected (interesting) traffic
[u]crypto map test 10 ipsec-isakmp dynamic test-dynamic [/u] ****add the dynamic crypto map set to the static crypto map
!
!
!
!
interface FastEthernet0/0
ip address 192.168.18.251 255.255.255.0
ip nat outside
duplex auto
speed auto
[u]crypto map test[/u] ****apply the crypto map to the interface
!
interface FastEthernet0/1
ip address 192.168.100.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip local pool test-pool 192.168.1.1 192.168.1.254
ip nat inside source route-map nonat interface FastEthernet0/0 overload
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.18.1
!
!
access-list 110 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 110 deny ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.100.0 0.0.0.255 any
[color=Red]access-list 115 permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255[/color]
!
route-map nonat permit 10
match ip address 110
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
end
[b]B. house router configuration and notes[/b]
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname house
!
enable password cisco
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
[u]crypto isakmp policy 5[/u] ****[color=Blue]create the IKE policy[/color]
[u]hash md5[/u] ****define the hash algorithm
[u]authentication pre-share[/u] ****set the authentication method to pre-shared key
[u]crypto isakmp key cisco123 address 10.64.10.44 no-xauth[/u] ****configure the pre-shared key
!
!
[u]crypto ipsec transform-set testset esp-des esp-md5-hmac [/u] ****configure the IPSec transform set
!
[u]crypto map test 5 ipsec-isakmp [/u] ****create the crypto map
[u] set peer 10.64.10.44[/u] ****specify the peer
[u] set transform-set testset [/u] ****specify the transform set to use
[u] match address 115[/u] ****reference the crypto access list that defines the protected (interesting) traffic
!
!
!
voice call carrier capacity active
!
!
mta receive maximum-recipients 0
!
!
!
interface FastEthernet0/0
ip address 10.64.10.45 255.255.255.0
ip nat outside
duplex auto
speed auto
[u]crypto map test[/u] ****apply the crypto map to the interface
!
interface FastEthernet0/1
ip address 192.168.200.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip nat inside source route-map nonat interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.64.10.33
ip http server
!
!
access-list 110 deny ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 110 permit ip 192.168.200.0 0.0.0.255 any
access-list 115 permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
!
route-map nonat permit 10
match ip address 110
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
!
end
That is the complete configuration!
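The two things this lab hinged on are that the crypto map's [u]match address[/u] ACL actually defines interesting traffic, and that the NAT route-map ACL denies (exempts) exactly those flows before its permit line, so the packets are not translated before IPsec sees them. As an added example (not part of the original post or of Cisco's documentation), the Python checker below reads an IOS config excerpt and reports both mistakes; the excerpt is a constructed subset of the Light router config above, and the matching rule (exact wildcard match, destination "any" counts as a match) is a simplification of my own.

```python
import re
# Constructed excerpt of the Light router config from this post (interfaces omitted).
LIGHT_CFG = """\
crypto map test 5 ipsec-isakmp
 set peer 192.168.18.252
 match address 115
ip nat inside source route-map nonat interface FastEthernet0/0 overload
access-list 110 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 110 deny ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.100.0 0.0.0.255 any
access-list 115 permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
route-map nonat permit 10
 match ip address 110
"""
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) ip (\S+ \S+) (\S+ \S+|any)$")

def acl_entries(cfg):
    """Map ACL number -> ordered list of (action, source, destination) entries."""
    acls = {}
    for line in cfg.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2, 3, 4))
    return acls

def nat_acls(cfg):
    """ACL numbers matched inside the route-map named by 'ip nat inside source route-map'."""
    rm = re.search(r"^ip nat inside source route-map (\S+)", cfg, re.M)
    blk = rm and re.search(r"^route-map %s .*\n((?: .*\n)*)" % re.escape(rm.group(1)), cfg, re.M)
    return set(re.findall(r"^ match ip address (\d+)", blk.group(1), re.M)) if blk else set()

def check(cfg):
    """Return a list of problems; an empty list means crypto ACL and NAT exemption agree."""
    acls, problems = acl_entries(cfg), []
    crypto = set(re.findall(r"^\s*match address (\d+)", cfg, re.M))
    if not crypto:
        problems.append("no crypto map entry references a crypto ACL (match address)")
    for n in sorted(crypto):
        flows = [(s, d) for a, s, d in acls.get(n, []) if a == "permit"]
        if not flows:  # the mistake described in the post: no interesting traffic, no tunnel
            problems.append(f"crypto ACL {n} defines no interesting traffic")
        for nat in sorted(nat_acls(cfg)):
            for s, d in flows:
                # The first NAT-ACL line matching the flow decides; it must be a deny, otherwise
                # the packet is translated before IPsec sees it and never matches the crypto ACL.
                hit = next((a for a, s2, d2 in acls.get(nat, []) if s2 == s and d2 in (d, "any")), None)
                if hit != "deny":
                    problems.append(f"flow {s} -> {d} is not exempted from NAT in ACL {nat}")
    return problems
```

Calling check(LIGHT_CFG) returns an empty list for the config above; deleting the red access-list 115 line reproduces the "no interesting traffic" failure from the write-up, and deleting the first deny line of access-list 110 reports the flow as not exempted from NAT.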
Source: ltesting.net (领测软件测试网) https://www.ltesting.net/