Tuesday, February 16, 2016

Guide to configuring a site-to-site IPsec VPN

1. Lab topology:



Lab topology: configure a site-to-site VPN between R1 and R3, with the traffic protected by IPsec.

There are three routers: R1, R2 and R3.

R2 plays the role of the ISP; R1 and R3 are the two sites.

R1 configuration:

hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
no ip icmp rate-limit unreachable
ip cef
!
!
ip tcp synwait-time 5
!
no ip domain lookup
ip audit po max-events 100
!
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 192.168.253.2
!
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac 
!
crypto map r1-r3 10 ipsec-isakmp 
 set peer 192.168.253.2
 set transform-set myset 
 match address 101
!
!
!
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
 crypto map r1-r3
!
interface Serial0/0
 no ip address
 shutdown
 clock rate 2000000
!
interface FastEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip nat inside source list 100 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.2
!
no ip http server
no ip http secure-server
!
access-list 100 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
no cdp log mismatch duplex
!
!

!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end


R2 configuration:

hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
no ip icmp rate-limit unreachable
ip cef
!
!
ip tcp synwait-time 5
!
no ip domain lookup
ip audit po max-events 100
!
!
!
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
 clock rate 2000000
!
interface FastEthernet0/1
 ip address 192.168.253.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip classless
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!

!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end

R3 configuration:

hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
no ip icmp rate-limit unreachable
ip cef
!
!
ip tcp synwait-time 5
!
no ip domain lookup
ip audit po max-events 100

!
!
!
!
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.0.0.1
!
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto map r3-r1 10 ipsec-isakmp
 set peer 10.0.0.1
 set transform-set myset
 match address 101
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.253.2 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
 crypto map r3-r1
!
interface Serial0/0
 no ip address
 shutdown
 clock rate 2000000
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip nat inside source list 100 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.253.1
!
no ip http server
no ip http secure-server
!
access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
no cdp log mismatch duplex
!
!

!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!

end
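The three configurations above only work if several things line up on both sites: each crypto map's peer must be the address of the interface the other side applies its crypto map to, the pre-shared key must be bound to that same peer address, the transform sets must match, crypto ACL 101 on one site must be the mirror image of 101 on the other, and NAT ACL 100 must deny the site-to-site traffic so it is not translated before the crypto map sees it. The Python script below is an added example, not part of the original post: it parses the relevant lines of the R1 and R3 configs (reproduced by the lab_config helper with the page's addresses; the crypto map is named R1-map/R3-map instead of r1-r3/r3-r1, an assumption that does not affect the checks), verifies those five points, and then runs a constructed variant of R1 that is missing the NAT deny line to show how that mistake is reported.

```python
import ipaddress
from types import SimpleNamespace

def _addr(tok, i):
    """Parse one extended-ACL address term, 'any' or 'ADDRESS WILDCARD', starting at tok[i]."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    return (tok[i], tok[i + 1]), i + 2

def parse_ios(config):
    """Pull crypto-map, ISAKMP, NAT and extended-ACL facts out of an IOS running-config."""
    s = SimpleNamespace(hostname="", endpoint="", map_peer="", map_acl="", map_ts="", nat_acl="",
                        psk_peers=set(), transform_sets={}, acls={})  # acls: number -> [(action, src, dst)]
    in_map, if_ip = False, ""
    for line in config.splitlines():
        tok = line.split()
        if not tok or tok[0] == "!":
            continue
        if not line.startswith(" "):                # top-level command
            in_map = line.startswith("crypto map ")
            if tok[0] == "hostname":
                s.hostname = tok[1]
            elif line.startswith("crypto isakmp key "):
                s.psk_peers.add(tok[tok.index("address") + 1])
            elif line.startswith("crypto ipsec transform-set "):
                s.transform_sets[tok[3]] = tuple(tok[4:])
            elif line.startswith("ip nat inside source list "):
                s.nat_acl = tok[5]
            elif tok[0] == "access-list":
                src, i = _addr(tok, 4)
                s.acls.setdefault(tok[1], []).append((tok[2], src, _addr(tok, i)[0]))
        elif in_map and tok[0] in ("set", "match"):  # set peer / set transform-set / match address
            attr = {"peer": "map_peer", "transform-set": "map_ts", "address": "map_acl"}.get(tok[1])
            if attr:
                setattr(s, attr, tok[2])
        elif tok[:2] == ["ip", "address"]:
            if_ip = tok[2]                          # address of the interface being configured
        elif tok[:2] == ["crypto", "map"]:
            s.endpoint = if_ip                      # map applied to this interface: the tunnel endpoint
    return s

def _covers(term, addr):
    """True if ACL term (address, wildcard) matches addr; wildcard 1-bits are don't-care."""
    ip = lambda x: int(ipaddress.IPv4Address(x))
    return ((ip(term[0]) ^ ip(addr)) & ~ip(term[1]) & 0xFFFFFFFF) == 0

def _nat_action(entries, src, dst):
    """Action of the first NAT ACL line matching the flow; IOS denies when nothing matches."""
    for action, s, d in entries:
        if _covers(s, src[0]) and _covers(d, dst[0]):
            return action
    return "deny"

def check_pair(a, b):
    """List the inconsistencies between two sites; an empty list means the tunnel can form."""
    problems = []
    for x, y in ((a, b), (b, a)):
        if x.map_peer != y.endpoint:
            problems.append(f"{x.hostname}: peer {x.map_peer} is not {y.hostname}'s endpoint {y.endpoint}")
        if x.map_peer not in x.psk_peers:
            problems.append(f"{x.hostname}: no pre-shared key bound to peer {x.map_peer}")
        for action, src, dst in x.acls.get(x.map_acl, []):
            if action != "permit":
                continue
            if ("permit", dst, src) not in y.acls.get(y.map_acl, []):
                problems.append(f"{x.hostname}: crypto ACL entry {src[0]}->{dst[0]} has no mirror on {y.hostname}")
            if _nat_action(x.acls.get(x.nat_acl, []), src, dst) != "deny":
                problems.append(f"{x.hostname}: {src[0]}->{dst[0]} is translated by NAT ACL {x.nat_acl} before it can match the crypto ACL")
    if a.transform_sets.get(a.map_ts) != b.transform_sets.get(b.map_ts):
        problems.append("transform sets differ between the sites")
    return problems

def lab_config(name, wan, peer, lan, remote, nat_exempt=True):
    """The lines of the lab's R1/R3 configs that matter here; nat_exempt=False drops the NAT deny."""
    exempt = f"access-list 100 deny   ip {lan} 0.0.0.255 {remote} 0.0.0.255\n" if nat_exempt else ""
    return f"""hostname {name}
crypto isakmp key cisco address {peer}
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto map {name}-map 10 ipsec-isakmp
 set peer {peer}
 set transform-set myset
 match address 101
interface FastEthernet0/0
 ip address {wan} 255.255.255.0
 crypto map {name}-map
ip nat inside source list 100 interface FastEthernet0/0 overload
{exempt}access-list 100 permit ip {lan} 0.0.0.255 any
access-list 101 permit ip {lan} 0.0.0.255 {remote} 0.0.0.255
"""

R1 = parse_ios(lab_config("R1", "10.0.0.1", "192.168.253.2", "192.168.0.0", "192.168.1.0"))
R3 = parse_ios(lab_config("R3", "192.168.253.2", "10.0.0.1", "192.168.1.0", "192.168.0.0"))
# Constructed failure case: R1 without the NAT exemption, so VPN traffic is translated first.
R1_NO_EXEMPT = parse_ios(lab_config("R1", "10.0.0.1", "192.168.253.2", "192.168.0.0", "192.168.1.0", False))

if __name__ == "__main__":
    print("lab pair:", check_pair(R1, R3) or "consistent")
    print("without NAT exemption:", check_pair(R1_NO_EXEMPT, R3))
```

The NAT check is the one worth remembering: on IOS, a packet going from the inside interface to the outside interface is translated before the crypto map is evaluated, so without the deny line in ACL 100 the LAN-to-LAN traffic leaves with the router's public source address, never matches ACL 101, and the tunnel is never triggered even though every other line is correct. The parser only understands the extended "access-list N permit|deny ip SRC WC DST WC" form used on this page.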



Verify encryption on R1 and R3:
R1#show crypto isakmp policy
R1#show crypto engine connections active