[Practical Guide] Site to Site VPN, Step by Step
Author: 微思网络  Published: 2017-03-14
1. Site to Site VPN
Configure the Internet router
interface Serial1/0
 ip address 202.100.1.10 255.255.255.0
 no shutdown
interface Serial1/1
 ip address 202.100.2.10 255.255.255.0
 no shutdown
Configure routers R1 and R2
Step 1: Configure the routes
R1:
ip route 0.0.0.0 0.0.0.0 202.100.1.10
R2:
ip route 0.0.0.0 0.0.0.0 202.100.2.10
Step 2: Configure the ISAKMP policy
R1:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 202.100.2.2
R2:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 202.100.1.1
Step 3: Configure the IPsec transform set
R1:
crypto ipsec transform-set myset esp-3des esp-md5-hmac
R2:
crypto ipsec transform-set myset esp-3des esp-md5-hmac
Step 4: Define the interesting traffic
R1:
access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
R2:
access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
Step 5: Configure the crypto map
R1:
crypto map mymap 10 ipsec-isakmp
 set peer 202.100.2.2
 match address 100
 set transform-set myset
R2:
crypto map mymap 10 ipsec-isakmp
 set peer 202.100.1.1
 match address 100
 set transform-set myset
Step 6: Apply the crypto map to the corresponding interface
R1:
interface s1/0
 crypto map mymap
R2:
interface s1/0
 crypto map mymap
Step 7: Test
R1#ping 172.16.2.2 source 172.16.1.1
R1#show crypto engine connections active

  ID  Interface  IP-Address   State  Algorithm           Encrypt  Decrypt
   1  Serial1/0  202.100.1.1  set    HMAC_MD5+3DES_56_C        0        0
2001  Serial1/0  202.100.1.1  set    3DES+MD5                  0        9
2002  Serial1/0  202.100.1.1  set    3DES+MD5                  9        0
Verification commands:
show crypto isakmp policy
show crypto ipsec transform-set
show crypto isakmp sa
show crypto ipsec sa
show crypto map
clear crypto sa
clear crypto sa peer (ip address|peer name)
clear crypto sa map (map name)
debug crypto isakmp
debug crypto ipsec
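An added example, not part of the original article: a Python check that parses both routers' settings from steps 2 to 5 and reports anything that keeps the tunnel from forming (different policy, key or transform set, peers that do not point at each other, crypto ACLs that are not mirror images), then lists the legacy algorithms this lab relies on. The sample, parse and audit helpers, the regexes and the MIN_PSK_LEN threshold are assumptions made for this illustration.

```python
import re

def sample(peer, local, remote):
    # Constructed input: one router's tunnel settings as given in steps 2-5 above.
    return f"""crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address {peer}
crypto ipsec transform-set myset esp-3des esp-md5-hmac
access-list 100 permit ip {local} 0.0.0.255 {remote} 0.0.0.255
crypto map mymap 10 ipsec-isakmp
 set peer {peer}
 match address 100
 set transform-set myset
"""
R1 = sample("202.100.2.2", "172.16.1.0", "172.16.2.0")
R2 = sample("202.100.1.1", "172.16.2.0", "172.16.1.0")
PATTERNS = {  # hypothetical helper table: one regex per setting the peers must agree on
    "encr": r"^\s*encr\S*\s+(.+)$",
    "hash": r"^\s*hash\s+(\S+)",
    "group": r"^\s*group\s+(\d+)",
    "psk": r"^crypto isakmp key (\S+) address (\S+)",
    "tset": r"^crypto ipsec transform-set \S+ (.+)$",
    "acl": r"^access-list \d+ permit ip (\S+ \S+) (\S+ \S+)",
    "peer": r"^\s*set peer (\S+)",
}
LEGACY = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}
MIN_PSK_LEN = 16  # assumed local policy threshold, not an IOS limit

def parse(cfg):
    return {k: (m := re.search(p, cfg, re.M | re.I)) and m.groups() for k, p in PATTERNS.items()}

def audit(a_cfg, b_cfg, a_ip, b_ip):  # a_ip / b_ip: each router's own outside address
    a, b = parse(a_cfg), parse(b_cfg)
    if missing := [k for k in PATTERNS if not (a[k] and b[k])]:
        return [f"MISSING: {k}" for k in missing]
    algos = set(f"{a['encr'][0]} {a['hash'][0]} {a['tset'][0]}".lower().split())
    checks = [(a[k] != b[k], f"MISMATCH: {k}") for k in ("encr", "hash", "group", "tset")] + [
        (a["psk"][0] != b["psk"][0], "MISMATCH: pre-shared key"),
        (a["psk"][1:] + a["peer"] + b["psk"][1:] + b["peer"] != (b_ip, b_ip, a_ip, a_ip), "MISMATCH: peer address"),
        (a["acl"] != b["acl"][::-1], "MISMATCH: crypto ACLs are not mirror images"),
        (int(a["group"][0]) in (1, 2, 5), f"LEGACY: DH group {a['group'][0]}"),
        (len(a["psk"][0]) < MIN_PSK_LEN, "WEAK: short pre-shared key"),
    ] + [(True, f"LEGACY: {x}") for x in sorted(algos & LEGACY)]
    return [msg for bad, msg in checks if bad]

print(*audit(R1, R2, "202.100.1.1", "202.100.2.2"), sep="\n")
```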