The figure above shows a typical headquarters-to-branch IPSec VPN. The requirement is that the internal networks can all reach one another through the tunnels: headquarters to branch and branch to branch. In this topology R2 is the headquarters (hub) gateway with the LAN 1.1.1.0/24 on R1 behind it, R4 and R5 are the branch gateways with 4.4.4.0/24 and 5.5.5.0/24 on their loopbacks, and R3 stands in for the public network: it carries only the ESP traffic between the three public addresses and has no routes to any of the private networks.
R1 configuration (the headquarters LAN router; it has no crypto configuration and simply default-routes to R2)
hostname R1
!
no ip domain lookup
!
interface Loopback0
no shutdown
ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0/0
no shutdown
ip address 10.0.0.1 255.255.255.0
duplex auto
!
interface Ethernet0/1
no shutdown
no ip address
shutdown
duplex auto
!
interface Ethernet0/2
no shutdown
no ip address
shutdown
duplex auto
!
interface Ethernet0/3
no shutdown
no ip address
shutdown
duplex auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.0.0.2
!
Configuration on R2 (headquarters gateway; it terminates one tunnel to each branch)
hostname R2
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 34.34.34.4
crypto isakmp key cisco address 35.35.35.5
!
!
crypto ipsec transform-set trans123 esp-des esp-md5-hmac
mode tunnel
!
!
!
crypto map map123 10 ipsec-isakmp
set peer 34.34.34.4
set peer 35.35.35.5
set transform-set trans123
match address vpn
!
!
interface Ethernet0/0
no shutdown
ip address 10.0.0.2 255.255.255.0
duplex auto
!
interface Ethernet0/1
no shutdown
ip address 23.23.23.2 255.255.255.0
duplex auto
crypto map map123
!
interface Ethernet0/2
no shutdown
no ip address
shutdown
duplex auto
!
interface Ethernet0/3
no shutdown
no ip address
shutdown
duplex auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 23.23.23.3
ip route 1.1.1.0 255.255.255.0 10.0.0.1
!
ip access-list extended vpn
permit ip 1.1.1.0 0.0.0.255 4.4.4.0 0.0.0.255
permit ip 1.1.1.0 0.0.0.255 5.5.5.0 0.0.0.255
!
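The crypto settings above are what the lab needs in order to work, not what belongs in production. IKE uses 3DES, MD5 and DH group 2 (1024-bit), the data plane uses single DES (56-bit key) with HMAC-MD5, and all three routers share the pre-shared key "cisco", so a key recovered from any one branch breaks every tunnel, not just that branch's own. A single crypto map entry with two "set peer" lines and one two-line ACL also leaves the choice of peer to the peer-order fallback that IOS provides for redundant peers protecting the same networks; for a mesh, one map entry per peer with its own ACL makes the peer for each flow explicit. The block below is an added, hardened equivalent of R2's crypto section written for this edit, not configuration from the original lab. It assumes an IOS release with AES, SHA-256 and DH group 14 support (15.x); the key strings are placeholders to be replaced with distinct random secrets, and the ACL and map names are chosen here.

```cisco
! R2 (headquarters gateway): hardened replacement for the crypto section above.
! Added example, not the lab's own configuration. Key strings are placeholders.
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
! One key per peer: a key leaked from one branch no longer exposes the other tunnel.
crypto isakmp key REPLACE-WITH-RANDOM-R4-KEY address 34.34.34.4 no-xauth
crypto isakmp key REPLACE-WITH-RANDOM-R5-KEY address 35.35.35.5 no-xauth
!
! Dead peer detection: tear down a stale SA instead of blackholing traffic behind it.
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set STRONG esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! One crypto ACL per peer; each must be the mirror image of that peer's ACL.
ip access-list extended VPN-TO-R4
 permit ip 1.1.1.0 0.0.0.255 4.4.4.0 0.0.0.255
ip access-list extended VPN-TO-R5
 permit ip 1.1.1.0 0.0.0.255 5.5.5.0 0.0.0.255
!
! One map entry per peer, so the peer a flow is negotiated with is fixed by the
! map entry rather than by the order of 'set peer' lines. PFS forces a fresh
! DH exchange for every IPsec SA rekey.
crypto map map123 10 ipsec-isakmp
 set peer 34.34.34.4
 set transform-set STRONG
 set pfs group14
 match address VPN-TO-R4
crypto map map123 20 ipsec-isakmp
 set peer 35.35.35.5
 set transform-set STRONG
 set pfs group14
 match address VPN-TO-R5
!
interface Ethernet0/1
 crypto map map123
```

R4 and R5 get the mirror image: one map entry per peer, an ACL whose source and destination are swapped relative to the peer's ACL, and the same two distinct keys (R4 holds the R2-R4 key and a separate R4-R5 key). Any ACL pair that is not an exact mirror shows up as a Phase 2 (quick mode) proposal failure on the responder, so after changing ACLs clear the existing SAs with "clear crypto sa" before re-testing.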
Configuration on R3 (the simulated public network; interfaces only, with no crypto and no routes to the private networks)
hostname R3
!
interface Ethernet0/0
no shutdown
ip address 34.34.34.3 255.255.255.0
duplex auto
!
interface Ethernet0/1
no shutdown
ip address 23.23.23.3 255.255.255.0
duplex auto
!
interface Ethernet0/2
no shutdown
ip address 35.35.35.3 255.255.255.0
duplex auto
!
interface Ethernet0/3
no shutdown
no ip address
shutdown
duplex auto
!
Configuration on R4 (branch gateway)
!
hostname R4
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 35.35.35.5
crypto isakmp key cisco address 23.23.23.2
!
!
crypto ipsec transform-set trans123 esp-des esp-md5-hmac
mode tunnel
!
!
!
crypto map map123 10 ipsec-isakmp
set peer 23.23.23.2
set peer 35.35.35.5
set transform-set trans123
match address vpn
!
interface Loopback0
no shutdown
ip address 4.4.4.4 255.255.255.0
!
interface Ethernet0/0
no shutdown
ip address 34.34.34.4 255.255.255.0
duplex auto
crypto map map123
!
interface Ethernet0/1
no shutdown
no ip address
shutdown
duplex auto
!
interface Ethernet0/2
no shutdown
no ip address
shutdown
duplex auto
!
interface Ethernet0/3
no shutdown
no ip address
shutdown
duplex auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 34.34.34.3
!
ip access-list extended vpn
permit ip 4.4.4.0 0.0.0.255 1.1.1.0 0.0.0.255
permit ip 4.4.4.0 0.0.0.255 5.5.5.0 0.0.0.255
!
Configuration on R5 (branch gateway)
!
hostname R5
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 23.23.23.2
crypto isakmp key cisco address 34.34.34.4
!
!
crypto ipsec transform-set trans123 esp-des esp-md5-hmac
mode tunnel
!
!
!
crypto map map123 10 ipsec-isakmp
set peer 34.34.34.4
set peer 23.23.23.2
set transform-set trans123
match address vpn
!
!
interface Loopback0
no shutdown
ip address 5.5.5.5 255.255.255.0
!
interface Ethernet0/0
no shutdown
no ip address
shutdown
duplex auto
!
interface Ethernet0/1
no shutdown
no ip address
shutdown
duplex auto
!
interface Ethernet0/2
no shutdown
ip address 35.35.35.5 255.255.255.0
duplex auto
crypto map map123
!
interface Ethernet0/3
no shutdown
no ip address
shutdown
duplex auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 35.35.35.3
!
ip access-list extended vpn
permit ip 5.5.5.0 0.0.0.255 1.1.1.0 0.0.0.255
permit ip 5.5.5.0 0.0.0.255 4.4.4.0 0.0.0.255
!
On R1, ping 4.4.4.4 and 5.5.5.5, sourcing the packets from 1.1.1.1 so that they match R2's crypto ACL (a ping sourced from 10.0.0.1 would not match and would be forwarded in the clear to R3, which has no route for it)
R1#ping 4.4.4.4 source 1.1.1.1 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/1/1 ms
R1#ping 5.5.5.5 source 1.1.1.1 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/1/2 ms
On R4, ping 1.1.1.1 and 5.5.5.5 (sourced from 4.4.4.4)
R4#ping 1.1.1.1 source 4.4.4.4 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.4
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 2/4/6 ms
R4#ping 5.5.5.5 source 4.4.4.4 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.4
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 2/4/11 ms
On R5, ping 1.1.1.1 and 4.4.4.4 (sourced from 5.5.5.5)
R5#ping 1.1.1.1 source 5.5.5.5 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 5.5.5.5
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/4/8 ms
R5#ping 4.4.4.4 source 5.5.5.5 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 5.5.5.5
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/4/6 ms
Check the SA state on R2, R4 and R5
R2#show crypto engine connections ac
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
   17  IPsec   DES+MD5                   0       99       99 23.23.23.2
   18  IPsec   DES+MD5                  99        0        0 23.23.23.2
   19  IPsec   DES+MD5                   0       99       99 23.23.23.2
   20  IPsec   DES+MD5                  99        0        0 23.23.23.2
 1001  IKE     MD5+3DES                  0        0        0 23.23.23.2
 1002  IKE     MD5+3DES                  0        0        0 23.23.23.2
R4#show crypto engine connections ac
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
   13  IPsec   DES+MD5                   0       99       99 34.34.34.4
   14  IPsec   DES+MD5                  99        0        0 34.34.34.4
   15  IPsec   DES+MD5                   0       99       99 34.34.34.4
   16  IPsec   DES+MD5                  99        0        0 34.34.34.4
 1001  IKE     MD5+3DES                  0        0        0 34.34.34.4
 1003  IKE     MD5+3DES                  0        0        0 34.34.34.4
R5#show crypto engine connections active
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
   13  IPsec   DES+MD5                   0       99       99 35.35.35.5
   14  IPsec   DES+MD5                  99        0        0 35.35.35.5
   15  IPsec   DES+MD5                   0       99       99 35.35.35.5
   16  IPsec   DES+MD5                  99        0        0 35.35.35.5
 1002  IKE     MD5+3DES                  0        0        0 35.35.35.5
 1003  IKE     MD5+3DES                  0        0        0 35.35.35.5
Each router holds two ISAKMP SAs (the IKE rows, one per peer) and four IPsec SAs: each of the two lines in its crypto ACL negotiates its own pair of unidirectional IPsec SAs, one inbound (the rows with a Decrypt count) and one outbound (the rows with an Encrypt count). The non-zero Encrypt and Decrypt counters confirm that the test traffic was carried inside the tunnels rather than forwarded in the clear.
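"show crypto engine connections" gives the totals but not which peer, map entry or ACL line produced each SA. The commands below are added here for this edit (not part of the original lab) and are written for R2 using this topology's peer addresses; they separate the two phases and tie each SA back to the entry that created it, which is what you need when one branch works and the other does not.

```cisco
! Added verification commands for R2; not from the original lab.
! Phase 1: one entry per peer is expected (two here), state QM_IDLE once established.
show crypto isakmp sa
show crypto session detail
! Phase 2, per peer: 'local ident'/'remote ident' must be the mirror image of the
! peer's crypto ACL, and '#pkts encaps' / '#pkts decaps' should both advance.
show crypto ipsec sa peer 34.34.34.4
show crypto ipsec sa peer 35.35.35.5
! Which map entry, peer list and ACL are bound to the outside interface.
show crypto map interface Ethernet0/1
! Crypto ACL hit counts: a line that never increments means that flow is not
! reaching the interface, or is being routed without matching the map.
show access-lists vpn
! Re-test negotiation from scratch (disruptive: drops the live tunnels).
clear crypto sa
clear crypto isakmp
```

Run the same set on R4 and R5 with the peer addresses swapped accordingly; a branch whose "show crypto isakmp sa" is empty while the hub's shows an SA for it usually points at a pre-shared key or policy mismatch, whereas an established Phase 1 with no IPsec SA points at the crypto ACLs not mirroring each other.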