IPSec VPN Basic Configuration [Illustrated]

2020-05-17 09:18:12 Author: 小周

Original title: "IPSec VPN Basic Configuration [Illustrated]", a knowledge share about routers. Source material from the web; editor: kaka.


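Lab requirement: 192.168.1.100/24 reaches 172.16.1.100/24 through a configured IPSec VPN.

Configuration approach: R1, R2 and R3 use EIGRP to advertise the networks on their public interfaces (private IPs must not be advertised). Configure VPN so that the internal addresses behind R1 and R3 can reach R2's loopback address 2.2.2.2 (simulating a public server), then configure the IPSec VPN. Finally, R1 and R3 each get a default route pointing to the IP of the adjacent R2 interface.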

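IPSec VPN configuration steps:

1. Create an ACL that matches the interesting traffic

2. Configure the isakmp key and peer (public IP of the remote router)

3. Configure the isakmp policy

4. Configure the ipsec transform-set

5. Configure the crypto map (which ties the settings above together)

6. Apply it to the local router's outbound interface

Lab configuration: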

R1#


! Configure the isakmp policy
crypto isakmp policy 1
hash md5
authentication pre-share
group 2

! Configure the isakmp key and peer (public IP of the remote router)
crypto isakmp key cisco address 23.1.1.3

! Configure the ipsec transform-set
crypto ipsec transform-set 1 esp-3des esp-md5-hmac

! Configure the crypto map (ties the settings above together)
crypto map 1to3 1 ipsec-isakmp

set peer 23.1.1.3
set transform-set 1
match address 100

interface Loopback 0
ip address 1.1.1.1 255.255.255.0

interface FastEthernet 0/0
ip address 12.1.1.1 255.255.255.0
ip nat outside
! Apply the map to the local outbound interface
crypto map 1to3
no shutdown

interface FastEthernet 0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
no shutdown

router eigrp 100
network 12.1.1.0 0.0.0.255
network 1.1.1.0 0.0.0.255
no auto-summary

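! NAT is applied before the crypto map is checked, so the VPN flow is excluded from NAT (ACL 101)
ip nat inside source list 101 interface FastEthernet 0/0 overload

ip route 0.0.0.0 0.0.0.0 12.1.1.2

! Interesting traffic for the tunnel
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255

! Traffic to NAT: everything from the LAN except the VPN flow
access-list 101 deny ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any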

------------------------------------------------

R2#


interface Loopback 0
ip address 2.2.2.2 255.255.255.0

interface FastEthernet 0/0
ip address 23.1.1.2 255.255.255.0
no shutdown

interface FastEthernet 0/1
ip address 12.1.1.2 255.255.255.0
no shutdown

router eigrp 100
network 12.1.1.0 0.0.0.255
network 2.2.2.0 0.0.0.255
network 23.1.1.0 0.0.0.255
no auto-summary

-------------------------------------------------------

R3#


crypto isakmp policy 1
hash md5
authentication pre-share
group 2

crypto isakmp key cisco address 12.1.1.1

crypto ipsec transform-set 1 esp-3des esp-md5-hmac

crypto map 3to1 1 ipsec-isakmp
set peer 12.1.1.1
set transform-set 1
match address 100

interface Loopback 0
ip address 3.3.3.3 255.255.255.0

interface FastEthernet 0/0
ip address 172.16.1.1 255.255.255.0
ip nat inside
no shutdown

interface FastEthernet 0/1
ip address 23.1.1.3 255.255.255.0
ip nat outside
crypto map 3to1
no shutdown

router eigrp 100
network 23.1.1.0 0.0.0.255
network 3.3.3.0 0.0.0.255
no auto-summary

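! NAT is applied before the crypto map is checked, so the VPN flow is excluded from NAT (ACL 101)
ip nat inside source list 101 interface FastEthernet 0/1 overload

ip route 0.0.0.0 0.0.0.0 23.1.1.2

! Interesting traffic for the tunnel
access-list 100 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255

! Traffic to NAT: everything from the LAN except the VPN flow
access-list 101 deny ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 172.16.1.0 0.0.0.255 any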

--------------------------------------------------------

R1's routing table:

[Figure: R1 routing table]

--------------------------------------------------------------------------

R2's routing table:

[Figure: R2 routing table]

--------------------------------------------------------------------------------

Router R3:

[Figure: router R3]

------------------------------------------------------------------

PC 192.168.1.100:

[Figure: PC 192.168.1.100]

----------------------------------------------------

PC 172.16.1.100:

[Figure: PC 172.16.1.100]

--------------------------------------------------

*Lab result: with the IPSec VPN configured, 192.168.1.0/24 can reach the 172.16.1.0/24 network.
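
As an added example (not part of the original article), this Python check compares the crypto lines of the two tunnel endpoints: the ISAKMP policy and transform-set must match, the crypto ACLs must mirror each other, and the lab's MD5, 3DES and DH group 2 settings are flagged as deprecated for production use. The sample strings are constructed from the R1 and R3 configuration above; `parse` and `audit` are names chosen for this example.

```python
import re

# Constructed input: crypto-related lines of R1 and R3 from the lab above.
R1 = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 23.1.1.3
crypto ipsec transform-set 1 esp-3des esp-md5-hmac
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
"""
R3 = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 12.1.1.1
crypto ipsec transform-set 1 esp-3des esp-md5-hmac
access-list 100 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

# Settings used in this lab that are deprecated for production tunnels.
WEAK = {"hash md5": "IKE hash MD5", "group 2": "DH group 2 (1024-bit)",
        "esp-3des": "ESP 3DES", "esp-md5-hmac": "ESP HMAC-MD5"}

def parse(cfg):
    """Extract the fields both tunnel endpoints must agree on."""
    def find(pattern):
        m = re.search(pattern, cfg, re.M)
        return m.group(1) if m else ""
    return {"ike": [find(r"^\s*(hash \S+)"), find(r"^\s*(group \S+)")],
            "ts": find(r"^crypto ipsec transform-set \S+ (.+)$").split(),
            "acl": find(r"^access-list \d+ permit ip (.+)$").split()}

def audit(a_cfg, b_cfg):
    """Return weak-algorithm findings for A plus any A/B mismatches."""
    a, b = parse(a_cfg), parse(b_cfg)
    out = [f"weak: {WEAK[v]}" for v in a["ike"] + a["ts"] if v in WEAK]
    if a["ike"] != b["ike"]:
        out.append("mismatch: ISAKMP policy differs between peers")
    if a["ts"] != b["ts"]:
        out.append("mismatch: transform-set differs between peers")
    # Crypto ACLs must mirror each other: A's source is B's destination.
    if a["acl"][:2] != b["acl"][2:] or a["acl"][2:] != b["acl"][:2]:
        out.append("mismatch: crypto ACLs are not mirror images")
    return out

if __name__ == "__main__":
    print("\n".join(audit(R1, R3)))
```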
