ROS Soft Router Forum ROSABC.com: network solutions and network engineering exchange

Configuration example and method for implementing an IPsec VPN on Cisco routers

2014-8-13 16:13 | Posted by: admin | Views: 494 | Comments: 0


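To implement an IPsec VPN with Cisco routers, here is a worked example for reference, including the topology and all of the configuration commands. The method is secondary; what matters is understanding the principle and how it is applied in day-to-day work. The setup has 4 routers, 2 PC clients and 2 servers, with the following network topology: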

IP addresses

Device    Interface  IP address
R1        F0/0       1.1.1.1/24
R1        F0/1       192.168.1.1/24
R2        F0/0       1.1.1.2/24
R2        F0/1       2.2.2.2/24
R3        F0/0       2.2.2.3/24
R3        F0/1       3.3.3.1/24
R4        F0/0       3.3.3.2/24
R4        F0/1       192.168.2.1/24
Server0   -          192.168.1.3/24
Server1   -          192.168.2.3/24
PC0       -          192.168.1.2/24
PC1       -          192.168.2.2/24

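1. R2 and R3 run the OSPF protocol.

2. R1 and R4 are configured with static default routes. At this point pc1 cannot ping R2, R3 or R4, pc2 cannot ping R1, R2 or R3, and pc1 and pc2 cannot reach each other.

3. The IPsec VPN is configured on R1 and R4 (once it is configured successfully, pc1, pc2, server0 and server1 can all reach each other).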

Configuration on R1:

R1#show run
Building configuration...

Current configuration : 1091 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 lifetime 14400
!
crypto isakmp key 123 address 3.3.3.2
!
!
crypto ipsec transform-set cmap1 esp-3des esp-sha-hmac
!
crypto map cmap1 1 ipsec-isakmp
 set peer 3.3.3.2
 set security-association lifetime seconds 1800
 set transform-set cmap1
 match address 111
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map cmap1
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown

ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
!
access-list 111 permit ip any any
line con 0
line vty 0 4
 login

end

Configuration on router R2:

R2#show run
Building configuration...

Current configuration : 601 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R2
!
!
interface FastEthernet0/0
 ip address 1.1.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 2.2.2.2 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 redistribute static subnets
 network 1.1.1.0 0.0.0.255 area 0
 network 2.2.2.0 0.0.0.255 area 0
!
ip classless
!
line con 0
line vty 0 4
 login
!
!
!
end

Configuration on router R3:

R3#show run
Building configuration...

Current configuration : 601 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R3
!
!
!
!
interface FastEthernet0/0
 ip address 2.2.2.3 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 3.3.3.1 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 redistribute static subnets
 network 2.2.2.0 0.0.0.255 area 0
 network 3.3.3.0 0.0.0.255 area 0
!
ip classless
!
!
line con 0
line vty 0 4
 login
!
!
!
end

Configuration on router R4:

R4#show run
Building configuration...

Current configuration : 881 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R4
!
!
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 lifetime 14400
!
crypto isakmp key 123 address 1.1.1.1
!
!
crypto ipsec transform-set cmap1 esp-3des esp-sha-hmac
!
crypto map cmap1 1 ipsec-isakmp
 set peer 1.1.1.1
 set security-association lifetime seconds 1800
 set transform-set cmap1
 match address 111
!
interface FastEthernet0/0
 ip address 3.3.3.2 255.255.255.0
 duplex auto
 speed auto
 crypto map cmap1
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
access-list 111 permit ip any any
!
!
!
!
!
line con 0
line vty 0 4
 login
!
!
!
end

Test results:

PC0 can ping the hosts at the remote end and can also log in to the web server, but with
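
The weak points in the R1 and R4 crypto settings above (3DES, no `group` line, the pre-shared key `123`, and a crypto ACL of `permit ip any any`) can be checked mechanically; the following Python audit is an added example, not part of the original article, and it also builds one corrected variant of the same lines. The finding names, the 20-character key threshold, the placeholder key and `group 14` (which needs an IOS release that supports it) are assumptions made for illustration.

```python
import re

# Crypto-relevant lines of R1's running config from this page (trimmed).
R1_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 lifetime 14400
crypto isakmp key 123 address 3.3.3.2
crypto ipsec transform-set cmap1 esp-3des esp-sha-hmac
crypto map cmap1 1 ipsec-isakmp
 set peer 3.3.3.2
 set transform-set cmap1
 match address 111
access-list 111 permit ip any any
"""

# Constructed corrected variant (assumed values; the key is a placeholder).
HARDENED = (R1_CONFIG
    .replace(" encr 3des\n authentication pre-share", " encr aes 256\n authentication pre-share\n group 14")
    .replace("key 123 ", "key EXAMPLE-placeholder-not-a-real-key ")
    .replace("esp-3des", "esp-aes 256")
    .replace("permit ip any any", "permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255"))

MIN_PSK_LEN = 20  # assumed local policy threshold, not an IOS limit

def audit(config):
    """Return finding names (hypothetical labels) for one IOS config text."""
    findings = []
    # An ISAKMP policy is its header plus the indented lines under it.
    for body in re.findall(r"^crypto isakmp policy \d+\n((?: .*\n)*)", config, re.M):
        if re.search(r"^ encr\S* 3?des\b", body, re.M) or not re.search(r"^ encr", body, re.M):
            findings.append("ike-weak-cipher")  # no encr line means the DES default
        # show run omits defaults: no "group" line means DH group 1 on IOS 12.4.
        if not re.search(r"^ group \d+", body, re.M):
            findings.append("ike-default-dh-group")
    for key in re.findall(r"^crypto isakmp key (\S+) address", config, re.M):
        if len(key) < MIN_PSK_LEN:
            findings.append("weak-psk")
    if re.search(r"^crypto ipsec transform-set \S+ .*\besp-3?des\b", config, re.M):
        findings.append("esp-weak-cipher")
    # Only ACLs referenced by "match address" select traffic for the tunnel.
    for acl in sorted(set(re.findall(r"^ match address (\S+)", config, re.M))):
        if re.search(rf"^access-list {re.escape(acl)} permit ip any any\b", config, re.M):
            findings.append("crypto-acl-any-any")
    return findings

if __name__ == "__main__":
    print(audit(R1_CONFIG), audit(HARDENED))
```

The narrowed ACL in the corrected variant is R1's side; R4 needs the mirror image (192.168.2.0 as source, 192.168.1.0 as destination) for the two crypto ACLs to match.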
