This is a lab built with six routers. In the middle, R3 represents the ISP; R2 represents the company headquarters and links the ISP to the internal LAN; R1 plays the role of a PC inside the company. The goal of the lab is to configure and verify a site-to-site IPsec VPN. The topology diagram is below. The full configuration commands follow:
R2:

r2#show runn
Building configuration...

Current configuration : 1337 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
no ip domain lookup
!
crypto isakmp policy 1                ## define the IKE (ISAKMP) policy
 encryption des                       ## encryption: the symmetric cipher DES
 group 1                              ## key exchange: Diffie-Hellman group 1
 hash md5                             ## integrity/authentication hash: MD5
 authentication pre-share             ## authenticate with a pre-shared key. DES and group 1 are the defaults, so they do not appear in show run, but they still have to be configured
crypto isakmp key 6 cisco address 192.168.5.2   ## the pre-shared key and the peer it is shared with
!
crypto ipsec transform-set ccnp ah-md5-hmac     ## define an IPsec transform set named ccnp that uses AH only; no ESP, so the data is authenticated but not encrypted
!
crypto map mymap 1 ipsec-isakmp       ## define a crypto map named mymap; it references ACL 110 and the transform set ccnp defined above, and sets the peer address
 set peer 192.168.5.2                 ## peer address
 set transform-set ccnp               ## reference the transform set ccnp
 match address 110                    ## reference ACL 110
!
interface Ethernet0/0
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside                        ## inside (LAN) interface, NAT enabled
 ip virtual-reassembly
 half-duplex
!
interface Ethernet0/2
 ip address 192.168.4.1 255.255.255.0
 ip nat outside                       ## outside interface facing the ISP; private addresses are translated to this interface's public address to reach the Internet
 ip virtual-reassembly
 half-duplex
 crypto map mymap
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.4.2  ## default route to the ISP; the next hop is the address on the link to the ISP
!
ip nat inside source list 100 interface Ethernet0/2 overload   ## enable NAT using ACL 100; addresses matching ACL 100 are translated
!
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255   ## ACL 100 selects the private addresses NAT should translate; the VPN-bound traffic is denied first so it is not translated (on outbound traffic NAT runs before the crypto map, so a translated packet would no longer match ACL 110)
access-list 100 permit ip 192.168.1.0 0.0.0.255 any                    ## these are the private addresses that NAT translates
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 ## ACL 110 selects the traffic the VPN protects: when 192.168.1.0 talks to 192.168.2.0, the ISAKMP and IPsec settings defined above are applied
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
end
r2#

r1: this router acts as the headquarters PC

r1#ping 192.168.2.2   ## reaching the branch-office PC address shows the VPN works (the first echo is lost while the tunnel is being negotiated)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 120/194/232 ms
r1#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 124/138/160 ms
r1#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 104/164/216 ms
r1#ping 192.168.3.2   ## reaching 3.2, which represents an Internet address, shows NAT works
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/151/220 ms
r1#show runn
Building configuration...

Current configuration : 806 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
no ip routing
!
no ip cef
no ip domain lookup
!
interface Ethernet0/0
 no ip address
 no ip route-cache
 shutdown
 half-duplex
!
interface Ethernet0/1
 ip address 192.168.1.2 255.255.255.0
 no ip route-cache
 half-duplex
!
interface Ethernet0/2
 no ip address
 no ip route-cache
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 no ip route-cache
 shutdown
 half-duplex
!
ip default-gateway 192.168.1.1
ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
end
r1#

r3: this router acts as the ISP router and connects three networks: the 3.0 subnet (the Internet), the 4.0 subnet toward headquarters and the 5.0 subnet toward the branch office. Its configuration is simple; assigning the three addresses is all it takes.

r3>en
r3#show runn
Building configuration...

Current configuration : 708 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
no ip domain lookup
!
interface Ethernet0/0
 ip address 192.168.3.1 255.255.255.0   ## connects to the 3.0 subnet, which represents the Internet
 half-duplex
!
interface Ethernet0/1
 ip address 192.168.4.2 255.255.255.0   ## connects to the headquarters router
 half-duplex
!
interface Ethernet0/2
 ip address 192.168.5.1 255.255.255.0   ## connects to the branch-office router
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
end
r3#

r4: the router connected to the branch office. Its configuration is similar to r2's, so it is not walked through separately; only the differences are shown.

2, changed state to up
r4(config-if)#
r4(config-if)#ex
r4(config)#in e0/1
r4(config-if)#ip nat ou
r4(config-if)#ip nat outside
r4(config-if)#
*Mar 1 00:12:48.551: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to upex
r4(config)#in e0/2
r4(config-if)#ip nat ins
r4(config-if)#ex
r4(config)#acc
r4(config)#access-list 100 den
r4(config)#$ 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
r4(config)#acc
r4(config)#access-list 100 per
r4(config)#access-list 100 permit ip 192.168.2.0 0.0.0.255 any
r4(config)#ip nat inside sourc list 100 in
r4(config)#ip nat inside sourc list 100 interface e0/1 ove
r4(config)#ip route 0.0.0.0 0.0.0.0 192.168.5.1
r4(config)#
r4(config)#acc
r4(config)#access-list 110 per
r4(config)#$ 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
r4(config)#cry
r4(config)#crypto is
r4(config)#crypto isakmp po
r4(config)#crypto isakmp policy ?
  <1-10000>  Priority of protection suite
r4(config)#crypto isakmp policy 1 ?
  <cr>
r4(config)#crypto isakmp policy 1
r4(config-isakmp)#en
r4(config-isakmp)#encryption des
r4(config-isakmp)#hash mdt
                       ^
% Invalid input detected at '^' marker.
r4(config-isakmp)#hash md5
r4(config-isakmp)#auth
r4(config-isakmp)#authentication pre
r4(config-isakmp)#authentication pre-share
r4(config-isakmp)#gr
r4(config-isakmp)#group 1
r4(config-isakmp)#ex
r4(config)#cry
r4(config)#crypto is
r4(config)#crypto isakmp key 6 cisco add ?
  A.B.C.D  Peer IP address
r4(config)#crypto isakmp key 6 cisco add 192.168.4.1 ?
  A.B.C.D   Peer IP subnet mask
  no-xauth  Bypasses XAuth for this peer
  <cr>
r4(config)#crypto isakmp key 6 cisco add 192.168.4.1
r4(config)#cry ip
r4(config)#cry ipsec tran
r4(config)#cry ipsec transform-set ccnp ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  comp-lzs      IP Compression using the LZS compression algorithm
  esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)
  esp-aes       ESP transform using AES cipher
  esp-des       ESP transform using DES cipher (56 bits)
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-null      ESP transform w/o cipher
  esp-seal      ESP transform using SEAL cipher (160 bits)
  esp-sha-hmac  ESP transform using HMAC-SHA auth
r4(config)#cry ipsec transform-set ccnp ah
r4(config)#cry ipsec transform-set ccnp ah-m
r4(config)#cry ipsec transform-set ccnp ah-md5-hmac
r4(cfg-crypto-trans)#exit
r4(config)#cry
r4(config)#crypto map mymap 1 ips
r4(config)#crypto map mymap 1 ipsec-is
r4(config)#crypto map mymap 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
r4(config-crypto-map)#mat
r4(config-crypto-map)#match add 110
r4(config-crypto-map)#set tr
r4(config-crypto-map)#set transform-set ccnp
r4(config-crypto-map)#set peer 192.168.4.1
r4(config-crypto-map)#ex
r4(config)#in e0/1
r4(config-if)#cry map mymap
r4(config-if)#ex
*Mar 1 00:18:34.063: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
r4(config)#end
r4#show ru
*Mar 1 00:19:44.447: %SYS-5-CONFIG_I: Configured from console by consolenn
Building configuration...

Current configuration : 1337 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r4
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
no ip domain lookup
!
crypto isakmp policy 1   ## must be identical to r2's configuration; only the peer address changes, to r2's public interface address
 hash md5
 authentication pre-share
crypto isakmp key 6 cisco address 192.168.4.1
!
crypto ipsec transform-set ccnp ah-md5-hmac
!
crypto map mymap 1 ipsec-isakmp
 set peer 192.168.4.1
 set transform-set ccnp
 match address 110
!
interface Ethernet0/0
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/1
 ip address 192.168.5.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 half-duplex
 crypto map mymap
!
interface Ethernet0/2
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.5.1
!
ip nat inside source list 100 interface Ethernet0/1 overload
!
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
end
r4#

r5: this router is the branch-office PC; it needs to reach the headquarters 1.0 subnet.

r5>en
r5#show runn
Building configuration...

Current configuration : 806 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r5
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
no ip routing
!
no ip cef
no ip domain lookup
!
interface Ethernet0/0
 no ip address
 no ip route-cache
 shutdown
 half-duplex
!
interface Ethernet0/1
 ip address 192.168.2.2 255.255.255.0
 no ip route-cache
 half-duplex
!
interface Ethernet0/2
 no ip address
 no ip route-cache
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 no ip route-cache
 shutdown
 half-duplex
!
ip default-gateway 192.168.2.1
ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
end
r5#ping 192.168.1.2   ## the headquarters PC is reachable, which shows the VPN works
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 124/135/144 ms
r5#

r6: this router represents server resources on the Internet.

r6>en
r6#show runn
Building configuration...

Current configuration : 806 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r6
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
no ip routing
!
no ip cef
no ip domain lookup
!
interface Ethernet0/0
 no ip address
 no ip route-cache
 shutdown
 half-duplex
!
interface Ethernet0/1
 ip address 192.168.3.2 255.255.255.0
 no ip route-cache
 half-duplex
!
interface Ethernet0/2
 no ip address
 no ip route-cache
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 no ip route-cache
 shutdown
 half-duplex
!
ip default-gateway 192.168.3.1
ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
end
r6#
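A consistency check for the two VPN gateways, worth running before reaching for ping. This is added example code, not part of the original post; the R2 and R4 snippets inside it are constructed from the configs above, and the rules it applies are the ones the annotations describe: each side's peer must be the other side's crypto-map interface, the crypto ACLs must mirror each other, the NAT ACL must exempt the crypto ACL traffic, and an AH-only transform set authenticates without encrypting.

```python
import re

# Constructed from the R2 and R4 configs on this page, trimmed to the lines the checks need.
R2 = """crypto isakmp key 6 cisco address 192.168.5.2
crypto ipsec transform-set ccnp ah-md5-hmac
 set peer 192.168.5.2
interface Ethernet0/2
 ip address 192.168.4.1 255.255.255.0
 crypto map mymap
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255"""
R4 = """crypto isakmp key 6 cisco address 192.168.4.1
crypto ipsec transform-set ccnp ah-md5-hmac
 set peer 192.168.4.1
interface Ethernet0/1
 ip address 192.168.5.2 255.255.255.0
 crypto map mymap
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255"""
ESP_CIPHERS = {"esp-des", "esp-3des", "esp-aes", "esp-seal"}  # ESP transforms that encrypt

def parse(cfg):
    """Extract the parts of a crypto-map site-to-site config that must line up with the peer."""
    find = lambda pat: re.findall(pat, cfg, re.M)
    return {
        "peer": find(r"^ set peer (\S+)")[0],
        "transform": find(r"^crypto ipsec transform-set \S+ (.+)$")[0].split(),
        # address of the interface carrying the crypto map; the other side's peer must be this
        "local": find(r"^interface \S+\n ip address (\S+) \S+\n crypto map")[0],
        "crypto_acl": find(r"^access-list 110 permit ip (\S+ \S+) (\S+ \S+)"),
        "nat_deny": find(r"^access-list 100 deny ip (\S+ \S+) (\S+ \S+)"),
    }

def check(a, b):
    """Return findings for a pair of peers; an empty list means both sides mirror each other."""
    out = []
    if a["peer"] != b["local"] or b["peer"] != a["local"]:
        out.append("set peer does not point at the other side's crypto-map interface")
    if a["transform"] != b["transform"]:
        out.append("transform sets differ")
    if not ESP_CIPHERS & set(a["transform"]):
        out.append("no ESP cipher: AH-only authenticates packets but sends the payload in cleartext")
    # each side's crypto ACL must equal the other side's with source and destination swapped
    if set(a["crypto_acl"]) != {(d, s) for s, d in b["crypto_acl"]}:
        out.append("crypto ACLs are not mirror images")
    for side in (a, b):  # NAT runs before the crypto map, so VPN traffic must be exempted from it
        if not set(side["crypto_acl"]) <= set(side["nat_deny"]):
            out.append("NAT ACL does not exempt the VPN traffic, so it would be translated first")
    return out
```

Run against the lab's own R2 and R4 the only finding is the AH-only transform set; removing either NAT deny line or changing one peer address produces a finding for that mistake.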
Archiver | ROS软路由论坛 ROSABC.com (ROS soft-router forum): network solutions and network engineering discussion