您好,欢迎访问三七文档
当前位置:首页 > 商业/管理/HR > 经营企划 > CISCO-IPsec-VPN配置大全
CISCOIPsecVPN配置大全一.基于PSK的IPsecVPN配置首先IOS带k的就可以了,支持加密特性,拓扑如下:,S1fX!Ms1.R1基本配置:R1(config)#interfaceloopback0R1(config-if)#ipaddress10.1.1.1255.255.255.0^R1(config-if)#noshutdown2A9T-u!]&w0v@+y.gR1(config-if)#interfaceserial0/0R1(config-if)#ipaddress192.168.1.1255.255.255.252纽爱科网络实验室社区+l6m7Q$G6K2j1G7D1|R1(config-if)#clockrate56000R1(config-if)#noshutdown2g'E6g*g(m;~$k'e;RR1(config-if)#exit9e3h1Op4A%i*J3U2.定义感兴趣流量与路由协议:R1(config)#access-list100permitip10.1.1.00.0.0.25510.2.2.00.0.0.255R1(config)#iproute0.0.0.00.0.0.0serial0/08]6T1P4p(`1d&G'h9u#K3.全局启用ISAKMP并定义对等体及其PSK(预共享密钥):.|']%D3~.y6ui$XR1(config)#cryptoisakmpenable!d7o/y8VFR1(config)#cryptoisakmpkey91labaddress192.168.1.23X6i1}7K1c'@4I:v4.定义IKE策略:R1(config)#cryptoisakmppolicy104V)f2v(F*H.w8K.j:b*v!FR1(config-isakmp)#encryptionaes128/---默认是DES加密---/$Y5r8b5i'W2F-e,b/VR1(config-isakmp)#hashsha/---默认是SHA-1---/R1(config-isakmp)#authenticationpre-share5R-f%p3T#d9q#@hR1(config-isakmp)#group2/---默认是768位的DH1---/R1(config-isakmp)#lifetime3600/---默认是86400秒---/!T(a&D;|5nR1(config-isakmp)#exit3d(x9J$c'k5.定义IPSec转换集(transformset):4n:T/J3|7Z4n&x._!KR1(config)#cryptoipsectransform-setttesp-aes128esp-sha-hmacR1(cfg-crypto-trans)#modetunnelR1(cfg-crypto-trans)#exit纽爱科网络实验室社区;K,y1G([(q[6.定义cryptomap并应用在接口上:R1(config)#cryptomapcisco10ipsec-isakmpR1(config-crypto-map)#matchaddress100R1(config-crypto-map)#setpeer192.168.1.2/---定义要应用cryptomap的对等体地址---/R1(config-crypto-map)#settransform-settt/---定义cryptomap要应用的IPsec转换集---/R1(config-crypto-map)#exitR1(config)#interfaceserial0/0(config-if)#cryptomapcisco*Mar100:08:31.131:%CRYPTO-6-ISAKMP_ON_OFF:ISAKMPisON(UbX%W+N1_6Xc.yR1(config-if)#end8F*a9d3D1JR1#纽爱科网络实验室社区.j-l*{'P2r?R1配置完成.同理,R2相关配置如下:纽爱科网络实验室社区,p$`0B&u,Q5K!!4q:g6B1Z!Ecryptoisakmppolicy109m7~5{6q&s5x6sencraes$n9V!d+Q5N~0k']6?`:Mauthenticationpre-share(|5}'ox5M']U2v(\group2cryptoisakmpkey91labaddress192.168.1.1)p&c-X2R/A5x9s1[1D)o!8b9H0K1s,P']:w,a!Q(f!纽爱科网络实验室社区&{$`1U'M5\cryptoipsectransform-setttesp-aesesp-sha-hmac!$j)x#y.E#U/}-M+Ecryptomapcisco10ipsec-isakmp纽爱科网络实验室社区v'u#z9q1_&wsetpeer192.168.1.12I(_:^;U&wb4Y2T%l&Bsettransform-setttmatchaddress100纽爱科网络实验室社区0|-?.I.I'_'j!4s0Z.A8S9f0W!纽爱科网络实验室社区'Zl2M,a1l3G#_'D$^'P3q4{!8d1b.P7[4@*z!*h1U&D4]9l$h2z!I&finterfaceLoopback0ipaddress10.2.2.1255.255.255.0!:A!o(Y%K/EinterfaceSerial0/0ipaddress192.168.1.2255.255.255.252cryptomapcisco纽爱科网络实验室社区-W.a;m'Q$R^(?7h:J'|!iproute0.0.0.00.0.0.0Serial0/0!access-list100permitip10.2.2.00.0.0.25510.1.1.00.0.0.2551l;~/Q[h5`5}0{9c/q!二.采用积极模式并PSK的IPsecVPN配置/U4t-W)r+G'E%U(dl{%T9O/X3N3Hz&S4{!u1.R1基本配置:-F!W(Z3c7hR1(config)#interfaceloopback01o-D8@)Z&S,b(s/G4ZR1(config-if)#ipaddress10.1.1.1255.255.255.0b/@8o:m,c%m:g5i%H9K4NR1(config-if)#noshutdown.}!s8MH/SR1(config-if)#interfaceserial0/0R1(config-if)#ipaddress192.168.1.1255.255.255.252!U'W)R&T3?0B)HR1(config-if)#clockrate56000R1(config-if)#noshutdownR1(config-if)#exit2.定义感兴趣流量与路由协议:R1(config)#access-list100permitip10.1.1.00.0.0.25510.2.2.00.0.0.255R1(config)#iproute0.0.0.00.0.0.0serial0/03.全局启用ISAKMP并定义对等体及其PSK(预共享密钥),采用积极模式:R1(config)#cryptoisakmpenable纽爱科网络实验室社区$F-DK!{*X1P#i&nPR1(config)#cryptoisakmppeeraddress192.168.1.2R1(config-isakmp-peer)#setaggressive-modeclient-endpointipv4-address192.168.1.1R1(config-isakmp-peer)#setaggressive-modepassword91lab4.定义IKE策略:R1(config)#cryptoisakmppolicy10)a'a;]2G8v,UR1(config-isakmp)#encryptionaes128/---默认是DES加密---/R1(config-isakmp)#hashsha/---默认是SHA-1---/R1(config-isakmp)#authenticationpre-share9j9d0y3X6]7DR1(config-isakmp)#group2/---默认是768位的DH1---/R1(config-isakmp)#lifetime3600/---默认是86400秒---/R1(config-isakmp)#exit&A%u0n']3G#|7p)D)P3k#w4k;M7j(?%R8b4l1J5v+b-r+b5.定义IPSec转换集(transformset):R1(config)#cryptoipsectransform-setttesp-aes128esp-sha-hmac纽爱科网络实验室社区9s)j1v,q2^8D3X4V%cR1(cfg-crypto-trans)#modetunnelR1(cfg-crypto-trans)#exit!l(o1?,t0u&{6.定义cryptomap并应用在接口上:R1(config)#cryptomapcisco10ipsec-isakmpR1(config-crypto-map)#matchaddress1003?,H7f:z&?R1(config-crypto-map)#setpeer192.168.1.2/---定义要应用cryptomap的对等体地址---/R1(config-crypto-map)#settransform-settt/---定义cryptomap要应用的IPsec转换集---/纽爱科网络实验室社区;x!}+i:I7\4XR1(config-crypto-map)#exitR1(config)#interfaceserial0/00yF1d'B-G({R1(config-if)#cryptomapcisco纽爱科网络实验室社区0P7[&P:|(t$b,m#K)a*Mar100:08:31.131:%CRYPTO-6-ISAKMP_ON_OFF:ISAKMPisON'^(I*V1E.o.P*Y3h2q_%m8]0[&w)\$?R1(config-if)#end's%^-g-H8?*lR1#R1配置完成.e*v+T)w$p同理,R2配置如下:%}{1r:l2q]0w!?!r7W%N(]%b,R!T3]&X-S;x4s5B2j%g&Lcryptoisakmppolicy10encraes纽爱科网络实验室社区4e$jA;O!Y2}VKauthenticationpre-share!A9op!X+@5~group2+t?9Q(J4Q;`!v0j!cryptoisakmppeeraddress192.168.1.1[0`(a`-Isetaggressive-modepassword91labsetaggressive-modeclient-endpointipv4-address192.168.1.1~3R$a9~!9P1D6H+f.L!z6U3b;Q9C1j4t.G;Ecryptoipsectransform-setttesp-aesesp-sha-hmac8L,C:|(p$O!6O3I0}3Z-q!X)bcryptomapcisco10ipsec-isakmp*G#^i3W0^.j)o7G*a2I/@4Y1vsetpeer192.168.1.1settransform-setttmatchaddress100!纽爱科网络
本文标题:CISCO-IPsec-VPN配置大全
链接地址:https://www.777doc.com/doc-4292995 .html