Configuring an IPsec VPN on Cisco routers

Step 1: Complete the basic configuration and make sure the network is reachable before the VPN is set up

Step 2: Create the IKE encryption policy

r1(config)#crypto isakmp policy 1

r1(config-isakmp)#encryption des               (message encryption algorithm)

r1(config-isakmp)#authentication pre-share      (peer authentication method)

r1(config-isakmp)#hash md5                  (message integrity algorithm)

r1(config-isakmp)#group 1                  (key exchange parameters)

r1#show crypto isakmp policy                (displays the configured policy)

Protection suite of priority 1
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit

Router B is configured the same way; note that the methods used on both ends must match.

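Step 3: Because a pre-shared key is used to authenticate the peer, define the key. Note that the key and the peer must be defined together.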

r1(config)#crypto isakmp key cisco address 135.25.1.2

r2(config)#crypto isakmp key cisco address 135.25.1.1

Step 4: Define the IPsec transform set

r1(config)#crypto ipsec transform-set future esp-des

r2(config)#crypto ipsec transform-set future esp-des

Note that the parameters on both ends must be the same.

r1#show crypto ipsec transform-set

Transform set future: { esp-des }
will negotiate = { Tunnel, }

Step 5: Define the traffic to be protected

r1(config)#access-list 101 permit ip 135.25.3.0 0.0.0.255 135.25.4.0 0.0.0.255

r2(config)#access-list 101 permit ip 135.25.4.0 0.0.0.255 135.25.3.0 0.0.0.255

Step 6: Configure the crypto map, which ties the encryption policy to the traffic

r1(config)#crypto map zhangyu 10 ipsec-isakmp

% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.

r1(config-crypto-map)#set peer 135.25.1.2

r1(config-crypto-map)#set transform-set future

r1(config-crypto-map)#match address 101

Router B is configured the same way.

Step 7: Apply the crypto map to the interface

r1(config)#int s 0

r1(config-if)#crypto map zhangyu

Step 8: Test by displaying the IPsec connections on router A

r1#show crypto engine connections active

ID Interface IP-Address State Algorithm Encrypt Decrypt

On PC1, ping 135.25.4.1

r1#show crypto engine connections active

ID Interface IP-Address State Algorithm Encrypt Decrypt
2000 Serial0 135.25.1.1 set DES_56_CBC 0 5
2001 Serial0 135.25.1.1 set DES_56_CBC
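
The `show crypto isakmp policy` and `show crypto ipsec transform-set` outputs from steps 2 and 4 can be checked for weak parameters before a tunnel goes into service. The Python script below is an added example, not part of the original walkthrough; the function name `audit`, the `WEAK` table and its thresholds (DES, MD5, DH groups 1/2/5, ESP without an integrity transform) are this example's assumptions.

```python
import re

# Constructed sample: the two "show" outputs from this walkthrough, concatenated.
SAMPLE = """\
Protection suite of priority 1
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Transform set future: { esp-des }
will negotiate = { Tunnel, }
"""

# Field name -> (pattern on the value, finding). Thresholds are assumptions of this example.
WEAK = {
    "encryption algorithm": (r"^DES\b", "56-bit DES encryption"),
    "hash algorithm": (r"^Message Digest 5", "MD5 hash"),
    "Diffie-Hellman group": (r"^#(1|2|5)\b", "DH group below 2048 bits"),
}

def audit(text):
    # Returns a list of (section, finding) tuples for weak IKE/IPsec parameters.
    findings, section = [], None
    for line in map(str.strip, text.splitlines()):
        ts = re.match(r"Transform set (\S+): \{(.*)\}", line)
        if ts:
            section, transforms = "transform-set " + ts.group(1), ts.group(2).split()
            if "esp-des" in transforms:
                findings.append((section, "56-bit DES encryption"))
            if not any(t.endswith("-hmac") or t.startswith("esp-gcm") for t in transforms):
                findings.append((section, "ESP without an integrity transform"))
        elif "protection suite" in line.lower():
            section = line  # start of a new IKE policy block
        elif ":" in line and section:
            field, value = (p.strip() for p in line.split(":", 1))
            rule = WEAK.get(field)
            if rule and re.search(rule[0], value):
                findings.append((section, rule[1]))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```
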