Let's start with the first variant, IPsec over GRE. The topology is shown below:
Configuration:
R1:
```
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key root address 192.168.23.3
crypto ipsec transform-set r1set esp-3des esp-md5-hmac
crypto map r1map 10 ipsec-isakmp
 set peer 192.168.23.3
 set transform-set r1set
 match address r1***
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
interface Tunnel1
 ip address 172.16.13.1 255.255.255.0
 tunnel source Ethernet0/0
 tunnel destination 192.168.23.3
 tunnel key 120314
interface Ethernet0/0
 ip address 192.168.12.1 255.255.255.0
 half-duplex
 crypto map r1map
router ospf 100
 router-id 1.1.1.1
 log-adjacency-changes
 network 172.16.13.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
ip route 0.0.0.0 0.0.0.0 192.168.12.2
ip access-list extended r1***
 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
```
R2:
```
interface Ethernet0/0
 ip address 192.168.12.2 255.255.255.0
interface Ethernet0/1
 ip address 192.168.23.2 255.255.255.0
```
R3:
```
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key root address 192.168.12.1
crypto ipsec transform-set r3set esp-3des esp-md5-hmac
crypto map r3map 10 ipsec-isakmp
 set peer 192.168.12.1
 set transform-set r3set
 match address r3***
interface Loopback0
 ip address 192.168.3.3 255.255.255.0
interface Tunnel3
 ip address 172.16.13.3 255.255.255.0
 tunnel source Ethernet0/1
 tunnel destination 192.168.12.1
 tunnel key 120314
interface Ethernet0/1
 ip address 192.168.23.3 255.255.255.0
 half-duplex
 crypto map r3map
router ospf 100
 router-id 3.3.3.3
 log-adjacency-changes
 network 172.16.13.0 0.0.0.255 area 0
 network 192.168.3.0 0.0.0.255 area 0
ip route 0.0.0.0 0.0.0.0 192.168.23.2
ip access-list extended r3***
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
```
Test:
Analysis: when 192.168.3.3 pings 192.168.1.1, R3 first consults its routing table. The next hop for 192.168.1.1 is Tunnel3, and since Tunnel3 carries no crypto map, the packet is simply GRE-encapsulated with destination IP 192.168.12.1 and source IP 192.168.23.3. The routing table is then consulted a second time for this outer packet; the default route matches and the packet leaves through the directly connected interface E0/1. E0/1 does carry a crypto map, but the outer source and destination addresses no longer match the interesting traffic, so no ESP encapsulation happens: the packet is sent in the clear, with no encryption at all, and the *** plays no part in it.
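As an added example (not part of the original post), the following Python model replays R3's forwarding decision for that ping using the routes, tunnel endpoints and crypto ACL from the configuration above. The "fixed" ACL that matches GRE between the two tunnel endpoints is my own assumption of the usual remedy for GRE-over-IPsec with crypto maps; the post itself does not show it.

```python
# Added example (not from the original post): a minimal model of how R3 forwards
# the ping to 192.168.1.1, showing why the crypto map on E0/1 never encrypts it.
# Routes, tunnel endpoints and the original ACL come from the R3 config above;
# ACL_R3_FIXED is an assumed remedy, not part of the post.
import ipaddress

# R3 routing table, longest prefix wins (constructed from the post's config).
R3_ROUTES = [
    ("192.168.1.0/24", "Tunnel3"),      # learned via OSPF across the tunnel
    ("0.0.0.0/0", "Ethernet0/1"),       # ip route 0.0.0.0 0.0.0.0 192.168.23.2
]
TUNNEL3 = {"src": "192.168.23.3", "dst": "192.168.12.1"}  # tunnel source/destination

# Crypto ACL entries: (protocol, source network, destination network).
ACL_R3_ORIGINAL = [("ip", "192.168.3.0/24", "192.168.1.0/24")]
# Assumed fix: match the GRE packets between the tunnel endpoints instead.
ACL_R3_FIXED = [("gre", "192.168.23.3/32", "192.168.12.1/32")]

def lookup(routes, dst):
    """Longest-prefix match; returns the outgoing interface name."""
    addr = ipaddress.ip_address(dst)
    best = max((ipaddress.ip_network(p) for p, _ in routes
                if addr in ipaddress.ip_network(p)), key=lambda n: n.prefixlen)
    return next(i for p, i in routes if ipaddress.ip_network(p) == best)

def acl_matches(acl, pkt):
    """True if any ACL line classifies pkt as interesting traffic."""
    for proto, src, dst in acl:
        if proto in ("ip", pkt["proto"]) and \
           ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(src) and \
           ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(dst):
            return True
    return False

def forward(pkt, acl):
    """Return ('esp' | 'plain', outer packet) for a packet leaving R3."""
    iface = lookup(R3_ROUTES, pkt["dst"])
    if iface == "Tunnel3":            # no crypto map here: just GRE-encapsulate
        pkt = {"proto": "gre", "src": TUNNEL3["src"], "dst": TUNNEL3["dst"]}
        iface = lookup(R3_ROUTES, pkt["dst"])   # second lookup hits the default route
    # crypto map r3map sits on Ethernet0/1 and only acts on traffic matching its ACL
    if iface == "Ethernet0/1" and acl_matches(acl, pkt):
        return "esp", pkt
    return "plain", pkt

PING = {"proto": "icmp", "src": "192.168.3.3", "dst": "192.168.1.1"}  # constructed
if __name__ == "__main__":
    print(forward(PING, ACL_R3_ORIGINAL))   # ('plain', GRE packet): never encrypted
    print(forward(PING, ACL_R3_FIXED))      # ('esp', GRE packet): encrypted
```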
Reprinted from: http://imfvl.baihongyu.com/