103 Lab Guide: One-to-Many Site-to-Site VPN
Lab Guide (One-to-Many Site-to-Site VPN)
I. Lab Tasks
◆ R1: RouterA, R2: Internet, R3: RouterB, R4: RouterC
◆ RouterB and RouterC connect to headquarters (RouterA) over VPN
◆ The VPNs between headquarters and the different branches use different parameters and keys
◆ All three sites must be able to communicate with one another
II. Lab Steps
1. Configure the IP addresses on R1, R2 and R3 as shown in the diagram, bring up the interfaces and configure routing:
Switch (S1):
Switch(config)# int f0/0
Switch(config-if)# shutdown
RouterA (R1):
int s1/1
 no shutdown
 clock rate 128000
 ip add 202.96.134.1 255.255.255.252
int loopback0
 ip add 10.1.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 s1/1
Internet (R2):
int s1/0
 no shutdown
 clock rate 128000
 ip add 202.96.134.2 255.255.255.252
int s1/1
 no shutdown
 clock rate 128000
 ip add 61.0.0.1 255.255.255.252
int e0/0
 no shutdown
 duplex full
 ip add 198.133.0.1 255.255.255.252
RouterB (R3):
int s1/0
 no shutdown
 clock rate 128000
 ip add 61.0.0.2 255.255.255.252
int loopback0
 ip add 10.2.2.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 s1/0
RouterC (R4):
int e0/0
 no shutdown
 duplex full
 ip add 198.133.0.2 255.255.255.252
int loopback0
 ip add 10.3.3.3 255.255.255.0
ip route 0.0.0.0 0.0.0.0 198.133.0.1
2. RouterA:
Configuration for connectivity with RouterB:
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp key 0 cisco1234 address 61.0.0.2
!
crypto ipsec transform-set SITE2 esp-des esp-md5-hmac
!
crypto map TEST-MAP 10 ipsec-isakmp
 set peer 61.0.0.2
 set transform-set SITE2
 match address 110
!
interface Serial1/1
 crypto map TEST-MAP
!
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
3. RouterB:
Configuration for connectivity with RouterA:
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp key 0 cisco1234 address 202.96.134.1
!
crypto ipsec transform-set SITE1 esp-des esp-md5-hmac
!
crypto map TEST-MAP 10 ipsec-isakmp
 set peer 202.96.134.1
 set transform-set SITE1
 match address 110
!
interface Serial1/0
 crypto map TEST-MAP
!
access-list 110 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
4. RouterA:
Configuration for connectivity with RouterC (a second ISAKMP policy, a different pre-shared key and a second crypto map entry; the transform set name is esp-sha-hmac, not esp-sha):
!
crypto isakmp policy 20
 encr aes
 hash sha
 group 2
 authentication pre-share
!
crypto isakmp key 0 123456 address 198.133.0.2
!
crypto ipsec transform-set SITE3 esp-3des esp-sha-hmac
!
crypto map TEST-MAP 20 ipsec-isakmp
 set peer 198.133.0.2
 set transform-set SITE3
 match address 120
!
interface Serial1/1
 crypto map TEST-MAP
!
access-list 120 permit ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
5. RouterC:
Configuration for connectivity with RouterA:
!
crypto isakmp policy 10
 encr aes
 hash sha
 group 2
 authentication pre-share
!
crypto isakmp key 0 123456 address 202.96.134.1
!
crypto ipsec transform-set SITE1 esp-3des esp-sha-hmac
!
crypto map TEST-MAP 10 ipsec-isakmp
 set peer 202.96.134.1
 set transform-set SITE1
 match address 110
!
interface e0/0
 crypto map TEST-MAP
!
access-list 110 permit ip 10.3.3.0 0.0.0.255 10.2.2.0 0.0.0.255
!
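A tunnel in steps 2 to 5 only comes up when the responder finds one of its own ISAKMP policies that matches a policy the initiator offers, and when both sides hold the same pre-shared key for each other's WAN address. The Python model below is an added example, not part of the original handout: it takes the policy blocks and keys exactly as configured above, fills in the IOS defaults for attributes a block omits (encryption des, hash sha, authentication rsa-sig, group 1, lifetime 86400) and applies the documented selection rule, so you can see why RouterA's policy 10 pairs with RouterB, policy 20 pairs with RouterC, and RouterB and RouterC share no policy at all. The Policy class, negotiate() and phase1_ok() are this example's own modelling, not IOS code. DES, MD5 and 3DES appear here only because the lab uses them; the same matching logic applies to a production policy with AES, SHA-2 and DH group 14 or higher.

```python
"""IKE phase 1 (ISAKMP) policy matching for the lab's three routers.

Added example, not part of the original handout. Policy values are the
ones configured in steps 2-5; anything a policy block leaves out takes
the IOS default (encr des, hash sha, authentication rsa-sig, group 1,
lifetime 86400). The Policy class and negotiate() are this example's
own model of the documented selection rule, not IOS code.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    priority: int            # 'crypto isakmp policy <priority>'; lower number is tried first
    encr: str = "des"        # IOS default when 'encr' is omitted
    hash: str = "sha"        # IOS default when 'hash' is omitted
    auth: str = "rsa-sig"    # IOS default; the lab sets pre-share everywhere
    group: int = 1           # IOS default Diffie-Hellman group
    lifetime: int = 86400    # seconds, IOS default

    def accepts(self, offered: "Policy") -> bool:
        """Responder-side rule: encryption, hash, authentication and DH group must be
        identical, and the responder's lifetime must not exceed the initiator's
        (the SA then uses the shorter of the two)."""
        same_algs = (self.encr, self.hash, self.auth, self.group) == (
            offered.encr, offered.hash, offered.auth, offered.group)
        return same_algs and self.lifetime <= offered.lifetime


def negotiate(responder: list, initiator: list) -> Optional[tuple]:
    """Walk the responder's policies in priority order and return
    (responder_priority, initiator_priority) for the first pair that matches,
    or None when phase 1 cannot complete."""
    for mine in sorted(responder, key=lambda p: p.priority):
        for theirs in sorted(initiator, key=lambda p: p.priority):
            if mine.accepts(theirs):
                return (mine.priority, theirs.priority)
    return None


# Policies exactly as configured in steps 2-5 (omitted attributes = IOS defaults).
POLICIES = {
    "RouterA": [Policy(10, hash="md5", auth="pre-share"),
                Policy(20, encr="aes", hash="sha", group=2, auth="pre-share")],
    "RouterB": [Policy(10, hash="md5", auth="pre-share")],
    "RouterC": [Policy(10, encr="aes", hash="sha", group=2, auth="pre-share")],
}

# WAN addresses from step 1 and the pre-shared keys from steps 2-5, keyed by the
# peer address that each 'crypto isakmp key ... address' line names.
WAN = {"RouterA": "202.96.134.1", "RouterB": "61.0.0.2", "RouterC": "198.133.0.2"}
PSK = {
    "RouterA": {"61.0.0.2": "cisco1234", "198.133.0.2": "123456"},
    "RouterB": {"202.96.134.1": "cisco1234"},
    "RouterC": {"202.96.134.1": "123456"},
}


def phase1_ok(initiator: str, responder: str) -> bool:
    """True when a policy matches AND both sides hold the same pre-shared key for
    each other's WAN address; a missing or different key fails phase 1 just as a
    policy mismatch does."""
    if negotiate(POLICIES[responder], POLICIES[initiator]) is None:
        return False
    key_i = PSK[initiator].get(WAN[responder])
    key_r = PSK[responder].get(WAN[initiator])
    return key_i is not None and key_i == key_r


if __name__ == "__main__":
    for init, resp in [("RouterB", "RouterA"), ("RouterC", "RouterA"), ("RouterB", "RouterC")]:
        print(init, "->", resp, negotiate(POLICIES[resp], POLICIES[init]), phase1_ok(init, resp))
```

Running the block prints (10, 10) for RouterB to RouterA, (20, 10) for RouterC to RouterA and None for RouterB to RouterC, which is what `show crypto isakmp sa` reflects after step 6: only the two hub tunnels reach QM_IDLE.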
6. Test:
Ping the loopback0 of RouterB and RouterC from RouterA's loopback0 interface:
RouterA:
ping 10.2.2.2 source 10.1.1.1
ping 10.3.3.3 source 10.1.1.1
RouterB:
ping 10.1.1.1 source 10.2.2.2
RouterC:
ping 10.1.1.1 source 10.3.3.3
Can RouterB and RouterC ping each other's loopback interfaces?
Verification and troubleshooting commands:
● show crypto isakmp policy
● show crypto ipsec transform-set
● show crypto map
● show crypto isakmp sa
● show crypto ipsec sa
● show crypto engine connections active
● clear crypto sa
● clear crypto isakmp
7. RouterB and RouterC must also be able to communicate with each other, which requires changing the interesting traffic (ACL) on all three routers so that spoke-to-spoke traffic is encrypted toward the hub and re-encrypted by the hub toward the other spoke:
RouterA:
Add
access-list 110 permit ip 10.3.3.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 120 permit ip 10.2.2.0 0.0.0.255 10.3.3.0 0.0.0.255
RouterB:
Add
access-list 110 permit ip 10.2.2.0 0.0.0.255 10.3.3.0 0.0.0.255
RouterC:
Add
access-list 110 permit ip 10.3.3.0 0.0.0.255 10.2.2.0 0.0.0.255
Retest:
RouterA:
ping 10.2.2.2 source 10.1.1.1
ping 10.3.3.3 source 10.1.1.1
RouterB:
ping 10.3.3.3 source 10.2.2.2
RouterC:
ping 10.2.2.2 source 10.3.3.3
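Whether a packet is protected is decided hop by hop by the crypto ACL on the egress interface, which is why step 7 has to touch all three routers: the spoke must classify the spoke-to-spoke flow toward the hub, the hub must classify the decrypted flow toward the other spoke, and the far spoke must hold the mirrored entry so the reply is encrypted too. The checker below is an added example, not part of the original handout. It parses the access-list lines from steps 2 to 5 and 7 (the router names, addresses, crypto map entries and ACLs are the lab's; the Ace and Router classes, mirror_gaps() and encrypted_path() are this example's own model of how a crypto map classifies traffic, not IOS code), reports any ACE whose mirror image is missing on the far peer, and traces whether a loopback-to-loopback flow stays inside IPsec at every hop before and after the step 7 changes.

```python
"""Crypto-ACL (interesting traffic) consistency checker for the hub-and-spoke lab.

Added example, not part of the original handout. Router names, WAN and
loopback addresses, crypto map entries and access-list lines come from
steps 1-5 and 7; Ace, Router, mirror_gaps() and encrypted_path() are this
example's own model of crypto map classification, not IOS code.
"""
import re
from dataclasses import dataclass
from typing import Optional

ACE_RE = re.compile(r"access-list\s+(\d+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def ip2int(dotted: str) -> int:
    return int.from_bytes(bytes(int(o) for o in dotted.split(".")), "big")


@dataclass(frozen=True)
class Ace:
    """One 'permit ip <src> <wc> <dst> <wc>' line; 1-bits in the wildcard are don't-care."""
    src: int
    src_wc: int
    dst: int
    dst_wc: int

    def matches(self, s: int, d: int) -> bool:
        return (s | self.src_wc) == (self.src | self.src_wc) and \
               (d | self.dst_wc) == (self.dst | self.dst_wc)

    def mirror(self) -> "Ace":
        """The entry the far peer must carry so that its replies are encrypted too."""
        return Ace(self.dst, self.dst_wc, self.src, self.src_wc)


def parse_acls(config: str) -> dict:
    acls: dict = {}
    for num, s, swc, d, dwc in ACE_RE.findall(config):
        acls.setdefault(int(num), []).append(Ace(ip2int(s), ip2int(swc), ip2int(d), ip2int(dwc)))
    return acls


@dataclass
class Router:
    name: str
    wan_ip: str      # address of the interface carrying the crypto map
    lan_ip: str      # loopback0, the ping source used in step 6
    entries: list    # crypto map entries: (sequence, peer WAN address, ACL number)
    acls: dict

    def crypto_peer(self, s: int, d: int) -> Optional[str]:
        """Peer of the first crypto map entry (by sequence) whose ACL permits s->d;
        None means the packet would leave the interface in the clear."""
        for _, peer, acl in sorted(self.entries):
            if any(ace.matches(s, d) for ace in self.acls.get(acl, [])):
                return peer
        return None


def mirror_gaps(a: Router, b: Router) -> list:
    """ACEs on `a` toward peer `b` whose reversed twin is missing on `b` toward `a`."""
    def toward(r: Router, peer_wan: str) -> set:
        return {ace for _, peer, acl in r.entries if peer == peer_wan
                for ace in r.acls.get(acl, [])}
    return [ace for ace in toward(a, b.wan_ip) if ace.mirror() not in toward(b, a.wan_ip)]


def encrypted_path(routers: dict, src: str, dst: str) -> Optional[list]:
    """Router names traversed from src's loopback to dst's loopback while staying
    inside IPsec at every hop; None if some hop would forward in the clear or the
    destination could not encrypt the reply back to the previous hop."""
    if src == dst:
        return [src]
    by_wan = {r.wan_ip: r for r in routers.values()}
    s, d = ip2int(routers[src].lan_ip), ip2int(routers[dst].lan_ip)
    here, path = routers[src], [src]
    while here.name != dst:
        peer = here.crypto_peer(s, d)
        if peer is None or peer not in by_wan or by_wan[peer].name in path:
            return None
        here = by_wan[peer]
        path.append(here.name)
    return path if here.crypto_peer(d, s) == routers[path[-2]].wan_ip else None


def build_lab(step7: bool) -> dict:
    """The three VPN routers after steps 2-5; step7=True also applies the step 7 ACL additions."""
    a = ("access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255\n"
         "access-list 120 permit ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255")
    b = "access-list 110 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255"
    c = "access-list 110 permit ip 10.3.3.0 0.0.0.255 10.1.1.0 0.0.0.255"
    if step7:
        a += "\naccess-list 110 permit ip 10.3.3.0 0.0.0.255 10.2.2.0 0.0.0.255"
        a += "\naccess-list 120 permit ip 10.2.2.0 0.0.0.255 10.3.3.0 0.0.0.255"
        b += "\naccess-list 110 permit ip 10.2.2.0 0.0.0.255 10.3.3.0 0.0.0.255"
        c += "\naccess-list 110 permit ip 10.3.3.0 0.0.0.255 10.2.2.0 0.0.0.255"
    return {
        "RouterA": Router("RouterA", "202.96.134.1", "10.1.1.1",
                          [(10, "61.0.0.2", 110), (20, "198.133.0.2", 120)], parse_acls(a)),
        "RouterB": Router("RouterB", "61.0.0.2", "10.2.2.2", [(10, "202.96.134.1", 110)], parse_acls(b)),
        "RouterC": Router("RouterC", "198.133.0.2", "10.3.3.3", [(10, "202.96.134.1", 110)], parse_acls(c)),
    }


if __name__ == "__main__":
    for step7 in (False, True):
        lab = build_lab(step7)
        print("after step 7:" if step7 else "after step 5:", encrypted_path(lab, "RouterB", "RouterC"))
```

Before step 7 the trace from RouterB to RouterC stops at RouterB itself, because ACL 110 there only classifies traffic toward 10.1.1.0/24 and the packet would be routed to the Internet unencrypted; after step 7 the path is RouterB, RouterA, RouterC, with the hub matching crypto map entry 20 for the transit flow. A wildcard typo on one side shows up in mirror_gaps() as an unmatched ACE, the usual cause of a tunnel that passes traffic in one direction only.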
III. Full Configurations (RouterC and RouterB cannot communicate)
=============================== R1 ===============================
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco1234 address 61.0.0.2
crypto isakmp key 123456 address 198.133.0.2
!
crypto ipsec transform-set SITE2 esp-des esp-md5-hmac
crypto ipsec transform-set SITE3 esp-3des esp-sha-hmac
!
crypto map TEST-MAP 10 ipsec-isakmp
 set peer 61.0.0.2
 set transform-set SITE2
 match address 110
crypto map TEST-MAP 20 ipsec-isakmp
 set peer 198.133.0.2
 set transform-set SITE3
 match address 120
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/0
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
 no fair-queue
!
interface Serial1/1
 ip address 202.96.134.1 255.255.255.252
 serial restart-delay 0
 clock rate 128000
 crypto map TEST-MAP
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Serial1/1
!
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 120 permit ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
end
=============================== R2 ===============================
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
!
interface Ethernet0/0
 ip address 198.133.0.1 255.255.255.252
 full-duplex
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
interface Serial1/0
 ip address 202.96.134.2 255.255.255.252
 serial restart-delay 0
 clock rate 128000
 no fair-queue
!
interface Serial1/1
 ip address 61.0.0.1 255.255.255.252
 serial restart-delay 0
 clock rate 128000
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
!
end
=============================== R3 ===============================
!
hostname R3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco1234 address 202.96.134.1
!
crypto ipsec transform-set SITE1 esp-des esp-md5-hmac
!
crypto map TEST-MAP 10 ipsec-isakmp
 set peer 202.96.134.1
 set transform-set SITE1
 match address 110
!
interface Loopback0
 ip address 10.2.2.2 255.255.255.0
!
interface Ethernet0/0
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
interface Serial1/0
 ip address 61.0.0.2 255.255.255.252
 serial restart-delay 0
 clock rate 128000
 no fair-queue
 crypto map TEST-MAP
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Serial1/0
!
access-list 110 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
end
=============================== R4 ===============================
!
hostname R4
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key 123456 address 202.96.134.1
!
crypto ipsec transform-set SITE1 esp-3des esp-sha-hmac
!
crypto map TEST-MAP 10 ipsec-isakmp
 set peer 202.96.134.1
 set transform-set SITE1
 match address 110
!
interface Loopback0
 ip address 10.3.3.3 255.255.255.0
!
interface Ethernet0/0
 ip address 198.133.0.2 255.255.255.252
 full-duplex
 crypto map TEST-MAP
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 198.133.0.1
!
access-list 110 permit ip 10.3.3.0 0.0.0.255 10.1.1.0 0.0.0.255
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
end