Lab guide 103: one-to-many Site-to-Site VPN

I. Lab tasks

R1: RouterA (headquarters), R2: Internet, R3: RouterB, R4: RouterC
RouterB and RouterC connect to headquarters over IPsec VPN.
The VPN between headquarters and each branch uses different parameters and a different pre-shared key.
All three sites must be able to communicate with one another.

II. Lab steps

1. On R1 to R4, configure the IP addresses shown in the diagram, enable the interfaces and configure routing:

Switch (S1):
Switch(config)#int f0/0
Switch(config-if)#shutdown

RouterA (R1):
int s1/1
 no shutdown
 clock rate 128000
 ip add 202.96.134.1 255.255.255.252
int loopback0
 ip add 10.1.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 s1/1

Internet (R2):
int s1/0
 no shutdown
 clock rate 128000
 ip add 202.96.134.2 255.255.255.252
int s1/1
 no shutdown
 clock rate 128000
 ip add 61.0.0.1 255.255.255.252
int e0/0
 no shutdown
 duplex full
 ip add 198.133.0.1 255.255.255.252

RouterB (R3):
int s1/0
 no shutdown
 clock rate 128000
 ip add 61.0.0.2 255.255.255.252
int loopback0
 ip add 10.2.2.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 s1/0

RouterC (R4):
int e0/0
 no shutdown
 duplex full
 ip add 198.133.0.2 255.255.255.252
int loopback0
 ip add 10.3.3.3 255.255.255.0
ip route 0.0.0.0 0.0.0.0 198.133.0.1

Note that R2 only knows the three directly connected /30 networks and has no default route. Any packet for a 10.x.x.x address that reaches R2 unencrypted is therefore dropped, which is what the connectivity tests in steps 6 and 7 rely on.

2. RouterA: configuration for the connection to RouterB

!
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp key 0 cisco1234 address 61.0.0.2
!
crypto ipsec transform-set SITE2 esp-des esp-md5-hmac
!
crypto map TEST-MAP 10 ipsec-isakmp
 set peer 61.0.0.2
 set transform-set SITE2
 match address 110
!
interface Serial1/1
 crypto map TEST-MAP
!
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!

3. RouterB: configuration for the connection to RouterA

!
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp key 0 cisco1234 address 202.96.134.1
!
crypto ipsec transform-set SITE1 esp-des esp-md5-hmac
!
crypto map TEST-MAP 10 ipsec-isakmp
 set peer 202.96.134.1
 set transform-set SITE1
 match address 110
!
interface Serial1/0
 crypto map TEST-MAP
!
access-list 110 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!

4. RouterA: configuration for the connection to RouterC

!
crypto isakmp policy 20
 encr aes
 hash sha
 group 2
 authentication pre-share
!
crypto isakmp key 0 123456 address 198.133.0.2
!
crypto ipsec transform-set SITE3 esp-3des esp-sha-hmac
!
crypto map TEST-MAP 20 ipsec-isakmp
 set peer 198.133.0.2
 set transform-set SITE3
 match address 120
!
interface Serial1/1
 crypto map TEST-MAP
!
access-list 120 permit ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
!

5. RouterC: configuration for the connection to RouterA

!
crypto isakmp policy 10
 encr aes
 hash sha
 group 2
 authentication pre-share
!
crypto isakmp key 0 123456 address 202.96.134.1
!
crypto ipsec transform-set SITE1 esp-3des esp-sha-hmac
!
crypto map TEST-MAP 10 ipsec-isakmp
 set peer 202.96.134.1
 set transform-set SITE1
 match address 110
!
interface e0/0
 crypto map TEST-MAP
!
access-list 110 permit ip 10.3.3.0 0.0.0.255 10.1.1.0 0.0.0.255
!

Points to notice in steps 2 to 5:
- An ISAKMP policy number is only a local priority. RouterA uses policy 20 for RouterC while RouterC uses policy 10; this is fine, because peers negotiate on the parameters (encryption, hash, DH group, authentication), not on the number. Policy 10 on RouterA and RouterB specifies no encryption or group, so the IOS defaults of DES and DH group 1 apply.
- A single crypto map (TEST-MAP) is bound to RouterA's Serial1/1; each peer gets its own sequence number with its own peer address, transform set and crypto ACL. This is what makes the one-to-many (hub-and-spoke) design work on one interface.
- The crypto ACL is the "interesting traffic" definition: only traffic it permits is protected. Traffic that matches no entry of the crypto map is not blocked; it is routed out of the interface in cleartext. This is the failure mode exercised in step 6.
- The pre-shared keys differ per peer (cisco1234 and 123456), which satisfies the task requirement. The "0" in crypto isakmp key 0 means the key is entered in cleartext; it will appear in show running-config in cleartext unless service password-encryption is enabled, and even then it is only type 7 obfuscation, which is trivially reversible.
- DES, 3DES, MD5 and DH groups 1 and 2 are used here only so the two tunnels visibly differ; they are deprecated and should not be used outside a lab. Production configurations should use AES, SHA-2 and DH group 14 or higher.

6. Test: ping the loopback0 interfaces of RouterB and RouterC from RouterA's loopback0

RouterA:
ping 10.2.2.2 source 10.1.1.1
ping 10.3.3.3 source 10.1.1.1
RouterB:
ping 10.1.1.1 source 10.2.2.2
RouterC:
ping 10.1.1.1 source 10.3.3.3

Can RouterB and RouterC ping each other's loopback interfaces? They cannot yet. A packet from 10.2.2.2 to 10.3.3.3 matches neither crypto ACL 110 on RouterB nor ACL 120 on RouterA, so it leaves RouterB unencrypted and is dropped by R2, which has no route to 10.3.3.0/24.

Verification commands:
show crypto isakmp policy
show crypto ipsec transform-set
show crypto map
show crypto isakmp sa         (an established phase 1 SA shows state QM_IDLE)
show crypto ipsec sa          (the pkts encaps/decaps counters increase as the pings succeed)
show crypto engine connections active
clear crypto sa
clear crypto isakmp

7. For RouterB and RouterC to communicate with each other, the interesting-traffic ACLs must be extended

In a hub-and-spoke design the spoke-to-spoke traffic is carried inside the spoke-to-hub tunnels: RouterA decrypts it from one tunnel, routes it out the same Serial1/1 interface, and re-encrypts it into the other tunnel. Every router on that path must therefore list the flow in the crypto ACL of the tunnel it uses, in the direction it sends it. Note that RouterA sees the spoke-to-spoke traffic in cleartext while it transits the hub.

RouterA: add
access-list 110 permit ip 10.3.3.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 120 permit ip 10.2.2.0 0.0.0.255 10.3.3.0 0.0.0.255
RouterB: add
access-list 110 permit ip 10.2.2.0 0.0.0.255 10.3.3.0 0.0.0.255
RouterC: add
access-list 110 permit ip 10.3.3.0 0.0.0.255 10.2.2.0 0.0.0.255

Retest:
RouterA:
ping 10.2.2.2 source 10.1.1.1
ping 10.3.3.3 source 10.1.1.1
RouterB:
ping 10.3.3.3 source 10.2.2.2
RouterC:
ping 10.2.2.2 source 10.3.3.3

III. Complete configurations (state after step 6: RouterB and RouterC cannot yet communicate)

=R1=
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco1234 address 61.0.0.2
crypto isakmp key 123456 address 198.133.0.2
!
crypto ipsec transform-set SITE2 esp-des esp-md5-hmac
crypto ipsec transform-set SITE3 esp-3des esp-sha-hmac
!
crypto map TEST-MAP 10 ipsec-isakmp
 set peer 61.0.0.2
 set transform-set SITE2
 match address 110
crypto map TEST-MAP 20 ipsec-isakmp
 set peer 198.133.0.2
 set transform-set SITE3
 match address 120
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/0
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
 no fair-queue
!
interface Serial1/1
 ip address 202.96.134.1 255.255.255.252
 serial restart-delay 0
 clock rate 128000
 crypto map TEST-MAP
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Serial1/1
!
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 120 permit ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
end

=R2=
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
!
interface Ethernet0/0
 ip address 198.133.0.1 255.255.255.252
 full-duplex
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
interface Serial1/0
 ip address 202.96.134.2 255.255.255.252
 serial restart-delay 0
 clock rate 128000
 no fair-queue
!
interface Serial1/1
 ip address 61.0.0.1 255.255.255.252
 serial restart-delay 0
 clock rate 128000
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
!
end

=R3=
!
hostname R3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco1234 address 202.96.134.1
!
crypto ipsec transform-set SITE1 esp-des esp-md5-hmac
!
crypto map TEST-MAP 10 ipsec-isakmp
 set peer 202.96.134.1
 set transform-set SITE1
 match address 110
!
interface Loopback0
 ip address 10.2.2.2 255.255.255.0
!
interface Ethernet0/0
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
interface Serial1/0
 ip address 61.0.0.2 255.255.255.252
 serial restart-delay 0
 clock rate 128000
 no fair-queue
 crypto map TEST-MAP
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Serial1/0
!
access-list 110 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
end

=R4=
!
hostname R4
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key 123456 address 202.96.134.1
!
crypto ipsec transform-set SITE1 esp-3des esp-sha-hmac
!
crypto map TEST-MAP 10 ipsec-isakmp
 set peer 202.96.134.1
 set transform-set SITE1
 match address 110
!
interface Loopback0
 ip address 10.3.3.3 255.255.255.0
!
interface Ethernet0/0
 ip address 198.133.0.2 255.255.255.252
 full-duplex
 crypto map TEST-MAP
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 198.133.0.1
!
access-list 110 permit ip 10.3.3.0 0.0.0.255 10.1.1.0 0.0.0.255
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
end
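The two checks that steps 6 and 7 perform by hand (does a given flow match any crypto map entry, and do both ends of a tunnel define mirror-image interesting traffic) can be done against the configuration text before anything is pushed to a router. The script below is an added example, not part of the lab guide or of any Cisco tool; it embeds the crypto map entries and ACLs of R1, R3 and R4 from this lab as constructed sample input, together with the ACL lines step 7 adds, and parses IOS wildcard masks with the standard library's ipaddress module (an IOS wildcard is a host mask, which ipaddress accepts after the slash). The function and variable names are the example's own.

```python
"""Added example (not part of the lab guide): a consistency check for the
hub-and-spoke crypto maps used in this lab. The crypto map entries and ACLs of
R1, R3 and R4 are embedded below as constructed sample input, as they stand
before step 7; STEP7 holds the ACL lines that step appends."""
import ipaddress
import re
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network

R1 = """crypto map TEST-MAP 10 ipsec-isakmp
 set peer 61.0.0.2
 set transform-set SITE2
 match address 110
crypto map TEST-MAP 20 ipsec-isakmp
 set peer 198.133.0.2
 set transform-set SITE3
 match address 120
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 120 permit ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255"""
R3 = """crypto map TEST-MAP 10 ipsec-isakmp
 set peer 202.96.134.1
 set transform-set SITE1
 match address 110
access-list 110 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255"""
R4 = """crypto map TEST-MAP 10 ipsec-isakmp
 set peer 202.96.134.1
 set transform-set SITE1
 match address 110
access-list 110 permit ip 10.3.3.0 0.0.0.255 10.1.1.0 0.0.0.255"""
STEP7 = {
    "R1": "\naccess-list 110 permit ip 10.3.3.0 0.0.0.255 10.2.2.0 0.0.0.255"
          "\naccess-list 120 permit ip 10.2.2.0 0.0.0.255 10.3.3.0 0.0.0.255",
    "R3": "\naccess-list 110 permit ip 10.2.2.0 0.0.0.255 10.3.3.0 0.0.0.255",
    "R4": "\naccess-list 110 permit ip 10.3.3.0 0.0.0.255 10.2.2.0 0.0.0.255",
}

MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp$")
ACL_RE = re.compile(r"^access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$")


def parse(text: str) -> dict:
    """Collect crypto map entries (seq, peer, acl) and extended ACL flows."""
    cfg: dict = {"maps": [], "acls": {}}
    entry: Optional[dict] = None
    for line in (ln.rstrip() for ln in text.splitlines() if ln.strip()):
        if m := MAP_RE.match(line):
            entry = {"seq": int(m.group(2)), "peer": None, "acl": None}
            cfg["maps"].append(entry)
        elif m := ACL_RE.match(line):
            # IOS wildcard masks are host masks, which ipaddress accepts after "/".
            flow = (Net(f"{m.group(2)}/{m.group(3)}"), Net(f"{m.group(4)}/{m.group(5)}"))
            cfg["acls"].setdefault(m.group(1), []).append(flow)
        elif line.startswith(" ") and entry is not None:
            words = line.split()
            if words[:2] == ["set", "peer"]:
                entry["peer"] = words[2]
            elif words[:2] == ["match", "address"]:
                entry["acl"] = words[2]
    return cfg


def flow_entry(cfg: dict, src: str, dst: str) -> Optional[dict]:
    """First entry (IOS walks ascending seq) whose ACL permits src -> dst.
    None means the crypto map ignores the packet and it leaves unencrypted."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in sorted(cfg["maps"], key=lambda e: e["seq"]):
        if any(s in sn and d in dn for sn, dn in cfg["acls"].get(entry["acl"], [])):
            return entry
    return None


def mirror_mismatch(a: dict, a_addr: str, b: dict, b_addr: str) -> List[Tuple[Net, Net]]:
    """Flows one side protects towards the other that the other side does not
    mirror (src/dst swapped). a_addr/b_addr are the 'set peer' addresses."""
    def towards(cfg: dict, peer: str) -> set:
        return {f for e in cfg["maps"] if e["peer"] == peer
                for f in cfg["acls"].get(e["acl"], [])}
    mirrored_b = {(dst, src) for src, dst in towards(b, a_addr)}
    return sorted(towards(a, b_addr) ^ mirrored_b, key=lambda f: (str(f[0]), str(f[1])))


if __name__ == "__main__":
    r1_before, r1_after = parse(R1), parse(R1 + STEP7["R1"])
    r3_before, r3_after = parse(R3), parse(R3 + STEP7["R3"])
    print("RouterB -> RouterC at hub before step 7:", flow_entry(r1_before, "10.2.2.2", "10.3.3.3"))
    print("RouterB -> RouterC at hub after step 7: ", flow_entry(r1_after, "10.2.2.2", "10.3.3.3"))
    print("mismatch if only the hub is changed:", mirror_mismatch(r1_after, "202.96.134.1", r3_before, "61.0.0.2"))
    print("mismatch after both sides change:   ", mirror_mismatch(r1_after, "202.96.134.1", r3_after, "61.0.0.2"))
```

Before step 7, flow_entry reports that 10.2.2.2 to 10.3.3.3 matches nothing on the hub, which is exactly why the step 6 ping between the branches fails in cleartext rather than inside a tunnel. If only RouterA's ACLs were extended, mirror_mismatch reports the 10.3.3.0/24 to 10.2.2.0/24 flow that RouterB does not mirror; IOS would reject the phase 2 proposal for that flow, so both sides of every tunnel need the matching lines, as step 7 specifies.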