1. Topology:
2. Basic interface configuration:
A.R1:
R1(config)#int f0/0
R1(config-if)#ip add 202.100.12.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#int l0
R1(config-if)#ip add 172.16.1.1 255.255.255.0
R1(config-if)#int l1
R1(config-if)#ip add 192.168.1.1 255.255.255.0
B.R2:
R2(config)#int f0/0
R2(config-if)#ip add 202.100.12.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#int f0/1
R2(config-if)#ip add 202.100.23.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#int f1/0
R2(config-if)#ip add 202.100.24.2 255.255.255.0
R2(config-if)#no sh
C.R3:
R3(config)#int f0/0
R3(config-if)#ip add 202.100.23.3 255.255.255.0
R3(config-if)#no sh
R3(config-if)#int l0
R3(config-if)#ip add 172.16.1.3 255.255.255.0
R3(config-if)#int l1
R3(config-if)#ip add 192.168.3.3 255.255.255.0
D.R4:
R4(config)#int f1/0
R4(config-if)#ip add 202.100.24.4 255.255.255.0
R4(config-if)#no sh
R4(config-if)#int l0
R4(config-if)#ip add 172.16.1.4 255.255.255.0
R4(config-if)#int l1
R4(config-if)#ip add 192.168.4.4 255.255.255.0
3. Static route configuration:
R1(config)#ip route 0.0.0.0 0.0.0.0 202.100.12.2
R3(config)#ip route 0.0.0.0 0.0.0.0 202.100.23.2
R4(config)#ip route 0.0.0.0 0.0.0.0 202.100.24.2
4. Dynamic VTI configuration:
A.HUB:
① Phase 1:
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#au pre
R1(config-isakmp)#ha md
R1(config-isakmp)#en 3des
R1(config-isakmp)#gr 2
R1(config-isakmp)#exit
R1(config)#crypto keyring R1
R1(conf-keyring)#pre-shared-key address 202.100.23.3 key cisco
R1(conf-keyring)#pre-shared-key address 202.100.24.4 key cisco
R1(config)#crypto isakmp profile isakmppro
R1(conf-isa-prof)#keyring R1
R1(conf-isa-prof)#match identity address 202.100.23.3
R1(conf-isa-prof)#match identity address 202.100.24.4
R1(conf-isa-prof)#virtual-template 1
② Phase 2:
R1(config)#crypto ipsec transform-set transet esp-3des esp-sha-hmac
③ IPsec profile tying together the phase 1 and phase 2 policies:
R1(config)#crypto ipsec profile ipsecpro
R1(ipsec-profile)#set isakmp-profile isakmppro
R1(ipsec-profile)#set transform-set transet
④ VTI configuration:
R1(config)#int virtual-template 1 type tunnel
R1(config-if)#ip unnumbered loopback 0
R1(config-if)#tunnel mode ipsec ipv4
R1(config-if)#tunnel protection ipsec profile ipsecpro
B.Spoke1:
① Phase 1:
R3(config)#crypto isakmp policy 10
R3(config-isakmp)#au pr
R3(config-isakmp)#en 3des
R3(config-isakmp)#gr 2
R3(config-isakmp)#ha md
R3(config-isakmp)#exit
R3(config)#crypto isakmp key 0 cisco address 202.100.12.1
② Phase 2:
R3(config)#crypto ipsec transform-set transet esp-3des esp-sha-hmac
③ IPsec profile referencing the phase 2 policy:
R3(config)#crypto ipsec profile ipsecpro
R3(ipsec-profile)#set transform-set transet
R3(ipsec-profile)#exit
④ VTI configuration:
R3(config)#int tunnel 0
R3(config-if)#ip unnumbered loopback 0
R3(config-if)#tunnel source f0/0
R3(config-if)#tunnel destination 202.100.12.1
R3(config-if)#tunnel mode ipsec ipv4
R3(config-if)#tunnel protection ipsec profile ipsecpro
R3(config-if)#exit
C.Spoke2:
① Phase 1:
R4(config)#crypto isakmp policy 10
R4(config-isakmp)#au pr
R4(config-isakmp)#au pre-share
R4(config-isakmp)#ha md
R4(config-isakmp)#en 3de
R4(config-isakmp)#gr 2
R4(config-isakmp)#exit
R4(config)#crypto isakmp key 0 cisco address 202.100.12.1
② Phase 2:
R4(config)#crypto ipsec transform-set transet esp-3des esp-sha-hmac
R4(cfg-crypto-trans)#exit
③ IPsec profile referencing the phase 2 policy:
R4(config)#crypto ipsec profile ipsecpro
R4(ipsec-profile)#set transform-set transet
R4(ipsec-profile)#exit
④ VTI configuration:
R4(config)#int tun 0
R4(config-if)#ip unnumbered loopback 0
R4(config-if)#tunnel source f1/0
R4(config-if)#tunnel destination 202.100.12.1
R4(config-if)#tunnel mode ipsec ipv4
R4(config-if)#tunnel protection ipsec profile ipsecpro
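Added example (not part of the original post): a Python check that reads phase 1 and phase 2 lines exactly as they are typed above, expands the IOS abbreviations ("ha md", "en 3des", "gr 2"), and lists the settings that are legacy choices. The LEGACY tables and the function names are assumptions of this example.

```python
import re

# Constructed input: phase 1 / phase 2 lines copied from the sessions on this page.
SESSION = """\
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#au pre
R1(config-isakmp)#ha md
R1(config-isakmp)#en 3des
R1(config-isakmp)#gr 2
R1(config-isakmp)#exit
R1(config)#crypto ipsec transform-set transet esp-3des esp-sha-hmac
R4(config-isakmp)#en 3de
"""

# IOS accepts any unambiguous prefix of a keyword, so "ha md" means "hash md5".
KEYWORDS = ("authentication", "hash", "encryption", "group")
VALUES = {"authentication": ("pre-share", "rsa-sig", "rsa-encr"),
          "hash": ("md5", "sha", "sha256", "sha384", "sha512"),
          "encryption": ("des", "3des", "aes")}
# Assumption of this example: the settings the audit reports as legacy.
LEGACY = {"hash": {"md5"}, "encryption": {"des", "3des"}, "group": {"1", "2", "5"}}
LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}
PROMPT = re.compile(r"^(\S+?)\(([\w-]+)\)#[ \t]*(.*)$", re.M)  # router, mode, command

def expand(token, choices):
    """Resolve an abbreviation to the one choice it prefixes, else None."""
    if token in choices:
        return token
    hits = [c for c in choices if c.startswith(token)]
    return hits[0] if len(hits) == 1 else None

def audit(session):
    """Return (router, finding) pairs for legacy IKE and IPsec settings."""
    findings = []
    for host, mode, cmd in PROMPT.findall(session):
        words = cmd.split()
        if mode == "config-isakmp" and len(words) >= 2:
            key = expand(words[0], KEYWORDS)
            val = expand(words[1], VALUES[key]) if key in VALUES else words[1]
            if val in LEGACY.get(key, ()):
                findings.append((host, f"isakmp {key} {val}"))
        elif words[:3] == ["crypto", "ipsec", "transform-set"]:
            findings += [(host, f"transform {t}") for t in words[4:]
                         if t in LEGACY_TRANSFORMS]
    return findings

if __name__ == "__main__":
    for host, finding in audit(SESSION):
        print(f"{host}: {finding}")
```

On IOS releases that support them, "hash sha256", "encryption aes 256", "group 14" and a transform set such as "esp-aes 256 esp-sha256-hmac" are the usual replacements; both ends of each tunnel have to be changed together.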
5. Dynamic routing configuration:
R1(config)#router eigrp 10
R1(config-router)#no auto-summary
R1(config-router)#net 172.16.1.0 0.0.0.255
R1(config-router)#net 192.168.1.0 0.0.0.255
R3(config)#router eigrp 10
R3(config-router)#no auto-summary
R3(config-router)#net 172.16.1.0 0.0.0.255
R3(config-router)#net 192.168.3.0 0.0.0.255
R4(config)#router eigrp 10
R4(config-router)#no auto-summary
R4(config-router)#net 172.16.1.0 0.0.0.255
R4(config-router)#net 192.168.4.0 0.0.0.255
6. Verification:
R1#show ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 202.100.12.1 YES NVRAM up up
FastEthernet0/1 unassigned YES NVRAM administratively down down
Virtual-Access1 unassigned YES unset down down
Virtual-Template1 172.16.1.1 YES TFTP down down
Virtual-Access2 172.16.1.1 YES TFTP up up
Virtual-Access3 172.16.1.1 YES TFTP up up
Loopback0 172.16.1.1 YES manual up up
Loopback1 192.168.1.1 YES manual up up
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
202.100.12.1 202.100.23.3 QM_IDLE 1001 0 ACTIVE
202.100.12.1 202.100.24.4 QM_IDLE 1002 0 ACTIVE
R1#show crypto engine connections active
Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP-Address
1 Fa0/0 IPsec 3DES+SHA 0 422 202.100.12.1
2 Fa0/0 IPsec 3DES+SHA 426 0 202.100.12.1
5 Fa0/0 IPsec 3DES+SHA 0 103 202.100.12.1
6 Fa0/0 IPsec 3DES+SHA 205 0 202.100.12.1
1001 Fa0/0 IKE MD5+3DES 0 0 202.100.12.1
1002 Fa0/0 IKE MD5+3DES 0 0 202.100.12.1
R1#ping 192.168.3.3 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 84/116/136 ms
R1#ping 192.168.4.4 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.4, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/105/128 ms
R1#show ip route eigrp
D 192.168.4.0/24 [90/297372416] via 172.16.1.4, 00:13:59, Virtual-Access3
D 192.168.3.0/24 [90/297372416] via 172.16.1.3, 00:14:50, Virtual-Access2
R3#show ip route eigrp
D 192.168.4.0/24 [90/310172416] via 172.16.1.1, 00:13:46, Tunnel0
D 192.168.1.0/24 [90/297372416] via 172.16.1.1, 00:14:55, Tunnel0
R4#show ip route eigrp
D 192.168.1.0/24 [90/297372416] via 172.16.1.1, 00:01:14, Tunnel0
D 192.168.3.0/24 [90/310172416] via 172.16.1.1, 00:00:55, Tunnel0
Reposted from 碧云天's 51CTO blog; original link: http://blog.51cto.com/333234/910931. To repost, please contact the original author.