注意:可能会存在一些错误,以测试过了VPN是可以通的。
网络拓扑见:http://down.51cto.com/data/854149
R1的配置
基本端口配置
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int fa 0/0
Router(config-if)#ip add 172.16.0.1 255.255.0.0
Router(config-if)#no shut
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Router(config-if)#int fa 1/0
Router(config-if)#ip add 100.0.0.1 255.255.255.252
Router(config-if)#no shut
%LINK-5-CHANGED: Interface FastEthernet1/0, changed state to down
Router(config-if)#exit
Router(config)#host
Router(config)#hostname R1
R1(config)#
默认路由
R1(config)#ip route 0.0.0.0 0.0.0.0 100.0.0.2
NAT的配置
R1(config)#acc 1 per172.16.10.0 0.0.0.255
R1(config)#acc 1 deny 172.16.0.0 0.0.255.0
R1(config)#ip nat pool xinbin 100.0.0.1 100.0.0.1 netmask 255.255.255.252
R1(config)#ip nat inside source list 1 p
R1(config)#ip nat inside source list 1 pool xinbin o
R1(config)#ip nat inside source list 1 pool xinbin overload
R1(config)#int fa 0/0
R1(config-if)#ip nat inside
R1(config-if)#int fa 1/0
R1(config-if)#ip nat outside
R1(config-if)#exit
ACL的配置
R1(config)#acc 110 per ip 172.16.10.0 0.0.0.255 10.10.33.0 0.0.0.255
R1(config)#acc 110 deny ip 172.16.0.0 0.0.255.255 10.10.33.0 0.0.0.255
R1(config-if)#acc 110 per ip any any
R1(config)#int fa 0/0
R1(config-if)#ip acc 110 in
R1(config-if)#int fa 1/0
R1(config-if)#ip acc 110 out
VPN的配置
R1(config)#crypto isakmp p 1
R1(config-isakmp)#cry
R1(config-isakmp)#g 2
R1(config-isakmp)#a p
R1(config-isakmp)#exit
R1(config)#cry
R1(config)#crypto key xinbin add 200.0.0.1
^
% Invalid input detected at '^' marker.
R1(config)#cry
R1(config)#crypto is
R1(config)#crypto isakmp key xinbin add 200.0.0.1
R1(config)#cry
R1(config)#cry ip
R1(config)#cry ipsec t
R1(config)#cry ipsec transform-set ah-m
R1(config)#cry ipsec transform-set ah-m
R1(config)#cry ipsec transform-set ah-md
R1(config)#cry ipsec transform-set vpntag ha
R1(config)#cry ipsec transform-set vpntag ah-m
R1(config)#cry ipsec transform-set vpntag ah-md5-hmac esp-des
R1(config)#cry ipsec transform-set vpntag ah-md5-hmac esp-des
R1(config)#access-list 10 per 172.16.10.0 0.0.0.255
R1(config)#cry map vpndemo 10 ipsec
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#set peer 200.0.0.1
R1(config-crypto-map)#set transform-set vpntag
R1(config-crypto-map)#match address 101
R1(config-crypto-map)#exit
R1(config)#int t 0
%LINK-5-CHANGED: Interface Tunnel0, changed state to up
R1(config-if)#ip add 192.168.1.1 255.255.255.0
R1(config-if)#tunn s fa 1/0
R1(config-if)#tun d 200.0.0.1
R1(config-if)#exit
R1(config)#
R1(config)#int fa 0/0
R1(config-if)#cry map vpndemo
*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#exit\
^
% Invalid input detected at '^' marker.
R1(config-if)#exit
R1(config)#int fa 1/0
R1(config-if)#cry map vpndemo
R1(config-if)#exit
R1(config)#
Router(config)#ip route 0.0.0.0 0.0.0.0 100.0.0.2
Router(config)#ip route 10.10.33.0 255.255.255.0 192.168.1.2
Router(config)#access-list 101 permit gre host 100.0.0.1 host 200.0.0.1
R2的配置
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hos R2
R2(config)#int fa 4/0
R2(config-if)#ip add 100.0.0.2 255.255.255.252
R2(config-if)#no shut
%LINK-5-CHANGED: Interface FastEthernet4/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet4/0, changed state to up
R2(config)#int fa 5/0
R2(config-if)#ip add 200.0.0.2 255.255.255.252
R2(config-if)#no shut
%LINK-5-CHANGED: Interface FastEthernet5/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet5/0, changed state to up
R2(config-if)#
配置默认路由
R2(config)#ip route 172.16.0.0 255.255.0.0 100.0.0.1
R2(config)#ip route 10.10.33.0 255.255.255.0 200.0.0.1
R3的配置
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hos R3
R3(config)#int fa 0/0
R3(config-if)#ip add 10.10.33.1 255.255.255.0
R3(config-if)#no shut
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R3(config-if)#exit
R3(config)#int fa 1/0
R3(config-if)#ip add 200.0.0.1 255.255.255.252
R3(config-if)#no shut
%LINK-5-CHANGED: Interface FastEthernet1/0, changed state to down
R3(config-if)#exit
R3(config)#ip route 0.0.0.0 0.0.0.0 200.0.0.2
R3(config)#
VPN的配置
R3(config)#crypto isa policy 1
R3(config-isakmp)#a p
R3(config-isakmp)#g 2
R3(config-isakmp)#exit
R3(config)#crypto is
R3(config)#crypto isakmp key xinbin address 100.0.0.1
R3(config)#crypto ipsec t
R3(config)#crypto ipsec transform-set vpntag ah-m
R3(config)#crypto ipsec transform-set vpntag ah-md5-hmac esp-des
R3(config)#access 10 per 10.10.33.0 0.0.0.255
R3(config)#crypto map vpndemo 10 ipsec
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R3(config-crypto-map)#set pee 100.0.0.1
R3(config-crypto-map)#set t
R3(config-crypto-map)#set transform-set vpntag
R3(config-crypto-map)#match add 101
R3(config-crypto-map)#exit
R3(config)#
R3(config)#int t 0
%LINK-5-CHANGED: Interface Tunnel0, changed state to up
R3(config-if)#ip add 192.168.1.2 255.255.255.0
R3(config-if)#tunn s fa 1/0
R3(config-if)#tun d 100.0.0.1
R3(config-if)#exit
R3(config)#int fa 0/0
R3(config-if)#cry map vpndemo
*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3(config-if)#exit
R3(config)#int fa 1/0
R3(config-if)#cry
R3(config-if)#crypto ma
R3(config-if)#crypto map vpndemo
R3(config-if)#
Router(config)#ip route 0.0.0.0 0.0.0.0 200.0.0.2
Router(config)#ip route 172.16.10..0 255.255.255.0 192.168.1.1
Router(config)#access-list 101 permit gre host 200.0.0.1 host 100.0.0.1