
IPSec VPN Basic Configuration

2013-11-02 01:54

[Figure: lab topology. PC 192.168.1.100 -- R1 (Fa0/1 192.168.1.1, Fa0/0 12.1.1.1) -- R2 (Fa0/1 12.1.1.2, Fa0/0 23.1.1.2, Lo0 2.2.2.2) -- R3 (Fa0/1 23.1.1.3, Fa0/0 172.16.1.1) -- PC 172.16.1.100]

 

Lab requirement: host 192.168.1.100/24 must reach 172.16.1.100/24 through an IPSec VPN.

 

Configuration approach: R1, R2 and R3 run EIGRP and advertise only the public-side interface networks (the private networks must not be advertised). Configure NAT overload on R1 and R3 so that their internal networks can reach R2's loopback 2.2.2.2 (which stands in for a public server), then configure the IPSec VPN, and finally point a default route on R1 and R3 at R2's adjacent interface IP. One ordering detail matters: IOS translates inside-to-outside traffic before it evaluates the crypto map, so the NAT ACL must deny the 192.168.1.0/24 to 172.16.1.0/24 traffic; otherwise the translated packets never match the crypto ACL and the tunnel is never brought up.

 

IPSec VPN configuration steps:

1. Create an ACL that selects the interesting traffic
2. Configure the ISAKMP pre-shared key and peer (the peer router's public IP)
3. Configure the ISAKMP policy
4. Configure the IPsec transform set
5. Configure the crypto map (which ties the pieces above together)
6. Apply the crypto map to the local router's outbound interface

 

Lab configuration:

 

R1#

! Step 3: ISAKMP (IKE phase 1) policy; must match the peer's policy
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
!
! Step 2: pre-shared key and peer (the peer router's public IP)
crypto isakmp key cisco address 23.1.1.3
!
! Step 4: IPsec transform set (phase 2 proposal)
crypto ipsec transform-set 1 esp-3des esp-md5-hmac
!
! Step 5: crypto map; ties the peer, the transform set and the interesting-traffic ACL together
crypto map 1to3 1 ipsec-isakmp
 set peer 23.1.1.3
 set transform-set 1
 match address 100
!
interface Loopback 0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet 0/0
 ip address 12.1.1.1 255.255.255.0
 ip nat outside
 ! Step 6: apply the crypto map to the local outbound interface
 crypto map 1to3
 no shutdown
!
interface FastEthernet 0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no shutdown
!
router eigrp 100
 network 12.1.1.0 0.0.0.255
 network 1.1.1.0 0.0.0.255
 no auto-summary
!
! PAT for Internet-bound traffic; access-list 101 exempts the VPN traffic
ip nat inside source list 101 interface FastEthernet 0/0 overload
!
ip route 0.0.0.0 0.0.0.0 12.1.1.2
!
! Step 1: interesting traffic (what the crypto map encrypts)
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
!
! Traffic to be translated. The VPN traffic is denied first: IOS applies NAT before the
! crypto map check, so translated packets would no longer match access-list 100.
access-list 101 deny   ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

 

------------------------------------------------

 

R2#

interface Loopback 0
 ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet 0/0
 ip address 23.1.1.2 255.255.255.0
 no shutdown
!
interface FastEthernet 0/1
 ip address 12.1.1.2 255.255.255.0
 no shutdown
!
! R2 stands in for the Internet: it learns only the public networks and never sees
! 192.168.1.0/24 or 172.16.1.0/24, which travel inside the tunnel
router eigrp 100
 network 12.1.1.0 0.0.0.255
 network 2.2.2.0 0.0.0.255
 network 23.1.1.0 0.0.0.255
 no auto-summary

 

-------------------------------------------------------

 

R3#

! ISAKMP policy (must match R1)
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
!
! Pre-shared key and peer (R1's public IP)
crypto isakmp key cisco address 12.1.1.1
!
crypto ipsec transform-set 1 esp-3des esp-md5-hmac
!
crypto map 3to1 1 ipsec-isakmp
 set peer 12.1.1.1
 set transform-set 1
 match address 100
!
interface Loopback 0
 ip address 3.3.3.3 255.255.255.0
!
interface FastEthernet 0/0
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 no shutdown
!
interface FastEthernet 0/1
 ip address 23.1.1.3 255.255.255.0
 ip nat outside
 crypto map 3to1
 no shutdown
!
router eigrp 100
 network 23.1.1.0 0.0.0.255
 network 3.3.3.0 0.0.0.255
 no auto-summary
!
ip nat inside source list 101 interface FastEthernet 0/1 overload
!
ip route 0.0.0.0 0.0.0.0 23.1.1.2
!
! Interesting traffic: the mirror image of R1's access-list 100
access-list 100 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! Traffic to be translated; the VPN traffic is exempted first (NAT runs before the crypto map check)
access-list 101 deny   ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 172.16.1.0 0.0.0.255 any
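Two things a practitioner would add to this lab: commands that prove the tunnel actually carries the traffic, and stronger proposals than 3DES, MD5 and DH group 2, which were already deprecated when the lab was written. The block below is an added example, not part of the original lab. It covers R1's side only (R3 needs the mirror-image changes), assumes R1's addresses and peer 23.1.1.3 from the configuration above, and assumes an IOS release that supports AES-256, SHA-256 and DH group 14 (15.x). Policy number 5, the transform-set name STRONG and the placeholder <long-random-secret> are arbitrary choices.

```cisco
! ---- R1, exec mode: verify the tunnel built with the lab configuration ----
! Trigger it with traffic that matches access-list 100: the source must be in 192.168.1.0/24.
! A plain "ping 172.16.1.100" is sourced from 12.1.1.1 and never matches the crypto ACL.
ping 172.16.1.100 source 192.168.1.1
!
! Phase 1: expect one entry for peer 23.1.1.3 in state QM_IDLE
show crypto isakmp sa
! Phase 2: "#pkts encaps" and "#pkts decaps" must both grow. Encaps growing while decaps
! stays at 0 means the far side never answers inside the tunnel: check its crypto ACL,
! its NAT exemption and its default route.
show crypto ipsec sa | include ident|pkts
! One line per peer; "Session status: UP-ACTIVE" once both phases are up
show crypto session
! Confirm the map is bound to the outside interface and references ACL 100
show crypto map
! If phase 1 never reaches QM_IDLE, watch the exchange live: a policy or key mismatch
! shows up here. Turn it off again with "undebug all"; debugs are expensive on a busy router.
debug crypto isakmp
undebug all
!
! ---- R1, configuration mode: stronger proposals (change both peers together) ----
configure terminal
! Lower policy numbers are tried first, so once R3 has the matching policy, remove
! policy 1 so that 3DES/MD5/group 2 can no longer be negotiated.
crypto isakmp policy 5
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
no crypto isakmp policy 1
!
! Replace the dictionary-word key "cisco" with a long random secret (same value on R3)
no crypto isakmp key cisco address 23.1.1.3
crypto isakmp key <long-random-secret> address 23.1.1.3
!
crypto ipsec transform-set STRONG esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Point the existing map entry at the new transform set and require PFS on phase 2 rekeys
crypto map 1to3 1 ipsec-isakmp
 set transform-set STRONG
 set pfs group14
end
!
! After changing proposals, clear the old SAs so the new ones are negotiated
clear crypto isakmp
clear crypto sa
```

Apply the policy, key and transform-set changes on R3 first (with peer 12.1.1.1), then on R1, and only then remove policy 1 on both; removing it on one side while the other still offers only 3DES/MD5 leaves no common proposal and phase 1 fails.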

 

--------------------------------------------------------

R1 routing table (screenshot):

 

--------------------------------------------------------------------------

 

R2 routing table (screenshot):

 

--------------------------------------------------------------------------------

 

Router R3 (screenshot):

 

------------------------------------------------------------------

 

PC 192.168.1.100 (screenshot):

 

----------------------------------------------------

 

PC 172.16.1.100 (screenshot):

 

--------------------------------------------------

 

*Lab result: with the IPSec VPN configured, 192.168.1.0/24 can reach 172.16.1.0/24.