技术在于专研
Category: System Operations
2007-10-28 14:08:41
IOS GRE (tunnel) + IPSec (transport mode + pre-share) configuration

The GRE tunnel runs between the two Serial0/0 addresses (173.16.1.1 on London, 173.16.1.2 on Denver). On each router the crypto map applied to Serial0/0 matches the GRE traffic between those two addresses, so the tunnel itself is the traffic protected by ESP in transport mode, and the ISAKMP peer, the pre-shared key address and the crypto ACL all refer to the remote Serial0/0 address.

1. GRE part of the London router configuration.

London(config)#interface Loopback0
London(config-if)#ip address 10.1.1.1 255.255.255.0
London(config)#interface Serial0/0
London(config-if)#ip address 173.16.1.1 255.255.255.252
London(config-if)#no shutdown
London(config)#interface Tunnel0
London(config-if)#ip unnumbered Serial0/0
London(config-if)#tunnel source Serial0/0
London(config-if)#tunnel destination 173.16.1.2
London(config)#ip route 0.0.0.0 0.0.0.0 173.16.1.2
London(config)#ip route 10.2.2.0 255.255.255.0 Tunnel0

2. GRE part of the Denver router configuration.

Denver(config)#interface Loopback0
Denver(config-if)#ip address 10.2.2.1 255.255.255.0
Denver(config)#interface Serial0/0
Denver(config-if)#ip address 173.16.1.2 255.255.255.252
Denver(config-if)#no shutdown
Denver(config)#interface Tunnel0
Denver(config-if)#ip unnumbered Serial0/0
Denver(config-if)#tunnel source Serial0/0
Denver(config-if)#tunnel destination 173.16.1.1
Denver(config)#ip route 0.0.0.0 0.0.0.0 173.16.1.1
Denver(config)#ip route 10.1.1.0 255.255.255.0 Tunnel0

3. IPSec part of the London router configuration.

London(config)#crypto isakmp enable
London(config)#crypto isakmp policy 10
London(config-isakmp)#hash md5
London(config-isakmp)#authentication pre-share
London(config-isakmp)#encryption 3des
London(config-isakmp)#group 2
London(config)#crypto isakmp key cisco1234 address 173.16.1.2
London(config)#crypto ipsec transform-set ccsp esp-des esp-md5-hmac
London(cfg-crypto-trans)#mode transport
London(config)#crypto map cisco 10 ipsec-isakmp
London(config-crypto-map)#set peer 173.16.1.2
London(config-crypto-map)#set transform-set ccsp
London(config-crypto-map)#match address 101
London(config)#access-list 101 permit gre host 173.16.1.1 host 173.16.1.2
London(config)#interface Serial0/0
London(config-if)#crypto map cisco

4. IPSec part of the Denver router configuration.

Denver(config)#crypto isakmp enable
Denver(config)#crypto isakmp policy 10
Denver(config-isakmp)#hash md5
Denver(config-isakmp)#authentication pre-share
Denver(config-isakmp)#encryption 3des
Denver(config-isakmp)#group 2
Denver(config)#crypto isakmp key cisco1234 address 173.16.1.1
Denver(config)#crypto ipsec transform-set ccsp esp-des esp-md5-hmac
Denver(cfg-crypto-trans)#mode transport
Denver(config)#crypto map cisco 10 ipsec-isakmp
Denver(config-crypto-map)#set peer 173.16.1.1
Denver(config-crypto-map)#set transform-set ccsp
Denver(config-crypto-map)#match address 101
Denver(config)#access-list 101 permit gre host 173.16.1.2 host 173.16.1.1
Denver(config)#interface Serial0/0
Denver(config-if)#crypto map cisco

**************************************************
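Added example, not part of the original post: a small Python check that reads one side of a GRE-over-IPsec configuration and verifies what this design depends on, namely that the crypto map's peer, the pre-shared key address and the GRE crypto ACL all point at the tunnel destination and that the transform set is in transport mode. It also flags the DES, 3DES, MD5 and DH group 2 choices, which are deprecated today. The embedded configuration is a constructed sample with a deliberately mismatched peer address so the check has something to report.

```python
import re

# Constructed sample (not a router's real output): one side of the GRE-over-IPsec
# design, with the peer and ACL deliberately pointing at .5 while the GRE tunnel
# destination is .2, so the crypto map would never protect the tunnel traffic.
SAMPLE = """
crypto isakmp policy 10
 hash md5
 authentication pre-share
 encryption 3des
 group 2
crypto isakmp key cisco1234 address 173.16.1.5
crypto ipsec transform-set ccsp esp-des esp-md5-hmac
 mode transport
crypto map cisco 10 ipsec-isakmp
 set peer 173.16.1.5
 set transform-set ccsp
 match address 101
interface Tunnel0
 tunnel source Serial0/0
 tunnel destination 173.16.1.2
access-list 101 permit gre host 173.16.1.1 host 173.16.1.5
"""

WEAK = ["esp-des", "3des", "md5", "group 2"]  # deprecated cipher/hash/DH choices

def grab(pattern, cfg):
    m = re.search(pattern, cfg, re.M)  # first capture group of the first match
    return m.group(1) if m else None

def audit(cfg):
    """Consistency and strength findings for one side of GRE over IPsec."""
    findings = []
    tun_dst = grab(r"^\s*tunnel destination (\S+)", cfg)
    peer = grab(r"^\s*set peer (\S+)", cfg)
    key_addr = grab(r"^\s*crypto isakmp key \S+ address (\S+)", cfg)
    acl_id = grab(r"^\s*match address (\d+)", cfg) or "0"
    acl_dst = grab(r"^access-list %s permit gre host \S+ host (\S+)" % acl_id, cfg)
    if peer != tun_dst:  # the IKE/IPsec peer must be the GRE endpoint
        findings.append("peer %s != tunnel destination %s" % (peer, tun_dst))
    if key_addr != peer:  # the pre-shared key must be bound to that peer
        findings.append("isakmp key address %s != peer %s" % (key_addr, peer))
    if acl_dst != tun_dst:  # the crypto ACL must select GRE to the tunnel endpoint
        findings.append("acl %s does not match GRE to %s" % (acl_id, tun_dst))
    if grab(r"^\s*(mode transport)", cfg) is None:  # IOS default is tunnel mode
        findings.append("transform-set is not in transport mode")
    findings += ["weak: %s" % w for w in WEAK if re.search(r"\b%s\b" % w, cfg)]
    return findings
```

Running `audit` over each router's `show run` output catches the copy-paste mismatches that otherwise only show up as a tunnel that comes up unencrypted or not at all.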
Full configuration

[London]

r1#show run
Building configuration...

Current configuration : 1737 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
ip cef
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 173.16.1.2
!
crypto ipsec transform-set ccsp esp-des esp-md5-hmac
 mode transport
!
crypto map cisco 10 ipsec-isakmp
 set peer 173.16.1.2
 set transform-set ccsp
 match address 101
!
interface Tunnel0
 ip unnumbered Serial1/0
 tunnel source Serial1/0
 tunnel destination 173.16.1.2
!
interface FastEthernet0/0
 ip address 192.168.1.111 255.255.255.0
 duplex half
!
interface Serial1/0
 ip address 173.16.1.1 255.255.255.252
 serial restart-delay 0
 crypto map cisco
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/4
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/5
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/6
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/7
 no ip address
 shutdown
 serial restart-delay 0
!
ip route 0.0.0.0 0.0.0.0 173.16.1.2
ip route 10.2.2.0 255.255.255.0 Tunnel0
no ip http server
no ip http secure-server
!
logging alarm informational
access-list 101 permit gre host 173.16.1.1 host 173.16.1.2
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
end

[Denver]

r2#show run
Building configuration...

Current configuration : 1764 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
ip cef
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 173.16.1.1
!
crypto ipsec transform-set ccsp esp-des esp-md5-hmac
 mode transport
!
crypto map cisco 10 ipsec-isakmp
 set peer 173.16.1.1
 set transform-set ccsp
 match address 101
!
interface Tunnel0
 ip unnumbered Serial1/0
 tunnel source Serial1/0
 tunnel destination 173.16.1.1
!
interface Loopback0
 ip address 10.2.2.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface Serial1/0
 ip address 173.16.1.2 255.255.255.252
 serial restart-delay 0
 crypto map cisco
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/4
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/5
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/6
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/7
 no ip address
 shutdown
 serial restart-delay 0
!
ip route 0.0.0.0 0.0.0.0 173.16.1.1
ip route 192.168.1.0 255.255.255.0 Tunnel0
no ip http server
no ip http secure-server
!
logging alarm informational
access-list 101 permit gre host 173.16.1.2 host 173.16.1.1
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
end