Lab procedure:
1. Build the topology shown in the figure
Network topology diagram
2. Configure addresses for the hosts and router interfaces
R1 interface configuration
sys
sysn R1
int g0/0/0
ip add 192.168.12.3 24
int g0/0/1
ip add 192.168.1.254 24
undo shu
#
R2 interface configuration
sys
sysn R2
int g0/0/0
ip add 192.168.12.2 24
int g0/0/1
ip add 192.168.23.1 24
undo shu
#
R3 interface configuration
sys
sysn R3
int g0/0/0
ip add 192.168.2.254 24
int g0/0/1
ip add 192.168.23.3 24
undo shu
#
Then configure the VPN.
Headquarters router R3 configuration:
[R3]acl number 3000 //create an advanced ACL
[R3-acl-adv-3000]rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 //permit the 192.168.2.0/24 segment to reach 192.168.1.0/24; this rule defines which traffic the policy protects
[R3-acl-adv-3000]ipsec proposal huawei //create a new IPsec proposal named huawei
[R3-ipsec-proposal-huawei]esp authentication-algorithm sha1 //ESP authentication (integrity) algorithm SHA1; the default is MD5. This is not the encryption algorithm: no esp encryption-algorithm is set here, so the platform default applies, and anything beyond a lab should set one explicitly (e.g. AES)
[R3-ipsec-proposal-huawei]q
[R3]ipsec policy huawei 10 manual
//configure an IPsec policy named huawei, sequence number 10, in manual keying mode
[R3-ipsec-policy-manual-huawei-10]security acl 3000
//bind ACL 3000: the traffic it permits (192.168.2.0/24 to 192.168.1.0/24) is sent through the VPN
[R3-ipsec-policy-manual-huawei-10]proposal huawei //reference the proposal named huawei
[R3-ipsec-policy-manual-huawei-10]tunnel local 192.168.23.3 //local tunnel endpoint address
[R3-ipsec-policy-manual-huawei-10]tunnel remote 192.168.12.3 //peer tunnel endpoint address
[R3-ipsec-policy-manual-huawei-10]sa spi inbound esp 54321
//inbound SA, SPI 54321; the local inbound SPI must equal the peer's outbound SPI
[R3-ipsec-policy-manual-huawei-10]sa string-key inbound esp cipher huawei //inbound SA key huawei, stored in the configuration in cipher-text form; the local inbound key must equal the peer's outbound key
[R3-ipsec-policy-manual-huawei-10]sa spi outbound esp 12345
//outbound SA, SPI 12345; the local outbound SPI must equal the peer's inbound SPI
[R3-ipsec-policy-manual-huawei-10]sa string-key outbound esp cipher huawei000
//outbound SA key huawei000; the local outbound key must equal the peer's inbound key. The cipher keyword only controls how the key is stored in the configuration, not how strong it is
[R3]int g0/0/1 //enter interface g0/0/1
[R3-GigabitEthernet0/0/1]ipsec policy huawei //apply the policy on the interface facing R2
Configure a static route on R3
[R3]ip route-static 0.0.0.0 0 192.168.23.1 //default route towards R2; R2 needs only its connected routes, because the protected traffic travels inside ESP between 192.168.23.3 and 192.168.12.3
Branch router R1 configuration (the mirror image of R3: ACL source and destination swapped, tunnel endpoints swapped, inbound and outbound SPIs and keys exchanged):
[R1]acl number 3000
[R1-acl-adv-3000]rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[R1-acl-adv-3000]ipsec proposal huawei
[R1-ipsec-proposal-huawei]esp authentication-algorithm sha1
[R1-ipsec-proposal-huawei]q
[R1]ipsec policy huawei 10 manual
[R1-ipsec-policy-manual-huawei-10]security acl 3000
[R1-ipsec-policy-manual-huawei-10]proposal huawei
[R1-ipsec-policy-manual-huawei-10]tunnel local 192.168.12.3
[R1-ipsec-policy-manual-huawei-10]tunnel remote 192.168.23.3
[R1-ipsec-policy-manual-huawei-10]sa spi inbound esp 12345
[R1-ipsec-policy-manual-huawei-10]sa string-key inbound esp cipher huawei000
[R1-ipsec-policy-manual-huawei-10]sa spi outbound esp 54321
[R1-ipsec-policy-manual-huawei-10]sa string-key outbound esp cipher huawei
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ipsec policy huawei
Configure a static route on R1
[R1]ip route-static 0.0.0.0 0 192.168.12.2
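The mirroring rules above (one router's inbound SPI and key equal the other's outbound SPI and key, tunnel endpoints swapped, ACLs mirrored) are easy to get wrong when two configurations are typed by hand. The following Python script is an added example, not part of the lab report or of Huawei's tooling: it parses the VRP command lines as shown for R3 and R1 (the two constants below are constructed copies of the report's commands, prompts included), checks those rules, and flags weak or defaulted proposal settings. The 16-character key threshold and the set of algorithms it treats as weak are the example's own assumptions.

```python
"""Mirroring and hygiene checks for a pair of Huawei VRP manual IPsec policies.

Added example, not code from the lab report or from Huawei. CLI prompts such as
"[R3-ipsec-policy-manual-huawei-10]" and "//" comments are stripped before parsing.
"""
import re

# Constructed from the report's R3 commands (prompts kept to show they are tolerated).
R3_CONFIG = """
[R3]acl number 3000
[R3-acl-adv-3000]rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[R3]ipsec proposal huawei
[R3-ipsec-proposal-huawei]esp authentication-algorithm sha1
[R3]ipsec policy huawei 10 manual
[R3-ipsec-policy-manual-huawei-10]security acl 3000
[R3-ipsec-policy-manual-huawei-10]tunnel local 192.168.23.3
[R3-ipsec-policy-manual-huawei-10]tunnel remote 192.168.12.3
[R3-ipsec-policy-manual-huawei-10]sa spi inbound esp 54321
[R3-ipsec-policy-manual-huawei-10]sa string-key inbound esp cipher huawei
[R3-ipsec-policy-manual-huawei-10]sa spi outbound esp 12345
[R3-ipsec-policy-manual-huawei-10]sa string-key outbound esp cipher huawei000
"""

# Constructed from the report's R1 commands (prompts omitted).
R1_CONFIG = """
acl number 3000
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
ipsec proposal huawei
esp authentication-algorithm sha1
ipsec policy huawei 10 manual
security acl 3000
tunnel local 192.168.12.3
tunnel remote 192.168.23.3
sa spi inbound esp 12345
sa string-key inbound esp cipher huawei000
sa spi outbound esp 54321
sa string-key outbound esp cipher huawei
"""

PROMPT = re.compile(r"^\[[^\]]*\]")


def parse_manual_policy(text):
    """Extract the SA parameters from VRP command lines into a dict."""
    p = {"acl": None, "local": None, "remote": None, "auth": None, "enc": None}
    for raw in text.splitlines():
        line = PROMPT.sub("", raw).split("//")[0].strip()
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "rule" and "source" in tok and "destination" in tok:
            s, d = tok.index("source"), tok.index("destination")
            # ((src network, wildcard), (dst network, wildcard))
            p["acl"] = ((tok[s + 1], tok[s + 2]), (tok[d + 1], tok[d + 2]))
        elif tok[:2] == ["tunnel", "local"]:
            p["local"] = tok[2]
        elif tok[:2] == ["tunnel", "remote"]:
            p["remote"] = tok[2]
        elif tok[:2] == ["sa", "spi"]:          # sa spi {inbound|outbound} esp <spi>
            p["spi_" + tok[2]] = int(tok[4])
        elif tok[:2] == ["sa", "string-key"]:   # sa string-key {inbound|outbound} esp cipher <key>
            p["key_" + tok[2]] = tok[-1]
        elif tok[:2] == ["esp", "authentication-algorithm"]:
            p["auth"] = tok[2]
        elif tok[:2] == ["esp", "encryption-algorithm"]:
            p["enc"] = tok[2]
    return p


def check_pair(a, b):
    """Return the mirroring violations between two peer policies (empty list = consistent)."""
    problems = []
    for field in ("spi", "key"):
        if a.get(f"{field}_inbound") != b.get(f"{field}_outbound"):
            problems.append(f"{field}: A inbound != B outbound")
        if a.get(f"{field}_outbound") != b.get(f"{field}_inbound"):
            problems.append(f"{field}: A outbound != B inbound")
    if a["local"] != b["remote"] or a["remote"] != b["local"]:
        problems.append("tunnel endpoints are not swapped")
    if a["acl"] is None or b["acl"] is None or a["acl"] != (b["acl"][1], b["acl"][0]):
        problems.append("security ACLs are not mirror images")
    return problems


def hygiene_warnings(p):
    """Flag weak or defaulted settings in one proposal/policy (thresholds are this example's assumptions)."""
    warnings = []
    if p["enc"] is None:
        warnings.append("no esp encryption-algorithm set; platform default applies")
    if p["auth"] in (None, "md5", "sha1"):
        warnings.append(f"weak or defaulted authentication algorithm: {p['auth']}")
    if len(p.get("key_inbound", "")) < 16 or len(p.get("key_outbound", "")) < 16:
        warnings.append("string-key shorter than 16 characters")
    return warnings


if __name__ == "__main__":
    r3, r1 = parse_manual_policy(R3_CONFIG), parse_manual_policy(R1_CONFIG)
    print("mirroring problems:", check_pair(r3, r1))
    print("R3 warnings:", hygiene_warnings(r3))
```

Run against the report's two configurations the mirroring check returns an empty list; change a single key character on one side and it names the direction that no longer matches, which is exactly the class of mistake that otherwise only shows up as a silent ping failure.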
Final result: PC1 pings PC2 successfully
Final result: PC2 pings PC1 successfully
Packet capture on R1's g0/0/0 interface
Packet capture on R3's g0/0/1 interface
In both captures the traffic between 192.168.12.3 and 192.168.23.3 should appear as ESP (IP protocol 50), with SPI 0x0000d431 (54321) in the R1-to-R3 direction and 0x00003039 (12345) in the R3-to-R1 direction, rather than as plaintext ICMP; if ICMP echo packets are visible on these links, the policy is not matching the traffic.