
[Daily Must-Learn] How to Configure a Multi-Site Site-to-Site VPN

Author: 微思網絡   Published: 2017-03-21



Configure the Internet router

    interface Serial1/0
     ip address 202.100.1.10 255.255.255.0
     no shutdown
    interface Serial1/1
     ip address 202.100.2.10 255.255.255.0
     no shutdown
    interface Serial1/2
     ip address 202.100.3.10 255.255.255.0
     no shutdown


Step 1: Configure routing

Configure R1:

    ip route 172.16.2.0 255.255.255.0 202.100.1.10
    ip route 172.16.3.0 255.255.255.0 202.100.1.10
    ip route 202.100.2.0 255.255.255.0 202.100.1.10
    ip route 202.100.3.0 255.255.255.0 202.100.1.10

Configure R2:

    ip route 172.16.1.0 255.255.255.0 202.100.2.10
    ip route 172.16.3.0 255.255.255.0 202.100.2.10
    ip route 202.100.1.0 255.255.255.0 202.100.2.10
    ip route 202.100.3.0 255.255.255.0 202.100.2.10

Configure R3:

    ip route 172.16.1.0 255.255.255.0 202.100.3.10
    ip route 172.16.2.0 255.255.255.0 202.100.3.10
    ip route 202.100.1.0 255.255.255.0 202.100.3.10
    ip route 202.100.2.0 255.255.255.0 202.100.3.10

 

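Note: In real deployments, enterprises reach the Internet through a default route. In the topology above, configuring a single default route on each of R1, R2 and R3 would also solve the routing problem. The enterprise router also acts as an Internet edge router, so a 0.0.0.0 0.0.0.0 route toward the Internet is indispensable.

Configure a default route on R1, R2 and R3 respectively:

    R1: ip route 0.0.0.0 0.0.0.0 202.100.1.10
    R2: ip route 0.0.0.0 0.0.0.0 202.100.2.10
    R3: ip route 0.0.0.0 0.0.0.0 202.100.3.10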


Step 2: ISAKMP policy configuration

Configure R1:

    crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key cisco address 202.100.2.2
    crypto isakmp key cisco address 202.100.3.3

Configure R2:

    crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key 0 cisco address 202.100.1.1
    crypto isakmp key 0 cisco address 202.100.3.3

Configure R3:

    crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key cisco address 202.100.1.1
    crypto isakmp key cisco address 202.100.2.2


Step 3: Configure the IPsec transform set

Configure R1:

    crypto ipsec transform-set myset esp-3des esp-sha-hmac

Configure R2:

    crypto ipsec transform-set myset esp-3des esp-sha-hmac

Configure R3:

    crypto ipsec transform-set myset esp-3des esp-sha-hmac


Step 4: Define the interesting traffic

Configure R1:

    access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
    access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255

Configure R2:

    access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
    access-list 101 permit ip 172.16.2.0 0.0.0.255 172.16.3.0 0.0.0.255

Configure R3:

    access-list 100 permit ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255
    access-list 101 permit ip 172.16.3.0 0.0.0.255 172.16.2.0 0.0.0.255

 

Step 5: Configure the crypto map

Configure R1:

    crypto map mymap 10 ipsec-isakmp
     set peer 202.100.2.2
     match address 100
     set transform-set myset
    crypto map mymap 20 ipsec-isakmp
     set peer 202.100.3.3
     match address 101
     set transform-set myset

Configure R2:

    crypto map mymap 10 ipsec-isakmp
     set peer 202.100.1.1
     match address 100
     set transform-set myset
    crypto map mymap 20 ipsec-isakmp
     set peer 202.100.3.3
     match address 101
     set transform-set myset

Configure R3:

    crypto map mymap 10 ipsec-isakmp
     set peer 202.100.1.1
     match address 100
     set transform-set myset
    crypto map mymap 20 ipsec-isakmp
     set peer 202.100.2.2
     match address 101
     set transform-set myset

 

Step 6: Apply the crypto map to the corresponding interface

Configure R1:

    int s1/0
     crypto map mymap

Configure R2:

    int s1/0
     crypto map mymap

Configure R3:

    int s1/0
     crypto map mymap

 

Step 7: Test

    R1#ping 172.16.2.2 source 172.16.1.1
    R1#ping 172.16.3.3 source 172.16.1.1
    R2#ping 172.16.1.1 source 172.16.2.2
    R2#ping 172.16.3.3 source 172.16.2.2
    R3#ping 172.16.1.1 source 172.16.3.3
    R3#ping 172.16.2.2 source 172.16.3.3

 

Common verification commands:

    show crypto isakmp policy
    show crypto ipsec transform-set
    show crypto isakmp sa
    show crypto ipsec sa
    show crypto map
    clear crypto sa
    clear crypto sa peer (ip address|peer name)
    clear crypto sa map (map name)
    debug crypto isakmp
    debug crypto ipsec
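The pre-shared keys, crypto ACLs and crypto map entries on the routers have to agree pairwise: each router needs a key for every peer, each peer needs a crypto map entry pointing back, and the two crypto ACLs must be exact mirrors of each other. The Python below is an added example, not part of the original article: it rebuilds the R1/R2/R3 crypto lines shown on this page and checks those three properties. The function names render, parse and check_mesh are hypothetical, and the per-site addressing rule is inferred from the page's addresses.

```python
import re

def render(site, peers):
    # Rebuild the page's crypto lines; assumed rule: site n = LAN 172.16.n.0/24, WAN 202.100.n.n.
    out = []
    for i, p in enumerate(peers):
        out += [f"crypto isakmp key cisco address 202.100.{p}.{p}",
                f"access-list {100 + i} permit ip 172.16.{site}.0 0.0.0.255 172.16.{p}.0 0.0.0.255",
                f"crypto map mymap {10 * (i + 1)} ipsec-isakmp",
                f" set peer 202.100.{p}.{p}",
                f" match address {100 + i}",
                " set transform-set myset"]
    return "\n".join(out)

def parse(cfg):
    # Returns (peers that have a pre-shared key, {peer IP: set of (src, dst) ACL entries}).
    # Only the "network wildcard" ACL form used on the page is handled.
    keys = set(re.findall(r"^crypto isakmp key (?:\d )?\S+ address (\S+)", cfg, re.M))
    acls = {}
    for num, src, dst in re.findall(r"^access-list (\d+) permit ip (\S+ \S+) (\S+ \S+)", cfg, re.M | re.I):
        acls.setdefault(num, set()).add((src, dst))
    tunnels = {}
    for entry in re.split(r"^crypto map \S+ \d+ ipsec-isakmp", cfg, flags=re.M)[1:]:
        peer = re.search(r"^\s*set peer (\S+)", entry, re.M)
        acl = re.search(r"^\s*match address (\d+)", entry, re.M)
        if peer:
            tunnels[peer.group(1)] = acls.get(acl.group(1), set()) if acl else set()
    return keys, tunnels

def check_mesh(configs, wan):
    # configs: router name -> config text; wan: router name -> its own WAN address.
    parsed = {name: parse(cfg) for name, cfg in configs.items()}
    by_ip = {ip: name for name, ip in wan.items()}
    findings = []
    for name, (keys, tunnels) in parsed.items():
        for peer_ip, acl in tunnels.items():
            if peer_ip not in keys:
                findings.append(f"{name}: no pre-shared key for peer {peer_ip}")
            peer = by_ip.get(peer_ip)
            back = parsed[peer][1].get(wan[name]) if peer else None
            if back is None:
                findings.append(f"{name}: {peer_ip} has no crypto map entry pointing back")
            elif back != {(dst, src) for src, dst in acl}:
                findings.append(f"{name}: crypto ACL for {peer_ip} is not mirrored on {peer}")
    return findings

SITES = (1, 2, 3)  # the page's R1, R2, R3
WAN = {f"R{n}": f"202.100.{n}.{n}" for n in SITES}
CONFIGS = {f"R{n}": render(n, [p for p in SITES if p != n]) for n in SITES}
```

check_mesh(CONFIGS, WAN) returns an empty list for the three-router configuration on this page. It checks peer, key and ACL symmetry only; it does not evaluate the algorithm choices (3DES, MD5, DH group 2) or the shared key, which are legacy settings.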

 



 




