Lab objective:
Understand how ××× works and be able to configure a multi-site IPsec ××× on Cisco routers.
Lab environment topology and requirements:
Suggestions:
1. Routers can be emulated with a 7200; IOS image: unzip-c7200-advsecurityk9-mz.124-9.T1.bin
2. PCs can be emulated with simulated PCs
Requirements:
1. Achieve full network connectivity
2. Establish a ××× link between the 50.50.50.0 subnet and the 60.60.60.0 subnet
3. Establish a ××× link between the 50.50.50.0 subnet and the 70.70.70.0 subnet
Lab steps: [required]
Write out the steps of your lab by category; text or watermarked screenshots may be used.
Configuration:
R1:
en
conf t
no ip domain-lo
host R1
int f1/0
ip add 50.50.50.50 255.255.255.0 // configure the interface IP address
no sh
exit
int f0/0
ip add 192.168.10.1 255.255.255.0
no sh
exit
ip route 60.60.60.0 255.255.255.0 192.168.10.2 // static route to the 60 subnet
ip route 70.70.70.0 255.255.255.0 192.168.10.3
crypto isakmp policy 1 // IKE phase 1 policy and its priority
hash md5 // hash algorithm
encryption 3des // encryption algorithm
authentication pre-share // authenticate peers with a pre-shared key
exit
crypto isakmp key lolst address 192.168.10.2 // IKE pre-shared key for the given peer address
crypto ipsec transform-set lolst1 ah-md5-hmac esp-3des // AH with MD5 authentication plus ESP with 3DES encryption
access-list 101 permit ip 50.50.50.0 0.0.0.255 60.60.60.0 0.0.0.255 // crypto ACL selecting the traffic to protect
crypto map share 1 ipsec-isakmp // crypto map entry and its sequence number
set peer 192.168.10.2 // peer address
set transform-set lolst1 // transform set to use for this entry
match address 101 // bind the crypto ACL
exit
crypto isakmp key plander address 192.168.10.3
crypto ipsec transform-set plander1 ah-md5-hmac esp-3des
access-list 102 permit ip 50.50.50.0 0.0.0.255 70.70.70.0 0.0.0.255
crypto map share 2 ipsec-isakmp
set peer 192.168.10.3
set transform-set plander1
match address 102
exit
int f0/0
crypto map share // apply the crypto map to the interface
end
-----------------------------------------
R2:
en
conf t
no ip domain-lo
host R2
int f1/0
ip add 60.60.60.60 255.255.255.0
no sh
exit
int f0/0
ip add 192.168.10.2 255.255.255.0
no sh
exit
ip route 50.50.50.0 255.255.255.0 192.168.10.1
ip route 70.70.70.0 255.255.255.0 192.168.10.3
crypto isakmp policy 1
hash md5
encryption 3des
authentication pre-share
exit
crypto isakmp key lolst address 192.168.10.1
crypto ipsec transform-set lolst1 ah-md5-hmac esp-3des
access-list 101 permit ip 60.60.60.0 0.0.0.255 50.50.50.0 0.0.0.255
crypto map share 1 ipsec-isakmp
set peer 192.168.10.1
set transform-set lolst1
match address 101
exit
int f0/0
crypto map share
end
-----------------------------------------
R3:
en
conf t
no ip domain-lo
host R3
int f1/0
ip add 70.70.70.70 255.255.255.0
no sh
exit
int f0/0
ip add 192.168.10.3 255.255.255.0
no sh
exit
ip route 60.60.60.0 255.255.255.0 192.168.10.2
ip route 50.50.50.0 255.255.255.0 192.168.10.1
crypto isakmp policy 1
hash md5
encryption 3des
authentication pre-share
exit
crypto isakmp key plander address 192.168.10.1
crypto ipsec transform-set plander1 ah-md5-hmac esp-3des
access-list 102 permit ip 70.70.70.0 0.0.0.255 50.50.50.0 0.0.0.255
crypto map share 2 ipsec-isakmp
set peer 192.168.10.1
set transform-set plander1
match address 102
exit
int f0/0
crypto map share
end
-----------------------------------------
PC1:
en
conf t
host pc1
no ip routing // disable routing so the router behaves as a host
no ip domain-lo
int f1/0
ip add 50.50.50.1 255.255.255.0
no sh
exit
ip default-gate 50.50.50.50 // default gateway
end
----------------------------------------
PC2:
en
conf t
host pc2
no ip routing
no ip domain-lo
int f1/0
ip add 60.60.60.1 255.255.255.0
no sh
exit
ip default-gate 60.60.60.60
end
----------------------------------------
PC3:
en
conf t
host pc3
no ip routing
no ip domain-lo
int f1/0
ip add 70.70.70.1 255.255.255.0
no sh
exit
ip default-gate 70.70.70.70
end
----------------------------------------
Display the IKE policy in use and describe its contents.
Router# show crypto isakmp policy
Display the IPsec transform set, describe its contents, and state whether the current encapsulation is transport mode or tunnel mode.
Router# show crypto ipsec transform-set
Display the active ISAKMP SA and analyze the ××× connection established with the peer.
Router# show crypto isakmp sa
Display the active IPsec SA and identify the traffic currently encapsulated by the ×××.
Router# show crypto ipsec sa
Router# show crypto map
Thinking question:
How would you make all three sites communicate with each other over the ×××?
Configure router 2 in the same way as router 1…
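As an added example, not part of this lab or of the configurations above, the following Python script checks the router configurations for the kind of mistakes that keep a crypto-map tunnel from coming up. It embeds the crypto-relevant lines of R1, R2 and R3 as constructed strings, then for every router pair verifies that a crypto-map entry exists in both directions, that the pre-shared keys and transform sets agree, and that the crypto ACLs are mirror images of each other; it also lists the algorithms in use that current guidance treats as weak (MD5, 3DES). It serves both the configuration section and the thinking question: on these configs it reports R1-R2 and R1-R3 as consistent and R2-R3 as having no crypto-map entry, which is the pair a full-mesh design would still have to add. All function names and the WEAK list are the example's own assumptions.

```python
import re
from itertools import combinations

# Constructed input: the IPsec-relevant lines of the R1/R2/R3 configurations from
# this lab, written out in long form so the script runs offline. The first
# "ip address" line of each router is its f0/0 peering address.
CONFIGS = {
    "R1": """
ip address 192.168.10.1 255.255.255.0
crypto isakmp policy 1
 hash md5
 encryption 3des
 authentication pre-share
crypto isakmp key lolst address 192.168.10.2
crypto ipsec transform-set lolst1 ah-md5-hmac esp-3des
access-list 101 permit ip 50.50.50.0 0.0.0.255 60.60.60.0 0.0.0.255
crypto map share 1 ipsec-isakmp
 set peer 192.168.10.2
 set transform-set lolst1
 match address 101
crypto isakmp key plander address 192.168.10.3
crypto ipsec transform-set plander1 ah-md5-hmac esp-3des
access-list 102 permit ip 50.50.50.0 0.0.0.255 70.70.70.0 0.0.0.255
crypto map share 2 ipsec-isakmp
 set peer 192.168.10.3
 set transform-set plander1
 match address 102
""",
    "R2": """
ip address 192.168.10.2 255.255.255.0
crypto isakmp policy 1
 hash md5
 encryption 3des
 authentication pre-share
crypto isakmp key lolst address 192.168.10.1
crypto ipsec transform-set lolst1 ah-md5-hmac esp-3des
access-list 101 permit ip 60.60.60.0 0.0.0.255 50.50.50.0 0.0.0.255
crypto map share 1 ipsec-isakmp
 set peer 192.168.10.1
 set transform-set lolst1
 match address 101
""",
    "R3": """
ip address 192.168.10.3 255.255.255.0
crypto isakmp policy 1
 hash md5
 encryption 3des
 authentication pre-share
crypto isakmp key plander address 192.168.10.1
crypto ipsec transform-set plander1 ah-md5-hmac esp-3des
access-list 102 permit ip 70.70.70.0 0.0.0.255 50.50.50.0 0.0.0.255
crypto map share 2 ipsec-isakmp
 set peer 192.168.10.1
 set transform-set plander1
 match address 102
""",
}

# Assumed list of algorithms considered weak today; the lab uses them on purpose,
# so the checker reports them instead of rejecting the config.
WEAK = {"md5", "3des", "des", "ah-md5-hmac", "esp-3des", "esp-des", "esp-md5-hmac"}


def parse(cfg):
    """Pull out the fields that decide whether two crypto-map peers interoperate."""
    r = {"addr": None, "keys": {}, "tsets": {}, "acls": {}, "maps": [], "policy": set()}
    cur = None  # crypto-map entry currently being filled in
    for line in cfg.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["ip", "address"] and r["addr"] is None:
            r["addr"] = t[2]
        elif t[:3] == ["crypto", "isakmp", "key"]:
            r["keys"][t[5]] = t[3]                    # peer address -> pre-shared key
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            r["tsets"][t[3]] = tuple(sorted(t[4:]))   # set name -> transforms
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            r["acls"].setdefault(t[1], set()).add((t[4], t[5], t[6], t[7]))
        elif t[:2] == ["crypto", "map"] and len(t) >= 5:
            cur = {"seq": int(t[3]), "peer": None, "tset": None, "acl": None}
            r["maps"].append(cur)
        elif cur is not None and t[:2] == ["set", "peer"]:
            cur["peer"] = t[2]
        elif cur is not None and t[:2] == ["set", "transform-set"]:
            cur["tset"] = t[2]
        elif cur is not None and t[:2] == ["match", "address"]:
            cur["acl"] = t[2]
        elif t[0] in ("hash", "encryption"):          # inside crypto isakmp policy
            r["policy"].add(t[1])
    return r


def entry_for(r, peer_addr):
    """The crypto-map entry on router r pointing at peer_addr, or None."""
    return next((m for m in r["maps"] if m["peer"] == peer_addr), None)


def check_pair(a, b):
    """Findings for the tunnel between parsed routers a and b (empty list = consistent)."""
    ea, eb = entry_for(a, b["addr"]), entry_for(b, a["addr"])
    if ea is None or eb is None:
        return ["no crypto-map entry in both directions: no tunnel between these sites"]
    findings = []
    if a["keys"].get(b["addr"]) != b["keys"].get(a["addr"]):
        findings.append("pre-shared keys differ or are missing")
    if a["tsets"].get(ea["tset"]) != b["tsets"].get(eb["tset"]):
        findings.append("transform sets do not match")
    fa = a["acls"].get(ea["acl"], set())
    fb = {(d, dm, s, sm) for s, sm, d, dm in b["acls"].get(eb["acl"], set())}
    if fa != fb:  # B's ACL, with src/dst swapped, must equal A's ACL
        findings.append("crypto ACLs are not mirror images")
    return findings


def audit(configs):
    """Check every router pair and list the weak algorithms each router uses."""
    parsed = {n: parse(c) for n, c in configs.items()}
    report = {(x, y): check_pair(parsed[x], parsed[y]) for x, y in combinations(sorted(parsed), 2)}
    weak = {n: sorted(WEAK & (p["policy"] | {t for ts in p["tsets"].values() for t in ts}))
            for n, p in parsed.items()}
    return report, weak


if __name__ == "__main__":
    report, weak = audit(CONFIGS)
    for pair, findings in report.items():
        print(f"{pair[0]}-{pair[1]}: {'OK' if not findings else '; '.join(findings)}")
    for name, algs in weak.items():
        print(f"{name} weak algorithms: {', '.join(algs) or 'none'}")
```

Paste the output of each router's running configuration into CONFIGS to run the same check on your own lab; a key typed differently on one side, or an ACL that is not the mirror of its peer's, shows up here before you have to read through `show crypto isakmp sa` and `show crypto ipsec sa` on both routers.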