Complete implementation of an IPsec tunnel-mode VPN between remote subnets over OSPF on Cisco routers
The topology is as follows:
PC1--R1--ISP1--ISP2--R3--PC2
Notes: the ISP routers run the OSPF dynamic routing protocol between themselves; R1 and R3 act as the border routers and have PAT enabled; PC1 and PC2 represent hosts on the internal networks.
Requirement: PC1 and PC2 must be able to reach each other with their private IP addresses over an encrypted tunnel, while all other Internet traffic is translated by ordinary PAT.
The configuration of each device is as follows:
PC1 configuration:
- conf t
- int f0/0
- ip add 192.168.0.1 255.255.255.0
- no shut
- exit
- no ip routing
- ip default-gateway 192.168.0.2
- end
- wr
PC2 configuration:
- conf t
- int f0/0
- ip add 172.16.0.1 255.255.255.0
- no shut
- exit
- no ip routing
- ip default-gateway 172.16.0.2
- end
- wr
R1 configuration commands:
- conf t
- int e0/0
- ip add 192.168.0.2 255.255.255.0
- duplex full
- ip nat inside
- no shut
- int e0/1
- ip add 1.0.0.1 255.255.255.252
- duplex full
- ip nat outside
- no shut
- exit
- access-list 1 permit any
- ip nat inside source list 1 interface e0/1 overload
- ip route 0.0.0.0 0.0.0.0 1.0.0.2
- crypto isakmp enable
- crypto isakmp policy 1
- encryption aes
- hash sha
- group 2
- authentication pre-share
- exit
- crypto isakmp key 0 IPSEC-TUNNEL address 2.0.0.1
- access-list 100 permit gre host 1.0.0.1 host 2.0.0.1
- access-list 100 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
- crypto ipsec transform-set myset ah-sha-hmac esp-md5-hmac esp-3des
- mode tunnel
- exit
- crypto map mymap 1 ipsec-isakmp
- match address 100
- set transform-set myset
- set peer 2.0.0.1
- exit
- int e0/1
- crypto map mymap
- int tunnel 0
- ip add 100.0.0.1 255.255.255.252
- tunnel source 1.0.0.1
- tunnel destination 2.0.0.1
- crypto map mymap
- keepalive 2 3
- no shutdown
- exit
- ip route 172.16.0.0 255.255.255.0 tunnel 0
- do wr
R3 configuration commands:
- conf t
- int e0/1
- ip add 172.16.0.2 255.255.255.0
- duplex full
- ip nat inside
- no shut
- int e0/0
- ip add 2.0.0.1 255.255.255.252
- duplex full
- ip nat outside
- no shut
- exit
- access-list 1 permit any
- ip nat inside source list 1 interface e0/0 overload
- ip route 0.0.0.0 0.0.0.0 2.0.0.2
- crypto isakmp enable
- crypto isakmp policy 1
- encryption aes
- hash sha
- group 2
- authentication pre-share
- exit
- crypto isakmp key 0 IPSEC-TUNNEL address 1.0.0.1
- access-list 100 permit gre host 2.0.0.1 host 1.0.0.1
- access-list 100 permit ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255
- crypto ipsec transform-set myset ah-sha-hmac esp-md5-hmac esp-3des
- mode tunnel
- exit
- crypto map mymap 1 ipsec-isakmp
- match address 100
- set transform-set myset
- set peer 1.0.0.1
- exit
- int e0/0
- crypto map mymap
- int tunnel 0
- ip add 100.0.0.2 255.255.255.252
- tunnel source 2.0.0.1
- tunnel destination 1.0.0.1
- crypto map mymap
- keepalive 2 3
- no shutdown
- exit
- ip route 192.168.0.0 255.255.255.0 tunnel 0
- do wr
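The IKE and IPsec settings on R1 and R3 have to be exact mirror images of each other: a single mismatch in the peer address, the pre-shared key, the transform set, or a crypto ACL that is not the reverse of the far end's leaves Phase 1 or Phase 2 stuck with no obvious error. The Python script below is an added example and not part of the original write-up. It copies the crypto-relevant lines of the R1 and R3 sections above into two constructed strings, parses them, and reports every inconsistency it finds; it also lists the legacy algorithms in the transform set, since `esp-md5-hmac` and `esp-3des` appear here only because the write-up uses them. The `check_peers`, `legacy_algorithms` and `mirror` functions and the wording of the findings are the example's own.

```python
import re

# Constructed input: the crypto-relevant lines of R1 and R3, copied from the sections above.
R1_CONFIG = """\
crypto isakmp key 0 IPSEC-TUNNEL address 2.0.0.1
access-list 100 permit gre host 1.0.0.1 host 2.0.0.1
access-list 100 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
crypto ipsec transform-set myset ah-sha-hmac esp-md5-hmac esp-3des
crypto map mymap 1 ipsec-isakmp
 match address 100
 set transform-set myset
 set peer 2.0.0.1
"""

R3_CONFIG = """\
crypto isakmp key 0 IPSEC-TUNNEL address 1.0.0.1
access-list 100 permit gre host 2.0.0.1 host 1.0.0.1
access-list 100 permit ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255
crypto ipsec transform-set myset ah-sha-hmac esp-md5-hmac esp-3des
crypto map mymap 1 ipsec-isakmp
 match address 100
 set transform-set myset
 set peer 1.0.0.1
"""

# Transforms a hardening review should flag (deprecated ciphers and hashes).
LEGACY = {"esp-des": "DES", "esp-3des": "3DES",
          "esp-md5-hmac": "HMAC-MD5", "ah-md5-hmac": "HMAC-MD5"}


def parse_crypto(config):
    """Pull the IKE/IPsec settings out of an IOS configuration fragment."""
    info = {"acls": {}, "peer": None, "psk": None, "psk_peer": None,
            "transforms": frozenset(), "match_acl": None, "local": None}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"crypto isakmp key \d+ (\S+) address (\S+)", line):
            info["psk"], info["psk_peer"] = m.group(1), m.group(2)
        elif m := re.fullmatch(r"access-list (\d+) permit (\S+) (.+)", line):
            info["acls"].setdefault(m.group(1), []).append((m.group(2), m.group(3).split()))
        elif m := re.fullmatch(r"crypto ipsec transform-set \S+ (.+)", line):
            info["transforms"] = frozenset(m.group(1).split())
        elif m := re.fullmatch(r"match address (\d+)", line):
            info["match_acl"] = m.group(1)
        elif m := re.fullmatch(r"set peer (\S+)", line):
            info["peer"] = m.group(1)
    # In the GRE entry the first host is this router's own tunnel source.
    for proto, fields in crypto_acl(info):
        if proto == "gre" and fields[0] == "host":
            info["local"] = fields[1]
    return info


def crypto_acl(info):
    """Entries of the ACL referenced by `match address`."""
    return info["acls"].get(info["match_acl"], [])


def mirror(entry):
    """Rewrite one ACL entry the way the far end must write it (source and destination swapped)."""
    proto, fields = entry
    src_len = 1 if fields[0] == "any" else 2   # `any` is one token, `host X` / `net wc` are two
    return (proto, fields[src_len:] + fields[:src_len])


def check_peers(cfg_a, cfg_b):
    """Return a list of mismatches between two tunnel endpoints; empty means they agree."""
    a, b = parse_crypto(cfg_a), parse_crypto(cfg_b)
    findings = []
    for side, me, other in (("A", a, b), ("B", b, a)):
        if me["peer"] != other["local"]:
            findings.append(f"{side}: set peer {me['peer']} is not the far end's tunnel source {other['local']}")
        if me["psk_peer"] != me["peer"]:
            findings.append(f"{side}: pre-shared key is bound to {me['psk_peer']}, not to peer {me['peer']}")
    if a["psk"] != b["psk"]:
        findings.append("pre-shared keys differ")
    if a["transforms"] != b["transforms"]:
        findings.append("transform sets differ")
    mirrored_b = sorted((p, tuple(f)) for p, f in map(mirror, crypto_acl(b)))
    if sorted((p, tuple(f)) for p, f in crypto_acl(a)) != mirrored_b:
        findings.append("crypto ACLs are not mirror images of each other")
    return findings


def legacy_algorithms(config):
    """Deprecated algorithms used by the transform set, sorted by name."""
    return sorted({LEGACY[t] for t in parse_crypto(config)["transforms"] if t in LEGACY})


if __name__ == "__main__":
    print("R1 <-> R3:", check_peers(R1_CONFIG, R3_CONFIG) or "consistent")
    print("legacy algorithms on R1:", legacy_algorithms(R1_CONFIG))
    # A one-character typo in the key on R3 is the classic reason Phase 1 never completes.
    print("with mistyped key:", check_peers(R1_CONFIG, R3_CONFIG.replace("IPSEC-TUNNEL", "IPSEC-TUNEL")))
```

On the routers themselves, `show crypto isakmp sa` (state QM_IDLE once Phase 1 is up) and `show crypto ipsec sa` (the encaps/decaps counters rising while PC1 pings 172.16.0.1) confirm the same thing at runtime. Two caveats follow from the configuration rather than from the script: the AH header selected by `ah-sha-hmac` authenticates the outer IP header, so the tunnel will fail if any device between 1.0.0.1 and 2.0.0.1 rewrites addresses (there is none in this lab); and `access-list 1 permit any` hands all inside traffic to PAT, which is harmless only because the site-to-site traffic is routed into Tunnel0, an interface that is neither `ip nat inside` nor `ip nat outside`, so it is never translated.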
ISP1 configuration commands:
- conf t
- int e0/1
- ip add 1.0.0.2 255.255.255.252
- duplex full
- no shut
- int e0/0
- ip add 12.0.0.1 255.255.255.252
- duplex full
- no shut
- exit
- router ospf 100
- network 1.0.0.0 0.0.0.3 area 0
- network 12.0.0.0 0.0.0.3 area 0
- exit
- do wr
ISP2 configuration commands:
- conf t
- int e0/0
- ip add 12.0.0.2 255.255.255.252
- duplex full
- no shut
- int e0/1
- ip add 2.0.0.2 255.255.255.252
- duplex full
- no shut
- exit
- router ospf 100
- network 2.0.0.0 0.0.0.3 area 0
- network 12.0.0.0 0.0.0.3 area 0
- exit
- do wr
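The crypto peers 1.0.0.1 and 2.0.0.1 can only negotiate if the ISP core carries a route to each other's /30, and in this lab that happens only because each ISP's `network` statements match both of its interfaces (the 1.0.0.0/30 and 2.0.0.0/30 access links as well as the 12.0.0.0/30 core link). The script below is an added example, not part of the page: it applies the IOS wildcard-mask matching rule to the ISP1/ISP2 interface addresses and `network` statements copied from the two sections above, lists which interfaces OSPF is enabled on, and checks whether each tunnel endpoint address falls inside a prefix the core advertises. The `ISP1`/`ISP2` dictionaries and the function names are the example's own.

```python
import ipaddress

# Constructed from the ISP1/ISP2 sections above: interface addresses and OSPF network statements.
ISP1 = {"interfaces": {"e0/1": "1.0.0.2/30", "e0/0": "12.0.0.1/30"},
        "network": [("1.0.0.0", "0.0.0.3"), ("12.0.0.0", "0.0.0.3")]}
ISP2 = {"interfaces": {"e0/0": "12.0.0.2/30", "e0/1": "2.0.0.2/30"},
        "network": [("2.0.0.0", "0.0.0.3"), ("12.0.0.0", "0.0.0.3")]}


def _as_int(addr):
    return int(ipaddress.IPv4Address(addr))


def network_matches(interface_ip, network, wildcard):
    """IOS `network` semantics: only the bits where the wildcard bit is 0 must match."""
    care = 0xFFFFFFFF ^ _as_int(wildcard)
    return _as_int(interface_ip) & care == _as_int(network) & care


def ospf_interfaces(router):
    """Interfaces on which at least one network statement enables OSPF."""
    enabled = {}
    for name, addr in router["interfaces"].items():
        ip = addr.split("/")[0]
        if any(network_matches(ip, net, wc) for net, wc in router["network"]):
            enabled[name] = addr
    return enabled


def advertised_prefixes(router):
    """Connected prefixes this router injects into area 0 (one per OSPF-enabled interface)."""
    return {str(ipaddress.ip_interface(a).network) for a in ospf_interfaces(router).values()}


def endpoint_reachability(routers, endpoints):
    """For each crypto peer address, does some core router advertise a prefix that covers it?"""
    advertised = set().union(*(advertised_prefixes(r) for r in routers))
    return {ep: any(ipaddress.ip_address(ep) in ipaddress.ip_network(p) for p in advertised)
            for ep in endpoints}


if __name__ == "__main__":
    print("ISP1 OSPF interfaces:", ospf_interfaces(ISP1))
    print("peers reachable:", endpoint_reachability([ISP1, ISP2], ["1.0.0.1", "2.0.0.1"]))
    # Typical mistake: ISP2 announces only the core link, so R1 never learns a path to 2.0.0.1
    # and IKE to that peer times out before any crypto debugging is useful.
    broken_isp2 = dict(ISP2, network=[("12.0.0.0", "0.0.0.3")])
    print("with ISP2 misconfigured:", endpoint_reachability([ISP1, broken_isp2], ["1.0.0.1", "2.0.0.1"]))
```

On the real devices the equivalent checks are `show ip ospf interface brief` on the ISPs and `show ip route 2.0.0.1` on ISP1 (or `ping 2.0.0.1 source 1.0.0.1` on R1, since R1 itself only has the static default route).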