Basic IPsec VPN lab; I hope it helps everyone learn IPsec VPN well.
I. Topology
II. Lab requirements
PC1 and PC2 must be able to reach each other through the VPN.
III. Lab configuration
1. Basic IP configuration
R1's f0/1 interface has IP 12.0.0.1, and its f0/0 interface is 192.168.1.254, acting as the LAN gateway; R3's f0/0 interface has IP 23.0.0.3; the remaining IPs follow the same pattern.
2. NAT configuration, so that private addresses can ping public addresses normally.
R1:
conf t
in f0/1
ip nat outside
in f0/0
ip nat inside
exit
! ACL 111 only matches PC1 -> 2.2.2.2 (the ISP side), so VPN traffic to 192.168.2.1 is never translated
access-list 111 permit ip host 192.168.1.1 host 2.2.2.2
ip nat inside source list 111 int f0/1 overload
ip route 0.0.0.0 0.0.0.0 12.0.0.2
R3:
conf t
in f0/1
ip nat inside
in f0/0
ip nat outside
exit
! ACL 111 only matches PC2 -> 2.2.2.2, so VPN traffic to 192.168.1.1 is never translated
access-list 111 permit ip host 192.168.2.1 host 2.2.2.2
ip nat inside source list 111 int f0/0 overload
ip route 0.0.0.0 0.0.0.0 23.0.0.2
Test: on R2 (simulating the ISP), enable debugging (debug ip icmp), then ping 2.2.2.2 from PC1; R2 shows output like the figure below.
The figure above proves that NAT is in effect: the packets originally sent by PC1 are forwarded with their source translated to the f0/1 address.
3. IPsec VPN configuration.
R1:
conf t
! IKE phase 1 (ISAKMP) policy; the same parameters must be configured on R3
crypto isakmp policy 10
encryption aes
hash md5
authentication pre-share
group 2
exit
crypto isakmp key 6 123 address 23.0.0.3
! IKE phase 2 (IPsec) transform set
crypto ipsec transform-set cy esp-md5-hmac esp-aes
crypto map yc 10 ipsec-isakmp
set transform-set cy
set peer 23.0.0.3
match address 122
! Crypto ACL: selects the traffic (PC1 -> PC2) that is encrypted; R3's ACL must be its mirror image
access-list 122 permit ip host 192.168.1.1 host 192.168.2.1
in f0/1
crypto map yc
R3:
conf t
crypto isakmp policy 10
encryption aes
hash md5
authentication pre-share
group 2
exit
crypto isakmp key 6 123 address 12.0.0.1
crypto ipsec transform-set cy esp-md5-hmac esp-aes
crypto map yc 10 ipsec-isakmp
set transform-set cy
set peer 12.0.0.1
match address 122
! Crypto ACL: the mirror image of R1's ACL 122 (PC2 -> PC1)
access-list 122 permit ip host 192.168.2.1 host 192.168.1.1
in f0/0
crypto map yc
Test: from headquarters (PC1), ping the private address of the branch (PC2), as shown in the figure below.
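As an added example (not part of this post), here is a small Python checker that parses the NAT and crypto ACL lines from both routers and flags the two mistakes this lab is designed to avoid: crypto ACLs that are not mirror images of each other, and a NAT ACL that overlaps the VPN traffic (IOS translates inside-to-outside before the crypto map is evaluated, which is why ACL 111 above only matches 2.2.2.2). The config excerpts are constructed from the post; the function names are my own.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed excerpts of the lab's R1 and R3 configs (NAT and crypto lines only), as the post gives them.
R1 = """access-list 111 permit ip host 192.168.1.1 host 2.2.2.2
access-list 122 permit ip host 192.168.1.1 host 192.168.2.1
ip nat inside source list 111 int f0/1 overload
crypto map yc 10 ipsec-isakmp
 match address 122"""
R3 = """access-list 111 permit ip host 192.168.2.1 host 2.2.2.2
access-list 122 permit ip host 192.168.2.1 host 192.168.1.1
ip nat inside source list 111 int f0/0 overload
crypto map yc 10 ipsec-isakmp
 match address 122"""

def _net(tokens):
    """Consume one IOS ACL address spec ('host A', 'any' or 'A wildcard'); return (network, rest)."""
    if tokens[0] == "host":
        return ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    netmask = ip_address(0xFFFFFFFF ^ int(ip_address(tokens[1])))  # IOS wildcard mask -> netmask
    return ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]

def parse_acls(cfg):
    """Map ACL number -> list of (src, dst) networks for its 'permit ip' entries."""
    acls = {}
    for m in re.finditer(r"^access-list (\d+) permit ip (.+)$", cfg, re.M):
        src, rest = _net(m.group(2).split())
        acls.setdefault(m.group(1), []).append((src, _net(rest)[0]))
    return acls

def acl_number(cfg, pattern):
    """ACL referenced by the crypto map ('match address') or by NAT ('ip nat inside source list')."""
    return re.search(pattern + r" (\d+)", cfg, re.M).group(1)

def check_site_pair(local_cfg, remote_cfg):
    """Return findings; empty means the crypto ACLs mirror each other and NAT leaves VPN traffic alone."""
    findings, local, remote = [], parse_acls(local_cfg), parse_acls(remote_cfg)
    vpn = local[acl_number(local_cfg, r"match address")]
    # 1. The peer's crypto ACL must be ours with src/dst swapped, or the phase-2 proxy IDs will not agree.
    mirrored = [(d, s) for s, d in remote[acl_number(remote_cfg, r"match address")]]
    if sorted(mirrored, key=str) != sorted(vpn, key=str):
        findings.append("crypto ACLs are not mirror images of each other")
    # 2. IOS translates inside->outside before the crypto map is checked: a VPN flow matched by the
    #    NAT ACL gets its source rewritten, no longer matches the crypto ACL and leaves unencrypted.
    for ns, nd in local[acl_number(local_cfg, r"ip nat inside source list")]:
        for cs, cd in vpn:
            if ns.overlaps(cs) and nd.overlaps(cd):
                findings.append(f"NAT ACL entry {ns}->{nd} overlaps VPN traffic {cs}->{cd}")
    return findings
```

Run it against the two excerpts and it returns no findings; widen R1's ACL 111 to `192.168.1.0 0.0.0.255 any` (the common "NAT everything" shortcut) and it reports the overlap.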
If you have any doubts, feel free to contact me at any time; I'll do my best to answer.
If anything in this lab is wrong, corrections are welcome. Thank you all.
The most basic configuration.