Lab objective:
Become familiar with how ××× works and be able to configure multi-site IPsec ××× on Cisco routers.
Lab topology and requirements:
Recommendations:
1. Routers can be emulated with a 7200; IOS image: unzip-c7200-advsecurityk9-mz.124-9.T1.bin
2. PCs can be implemented with emulated PCs
Requirements:
1. Achieve full network connectivity
2. Establish a ××× connection between the 50.50.50.0 and 60.60.60.0 subnets
3. Establish a ××× connection between the 50.50.50.0 and 70.70.70.0 subnets
Lab steps: [required]
Write up the steps of your lab work by category; text or watermarked screenshots may be used.
Configuration:
R1:
en
conf t
no ip domain-lo
host R1
int f1/0
ip add 50.50.50.50 255.255.255.0 //configure the interface IP
no sh
exit
int f0/0
ip add 192.168.10.1 255.255.255.0
no sh
exit
ip route 60.60.60.0 255.255.255.0 192.168.10.2 //static route to the 60 subnet
ip route 70.70.70.0 255.255.255.0 192.168.10.3
crypto isakmp policy 1 //configure the IKE policy and its priority
hash md5 //hash algorithm
encryption 3des //encryption algorithm
authentication pre-share //authenticate with a pre-shared key
exit
crypto isakmp key lolst address 192.168.10.2 //IKE pre-shared key for the given peer address
crypto ipsec transform-set lolst1 ah-md5-hmac esp-3des //AH MD5 authentication and ESP 3DES encryption
access-list 101 permit ip 50.50.50.0 0.0.0.255 60.60.60.0 0.0.0.255 //access list selecting the traffic to protect
crypto map share 1 ipsec-isakmp //crypto map and its sequence number
set peer 192.168.10.2 //peer address
set transform-set lolst1 //transform set to use
match address 101 //bind the access list
exit
crypto isakmp key plander address 192.168.10.3
crypto ipsec transform-set plander1 ah-md5-hmac esp-3des
access-list 102 permit ip 50.50.50.0 0.0.0.255 70.70.70.0 0.0.0.255
crypto map share 2 ipsec-isakmp
set peer 192.168.10.3
set transform-set plander1
match address 102
exit
int f0/0
crypto map share //apply the crypto map on the interface
end
-----------------------------------------
R2:
en
conf t
no ip domain-lo
host R2
int f1/0
ip add 60.60.60.60 255.255.255.0
no sh
exit
int f0/0
ip add 192.168.10.2 255.255.255.0
no sh
exit
ip route 50.50.50.0 255.255.255.0 192.168.10.1
ip route 70.70.70.0 255.255.255.0 192.168.10.3
crypto isakmp policy 1
hash md5
encryption 3des
authentication pre-share
exit
crypto isakmp key lolst address 192.168.10.1
crypto ipsec transform-set lolst1 ah-md5-hmac esp-3des
access-list 101 permit ip 60.60.60.0 0.0.0.255 50.50.50.0 0.0.0.255
crypto map share 1 ipsec-isakmp
set peer 192.168.10.1
set transform-set lolst1
match address 101
exit
int f0/0
crypto map share
end
-----------------------------------------
R3:
en
conf t
no ip domain-lo
host R3
int f1/0
ip add 70.70.70.70 255.255.255.0
no sh
exit
int f0/0
ip add 192.168.10.3 255.255.255.0
no sh
exit
ip route 60.60.60.0 255.255.255.0 192.168.10.2
ip route 50.50.50.0 255.255.255.0 192.168.10.1
crypto isakmp policy 1
hash md5
encryption 3des
authentication pre-share
exit
crypto isakmp key plander address 192.168.10.1
crypto ipsec transform-set plander1 ah-md5-hmac esp-3des
access-list 102 permit ip 70.70.70.0 0.0.0.255 50.50.50.0 0.0.0.255
crypto map share 2 ipsec-isakmp
set peer 192.168.10.1
set transform-set plander1
match address 102
exit
int f0/0
crypto map share
end
-----------------------------------------
PC1:
en
conf t
host pc1
no ip routing //disable routing so the device behaves as a host
no ip domain-lo
int f1/0
ip add 50.50.50.1 255.255.255.0
no sh
exit
ip default-gate 50.50.50.50 //default gateway
end
----------------------------------------
PC2:
en
conf t
host pc2
no ip routing
no ip domain-lo
int f1/0
ip add 60.60.60.1 255.255.255.0
no sh
exit
ip default-gate 60.60.60.60
end
----------------------------------------
PC3:
en
conf t
host pc3
no ip routing
no ip domain-lo
int f1/0
ip add 70.70.70.1 255.255.255.0
no sh
exit
ip default-gate 70.70.70.70
end
----------------------------------------
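As an added consistency check that is not part of this lab writeup: a small Python script that parses the crypto-related lines of the R1 and R2 configurations above (embedded as constructed excerpts covering only the R1–R2 tunnel) and verifies what must agree on both ends before the tunnel can negotiate: matching pre-shared keys, identical transform sets, and mirror-image crypto ACLs. It also lists the transforms this lab uses (MD5, 3DES) that current guidance replaces with SHA-2 HMAC and AES; the parser understands only the statement forms used in this lab, and the legacy list is my own.

```python
# Constructed excerpts of R1's and R2's configs from this lab (only the crypto and ACL lines).
R1_IP, R1_CFG = "192.168.10.1", """
crypto isakmp key lolst address 192.168.10.2
crypto ipsec transform-set lolst1 ah-md5-hmac esp-3des
access-list 101 permit ip 50.50.50.0 0.0.0.255 60.60.60.0 0.0.0.255
crypto map share 1 ipsec-isakmp
 set peer 192.168.10.2
 set transform-set lolst1
 match address 101
"""
R2_IP, R2_CFG = "192.168.10.2", """
crypto isakmp key lolst address 192.168.10.1
crypto ipsec transform-set lolst1 ah-md5-hmac esp-3des
access-list 101 permit ip 60.60.60.0 0.0.0.255 50.50.50.0 0.0.0.255
crypto map share 1 ipsec-isakmp
 set peer 192.168.10.1
 set transform-set lolst1
 match address 101
"""
def parse(cfg):  # pull out the items that must agree between IPsec peers (lab statement forms only)
    d = {"keys": {}, "tsets": {}, "acls": {}, "maps": []}
    for t in (line.split() for line in cfg.splitlines() if line.strip()):
        if t[:3] == ["crypto", "isakmp", "key"]:
            d["keys"][t[5]] = t[3]                  # peer address -> pre-shared key
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            d["tsets"][t[3]] = tuple(t[4:])         # set name -> (AH transform, ESP transform)
        elif t[0] == "access-list" and t[2] == "permit":
            d["acls"][t[1]] = tuple(t[4:8])         # number -> (src, wildcard, dst, wildcard)
        elif t[:2] == ["crypto", "map"] and len(t) > 3:
            d["maps"].append({})                    # start a new crypto map entry
        elif t[0] in ("set", "match") and d["maps"]:
            d["maps"][-1][t[1]] = t[2]              # peer / transform-set / address
    return d
def check_pair(a_ip, a_cfg, b_ip, b_cfg):  # mismatches that keep the A<->B tunnel from negotiating
    a, b = parse(a_cfg), parse(b_cfg)
    ma = next((m for m in a["maps"] if m.get("peer") == b_ip), None)
    mb = next((m for m in b["maps"] if m.get("peer") == a_ip), None)
    if ma is None or mb is None:
        return ["one side has no crypto map entry for the peer"]
    src, wsrc, dst, wdst = a["acls"][ma["address"]]
    checks = [
        (a["keys"].get(b_ip) != b["keys"].get(a_ip), "pre-shared keys differ"),
        (a["tsets"].get(ma["transform-set"]) != b["tsets"].get(mb["transform-set"]), "transform-sets differ"),
        ((dst, wdst, src, wsrc) != b["acls"][mb["address"]], "crypto ACLs are not mirror images"),
    ]
    return [msg for bad, msg in checks if bad]
LEGACY = {"ah-md5-hmac", "esp-md5-hmac", "esp-3des", "esp-des"}  # still accepted by IOS, superseded by SHA-2/AES
def legacy_algorithms(cfg):  # transforms in use that current guidance would replace
    return sorted({x for ts in parse(cfg)["tsets"].values() for x in ts if x in LEGACY})
```

The same check_pair call applies to the R1–R3 pair once R1's second crypto map entry and R3's excerpt are pasted in.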
View the IKE policy in use and describe its contents.
Router# show crypto isakmp policy
View the IPsec transform set, describe its contents, and state whether the current encapsulation is transport mode or tunnel mode.
Router# show crypto ipsec transform-set
View the active ISAKMP SA and analyze the ××× connection established with the peer.
Router# show crypto isakmp sa
View the active IPsec SAs and identify the traffic currently being encapsulated by the ×××.
Router# show crypto ipsec sa
Router# show crypto map
Discussion question:
How would you make all three sites communicate with each other over the ×××?
On router 2, configure it the same way as on router 1…