Cisco--IPSec-VPN-配置步骤详细介绍

long88417
3 ℃
2020-03-10

整理文档很辛苦，赏杯茶钱您下走！

还剩 ... 页未读，继续阅读 >>

免费阅读已结束，点击下载阅读编辑剩下 ... 页

阅读已结束，您可以下载文档离线阅读编辑

资源描述

Site-to-SiteVPN配置指南一．网络拓扑InternetRouterA192.168.1.0/24100.100.100.1/30200.200.200.1/30172.16.10.1/2450.50.50.1/3010.10.10.1/24RouterBRouterC二．路由器A的配置1.启用IKE:RouterA(config)#cryptoisakmpenable2.生成IKE策略：RouterA(config)#cryptoisakmppolicy10RouterA(config-isakmp)#authenticationpre-shareRouterA(config-isakmp)#encryptiondesRouterA(config-isakmp)#group1RouterA(config-isakmp)#hashshaRouterA(config-isakmp)#lifetime86400RouterA(config-isakmp)#exitRouterA(config)#cryptoisakmppolicy20RouterA(config-isakmp)#authenticationpre-shareRouterA(config-isakmp)#encryptiondesRouterA(config-isakmp)#group2RouterA(config-isakmp)#hashmd5RouterA(config-isakmp)#lifetime864003.配置ISAKMP身份：RouterA(config)#cryptoisakmpidentity{address|hostname}//默认是地址RouterA(config)#iphostRouterB.domain.com200.200.200.1//如是地址认证，不需要配置RouterA(config)#iphostRouterC.domain.com50.50.50.14.配置预共享密钥：RouterA(config)#cryptoisakmpkeycisco,123456address200.200.200.1RouterA(config)#cryptoisakmpkeycisco,654321address50.50.50.15.配置IPSec变换集：RouterA(config)#cryptoipsectransform-serToRouterBesp-sha-hmacesp-desRouterA(config)#cryptoipsectransform-serToRouterCesp-md5-hmacesp-3des6.配置全局IPSecSA生命期：RouterA(config)#cryptoipsecsecurity-associationlifetimeseconds3600RouterA(config)#cryptoipsecsecurity-associationlifetimekilobytes46080007.配置加密ACL：RouterA(config)#access-list110permitipsource192.168.1.00.0.0.255destination172.16.10.00.0.0.0.255RouterA(config)#access-list110denyanyanyRouterA(config)#access-list120permitipsource192.168.1.00.0.0.255destination10.10.10.00.0.0.255RouterA(config)#access-list120denyanyany8.配置加密映射：RouterA(config)#cryptomapDaDa5ipsec-isakmpRouterA(config-crypto-map)#matchaddress110RouterA(config-crypto-map)#setpeer200.200.200.1RouterA(config-crypto-map)#setpfsgroup1RouterA(config-crypto-map)#settransform-setToRouterBRouterA(config-crypto-map)#setsecurity-associationlifetime86400RouterA(config)#cryptomapDaDa15ipsec-isakmpRouterA(config-crypto-map)#matchaddress120RouterA(config-crypto-map)#setpeer50.50.50.1RouterA(config-crypto-map)#setpfsgroup2RouterA(config-crypto-map)#settransform-setToRouterCRouterA(config-crypto-map)#setsecurity-associationlifetime72009.应用加密映射到接口：RouterA(config)#inte0/0RouterA(config-if)#ipaddress100.100.100.1255.255.255.252RouterA(config-if)#cryptomapDaDa