PC address configuration
PC | IP address | Subnet mask | Gateway |
PC_0 | 172.16.1.1 | 255.255.255.0 | 172.16.1.2 |
PC_1 | 192.168.1.2 | 255.255.255.0 | 192.168.1.1 |
R0
Router>ena
Router#conf t
Router(config)#ip route 0.0.0.0 0.0.0.0 50.1.1.2
Router(config)#int f0/0
Router(config-if)#ip ad 172.16.1.2 255.255.255.0
Router(config-if)#no shu
Router(config-if)#int f0/1
Router(config-if)#ip ad 50.1.1.1 255.255.255.0
Router(config-if)#no shu
Router(config-if)#ex
Router(config)#crypto isakmp policy 10
Router(config-isakmp)#encryption des
Router(config-isakmp)#hash sha
Router(config-isakmp)#authentication pre-share
Router(config-isakmp)#group 2
Router(config-isakmp)#ex
Router(config)#crypto isakmp key 1 address 60.1.1.2
Router(config)#crypto ipsec transform-set good esp-3des esp-md5-hmac
Router(config)#ip access-list extended hello
Router(config-ext-nacl)#permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
Router(config-ext-nacl)#ex
Router(config)#crypto map crymap 10 ipsec-isakmp
Router(config-crypto-map)#set peer 60.1.1.2
Router(config-crypto-map)#set transform-set good
Router(config-crypto-map)#match address hello
Router(config-crypto-map)#int f0/1
Router(config-if)#crypto map crymap
Router(config-if)#ex
Router(config)#access-list 100 deny ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
Router(config)#access-list 100 permit ip any any
Router(config)#ip nat inside source list 100 interface f0/1 overload
Router(config)#int f0/0
Router(config-if)#ip nat inside
Router(config-if)#int f0/1
Router(config-if)#ip nat out
Plain-text configuration
ena
conf t
ip route 0.0.0.0 0.0.0.0 50.1.1.2
int f0/0
ip ad 172.16.1.2 255.255.255.0
no shu
int f0/1
ip ad 50.1.1.1 255.255.255.0
no shu
ex
crypto isakmp policy 10
encryption des
hash sha
authentication pre-share
group 2
ex
crypto isakmp key 1 address 60.1.1.2
crypto ipsec transform-set good esp-3des esp-md5-hmac
ip access-list extended hello
permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
ex
crypto map crymap 10 ipsec-isakmp
set peer 60.1.1.2
set transform-set good
match address hello
int f0/1
crypto map crymap
ex
access-list 100 deny ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip any any
ip nat inside source list 100 interface f0/1 overload
int f0/0
ip nat inside
int f0/1
ip nat out
R1
Router>ena
Router#conf t
Router(config)#int f0/0
Router(config-if)#ip ad 50.1.1.2 255.255.255.0
Router(config-if)#no shu
Router(config-if)#int f0/1
Router(config-if)#ip ad 60.1.1.1 255.255.255.0
Router(config-if)#no shu
Plain-text configuration
ena
conf t
int f0/0
ip ad 50.1.1.2 255.255.255.0
no shu
int f0/1
ip ad 60.1.1.1 255.255.255.0
no shu
R2
Router>ena
Router#conf t
Router(config)#int f0/1
Router(config-if)#ip ad 60.1.1.2 255.255.255.0
Router(config-if)#no shu
Router(config-if)#int f0/0
Router(config-if)#ip ad 192.168.1.1 255.255.255.0
Router(config-if)#no shu
Router(config-if)#ex
Router(config)#ip route 0.0.0.0 0.0.0.0 60.1.1.1
Router(config)#crypto isakmp policy 10
Router(config-isakmp)#encryption des
Router(config-isakmp)#hash sha
Router(config-isakmp)#authentication pre-share
Router(config-isakmp)#group 2
Router(config-isakmp)#ex
Router(config)#crypto isakmp key 1 address 50.1.1.1
Router(config)#crypto ipsec transform-set good esp-3des esp-md5-hmac
Router(config)#ip access-list extended hello
Router(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
Router(config-ext-nacl)#ex
Router(config)#crypto map crymap 10 ipsec-isakmp
Router(config-crypto-map)#set peer 50.1.1.1
Router(config-crypto-map)#set transform-set good
Router(config-crypto-map)#match address hello
Router(config-crypto-map)#int f0/1
Router(config-if)#crypto map crymap
Router(config-if)#ex
Router(config)#access-list 100 deny ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
Router(config)#access-list 100 permit ip any any
Router(config)#ip nat inside source list 100 interface f0/1 overload
Router(config)#int f0/1
Router(config-if)#ip nat out
Router(config-if)#int f0/0
Router(config-if)#ip nat inside
Plain-text configuration
ena
conf t
int f0/1
ip ad 60.1.1.2 255.255.255.0
no shu
int f0/0
ip ad 192.168.1.1 255.255.255.0
no shu
ex
ip route 0.0.0.0 0.0.0.0 60.1.1.1
crypto isakmp policy 10
encryption des
hash sha
authentication pre-share
group 2
ex
crypto isakmp key 1 address 50.1.1.1
crypto ipsec transform-set good esp-3des esp-md5-hmac
ip access-list extended hello
permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
ex
crypto map crymap 10 ipsec-isakmp
set peer 50.1.1.1
set transform-set good
match address hello
int f0/1
crypto map crymap
ex
access-list 100 deny ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 100 permit ip any any
ip nat inside source list 100 interface f0/1 overload
int f0/1
ip nat out
int f0/0
ip nat inside
Ping test: if the first ping fails, ping a second time.
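
Added example (not part of the original page): a Python check that the R0 and R2 configurations above agree with each other, that is, each set peer and key address points at the other router's f0/1 address, the hello crypto ACLs mirror each other, and ACL 100 exempts tunnel traffic from NAT before permit ip any any. The function names and the trimmed config strings are assumptions made for this example.

```python
import re

# Constructed input: the tunnel-related lines of the page's R0 and R2 configs.
R0 = """int f0/1
ip ad 50.1.1.1 255.255.255.0
crypto isakmp key 1 address 60.1.1.2
permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
set peer 60.1.1.2
access-list 100 deny ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip any any"""
R2 = """int f0/1
ip ad 60.1.1.2 255.255.255.0
crypto isakmp key 1 address 50.1.1.1
permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
set peer 50.1.1.1
access-list 100 deny ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 100 permit ip any any"""

def parse(cfg):
    """Extract the values that the two tunnel endpoints must agree on."""
    find = lambda pat: re.search(pat, cfg, re.M)
    return {
        "outside": find(r"^int f0/1\nip ad (\S+)").group(1),
        "peer": find(r"^set peer (\S+)").group(1),
        "key": find(r"^crypto isakmp key (\S+) address (\S+)").groups(),
        "crypto_acl": find(r"^permit ip (\S+ \S+) (\S+ \S+)$").groups(),
        "nat_acl": re.findall(r"^access-list 100 (\w+) ip (.+)$", cfg, re.M),
    }

def check_pair(cfg_a, cfg_b):
    """Return the mismatches between two peers; an empty list means consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    for name, me, other in (("A", a, b), ("B", b, a)):
        if me["peer"] != other["outside"] or me["key"][1] != other["outside"]:
            problems.append(f"{name}: peer or key address is not the other outside IP")
        # The deny for tunnel traffic must come before 'permit ip any any',
        # otherwise the packet is translated and no longer matches the crypto ACL.
        if me["nat_acl"][:1] != [("deny", " ".join(me["crypto_acl"]))]:
            problems.append(f"{name}: tunnel traffic is not exempted from NAT first")
    if a["crypto_acl"] != b["crypto_acl"][::-1]:
        problems.append("crypto ACLs are not mirror images of each other")
    if a["key"][0] != b["key"][0]:
        problems.append("pre-shared keys differ")
    return problems

if __name__ == "__main__":
    print(check_pair(R0, R2) or "R0 and R2 are consistent")
```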