【直接使用 IPsec VPN 互通】前提：已按文末“预配”完成基础配置，且 R2 与 R3 的公网地址（12.1.1.2 / 13.1.1.3）可以互通。本节与下面的 GRE + IPsec 方案二选一：不要在同一台设备上既在公网接口挂 crypto map，又在 Tunnel0 上启用 tunnel protection。
R2
configure terminal
// ---- IKE phase 1 (ISAKMP) policy; R3 must carry an identical policy ----
crypto isakmp policy 10 //priority: the lowest number is evaluated first
encryption aes //symmetric cipher protecting the IKE SA (AES is symmetric, not asymmetric); device support varies
hash md5 //integrity/PRF hash; the default SHA-1 is not displayed in show run. NOTE(review): MD5 is deprecated, prefer sha256 on both peers
authentication pre-share //authenticate the peers with a pre-shared key
group 5 //Diffie-Hellman group 5 (1536-bit); most IOS images support 1, 2 and 5. NOTE(review): weak by current guidance, prefer group 14 or higher on both peers
lifetime 3600 //IKE SA lifetime in seconds
exit
// ---- pre-shared key bound to the peer's public address (R3 Ethernet0/2) ----
// The "6" is the stored-key format (0 = plaintext, 6 = type-6 AES encrypted), not a security level.
// Type-6 storage only takes effect once `key config-key password-encryption` and
// `password encryption aes` are configured - check show run to confirm the key is not kept in clear.
// "CCIE" is a lab value: in production use a long random secret, and a different one per peer.
// The address is always the IKE peer's public IP; even when this key is reused for the
// GRE-over-IPsec variant it stays the tunnel destination, never the 10.1.1.x tunnel address.
// This completes phase 1 (the six main-mode messages).
crypto isakmp key 6 CCIE address 13.1.1.3
// ---- interesting traffic: LAN to LAN; mirrored on R3 and matching the NAT-exempt deny in ACL 100 ----
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
// ---- IKE phase 2 (IPsec) proposal ----
crypto ipsec transform-set MYSET esp-aes esp-md5-hmac //ESP with AES and HMAC-MD5. NOTE(review): prefer esp-sha256-hmac on both peers
mode tunnel //tunnel mode: the whole original IP packet is encapsulated and carried directly across the Internet (transport mode is reserved for the GRE variant)
exit
// ---- crypto map: ties peer, proposal and interesting traffic together ----
crypto map MYMAP 10 ipsec-isakmp
set peer 13.1.1.3
set transform-set MYSET
match address 101
exit
// Apply on the public-facing interface. No inbound ACL is shown on this interface; in production
// restrict inbound traffic on it to UDP/500, UDP/4500 and ESP from the peer.
interface Ethernet0/1
crypto map MYMAP
end
write memory
R3
configure terminal
// ---- IKE phase 1 policy: must match R2's cipher, hash, authentication and DH group ----
crypto isakmp policy 10
encryption aes
hash md5 //NOTE(review): deprecated hash, prefer sha256 on both peers
authentication pre-share
group 5 //NOTE(review): prefer DH group 14 or higher on both peers
lifetime 3600
exit
// Same pre-shared key as R2, bound to R2's public address (Ethernet0/1).
// "6" is the stored-key format (type-6 AES), not a security level; it needs
// `key config-key password-encryption` + `password encryption aes` to actually encrypt the key.
// "CCIE" is a lab value - use a long random secret in production.
crypto isakmp key 6 CCIE address 12.1.1.2
// Interesting traffic is the exact mirror of R2's ACL 101 (source and destination swapped)
// and matches the NAT-exempt deny in ACL 100 of the pre-config.
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
// ---- IKE phase 2 proposal, identical to R2 ----
crypto ipsec transform-set MYSET esp-aes esp-md5-hmac //NOTE(review): prefer esp-sha256-hmac on both peers
mode tunnel
exit
// ---- crypto map pointing at R2's public address ----
crypto map MYMAP 10 ipsec-isakmp
set peer 12.1.1.2
set transform-set MYSET
match address 101
exit
// R3's public-facing interface; as on R2, no inbound ACL is shown - in production limit
// inbound traffic here to UDP/500, UDP/4500 and ESP from the peer.
interface Ethernet0/2
crypto map MYMAP
end
write memory
//show crypto isakmp sa 查看第一阶段（IKE SA）状态：第一阶段完成对等体认证并通过 DH 协商出密钥（SA = 安全关联）
state:QM_IDLE 表示 IKE SA 已建立并处于空闲，可随时进行快速模式（Quick Mode，即第二阶段）协商；若停留在 MM_NO_STATE、MM_KEY_EXCH 等状态说明第一阶段未完成，通常是策略、预共享密钥或对端地址不匹配
conn-id status:1002 active（conn-id 用于区分不同隧道/对等体；active 表示该 SA 正常可用）
//show crypto ipsec sa 查看第二阶段（IPsec SA）信息：确认 #pkts encaps / #pkts decaps 计数双向增长，才说明感兴趣流确实被加密转发
【GRE VPN + IPsec 加密】前提同上（已完成“预配”且公网互通），与上一节二选一。GRE 隧道承载私网路由协议（EIGRP 需要组播）和私网流量，IPsec 通过 tunnel protection 对离开 Tunnel0 的全部流量加密，因此本方案不再需要感兴趣流 ACL 和 crypto map。
R2
configure terminal
// ---- GRE tunnel between the two public addresses; carries the private LANs and the routing protocol ----
interface Tunnel0
tunnel source Ethernet0/1
tunnel destination 13.1.1.3 //R3's public address
ip address 10.1.1.2 255.255.255.0
exit
// Routing over the tunnel: EIGRP here (a static route pointing at Tunnel0 works just as well).
// Classful network statements: 10.0.0.0 covers the tunnel, 192.168.1.0 the local LAN.
router eigrp 23
network 192.168.1.0
network 10.0.0.0
exit
// ---- IKE phase 1, same policy as in the plain IPsec variant; R3 must match ----
crypto isakmp policy 10
encryption aes
hash md5 //NOTE(review): deprecated, prefer sha256 on both peers
authentication pre-share
group 5 //NOTE(review): prefer DH group 14 or higher on both peers
lifetime 3600
exit
// The IKE peer identity is the tunnel destination, i.e. R3's public address - not the
// 10.1.1.x tunnel address. "6" is the stored-key format, "CCIE" a lab-only secret.
crypto isakmp key 6 CCIE address 13.1.1.3
// Transport mode: the GRE packet already carries the outer public IP header, so IPsec
// protects the GRE payload without adding a second tunnel header.
crypto ipsec transform-set MYSET esp-aes esp-md5-hmac //NOTE(review): prefer esp-sha256-hmac on both peers
mode transport
exit
// Profile + tunnel protection replace the crypto map and interesting-traffic ACL: everything that
// leaves Tunnel0 (LAN traffic and EIGRP hellos alike) is encrypted. If the crypto map from the
// plain IPsec variant is still applied on Ethernet0/1, remove it first - the two are alternatives.
crypto ipsec profile MYPROFILE
set transform-set MYSET
exit
interface Tunnel0
tunnel protection ipsec profile MYPROFILE
end
write memory
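R3
configure terminal
// ---- GRE tunnel towards R2's public address ----
interface Tunnel0
tunnel source Ethernet0/2
tunnel destination 12.1.1.2 //R2's public address
ip address 10.1.1.3 255.255.255.0
exit
// Routing over the tunnel (a static route pointing at Tunnel0 works just as well).
// FIX: R3's LAN is 192.168.2.0/24 (Ethernet0/0 in the pre-config), so that is the network to
// advertise. With `network 192.168.1.0` R3 has no matching interface, never advertises its LAN,
// and R2 would send 192.168.2.0 traffic to its default route (and out to the Internet unencrypted,
// since the NAT-exempt ACL drops it from translation) instead of into the tunnel.
router eigrp 23
network 192.168.2.0
network 10.0.0.0
exit
// ---- IKE phase 1, must match R2 ----
crypto isakmp policy 10
encryption aes
hash md5 //NOTE(review): deprecated, prefer sha256 on both peers
authentication pre-share
group 5 //NOTE(review): prefer DH group 14 or higher on both peers
lifetime 3600
exit
// The IKE peer identity is the tunnel destination, i.e. R2's public address - not the
// 10.1.1.x tunnel address. "6" is the stored-key format, "CCIE" a lab-only secret.
crypto isakmp key 6 CCIE address 12.1.1.2
// Transport mode: the GRE packet already carries the outer IP header.
crypto ipsec transform-set MYSET esp-aes esp-md5-hmac //NOTE(review): prefer esp-sha256-hmac on both peers
mode transport
exit
// Profile + tunnel protection encrypt everything leaving Tunnel0; no crypto map / ACL needed.
// If the crypto map from the plain IPsec variant is still applied on Ethernet0/2, remove it first.
crypto ipsec profile MYPROFILE
set transform-set MYSET
exit
interface Tunnel0
tunnel protection ipsec profile MYPROFILE
end
write memory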
（预配：R1 模拟运营商/公网路由器，R2、R3 是两个站点的出口路由器并对普通上网流量做 PAT，R4、R5 是两端局域网里的主机。无论采用上面哪种方案，都先完成本段配置。）
R2
configure terminal
interface Ethernet0/0 //LAN side, default gateway of the 192.168.1.0/24 hosts
ip address 192.168.1.254 255.255.255.0
no shutdown
interface Ethernet0/1 //public side
ip address 12.1.1.2 255.255.255.0
no shutdown
exit
ip route 0.0.0.0 0.0.0.0 12.1.1.1 //default route towards R1 (the "ISP")
// NAT exemption: site-to-site traffic must NOT be translated, otherwise its source would already
// be 12.1.1.2 when it reaches the crypto map and ACL 101 would never match. The deny must come
// before the permit any any.
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip any any
ip nat inside source list 100 interface Ethernet0/1 overload //PAT behind the public address
interface Ethernet0/0
ip nat inside
interface Ethernet0/1
ip nat outside
end
write memory
R3
configure terminal
interface Ethernet0/0 //LAN side, default gateway of the 192.168.2.0/24 hosts
ip address 192.168.2.254 255.255.255.0
no shutdown
interface Ethernet0/2 //public side
ip address 13.1.1.3 255.255.255.0
no shutdown
exit
ip route 0.0.0.0 0.0.0.0 13.1.1.1 //default route towards R1 (the "ISP")
// NAT exemption, mirror of R2: keep the site-to-site traffic out of PAT so the crypto ACL
// still sees the private source address. The deny must precede the permit any any.
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip any any
ip nat inside source list 100 interface Ethernet0/2 overload //PAT behind the public address
interface Ethernet0/0
ip nat inside
interface Ethernet0/2
ip nat outside
end
write memory
R1
configure terminal
// Transit router standing in for the ISP: only the two directly connected public links,
// no routing protocol and no knowledge of the private 192.168.x.0 networks.
interface Ethernet0/1 //link to R2
ip address 12.1.1.1 255.255.255.0
no shutdown
interface Ethernet0/2 //link to R3
ip address 13.1.1.1 255.255.255.0
no shutdown
end
write memory
R4
configure terminal
// Router used as an end host on site 1: IP routing disabled, default gateway is R2's LAN interface
no ip routing
ip default-gateway 192.168.1.254
interface Ethernet0/0
ip address 192.168.1.4 255.255.255.0
no shutdown
end
write memory
R5
configure terminal
// Router used as an end host on site 2: IP routing disabled, default gateway is R3's LAN interface
no ip routing
ip default-gateway 192.168.2.254
interface Ethernet0/0
ip address 192.168.2.5 255.255.255.0
no shutdown
end
write memory