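This article shows how to configure IPSec VPN on Cisco routers and ASA hardware firewalls. Readers who have not configured one before can follow along.
IPsec VPN
An IPSec VPN is a VPN technology that uses the IPSec protocol for remote access. IPSec stands for Internet Protocol Security, a security standards framework defined by the Internet Engineering Task Force (IETF) that provides end-to-end encryption and authentication services for public and private networks.
What are the configuration steps for a Cisco IPSec VPN? See below; the material mainly covers IPSec VPN on Cisco routers and ASA hardware firewalls. Feel free to reuse it if you find it useful.
1. Lab topology:
2. Lab requirements:
Make sure routing at both sites works.
Configure a VPN between site A and site B so that the company's networks are connected across the Internet.
3. Lab configuration:
Full configuration of R1: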
r1#show running-config
Building configuration...
Current configuration : 597 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname r1
!
!
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
interface FastEthernet0/0
ip address 192.168.2.3 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.0.1 255.255.255.0
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 192.168.1.0 255.255.255.0 192.168.2.1
ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
Full configuration of siteA:
siteA# show running-config
Building configuration...
Current configuration : 1184 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname siteA
!
!
!
!
!
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp key cisco address 61.128.1.1
!
!
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
!
crypto map map 10 ipsec-isakmp
set peer 61.128.1.1
set transform-set cisco
match address vpn
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
interface FastEthernet0/0
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 202.100.1.1 255.255.255.0
crypto map map
!
interface Serial0/0/1
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 202.100.1.10
ip route 192.168.0.0 255.255.255.0 192.168.2.3
ip route 192.168.1.0 255.255.255.0 202.100.1.10
!
!
ip access-list extended vpn
permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
Full configuration of Internet:
Internet#show running-config
Building configuration...
Current configuration : 708 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Internet
!
!
!
!
!
!
!
!
!
!
!
!
license udi pid CISCO2901/K9 sn FTX15245R08
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 202.100.1.10 255.255.255.0
clock rate 64000
!
interface Serial0/0/1
ip address 61.128.1.10 255.255.255.0
clock rate 64000
!
interface Vlan1
no ip address
shutdown
!
ip classless
!
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
Full configuration of siteB:
siteB#show running-config
Building configuration...
Current configuration : 1183 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname siteB
!
!
!
!
!
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp key cisco address 202.100.1.1
!
!
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
!
crypto map map 10 ipsec-isakmp
set peer 202.100.1.1
set transform-set cisco
match address vpn
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
no ip address
shutdown
!
interface Serial0/0/1
ip address 61.128.1.1 255.255.255.0
crypto map map
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 61.128.1.10
ip route 192.168.0.0 255.255.255.0 61.128.1.10
ip route 192.168.2.0 255.255.255.0 61.128.1.10
!
!
ip access-list extended vpn
permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
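The siteA and siteB listings only form a tunnel when their ISAKMP policies match and their crypto ACLs mirror each other, and both use 3DES, MD5 and DH group 2. The following check is an added example, not part of the original article: `parse` and `audit` are hypothetical helper names, the excerpts are constructed from the two listings, and the weak-value list is an assumption reflecting the general deprecation of DES/3DES, MD5 and DH groups 1, 2 and 5.

```python
import re

# Assumption: values treated as deprecated for IKE phase 1 (DES/3DES, MD5, DH groups 1/2/5).
WEAK = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}

# Constructed excerpts: ISAKMP policy and crypto ACL lines from the siteA/siteB listings.
SITE_A = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 group 2
ip access-list extended vpn
 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
SITE_B = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 group 2
ip access-list extended vpn
 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""

def parse(cfg):
    """Return (phase-1 parameters, set of (source, destination) crypto ACL entries)."""
    p1 = dict(re.findall(r"^\s*(encr|hash|group) (\S+)", cfg, re.M))
    acl = set(re.findall(r"^\s*permit ip (\S+ \S+) (\S+ \S+)", cfg, re.M))
    return p1, acl

def audit(cfg_a, cfg_b):
    """Compare two peer configs; return a list of findings (empty means none)."""
    (p1_a, acl_a), (p1_b, acl_b) = parse(cfg_a), parse(cfg_b)
    findings = []
    if p1_a != p1_b:
        findings.append("phase-1 policy mismatch")
    if acl_a != {(dst, src) for src, dst in acl_b}:
        findings.append("crypto ACLs are not mirror images")
    for key, value in sorted(p1_a.items()):
        if value in WEAK[key]:
            findings.append(f"weak {key}: {value}")
    return findings

if __name__ == "__main__":
    for finding in audit(SITE_A, SITE_B):
        print(finding)
```

On the lab configs the two peers agree with each other, so the only findings are the three weak phase-1 values.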
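That is the Cisco IPSec VPN configuration process. Thanks for reading; we hope it helps. Please keep following us, and we will do our best to share more good articles.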