Configuring IPsec on Cisco Routers
Topology:
Phase 1 (ISAKMP) configuration
ZB(config)#crypto isakmp policy 1
# Authentication method: pre-shared key
ZB(config-isakmp)#authentication pre-share
# Encryption algorithm: 3DES
ZB(config-isakmp)#encryption 3des
# Integrity (hash) algorithm: MD5
ZB(config-isakmp)#hash md5
# Diffie-Hellman group 2
ZB(config-isakmp)#group 2
# Lifetime of the SA once it is established and no data is being transmitted
ZB(config-isakmp)#lifetime 3600
ZB(config-isakmp)#
ZB(config)#crypto isakmp key admin address 2.2.2.1
ZB(config)#
----------------------------------------------------------
Phase 2 (IPsec) configuration
ZB(config)#crypto ipsec transform-set vpn ah-sha-hmac esp-3des
ZB(config)#crypto map cisco 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
ZB(config-crypto-map)#set peer 2.2.2.1
ZB(config-crypto-map)#set transform-set vpn
ZB(config-crypto-map)#match address 101
ZB(config-crypto-map)#
ZB(config)#access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
----------------------------------------------------------
Apply the crypto map to interface fa0/0
ZB(config)#inter fa0/0
ZB(config-if)#crypto map cisco
*Jan  3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
ZB(config-if)#
On the other router (FB), apply the same configuration as on ZB.
The ISP router only needs its interface IP addresses configured; on R1 and R2, add a static route that hands traffic off to the ISP.
Then run tracert 192.168.2.2 on PC1:
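As an added check that is not part of the original post: a small Python audit that parses the crypto-relevant lines of the ZB and FB running configs shown in this post (embedded below as constructed sample input) and reports ISAKMP policy algorithms that are no longer considered strong (DES/3DES, MD5, DH groups 1, 2 and 5), a pre-shared-key address that differs from the crypto-map peer, and a crypto ACL that is not the mirror image of the peer's ACL. The `WEAK` table and the `parse` and `audit` functions are my own names, not an IOS feature.

```python
import re

# Constructed sample input: the crypto-relevant lines of the ZB and FB running
# configs shown in this post (interfaces, routes and other lines omitted).
ZB_CFG = """crypto isakmp policy 1
 encr 3des
 hash md5
 group 2
crypto isakmp key admin address 2.2.2.1
crypto map cisco 1 ipsec-isakmp
 set peer 2.2.2.1
 match address 101
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255"""
FB_CFG = """crypto isakmp policy 1
 encr 3des
 hash md5
 group 2
crypto isakmp key admin address 1.1.1.1
crypto map cisco 1 ipsec-isakmp
 set peer 1.1.1.1
 match address 101
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255"""

# ISAKMP algorithms IOS still accepts but that are no longer considered strong (my own table).
WEAK = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}

def grab(pattern, cfg):
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None

def parse(cfg):
    """Extract the fields the peer consistency check needs from a running config."""
    f = {k: grab(r"^ %s (\S+)" % k, cfg) for k in ("encr", "hash", "group")}
    f["key_peer"] = grab(r"^crypto isakmp key \S+ address (\S+)", cfg)
    f["map_peer"] = grab(r"^ set peer (\S+)", cfg)
    acl = grab(r"^ match address (\S+)", cfg)
    m = re.search(r"^access-list %s permit ip (\S+ \S+) (\S+ \S+)" % acl, cfg, re.M)
    f["acl"] = (m.group(1), m.group(2)) if m else None  # (source, destination)
    return f

def audit(local, remote):
    """Return findings for the local side; an empty list means nothing was flagged."""
    a, b = parse(local), parse(remote)
    findings = [f"weak {k} {a[k]} in ISAKMP policy" for k, w in WEAK.items() if a[k] in w]
    if a["key_peer"] != a["map_peer"]:
        findings.append("pre-shared key address does not match crypto map peer")
    # The peer's crypto ACL must be the exact mirror image (source/destination swapped).
    if a["acl"] and b["acl"] and a["acl"] != (b["acl"][1], b["acl"][0]):
        findings.append("crypto ACL is not the mirror image of the peer's ACL")
    return findings
```

On the two configs from this post, audit(ZB_CFG, FB_CFG) flags 3DES, MD5 and DH group 2; a wildcard-mask or peer-address slip on either side also shows up as a mirror or peer finding.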
PC>tracert 192.168.2.2
Tracing route to 192.168.2.2 over a maximum of 30 hops:
  1   0 ms      1 ms      0 ms      192.168.1.1
  2   *         *         *         Request timed out.
  3   0 ms      0 ms      0 ms      192.168.2.2
Trace complete.
View the phase 1 SA on router ZB:
ZB#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
2.2.2.1         1.1.1.1         QM_IDLE           1028    0 ACTIVE
IPv6 Crypto ISAKMP SA
----------------------------------------------------------
View the phase 2 SAs:
ZB#show crypto ipsec sa
interface: FastEthernet0/0
    Crypto map tag: cisco, local addr 1.1.1.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 2.2.2.1 port 500
    PERMIT, flags={origin_is_acl,}
   #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
   #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
   #pkts compressed: 0, #pkts decompressed: 0
   #pkts not compressed: 0, #pkts compr. failed: 0
   #pkts not decompressed: 0, #pkts decompress failed: 0
   #send errors 1, #recv errors 0
     local crypto endpt.: 1.1.1.1, remote crypto endpt.:2.2.2.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x19EE6B60(435055456)
     inbound esp sas:
      spi: 0x05CF1BA1(97459105)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        conn id: 2006, flow_id: FPGA:1, crypto map: cisco
        sa timing: remaining key lifetime (k/sec): (4525504/3132)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
      spi: 0x77772C45(2004298821)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2006, flow_id: FPGA:1, crypto map: cisco
        sa timing: remaining key lifetime (k/sec): (4525504/3132)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound pcp sas:
     outbound esp sas:
      spi: 0x19EE6B60(435055456)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        conn id: 2007, flow_id: FPGA:1, crypto map: cisco
        sa timing: remaining key lifetime (k/sec): (4525504/3132)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
      spi: 0x7D8B6D32(2106289458)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2007, flow_id: FPGA:1, crypto map: cisco
        sa timing: remaining key lifetime (k/sec): (4525504/3132)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound pcp sas:
Divider: since files cannot be uploaded to this blog, the full configurations are pasted below instead.
----------------------------------------------------------------------------------------------
ZB#sh run
Building configuration...
Current configuration : 915 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname ZB
!
!
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp key admin address 2.2.2.1
!
!
crypto ipsec transform-set vpn ah-sha-hmac esp-3des
!
crypto map cisco 1 ipsec-isakmp
 set peer 2.2.2.1
 set transform-set vpn
 match address 101
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map cisco
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.1.2
!
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end
----------------------------------------------------------------------------------------------
ISP#sh run
Building configuration...
Current configuration : 504 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname ISP
!
!
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
interface FastEthernet0/0
 ip address 1.1.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 2.2.2.2 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end
----------------------------------------------------------------------------------------------
FB#sh run
Building configuration...
Current configuration : 915 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname FB
!
!
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp key admin address 1.1.1.1
!
!
crypto ipsec transform-set vpn ah-sha-hmac esp-3des
!
crypto map cisco 1 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set vpn
 match address 101
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
interface FastEthernet0/0
 ip address 2.2.2.1 255.255.255.0
 duplex auto
 speed auto
 crypto map cisco
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 2.2.2.2
!
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end
----------------------------------------------------------------------------------------------