ipsec *** 多对等体
實驗拓撲:
---------------------R1------------------------------------------------------
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key root address 30.1.1.1 255.255.255.0
crypto isakmp key cisco address 20.1.1.1 255.255.255.0
!
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
!
crypto map smap 10 ipsec-isakmp
set peer 20.1.1.1
set transform-set trans
match address ***a
crypto map smap 20 ipsec-isakmp
set peer 30.1.1.1
set transform-set trans
match address ***b
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
speed 100
full-duplex
crypto map smap
!
ip route 0.0.0.0 0.0.0.0 10.1.1.10
!
ip access-list extended ***a
permit ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
ip access-list extended ***b
permit ip 1.1.1.0 0.0.0.255 4.4.4.0 0.0.0.255
---------------------------R2------------------------------
interface FastEthernet0/0
?ip address 20.1.1.10 255.255.255.0
!
interface FastEthernet0/1
?ip address 30.1.1.10 255.255.255.0
!
interface FastEthernet1/0
?ip address 10.1.1.10 255.255.255.0
?
----------------------ASA1------------------------------------
interface GigabitEthernet0
?nameif outside
?security-level 0
?ip address 20.1.1.1 255.255.255.0
!
interface GigabitEthernet1
?nameif inside
?security-level 100
?ip address 192.168.3.1 255.255.255.0
!
access-list ***a extended permit ip 3.3.3.0 255.255.255.0 1.1.1.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 20.1.1.10 1
route inside 0.0.0.0 0.0.0.0 192.168.3.3 tunneled
crypto ipsec ikev1 transform-set trans esp-des esp-md5-hmac
crypto map smap 10 match address ***a
crypto map smap 10 set peer 10.1.1.1
crypto map smap 10 set ikev1 transform-set trans
crypto map smap interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
?authentication pre-share
?encryption des
?hash md5
?group 2
?lifetime 86400
tunnel-group 10.1.1.1 type ipsec-l2l
tunnel-group 10.1.1.1 ipsec-attributes
?ikev1 pre-shared-key cisco
------------------------------ASA2-------------------------------
interface GigabitEthernet0
?nameif outside
?security-level 0
?ip address 30.1.1.1 255.255.255.0
!
interface GigabitEthernet1
?nameif inside
?security-level 100
?ip address 192.168.4.1 255.255.255.0
!
access-list ***b extended permit ip 4.4.4.0 255.255.255.0 1.1.1.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 30.1.1.10 1
route inside 0.0.0.0 0.0.0.0 192.168.4.4 tunneled
crypto ipsec ikev1 transform-set trans esp-des esp-md5-hmac
crypto map smap 10 match address ***b
crypto map smap 10 set peer 10.1.1.1
crypto map smap 10 set ikev1 transform-set trans
crypto map smap interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
?authentication pre-share
?encryption des
?hash md5
?group 2
?lifetime 86400
no threat-detection statistics tcp-intercept
tunnel-group 10.1.1.1 type ipsec-l2l
tunnel-group 10.1.1.1 ipsec-attributes
?ikev1 pre-shared-key root
--------------------R3-------------------------------
interface Loopback0
ip address 3.3.3.3 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.3.3 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.3.1
-------------------------R4----------------------
interface Loopback0
?ip address 4.4.4.4 255.255.255.0
!
interface FastEthernet0/0
?ip address 192.168.4.4 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.4.1
轉載于:https://blog.51cto.com/692344/1032959
總結
以上是生活随笔為你收集整理的ipsec *** 多对等体的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: 怎么做黄金交易
- 下一篇: Linux+Apache+Postgre