CCNP Lab: IPsec Encryption of GRE Tunnel Traffic

Source: Cisco Certification    Published: 2012-11-09

  Configuration on R2:
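  ! IKE phase 1: AES, pre-shared key, DH group 2, SHA
  crypto isakmp enable
  crypto isakmp identity address
  crypto isakmp policy 10
  encryption aes
  authentication pre-share
  group 2
  hash sha
  exit
  ! Pre-shared key for the peer 192.1.1.40
  crypto isakmp key cisco123 address 192.1.1.40 no-xauth
  ! Crypto ACL: select the GRE packets between the two tunnel endpoints
  ip access-list extended ToR1
  permit gre host 192.1.1.20 host 192.1.1.40
  exit
  ! IPsec phase 2: ESP with AES and SHA-HMAC, in transport mode
  crypto ipsec transform-set trans esp-aes esp-sha-hmac
  mode transport
  exit
  ! Crypto map: tie the ACL, the transform set and the peer together
  crypto map mymap 10 ipsec-isakmp
  match address ToR1
  set transform-set trans
  set peer 192.1.1.40
  exit
  ! Apply the crypto map to the outside interface
  interface s1/0
  crypto map mymap
  exit
  ! Remove the entry that permitted GRE from 192.1.1.40 in the perimeter ACL
  ip access-list extended perimeter
  no permit gre host 192.1.1.40 host 192.1.1.20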
  Testing the lab results:
  r1#sh ip route
  Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
  D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
  N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
  E1 - OSPF external type 1, E2 - OSPF external type 2
  i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
  ia - IS-IS inter area, * - candidate default, U - per-user static route
  o - ODR, P - periodic downloaded static route
  Gateway of last resort is 192.1.1.20 to network 0.0.0.0
  C 192.1.1.0/24 is directly connected, Serial1/1
  C 192.168.1.0/24 is directly connected, Loopback0
   192.168.2.0/32 is subnetted, 1 subnets
  O 192.168.2.1 [110/11112] via 192.168.3.2, 00:00:17, Tunnel0
  C 192.168.3.0/24 is directly connected, Tunnel0
  S* 0.0.0.0/0 [1/0] via 192.1.1.20
  Ping PC2 from R1:
  r1#ping 192.168.2.1
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
  !!!!!
  Success rate is 100 percent (5/5), round-trip min/avg/max = 36/56/84 ms
  Ping PC2 from PC1:
  r1#ping 192.168.2.1 source lo0
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
  Packet sent with a source address of 192.168.1.1
  !!!!!
  Success rate is 100 percent (5/5), round-trip min/avg/max = 36/55/104 ms
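  As shown, whether the traffic goes from PC1 to PC2 or from R1 to PC2, as long as it passes through the tunnel it is encapsulated and encrypted by IPsec, so PC2 can be pinged in both cases.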
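
A successful ping does not by itself show that the packets were encrypted, so the check below compares the IPsec SA counters on R2 before and after the ping and confirms that the SA covers GRE between the two tunnel endpoints. It is an added example, not part of the original lab: the `show crypto ipsec sa` text is a constructed sample with made-up counter values, and the function names are hypothetical.

```python
import re

# Constructed sample of `show crypto ipsec sa` on R2 (trimmed to the lines
# the check needs); the counter values are made up, not taken from the lab.
SA_TEMPLATE = """\
interface: Serial1/0
    Crypto map tag: mymap, local addr 192.1.1.20
   local  ident (addr/mask/prot/port): (192.1.1.20/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.1.1.40/255.255.255.255/47/0)
   current_peer 192.1.1.40 port 500
    #pkts encaps: {enc}, #pkts encrypt: {enc}, #pkts digest: {enc}
    #pkts decaps: {dec}, #pkts decrypt: {dec}, #pkts verify: {dec}
"""
BEFORE = SA_TEMPLATE.format(enc=12, dec=11)   # snapshot before the ping
AFTER = SA_TEMPLATE.format(enc=17, dec=16)    # snapshot after 5 echoes/replies

IDENT = re.compile(r"(local|remote)\s+ident .*?: \(([\d.]+)/[\d.]+/(\d+)/\d+\)")
COUNTER = re.compile(r"#pkts (\w+): (\d+)")
GRE = 47  # IP protocol number of GRE

def parse_sa(text):
    """Return ({side: (address, protocol)}, {counter: value}) for one SA."""
    idents = {m[1]: (m[2], int(m[3])) for m in IDENT.finditer(text)}
    counters = {name: int(value) for name, value in COUNTER.findall(text)}
    return idents, counters

def tunnel_is_encrypted(before, after, local, peer, sent):
    """True if the SA protects GRE between local and peer and both
    directions carried at least `sent` more packets through ESP."""
    ids0, c0 = parse_sa(before)
    ids1, c1 = parse_sa(after)
    expected = {"local": (local, GRE), "remote": (peer, GRE)}
    if ids0 != expected or ids1 != expected:
        return False  # the crypto ACL is not selecting the GRE tunnel
    # >= because OSPF hellos also cross the tunnel between snapshots.
    return all(c1.get(k, 0) - c0.get(k, 0) >= sent
               for k in ("encrypt", "decrypt"))

if __name__ == "__main__":
    print(tunnel_is_encrypted(BEFORE, AFTER, "192.1.1.20", "192.1.1.40", 5))
```

If the counters stay flat while the pings succeed, the GRE packets are leaving the interface without matching the crypto ACL.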
