Lab topology
Interface and routing configuration is omitted; a default route on R1 and R3 is enough for connectivity across the public network (confirm that the two public-side addresses can reach each other before starting).
Next, configure the IPsec VPN as follows.
R1 configuration
Step 1: On R1, create the interesting-traffic ACL matching the private subnets on both ends.
[R1] acl advanced 3500
[R1] rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
Step 2: On R1, create the IKE proposal, set the authentication method to pre-shared key, and set the encryption algorithm.
[R1] ike proposal 1
[R1-ike-proposal-1] authentication-method pre-share
[R1-ike-proposal-1] encryption-algorithm aes-cbc-128
Step 3: On R1, create the pre-shared key.
[R1] ike keychain r3
[R1-ike-keychain-r3] pre-shared-key address 2.2.2.2 key simple 123456
Step 4: On R1, create the IKE profile, specify the local and remote public addresses, and reference the keychain and the IKE proposal.
[R1] ike profile r3
[R1-ike-profile-r3] keychain r3
[R1-ike-profile-r3] local-identity address 1.1.1.1
[R1-ike-profile-r3] match remote identity address 2.2.2.2
[R1-ike-profile-r3] proposal 1
Step 5: On R1, create the IPsec transform set and configure the encryption and authentication algorithms. The mode defaults to tunnel mode and the protocol defaults to ESP, so neither needs to be configured.
[R1] ipsec transform-set r3
[R1-ipsec-transform-set-r3] esp authentication-algorithm sha1
[R1-ipsec-transform-set-r3] esp encryption-algorithm aes-cbc-128
Step 6: On R1, create the IPsec policy and reference the configuration above.
[R1] ipsec policy r3 1 isakmp
[R1-ipsec-policy-isakmp-r3-1] security acl 3500
[R1-ipsec-policy-isakmp-r3-1] ike-profile r3
[R1-ipsec-policy-isakmp-r3-1] transform-set r3
[R1-ipsec-policy-isakmp-r3-1] remote-address 2.2.2.2
Step 7: Apply the IPsec policy on R1's public-facing interface.
[R1-GigabitEthernet0/0] ipsec apply policy r3
R2 configuration
Step 1: On R2, create the interesting-traffic ACL matching the private subnets on both ends.
[R2] acl advanced 3500
[R2] rule 5 permit ip source 172.16.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
Step 2: On R2, create the IKE proposal, set the authentication method to pre-shared key, and set the encryption algorithm.
[R2] ike proposal 1
[R2-ike-proposal-1] authentication-method pre-share
[R2-ike-proposal-1] encryption-algorithm aes-cbc-128
Step 3: On R2, create the pre-shared key.
[R2] ike keychain r1
[R2-ike-keychain-r1] pre-shared-key address 1.1.1.1 key simple 123456
Step 4: On R2, create the IKE profile, specify the local and remote public addresses, and reference the keychain and the IKE proposal.
[R2] ike profile r1
[R2-ike-profile-r1] keychain r1
[R2-ike-profile-r1] local-identity address 2.2.2.2
[R2-ike-profile-r1] match remote identity address 1.1.1.1
[R2-ike-profile-r1] proposal 1
Step 5: On R2, create the IPsec transform set and configure the encryption and authentication algorithms. The mode defaults to tunnel mode and the protocol defaults to ESP, so neither needs to be configured.
[R2] ipsec transform-set r1
[R2-ipsec-transform-set-r1] esp authentication-algorithm sha1
[R2-ipsec-transform-set-r1] esp encryption-algorithm aes-cbc-128
Step 6: On R2, create the IPsec policy and reference the configuration above.
[R2] ipsec policy r1 1 isakmp
[R2-ipsec-policy-isakmp-r1-1] security acl 3500
[R2-ipsec-policy-isakmp-r1-1] ike-profile r1
[R2-ipsec-policy-isakmp-r1-1] transform-set r1
[R2-ipsec-policy-isakmp-r1-1] remote-address 1.1.1.1
Step 7: Apply the IPsec policy on R2's public-facing interface.
[R2-GigabitEthernet0/0] ipsec apply policy r1
The IPsec configuration is now complete. You think the two sides can talk to each other now? Too naive.
Test
Ha, no connectivity, right? The root cause is that the IPsec interesting-traffic ACL conflicts with the NAT ACL: the NAT ACL also matches the site-to-site traffic, so it gets translated instead of entering the tunnel. The fix is to add a deny rule for the IPsec ACL's traffic to the NAT ACL so that traffic is excluded from NAT.
Modify the ACL
On R1, modify the NAT ACL (the counters in parentheses are the hit counts shown by the ACL display output):
rule 4 deny ip source 192.168.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255 (2 times matched)
rule 5 permit ip source 192.168.1.0 0.0.0.255 (3 times matched)
On R3, modify the NAT ACL:
rule 4 deny ip source 172.16.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 5 permit ip source 172.16.1.0 0.0.0.255 (2 times matched)
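To make the failure and the fix concrete, here is an added Python model of the behaviour the analysis above describes. It is not part of this lab and not H3C code; it assumes the order the analysis implies: on the outbound interface the NAT ACL is consulted first, and a packet whose source NAT has translated no longer matches the IPsec interesting-traffic ACL. The parser accepts rule lines in the Comware display syntax used above (trailing match counters are ignored), egress() walks both ACLs for one packet, and ipsec_rules_not_bypassed() is a small check that reports IPsec permit rules the NAT ACL would still translate. The NAT ACL contents before the fix (only the permit rule), the public address 1.1.1.1 for R1, and the sample packets are constructed for the example.

```python
"""Added model of the NAT ACL / IPsec ACL conflict (example code, not H3C's)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# (network, wildcard) as 32-bit ints; None means "any"
NetWc = Optional[Tuple[int, int]]


@dataclass
class Rule:
    number: int
    action: str  # "permit" or "deny"
    src: NetWc
    dst: NetWc


RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(permit|deny)\s+ip\s+source\s+(\S+)\s+(\S+)"
    r"(?:\s+destination\s+(\S+)\s+(\S+))?"
)


def _net(addr: str, wc: str) -> Tuple[int, int]:
    return int(ipaddress.ip_address(addr)), int(ipaddress.ip_address(wc))


def parse_acl(text: str) -> List[Rule]:
    """Parse 'rule N permit|deny ip source A W [destination B W]' lines.
    Anything after the rule body, such as '(2 times matched)', is ignored.
    Rules are returned in rule-number order, which is the default match order."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue
        num, action, s_net, s_wc, d_net, d_wc = m.groups()
        dst = None if d_net is None else _net(d_net, d_wc)
        rules.append(Rule(int(num), action, _net(s_net, s_wc), dst))
    return sorted(rules, key=lambda r: r.number)


def _wc_match(addr: str, net_wc: NetWc) -> bool:
    """Wildcard-mask match: bits set to 1 in the wildcard are don't-care bits."""
    if net_wc is None:
        return True
    net, wc = net_wc
    care = ~wc & 0xFFFFFFFF
    return (int(ipaddress.ip_address(addr)) & care) == (net & care)


def first_match(rules: List[Rule], src: str, dst: str) -> Optional[Rule]:
    for r in rules:
        if _wc_match(src, r.src) and _wc_match(dst, r.dst):
            return r
    return None


def egress(src: str, dst: str, nat_acl: List[Rule], ipsec_acl: List[Rule],
           public_ip: str) -> Tuple[str, str]:
    """Return (how the packet leaves, source address it leaves with).
    'ipsec': entered the tunnel; 'nat': translated and sent in the clear;
    'clear': untranslated and not in the tunnel."""
    translated = False
    nat_hit = first_match(nat_acl, src, dst)
    if nat_hit is not None and nat_hit.action == "permit":
        src, translated = public_ip, True  # NAT runs first (assumption)
    ipsec_hit = first_match(ipsec_acl, src, dst)
    if ipsec_hit is not None and ipsec_hit.action == "permit":
        return ("ipsec", src)
    return ("nat" if translated else "clear", src)


def ipsec_rules_not_bypassed(nat_acl: List[Rule], ipsec_acl: List[Rule]) -> List[int]:
    """Numbers of IPsec permit rules whose traffic the NAT ACL would still translate.
    Each rule is probed with the first host of its source and destination networks."""
    bad = []
    for r in ipsec_acl:
        if r.action != "permit":
            continue
        src = str(ipaddress.ip_address(r.src[0] + 1))
        dst = str(ipaddress.ip_address((r.dst[0] if r.dst else 0) + 1))
        hit = first_match(nat_acl, src, dst)
        if hit is not None and hit.action == "permit":
            bad.append(r.number)
    return bad


# Constructed sample ACLs, taken from the R1 side of this lab.
IPSEC_ACL_R1 = "rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255"
NAT_ACL_R1_BEFORE = "rule 5 permit ip source 192.168.1.0 0.0.0.255"  # assumed pre-fix contents
NAT_ACL_R1_AFTER = """
rule 4 deny ip source 192.168.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255 (2 times matched)
rule 5 permit ip source 192.168.1.0 0.0.0.255 (3 times matched)
"""

if __name__ == "__main__":
    ipsec = parse_acl(IPSEC_ACL_R1)
    for label, nat_text in (("before fix", NAT_ACL_R1_BEFORE), ("after fix", NAT_ACL_R1_AFTER)):
        nat = parse_acl(nat_text)
        print(label, "site-to-site:", egress("192.168.1.10", "172.16.1.10", nat, ipsec, "1.1.1.1"))
        print(label, "internet:", egress("192.168.1.10", "203.0.113.9", nat, ipsec, "1.1.1.1"))
        print(label, "IPsec rules still NATed:", ipsec_rules_not_bypassed(nat, ipsec))
```

Before the fix the site-to-site packet is translated to 1.1.1.1 and misses the IPsec ACL, so it leaves in the clear; after the fix the deny rule shadows it in the NAT ACL and it enters the tunnel, while ordinary Internet-bound traffic is still translated. The check function is the same test run over the rule set, which is what you would want to add to a configuration review before pushing a NAT ACL change.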
Lab result
PC_4 and PC_5 can now reach each other.
IKE SA
display ike sa
IPsec SA
display ipsec sa
Running IPsec across NAT on a router is that simple.