1. Lab topology
2. Basic network configuration
R1 configuration:
service dhcp
ip dhcp excluded-address 16.1.1.1
ip dhcp pool net16
network 16.1.1.0 255.255.255.0
default-router 16.1.1.1
interface FastEthernet0/0
ip address 12.1.1.1 255.255.255.0
interface FastEthernet1/0
ip address 13.1.1.1 255.255.255.0
interface FastEthernet2/0
ip address 16.1.1.1 255.255.255.0
R2 configuration:
interface FastEthernet0/0
ip address 12.1.1.2 255.255.255.0
interface FastEthernet1/0
ip address 172.16.1.254 255.255.255.0
ip route 0.0.0.0 0.0.0.0 12.1.1.1
R3 configuration:
interface FastEthernet0/0
ip address 13.1.1.3 255.255.255.0
interface FastEthernet1/0
ip address 192.168.1.254 255.255.255.0
ip route 0.0.0.0 0.0.0.0 13.1.1.1
R4 configuration:
interface FastEthernet0/0
ip address 172.16.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 172.16.1.254
R5 configuration:
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.1.254
R6 configuration:
interface FastEthernet0/0
ip address dhcp
interface FastEthernet1/0
ip address 10.1.1.254 255.255.255.0
ip route 0.0.0.0 0.0.0.0 16.1.1.1
R7 configuration:
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.1.1.254
3. IPSec Dynamic LAN-to-LAN VPN configuration
R2 configuration:
crypto keyring cisco
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp profile cisco
keyring cisco
match identity address 0.0.0.0
crypto ipsec transform-set cisco esp-3des esp-sha-hmac
crypto dynamic-map cisco 5
set transform-set cisco
set isakmp-profile cisco
crypto map cisco 10 ipsec-isakmp dynamic cisco
interface FastEthernet0/0
crypto map cisco
R3 configuration:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 12.1.1.2
crypto ipsec transform-set cisco esp-3des esp-sha-hmac
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
crypto map cisco 1 ipsec-isakmp
set peer 12.1.1.2
set transform-set cisco
match address 100
interface FastEthernet0/0
crypto map cisco
R6 configuration:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 12.1.1.2
crypto ipsec transform-set cisco esp-3des esp-sha-hmac
access-list 100 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
crypto map cisco 1 ipsec-isakmp
set peer 12.1.1.2
set transform-set cisco
match address 100
interface FastEthernet0/0
crypto map cisco
4. Reachability test between the internal networks of R4, R5 and R7 (R5 and R7 must ping R4 first; only then do pings work)
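Why the ping order matters, as an added example that is not part of the original lab: this Python sketch applies Cisco wildcard-mask matching to the crypto ACL 100 entries configured on R3 and R6 above and reports whether a router has a static crypto map entry that would start IKE for a given flow. R2 only has a dynamic crypto map with no "match address" or "set peer", so it is modelled with no entries and can only respond; the function and variable names are hypothetical.

```python
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Cisco ACL match: bits set in the wildcard mask are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


# Crypto ACLs copied from the configs above: (src, src_wc, dst, dst_wc).
# R2 uses a dynamic crypto map without "match address", so its list is empty.
CRYPTO_ACLS = {
    "R2": [],
    "R3": [("192.168.1.0", "0.0.0.255", "172.16.1.0", "0.0.0.255")],
    "R6": [("10.1.1.0", "0.0.0.255", "172.16.1.0", "0.0.0.255")],
}


def can_initiate(router, src, dst):
    """True if an outbound packet src->dst on this router matches a static
    crypto map entry and would therefore trigger IKE negotiation."""
    return any(
        wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
        for s, sw, d, dw in CRYPTO_ACLS[router]
    )


if __name__ == "__main__":
    # Constructed test flows using the host addresses of R4, R5 and R7.
    flows = [
        ("R3", "192.168.1.1", "172.16.1.1"),  # R5 -> R4, leaves via R3
        ("R6", "10.1.1.1", "172.16.1.1"),     # R7 -> R4, leaves via R6
        ("R2", "172.16.1.1", "192.168.1.1"),  # R4 -> R5, leaves via R2
        ("R2", "172.16.1.1", "10.1.1.1"),     # R4 -> R7, leaves via R2
    ]
    for router, src, dst in flows:
        verdict = "initiates IKE" if can_initiate(router, src, dst) else "cannot initiate"
        print(f"{router}: {src} -> {dst}: {verdict}")
```

Once a spoke has brought the tunnel up, R2 holds SAs for that spoke's subnets and return traffic from R4 is encrypted, which is why pings from R4 only succeed afterwards.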