IPsec LAN-to-LAN ×××_IPsec


----------------------------------上海分公司----------------------------------


R6(config)#interface fastEthernet 0/0

R6(config-if)#ip address 172.17.10.20 255.255.255.0

R6(config-if)#no sh


R6(config)#ip route 10.1.1.0 255.255.255.0 172.17.10.10




R5(config)#interface fastEthernet 0/0

R5(config-if)#ip address 172.17.10.10 255.255.255.0

R5(config-if)#no sh


R5(config)#interface fastEthernet 0/1

R5(config-if)#ip address 10.1.1.5 255.255.255.0

R5(config-if)#no sh


R5(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.1




R1(config)#interface fastEthernet 0/1

R1(config-if)#ip address 10.1.1.1 255.255.255.0

R1(config-if)#no sh


R1(config)#interface fastEthernet 0/0

R1(config-if)#ip address 12.1.1.1 255.255.255.0

R1(config-if)#no sh


R1(config)#ip route 0.0.0.0 0.0.0.0 fastEthernet 0/0

R1(config)#ip route 172.17.10.0 255.255.255.0 10.1.1.5




R1#ping 172.17.10.20


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.17.10.20, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 284/326/380 ms




-----------------------------------Internet-----------------------------------


R2(config)#interface fastEthernet 0/0

R2(config-if)#ip address 12.1.1.2 255.255.255.0

R2(config-if)#no sh


R2(config)#interface fastEthernet 0/1

R2(config-if)#ip address 23.1.1.2 255.255.255.0

R2(config-if)#no sh




R3(config)#interface fastEthernet 0/1

R3(config-if)#ip address 23.1.1.3 255.255.255.0

R3(config-if)#no sh


R3(config)#interface fastEthernet 0/0

R3(config-if)#ip address 192.168.1.3 255.255.255.0

R3(config-if)#no sh


R3(config)#ip route 0.0.0.0 0.0.0.0 fastEthernet 0/1

R3(config)#ip route 192.168.20.0 255.255.255.0 192.168.1.4




R3#ping 12.1.1.1


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 12.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 348/384/424 ms


R3#ping 10.1.1.5


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.1.5, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)




-----------------------------------北京总部-----------------------------------


R4(config)#interface fastEthernet 0/0

R4(config-if)#ip address 192.168.1.4 255.255.255.0

R4(config-if)#no sh


R4(config)#interface fastEthernet 0/1

R4(config-if)#ip address 192.168.20.10 255.255.255.0

R4(config-if)#no sh


R4(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.3




R7(config)#interface fastEthernet 0/1

R7(config-if)#ip address 192.168.20.20 255.255.255.0

R7(config-if)#no sh


R7(config)#ip route 192.168.1.0 255.255.255.0 192.168.20.10




R7#ping 192.168.1.3


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 328/383/412 ms


R7#ping 12.1.1.1


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 12.1.1.1, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)




------------------------------Router to Router------------------------------


R1(config)#crypto isakmp policy 1

R1(config-isakmp)#authentication pre-share

R1(config-isakmp)#encryption 3des

R1(config-isakmp)#hash sha

R1(config-isakmp)#group 2


R1(config)#crypto isakmp key 0 cisco address 23.1.1.3

R1(config)#crypto ipsec transform-set SH esp-3des esp-sha-hmac

R1(cfg-crypto-trans)#mode tunnel


R1(config)#ip access-list extended SH-TO-BJ

R1(config-ext-nacl)#permit ip 172.17.10.0 0.0.0.255 192.168.20.0 0.0.0.255


R1(config)#crypto map SH_BJ 1 ipsec-isakmp

R1(config-crypto-map)#set peer 23.1.1.3

R1(config-crypto-map)#set transform-set SH

R1(config-crypto-map)#match address SH-TO-BJ


R1(config)#interface fastEthernet 0/0

R1(config-if)#crypto map SH_BJ




R6(config)#ip route 192.168.20.0 255.255.255.0 172.17.10.10




R3(config)#crypto isakmp policy 1

R3(config-isakmp)#authentication pre-share

R3(config-isakmp)#encryption 3des

R3(config-isakmp)#hash sha

R3(config-isakmp)#group 2


R3(config)#crypto isakmp key 0 cisco address 12.1.1.1

R3(config)#crypto ipsec transform-set BJ esp-3des esp-sha-hmac

R3(cfg-crypto-trans)#mode tunnel


R3(config)#ip access-list extended BJ-TO-SH

R3(config-ext-nacl)#permit ip 192.168.20.0 0.0.0.255 172.17.10.0 0.0.0.255


R3(config)#crypto map BJ_SH 1 ipsec-isakmp

R3(config-crypto-map)#set peer 12.1.1.1

R3(config-crypto-map)#set transform-set BJ

R3(config-crypto-map)#match address BJ-TO-SH


R3(config)#interface fastEthernet 0/1

R3(config-if)#crypto map BJ_SH




R7(config)#ip route 172.17.10.0 255.255.255.0 192.168.20.10




R7#ping 172.17.10.20


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.17.10.20, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 808/1164/1448 ms


R7#traceroute 172.17.10.20


Type escape sequence to abort.

Tracing the route to 172.17.10.20


1 192.168.20.10 272 msec 220 msec 276 msec

2 192.168.1.3 404 msec 292 msec 388 msec

3 * * *

4 172.17.10.20 1568 msec 1264 msec 1224 msec