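This lab was built in GNS3.
The same approach can be used when a router carries several VPNs.
My laptop is a Dell Vostro 1400, which is just enough to run two IOS instances.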
R1#show run
Building configuration...
Current configuration : 1236 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 10
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
!
!
!
!
!
!
crypto keyring cisco
pre-shared-key address 10.1.1.2 key cisco
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp profile cisco
keyring cisco
match identity address 10.1.1.2 255.255.255.255
!
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
set peer 10.1.1.2
set transform-set cisco
set isakmp-profile cisco
match address vpn
!
!
!
interface Loopback1
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
crypto map cisco
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip classless
ip route 2.2.2.2 255.255.255.255 10.1.1.2
!
ip http server
no ip http secure-server
!
ip access-list extended vpn
permit ip host 1.1.1.1 host 2.2.2.2
!
!
!
control-plane
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
R1#ping 2.2.2.2 so 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/219/396 ms
R2#show run
Building configuration...
Current configuration : 1236 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 10
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
!
!
!
!
!
!
crypto keyring cisco
pre-shared-key address 10.1.1.1 key cisco
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp profile cisco
keyring cisco
match identity address 10.1.1.1 255.255.255.255
!
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
set peer 10.1.1.1
set transform-set cisco
set isakmp-profile cisco
match address vpn
!
!
!
interface Loopback1
ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0
duplex auto
speed auto
crypto map cisco
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip classless
ip route 1.1.1.1 255.255.255.255 10.1.1.1
!
ip http server
no ip http secure-server
!
ip access-list extended vpn
permit ip host 2.2.2.2 host 1.1.1.1
!
!
!
control-plane
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
R2#ping 1.1.1.1 so 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/164/332 ms
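Note: specify the source address when you ping. Otherwise the ping bypasses the VPN and still reaches the peer's loopback,
so you will believe the configuration is correct even when it contains an error.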
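The check below models why the source address matters: it evaluates R1's crypto ACL `vpn` for both pings. It is an added example, not part of the original post; the function names are hypothetical, and it assumes only `permit ip` / `deny ip` entries and that an unsourced ping uses the egress interface address (10.1.1.1 on FastEthernet0/0).

```python
import ipaddress

# R1's crypto ACL, copied from the configuration on the page.
R1_CONFIG = """\
ip access-list extended vpn
permit ip host 1.1.1.1 host 2.2.2.2
"""

def _take_addr(tokens):
    """Consume one ACL address spec and return (address_int, wildcard_int)."""
    word = tokens.pop(0)
    if word == "any":
        return 0, 0xFFFFFFFF
    if word == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    return int(ipaddress.IPv4Address(word)), wildcard

def parse_acl(config, name):
    """Return [(action, src_spec, dst_spec)] for 'ip access-list extended <name>'."""
    entries, inside = [], False
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:3] == ["ip", "access-list", "extended"]:
            inside = tokens[3:] == [name]
        elif inside and tokens[:2] in (["permit", "ip"], ["deny", "ip"]):
            rest = tokens[2:]
            entries.append((tokens[0], _take_addr(rest), _take_addr(rest)))
        elif inside and tokens[:1] not in (["permit"], ["deny"], ["remark"]):
            inside = False  # any other command ends the ACL section
    return entries

def _hit(addr, spec):
    net, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)

def is_protected(acl, src, dst):
    """True if the first matching entry is a permit, i.e. the packet is encrypted."""
    for action, s, d in acl:
        if _hit(src, s) and _hit(dst, d):
            return action == "permit"
    return False  # implicit deny: the packet leaves unencrypted

ACL = parse_acl(R1_CONFIG, "vpn")
# An unsourced ping leaves with the egress interface address (assumption: 10.1.1.1).
print("ping 2.2.2.2            -> encrypted:", is_protected(ACL, "10.1.1.1", "2.2.2.2"))
print("ping 2.2.2.2 so 1.1.1.1 -> encrypted:", is_protected(ACL, "1.1.1.1", "2.2.2.2"))
```

Both pings succeed on the router, but only the second one exercises the tunnel, which is why a reply to the unsourced ping proves nothing about the IPsec configuration.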