(1.1.1.1)R1(S1/1:12.12.12.1)-----------------(S1/0:12.12.12.2)R2(S1/1:23.23.23.2)------------------(S1/0:23.23.23.3)R3(3.3.3.3)
R1#sh running-config
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 23.23.23.3
!
crypto ipsec transform-set wk esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile isp
 set transform-set wk
!
interface Tunnel1
 ip address 172.16.1.1 255.255.255.0
 tunnel source 12.12.12.1
 tunnel destination 23.23.23.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile isp
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Serial1/1
 ip address 12.12.12.1 255.255.255.0
!
router ospf 110
 network 1.1.1.0 0.0.0.255 area 0
 network 172.16.1.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 12.12.12.2
R3#sh running-config
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 12.12.12.1
!
crypto ipsec transform-set wk esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile isp
 set transform-set wk
!
interface Tunnel2
 ip address 172.16.1.2 255.255.255.0
 tunnel source 23.23.23.3
 tunnel destination 12.12.12.1
 ! Tells the router that this is an IPsec-based interface, not GRE
 tunnel mode ipsec ipv4
 ! Applies the IPsec profile to the tunnel interface, which selects the transform-set type
 tunnel protection ipsec profile isp
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
!
interface Serial1/0
 ip address 23.23.23.3 255.255.255.0
!
router ospf 110
 router-id 3.3.3.3
 network 3.3.3.0 0.0.0.255 area 0
 network 172.16.1.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 23.23.23.2
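PS: The IPsec profile feature lets the phase 2 SA parameters be associated with a tunnel interface without using crypto map commands. IPsec VTI relies on the IP routing engine, which simplifies the triggering mechanism: IPsec VTI does not need an ACL with a crypto map.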
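
For contrast with the note above, this is R1's protection written the classic crypto-map way. It is an added example, not part of the original configuration; the ACL name VPN-TRAFFIC and the map name CMAP are hypothetical, and it assumes only loopback-to-loopback traffic needs protection.

```cisco
! Constructed comparison: R1 using a crypto map instead of the VTI.
! Phase 1 is unchanged from the page.
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 23.23.23.3
!
! Same transform set name as the page; mode is left at the default (tunnel).
crypto ipsec transform-set wk esp-des esp-md5-hmac
!
! The ACL is the trigger: only packets it permits are encrypted.
! R3 needs the mirror image (3.3.3.0 -> 1.1.1.0) or phase 2 will not match.
ip access-list extended VPN-TRAFFIC
 permit ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
!
! The crypto map replaces "crypto ipsec profile isp": it binds the peer,
! the transform set and the ACL together.
crypto map CMAP 10 ipsec-isakmp
 set peer 23.23.23.3
 set transform-set wk
 match address VPN-TRAFFIC
!
! Applied to the physical interface; there is no Tunnel1 in this form.
interface Serial1/1
 ip address 12.12.12.1 255.255.255.0
 crypto map CMAP
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
! No OSPF adjacency with R3 here: there is no tunnel interface to run it on.
! Traffic to 3.3.3.0/24 follows the existing default route and is encrypted
! only if it matches VPN-TRAFFIC.
ip route 0.0.0.0 0.0.0.0 12.12.12.2
```

With the VTI version on the page, the ACL and crypto map disappear: whatever the routing table (here OSPF 110) sends out Tunnel1 or Tunnel2 is encrypted.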