Lab topology:
Router---------------------Router
<R1> <R2>
R1 interface addresses:
s1/0: 192.168.1.1/24   Ethernet0/0: 172.16.1.1/24
R2 interface addresses:
s1/0: 192.168.1.2/24   Ethernet0/0: 172.16.2.1/24
(The addresses above follow the running configurations shown later on this page; the serial link 192.168.1.0/24 carries the IKE/IPsec traffic, and the two Ethernet LANs 172.16.1.0/24 and 172.16.2.0/24 are the networks being protected.)
The IOS image on the 2610 is c2600-jk9s-mz.122-17.bin (the k9 image is required for 3DES).
Steps:
The steps are shown on R2; R1 is configured the same way with the addresses reversed.
1. Configure routing (OSPF 100 in this lab). The serial link and the LAN behind each router must be reachable before IPsec can come up.
2. Define the ACL that selects the traffic to be encrypted
access-list 101 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
(The crypto ACL on the peer must be the exact mirror of this one, with source and destination swapped: on R1 it is 172.16.1.0 -> 172.16.2.0. A non-mirrored ACL is the most common reason for a tunnel that comes up in one direction only.)
3. Generate an RSA key pair
crypto key generate rsa general-keys   (generates one general-purpose RSA key pair)
or: crypto key generate rsa usage-keys   (generates a separate signing key pair and encryption key pair)
This lab uses a general-purpose key on both routers. "ip domain-name" must be set first, because the key is named after hostname.domain-name. Specify at least a 2048-bit modulus (the command prompts for the size, or accepts the modulus keyword on releases that support it): the default is 512 bits, and the key-strings in the configurations on this page are in fact 512-bit keys (a 65-byte INTEGER after "0241 00"), which is far too small to trust today.
4. Copy the peer router's public key into the local router
(1) Generate a general-purpose key on R1 as in step 3.
(2) On R1, run "show crypto key mypubkey rsa" and copy the General Purpose Key block (the hex dump).
(3) On R2:
crypto key pubkey-chain rsa
 addressed-key 192.168.1.1   (binds the key to the peer's IKE address; 192.168.1.1 is R1's s1/0)
  key-string
  <paste the General Purpose Key copied from R1>
  quit
(If usage keys were generated in step 3, the block to paste is the Encryption Key, the second of the three keys listed, because rsa-encr authentication uses the peer's encryption key. Both routers must do this for each other: R1 holds R2's key under addressed-key 192.168.1.2.)
Paste the hex carefully: a missing or duplicated line gives a blob that will never verify. Before relying on it, compare what "show crypto key pubkey-chain rsa" shows locally with the "show crypto key mypubkey rsa" output on the peer, over a channel other than the link being protected; whoever can substitute this value can impersonate the peer, since this pubkey-chain is the only thing that authenticates it.
5. Define the ISAKMP (IKE phase 1) policy
crypto isakmp policy 1
 authentication rsa-encr   (authenticate the peer with RSA-encrypted nonces, using the public keys exchanged in step 4)
(authentication must be configured. encr, hash, group and lifetime take defaults if omitted (DES, SHA, group 1, 86400 s). encr, hash and group must be identical on both routers; for lifetime the initiator's value must not exceed the responder's, and the shorter one is used. The defaults are weak: set at least "encr 3des" and "group 2" explicitly on this image, and prefer AES and group 14 on images that support them.)
6. Define the transform set (the IPsec phase 2 proposal)
crypto ipsec transform-set vpn-tfs esp-3des esp-sha-hmac
(vpn-tfs is the transform-set name; the two transforms are the ESP cipher and the ESP integrity algorithm)
 mode tunnel   (tunnel is the default, so this line is optional; transport mode is only usable when the two routers themselves are the endpoints of the protected traffic, so tunnel mode is what this lab needs for 172.16.1.0/24 <-> 172.16.2.0/24)
7. Define the crypto map entry
crypto map vpn-map 10 ipsec-isakmp
(vpn-map is the map name, 10 is the entry sequence number, and ipsec-isakmp means the keys are negotiated by IKE)
 match address 101   (the traffic to protect; the ACL from step 2)
 set peer 192.168.1.1   (the peer's IKE address; it must be the same address used for addressed-key in step 4)
 set transform-set vpn-tfs   (the transform set from step 6)
(One interface can serve several VPN peers: add one entry per peer under the same map name with a different sequence number, and install each peer's public key in the pubkey-chain as well.)
8. Apply the crypto map to the interface
interface Serial1/0   (the interface the tunnel traffic leaves through)
 crypto map vpn-map
9. Configure R1 the same way with the addresses reversed: peer 192.168.1.2, ACL 172.16.1.0 -> 172.16.2.0, addressed-key 192.168.1.2.
To verify, ping between the two LANs, then check "show crypto isakmp sa" (state QM_IDLE) and "show crypto ipsec sa" (the encaps/decaps counters should increase). "debug crypto isakmp" shows the phase 1 failure if a public key was pasted wrongly or a policy parameter does not match.
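The two key-strings pasted in step 4 are the only thing that authenticates the peers, so they deserve a check before the tunnel is trusted. The script below is an added example, not part of the original lab write-up: it parses an IOS key-string exactly as "show crypto key mypubkey rsa" prints it (the hex dump of a DER SubjectPublicKeyInfo), reports the modulus size and exponent, derives a SHA-256 fingerprint for comparing with the peer, and checks that the two crypto ACLs mirror each other. The two blobs and the two access-list lines are copied from the R1 and R2 running configurations on this page; the 2048-bit minimum is a policy choice of this example.

```python
"""Sanity-check RSA keys pasted into "crypto key pubkey-chain rsa" and the crypto ACLs.

Added example (not from the original lab): parse the IOS key-string hex dump,
report modulus size and exponent, fingerprint it, and verify ACL mirroring.
"""
import hashlib
import re

RSA_OID = bytes.fromhex("2A864886F70D010101")   # 1.2.840.113549.1.1.1 rsaEncryption

# Key R1 holds for peer 192.168.1.2 (copied from R1's running config on this page).
R1_PEER_KEY = """
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00B65771 BF929647
62602E8B FE20EB01 B8734307 DD2CF9C4 C3E69766 9E26BDEE 2388077C E005D012
27A7C6E9 5F9DFA10 DEBC26C8 6987C8FC 4EAC19A8 0F8DFF3A 9D020301 0001
"""
# Key R2 holds for peer 192.168.1.1 (copied from R2's running config on this page).
R2_PEER_KEY = """
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00F9918D F6582321
58E9FB6D 64334D42 202929ED 6B312FE9 B6239B17 84D48AFE 16D13AD4 E0EE9BC7
9FDF69F8 96569F71 A67D7A84 B8AF8A9A 9C240DA9 8058DAE6 89020301 0001
"""
R1_ACL = "access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255"
R2_ACL = "access-list 101 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255"


def _tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER element runs past the end of the key-string")
    return tag, buf[pos:pos + length], pos + length


def parse_ios_pubkey(key_string):
    """Parse an IOS key-string hex dump; return modulus bits, exponent and a SHA-256 fingerprint."""
    der = bytes.fromhex(re.sub(r"\s+", "", key_string))
    tag, spki, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE: lines missing or duplicated in the paste?")
    tag, alg, pos = _tlv(spki, 0)          # AlgorithmIdentifier { OID, NULL }
    oid_tag, oid, _ = _tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption public key")
    tag, bitstr, _ = _tlv(spki, pos)       # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsapub, _ = _tlv(bitstr, 1)         # SEQUENCE { n INTEGER, e INTEGER }
    _, n_bytes, pos = _tlv(rsapub, 0)
    _, e_bytes, _ = _tlv(rsapub, pos)
    n, e = int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")
    if n % 2 == 0:
        raise ValueError("even modulus: the pasted hex is corrupt")
    return {"modulus_bits": n.bit_length(), "exponent": e,
            "sha256": hashlib.sha256(der).hexdigest()}


def key_string_is_wellformed(key_string):
    """True if the paste decodes as an RSA SubjectPublicKeyInfo, False otherwise."""
    try:
        parse_ios_pubkey(key_string)
        return True
    except (ValueError, IndexError):
        return False


def key_is_acceptable(info, min_bits=2048):
    """Policy check (this example's choice): reject short moduli and tiny exponents."""
    return info["modulus_bits"] >= min_bits and info["exponent"] >= 65537


_ACL = re.compile(r"access-list\s+\d+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def crypto_acls_mirror(local_line, remote_line):
    """True if the peer's crypto ACL is the exact mirror (source and destination swapped) of ours."""
    src_l, wc_l, dst_l, dwc_l = _ACL.match(local_line.strip()).groups()
    src_r, wc_r, dst_r, dwc_r = _ACL.match(remote_line.strip()).groups()
    return (src_l, wc_l) == (dst_r, dwc_r) and (dst_l, dwc_l) == (src_r, wc_r)


if __name__ == "__main__":
    for name, blob in (("key held on R1 for 192.168.1.2", R1_PEER_KEY),
                       ("key held on R2 for 192.168.1.1", R2_PEER_KEY)):
        info = parse_ios_pubkey(blob)
        verdict = "ok" if key_is_acceptable(info) else "TOO SMALL"
        print(f"{name}: {info['modulus_bits']}-bit, e={info['exponent']}, "
              f"sha256={info['sha256'][:16]}... [{verdict}]")
    print("crypto ACLs mirror each other:", crypto_acls_mirror(R1_ACL, R2_ACL))
```

Run against the page's own configurations, both keys come out as 512-bit RSA with e=65537 and fail the 2048-bit policy check, and the two ACLs mirror correctly. Dropping one line from a paste makes the outer SEQUENCE length no longer match the data, which the parser reports instead of silently accepting, and the fingerprint is what to read out over the phone (or any out-of-band channel) to the operator of the peer router before step 8.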
R1 full configuration:
r1#
r1#sh run
Building configuration...
Current configuration : 1379 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r1
!
ip subnet-zero
!
no ip domain-lookup
ip domain-name yhao.com
!
crypto isakmp policy 1
authentication rsa-encr
!
crypto ipsec transform-set vpn-tfs esp-3des esp-sha-hmac
!
crypto key pubkey-chain rsa
addressed-key 192.168.1.2
address 192.168.1.2
key-string
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00B65771 BF929647
62602E8B FE20EB01 B8734307 DD2CF9C4 C3E69766 9E26BDEE 2388077C E005D012
27A7C6E9 5F9DFA10 DEBC26C8 6987C8FC 4EAC19A8 0F8DFF3A 9D020301 0001
quit
!
crypto map vpn-map 10 ipsec-isakmp
set peer 192.168.1.2
set transform-set vpn-tfs
match address 101
!
call rsvp-sync
!
interface Ethernet0/0
ip address 172.16.1.1 255.255.255.0
no keepalive
half-duplex
!
interface Serial1/0
ip address 192.168.1.1 255.255.255.0
crypto map vpn-map
!
router ospf 100
log-adjacency-changes
network 172.16.1.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0
!
ip classless
no ip http server
!
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
!
dial-peer cor custom
!
line con 0
line aux 0
line vty 0 4
login
!
end
r1#
R2 full configuration:
(Two lab shortcuts to notice here: the "username r1 password 0 cisco" line plays no part in the VPN, since rsa-encr authentication uses only the pubkey-chain, and the vty lines have neither "login" nor a password, which must not be reproduced outside a lab.)
r2#
r2#sh run
Building configuration...
Current configuration : 1398 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r2
!
username r1 password 0 cisco
ip subnet-zero
!
ip domain-name yhao.com
!
crypto isakmp policy 1
authentication rsa-encr
!
crypto ipsec transform-set vpn-tfs esp-3des esp-sha-hmac
!
crypto key pubkey-chain rsa
addressed-key 192.168.1.1
address 192.168.1.1
key-string
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00F9918D F6582321
58E9FB6D 64334D42 202929ED 6B312FE9 B6239B17 84D48AFE 16D13AD4 E0EE9BC7
9FDF69F8 96569F71 A67D7A84 B8AF8A9A 9C240DA9 8058DAE6 89020301 0001
quit
!
crypto map vpn-map 10 ipsec-isakmp
set peer 192.168.1.1
set transform-set vpn-tfs
match address 101
!
call rsvp-sync
!
interface Ethernet0/0
ip address 172.16.2.1 255.255.255.0
no keepalive
half-duplex
!
interface Serial1/0
ip address 192.168.1.2 255.255.255.0
clockrate 64000
crypto map vpn-map
!
router ospf 100
log-adjacency-changes
network 172.16.2.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0
!
ip classless
no ip http server
!
access-list 101 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
!
dial-peer cor custom
!
line con 0
line aux 0
line vty 0 4
!
end
r2#