51qsx posted on 2018-7-20 10:43:30

Cisco dynamic site-to-site *** in aggressive mode

  crypto keyring k1
  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
  !
  crypto isakmp policy 10
  encr 3des
  authentication pre-share
  crypto isakmp profile l2l
  keyring k1
  match>
  initiate mode aggressive
  !
  !
  crypto ipsec transform-set bbb esp-3des esp-sha-hmac
  !
  !
  crypto dynamic-map ***map 1
  set transform-set bbb
  set isakmp-profile l2l
  match address 110
  !
  !
  crypto map ***map 1 ipsec-isakmp dynamic ***map
  !
  !
  !
  !
  interface Loopback0
  ip address 10.100.1.1 255.255.255.0
  !
  interface FastEthernet0/0
  no ip address
  shutdown
  duplex auto
  speed auto
  !
  interface FastEthernet1/0
  ip address 218.1.1.2 255.255.255.0
  duplex auto
  speed auto
  crypto map ***map
  !
  access-list 110 permit ip 10.100.1.0 0.0.0.255 10.1.1.0 0.0.0.255
  !
  no ip http server
  no ip http secure-server
  !
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 218.1.1.1
  Branch-side configuration, with the branch on ADSL:
  !
  hostname R2
  !
  vpdn enable
  !
  crypto isakmp policy 10
  encr 3des
  authentication pre-share
  !
  crypto isakmp peer address 218.1.1.2
  set aggressive-mode password cisco
  set aggressive-mode client-endpoint ipv4-address 218.1.1.2
  !
  !
  crypto ipsec transform-set bbb esp-3des esp-sha-hmac
  !
  crypto map ***map 1 ipsec-isakmp
  set peer 218.1.1.2
  set transform-set bbb
  match address 110
  !
  !
  !
  !
  interface Loopback0
  ip address 10.1.1.1 255.255.255.0
  !
  interface FastEthernet0/0
  no ip address
  duplex auto
  speed auto
  pppoe enable group global
  pppoe-client dial-pool-number 1
  !
  interface FastEthernet1/0
  no ip address
  shutdown
  duplex auto
  speed auto
  !
  interface Dialer0
  ip address negotiated
  encapsulation ppp
  dialer pool 1
  dialer-group 1
  ppp authentication chap pap callin
  ppp chap hostname cisco
  ppp chap password 0 cisco
  crypto map ***map
  !
  no ip http server
  no ip http secure-server
  !
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 Dialer0
  !
  !
  access-list 110 permit ip 10.1.1.0 0.0.0.255 10.100.1.0 0.0.0.255
  dialer-list 1 protocol ip permit
  The branch side can also be configured as follows:
  vpdn enable
  !
  crypto keyring k2
  pre-shared-key address 218.1.1.2 key cisco
  !
  crypto isakmp policy 10
  encr 3des
  authentication pre-share
  crypto isakmp profile L2L
  keyring k2
  match>
  initiate mode aggressive
  !
  !
  crypto ipsec transform-set cisco111 esp-3des esp-sha-hmac
  !
  crypto map mtsbw 1 ipsec-isakmp
  set peer 218.1.1.2
  set transform-set cisco111
  set isakmp-profile L2L
  match address 110
  !
  !
  !
  !
  interface Loopback0
  ip address 10.1.1.1 255.255.255.0
  !
  interface FastEthernet0/0
  no ip address
  duplex auto
  speed auto
  pppoe enable group global
  pppoe-client dial-pool-number 1
  !
  interface FastEthernet1/0
  ip address 10.10.10.1 255.255.255.0
  duplex auto
  speed auto
  !
  interface Dialer0
  ip address negotiated
  encapsulation ppp
  dialer pool 1
  dialer-group 1
  ppp authentication chap pap callin
  ppp chap hostname cisco
  ppp chap password 0 cisco
  crypto map mtsbw
  !
  no ip http server
  no ip http secure-server
  !
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 Dialer0
  !
  !
  access-list 110 permit ip 10.1.1.0 0.0.0.255 10.100.1.0 0.0.0.255
  dialer-list 1 protocol ip permit
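The configurations above rely on IKEv1 aggressive mode, a wildcard pre-shared key (`0.0.0.0 0.0.0.0`) shared by every peer, 3DES, and type-0 cleartext PPP passwords. The script below is an added example, not part of the forum post: it audits plain IOS running-config text for exactly those settings and reports each one with its line number. The configuration text embedded in it is a constructed, condensed copy of the hub-side config from the post; the check names and severities are the example's own choices.

```python
"""Audit Cisco IOS configuration text for weak IKEv1/IPsec settings.

Added example (not from the forum post). Works on plain running-config
text; the sample below is constructed to mirror the post's hub config.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: condensed hub-side config from the post.
SAMPLE_HUB_CONFIG = """\
crypto keyring k1
  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp profile l2l
   keyring k1
   initiate mode aggressive
!
crypto ipsec transform-set bbb esp-3des esp-sha-hmac
!
interface Dialer0
 ppp chap hostname cisco
 ppp chap password 0 cisco
"""

WEAK_ISAKMP_ENCR = {"des", "3des"}
WEAK_ESP_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac"}
# Lines that start a new top-level section and therefore end an isakmp policy block.
SECTION_STARTS = ("crypto ", "interface ", "ip ", "access-list ", "hostname ", "end", "!")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium" (example's own scale)
    line: int      # 1-based line number in the config text
    check: str     # short check identifier
    detail: str    # why it matters / what to change


def audit_ios_config(config: str) -> list[Finding]:
    """Return one Finding per weak setting found in the config text."""
    findings: list[Finding] = []
    policy_start: int | None = None   # line of the 'crypto isakmp policy' being read
    policy_has_encr = False           # IOS defaults to DES when 'encr' is absent

    def close_policy() -> None:
        nonlocal policy_start, policy_has_encr
        if policy_start is not None and not policy_has_encr:
            findings.append(Finding("medium", policy_start, "isakmp-default-des",
                                    "policy sets no 'encr'; IOS then defaults to DES"))
        policy_start, policy_has_encr = None, False

    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if line.startswith(SECTION_STARTS):
            close_policy()
        if line.startswith("crypto isakmp policy "):
            policy_start = n
            continue
        if policy_start is not None and line.startswith("encr "):
            policy_has_encr = True
            alg = line.split()[1]
            if alg in WEAK_ISAKMP_ENCR:
                findings.append(Finding("medium", n, "isakmp-weak-encr",
                                        f"'{alg}' is deprecated; use aes 256"))
            continue
        m = re.match(r"pre-shared-key address (\S+) (\S+) key (\S+)", line)
        if m:
            addr, mask, key = m.groups()
            if addr == "0.0.0.0" and mask == "0.0.0.0":
                findings.append(Finding("high", n, "wildcard-psk",
                                        "one PSK accepted from any peer address; "
                                        "anyone holding it can bring up a tunnel"))
            if len(key) < 16:
                findings.append(Finding("high", n, "short-psk",
                                        f"{len(key)}-character PSK is easy to guess"))
            continue
        if line == "initiate mode aggressive" or line.startswith("set aggressive-mode password"):
            findings.append(Finding("high", n, "aggressive-mode",
                                    "aggressive mode sends the PSK-derived hash before the "
                                    "exchange is encrypted, enabling offline guessing; "
                                    "prefer main mode or IKEv2"))
            continue
        if line.startswith("crypto ipsec transform-set "):
            weak = [t for t in line.split()[4:] if t in WEAK_ESP_TRANSFORMS]
            if weak:
                findings.append(Finding("medium", n, "ipsec-weak-transform",
                                        f"{', '.join(weak)}: use esp-aes 256 / esp-sha256-hmac"))
            continue
        if re.search(r"\bpassword 0 \S+", line):
            findings.append(Finding("medium", n, "cleartext-password",
                                    "type-0 password is stored in cleartext"))
    close_policy()
    return findings


def worst_severity(findings: list[Finding]) -> str | None:
    """Highest severity present, or None when the config is clean."""
    if any(f.severity == "high" for f in findings):
        return "high"
    return "medium" if findings else None


if __name__ == "__main__":
    for f in audit_ios_config(SAMPLE_HUB_CONFIG):
        print(f"[{f.severity:6}] line {f.line:3}: {f.check}: {f.detail}")
```

The policy-block tracking matters because an `isakmp policy` with no `encr` line silently negotiates DES; a line-by-line grep would miss that. Feed the script the output of `show running-config` to audit a real device.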
  Check *** establishment from R2:
  R2#sh crypto isakmp sa
  dst             src             state          conn-id slot status
  218.1.1.2       218.2.2.2       QM_IDLE             10      ACTIVE
  Ping test:
  R2#ping 10.100.1.1 source loopback 0
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 10.100.1.1, timeout is 2 seconds:
  Packet sent with a source address of 10.1.1.1
  .!!!!
  Success rate is 80 percent (4/5), round-trip min/avg/max = 8/33/60 ms
  Partial debug output:
  *Mar  1 01:30:03.735: ISAKMP:(0:3:SW:1): beginning Aggressive Mode exchange
  *Mar  1 01:30:03.735: ISAKMP:(0:3:SW:1): sending packet to 218.1.1.2 my_port 500 peer_port 500 (I) AG_INIT_EXCH
  *Mar  1 01:30:03.859: ISAKMP (0:134217731): received packet from 218.1.1.2 dport 500 sport 500 Global (I) AG_INIT_EXCH
  *Mar  1 01:30:03.863: ISAKMP:(0:3:SW:1): processing SA payload. message>
  *Mar  1 01:30:03.863: ISAKMP:(0:3:SW:1): processing>
  *Mar  1 01:30:03.863: ISAKMP (0:134217731):>
          next-payload : 10
          type         : 1
          address      : 218.1.1.2
          protocol     : 0
          port         : 0
          length       : 12
  *Mar  1 01:30:03.867: ISAKMP:(0:3:SW:1):: peer matches *none* of the profiles
  *Mar  1 01:30:03.867: ISAKMP:(0:3:SW:1): processing vendor>
  *Mar  1 01:30:03.867: ISAKMP:(0:3:SW:1): vendor>
  *Mar  1 01:30:03.871: ISAKMP:(0:3:SW:1): processing vendor>
  *Mar  1 01:30:03.871: ISAKMP:(0:3:SW:1): vendor>
  *Mar  1 01:30:03.871: ISAKMP:(0:3:SW:1): processing vendor>
  *Mar  1 01:30:03.871: ISAKMP:(0:3:SW:1): speaking to another IOS box!
  *Mar  1 01:30:03.875: ISAKMP:(0:3:SW:1): SA using tunnel password as pre-shared key.
  Output of a second ping that was interleaved with the debug lines on the console:
  .!!!!
  Success rate is 80 percent (4/5), round-trip min/avg/max = 8/38/76 ms
  R2#