
2025-02-05 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/01 Report

Router IPsec VPN with dynamic crypto map (Cisco IOS)

R1 is the headquarters router, R2 is the operator (carrier) router, and R3 is the branch router.

In this case R1 uses a dynamic crypto map and R3 a static one. f0/0 of R3 obtains its address by DHCP, so the administrator at headquarters does not know the branch's public IP and cannot put a peer address (set peer) or a crypto ACL for that peer into a static crypto map on R1. A dynamic crypto map solves this: it is a template that carries only the transform set (and optionally a crypto ACL), and the parameters a static map would have to specify, the peer address and the proxy identities, are filled in from what the remote side proposes during IKE negotiation. The consequence is that headquarters can never start the tunnel; the branch must initiate, which is why R3 keeps an ordinary static crypto map with set peer pointing at R1's fixed address 200.0.0.1. A dynamic crypto map also cannot be applied to an interface by itself, so on R1 a static crypto map entry references the dynamic map and that static map is applied to f0/0. Give that entry the highest sequence number (65000 below): IOS evaluates map entries in sequence order and the dynamic entry matches any peer, so it must come after any explicit static entries.

One: basic settings

Basic configuration of R1

R1#conf t
R1(config)# int f0/0
R1(config-if)# ip add 200.0.0.1 255.255.255.0
R1(config-if)# no shut
R1(config-if)# int f0/1
R1(config-if)# ip add 192.168.1.254 255.255.255.0
R1(config-if)# no shut

Basic configuration of R2

R2#conf t
R2(config)# int f0/0
R2(config-if)# ip add 200.0.0.2 255.255.255.0
R2(config-if)# no shut
R2(config-if)# int f0/1
R2(config-if)# ip add 100.0.0.2 255.255.255.0
R2(config-if)# no shut
R2(config-if)# exit
R2(config)# ip dhcp pool cisco
R2(dhcp-config)# network 100.0.0.0 255.255.255.0

The pool must cover the subnet of R2's f0/1 (100.0.0.0/24): IOS selects a DHCP pool by the subnet of the interface the request arrives on, so R3's f0/0 is offered an address in 100.0.0.0/24 and its default route to 100.0.0.2 resolves. A pool on a network that matches no interface is never used.

Basic configuration of R3

R3#conf t
R3(config)# int f0/0
R3(config-if)# ip add dhcp
R3(config-if)# no shut
R3(config-if)# int f0/1
R3(config-if)# ip add 192.168.2.254 255.255.255.0
R3(config-if)# no shut
R3(config-if)# end
R3#show ip int br

Check with show ip int br that f0/0 has obtained an address from R2 before going on; the rest of the configuration assumes it has.

Two: routing settings

Routing of R1

R1(config)# ip route 0.0.0.0 0.0.0.0 200.0.0.2

Routing of R3

R3(config)# ip route 0.0.0.0 0.0.0.0 100.0.0.2

Three: VPN settings

VPN configuration of R1

R1(config)# crypto isakmp enable
R1(config)# crypto isakmp identity address
R1(config)# crypto isakmp policy 10
R1(config-isakmp)# encryption aes 128
R1(config-isakmp)# hash md5
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# exit
R1(config)# crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 no-xauth
R1(config)# access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
R1(config)# crypto ipsec transform-set cisco-set esp-aes esp-md5-hmac
R1(cfg-crypto-trans)# exit
R1(config)# crypto dynamic-map cisco-dymap 10
R1(config-crypto-map)# set transform-set cisco-set
R1(config-crypto-map)# match address 101
R1(config-crypto-map)# exit
R1(config)# crypto map cisco-stmap 65000 ipsec-isakmp dynamic cisco-dymap discover
R1(config)# access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
R1(config)# access-list 102 permit ip 192.168.1.0 0.0.0.255 any
R1(config)# ip nat inside source list 102 interface f0/0 overload
R1(config)# int f0/0
R1(config-if)# ip nat outside
R1(config-if)# crypto map cisco-stmap
R1(config-if)# int f0/1
R1(config-if)# ip nat inside

A few points about this block. The pre-shared key is entered in clear text and bound to 0.0.0.0 0.0.0.0 because the branch address is unknown, so every host that knows cisco123 can complete ISAKMP phase 1 with headquarters; a wildcard key must be long and random, and certificate authentication (authentication rsa-sig) removes the problem entirely. The algorithms shown (hash md5, group 2, esp-md5-hmac) are lab values; for production use hash sha256, group 14 or higher and esp-sha256-hmac, configured identically on both peers, because the phase 1 policy and the phase 2 transform set must match exactly or negotiation fails. The deny entry in access-list 102 must come before the permit-any line so that traffic to the branch is never translated and still matches crypto ACL 101. The match address in the dynamic map is optional; when present, the branch's crypto ACL must be its mirror image. The discover keyword on the crypto map entry enables Tunnel Endpoint Discovery and can be omitted.

VPN configuration of R3

R3#conf t
R3(config)# crypto isakmp enable
R3(config)# crypto isakmp identity address
R3(config)# crypto isakmp policy 10
R3(config-isakmp)# encryption aes 128
R3(config-isakmp)# hash md5
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# group 2
R3(config-isakmp)# exit
R3(config)# crypto isakmp key cisco123 address 200.0.0.1 no-xauth
R3(config)# access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
R3(config)# crypto ipsec transform-set cisco-set esp-aes esp-md5-hmac
R3(cfg-crypto-trans)# exit
R3(config)# crypto map cisco-map 10 ipsec-isakmp
R3(config-crypto-map)# set peer 200.0.0.1
R3(config-crypto-map)# set transform-set cisco-set
R3(config-crypto-map)# match address 101
R3(config-crypto-map)# exit
R3(config)# access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
R3(config)# access-list 102 permit ip 192.168.2.0 0.0.0.255 any
R3(config)# ip nat inside source list 102 interface f0/0 overload
R3(config)# int f0/0
R3(config-if)# ip nat outside
R3(config-if)# crypto map cisco-map
R3(config-if)# int f0/1
R3(config-if)# ip nat inside

On the branch side the crypto ACL 101 is the mirror image of R1's, the pre-shared key is bound to R1's fixed address rather than to a wildcard, and access-list 102 again denies the VPN traffic before its permit-any line so NAT never rewrites it. R3's ISAKMP policy and transform set must match R1's exactly; set peer 200.0.0.1 is what allows R3 to initiate.
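The two crypto configurations above only bring the tunnel up if they agree with each other: mirrored crypto ACLs, identical phase 1 and phase 2 proposals, NAT exemption on both sides, and well-formed wildcard masks (a mask typed as 0.0.255 is rejected by IOS, and a mismatched one silently breaks the proxy identities). The following Python script is an added example, not code from the article: it parses the R1 and R3 crypto and NAT lines, embedded as constructed text in IOS running-config form (interface written out as FastEthernet0/0), and reports those mismatches together with the weak algorithm choices and the wildcard pre-shared key. The config strings, the function names and the lists of weak algorithms are this example's own assumptions.

```python
# Consistency and weakness linter for a Cisco IOS site-to-site IPsec pair (HQ with a dynamic
# crypto map, branch with a static map). Constructed input built from the article's R1/R3 lines.
HQ_CONFIG = """\
crypto isakmp policy 10
 encryption aes 128
 hash md5
 group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 no-xauth
crypto ipsec transform-set cisco-set esp-aes esp-md5-hmac
crypto dynamic-map cisco-dymap 10
 match address 101
crypto map cisco-stmap 65000 ipsec-isakmp dynamic cisco-dymap
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 102 interface FastEthernet0/0 overload
"""
BRANCH_CONFIG = """\
crypto isakmp policy 10
 encryption aes 128
 hash md5
 group 2
crypto isakmp key cisco123 address 200.0.0.1 no-xauth
crypto ipsec transform-set cisco-set esp-aes esp-md5-hmac
crypto map cisco-map 10 ipsec-isakmp
 set peer 200.0.0.1
 match address 101
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
ip nat inside source list 102 interface FastEthernet0/0 overload
"""

def _is_ipv4(s):  # four dotted octets 0-255; catches typo'd masks such as 0.0.255
    p = s.split(".")
    return len(p) == 4 and all(x.isdigit() and int(x) < 256 for x in p)

def _addr(t):  # one ACL address spec, 'any' or 'ADDR WILDCARD' -> ((addr, mask), rest)
    return (("0.0.0.0", "255.255.255.255"), t[1:]) if t[0] == "any" else ((t[0], t[1]), t[2:])

def parse_config(text):
    cfg = {"acls": {}, "policy": {}, "transform": None, "crypto_acl": None,
           "nat_acl": None, "psk_wildcard": False}
    section = None
    for raw in filter(str.strip, text.splitlines()):
        line, parts = raw.strip(), raw.split()
        section = section if raw.startswith(" ") else None  # IOS indents sub-commands
        if line.startswith("crypto isakmp policy "):
            section = "policy"
        elif parts[:2] in (["crypto", "dynamic-map"], ["crypto", "map"]):
            section = "map"
        elif section == "policy":  # encryption / hash / authentication / group
            cfg["policy"][parts[0]] = " ".join(parts[1:])
        elif section == "map" and parts[:2] == ["match", "address"]:
            cfg["crypto_acl"] = parts[2]
        elif parts[0] == "access-list" and len(parts) > 4 and parts[3] == "ip":
            (s, sm), rest = _addr(parts[4:])
            (d, dm), _ = _addr(rest)
            cfg["acls"].setdefault(parts[1], []).append((parts[2], s, sm, d, dm))
        elif line.startswith("crypto ipsec transform-set "):
            cfg["transform"] = tuple(parts[4:])
        elif line.startswith("crypto isakmp key "):
            cfg["psk_wildcard"] = " address 0.0.0.0 0.0.0.0" in line
        elif line.startswith("ip nat inside source list "):
            cfg["nat_acl"] = parts[5]
    return cfg

def lint_one(name, cfg):
    f = [f"{name}: access-list {acl} has malformed wildcard mask {m!r}"
         for acl, entries in cfg["acls"].items() for e in entries
         for m in (e[2], e[4]) if not _is_ipv4(m)]
    pol = cfg["policy"]
    if pol.get("hash") == "md5":
        f.append(f"{name}: ISAKMP hash md5 is deprecated; use sha256")
    if pol.get("group") in {"1", "2", "5"}:
        f.append(f"{name}: ISAKMP DH group {pol['group']} is under 2048 bits; use group 14+")
    f += [f"{name}: transform set uses {t}; use esp-aes with esp-sha256-hmac"
          for t in cfg["transform"] or () if t in {"esp-md5-hmac", "esp-des", "esp-3des"}]
    # NAT exemption: a crypto-ACL flow must be denied in the NAT list *before* the permit-any entry
    nat = cfg["acls"].get(cfg["nat_acl"], [])
    first_permit = next((i for i, e in enumerate(nat) if e[0] == "permit"), len(nat))
    exempt = {e[1:] for e in nat[:first_permit] if e[0] == "deny"}
    for e in cfg["acls"].get(cfg["crypto_acl"], []):
        if e[0] == "permit" and e[1:] not in exempt:
            f.append(f"{name}: NAT list {cfg['nat_acl']} does not exempt crypto flow {e[1:]}")
    return f

def lint_pair(hq_text, branch_text):
    hq, br = parse_config(hq_text), parse_config(branch_text)
    f = lint_one("HQ", hq) + lint_one("branch", br)
    if hq["psk_wildcard"]:
        f.append("HQ: PSK is bound to 0.0.0.0 0.0.0.0; any peer holding the key can negotiate")
    mirrored = [(a, d, dm, s, sm) for a, s, sm, d, dm in hq["acls"].get(hq["crypto_acl"], [])]
    if mirrored != br["acls"].get(br["crypto_acl"], []):
        f.append("branch crypto ACL is not the mirror image of the HQ crypto ACL")
    return f

if __name__ == "__main__":
    print("\n".join(lint_pair(HQ_CONFIG, BRANCH_CONFIG)))
```

Run as a script it prints seven findings for the article's values: MD5 hashing, DH group 2 and esp-md5-hmac on each router, plus the wildcard pre-shared key on R1. Feed it a copy of the configs with a mask typed as 0.0.255, or with the deny line removed from access-list 102, and it reports the malformed mask or the missing NAT exemption instead; the ordering check matters because an access list is evaluated top down, so a deny placed after the permit-any never fires.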

Four: test

Test from the branch side first: ping from the PC behind R3 (PC2 in this test) to the PC behind R1 (PC1). A first ping from PC1 to PC2 fails, because R1's dynamic crypto map has no peer address and cannot initiate IKE; once R3 has brought the tunnel up, PC1 can ping PC2 normally. On R1, show crypto isakmp sa and show crypto ipsec sa then show the branch's DHCP-assigned address learned as the peer.

This case configures no routing on R2 beyond its two directly connected subnets (200.0.0.0/24 and 100.0.0.0/24), so R2 knows nothing about 192.168.1.0/24 or 192.168.2.0/24, and the NAT on R1 and R3 is there only so that the deny entries in access-list 102 keep the VPN traffic out of translation. Reachability between the PCs and the carrier (R2) is not part of this test; what matters is that PC1 and PC3 reach each other through the tunnel.
