Platform
R1(config)#crypto isakmp ?
  aggressive-mode       Disable ISAKMP aggressive mode
  client                Set client configuration policy
  enable                Enable ISAKMP
  identity              Set the identity which ISAKMP will use
  invalid-spi-recovery  Initiate IKE and send Invalid SPI Notify
  keepalive             Set a keepalive interval for use with IOS peers
  key                   Set pre-shared key for remote peer
  nat                   Set a nat keepalive interval for use with IOS peers
  peer                  Set Peer Policy
  policy                Set policy for an ISAKMP protection suite
  profile               Define ISAKMP Profiles
  xauth                 Set Extended Authentication values
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#authentication ?
  pre-share  Pre-Shared Key
  rsa-encr   Rivest-Shamir-Adleman Encryption
  rsa-sig    Rivest-Shamir-Adleman Signature
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#lifetime ?
  <60-86400>  lifetime in seconds
R1(config-isakmp)#lifetime 500
R1(config)#crypto isakmp key ?
  0  Specifies an UNENCRYPTED password will follow
  6  Specifies an ENCRYPTED password will follow
R1(config)#crypto isakmp key 0 ?
  WORD  The UNENCRYPTED (cleartext) user password
R1(config)#crypto isakmp key 0 yyfsb ?
  address   define shared key with IP address
  hostname  define shared key with hostname
R1(config)#crypto isakmp key 0 yyfsb address ?
  A.B.C.D  Peer IP address
R1(config)#crypto isakmp key 0 yyfsb address 13.1.1.1
R1(config)#crypto ipsec ?
  client                Configure a client
  df-bit                Handling of encapsulated DF bit.
  fragmentation         Handling of fragmentation of near-MTU sized packets
  nat-transparency      IPsec NAT transparency model
  optional              Enable optional encryption for IPSec
  profile               Configure an ipsec policy profile
  security-association  Security association parameters
  transform-set         Define transform and settings
R1(config)#crypto ipsec transform-set ?
  WORD  Transform set tag
R1(config)#crypto ipsec transform-set R1 ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  comp-lzs      IP Compression using the LZS compression algorithm
  esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)
  esp-aes       ESP transform using AES cipher
  esp-des       ESP transform using DES cipher (56 bits)
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-null      ESP transform w/o cipher
  esp-seal      ESP transform using SEAL cipher (160 bits)
  esp-sha-hmac  ESP transform using HMAC-SHA auth
R1(config)#crypto ipsec transform-set R1 esp-3des ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  comp-lzs      IP Compression using the LZS compression algorithm
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-sha-hmac  ESP transform using HMAC-SHA auth
R1(config)#crypto ipsec transform-set R1 esp-3des esp-md5-hmac ?
  ah-md5-hmac  AH-HMAC-MD5 transform
  ah-sha-hmac  AH-HMAC-SHA transform
  comp-lzs     IP Compression using the LZS compression algorithm
R1(config)#crypto ipsec transform-set R1 esp-3des esp-md5-hmac
R1(cfg-crypto-trans)#?
Crypto transform configuration commands:
  default  Set a command to its defaults
  exit     Exit from crypto transform configuration mode
  mode     encapsulation mode (transport/tunnel)
  no       Negate a command or set its defaults
R1(cfg-crypto-trans)#mode ?
  transport  transport (payload encapsulation) mode
  tunnel     tunnel (datagram encapsulation) mode
R1(cfg-crypto-trans)#mode tunnel
R1(config)#crypt
R1(config)#crypto map ?
  WORD  Crypto map tag
R1(config)#crypto map R1 ?
  <1-65535>       Sequence to insert into crypto map entry
  client          Specify client configuration settings
  isakmp          Specify isakmp configuration settings
  isakmp-profile  Specify isakmp profile to use
  local-address   Interface to use for local address for this crypto map
  redundancy      High availability options for this map
R1(config)#crypto map R1 1 ?
  ipsec-isakmp  IPSEC w/ISAKMP
  ipsec-manual  IPSEC w/manual keying
R1(config)#crypto map R1 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
R1(config-crypto-map)#?
Crypto Map configuration commands:
  default        Set a command to its defaults
  description    Description of the crypto map statement policy
  dialer         Dialer related commands
  exit           Exit from crypto map configuration mode
  match          Match values.
  no             Negate a command or set its defaults
  qos            Quality of Service related commands
  reverse-route  Reverse Route Injection.
  set            Set values for encryption/decryption
R1(config-crypto-map)#set peer 13.1.1.1
R1(config-crypto-map)#set transform-set R1
R1(config-crypto-map)#match address 101
R1(config)#access-list 101 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
R1(config)#int s0/1
R1(config-if)#crypto map R1
*Mar 1 00:26:20.283: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

The same basic configuration on R2:
R2(config)#crypto isakmp policy 1                        // create the security policy for the VPN tunnel
R2(config-isakmp)#authentication pre-share               // authentication method for the VPN security policy
R2(config-isakmp)#lifetime 500                           // lifetime of the VPN tunnel connection
R2(config)#crypto isakmp key 0 yyfsb address 14.1.1.1    // set the peer address and the shared key
R2(config)#crypto ipsec transform-set R2 esp-3des esp-md5-hmac    // set the encryption method for tunnel data
R2(cfg-crypto-trans)#mode tunnel                         // set tunnel mode
R2(config)#crypto map R2 1 ipsec-isakmp                  // create the crypto map for the tunnel traffic
R2(config-crypto-map)#set peer 14.1.1.1                  // set the peer VPN address
R2(config-crypto-map)#set transform-set R2               // bind the transform set to the map
R2(config-crypto-map)#match address 100                  // match the access list describing the peer traffic that needs access
R2(config)#access-list 100 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255    // the matching access list
R2(config)#int s0/0                                      // apply the VPN to the outside interface
R2(config-if)#crypto map R2
The main purpose of adding PAT is to separate the datagrams that must go through the tunnel from those that do not. Configuring PAT on R1:
R1(config)#access-list 102 deny ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255    // the access list that makes the distinction: traffic going through the tunnel is not translated
R1(config)#access-list 102 permit ip 10.1.1.0 0.0.0.255 any    // traffic not going through the tunnel is translated
R1(config)#ip nat inside ?
  destination  Destination address translation
  source       Source address translation
R1(config)#ip nat inside source ?
  list       Specify access list describing local addresses
  route-map  Specify route-map
  static     Specify static local->global mapping
R1(config)#ip nat inside source list 102 ?
  interface  Specify interface for global address
  pool       Name pool of global addresses
R1(config)#ip nat inside source list 102 pool ?
  WORD  Pool name for global addresses
R1(config)#ip nat inside source list 102 int s0/0    // apply the access list to the outside interface so it takes effect
*Mar 1 00:37:24.039: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
R1(config)#int s0/0           // enable PAT on the outside interface
R1(config-if)#ip nat outside
R1(config)#int loopback0      // enable PAT on the inside interface
R1(config-if)#ip nat inside
The same PAT configuration is needed on R2:
R1(config)#access-list 103 deny ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
R1(config)#access-list 103 permit ip 172.16.1.0 0.0.0.255 any
R1(config)#ip nat inside source list 103 int s0/0    // apply the access list to the outside interface so it takes effect
R1(config)#int s0/0
R1(config-if)#ip nat outside
R1(config)#int loopback0
R1(config-if)#ip nat inside
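As an added example (not part of the original writeup), a small Python checker that reads the relevant lines from both routers and verifies what this procedure depends on: the transform set uses no legacy DES/3DES/MD5 transforms, the NAT-exemption deny entries are identical to the crypto ACL, and the peer's crypto ACL is the mirror image of ours. Run over the R1 and R2 lines given above (embedded inline, prompts removed), it reports that R2's ACL 100 is not the mirror of R1's ACL 101 and that R2's NAT exemption does not match its crypto ACL; the function names are my own.

```python
import re
# Transforms to flag as legacy (DES/3DES, MD5, SEAL, null encryption).
WEAK = {"esp-des", "esp-3des", "esp-null", "esp-seal", "esp-md5-hmac", "ah-md5-hmac"}
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) ip (\S+) (\S+) (\S+)(?: (\S+))?$")
def parse(config):
    # Collect ACL entries, transform names, and the ACLs used by the crypto map and NAT.
    info = {"acls": {}, "transforms": set(), "crypto_acl": None, "nat_acl": None}
    for line in (raw.strip() for raw in config.splitlines()):
        m = ACL_RE.match(line)
        if m:
            num, action, src, smask, dst, dmask = m.groups()
            info["acls"].setdefault(num, []).append((action, src, smask, dst, dmask or ""))
        elif line.startswith("crypto ipsec transform-set"):
            info["transforms"].update(line.split()[4:])
        elif line.startswith("match address"):
            info["crypto_acl"] = line.split()[2]
        elif line.startswith("ip nat inside source list"):
            info["nat_acl"] = line.split()[5]
    return info

def flows(info, acl, action):
    # (src, smask, dst, dmask) tuples with the given action in one ACL.
    return {e[1:] for e in info["acls"].get(acl, []) if e[0] == action}

def audit(config):
    # One router: legacy transforms, and NAT-exempt denies that differ from the crypto ACL.
    info = parse(config)
    findings = [f"legacy transform {t}" for t in sorted(info["transforms"] & WEAK)]
    if flows(info, info["crypto_acl"], "permit") != flows(info, info["nat_acl"], "deny"):
        findings.append("NAT exemption does not match crypto ACL")
    return findings

def mirrored(cfg_a, cfg_b):
    # Both peers: B's crypto ACL must equal A's with source and destination swapped.
    a, b = parse(cfg_a), parse(cfg_b)
    swapped = {(d, dm, s, sm) for s, sm, d, dm in flows(a, a["crypto_acl"], "permit")}
    return swapped == flows(b, b["crypto_acl"], "permit")
# Constructed from the R1 and R2 lines in this writeup, prompts removed.
R1 = """crypto ipsec transform-set R1 esp-3des esp-md5-hmac
match address 101
access-list 101 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 102 deny ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
ip nat inside source list 102 int s0/0"""
R2 = """crypto ipsec transform-set R2 esp-3des esp-md5-hmac
match address 100
access-list 100 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 103 deny ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 103 permit ip 172.16.1.0 0.0.0.255 any
ip nat inside source list 103 int s0/0"""
```

Calling audit(R1), audit(R2) and mirrored(R1, R2) shows the findings; swapping source and destination in R2's ACL 100 makes mirrored() true and clears R2's NAT-exemption finding.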