从概念上讲,IP-VPN是运营商(即服务提供者)支持企业用户应用的方案。一个通用的方法可以适用于由一个运营商来支持的、涉及其他运营商网络的情况(如运营商的运营商)。
IP sec的VPN考配置
左边的router:
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key cisco123 address 202.96.15.88
!
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
!
crypto map rtp 1 ipsec-isakmp
set peer 202.96.15.88
set transform-set rtpset
match address 102
!
interface Ethernet0/0
ip address 192.168.1.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
interface Ethernet0/1
ip address 61.153.158.44 255.255.255.0
no ip directed-broadcast
ip nat outside
no ip route-cache
no ip mroute-cache
crypto map rtp
ip nat inside source route-map nonat interface Ethernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 61.153.158.4x(网关)
no ip http server
access-list 101deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
route-map nonat permit 10
match ip address 102
右边的router:
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key cisco123 address 61.153.158.44
!
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
!
crypto map rtp 1 ipsec-isakmp
set peer 61.153.158.44
set transform-set rtpset
match address 102
!
interface Ethernet0/0
ip address 192.168.2.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
interface Ethernet0/1
ip address 202.96.15.88 255.255.255.0
no ip directed-broadcast
ip nat outside
no ip route-cache
no ip mroute-cache
crypto map rtp
ip nat inside source route-map nonat interface Ethernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 202.96.15.8x(网关)
no ip http server
access-list 101deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
a