Note: this lab simply builds a site-to-site VPN on real hardware.
Only the show run of RO_D is included; RO_C's was accidentally wiped, but the two sides are nearly identical!
Most of the VPN settings were already explained in the previous post, so only a few details are added here.
Lab requirements:
1. Site-to-site VPN settings
ISAKMP
Encryption: AES
Authentication: PSK (key: CISCO)
DH Group: 5
Hash: SHA
Lifetime: 12 hr
IPSec
Encryption: 3DES
Authentication: MD5
Mode: Tunnel
Lifetime: 12 hr or 100 MB of data
RO_D show run:
RO_D#sh run
Building configuration...
Current configuration : 1399 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RO_D
!
boot-start-marker
boot-end-marker
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
VPN section
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
lifetime 43200
crypto isakmp key CISCO address 10.140.3.2
!
crypto ipsec security-association lifetime kilobytes 102400
Once the VPN is up, the SA is renegotiated as soon as traffic exceeds 102400 KB (100 MB)
crypto ipsec security-association lifetime seconds 43200
Once the VPN is up, the SA is renegotiated as soon as 43200 seconds (12 hours) have elapsed
Meeting either one of the two conditions triggers renegotiation
!
crypto ipsec transform-set 3DES_SHA esp-3des esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
set peer 10.140.3.2
set transform-set 3DES_SHA
match address 101
!
Interface section
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0
ip address 10.140.4.2 255.255.255.0
crypto map VPN
Binds the crypto map VPN to the interface
!
interface FastEthernet0/1
ip address 192.168.104.254 255.255.255.0
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
!
Routing section
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.140.4.1
!
no ip http server
no ip http secure-server
!
ACL section
access-list 101 permit ip 192.168.104.0 0.0.0.255 192.168.103.0 0.0.0.255
ACL 101 is bound to the VPN (referenced by the crypto map's match address 101)
!
control-plane
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login
!
end
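As an added example (not part of the original post), here is a small Python audit script that parses the crypto section of the RO_D running-config above and compares it with the lab requirements listed at the top; on this config it flags that the transform set uses esp-sha-hmac while the requirement calls for MD5. The sample config string is reconstructed from the page with IOS-style indentation.

```python
import re

# Constructed sample: crypto and interface lines from the RO_D show run above, re-indented as IOS prints them.
RO_D_CONFIG = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
 lifetime 43200
crypto ipsec security-association lifetime kilobytes 102400
crypto ipsec security-association lifetime seconds 43200
crypto ipsec transform-set 3DES_SHA esp-3des esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 10.140.3.2
 set transform-set 3DES_SHA
 match address 101
interface Serial0/0
 ip address 10.140.4.2 255.255.255.0
 crypto map VPN
"""

# The lab requirements from the top of the page as IOS keywords (IPsec MD5 => esp-md5-hmac).
REQUIRED = {"isakmp_encr": "aes", "isakmp_authentication": "pre-share", "isakmp_group": "5",
            "isakmp_lifetime": "43200", "ipsec_cipher": "esp-3des", "ipsec_hash": "esp-md5-hmac",
            "ipsec_lifetime_seconds": "43200", "ipsec_lifetime_kilobytes": "102400"}

def parse_crypto(config):
    # Pull the VPN-relevant settings out of an IOS running-config into a flat dict.
    found, section = {}, ""
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level command opens a new section
            section = line
            if m := re.match(r"crypto ipsec security-association lifetime (seconds|kilobytes) (\d+)", line):
                found["ipsec_lifetime_" + m.group(1)] = m.group(2)
            if m := re.match(r"crypto ipsec transform-set \S+ (\S+) (\S+)", line):
                found["ipsec_cipher"], found["ipsec_hash"] = m.groups()
        elif section.startswith("crypto isakmp policy"):  # encr / authentication / group / lifetime
            key, _, val = line.partition(" ")
            found["isakmp_" + key] = val
        elif section.startswith("interface") and line.startswith("crypto map "):
            found["crypto_map_interface"] = section.split()[1]  # e.g. Serial0/0
    return found

def audit(config, required=REQUIRED):
    # Return the deviations from the lab spec; an empty list means the config matches.
    found = parse_crypto(config)
    problems = [f"{k}: expected {v}, found {found.get(k)}" for k, v in required.items() if found.get(k) != v]
    if "crypto_map_interface" not in found:
        problems.append("crypto map is not applied to any interface")
    return problems
```

Running audit(RO_D_CONFIG) reports only the IPsec hash mismatch; pasting in RO_C's show run (with the peer and networks swapped) checks that side the same way.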