IPsec VPN configuration lab on H3C devices in the HCL simulator

IPsec VPN Experiment

Experimental topology

Figure 1-1

Note: Unless otherwise specified, R1 or SW1 in the description refers to the device whose name ends in 1 in the topology, R2 or SW2 to the device whose name ends in 2, and so on. Within the same network segment, the host part of an IP address is the device number: for example, if the g0/0 interface of R3 is in the 192.168.1.0/24 segment, its IP address is 192.168.1.3/24, and so on.


Experimental requirements

  1. Configure the IP addresses as shown in the figure
  2. Configure default routes on R1 and R3 towards the public network
  3. Configure IPsec VPN on R1 and R3 so that the private networks at both ends can reach each other

Experimental solution

  1. IP address configuration

  2. Default route configuration (omitted)

  3. Configure IPsec VPN on R1 and R3 so that the private networks at both ends can reach each other

    Step 1: On R1, define the traffic of interest with an advanced ACL that matches the private network segments at both ends

    [R1]acl advanced 3000
    [R1-acl-ipv4-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255


    Step 2: Create an IKE proposal on R1, set the authentication method to pre-shared key, and configure the encryption algorithm

    [R1]ike proposal 1
    [R1-ike-proposal-1]authentication-method pre-share
    [R1-ike-proposal-1]encryption-algorithm aes-cbc-128


    Step 3: Create an IKE keychain on R1 holding the pre-shared key for the peer

    [R1]ike keychain r3
    [R1-ike-keychain-r3]pre-shared-key address 100.2.2.3 key simple 123456


    Step 4: Create an IKE profile on R1, specify the local and peer public addresses, and reference the keychain and the IKE proposal

    [R1]ike profile r3
    [R1-ike-profile-r3]keychain r3
    [R1-ike-profile-r3]local-identity address 100.1.1.1
    [R1-ike-profile-r3]match remote identity address 100.2.2.3
    [R1-ike-profile-r3]proposal 1


    Step 5: Create an IPsec transform set on R1 and configure the ESP encryption and authentication algorithms. The default encapsulation mode is tunnel mode and the default security protocol is ESP, so neither needs to be configured explicitly

    [R1]ipsec transform-set r3
    [R1-ipsec-transform-set-r3]esp authentication-algorithm sha1
    [R1-ipsec-transform-set-r3]esp encryption-algorithm aes-cbc-128


    Step 6: Create an IKE-negotiated IPsec policy on R1 that references the ACL, IKE profile and transform set above

    [R1]ipsec policy r3 1 isakmp
    [R1-ipsec-policy-isakmp-r3-1]security acl 3000
    [R1-ipsec-policy-isakmp-r3-1]ike-profile r3
    [R1-ipsec-policy-isakmp-r3-1]transform-set r3
    [R1-ipsec-policy-isakmp-r3-1]remote-address 100.2.2.3


    Step 7: Apply the IPsec policy to the public-network interface of R1

    [R1]interface GigabitEthernet 0/0
    [R1-GigabitEthernet0/0]ipsec apply policy r3


    Step 8: Complete the corresponding IPsec configuration on R3. The method and commands are the same as on R1; only the local and peer addresses are swapped
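    To make the "swap the addresses" rule of Step 8 concrete, here is an added example (not part of the original post): R1's parameters as a small table, the mirrored set R3 must use, a check that reports any mismatch between the two ends (the usual reason an IKE/IPsec tunnel never comes up), and a renderer that emits the Step 1-6 command sequence for either router. Dict keys and function names are this example's own; the addresses, key and algorithms are the lab's values.

```python
# Added example, not part of the original post: one router's parameter set,
# the mirror its peer must use, and a renderer for the command sequence above.
# Dict keys and function names are this example's own; values are the lab's.
R1 = {
    "local": "100.1.1.1", "peer": "100.2.2.3",
    "acl_src": "192.168.1.0 0.0.0.255", "acl_dst": "192.168.2.0 0.0.0.255",
    "psk": "123456",  # the lab's pre-shared key, configured with 'key simple' above
    "ike": {"authentication-method": "pre-share", "encryption-algorithm": "aes-cbc-128"},
    "esp": {"authentication-algorithm": "sha1", "encryption-algorithm": "aes-cbc-128"},
}

def mirror_of(cfg):
    """Parameters the peer must use: addresses and the ACL direction swap;
    PSK, IKE proposal and transform set must stay identical."""
    return {"local": cfg["peer"], "peer": cfg["local"],
            "acl_src": cfg["acl_dst"], "acl_dst": cfg["acl_src"],
            "psk": cfg["psk"], "ike": dict(cfg["ike"]), "esp": dict(cfg["esp"])}

def check_mirror(a, b):
    """Return mismatches between b and the mirror of a (empty list: consistent)."""
    want, problems = mirror_of(a), []
    for key in ("local", "peer", "acl_src", "acl_dst", "psk"):
        if b.get(key) != want[key]:
            problems.append(f"{key}: expected {want[key]}, got {b.get(key)}")
    for sect in ("ike", "esp"):
        for k, v in want[sect].items():
            got = b.get(sect, {}).get(k)
            if got != v:
                problems.append(f"{sect} {k}: expected {v}, got {got}")
    return problems

def render(cfg, peer_name, acl=3000, tag=1):
    """Emit Steps 1-6 for one router as system-view commands (one per line)."""
    n = peer_name.lower()
    lines = [f"acl advanced {acl}",
             f" rule permit ip source {cfg['acl_src']} destination {cfg['acl_dst']}",
             f"ike proposal {tag}"]
    lines += [f" {k} {v}" for k, v in cfg["ike"].items()]
    lines += [f"ike keychain {n}",
              f" pre-shared-key address {cfg['peer']} key simple {cfg['psk']}",
              f"ike profile {n}", f" keychain {n}",
              f" local-identity address {cfg['local']}",
              f" match remote identity address {cfg['peer']}", f" proposal {tag}",
              f"ipsec transform-set {n}"]
    lines += [f" esp {k} {v}" for k, v in cfg["esp"].items()]
    lines += [f"ipsec policy {n} {tag} isakmp", f" security acl {acl}",
              f" ike-profile {n}", f" transform-set {n}", f" remote-address {cfg['peer']}"]
    return lines

R3 = mirror_of(R1)  # R3's side: exactly the swap Step 8 describes
```

    `print("\n".join(render(R3, "R1")))` prints R3's command sequence, and `check_mirror(R1, R3)` returns an empty list; change one algorithm or the ACL direction on either side and the returned list names the mismatch.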

    Verification: ping PC5 from PC4; the ping succeeds directly

    <PC4>ping 192.168.2.5
    Ping 192.168.2.5 (192.168.2.5): 56 data bytes, press CTRL_C to break
    56 bytes from 192.168.2.5: icmp_seq=0 ttl=253 time=26.000 ms
    56 bytes from 192.168.2.5: icmp_seq=1 ttl=253 time=29.000 ms
    56 bytes from 192.168.2.5: icmp_seq=2 ttl=253 time=34.000 ms
    56 bytes from 192.168.2.5: icmp_seq=3 ttl=253 time=52.000 ms
    56 bytes from 192.168.2.5: icmp_seq=4 ttl=253 time=25.000 ms


Source: blog.csdn.net/WANGMH13/article/details/126103774