L2L VPN Project Practice

Lab Topology

(The topology diagram itself is not included; the layout below is reconstructed from the configuration that follows.)
R1 (10.1.12.0/24) -- f0/0 R2 f1/0 (100.1.23.2) -- R3, the "Internet" (3.3.3.3/32) -- (100.1.34.4) f0/0 R4 f1/0 -- R5 (10.1.45.0/24)

Lab Steps

1. Configure IP addresses according to the topology and verify that every directly connected pair of interfaces can reach each other;

2. Configure NAT on R2 and R4 and default routes on R1 and R5, so that R1 and R5 can reach the Internet host R3 (3.3.3.3/32);
R2:
ip access-list extended NAT
permit ip 10.1.12.0 0.0.0.255 any
interface f0/0
ip nat inside
interface f1/0
ip nat outside
ip nat inside source list NAT interface f1/0 overload

R4:
ip access-list extended NAT
permit ip 10.1.45.0 0.0.0.255 any
interface f1/0
ip nat inside
interface f0/0
ip nat outside
ip nat inside source list NAT interface f0/0 overload

R1:
ip route 0.0.0.0 0.0.0.0 10.1.12.2

R5:
ip route 0.0.0.0 0.0.0.0 10.1.45.4

3. Configure the IPsec VPN on R2 and R4 with the pre-shared key pinginglab;
R2:
crypto isakmp policy 1
encryption 3des
authentication pre-share
group 2
hash sha
crypto isakmp key 0 pinginglab address 100.1.34.4
! the transform-set name must match the one referenced by the crypto map (l2ltrans, not I2ltrans)
crypto ipsec transform-set l2ltrans esp-3des esp-sha-hmac
ip access-list extended l2lacl
permit ip 10.1.12.0 0.0.0.255 10.1.45.0 0.0.0.255
crypto map l2lmap 1 ipsec-isakmp
set peer 100.1.34.4
set transform-set l2ltrans
match address l2lacl
interface f1/0
crypto map l2lmap

R4:
crypto isakmp policy 1
encryption 3des
authentication pre-share
group 2
hash sha
crypto isakmp key 0 pinginglab address 100.1.23.2
! the transform-set name must match the one referenced by the crypto map (l2ltrans, not I2ltrans)
crypto ipsec transform-set l2ltrans esp-3des esp-sha-hmac
ip access-list extended l2lacl
permit ip 10.1.45.0 0.0.0.255 10.1.12.0 0.0.0.255
crypto map l2lmap 1 ipsec-isakmp
set peer 100.1.23.2
set transform-set l2ltrans
match address l2lacl
interface f0/0
crypto map l2lmap

R4 (NAT exemption: traffic for the remote LAN must bypass NAT, otherwise its source is translated to the public address and it no longer matches the crypto ACL; the deny must precede the permit):
ip access-list extended NAT
5 deny ip 10.1.45.0 0.0.0.255 10.1.12.0 0.0.0.255
10 permit ip 10.1.45.0 0.0.0.255 any

R2 needs the mirror-image deny entry (10.1.12.0/24 to 10.1.45.0/24) inserted ahead of its own permit in the same way.
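The two mistakes that most often leave an L2L tunnel silently down are exactly the ones this lab trips over: a transform-set name that does not match the one the crypto map references, and a NAT ACL that translates the VPN traffic before the crypto ACL can see it. The script below is an added example (not part of the original lab) that parses constructed copies of the R2 and R4 lines from steps 2 and 3 with a minimal line-oriented parser and checks the cross-references: transform-set name, ISAKMP peer versus crypto-map peer, mirrored crypto ACLs, and a NAT exemption that exists and precedes the permit. The ACL name NAT and the router configurations are taken from the lab; the parser and check names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed copies of the relevant R2 and R4 lines from this lab. Both sides use the
# corrected transform-set name (l2ltrans) and carry the NAT exemption ahead of the permit.
R2_CONFIG = """
crypto isakmp key 0 pinginglab address 100.1.34.4
crypto ipsec transform-set l2ltrans esp-3des esp-sha-hmac
ip access-list extended l2lacl
permit ip 10.1.12.0 0.0.0.255 10.1.45.0 0.0.0.255
ip access-list extended NAT
5 deny ip 10.1.12.0 0.0.0.255 10.1.45.0 0.0.0.255
10 permit ip 10.1.12.0 0.0.0.255 any
crypto map l2lmap 1 ipsec-isakmp
set peer 100.1.34.4
set transform-set l2ltrans
match address l2lacl
interface f1/0
crypto map l2lmap
"""
R4_CONFIG = """
crypto isakmp key 0 pinginglab address 100.1.23.2
crypto ipsec transform-set l2ltrans esp-3des esp-sha-hmac
ip access-list extended l2lacl
permit ip 10.1.45.0 0.0.0.255 10.1.12.0 0.0.0.255
ip access-list extended NAT
5 deny ip 10.1.45.0 0.0.0.255 10.1.12.0 0.0.0.255
10 permit ip 10.1.45.0 0.0.0.255 any
crypto map l2lmap 1 ipsec-isakmp
set peer 100.1.23.2
set transform-set l2ltrans
match address l2lacl
interface f0/0
crypto map l2lmap
"""

# One access-list entry as written: (action, "addr wildcard" or "any", "addr wildcard" or "any")
Entry = Tuple[str, str, str]
ACE_RE = re.compile(r"(?:\d+\s+)?(permit|deny)\s+ip\s+(\S+\s+\S+|any)\s+(\S+\s+\S+|any)\s*$")


@dataclass
class RouterConfig:
    isakmp_peer: Optional[str] = None
    transform_sets: Set[str] = field(default_factory=set)
    acls: Dict[str, List[Entry]] = field(default_factory=dict)
    map_peer: Optional[str] = None
    map_transform: Optional[str] = None
    map_acl: Optional[str] = None


def parse_config(text: str) -> RouterConfig:
    """Minimal parser for just the IOS commands used in this lab (hypothetical helper)."""
    cfg = RouterConfig()
    acl = None      # name of the ACL whose entries are being read
    in_map = False  # inside 'crypto map ... ipsec-isakmp'
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(("interface ", "crypto ", "ip ")):
            acl, in_map = None, False  # each of these opens a new top-level section
        if m := re.match(r"crypto isakmp key \S+ \S+ address (\S+)", line):
            cfg.isakmp_peer = m.group(1)
        elif m := re.match(r"crypto ipsec transform-set (\S+)", line):
            cfg.transform_sets.add(m.group(1))
        elif m := re.match(r"ip access-list extended (\S+)", line):
            acl = m.group(1)
            cfg.acls.setdefault(acl, [])
        elif re.match(r"crypto map \S+ \d+ ipsec-isakmp", line):
            in_map = True
        elif acl and (m := ACE_RE.match(line)):
            cfg.acls[acl].append((m.group(1), m.group(2), m.group(3)))
        elif in_map and (m := re.match(r"set peer (\S+)", line)):
            cfg.map_peer = m.group(1)
        elif in_map and (m := re.match(r"set transform-set (\S+)", line)):
            cfg.map_transform = m.group(1)
        elif in_map and (m := re.match(r"match address (\S+)", line)):
            cfg.map_acl = m.group(1)
    return cfg


def check_site(local: RouterConfig, remote: RouterConfig, nat_acl: str = "NAT") -> List[str]:
    """Return the cross-reference mistakes that break an L2L tunnel; an empty list means OK."""
    problems = []
    if local.map_transform not in local.transform_sets:
        problems.append(f"crypto map references undefined transform-set {local.map_transform!r}")
    if local.isakmp_peer != local.map_peer:
        problems.append(f"isakmp key address {local.isakmp_peer} differs from set peer {local.map_peer}")
    crypto = [e for e in local.acls.get(local.map_acl, []) if e[0] == "permit"]
    if not crypto:
        problems.append(f"crypto ACL {local.map_acl!r} has no permit entries")
    remote_crypto = {(s, d) for a, s, d in remote.acls.get(remote.map_acl, []) if a == "permit"}
    nat = local.acls.get(nat_acl, [])
    for _, src, dst in crypto:
        if (dst, src) not in remote_crypto:
            problems.append(f"crypto ACL entry {src} -> {dst} is not mirrored on the peer")
        deny_at = next((i for i, e in enumerate(nat) if e == ("deny", src, dst)), None)
        permit_at = next((i for i, e in enumerate(nat) if e[0] == "permit" and e[1] == src), None)
        if deny_at is None:
            problems.append(f"NAT ACL does not exempt {src} -> {dst}; VPN traffic would be translated")
        elif permit_at is not None and permit_at < deny_at:
            problems.append(f"NAT exemption for {src} -> {dst} sits after the permit and is never reached")
    return problems


if __name__ == "__main__":
    r2, r4 = parse_config(R2_CONFIG), parse_config(R4_CONFIG)
    for name, local, remote in (("R2", r2, r4), ("R4", r4, r2)):
        print(name, check_site(local, remote) or "OK")
```

Reintroducing either of the lab's original slips (the I2ltrans spelling, or a deny written in the R2 direction on R4) makes check_site report it, which is the point: both configurations are accepted by IOS without complaint and only show up as a tunnel that never comes up or as traffic that leaves in clear.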

4. Verify that R1 and R5 reach each other through the VPN, then capture on the Internet link with Wireshark and confirm that the traffic between them is carried as encrypted ESP.
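What the Wireshark capture in step 4 should show is outer IPv4 headers between the two public addresses with protocol 50 (ESP), an 8-byte ESP header (SPI and sequence number) in clear, and nothing else readable: the inner 10.1.12.x/10.1.45.x addresses and the payload are inside the ciphertext. The following added example (not part of the lab) builds a constructed packet in that shape, with a fixed byte string standing in for the 3DES output rather than a real capture, and parses out exactly the fields an observer on the R2-R3-R4 path can read. The function names, the SPI and sequence values, and the stand-in ciphertext are this example's own assumptions.

```python
import socket
import struct

ESP_PROTOCOL = 50  # IP protocol number in the outer header of an IPsec ESP packet

# Constructed stand-in for the encrypted ESP body; a real capture would hold 3DES output.
CIPHERTEXT_STANDIN = bytes(range(0x20, 0x60))


def build_esp_packet(src: str, dst: str, spi: int, seq: int, ciphertext: bytes) -> bytes:
    """Outer IPv4 header (checksum left at 0) + ESP header + opaque body. Constructed sample."""
    total_len = 20 + 8 + len(ciphertext)
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, ESP_PROTOCOL, 0,
                           socket.inet_aton(src), socket.inet_aton(dst))
    return outer_ip + struct.pack("!II", spi, seq) + ciphertext


def parse_esp_packet(pkt: bytes) -> dict:
    """Return only what an observer on the Internet link can read without the SA keys."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != ESP_PROTOCOL:
        raise ValueError("not an IPv4 ESP packet")  # e.g. NATed traffic to R3 is ICMP/TCP, not ESP
    spi, seq = struct.unpack("!II", pkt[ihl:ihl + 8])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "protocol": proto,
            "spi": spi, "seq": seq, "encrypted_bytes": total_len - ihl - 8}


def inner_addresses_visible(pkt: bytes, inner_src: str, inner_dst: str) -> bool:
    """True if either private LAN address appears in clear anywhere in the packet bytes."""
    return socket.inet_aton(inner_src) in pkt or socket.inet_aton(inner_dst) in pkt


if __name__ == "__main__":
    # R2 -> R4 on the Internet link; the R1 -> R5 packet inside is invisible
    pkt = build_esp_packet("100.1.23.2", "100.1.34.4", 0x1A2B3C4D, 7, CIPHERTEXT_STANDIN)
    print(parse_esp_packet(pkt))
    print("inner addresses visible:", inner_addresses_visible(pkt, "10.1.12.1", "10.1.45.5"))
```

If the capture instead shows packets from 100.1.23.2 that are not protocol 50 but carry R5's destination address, the NAT exemption from step 3 is missing and the traffic is being translated instead of encrypted, which parse_esp_packet flags by refusing the packet.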