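Multi-site VPN configuration
Multi-site VPN topology diagram:
Lab objective:
Enable client1 and client2 to both reach server1 through IPsec VPN tunnels.
Configuration steps:
1. IP address configuration: (the middle router is the carrier's (ISP) router, so it only needs IP addresses configured)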
R1>en
R1#conf t
R1(config)#no ip domain lookup
R1(config)#inter g0/1
R1(config-if)#no shutdown
R1(config-if)#ip address 100.0.0.1 255.255.255.0
R1(config-if)#inter g0/0
R1(config-if)#no shutdown
R1(config-if)#ip address 192.168.1.254 255.255.255.0
ISP>EN
ISP#CONF T
ISP(config)#no ip domain lookup
ISP(config)#inter g0/0
ISP(config-if)#ip address 100.0.0.254 255.255.255.0
ISP(config-if)#no shutdown
ISP(config-if)#inter g0/1
ISP(config-if)#no shut
ISP(config-if)#ip address 120.0.0.254 255.255.255.0
ISP(config-if)#inter g0/2
ISP(config-if)#no shutdown
ISP(config-if)#ip address 130.0.0.254 255.255.255.0
R2>en
R2#conf t
R2(config)#no ip domain lookup
R2(config)#inter g0/0
R2(config-if)#no shutdown
R2(config-if)#ip address 120.0.0.1 255.255.255.0
R2(config-if)#inter g0/1
R2(config-if)#no shutdown
R2(config-if)#ip address 192.168.2.254 255.255.255.0
R3>en
R3#conf t
R3(config)#no ip domain-lookup
R3(config)#inter g0/0
R3(config-if)#no shutdown
R3(config-if)#ip address 130.0.0.1 255.255.255.0
R3(config-if)#inter g0/1
R3(config-if)#no shutdown
R3(config-if)#ip address 192.168.3.254 255.255.255.0
2. Configure the VPN tunnels:
R1(config)#ip route 0.0.0.0 0.0.0.0 100.0.0.254
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#hash sha
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#exit
R1(config)#crypto isakmp key hahui address 120.0.0.1
R1(config)#access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
R1(config)#crypto ipsec transform-set hh-set esp-des esp-sha-hmac
R1(config)#crypto map hh-map 1 ipsec-isakmp
R1(config-crypto-map)#set peer 120.0.0.1
R1(config-crypto-map)#set transform-set hh-set
R1(config-crypto-map)#match address 120
R1(config-crypto-map)#exit
R1(config)#inter g0/1
R1(config-if)#crypto map hh-map
The configuration above is the VPN tunnel from client1 to client2.
R1(config)#crypto isakmp key huihui address 130.0.0.1
R1(config)#access-list 130 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
R1(config)#crypto map hh-map 2 ipsec-isakmp
R1(config-crypto-map)#set peer 130.0.0.1
R1(config-crypto-map)#set transform-set hh-set
R1(config-crypto-map)#match address 130
R2(config)#ip route 0.0.0.0 0.0.0.0 120.0.0.254
R2(config)#crypto isakmp policy 1
R2(config-isakmp)#encryption 3des
R2(config-isakmp)#hash sha
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#group 2
R2(config-isakmp)#exit
R2(config)#crypto isakmp key hahui address 100.0.0.1
R2(config)#access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
R2(config)#crypto ipsec transform-set hh-set esp-des esp-sha-hmac
R2(config)#crypto map hh-map 1 ipsec-isakmp
R2(config-crypto-map)#set peer 100.0.0.1
R2(config-crypto-map)#set transform-set hh-set
R2(config-crypto-map)#match address 120
R2(config-crypto-map)#exit
R2(config)#interface g0/0
R2(config-if)#crypto map hh-map
R3(config)#ip route 0.0.0.0 0.0.0.0 130.0.0.254
R3(config)#crypto isakmp policy 1
R3(config-isakmp)#encryption 3des
R3(config-isakmp)#hash sha
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#group 2
R3(config-isakmp)#exit
R3(config)#crypto isakmp key huihui address 100.0.0.1
R3(config)#access-list 130 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
R3(config)#crypto ipsec transform-set hh-set esp-des esp-sha-hmac
R3(config)#crypto map hh-map 2 ipsec-isakmp
R3(config-crypto-map)#set peer 100.0.0.1
R3(config-crypto-map)#set transform-set hh-set
R3(config-crypto-map)#match address 130
R3(config-crypto-map)#exit
R3(config)#inter g0/0
R3(config-if)#crypto map hh-map
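A tunnel from step 2 only comes up when both ends agree: each router needs a pre-shared key for the other's WAN address, a crypto map entry pointing back at it, and a crypto ACL that is the mirror image of the peer's. The Python check below is an added example, not part of the original post, that compares those three items across router configs. The names parse, check and SAMPLE are made up for illustration, and it assumes each config is supplied as text keyed by that router's WAN address.

```python
import re

def parse(cfg):
    """Pull PSKs, crypto ACLs and crypto map entries out of IOS config text."""
    keys, acls, entries = {}, {}, []
    for line in cfg.splitlines():
        line = line.split("#", 1)[-1].strip()  # drop an "R1(config)#" style prompt
        if m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
            keys[m[2]] = m[1]                  # peer address -> pre-shared key
        elif m := re.match(r"access-list (\d+) permit ip (\S+ \S+) (\S+ \S+)", line):
            acls[m[1]] = (m[2], m[3])          # ACL number -> (source, destination)
        elif re.match(r"crypto map \S+ \d+ ipsec-isakmp", line):
            entries.append({})
        elif entries and (m := re.match(r"(set peer|match address) (\S+)", line)):
            entries[-1][m[1]] = m[2]
    return keys, acls, entries

def check(routers):
    """routers maps WAN address -> config text; returns a list of mismatches."""
    parsed, problems = {ip: parse(c) for ip, c in routers.items()}, []
    for ip, (keys, acls, entries) in parsed.items():
        for e in entries:
            peer = e.get("set peer")
            if peer not in parsed:
                continue  # remote config not supplied, nothing to compare
            rkeys, racls, rentries = parsed[peer]
            back = next((r for r in rentries if r.get("set peer") == ip), None)
            if back is None:
                problems.append(f"{peer}: no crypto map entry pointing back at {ip}")
                continue
            if keys.get(peer) is None or keys.get(peer) != rkeys.get(ip):
                problems.append(f"{ip}->{peer}: pre-shared key missing or different")
            acl, racl = acls.get(e.get("match address")), racls.get(back.get("match address"))
            if acl is None or racl != acl[::-1]:
                problems.append(f"{ip}->{peer}: crypto ACLs are not mirror images")
    return problems

SAMPLE = {  # sample input: the page's R1-to-R2 tunnel commands, keyed by WAN address
    "100.0.0.1": """R1(config)#crypto isakmp key hahui address 120.0.0.1
R1(config)#access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
R1(config)#crypto map hh-map 1 ipsec-isakmp
R1(config-crypto-map)#set peer 120.0.0.1
R1(config-crypto-map)#match address 120""",
    "120.0.0.1": """R2(config)#crypto isakmp key hahui address 100.0.0.1
R2(config)#access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
R2(config)#crypto map hh-map 1 ipsec-isakmp
R2(config-crypto-map)#set peer 100.0.0.1
R2(config-crypto-map)#match address 120""",
}
```

check(SAMPLE) returns an empty list for the page's R1/R2 pair; any non-empty result names the router pair and the item that disagrees.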
Connectivity test:
Client1:
Client2:
Reposted from: https://blog.51cto.com/13555515/2070783