1. Lab topology
![](https://img.laitimes.com/img/_0nNw4CM6IyYiwiM6ICdiwiInBnauIDN5UkcCVjbCZ3dHFUQOh0THNVbTdUNYFTbvl2S39CX4QzLcNzNvwVMw00LcJDMzZWe39CXt92Yu8GdjFTNuMzcvw1LcpDc0RHaiojIsJye.jpg)
2. Basic network configuration
R1 configuration:
service dhcp
ip dhcp excluded-address 16.1.1.1
ip dhcp pool net16
network 16.1.1.0 255.255.255.0
default-router 16.1.1.1
interface FastEthernet0/0
ip address 12.1.1.1 255.255.255.0
interface FastEthernet1/0
ip address 13.1.1.1 255.255.255.0
interface FastEthernet2/0
ip address 16.1.1.1 255.255.255.0
R2 configuration:
interface FastEthernet0/0
ip address 12.1.1.2 255.255.255.0
ip address 172.16.1.254 255.255.255.0
ip route 0.0.0.0 0.0.0.0 12.1.1.1
R3 configuration:
ip address 13.1.1.3 255.255.255.0
ip address 192.168.1.254 255.255.255.0
ip route 0.0.0.0 0.0.0.0 13.1.1.1
R4 configuration:
ip address 172.16.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 172.16.1.254
R5 configuration:
ip address 192.168.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.1.254
R6 configuration:
ip address dhcp
ip address 10.1.1.254 255.255.255.0
ip route 0.0.0.0 0.0.0.0 16.1.1.1
R7 configuration:
ip address 10.1.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.1.1.254
3. IPSec Dynamic LAN-to-LAN VPN configuration
crypto keyring cisco
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp profile cisco
keyring cisco
match identity address 0.0.0.0
crypto ipsec transform-set cisco esp-3des esp-sha-hmac
crypto dynamic-map cisco 5
set transform-set cisco
set isakmp-profile cisco
crypto map cisco 10 ipsec-isakmp dynamic cisco
crypto map cisco
crypto isakmp key cisco address 12.1.1.2
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
crypto map cisco 1 ipsec-isakmp
set peer 12.1.1.2
match address 100
access-list 100 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
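
An added example, not part of the original post: a small Python check run over the dynamic-map side crypto lines at the start of section 3, flagging the legacy 3DES and DH group 2 choices, the wildcard 0.0.0.0 pre-shared key, and short keys. The `audit` function, the finding names and the thresholds are assumptions of this example.

```python
import re

# Crypto lines from the start of section 3 of the page, flattened as shown there.
HUB_CONFIG = """\
crypto keyring cisco
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp profile cisco
keyring cisco
match identity address 0.0.0.0
crypto ipsec transform-set cisco esp-3des esp-sha-hmac
"""

# Thresholds are assumptions of this example, not a vendor baseline.
WEAK_CIPHERS = {"des", "3des"}
WEAK_DH_GROUPS = {"1", "2", "5"}
MIN_PSK_LEN = 16
PSK = re.compile(r"^(?:pre-shared-key address (?P<a>\S+)(?: \S+)? key (?P<k>\S+)"
                 r"|crypto isakmp key (?P<k2>\S+) address (?P<a2>\S+))")

def audit(config):
    """Return (finding, line) pairs for legacy crypto and loose PSK scoping."""
    findings, section = [], ""
    for line in filter(None, (l.strip() for l in config.splitlines())):
        if line.startswith("crypto "):
            section = line  # sub-commands never start with "crypto"
        words = line.split()
        arg = words[1] if len(words) > 1 else ""
        if section.startswith("crypto isakmp policy"):
            if words[0] in ("encr", "encryption") and arg in WEAK_CIPHERS:
                findings.append(("weak-ike-cipher", line))
            if words[0] == "group" and arg in WEAK_DH_GROUPS:
                findings.append(("weak-dh-group", line))
        if line.startswith("crypto ipsec transform-set"):
            if {"esp-des", "esp-3des"} & set(words[4:]):
                findings.append(("weak-esp-cipher", line))
        if m := PSK.match(line):
            addr, key = m["a"] or m["a2"], m["k"] or m["k2"]
            if addr == "0.0.0.0":  # key accepted from any peer address
                findings.append(("wildcard-psk", line))
            if len(key) < MIN_PSK_LEN:
                findings.append(("short-psk", line))
    return findings
```

The wildcard key is what lets peers with DHCP-assigned addresses such as R6 connect, so that finding is a prompt to use a long random key (or certificates) rather than something to remove.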