GNS3 simulated Site-to-Site VPN Experiment

Source: Internet
Author: User

Simulate Site-to-Site VPN Experiment
First, the background of the experiment. Remote users want to use VPN technology to securely access internal servers at headquarters. The topology is as follows: three Cisco 2811 routers simulate the Internet, the corporate headquarters, and the corporate branch respectively. Server simulates the internal servers and Laptop simulates the remote users. For more information, see the red notes in the experiment and my VPN logs. A site-to-site VPN needs fewer configuration commands than a remote-access VPN, but the negotiation process between the two routers is the same.
Tutorial topology:

[Image: experiment topology diagram]

IP address planning is as follows:

[Image: IP address planning table]

The basic configurations of the experiment are as follows:
Internet router configuration:
interface FastEthernet0/0
 ip address 200.1.1.1 255.255.255.0
 no shutdown
interface FastEthernet0/1
 ip address 100.1.1.1 255.255.255.0
 no shutdown

ZongBu router configuration:
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 no shutdown
interface FastEthernet0/1
 ip address 100.1.1.2 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 100.1.1.1

! IPsec phase 1 (ISAKMP) security parameters
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share

! Pre-shared key and the peer it is used with (the peer can be any IP address)
crypto isakmp key tom address 200.1.1.2

! IPsec phase 2 transform set
crypto ipsec transform-set tim esp-3des esp-md5-hmac

crypto map tom 10 ipsec-isakmp
 set peer 200.1.1.2
 set transform-set tim
 ! Traffic of interest: only traffic that matches this access list is encrypted
 match address 101

interface FastEthernet0/1
 ip address 100.1.1.2 255.255.255.0
 ! Bind the crypto map to the interface
 crypto map tom
access-list 101 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255

FenBu router configuration:
interface FastEthernet0/0
 ip address 200.1.1.2 255.255.255.0
 no shutdown
interface FastEthernet0/1
 ip address 172.16.1.254 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 200.1.1.1

! IPsec phase 1 (ISAKMP) security parameters, same as on ZongBu
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share

crypto isakmp key tom address 100.1.1.2
crypto ipsec transform-set tim esp-3des esp-md5-hmac

crypto map tom 10 ipsec-isakmp
 set peer 100.1.1.2
 set transform-set tim
 ! Traffic of interest: the mirror image of access list 101 on ZongBu
 match address 101

interface FastEthernet0/0
 ! Bind the crypto map to the interface
 crypto map tom
access-list 101 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255

Verify the experiment results:
Ping the Server from the Laptop. (Note: the Laptop cannot ping the Server before the VPN is enabled. After the experiment is completed, packet loss occurs during the initial phase of the Laptop's ping to the Server. This is normal; just wait.) With the VPN established, remote users can directly access the intranet Server.
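The two crypto configurations above only bring up a tunnel if they agree with each other, so the following added example (not part of the original tutorial) checks a ZongBu/FenBu pair offline: matching phase 1 and phase 2 parameters, matching pre-shared key, mirrored access lists, well-formed wildcard masks, and use of legacy algorithms. The config strings are constructed from the tutorial's crypto lines, and grab, parse and audit are hypothetical helper names.

```python
import re
from ipaddress import ip_network

# Constructed input: the crypto-relevant lines of the tutorial's two routers.
ZONGBU = """crypto isakmp policy 10
 encr 3des
 hash md5
crypto isakmp key tom address 200.1.1.2
crypto ipsec transform-set tim esp-3des esp-md5-hmac
crypto map tom 10 ipsec-isakmp
 set peer 200.1.1.2
access-list 101 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255"""
FENBU = """crypto isakmp policy 10
 encr 3des
 hash md5
crypto isakmp key tom address 100.1.1.2
crypto ipsec transform-set tim esp-3des esp-md5-hmac
crypto map tom 10 ipsec-isakmp
 set peer 100.1.1.2
access-list 101 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255"""
WEAK = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}  # deprecated

def grab(pattern, cfg):  # capture groups of the first config line that matches
    return re.search(pattern, cfg, re.M).groups()

def parse(cfg):
    """Extract what both peers must agree on; ip_network() rejects a malformed wildcard."""
    key, key_peer = grab(r"^crypto isakmp key (\S+) address (\S+)", cfg)
    s_ip, s_wc, d_ip, d_wc = grab(r"^access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)", cfg)
    return {
        "phase1": tuple(re.findall(r"^ +(?:encr|hash) (\S+)", cfg, re.M)),
        "phase2": tuple(grab(r"^crypto ipsec transform-set \S+ (.+)$", cfg)[0].split()),
        "key": key, "key_peer": key_peer, "peer": grab(r"^ +set peer (\S+)", cfg)[0],
        "src": ip_network(f"{s_ip}/{s_wc}"), "dst": ip_network(f"{d_ip}/{d_wc}"),
    }

def audit(cfg_a, cfg_b):
    """Return findings for the two ends of one site-to-site tunnel."""
    a, b = parse(cfg_a), parse(cfg_b)
    checks = [
        (a["phase1"] != b["phase1"], "IKE phase 1 policies differ"),
        (set(a["phase2"]) != set(b["phase2"]), "IPsec transform sets differ"),
        (a["key"] != b["key"], "pre-shared keys differ"),
        (any(r["peer"] != r["key_peer"] for r in (a, b)), "key not bound to the crypto map peer"),
        ((a["src"], a["dst"]) != (b["dst"], b["src"]), "crypto ACLs are not mirror images"),
    ]
    findings = [msg for failed, msg in checks if failed]
    weak = sorted(WEAK & set(a["phase1"] + a["phase2"] + b["phase1"] + b["phase2"]))
    return findings + (["legacy algorithms: " + ", ".join(weak)] if weak else [])
```

For the tutorial's values, audit(ZONGBU, FENBU) reports only the legacy-algorithm finding (3DES and MD5); a wildcard mask written as 0.0.255 makes parse raise ValueError.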

