Cisco router IPsec VPN practice: fixed IP addresses at both ends

Source: Internet
Author: User


Topology: this document uses the network setup shown in the figure.

Environment:

1. The gateway router simulates the public network.
2. The private networks behind Router A and Router B are represented by loopback interfaces.
3. The private networks of Router A and Router B are interconnected through an IPsec VPN.
4. Device version: ROM: 2600 Software (C2691-ADVENTERPRISEK9-M), Version 12.4(15)T1.

The configuration common to every router (the IP address of each interface, the NAT inside/outside designation of the interfaces, the console line settings, disabling DNS lookup, and the default route, which only Router A and Router B need) is not covered below.
1. Configure Router A

A. Configure the IKE (ISAKMP) key exchange policy:

    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash md5
     group 2

B. Configure the pre-shared key for the peer:

    crypto isakmp key cisco address 95.95.95.2

C. Configure the IPsec transform set myset:

    crypto ipsec transform-set myset ah-sha-hmac esp-3des esp-sha-hmac

D. Define the interesting traffic (the traffic to be encrypted):

    access-list 115 permit ip 10.50.50.0 0.0.0.255 10.103.1.0 0.0.0.255

E. Configure the crypto map mymap and bind it to the outside interface:

    crypto map mymap 10 ipsec-isakmp
     match address 115
     set transform-set myset
     set peer 95.95.95.2
    !
    interface FastEthernet0/0
     crypto map mymap

F. Exempt the VPN traffic from NAT (this step is missing in many documents; without it the LAN-to-LAN packets are translated before the crypto map sees them and no longer match access-list 115):

    access-list 110 deny ip 10.50.50.0 0.0.0.255 10.103.1.0 0.0.0.255
    access-list 110 permit ip 10.50.50.0 0.0.0.255 any
    !
    route-map nonat permit 10
     match ip address 110
    !
    ip nat inside source route-map nonat interface FastEthernet0/0 overload

2. Configure Router B (the same as Router A, with the addresses mirrored).

3. Configure the IP addresses of the two gateway interfaces and bring them up. Everything else remains unchanged.

Finally, verify. There is a point here that many friends without practical experience should pay attention to: I had no practical experience with Cisco VPN, which led me to wonder whether the version was the problem or whether the configuration was wrong. At this stage the following commands show no entry, because no SA has been created yet:

    Router# show crypto isakmp sa
    Router# show crypto isakmp peers

The IKE SA is only negotiated when traffic matching the crypto ACL is sent, so send a ping on Router A (or Router B):

    Router# ping 10.103.1.75 source 10.50.50.50
Run the show command again and the SA has now been created:

    Router# show crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    95.95.95.2      99.99.99.2      QM_IDLE           1001    0 ACTIVE

You can also watch the encrypted packet counters change. On Router A:

    Router# show crypto ipsec sa

    interface: FastEthernet0/0
        Crypto map tag: rtp, local addr 99.99.99.2

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (10.50.50.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (10.103.1.0/255.255.255.0/0/0)
       current_peer 95.95.95.2 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
        #pkts decaps: 13, #pkts decrypt: 13, #pkts verify: 13
Then five ping packets are sent from Router B:

    Router# ping 10.50.50.50 source 10.103.1.75
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.50.50.50, timeout is 2 seconds:
    Packet sent with a source address of 10.103.1.75
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 252/290/360 ms

Now observe the packet counters on Router A again:

    Router# show crypto ipsec sa

    interface: FastEthernet0/0
        Crypto map tag: rtp, local addr 99.99.99.2

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (10.50.50.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (10.103.1.0/255.255.255.0/0/0)
       current_peer 95.95.95.2 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 18, #pkts encrypt: 18, #pkts digest: 18
        #pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
The counters have risen from 13 to 18, an increase of 5, which means the 5 ping packets were encrypted through the tunnel. Does the routing table change? Routing table of Router A before the IPsec VPN is created:

    Router# show ip route
    Gateway of last resort is 99.99.99.1 to network 0.0.0.0

         99.0.0.0/24 is subnetted, 1 subnets
    C       99.99.99.0 is directly connected, FastEthernet0/0
         10.0.0.0/24 is subnetted, 1 subnets
    C       10.50.50.0 is directly connected, Loopback0
    S*   0.0.0.0/0 [1/0] via 99.99.99.1
Routing table of Router A after the VPN is created:

    Router# show ip route

         99.0.0.0/24 is subnetted, 1 subnets
    C       99.99.99.0 is directly connected, FastEthernet0/0
         10.0.0.0/24 is subnetted, 1 subnets
    C       10.50.50.0 is directly connected, Loopback0
    S*   0.0.0.0/0 [1/0] via 99.99.99.1

There is no difference. A crypto map adds no routes: packets that match the crypto ACL are encrypted as they leave the interface the map is bound to, and they are still forwarded by the existing default route.
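The configuration in steps 1 to 3 above has several places where a single mismatched name or a wrong ACL order silently breaks the tunnel, in particular the NAT exemption in step F. The following script is an added example and is not code from the article: it embeds Router A's configuration as given above (with the transform set named myset), checks that the crypto map references a defined transform set and a usable ACL, that it is applied to an interface, and that the NAT route-map ACL denies the interesting traffic before any permit line, and derives Router B's mirrored configuration (step 2). The address 99.99.99.2 used as Router A's outside address is taken from the show output; the parser handles only the statement forms the article uses.

```python
"""Consistency checks for a Cisco IOS site-to-site IPsec (crypto map) configuration.

Added example, not the article's code. It embeds Router A's configuration from the
article (transform set named myset), checks the crypto map, its ACL, its interface
binding and the NAT exemption, and derives Router B's mirrored configuration (step 2).
Only the statement forms used in the article are parsed.
"""
import ipaddress

ROUTER_A = """\
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
crypto isakmp key cisco address 95.95.95.2
crypto ipsec transform-set myset ah-sha-hmac esp-3des esp-sha-hmac
access-list 115 permit ip 10.50.50.0 0.0.0.255 10.103.1.0 0.0.0.255
crypto map mymap 10 ipsec-isakmp
 match address 115
 set transform-set myset
 set peer 95.95.95.2
interface FastEthernet0/0
 crypto map mymap
access-list 110 deny ip 10.50.50.0 0.0.0.255 10.103.1.0 0.0.0.255
access-list 110 permit ip 10.50.50.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 110
ip nat inside source route-map nonat interface FastEthernet0/0 overload
"""  # Router A exactly as configured in the article

def parse_ios(text):
    """Group an IOS config into {top-level line: [indented sub-lines]}."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if raw.strip() and not raw.startswith("!"):
            if raw.startswith(" ") and current is not None:
                blocks[current].append(raw.strip())
            else:
                current = raw.strip()
                blocks.setdefault(current, [])
    return blocks

def to_net(addr, wildcard):
    """Turn an IOS address/wildcard pair (or 'any') into an ip_network."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    # IOS wildcard masks are contiguous low-order one bits: 0.0.0.255 -> /24.
    prefix = 32 - int(ipaddress.ip_address(wildcard)).bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def acl_entries(blocks, number):
    """Return [(action, src_net, dst_net)] for 'access-list <number> ... ip' lines, in order."""
    entries = []
    for line in blocks:
        toks = line.split()
        if toks[:2] != ["access-list", str(number)] or len(toks) < 6 or toks[3] != "ip":
            continue
        nets, rest = [], toks[4:]
        while rest:  # source then destination, each 'any' or 'ADDR WILDCARD'
            n = 1 if rest[0] == "any" else 2
            nets.append(to_net(rest[0], rest[1] if n == 2 else None))
            rest = rest[n:]
        entries.append((toks[2], nets[0], nets[1]))
    return entries

def check_config(text):
    """Return the problems found; an empty list means the configuration is consistent."""
    blocks, problems = parse_ios(text), []
    cmap = next(k for k in blocks if k.startswith("crypto map ") and k.endswith("ipsec-isakmp"))
    name = cmap.split()[2]
    settings = {l.rsplit(" ", 1)[0]: l.split()[-1] for l in blocks[cmap]}  # "set peer" -> "95.95.95.2"
    ts, acl = settings.get("set transform-set"), settings.get("match address")
    if ts not in {k.split()[3] for k in blocks if k.startswith("crypto ipsec transform-set ")}:
        problems.append(f"crypto map {name}: transform-set {ts!r} is not defined")
    interesting = [e for e in acl_entries(blocks, acl) if e[0] == "permit"] if acl else []
    if not interesting:
        problems.append(f"crypto map {name}: 'match address' ACL missing or permits nothing")
    if not any(k.startswith("interface ") and f"crypto map {name}" in v for k, v in blocks.items()):
        problems.append(f"crypto map {name}: not applied to any interface")
    nat = next((k.split() for k in blocks if k.startswith("ip nat inside source route-map ")), None)
    if nat is None:  # no overload NAT configured, so no exemption is needed
        return problems
    nat_acl = next((l.split()[3] for k, v in blocks.items() if k.startswith(f"route-map {nat[5]} ")
                    for l in v if l.startswith("match ip address ")), None)
    nat_entries = acl_entries(blocks, nat_acl) if nat_acl else []
    for _, src, dst in interesting:
        # IOS evaluates an ACL top-down: the first entry covering the flow decides; no match = implicit deny.
        verdict = next((a for a, s, d in nat_entries if src.subnet_of(s) and dst.subnet_of(d)), "deny")
        if verdict == "permit":
            problems.append(f"NAT exemption missing: ACL {nat_acl} translates VPN traffic {src} -> {dst}")
    return problems

def mirror_config(text, a_outside_addr):
    """Derive Router B's config from Router A's: swap the two private networks in every
    ACL and replace A's peer address with A's own outside address (the article's step 2)."""
    blocks = parse_ios(text)
    cmap = next(k for k in blocks if k.startswith("crypto map ") and k.endswith("ipsec-isakmp"))
    acl = next(l.split()[2] for l in blocks[cmap] if l.startswith("match address "))
    toks = next(k for k in blocks if k.startswith(f"access-list {acl} permit ip ")).split()
    local, remote = " ".join(toks[4:6]), " ".join(toks[6:8])
    a_peer = next(k for k in blocks if k.startswith("crypto isakmp key ")).split()[-1]
    def swap(s, x, y):  # exchange two substrings without clobbering either
        return s.replace(x, "\0").replace(y, x).replace("\0", y)
    return swap(swap(text, local, remote), a_peer, a_outside_addr)

if __name__ == "__main__":  # 99.99.99.2 is Router A's outside address, from the article's show output
    print("Router A:", check_config(ROUTER_A) or "consistent")
    print("Router B:", check_config(mirror_config(ROUTER_A, "99.99.99.2")) or "consistent")
```

Run it as is to check both routers; to see a failure, comment out the deny line of access-list 110 in ROUTER_A or rename the transform set in only one of the two places where it appears, and check_config reports the NAT exemption or the undefined transform set respectively.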
