Tutorial topology:
Topology analysis:
Consists of four routers. The e0/1 ports of R1 and R4 simulate PC1 and PC2;
R2 and R3 simulate the Internet.
Purpose:
The two ends of the LAN can communicate with each other and can run dynamic routing protocols;
Encryption of LAN traffic at both ends;
LAN at both ends can access the Internet
Experiment Analysis:
Use IPsec to encrypt the traffic between the two ends.
For the two LANs to run a dynamic routing protocol with each other, GRE must run on the LAN routers.
For the LANs to access the Internet, the LAN routers must run NAT.
Note:
Dynamic routing protocols send their updates to multicast addresses, while IPsec only protects unicast traffic between the two peers, so a dynamic routing protocol cannot run directly over the IPsec link. A GRE tunnel solves this: it carries multicast and multiple protocols, so the routing protocol runs inside the tunnel. Traffic is then split: public-network traffic leaves through the public network interface, while private-network traffic between the two LANs goes through the tunnel. Because only the tunnel carries private traffic, the crypto map is applied to the tunnel port, so that only private-network traffic is encrypted.
==========================================================================================
R1
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
! pre-shared key "cisco" for peer 30.1.1.2; the original reads "key 6 cisco", but the 6
! tells IOS the string is a type-6 encrypted key, so a plaintext key is entered without it
crypto isakmp key cisco address 30.1.1.2
!
! the transform set needs a name before the algorithm list; "myset" is assumed here
crypto ipsec transform-set myset ah-sha-hmac esp-3des
!
crypto map mymap 1 ipsec-isakmp
 set peer 30.1.1.2
 set transform-set myset
 set pfs group2
 match address 100
!
interface Tunnel1
 ! the Tunnel address is arbitrary
 ip address 10.1.1.1 255.255.255.0
 ! source public network address
 tunnel source 100.1.1.1
 ! destination public network address
 tunnel destination 30.1.1.2
 ! apply the map to the tunnel port so that only tunnelled (private) traffic is encrypted
 crypto map mymap
!
interface Ethernet0/0
 ip address 100.1.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 half-duplex
!
interface Ethernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 half-duplex
!
! run the dynamic routing protocol between the two LANs; the original reads "router VPN 1",
! which is not an IOS command, so EIGRP AS 1 is assumed (network/auto-summary fit it)
router eigrp 1
 ! advertise the Tunnel address block
 network 10.0.0.0
 ! advertise the private network segment
 network 192.168.1.0
 auto-summary
!
no ip http server
no ip http secure-server
! the LAN's default route points to the public network interface
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
!
! overload (PAT): inside addresses share the public interface address, told apart by port
ip nat inside source list 1 interface Ethernet0/0 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
! allow the two intranets to reach each other (a wildcard mask needs four octets)
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
==========================================================================================
R4
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
! plaintext pre-shared key, entered without the type-6 marker as on R1
crypto isakmp key cisco address 100.1.1.1
!
! transform-set name "myset" assumed, matching R1
crypto ipsec transform-set myset ah-sha-hmac esp-3des
!
crypto map mymap 1 ipsec-isakmp
 set peer 100.1.1.1
 set transform-set myset
 set pfs group2
 match address 100
!
interface Tunnel1
 ip address 10.1.1.2 255.255.255.0
 tunnel source 30.1.1.2
 tunnel destination 100.1.1.1
 crypto map mymap
!
interface Ethernet0/0
 ip address 30.1.1.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 half-duplex
!
interface Ethernet0/1
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 half-duplex
!
! "router VPN 1" in the original; EIGRP AS 1 assumed, as on R1
router eigrp 1
 network 10.0.0.0
 network 192.168.2.0
 auto-summary
!
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
!
ip nat inside source list 1 interface Ethernet0/0 overload
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
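The two configurations above only work if they mirror each other exactly: each router's ISAKMP key peer, crypto-map peer and tunnel destination must all equal the other router's tunnel source, and the crypto ACL on one side must be the reverse of the crypto ACL on the other, with well-formed wildcard masks. The following checker is an added example and is not part of the tutorial or of Cisco IOS; it parses the relevant lines of R1 and R4 (embedded below as a constructed sample, with the page's addresses and the map name "mymap") and reports every asymmetry it finds, including the three-octet wildcard mask that appears in the original listing.

```python
import re

# Constructed sample input: the IPsec/GRE-relevant lines of the tutorial's
# two routers (R1 and R4). Addresses and the map name are taken from the page.
R1_CONFIG = """
crypto isakmp key cisco address 30.1.1.2
crypto map mymap 1 ipsec-isakmp
 set peer 30.1.1.2
 match address 100
interface Tunnel1
 tunnel source 100.1.1.1
 tunnel destination 30.1.1.2
 crypto map mymap
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""

R4_CONFIG = """
crypto isakmp key cisco address 100.1.1.1
crypto map mymap 1 ipsec-isakmp
 set peer 100.1.1.1
 match address 100
interface Tunnel1
 tunnel source 30.1.1.2
 tunnel destination 100.1.1.1
 crypto map mymap
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

# The handful of IOS commands the checker understands (lines are lower-cased and stripped first).
PATTERNS = {
    "isakmp_peer": re.compile(r"crypto isakmp key (?:[06] )?\S+ address (\S+)$"),
    "map_peer": re.compile(r"set peer (\S+)$"),
    "crypto_acl": re.compile(r"match address (\S+)$"),
    "tunnel_src": re.compile(r"tunnel source (\S+)$"),
    "tunnel_dst": re.compile(r"tunnel destination (\S+)$"),
}
ACL_RE = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")


def valid_wildcard(mask):
    """A wildcard mask must have exactly four octets, each in 0..255."""
    parts = mask.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def parse_side(text):
    """Pull peer addresses, tunnel endpoints and extended-ACL entries out of one config."""
    side = {"acl": []}
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line or line.startswith("!"):
            continue
        for key, pat in PATTERNS.items():
            m = pat.match(line)
            if m:
                side[key] = m.group(1)
        m = ACL_RE.match(line)
        if m:
            acl_id, src, src_wc, dst, dst_wc = m.groups()
            side["acl"].append({"id": acl_id, "src": src, "src_wc": src_wc, "dst": dst, "dst_wc": dst_wc})
    return side


def check_pair(cfg_a, cfg_b):
    """Return the inconsistencies between two sides; an empty list means they mirror each other."""
    sides = {"A": parse_side(cfg_a), "B": parse_side(cfg_b)}
    problems = []
    for name, s in sides.items():
        other = sides["B" if name == "A" else "A"]
        # IKE peer, crypto-map peer and GRE destination must all be the far side's tunnel source.
        if s.get("isakmp_peer") != s.get("map_peer"):
            problems.append(f"{name}: isakmp key peer {s.get('isakmp_peer')} != set peer {s.get('map_peer')}")
        if s.get("map_peer") != other.get("tunnel_src"):
            problems.append(f"{name}: set peer {s.get('map_peer')} != far tunnel source {other.get('tunnel_src')}")
        if s.get("tunnel_dst") != other.get("tunnel_src"):
            problems.append(f"{name}: tunnel destination {s.get('tunnel_dst')} != far tunnel source {other.get('tunnel_src')}")
        # Crypto ACL: well-formed wildcards, and every entry mirrored (src/dst swapped) on the far side.
        mine = [e for e in s["acl"] if e["id"] == s.get("crypto_acl")]
        far = {(e["src"], e["dst"]) for e in other["acl"] if e["id"] == other.get("crypto_acl")}
        if not mine:
            problems.append(f"{name}: crypto ACL {s.get('crypto_acl')} has no permit ip entries")
        for e in mine:
            for wc in (e["src_wc"], e["dst_wc"]):
                if not valid_wildcard(wc):
                    problems.append(f"{name}: bad wildcard {wc} in ACL {e['id']}")
            if (e["dst"], e["src"]) not in far:
                problems.append(f"{name}: {e['src']} -> {e['dst']} has no mirror entry on the far side")
    return problems


if __name__ == "__main__":
    for p in check_pair(R1_CONFIG, R4_CONFIG) or ["OK: both sides mirror each other"]:
        print(p)
```

Run it as-is and the two corrected configurations pass; paste in the original listing's `access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.255` and the checker reports the malformed wildcard, which IOS would otherwise reject at the CLI. The same structure extends to any pair of crypto-map peers: the three "must equal the far tunnel source" checks are the ones that silently break phase 1 when a public address is retyped on only one side.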