IPsec VPN ISAKMP aggressive mode lab configuration

Updated: 2023-12-09 11:32:01


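Aggressive mode is typically used when one end of the IPsec VPN connects by dial-up and has no fixed IP address, the other end cannot specify the peer's IP address, and an IP address cannot be used as the ID that identifies the peer's pre-shared key. The loopback interfaces on routers SPOKE and VPNHUB simulate the internal networks. The SPOKE s1/1 interface address 172.16.1.1 simulates an address obtained dynamically over dial-up (the dial-up PPPoE configuration is omitted here). The ISP router simulates the Internet.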

SPOKE configuration

SPOKE#sh run
Building configuration...

Current configuration : 1448 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SPOKE
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
!
!
!
!
!
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp peer address 172.16.2.1
 set aggressive-mode password xinjialove
 set aggressive-mode client-endpoint fqdn xinjialove
!
!
crypto ipsec transform-set xinjialove esp-des esp-md5-hmac
!
crypto map xinjialove 10 ipsec-isakmp
 set peer 172.16.2.1
 set transform-set xinjialove
 match address 100
!
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 ip address 172.16.1.1 255.255.255.0
 serial restart-delay 0
 crypto map xinjialove
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface FastEthernet2/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Serial1/1
!
!
access-list 100 permit ip host 1.1.1.1 host 3.3.3.3
!
!
control-plane
!
!
!
!
!
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
!
!
end

VPNHUB configuration

VPNHUB#sh run
Building configuration...

Current configuration : 1338 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPNHUB
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip cef
!
!
!
!
no ip domain lookup
!
!
!
!
!
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xinjialove hostname xinjialove
!
!
crypto ipsec transform-set xinjialove esp-des esp-md5-hmac
!
crypto dynamic-map xinjialove 10
 set transform-set xinjialove
 reverse-route
!
!
crypto map xinjialove 10 ipsec-isakmp dynamic xinjialove
!
!
!
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface Serial1/0
 ip address 172.16.2.1 255.255.255.0
 serial restart-delay 0
 crypto map xinjialove
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface FastEthernet2/0
 no ip address
 shutdown
 duplex half
!
ip route 0.0.0.0 0.0.0.0 Serial1/0
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
!
!
!
!
!
control-plane
!
!
line con 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
!
end

show output

SPOKE#sh crypto isakmp sa
dst             src             state          conn-id slot status
172.16.2.1      172.16.1.1      QM_IDLE              1    0 ACTIVE
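The check below is an added example, not part of the original lab. It parses constructed excerpts of the crypto lines from the SPOKE and VPNHUB configurations above and reports the settings both ends must agree on: ISAKMP policy, transform-set, the spoke's FQDN identity against the hub's hostname key entry, and the pre-shared key. The function names and the one-policy-per-router simplification are assumptions of this example.

```python
import re

# Constructed excerpts: only the crypto lines of the two configs on this page.
SPOKE_CFG = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp peer address 172.16.2.1
 set aggressive-mode password xinjialove
 set aggressive-mode client-endpoint fqdn xinjialove
crypto ipsec transform-set xinjialove esp-des esp-md5-hmac
"""
HUB_CFG = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xinjialove hostname xinjialove
crypto ipsec transform-set xinjialove esp-des esp-md5-hmac
"""

def parse(cfg):
    """Collect the settings both ends must agree on (assumes one ISAKMP policy)."""
    out = {"policy": set(), "transforms": set(), "keys": {}}
    for line in map(str.strip, cfg.splitlines()):
        if m := re.fullmatch(r"(hash|authentication|group) (\S+)", line):
            out["policy"].add((m[1], m[2]))
        elif m := re.fullmatch(r"crypto ipsec transform-set \S+ (.+)", line):
            out["transforms"].add(frozenset(m[1].split()))
        elif m := re.fullmatch(r"crypto isakmp key (\S+) hostname (\S+)", line):
            out["keys"][m[2]] = m[1]   # hub side: key indexed by peer hostname
        elif m := re.fullmatch(r"set aggressive-mode (password|client-endpoint fqdn) (\S+)", line):
            out[m[1]] = m[2]           # spoke side: key and FQDN identity
    return out

def check_pair(spoke_cfg, hub_cfg):
    """Return the mismatches that would keep the ISAKMP SA from reaching QM_IDLE."""
    s, h = parse(spoke_cfg), parse(hub_cfg)
    ident, problems = s.get("client-endpoint fqdn"), []
    if s["policy"] != h["policy"]:
        problems.append("isakmp policy mismatch")
    if not s["transforms"] & h["transforms"]:
        problems.append("no common transform-set")
    if ident not in h["keys"]:
        problems.append(f"hub has no key for hostname {ident}")
    elif h["keys"][ident] != s.get("password"):
        problems.append("pre-shared key mismatch")
    return problems
```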
