Topology:
GW:
aaa new-model
!
aaa authentication login noacs line none
aaa authentication login hr_authen local
aaa authorization network ht_author local
!
username cisco password 0 cisco
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group hrgroup
 key cisco
 pool hr_pool
crypto isakmp profile isakmap_profile
 match identity group hrgroup
 client authentication list hr_authen
 isakmp authorization list ht_author
 client configuration address respond
 virtual-template 100    // binds this profile to Virtual-Template100
!
crypto ipsec transform-set hr_trans esp-des esp-md5-hmac
!
crypto ipsec profile hr_ipsec_profile
 set transform-set hr_trans
 set isakmp-profile isakmap_profile
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Serial0/0
 ip address 12.1.1.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 serial restart-delay 0
!
interface Serial0/1
 ip address 23.1.1.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 serial restart-delay 0
!
interface FastEthernet1/0
 ip address 192.168.10.254 255.255.255.0
 duplex auto
 speed auto
!
interface Virtual-Template100 type tunnel
 ip unnumbered Loopback0
 ip nat inside
 ip virtual-reassembly
 tunnel source FastEthernet1/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile hr_ipsec_profile
!
ip local pool hr_pool 10.1.1.10 10.1.1.20
!
ip route 3.3.3.0 255.255.255.0 23.1.1.3
!
ip nat inside source list nat interface Serial0/0 overload
!
ip access-list extended nat
 deny   ip 3.3.3.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 3.3.3.0 0.0.0.255 any
 permit ip 10.1.1.0 0.0.0.255 any

R1 configuration:
interface Serial0/0
 ip address 12.1.1.1 255.255.255.0
line vty 0 4
 no login
line vty 5 871
 no login

R2 configuration:
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
!
interface Serial0/1
 ip address 23.1.1.3 255.255.255.0
 serial restart-delay 0
ip route 0.0.0.0 0.0.0.0 23.1.1.2
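Added example, not part of the original lab: a small Python audit that walks an IOS running-config in the form shown above and flags the weak choices made on the GW and R1 (MD5 IKE hash, DH group 2, DES/MD5 ESP transform, a short pre-shared key, a plaintext local password, vty lines with no login). The embedded sample is an excerpt of the GW and R1 configurations; the MIN_PSK_LEN threshold and the weak-algorithm sets are this example's own assumptions.

```python
import re

# Excerpt of the GW and R1 configurations above (constructed sample for this audit).
SAMPLE_CONFIG = """\
username cisco password 0 cisco
crypto isakmp policy 10
 hash md5
 group 2
crypto isakmp client configuration group hrgroup
 key cisco
crypto ipsec transform-set hr_trans esp-des esp-md5-hmac
line vty 0 4
 no login
"""

WEAK_DH_GROUPS = {"1", "2", "5"}          # IKE DH groups considered too small today
WEAK_ESP = {"esp-null", "esp-des", "esp-3des", "esp-md5-hmac"}
MIN_PSK_LEN = 16                           # assumed minimum pre-shared key length


def audit_ios_config(text):
    # Returns (finding, context) pairs; context is the offending top-level command.
    findings = []
    section = ""                           # most recent top-level command
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue                       # blank line or IOS comment
        if not line.startswith(" "):
            section = line
            if line.startswith("username ") and " password 0 " in line:
                findings.append(("plaintext-password", line))
            elif line.startswith("crypto ipsec transform-set"):
                for weak in sorted(set(line.split()[4:]) & WEAK_ESP):
                    findings.append((f"weak-transform:{weak}", line))
            continue
        stmt = line.strip()                # indented sub-command of `section`
        if section.startswith("crypto isakmp policy"):
            if stmt == "hash md5":
                findings.append(("weak-ike-hash", section))
            m = re.fullmatch(r"group (\d+)", stmt)
            if m and m.group(1) in WEAK_DH_GROUPS:
                findings.append((f"weak-dh-group:{m.group(1)}", section))
        elif section.startswith("crypto isakmp client configuration group"):
            m = re.fullmatch(r"key (\S+)", stmt)
            if m and len(m.group(1)) < MIN_PSK_LEN:
                findings.append(("short-psk", section))
        elif section.startswith("line vty") and stmt == "no login":
            findings.append(("vty-no-login", section))
    return findings
```

Run `audit_ios_config(SAMPLE_CONFIG)` to list the findings; feed it the output of `show running-config` to audit a real device.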
Verification: