路由器和路由器之間的VPN配置代碼

　　Hub Router

　　2503#show running-config

　　Building configuration

　　Current configuration : 1466 bytes

　　version 122

　　service timestamps debug datetime msec

　　service timestamps log uptime

　　no service password-encryption

　　hostname 2503

　　ip subnet-zero

　　--- Configuration for IKE policies

　　crypto isakmp policy 10

　　--- Enables the IKE policy configuration (config-isakmp)

　　--- command mode, where you can specify the parameters that

　　--- are used during an IKE negotiation

　　hash md5

　　authentication pre-share

　　crypto isakmp key cisco123 address 200121

　　crypto isakmp key cisco123 address 200131

　　--- Specifies the preshared key "cisco123" which should

　　--- be identical at both peers This is a global

　　--- configuration mode command

　　--- Configuration for IPSec policies

　　crypto ipsec transform-set myset esp-des esp-md5-hmac

　　--- Enables the crypto transform configuration mode,

　　--- where you can specify the transform sets that are used

　　--- during an IPSec negotiation

　　crypto map mymap 10 ipsec-isakmp

　　--- Indicates that IKE is used to establish

　　--- the IPSec security association for protecting the

　　--- traffic specified by this crypto map entry

　　set peer 200121

　　--- Sets the IP address of the remote end

　　set transform-set myset

　　--- Configures IPSec to use the transform-set

　　--- "myset" defined earlier in this configuration

　　match address 110

　　--- Specifyies the traffic to be encrypted

　　crypto map mymap 20 ipsec-isakmp

　　set peer 200131

　　set transform-set myset

　　match address 120

　　interface Loopback0

　　ip address 10111 2552552550

　　interface Ethernet0

　　ip address 200111 2552552550

　　no ip route-cache

　　--- You must enable process switching for IPSec

　　--- to encrypt outgoing packets This command disables fast switching

　　no ip mroute-cache

　　crypto map mymap

　　--- Configures the interface to use the

　　--- crypto map "mymap" for IPSec

　　--- Output suppressed

　　ip classless

　　ip route 1721610 2552552550 Ethernet0

　　ip route 19216810 2552552550 Ethernet0

　　ip route 200100 25525500 Ethernet0

　　ip http server

　　access-list 110 permit ip 10110 000255 1721610 000255

　　access-list 110 permit ip 19216810 000255 1721610 000255

　　access-list 120 permit ip 10110 000255 19216810 000255

　　access-list 120 permit ip 1721610 000255 19216810 000255

　　--- This crypto ACL-permit identifies the

　　--- matching traffic flows to be protected via encryption

　　Spoke 1 Router

　　2509a#show running-config

　　Building configuration

　　Current configuration : 1203 bytes

　　version 122

　　service timestamps debug datetime msec

　　service timestamps log uptime

　　no service password-encryption

　　hostname 2509a

　　enable secret 5 $1$DOX3$rIrxEnTVTw/7LNbxiakz0

　　ip subnet-zero

　　no ip domain-lookup

　　crypto isakmp policy 10

　　hash md5

　　authentication pre-share

　　crypto isakmp key cisco123 address 200111

　　crypto ipsec transform-set myset esp-des esp-md5-hmac

　　crypto map mymap 10 ipsec-isakmp

　　set peer 200111

　　set transform-set myset

　　match address 110

　　interface Loopback0

　　ip address 1721611 2552552550

　　interface Ethernet0

　　ip address 200121 2552552550

　　no ip route-cache

　　no ip mroute-cache

　　crypto map mymap

　　--- Output suppressed

　　ip classless

　　ip route 10110 2552552550 Ethernet0

　　ip route 19216810 2552552550 Ethernet0

　　ip route 200100 25525500 Ethernet0

　　no ip http server

　　access-list 110 permit ip 1721610 000255 10110 000255

　　access-list 110 permit ip 1721610 000255 19216810 000255

　　end

　　2509a#

　　Spoke 2 Router

　　VPN2509#show running-config

　　Building configuration

　　Current configuration : 1117 bytes

　　version 122

　　service timestamps debug datetime msec

　　service timestamps log uptime

　　service password-encryption

　　hostname VPN2509

　　ip subnet-zero

　　no ip domain-lookup

　　crypto isakmp policy 10

　　hash md5

　　authentication pre-share

　　crypto isakmp key cisco123 address 200111

　　crypto ipsec transform-set myset esp-des esp-md5-hmac

　　crypto map mymap 10 ipsec-isakmp

　　set peer 200111

　　set transform-set myset

　　match address 120

　　interface Loopback0

　　ip address 19216811 2552552550

　　interface Ethernet0

　　ip address 200131 2552552550

　　--- No ip route-cache

　　no ip mroute-cache

　　crypto map mymap

　　--- Output suppressed

　　ip classless

　　ip route 10110 2552552550 Ethernet0

　　ip route 1721600 25525500 Ethernet0

　　ip route 200100 25525500 Ethernet0

　　no ip http server

　　access-list 120 permit ip 19216810 000255 1721610 000255

　　access-list 120 permit ip 19216810 000255 10110 000255

　　end

　　VPN2509#