2012-09-09_102348

GW1:

crypto isakmp policy 10
 authentication pre-share
! The peer gets its address by DHCP, so the pre-shared key is bound to the whole range it may receive.
! A fully wildcard 0.0.0.0 0.0.0.0 also works, at the cost of sharing one key with any source address.
crypto isakmp key cisco address 64.1.1.0 255.255.255.0
!
crypto ipsec transform-set SET esp-3des esp-md5-hmac
!
! Configure the dynamic map: it has no set peer and no match address; both are learned from the peer that connects.
crypto dynamic-map dymap 10
 set transform-set SET
 set pfs group5
!
! Associate the dynamic map with the static map (high sequence number, so any static entries are evaluated first).
crypto map cisco 1000 ipsec-isakmp dynamic dymap
!

interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!

interface FastEthernet1/0
 ip address 202.1.1.1 255.255.255.0
 duplex auto
 speed auto
 ! Apply the regular (static) map to the interface; the dynamic map is never applied directly.
 crypto map cisco
!

ip route 0.0.0.0 0.0.0.0 202.1.1.10

Internet:

ip dhcp excluded-address 64.1.1.10
!
ip dhcp pool ×××
 network 64.1.1.0 255.255.255.0
 default-router 64.1.1.10
!
interface FastEthernet1/0
 ip address 202.1.1.10 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/1
 ip address 64.1.1.10 255.255.255.0
 duplex auto
 speed auto

GW2:

crypto isakmp policy 10
 authentication pre-share
! GW1 has a fixed address, so the key is bound to that single host.
crypto isakmp key cisco address 202.1.1.1
!
crypto ipsec transform-set SET esp-3des esp-md5-hmac
!
! Static map: GW2 knows the peer and the interesting traffic, so it can initiate.
crypto map cisco 10 ipsec-isakmp
 set peer 202.1.1.1
 set transform-set SET
 set pfs group5
 match address ***
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet1/0
 ip address dhcp
 duplex auto
 speed auto
 crypto map cisco
!
ip route 0.0.0.0 0.0.0.0 64.1.1.10
! The entry with distance 254 is the DHCP-learned default route; the explicit static route above wins on distance.
ip route 0.0.0.0 0.0.0.0 64.1.1.10 254
!
ip access-list extended ***
 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255

Only GW2 can initiate IPsec traffic; GW1 cannot initiate first. GW1's dynamic map carries no peer address and no interesting-traffic ACL, so it has nothing to match outbound traffic against until GW2 has negotiated the SA; after that, traffic flows in both directions.
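As an added example (not part of the original page), the script below parses the two crypto configurations above the way a config linter would, and answers two questions a reviewer asks of this topology: which side is able to initiate (a static map entry with both set peer and match address, versus a dynamic-map-only entry), and which settings are weak or left implicit (3DES/MD5 transforms, a short pre-shared key, a key bound to a whole subnet, and an ISAKMP policy that relies on IOS defaults). The embedded configs are constructed from the GW1/GW2 snippets; the ACL name VPN_ACL is an assumption, since the page masks it.

```python
"""Added example (not from the original page): lint IOS IPsec configs to see
which side can initiate and which settings are weak.  The two configs below are
constructed from the GW1/GW2 snippets; the ACL name VPN_ACL is an assumption,
since the page masks it."""
import re

# Transforms a current reviewer would flag (DES/3DES keys, MD5 HMAC, no encryption).
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

GW1_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 64.1.1.0 255.255.255.0
crypto ipsec transform-set SET esp-3des esp-md5-hmac
crypto dynamic-map dymap 10
 set transform-set SET
 set pfs group5
crypto map cisco 1000 ipsec-isakmp dynamic dymap
"""

GW2_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 202.1.1.1
crypto ipsec transform-set SET esp-3des esp-md5-hmac
crypto map cisco 10 ipsec-isakmp
 set peer 202.1.1.1
 set transform-set SET
 set pfs group5
 match address VPN_ACL
ip access-list extended VPN_ACL
 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
"""

MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$")
KEY_RE = re.compile(r"^crypto isakmp key (\S+) address (\S+)(?: (\S+))?$")


def parse_blocks(config):
    """Group a running-config into (top-level command, [sub-commands]) pairs.
    IOS writes top-level commands in column 0 and sub-commands with one leading space."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):
            if blocks:
                blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def can_initiate(config):
    """True if some static crypto map entry names a peer and an interesting-traffic ACL.
    An entry that only references a dynamic map has neither, so that router can only
    respond: it learns the peer and the proxy identities from the incoming negotiation."""
    for header, subs in parse_blocks(config):
        m = MAP_RE.match(header)
        if not m or m.group(3) is not None:
            continue
        has_peer = any(s.startswith("set peer ") for s in subs)
        has_acl = any(s.startswith("match address ") for s in subs)
        if has_peer and has_acl:
            return True
    return False


def audit(config):
    """Return human-readable findings about weak or implicit settings."""
    issues = []
    for header, subs in parse_blocks(config):
        if header.startswith("crypto ipsec transform-set "):
            parts = header.split()
            weak = sorted(set(parts[4:]) & WEAK_TRANSFORMS)
            if weak:
                issues.append(f"transform-set {parts[3]}: weak transforms {' '.join(weak)}")
        elif header.startswith("crypto isakmp key "):
            m = KEY_RE.match(header)
            if m:
                key, addr, mask = m.groups()
                if len(key) < 8:
                    issues.append(f"pre-shared key for {addr} is only {len(key)} characters")
                if mask is not None and mask != "255.255.255.255":
                    issues.append(f"pre-shared key for {addr} {mask} is shared by every host in that range")
        elif header.startswith("crypto isakmp policy "):
            # Without explicit encryption/hash/group the classic IOS defaults (des, sha, group 1) apply.
            for needed in ("encryption", "hash", "group"):
                if not any(s.startswith(needed + " ") for s in subs):
                    issues.append(f"{header}: no explicit '{needed}', IOS default applies")
    return issues


if __name__ == "__main__":
    for name, cfg in (("GW1", GW1_CONFIG), ("GW2", GW2_CONFIG)):
        print(f"{name}: can initiate = {can_initiate(cfg)}")
        for issue in audit(cfg):
            print(f"  - {issue}")
```

Run as-is it reports GW1 as responder-only and GW2 as able to initiate, which is exactly the asymmetry noted above; the audit findings are the same on both sides except that GW1's key is bound to the whole 64.1.1.0/24 range, which is the price of letting the peer take any DHCP address.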