实验拓扑:

IPsec VPN 多对等体

---------------------R1------------------------------------------------------

! R1 (IOS): single crypto map "smap" with two entries, one IPsec peer per entry.
!
! IKE phase 1 policy.
! NOTE(review): no "encryption" line is set here, while both ASA peers configure
! "encryption des"; this presumably relies on the IOS default - confirm with
! "show crypto isakmp policy".
! MD5 and DH group 2 (1024-bit MODP) are deprecated and acceptable in a lab only.
! Any move to AES / SHA-2 / a larger DH group must be made on R1 and on both ASAs
! together, otherwise phase 1 will no longer match.
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
! Pre-shared keys: "root" pairs with the tunnel-group on 30.1.1.1, "cisco" with 20.1.1.1.
! Both are short dictionary words shown in clear text; treat them as lab placeholders
! and use a long random key per peer elsewhere.
! The 255.255.255.0 mask makes each key valid for any address in the peer's /24
! (which includes R2's 20.1.1.10 / 30.1.1.10), not only the peer itself; a host mask
! scopes the key to the single peer address.
crypto isakmp key root address 30.1.1.1 255.255.255.0
crypto isakmp key cisco address 20.1.1.1 255.255.255.0
!
!
! Phase 2 proposal: ESP with DES encryption and HMAC-MD5 integrity. Must match the
! "trans" transform-set on both ASAs; DES (56-bit key) is lab-grade only.
crypto ipsec transform-set trans esp-des esp-md5-hmac
!
! Entry 10 -> peer 20.1.1.1, entry 20 -> peer 30.1.1.1. Each entry selects its traffic
! with its own crypto ACL, so the two ACLs must not overlap.
! NOTE(review): the ACL names "***a" / "***b" look masked by the page; use one real
! name per ACL, identical in "match address" and in "ip access-list extended" below.
crypto map smap 10 ipsec-isakmp
set peer 20.1.1.1
set transform-set trans
match address ***a
crypto map smap 20 ipsec-isakmp
set peer 30.1.1.1
set transform-set trans
match address ***b
!
! Loopback0 is the protected network on R1 (source side of both crypto ACLs).
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
! Interface facing R2; the crypto map is applied here, so only traffic leaving this
! interface and matching a crypto ACL is encrypted. Anything else is forwarded in clear.
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
speed 100
full-duplex
crypto map smap
!
! Default route via R2 (10.1.1.10).
ip route 0.0.0.0 0.0.0.0 10.1.1.10
!
! Crypto ACLs (IOS wildcard masks): 1.1.1.0/24 -> 3.3.3.0/24 and 1.1.1.0/24 -> 4.4.4.0/24.
! Each must be the exact mirror of the ACL configured on the corresponding ASA.
ip access-list extended ***a
permit ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
ip access-list extended ***b
permit ip 1.1.1.0 0.0.0.255 4.4.4.0 0.0.0.255

---------------------------R2------------------------------

! R2: transit router joining the three /24 segments. No crypto, ACL or static route
! is configured in this listing, so it only knows the connected networks
! (10.1.1.0/24, 20.1.1.0/24, 30.1.1.0/24).
! Segment towards the outside interface of the 20.1.1.1 peer.
interface FastEthernet0/0
 ip address 20.1.1.10 255.255.255.0
!
! Segment towards the outside interface of the 30.1.1.1 peer.
interface FastEthernet0/1
 ip address 30.1.1.10 255.255.255.0
!
! Segment towards R1 (10.1.1.1); this address is R1's default gateway.
interface FastEthernet1/0
 ip address 10.1.1.10 255.255.255.0
 

----------------------ASA1------------------------------------

! ASA1: IKEv1 LAN-to-LAN peer of R1 (10.1.1.1) for 3.3.3.0/24 <-> 1.1.1.0/24.
! outside = untrusted side (security-level 0), facing R2.
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 20.1.1.1 255.255.255.0
!
! inside = trusted side (security-level 100), facing R3.
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
! Crypto ACL (ASA uses netmasks, not wildcards): mirror of R1's 1.1.1.0/24 -> 3.3.3.0/24 entry.
! NOTE(review): the name "***a" looks masked by the page; use the same real name here
! and in "crypto map smap 10 match address".
access-list ***a extended permit ip 3.3.3.0 255.255.255.0 1.1.1.0 255.255.255.0
! Default route for ordinary traffic: via R2.
route outside 0.0.0.0 0.0.0.0 20.1.1.10 1
! "tunneled" default route: used for traffic decrypted from a VPN tunnel that has no
! more specific route. There is no explicit route to 3.3.3.0/24 in this listing, so
! decrypted packets for it are sent to R3 (192.168.3.3) through this entry.
route inside 0.0.0.0 0.0.0.0 192.168.3.3 tunneled
! Phase 2 proposal: ESP-DES with HMAC-MD5, matching R1's "trans". Lab-grade only;
! change it on both ends together.
crypto ipsec ikev1 transform-set trans esp-des esp-md5-hmac
crypto map smap 10 match address ***a
crypto map smap 10 set peer 10.1.1.1
crypto map smap 10 set ikev1 transform-set trans
! Bind the crypto map to outside and enable IKEv1 there.
crypto map smap interface outside
crypto ikev1 enable outside
! Phase 1 policy: pre-shared key, DES, MD5, DH group 2, 86400-second lifetime.
! DES, MD5 and group 2 are all deprecated; they are kept here only so the policy
! matches R1's "crypto isakmp policy 10".
crypto ikev1 policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
! Tunnel-group keyed by the peer address. The key "cisco" equals R1's key for
! 20.1.1.1; it is a dictionary word shown in clear text, so treat it as a lab
! placeholder and use a long random value elsewhere.
tunnel-group 10.1.1.1 type ipsec-l2l
tunnel-group 10.1.1.1 ipsec-attributes
 ikev1 pre-shared-key cisco

------------------------------ASA2-------------------------------


! ASA2: IKEv1 LAN-to-LAN peer of R1 (10.1.1.1) for 4.4.4.0/24 <-> 1.1.1.0/24.
! outside = untrusted side (security-level 0), facing R2.
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 30.1.1.1 255.255.255.0
!
! inside = trusted side (security-level 100), facing R4.
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.4.1 255.255.255.0
!
! Crypto ACL (netmask form): mirror of R1's 1.1.1.0/24 -> 4.4.4.0/24 entry.
! NOTE(review): the name "***b" looks masked by the page; use the same real name here
! and in "crypto map smap 10 match address".
access-list ***b extended permit ip 4.4.4.0 255.255.255.0 1.1.1.0 255.255.255.0

! Default route for ordinary traffic: via R2.
route outside 0.0.0.0 0.0.0.0 30.1.1.10 1
! "tunneled" default route: used for traffic decrypted from a VPN tunnel that has no
! more specific route; here it hands decrypted packets to R4 (192.168.4.4).
route inside 0.0.0.0 0.0.0.0 192.168.4.4 tunneled

! Phase 2 proposal: ESP-DES with HMAC-MD5, matching R1's "trans". Lab-grade only;
! change it on both ends together.
crypto ipsec ikev1 transform-set trans esp-des esp-md5-hmac
crypto map smap 10 match address ***b
crypto map smap 10 set peer 10.1.1.1
crypto map smap 10 set ikev1 transform-set trans
! Bind the crypto map to outside and enable IKEv1 there.
crypto map smap interface outside
crypto ikev1 enable outside
! Phase 1 policy: pre-shared key, DES, MD5, DH group 2, 86400-second lifetime.
! Deprecated algorithms, kept only so the policy matches R1's "crypto isakmp policy 10".
crypto ikev1 policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
! Turns off threat-detection statistics for TCP intercept; not part of the VPN setup.
no threat-detection statistics tcp-intercept
! Tunnel-group keyed by the peer address. The key "root" equals R1's key for
! 30.1.1.1; it is a dictionary word shown in clear text, so treat it as a lab
! placeholder and use a long random value elsewhere.
tunnel-group 10.1.1.1 type ipsec-l2l
tunnel-group 10.1.1.1 ipsec-attributes
 ikev1 pre-shared-key root

--------------------R3-------------------------------

! R3: inside host router behind the 192.168.3.1 firewall.
! Loopback0 is the protected network 3.3.3.0/24 named in the crypto ACLs.
interface Loopback0
ip address 3.3.3.3 255.255.255.0
!
! Link to the firewall's inside interface. No crypto is configured on R3, so
! traffic on this segment is unencrypted.
interface FastEthernet0/0
ip address 192.168.3.3 255.255.255.0
! Default route via the firewall inside address (192.168.3.1).
ip route 0.0.0.0 0.0.0.0 192.168.3.1

-------------------------R4----------------------

! R4: inside host router behind the 192.168.4.1 firewall.
! Loopback0 is the protected network 4.4.4.0/24 named in the crypto ACLs.
interface Loopback0
 ip address 4.4.4.4 255.255.255.0
!
! Link to the firewall's inside interface. No crypto is configured on R4, so
! traffic on this segment is unencrypted.
interface FastEthernet0/0
 ip address 192.168.4.4 255.255.255.0

! Default route via the firewall inside address (192.168.4.1).
ip route 0.0.0.0 0.0.0.0 192.168.4.1