With a simple network built from four Cisco routers, configuring Dynamic LAN-to-LAN VPN (DyVPN for short) is not hard, and the same approach carries over to learning how EZVPN is operated. The topology diagram follows (image not preserved in this text):

R1 configuration:
R1#show running-config
Building configuration...

Current configuration : 1347 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
no ip domain lookup
ip domain name lab.local
!
crypto keyring abc
  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile ppp
   keyring abc
   match identity address 0.0.0.0
!
crypto ipsec transform-set ccie esp-3des esp-sha-hmac
!
crypto dynamic-map dymap 5
 set transform-set ccie
 set isakmp-profile ppp
!
crypto map mymap 10 ipsec-isakmp dynamic dymap
!
interface Ethernet0/0
 ip address 12.1.1.1 255.255.255.0
 half-duplex
 crypto map mymap
!
interface Ethernet0/1
 ip address 10.1.1.1 255.255.255.0
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 12.1.1.2
ip route 10.1.2.0 255.255.255.0 10.1.1.5
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end

R2 configuration: omitted (R2 simulates the ISP and only has IP addresses configured).

R3 configuration:

R3#show running-config
Building configuration...

Current configuration : 1889 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
no ip domain lookup
ip domain name lab.local
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 12.1.1.1
!
crypto ipsec transform-set ccie esp-3des esp-sha-hmac
!
crypto map l2l 1 ipsec-isakmp
 set peer 12.1.1.1
 set transform-set ccie
 match address 100
!
interface Ethernet0/0
 ip address 192.168.1.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 half-duplex
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
interface Serial1/0
 ip address 23.1.1.3 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 serial restart-delay 0
 crypto map l2l
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 23.1.1.2
!
ip nat inside source list 110 interface Serial1/0 overload
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 110 deny   ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 deny   ip 192.168.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 110 permit ip any any
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end

R4 configuration:

R4#show running-config
Building configuration...

Current configuration : 1550 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
no ip domain lookup
ip domain name lab.local
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 12.1.1.1
!
crypto ipsec transform-set ccie esp-3des esp-sha-hmac
!
crypto map l2l 1 ipsec-isakmp
 set peer 12.1.1.1
 set transform-set ccie
 match address 100
!
interface Ethernet0/0
 ip address 172.16.1.4 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 half-duplex
!
interface Ethernet0/1
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 half-duplex
 crypto map l2l
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
no ip http server
no ip http secure-server
!
ip nat inside source list 110 interface Ethernet0/1 overload
!
access-list 100 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 permit ip 172.16.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 110 deny   ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 deny   ip 172.16.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 110 permit ip any any
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!

R5 configuration:

R5#show running-config
Building configuration...

Current configuration : 878 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R5
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
no ip domain lookup
ip domain name lab.local
!
interface Ethernet0/0
 ip address 10.1.2.5 255.255.255.0
 half-duplex
!
interface Ethernet0/1
 ip address 10.1.1.5 255.255.255.0
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end

Verification:

R1#show crypto isakmp sa
dst             src             state          conn-id slot status
12.1.1.1        23.1.1.3        QM_IDLE              1    0 ACTIVE
12.1.1.1        24.1.1.1        QM_IDLE              2    0 ACTIVE

R3#ping 10.1.2.5 source 192.168.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.5, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 152/172/204 ms

R4#ping 10.1.2.5 source 172.16.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.5, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 152/170/204 ms

On both R3 and R4, the interesting traffic that IPsec must encrypt (ACL 100) and the NAT bypass for that same traffic (the deny entries in ACL 110) are defined, so traffic from R3 and R4 toward R5 goes through the VPN while traffic toward the Internet goes through NAT. R1 (the hub) cannot initiate traffic toward R3 and R4 (the spokes) to trigger its own SA establishment; it can only respond to VPN requests from the spokes.
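The interaction between ACL 100 and ACL 110 on the spokes is the part of this design that most often goes wrong in practice, so here is an added example (it is not from the original post, and it is written in Python rather than IOS). It parses R3's ACL lines from the configuration above and models the IOS order of operations, which is the one assumption the model rests on: for inside-to-outside traffic, NAT translation is applied before the crypto map is consulted. It classifies a packet as leaving through the VPN, through NAT, or in cleartext, and flags crypto-ACL entries that lack a matching NAT-exempt deny. The variant without the deny lines, the R3_OUTSIDE_IP constant and the 203.0.113.10 destination are constructed for the example.

```python
"""Model of how an IOS spoke evaluates its NAT ACL and crypto ACL for
inside-to-outside traffic, using the ACL lines from R3's configuration.

Assumption (IOS order of operations): NAT inside-to-outside translation runs
before the crypto map is checked, so a packet that the NAT ACL permits is
matched against the crypto ACL with its *translated* source address.
"""
import ipaddress
from dataclasses import dataclass

# Copied from R3's running-config above.
R3_ACLS = [
    "access-list 100 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255",
    "access-list 100 permit ip 192.168.1.0 0.0.0.255 10.1.2.0 0.0.0.255",
    "access-list 110 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255",
    "access-list 110 deny ip 192.168.1.0 0.0.0.255 10.1.2.0 0.0.0.255",
    "access-list 110 permit ip any any",
]
# Constructed "forgot the NAT exemption" variant for comparison.
R3_ACLS_NO_EXEMPT = [l for l in R3_ACLS if not l.startswith("access-list 110 deny")]
# R3's Serial1/0 address, i.e. the address NAT overload translates to.
R3_OUTSIDE_IP = "23.1.1.3"


@dataclass(frozen=True)
class Entry:
    acl: str
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard mask: 0 bits must match, 1 bits are don't-care; invert it to a netmask."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def _take_addr(tokens):
    """Consume one address specification (any | host X | X WILDCARD) from the token list."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(f"{tokens[1]}/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acls(lines):
    """Parse 'access-list <n> <permit|deny> ip <src> <dst>' lines (the only form used on this page)."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line}")
        src, rest = _take_addr(t[4:])
        dst, _ = _take_addr(rest)
        entries.append(Entry(t[1], t[2], src, dst))
    return entries


def match_acl(entries, acl, src_ip, dst_ip):
    """First-match evaluation of one numbered ACL, with IOS's implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in entries:
        if e.acl == acl and s in e.src and d in e.dst:
            return e.action
    return "deny"


def classify(entries, src_ip, dst_ip, outside_ip, nat_acl="110", crypto_acl="100"):
    """Return 'vpn', 'nat' or 'cleartext' for an inside-to-outside packet."""
    natted = match_acl(entries, nat_acl, src_ip, dst_ip) == "permit"
    effective_src = outside_ip if natted else src_ip      # NAT is applied first
    if match_acl(entries, crypto_acl, effective_src, dst_ip) == "permit":
        return "vpn"
    return "nat" if natted else "cleartext"


def nat_exemption_gaps(entries, nat_acl="110", crypto_acl="100"):
    """Crypto-ACL permits that the NAT ACL would still translate (and so never encrypt).

    Heuristic: one representative address pair (the network addresses) per entry."""
    return [e for e in entries
            if e.acl == crypto_acl and e.action == "permit"
            and match_acl(entries, nat_acl,
                          str(e.src.network_address), str(e.dst.network_address)) == "permit"]


if __name__ == "__main__":
    for name, lines in (("R3 as configured", R3_ACLS), ("R3 without ACL 110 deny lines", R3_ACLS_NO_EXEMPT)):
        acls = parse_acls(lines)
        print(name)
        for dst in ("10.1.2.5", "203.0.113.10"):
            print(f"  192.168.1.3 -> {dst}: {classify(acls, '192.168.1.3', dst, R3_OUTSIDE_IP)}")
        print(f"  crypto entries lacking NAT exemption: {len(nat_exemption_gaps(acls))}")
```

Running it shows why the deny entries in ACL 110 matter: without them, traffic from 192.168.1.0/24 to 10.1.2.0/24 is translated to 23.1.1.3 first, no longer matches ACL 100, and leaves Serial1/0 unencrypted as ordinary NAT traffic, even though the crypto map is applied to the interface. A separate point worth noting on the hub side: R1's keyring binds the key cisco123 to address 0.0.0.0 0.0.0.0, so any peer that holds that key can bring a tunnel up against the dynamic map; outside a lab, per-peer keys or certificates, and a stronger proposal than 3DES/SHA-1/group 2, are the usual choice.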
Source: ROS soft-router forum ROSABC.com (network solutions and network engineering exchange)