青蛙不是癞蛤蟆

Establishing a VPN connection over a PPPoE virtual dial-up link

I ran into the same problem. The hub is a Cisco 2611XM router that dials out over a telecom fiber link; the carrier binds a public address to the user account, so whenever that account dials in it receives the same public IP, which is as good as a fixed address. The branch is an ADSL modem plus a Cisco 1721 router that dials PPPoE to the carrier and gets a non-fixed address, different on every dial-up. After configuring the VPN between hub and branch, both sides can browse the Internet, but the VPN simply will not come up. Turning on DEBUG on the branch 1721 produces no output at all. I don't know why. Is this kind of setup feasible at all, and if so, how should it be configured?
-------------------------------------------------------------------------------------------------

My hub router configuration:
Router#sh run

Building configuration...

Current configuration : 2211 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
enable secret 5 $1$AWT9$vJ9knNykKDcVYfZPk5NKp/
!
ip subnet-zero
!
!
!
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key 7309511 address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local zdgjpool
!
!
crypto ipsec transform-set zdgjset esp-des esp-md5-hmac
!
crypto dynamic-map zdgjmap 10
set transform-set zdgjset
match address 115
!
!
crypto map zdgjtrans client configuration address initiate
crypto map zdgjtrans client configuration address respond
crypto map zdgjtrans 1 ipsec-isakmp dynamic zdgjmap
!
!
!
!
!
!
!
mta receive maximum-recipients 0
!
!
!
!
interface FastEthernet0/0
ip address 10.10.1.139 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
!
interface Dialer1
ip address negotiated
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username zdgj password 7 055C545F721C1E59
crypto map zdgjtrans
!
ip local pool zdgjpool 192.168.10.1 192.168.10.254
ip nat inside source route-map nonat interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer 1
ip http server
!
!
access-list 115 permit ip 10.10.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 115 permit ip 10.10.0.0 0.0.255.255 192.168.200.0 0.0.0.255
access-list 115 permit ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 115 permit ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 120 deny ip 10.10.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 120 deny ip 10.10.0.0 0.0.255.255 192.168.200.0 0.0.0.255
access-list 120 permit ip 10.10.0.0 0.0.255.255 any
dialer-list 1 protocol ip permit
!
route-map nonat permit 10
match ip address 120
!
call rsvp-sync
!
!
mgcp profile default
!
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password 7 031E5F0C0C5E731F
login
!
!
end

Router#
Router#
--------------------------------------------------------------------------------------

My branch router configuration:

Building configuration...

Current configuration : 1464 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
logging queue-limit 100
!
ip subnet-zero
!
!
!
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
!
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key 7309511 address x.x.x.x
!
!
crypto ipsec transform-set zdgjset esp-des esp-md5-hmac
!
crypto map zdgjtrans 1 ipsec-isakmp
set peer x.x.x.x
set transform-set zdgjset
match address 115
!
!
!
!
interface Ethernet0
no ip address
half-duplex
pppoe enable
pppoe-client dial-pool-number 1
!
interface FastEthernet0
ip address 192.168.100.1 255.255.255.0
ip nat inside
speed auto
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp pap sent-username wangcd password 7 00554A51560B53545B
crypto map zdgjtrans
!
ip nat inside source route-map nonat interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
!
!
access-list 115 permit ip 192.168.100.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 115 deny ip 192.168.100.0 0.0.0.255 any
access-list 120 deny ip 192.168.100.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 120 permit ip 192.168.100.0 0.0.0.255 any
!
route-map nonat permit 10
match ip address 120
!
!
line con 0
line aux 0
line vty 0 4
!
no scheduler allocate
end

Router#

Internet access works fine; with the following debugs turned on there is no output whatsoever:
debug crypto ipsec
debug crypto isakmp
debug crypto engine
-----------------------------------------------------------------------------------

In a hub-to-spoke topology, spoke-to-spoke communication of course requires every spoke to have a static IP as well. A fellow member has already done this test; reposting it here for everyone:

On deploying a VPN network with four Cisco firewalls
Actually a VPN between four Cisco firewalls is not much different from one between two; you just have to pay close attention to the routing configuration (that is where I spent a very long time: either one route too many or one too few, and either way it won't work). With four Cisco PIXes there are two ways to build the VPN: a centralized one, and a distributed one (my own name for it). In the former, one PIX is the center, all the other units connect to it, and traffic is routed through it; in the latter, every unit has to carry the crypto configuration for the other three (sounds like a lot of work). I used the first type (not out of laziness, but because the customer asked for it, and the customer is king!).
Below are the deployment diagram and the detailed configurations of the four Cisco PIXes:

Detailed configurations:
Hub pix1:
: Saved
: Written by enable_15 at 23:10:31.763 UTC Thu Apr 24 2003
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password NHvIO9dsDwOK8b/k encrypted
passwd NHvIO9dsDwOK8b/k encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip 172.17.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list 101 permit ip 172.17.5.0 255.255.255.0 172.17.10.0 255.255.255.0
access-list 101 permit ip 172.17.10.0 255.255.255.0 172.17.5.0 255.255.255.0
access-list 101 permit ip 172.16.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list 101 permit ip 172.17.5.0 255.255.255.0 172.17.17.0 255.255.255.0
access-list 101 permit ip 172.17.10.0 255.255.255.0 172.17.17.0 255.255.255.0
access-list hyzc permit icmp any any
access-list hyzc permit tcp any any
access-list hyzc permit udp any any
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.2 255.255.255.240
ip address inside 172.17.5.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (outside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group hyzc in interface outside
route outside 0.0.0.0 0.0.0.0 218.7.16.49 1
route inside 172.17.0.0 255.255.0.0 172.17.5.20 1
route outside 172.17.17.0 255.255.255.0 192.168.0.4 1
route outside 172.17.16.0 255.255.255.0 192.168.0.1 1
route outside 172.16.0.0 255.255.255.0 192.168.0.3 1
route outside 172.17.18.0 255.255.255.0 218.7.16.52 1
route outside 172.17.18.64 255.255.255.0 218.7.16.49 1
route outside 218.7.248.100 255.255.255.252 218.7.16.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto map tohyjt 20 ipsec-isakmp
crypto map tohyjt 20 match address 101
crypto map tohyjt 20 set peer 192.168.0.3
crypto map tohyjt 20 set peer 192.168.0.4
crypto map tohyjt 20 set peer 192.168.0.1
crypto map tohyjt 20 set transform-set strong
crypto map tohyjt interface outside
isakmp enable outside
isakmp key cisco address 192.168.0.3 netmask 255.255.255.255
isakmp key cisco address 192.168.0.4 netmask 255.255.255.255
isakmp key cisco address 192.168.0.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
telnet 218.7.16.49 255.255.255.255 inside
telnet 172.17.5.20 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:8982919a8bfa10ba09cddee3f2da0e6a
: end
pix2 configuration:
: Saved
: Written by enable_15 at 00:00:48.042 UTC Fri Apr 25 2003
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password N.swjdczcTdUzgrS encrypted
passwd N.swjdczcTdUzgrS encrypted
hostname HYZCrc
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip 172.17.17.0 255.255.255.0 172.17.10.0 255.255.255.0
access-list 101 permit ip 172.17.17.0 255.255.255.0 172.17.5.0 255.255.255.0
access-list hyzc permit icmp any any
access-list hyzc permit tcp any any
access-list hyzc permit udp any any
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.4 255.255.255.252
ip address inside 172.17.17.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (outside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 218.7.37.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto map tohyzc 20 ipsec-isakmp
crypto map tohyzc 20 match address 101
crypto map tohyzc 20 set peer 192.168.0.2
crypto map tohyzc 20 set transform-set strong
crypto map tohyzc interface outside
isakmp enable outside
isakmp key cisco address 192.168.0.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
telnet 172.17.17.253 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:f63109daf8abcaf74a4f3b30ab01b48a
: end

pix3 configuration:
: Saved
:
PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password X8QPBTnOSyX6X9Y9 encrypted
passwd X8QPBTnOSyX6X9Y9 encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip 172.16.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list hy_in permit tcp any host 218.7.24.163 eq 8080
access-list hy_in permit tcp any host 218.7.24.162 eq pop3
access-list hy_in permit tcp any host 218.7.24.162 eq smtp
access-list hy_in permit icmp any any
access-list hy_in permit tcp any host 218.7.24.169
access-list hy_in permit tcp any host 218.7.24.171
access-list hy_in permit tcp any host 218.7.24.172
access-list hy_in permit tcp any host 218.7.24.173 eq 500
access-list hy_in permit udp any host 218.7.24.173 eq isakmp
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.3 255.255.255.252
ip address inside 172.16.16.5 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group hy_in in interface outside
route outside 0.0.0.0 0.0.0.0 218.7.248.101 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto map tohyzc 20 ipsec-isakmp
crypto map tohyzc 20 match address 101
crypto map tohyzc 20 set peer 218.7.248.134
crypto map tohyzc 20 set transform-set strong
crypto map tohyzc interface outside
isakmp enable outside
isakmp key cisco address 218.7.248.134 netmask 255.255.255.255
isakmp identity address
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
telnet 172.16.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:e4784293ff665fc559df92cb2d1d430e
: end
pix4 configuration:
: Saved
: Written by enable_15 at 00:00:48.042 UTC Fri Apr 25 2003
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password N.swjdczcTdUzgrS encrypted
passwd N.swjdczcTdUzgrS encrypted
hostname HYZCrc
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip 172.17.5.0 255.255.255.0 172.17.16.0 255.255.255.0
access-list 101 permit ip 172.17.10.0 255.255.255.0 172.17.16.0 255.255.255.0
access-list hi permit icmp any any
access-list hi permit tcp any any
access-list hi permit udp any any
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.1 255.255.255.252
ip address inside 172.17.16.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (outside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 218.7.37.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto map tohyzc 20 ipsec-isakmp
crypto map tohyzc 20 match address 101
crypto map tohyzc 20 set peer 192.168.0.2
crypto map tohyzc 20 set transform-set strong
crypto map tohyzc interface outside
isakmp enable outside
isakmp key cisco address 192.168.0.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
telnet 172.17.16.253 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:f63109daf8abcaf74a4f3b30ab01b48a
: end
In the configurations above the main thing is the routing at the hub. Note that when I started configuring, sh isakmp sa showed the SA was established, yet pings failed; it turned out there was no route for the local site. Also, with debug crypto isakmp and debug crypto ipsec running, a ping from a machine on the inside network produced no reaction at all; I later found that the command that activates the extended access list was missing, specifically: nat (inside) 0 access-list 101.
Then on pix3 I had added two extra static routes on the inside toward the hub, and nothing behind pix3 could ping out; once I removed them it worked. So writing too much doesn't work either. Overall, a VPN between two PIXes and one between several units are not much different: mostly you write a few more peers, i.e. crypto map tohyjt 20 set peer 192.168.0.2 (the name tohyjt in the middle is not governed by any rule, write whatever you like, but it is best to keep it consistent) and isakmp key cisco address; and then there are the routes mentioned earlier (visible in the hub configuration; I have hidden the real IPs here for the customer's security and used a private range instead).
I don't know whether this helps anyone; if there are questions, let's learn together.
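
The consistency points this post raises (keep the crypto map name identical on every line of the map, and give every `set peer` a matching `isakmp key`) are exactly what a short lint pass catches before anyone starts reading debug output. The Python script below is an added example, not part of the original post and not Cisco tooling; the sample configuration inside it is constructed, modelled on the spoke PIX configs above, and contains two deliberate copy-paste mistakes (one map line under a different name, one key address that does not match the peer). It also flags a wildcard pre-shared key (`address 0.0.0.0`), because one secret shared by every peer means any host that learns it can negotiate a tunnel.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample modelled on the spoke PIX configs above, with two deliberate
# mistakes of the kind that creep in when entries are copied between units:
# one crypto map line under a different map name, and an isakmp key whose
# address does not match the peer.
SAMPLE = """
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto map tohyzc 20 ipsec-isakmp
crypto map tohyzc 20 match address 101
crypto map tohyjt 20 set peer 192.168.0.2
crypto map tohyzc 20 set transform-set strong
crypto map tohyzc interface outside
isakmp enable outside
isakmp key cisco address 192.168.0.22 netmask 255.255.255.255
"""

TRANSFORM_RE = re.compile(r"^crypto ipsec transform-set (\S+)")
MAP_ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
MAP_IFACE_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")        # PIX: apply map to interface
MAP_IOS_APPLY_RE = re.compile(r"^crypto map (\S+)$")                     # IOS: line under an interface
ISAKMP_KEY_RE = re.compile(r"^(?:crypto )?isakmp key \S+ address (\S+)")  # PIX and IOS forms


def lint_crypto(config: str) -> List[str]:
    """Cross-reference the crypto lines of a PIX/IOS config and return findings."""
    transform_sets, keys, applied = set(), set(), set()
    maps: Dict[str, Dict[str, Dict[str, object]]] = defaultdict(lambda: defaultdict(dict))
    for raw in config.splitlines():
        line = raw.strip()
        if (m := TRANSFORM_RE.match(line)):
            transform_sets.add(m.group(1))
        elif (m := ISAKMP_KEY_RE.match(line)):
            keys.add(m.group(1))
        elif (m := MAP_IFACE_RE.match(line)) or (m := MAP_IOS_APPLY_RE.match(line)):
            applied.add(m.group(1))
        elif (m := MAP_ENTRY_RE.match(line)):
            name, seq, rest = m.groups()
            entry = maps[name][seq]
            words = rest.split()
            if rest.startswith("ipsec-isakmp dynamic "):
                entry["dynamic"] = words[2]          # peers/ACL come from the dynamic map
            elif rest.startswith("set peer "):
                entry.setdefault("peers", []).append(words[2])
            elif rest.startswith("set transform-set "):
                entry["transform"] = words[2]
            elif rest.startswith("match address "):
                entry["acl"] = words[2]

    findings: List[str] = []
    if "0.0.0.0" in keys:
        findings.append("wildcard isakmp key: every peer that knows the secret can negotiate")
    for name, entries in maps.items():
        if applied and name not in applied:
            findings.append(f"crypto map {name} is never applied to an interface "
                            f"(typo for {', '.join(sorted(applied))}?)")
        for seq, entry in entries.items():
            if entry.get("dynamic"):
                continue
            peers = entry.get("peers", [])
            if not peers:
                findings.append(f"{name} {seq}: no set peer")
            if "acl" not in entry:
                findings.append(f"{name} {seq}: no match address")
            if "transform" not in entry:
                findings.append(f"{name} {seq}: no set transform-set")
            elif entry["transform"] not in transform_sets:
                findings.append(f"{name} {seq}: transform-set {entry['transform']} is not defined")
            for peer in peers:
                if peer not in keys and "0.0.0.0" not in keys:
                    findings.append(f"{name} {seq}: no isakmp key matches peer {peer}")
    return findings


if __name__ == "__main__":
    for finding in lint_crypto(SAMPLE):
        print(finding)
```

Run it against `show running-config` output of each unit before comparing debugs; a map name that is never applied to an interface is the PIX equivalent of a typo that leaves half the entry unused.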
--------------------------------------------------------------------------------------

Continuing the discussion.
balance may have misunderstood me. The real difficulty now is how the hub can associate each spoke with the corresponding LAN addresses.
A very simple hub-spoke example:

192.168.2/24--b-2.2.2.2---------------------
                1.1.1.1-A-192.168.1/24
192.168.3/24--C-3.3.3.3---------------------
With the public addresses of the two spokes B and C both fixed, the hub must have at least the following configuration:
crypto map mymap 10 ipsec-isakmp
set peer 2.2.2.2
match address 102
crypto map mymap 11 ipsec-isakmp
set peer 3.3.3.3
match address 103
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
As you can see, the association between each LAN segment and a spoke is in fact specified manually in the ACL, and tied to the corresponding spoke through the ACL's association with set peer.

So when a spoke's address is dynamic, how can a LAN be bound to the corresponding spoke??? pepeng says the spoke might exchange information about its back-end LAN while negotiating the SA; I think that is unlikely, at least in Cisco's IPsec implementation the chance is very small (if it really could, IPsec configuration would be greatly simplified).

So my conclusion remains: in current implementations, hub-spoke LAN-to-LAN IPsec requires every site to have a fixed public IP address. It later turned out that this conclusion was wrong.

-----------------------------------------------------------------------------
One more note: there is a big difference between real-world and lab environments.
1. Whether hub or spoke, at the routing level each has just a default route to the ISP's first-hop router.
2. In the real world, spoke addresses are completely dynamic, so peers cannot be configured; you can only configure it the way an access VPN is configured, or use set peer 0.0.0.0 to match all spokes. In that case the crucial question is how the hub knows which LAN sits behind which spoke????
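
The question in this post and in the first post of the thread (does the hub accept a spoke it cannot name in `set peer`, and how does it know which LAN is behind it) comes down to what a dynamic crypto map checks in IKE Quick Mode: the hub does not learn the LAN from its configuration, it takes the proxy identities the spoke proposes and accepts them if they fall inside a permit entry of the dynamic map's `match address` ACL read in mirror image. The script below is an added example, not code from the original thread or from Cisco. It runs that check against the hub and branch ACLs posted at the top of the thread, and also verifies that the NAT route-map ACL exempts the same traffic: on IOS, inside-to-outside NAT runs before the crypto map, so traffic that has been PATted never matches the crypto ACL and produces no crypto debug output at all. (A related check when debugging over telnet: `terminal monitor` is needed to see debug output on a vty; only the console shows it by default.)

```python
import ipaddress
from typing import List, Tuple

Network = ipaddress.IPv4Network
Ace = Tuple[str, Network, Network]  # (permit|deny, source, destination)

# Sample input: the crypto ACL (115) and the NAT-exemption ACL (120) of the hub
# 2611XM and the branch 1721, copied from the configurations posted above.
HUB_CONFIG = """
access-list 115 permit ip 10.10.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 115 permit ip 10.10.0.0 0.0.255.255 192.168.200.0 0.0.0.255
access-list 115 permit ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 115 permit ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 120 deny ip 10.10.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 120 deny ip 10.10.0.0 0.0.255.255 192.168.200.0 0.0.0.255
access-list 120 permit ip 10.10.0.0 0.0.255.255 any
"""
SPOKE_CONFIG = """
access-list 115 permit ip 192.168.100.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 115 deny ip 192.168.100.0 0.0.0.255 any
access-list 120 deny ip 192.168.100.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 120 permit ip 192.168.100.0 0.0.0.255 any
"""

ALL_ONES = int(ipaddress.IPv4Address("255.255.255.255"))


def _address(tokens: List[str], i: int) -> Tuple[Network, int]:
    """Consume one IOS address spec (any | host A | A WILDCARD) at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard masks are inverted netmasks: 0 bits must match, 1 bits are "don't care"
    netmask = ipaddress.IPv4Address(ALL_ONES ^ int(ipaddress.IPv4Address(tokens[i + 1])))
    return ipaddress.IPv4Network(f"{tok}/{netmask}", strict=False), i + 2


def parse_acl(config: str, number: str) -> List[Ace]:
    """Return the 'access-list <number> permit|deny ip SRC DST' entries in order."""
    entries: List[Ace] = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[:2] != ["access-list", number] or t[3] != "ip":
            continue
        src, i = _address(t, 4)
        dst, _ = _address(t, i)
        entries.append((t[2], src, dst))
    return entries


def dynamic_map_accepts(hub_acl: List[Ace], spoke_src: Network, spoke_dst: Network) -> bool:
    """Responder-side check a hub with 'crypto dynamic-map ... match address N' makes in
    Quick Mode: the proxy IDs the spoke proposes must fit inside one permit entry of the
    hub's ACL read in mirror image (spoke source == hub destination and vice versa)."""
    return any(action == "permit"
               and spoke_dst.subnet_of(hub_src) and spoke_src.subnet_of(hub_dst)
               for action, hub_src, hub_dst in hub_acl)


def proposal_accepted(hub_config: str, acl: str, spoke_src: str, spoke_dst: str) -> bool:
    """String-friendly wrapper: would the hub accept a spoke proposing SRC -> DST?"""
    return dynamic_map_accepts(parse_acl(hub_config, acl),
                               ipaddress.IPv4Network(spoke_src), ipaddress.IPv4Network(spoke_dst))


def check_spoke(hub_config: str, spoke_config: str, crypto_acl: str, nat_acl: str) -> List[str]:
    """Findings for one spoke: every permit in its crypto ACL must be accepted by the hub
    and must be denied in the NAT route-map ACL; otherwise PAT rewrites the source before
    the crypto map sees the packet and it never matches (hence no crypto debug output)."""
    findings: List[str] = []
    hub_acl = parse_acl(hub_config, crypto_acl)
    nat_denies = [(s, d) for a, s, d in parse_acl(spoke_config, nat_acl) if a == "deny"]
    for action, src, dst in parse_acl(spoke_config, crypto_acl):
        if action != "permit":
            continue
        if not dynamic_map_accepts(hub_acl, src, dst):
            findings.append(f"hub would reject proxy IDs {src} -> {dst}")
        if not any(src.subnet_of(ns) and dst.subnet_of(nd) for ns, nd in nat_denies):
            findings.append(f"{src} -> {dst} is NATed before encryption: no deny in ACL {nat_acl}")
    return findings


if __name__ == "__main__":
    print(check_spoke(HUB_CONFIG, SPOKE_CONFIG, "115", "120") or "spoke ACLs consistent with hub")
```

For the posted configs the check comes back clean: the branch proposes 192.168.100.0/24 to 10.10.1.0/24, which sits inside the hub's 10.10.0.0/16 to 192.168.100.0/24 entry, so the hub would accept the SA and thereby learn the LAN behind the dynamic spoke for as long as that SA lives. The asymmetry of the two ACLs also shows the limitation: only the spoke can initiate, because the hub's dynamic map has no peer to send a proposal to.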
-------------------------------------------------------------------------------
Cisco now has something called DMVPN (Dynamic Multipoint VPN) that enables communication between spokes with dynamic IPs; the link above has a sample.

Dynamic Multipoint VPN: Generic Routing Encapsulation (GRE) provides multiprotocol routing, dynamic routing updates for site-to-site networks, and multicast access. Dynamic Multipoint VPN (DMVPN) extends this by providing the same GRE benefits to dynamic users (i.e. access to IP/TV) and also provides "full-mesh" site-to-site connectivity. DMVPN can achieve this because it is used in combination with Next Hop Resolution Protocol (NHRP) and multipoint GRE.

Primary DMVPN hub configuration:

crypto isakmp policy 1
encr 3des
!
crypto ipsec transform-set t1 esp-3des esp-sha-hmac
mode transport
crypto ipsec transform-set t2 esp-3des esp-sha-hmac
crypto ipsec transform-set t3 esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set t4 esp-3des esp-sha-hmac comp-lzs
mode transport
!
crypto dynamic-map dmap 20
set transform-set t2 t1 t3 t4
!
crypto map test local-address Loopback0
crypto map test 1 ipsec-isakmp dynamic dmap
!
interface Loopback0
ip address 128.107.108.129 255.255.255.255
!
interface Tunnel0
description MGRE + NHRP
bandwidth 2000
ip address 3.3.3.1 255.255.255.0
no ip redirects
ip mtu 1436
ip pim nbma-mode
ip pim sparse-dense-mode
ip multicast rate-limit out 768
ip nhrp map multicast dynamic
ip nhrp network-id 10107
ip nhrp server-only
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 10107
!
interface Tunnel11
description MGRE + NHRP (split-tunneling)
bandwidth 2000
ip address 3.4.3.1 255.255.255.0
no ip redirects
ip mtu 1436
ip pim nbma-mode
ip pim sparse-dense-mode
ip nhrp map multicast dynamic
ip multicast rate-limit out 768
ip nhrp network-id 14107
ip nhrp server-only
ip igmp explicit-tracking
ip igmp version 3
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 14107
!
interface FastEthernet0/1
ip address 10.34.250.44 255.255.255.248
ip pim sparse-dense-mode
duplex auto
speed auto
crypto map test


Secondary DMVPN hub configuration:

crypto isakmp policy 1
encr aes
!
crypto isakmp policy 2
encr 3des
crypto isakmp keepalive 30 5
!
crypto ipsec transform-set t1 esp-3des esp-sha-hmac
mode transport
crypto ipsec transform-set t2 esp-3des esp-sha-hmac
crypto ipsec transform-set t3 esp-aes esp-sha-hmac
crypto ipsec transform-set t4 esp-aes esp-sha-hmac
mode transport
!
crypto dynamic-map dmap 10
set transform-set t1 t2 t3 t4
!
crypto map test local-address Loopback0
crypto map test 1 ipsec-isakmp dynamic dmap
!
interface Loopback0
ip address 128.107.108.131 255.255.255.255
!
interface Tunnel0
description MGRE + NHRP
bandwidth 1500
ip address 3.3.5.1 255.255.255.0
no ip redirects
ip mtu 1416
ip pim nbma-mode
ip pim sparse-dense-mode
ip multicast rate-limit out 768
ip nhrp map multicast dynamic
ip nhrp network-id 10127
ip nhrp holdtime 600
ip nhrp server-only
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 10127
!
interface Tunnel11
description MGRE + NHRP (split-tunneling)
bandwidth 1500
ip address 3.4.5.1 255.255.255.0
no ip redirects
ip mtu 1436
ip pim nbma-mode
ip pim sparse-dense-mode
ip multicast rate-limit out 768
ip nhrp map multicast dynamic
ip nhrp network-id 14127
ip nhrp server-only
ip igmp version 3
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 14127
!
interface FastEthernet1/0
ip address 10.34.250.46 255.255.255.248
ip pim sparse-dense-mode
duplex full
crypto map test


Spoke 1 configuration:

crypto isakmp policy 1
encr aes
!
crypto isakmp policy 2
encr 3des
!
crypto isakmp keepalive 10
!
crypto ipsec security-association lifetime kilobytes 530000000
crypto ipsec security-association lifetime seconds 14400
!
crypto ipsec transform-set t1 esp-3des esp-sha-hmac
crypto ipsec transform-set VPNSC_TS_1 esp-3des esp-sha-hmac
crypto ipsec transform-set t3 esp-aes esp-sha-hmac
!
crypto ipsec profile stealth-vpnprof
set transform-set t3 t1 VPNSC_TS_1
!
interface Tunnel0
description MGRE + NHRP - Primary
bandwidth 2000
ip address 3.4.3.2 255.255.255.0
no ip redirects
ip mtu 1400
ip pim sparse-dense-mode
ip multicast rate-limit out 128
ip nhrp map multicast 128.107.108.129
ip nhrp map 3.4.3.1 128.107.108.129
ip nhrp network-id 14107
ip nhrp holdtime 300
ip nhrp nhs 3.4.3.1
tunnel source Ethernet1
tunnel mode gre multipoint
tunnel key 14107
tunnel protection ipsec profile stealth-vpnprof
!
interface Tunnel1
description MGRE + NHRP - Load Balance/Failover
bandwidth 1500
ip address 3.4.5.2 255.255.255.0
no ip redirects
ip mtu 1400
ip pim sparse-dense-mode
ip multicast rate-limit out 128
ip nhrp authentication stealth
ip nhrp map multicast 128.107.108.131
ip nhrp map 3.4.5.1 128.107.108.131
ip nhrp network-id 14127
ip nhrp holdtime 300
ip nhrp nhs 3.4.5.1
tunnel source Ethernet1
tunnel mode gre multipoint
tunnel key 14127
tunnel protection ipsec profile stealth-vpnprof
!
router eigrp 6
network 3.4.3.0 0.0.0.255
network 3.4.5.0 0.0.0.255
network 10.32.254.32 0.0.0.15
no auto-summary
no eigrp log-neighbor-changes
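
The question that runs through this whole thread, how a hub can know which public address and which LAN sit behind a spoke whose address changes on every dial-up, is what NHRP answers in DMVPN: each spoke registers its tunnel address together with its current public (NBMA) address with the hub's next-hop server, re-registers when that address changes, and can ask the server to resolve another spoke's tunnel address so that a direct spoke-to-spoke tunnel can be built; the LAN prefixes themselves arrive through the routing protocol running over the tunnel (EIGRP 6 in the spoke config above). The Python model below is an added example, not Cisco code and not part of the original post; it reduces the protocol to registration, resolution and cache ageing. The spoke public addresses in it are constructed; the tunnel keys and the authentication string are taken from the configs above. Two checks a practitioner would make on those configs: the GRE `tunnel key` must match between a spoke tunnel and the hub tunnel it registers with (14107 and 14127 do), and `ip nhrp authentication` must be identical on both ends, which in the posted configs is not the case for Spoke 1 Tunnel1 (`ip nhrp authentication stealth`) against the secondary hub's Tunnel11 (no authentication line); `ip nhrp network-id` is significant only to the local router.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class NextHopServer:
    """One mGRE tunnel interface on a DMVPN hub (ip nhrp server-only). Simplified model."""
    tunnel_key: int
    nhrp_auth: Optional[str] = None
    # tunnel address -> (current NBMA/public address, remaining holdtime in seconds)
    cache: Dict[str, Tuple[str, int]] = field(default_factory=dict)

    def register(self, tunnel_ip: str, nbma_ip: str, tunnel_key: int,
                 nhrp_auth: Optional[str], holdtime: int) -> str:
        """NHRP Registration Request from a spoke, carried inside GRE."""
        if tunnel_key != self.tunnel_key:
            # GRE key mismatch: the packet is never delivered to this tunnel interface
            return "dropped: tunnel key mismatch"
        if nhrp_auth != self.nhrp_auth:
            # 'ip nhrp authentication' strings must be identical on both ends
            return "rejected: nhrp authentication mismatch"
        self.cache[tunnel_ip] = (nbma_ip, holdtime)
        return "registered"

    def resolve(self, tunnel_ip: str) -> Optional[str]:
        """NHRP Resolution Request: which public address currently reaches tunnel_ip?"""
        entry = self.cache.get(tunnel_ip)
        return entry[0] if entry else None

    def age(self, seconds: int) -> None:
        """Tick the cache: an entry that is not refreshed within its holdtime disappears."""
        for tunnel_ip, (nbma_ip, remaining) in list(self.cache.items()):
            if remaining <= seconds:
                del self.cache[tunnel_ip]
            else:
                self.cache[tunnel_ip] = (nbma_ip, remaining - seconds)


@dataclass
class Spoke:
    """One mGRE tunnel interface on a spoke whose public address is dynamic."""
    tunnel_ip: str
    nbma_ip: str
    tunnel_key: int
    nhrp_auth: Optional[str] = None
    holdtime: int = 300          # 'ip nhrp holdtime 300' in the spoke config above

    def register_with(self, nhs: NextHopServer) -> str:
        return nhs.register(self.tunnel_ip, self.nbma_ip, self.tunnel_key,
                            self.nhrp_auth, self.holdtime)


def spoke_to_spoke(nhs: NextHopServer, src: Spoke, dst_tunnel_ip: str) -> Optional[Tuple[str, str]]:
    """src wants to reach dst_tunnel_ip: resolve through the NHS, then the GRE/IPsec
    tunnel is built directly between the two public addresses, bypassing the hub."""
    dst_nbma = nhs.resolve(dst_tunnel_ip)
    return (src.nbma_ip, dst_nbma) if dst_nbma else None


def demo() -> dict:
    # Tunnel keys and the auth string come from the configs above; the spokes'
    # public addresses are constructed (the configs do not show them).
    primary = NextHopServer(tunnel_key=14107)                 # primary hub Tunnel11, no nhrp authentication
    secondary = NextHopServer(tunnel_key=14127)               # secondary hub Tunnel11, no nhrp authentication
    spoke1_t0 = Spoke("3.4.3.2", "203.0.113.10", 14107)       # Spoke 1 Tunnel0
    spoke1_t1 = Spoke("3.4.5.2", "203.0.113.10", 14127, nhrp_auth="stealth")  # Spoke 1 Tunnel1
    spoke2 = Spoke("3.4.3.3", "198.51.100.7", 14107)          # constructed second spoke
    results = {
        "spoke1 -> primary": spoke1_t0.register_with(primary),
        "spoke1 -> secondary": spoke1_t1.register_with(secondary),
        "spoke2 -> primary": spoke2.register_with(primary),
    }
    results["spoke1 -> spoke2"] = spoke_to_spoke(primary, spoke1_t0, "3.4.3.3")
    spoke2.nbma_ip = "198.51.100.99"       # spoke2 redials PPPoE and receives a new address
    spoke2.register_with(primary)          # its re-registration updates the hub's cache
    results["after redial"] = primary.resolve("3.4.3.3")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The model makes the operational point visible: the hub never needs a static `set peer` per spoke, because the spoke tells the hub where it is and keeps telling it after every redial; and a mismatched authentication string fails silently at registration, so `show ip nhrp` on the hub (empty for that spoke) is the first thing to look at when a spoke's tunnel is up but nothing is learned.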

posted on 2006-08-11 11:51 by 学习资料库, read 603 times, 0 comments, category: MPLS/VPN

