ipsec nat-t 与 vrf 穿越实验

要求：R1做vrf穿 越，R5访问通过R1，R2做，并且R1，R2可以主动的访问R5 

vrf穿越

写两条静态地址映射使 R1，R2可以主动的访问R5 

R5pingR1、R4

R4pingR1、R5

R1pingR5、R4

R1

p vrf k
 rd 1:1
crypto keyring k vrf k 
  pre-shared-key address 0.0.0.0 0.0.0.0 key 6 ccie
!
crypto isakmp policy 10
 authentication pre-share
!
!
crypto ipsec transform-set k esp-3des esp-md5-hmac 
 mode transport
!
!
crypto ipsec profile k
 set transform-set k 

interface Loopback0
 ip address 172.16.0.1 255.255.255.255
!
interface Tunnel0
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 no ip next-hop-self eigrp 1
 no ip split-horizon eigrp 1
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip ospf network broadcast
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel vrf k
 tunnel protection ipsec profile k
!
interface FastEthernet0/0
 ip vrf forwarding k
 ip address 12.0.0.1 255.255.255.0
 duplex full
router eigrp 1
 network 172.16.0.0 0.0.0.255
 network 192.168.0.0
!
ip route vrf k 0.0.0.0 0.0.0.0 12.0.0.2

R2

interface FastEthernet0/0
 ip address 12.0.0.2 255.255.255.0
 duplex full
!
interface FastEthernet1/0
 ip address 23.0.0.2 255.255.255.0
 duplex full
!
interface FastEthernet2/0
 ip address 24.0.0.2 255.255.255.0
 duplex full

R3

interface FastEthernet0/0
 ip address 23.0.0.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex full
!
interface FastEthernet1/0
 ip address 35.0.0.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex full

ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static udp 35.0.0.1 500 23.0.0.1 500 extendable
ip nat inside source static udp 35.0.0.1 4500 23.0.0.1 4500 extendable
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

R5

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key 6 ccie address 0.0.0.0        
!
!
crypto ipsec transform-set k esp-3des esp-md5-hmac 
 mode transport

crypto ipsec profile k
 set transform-set k 

interface Loopback0
 ip address 172.16.1.1 255.255.255.255
!
interface Tunnel0
 ip address 192.168.0.2 255.255.255.0
 no ip redirects
 ip nhrp map 192.168.0.1 12.0.0.1
 ip nhrp map multicast 12.0.0.1
 ip nhrp network-id 100
 ip nhrp nhs 192.168.0.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile k
!
interface FastEthernet0/0
 ip address 35.0.0.1 255.255.255.0
 duplex full
router eigrp 1
 network 172.16.1.1 0.0.0.0
 network 192.168.0.0 0.0.0.255

R4

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key 6 ccie address 0.0.0.0        
!
!
crypto ipsec transform-set k esp-3des esp-md5-hmac 
 mode transport
!
!
crypto ipsec profile k
 set transform-set k 
!
interface Loopback0
 ip address 172.16.2.1 255.255.255.255
!
interface Tunnel0
 ip address 192.168.0.3 255.255.255.0
 no ip redirects
 ip nhrp map 192.168.0.1 12.0.0.1
 ip nhrp map multicast 12.0.0.1
 ip nhrp network-id 100
 ip nhrp nhs 192.168.0.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile k
!
interface FastEthernet0/0
 ip address 24.0.0.1 255.255.255.0
 duplex full
router eigrp 1
 network 172.16.2.1 0.0.0.0
 network 192.168.0.0
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0