1. Topology:

A. Traditional configuration:

(topology diagram)

B. Static VTI on both ends:

(topology diagram)

C. Dynamic VTI on one end, Static VTI on the other:

(topology diagram)

2. Basic interface configuration:
A.R1

interface Loopback0
ip address 192.168.1.1 255.255.255.0
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
no shut
B.R2
interface Ethernet0/0
ip address 10.1.1.2 255.255.255.0
no shut  
interface Ethernet0/1
ip address 202.100.1.2 255.255.255.0
no shut
C.R3
interface FastEthernet0/0
ip address 202.100.1.3 255.255.255.0
no shut
interface FastEthernet0/1
ip address 202.100.2.3 255.255.255.0
no shut
D.R4
interface Ethernet0/0
ip address 20.1.1.4 255.255.255.0
no shut  
interface Ethernet0/1
ip address 202.100.2.4 255.255.255.0
no shut
E.R5
interface Loopback0
ip address 192.168.2.5 255.255.255.0
interface FastEthernet0/0
ip address 20.1.1.5 255.255.255.0
no shut
3. Static routing and PAT configuration:
A. Static route configuration:
①R1

 ip route 0.0.0.0 0.0.0.0 10.1.1.2
②R2
 ip route 0.0.0.0 0.0.0.0 202.100.1.3
 ip route 192.168.1.0 255.255.255.0 10.1.1.1
③R4
 ip route 0.0.0.0 0.0.0.0 202.100.2.3
 ip route 192.168.2.0 255.255.255.0 20.1.1.5
④R5
 ip route 0.0.0.0 0.0.0.0 20.1.1.4
B. Dynamic PAT configuration:
①R2

ip access-list extended 100
permit ip 192.168.1.0 0.0.0.255 any
permit ip 10.1.1.0 0.0.0.255 any
int e0/0
ip nat inside
int e0/1
ip nat outside
ip nat inside source list 100 interface e0/1
②R4
ip access-list extended 100
permit ip 192.168.2.0 0.0.0.255 any
permit ip 20.1.1.0 0.0.0.255 any
int e0/0
ip nat inside
int e0/1
ip nat outside
ip nat inside source list 100 interface e0/1
C. Static PAT configuration:
①R2

ip nat inside source static udp 10.1.1.1 500 interface e0/1 500
ip nat inside source static udp 10.1.1.1 4500 interface e0/1 4500
②R4
ip nat inside source static udp 20.1.1.5 500 interface e0/1 500
ip nat inside source static udp 20.1.1.5 4500 interface e0/1 4500
Note: with the VTI approaches, static PAT only needs to be configured on one end, because the dynamic routing protocol keeps the VPN tunnel up, so a connection initiated from the inside network at either end succeeds (the DVTI end passively accepts connections from others, so it must have static PAT).
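A quick way to check the condition stated in the note above, as an added example that is not part of the original post: the Python script below parses the NAT lines of a PAT router (the R2 and R4 lines from this post are embedded as constructed sample text, together with a constructed variant of R4 that has only dynamic PAT) and reports whether an inside host can initiate IKE through it and which inside host, if any, will receive unsolicited IKE on UDP 500 and 4500. The regexes and the requirement that both ports map unchanged to the same inside host are this example's own assumptions.

```python
import re

# Constructed sample: NAT lines copied from the post's R2 and R4 sections.
R2_CONFIG = """\
ip nat inside source list 100 interface e0/1
ip nat inside source static udp 10.1.1.1 500 interface e0/1 500
ip nat inside source static udp 10.1.1.1 4500 interface e0/1 4500
"""
R4_CONFIG = """\
ip nat inside source list 100 interface e0/1
ip nat inside source static udp 20.1.1.5 500 interface e0/1 500
ip nat inside source static udp 20.1.1.5 4500 interface e0/1 4500
"""
# Constructed variant: R4 with dynamic PAT only (the case the note warns about
# for a DVTI end, which has to answer IKE rather than start it).
R4_DYNAMIC_ONLY = "ip nat inside source list 100 interface e0/1\n"

STATIC_RE = re.compile(
    r"^ip nat inside source static udp (?P<inside>\S+) (?P<iport>\d+) "
    r"interface (?P<outif>\S+) (?P<oport>\d+)$")
DYNAMIC_RE = re.compile(
    r"^ip nat inside source list (?P<acl>\S+) interface (?P<outif>\S+)$")

IKE_PORTS = (500, 4500)   # ISAKMP and NAT-T (UDP-encapsulated ESP)


def parse_pat(config):
    """Return (dynamic_acls, static_map).

    static_map is {outside_port: (inside_host, inside_port)} for UDP static PAT.
    """
    dynamic, static = [], {}
    for raw in config.splitlines():
        line = raw.strip()
        if (m := STATIC_RE.match(line)):
            static[int(m["oport"])] = (m["inside"], int(m["iport"]))
        elif (m := DYNAMIC_RE.match(line)):
            dynamic.append(m["acl"])
    return dynamic, static


def ike_roles(config):
    """Summarise what IKE can do through this PAT router.

    initiate: an inside host can start IKE (any PAT entry suffices, since
              the router creates the translation for outbound packets).
    respond:  the inside host that receives unsolicited IKE, or None.  Both
              UDP/500 and UDP/4500 must be forwarded, port unchanged, to the
              same host, because NAT-T moves the exchange to 4500 as soon as
              a NAT is detected.
    """
    dynamic, static = parse_pat(config)
    targets = set()
    for port in IKE_PORTS:
        entry = static.get(port)
        if entry is None or entry[1] != port:
            targets = set()          # one port missing or remapped: cannot respond
            break
        targets.add(entry[0])
    return {
        "initiate": bool(dynamic) or bool(static),
        "respond": targets.pop() if len(targets) == 1 else None,
    }


if __name__ == "__main__":
    for name, cfg in (("R2", R2_CONFIG), ("R4", R4_CONFIG),
                      ("R4 (dynamic only)", R4_DYNAMIC_ONLY)):
        print(name, ike_roles(cfg))
```

With the post's configuration both R2 and R4 report a responder (10.1.1.1 and 20.1.1.5 respectively); the dynamic-only variant can still initiate but reports no responder, which is the situation in which only the other end may dial in.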
4. Traditional VPN configuration:
A. Phase 1:
①R1

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 202.100.2.4
②R5
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 202.100.1.2
B. Phase 2:
R1   crypto ipsec transform-set transet esp-3des esp-sha-hmac
R5   crypto ipsec transform-set transet esp-3des esp-sha-hmac
C. Interesting traffic and crypto map:
①R1

ip access-list extended ***
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto map crymap 10 ipsec-isakmp
set peer 202.100.2.4
set transform-set transet
match address ***
②R5
ip access-list extended ***
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map crymap 10 ipsec-isakmp
set peer 202.100.1.2
set transform-set transet
match address ***
D. Apply the crypto map to the physical interface:
①R1

int f0/0
crypto map crymap
②R5
int f0/0
crypto map crymap
5. Static VTI VPN configuration:
A. Phase 1:
①R1

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 0 cisco address 202.100.2.4
②R5
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 0 cisco address 202.100.1.2
B. Phase 2:
①R1

crypto ipsec transform-set transet esp-3des esp-sha-hmac
②R5
crypto ipsec transform-set transet esp-3des esp-sha-hmac
C. IPsec profile referencing the Phase 2 policy:
①R1

crypto ipsec profile ipsecprofile
set transform-set transet
②R5
crypto ipsec profile ipsecprofile
set transform-set transet
D. VTI interface configuration:
① Tunnel interface configuration:
R1

int tun 0
tunnel source FastEthernet0/0
tunnel destination 202.100.2.4
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsecprofile
ip add 172.16.1.1 255.255.255.0
R5
int tun 0
tunnel source FastEthernet0/0
tunnel destination 202.100.1.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsecprofile
ip add 172.16.1.5 255.255.255.0
② Dynamic routing:
R1
router eigrp 10
no auto-summary
network 172.16.1.0 0.0.0.255
net 192.168.1.0 0.0.0.255
R5
router eigrp 10
no auto-summary
net 172.16.1.0 0.0.0.255
net 192.168.2.0 0.0.0.255
6. Dynamic VTI VPN configuration:
A. R1 (hub):
① Phase 1:

crypto keyring R4
pre-shared-key address 202.100.2.4 key cisco
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp profile isakmpprofile
  keyring R4
  match identity address 20.1.1.5
  virtual-template 1
Note: the identity address in the ISAKMP profile must be the peer's real address, not its post-NAT address.
② Phase 2:
crypto ipsec transform-set transet esp-3des esp-sha-hmac
③ IPsec profile referencing the Phase 1 and Phase 2 policies:
crypto ipsec profile ipsecprofile
set transform-set transet
set isakmp-profile isakmpprofile
④ VTI configuration:
interface Loopback100
ip address 172.16.1.1 255.255.255.0
interface Virtual-Template1 type tunnel
ip unnumbered Loopback100
tunnel source FastEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsecprofile
Note: configuring an IP address directly on the virtual-template interface seems to cause problems.
B. R5 (spoke):
① Phase 1:

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 202.100.1.2
② Phase 2:
crypto ipsec transform-set transet esp-3des esp-sha-hmac
③ IPsec profile referencing the Phase 2 policy:

crypto ipsec profile ipsecprofile
set transform-set transet
④ VTI configuration:
interface Tunnel0
ip address 172.16.1.5 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 202.100.1.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsecprofile
C. Dynamic routing configuration:
①R1

router eigrp 10
network 172.16.1.0 0.0.0.255
network 192.168.1.0
no auto-summary
②R5
router eigrp 10
network 172.16.1.0 0.0.0.255
network 192.168.2.0
no auto-summary
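The Phase 1 and Phase 2 parameters are the same in sections 4, 5 and 6 (3DES, MD5, DH group 2, esp-3des/esp-sha-hmac), which is fine for a lab but is what a reviewer would flag on a production router. The following added example, not part of the original post, is a small linter for exactly these lines: it parses crypto isakmp policy blocks and transform-sets, applies the IOS IKEv1 defaults when an attribute is omitted (DES, SHA-1, group 1), and reports legacy choices. The severity table and the constructed stronger configuration (AES-256, SHA-256, group 14) are this example's own.

```python
import re

# Constructed sample: the Phase 1 / Phase 2 lines used throughout the post.
POST_CONFIG = """\
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto ipsec transform-set transet esp-3des esp-sha-hmac
"""

# Constructed sample: the same policy with stronger, still IKEv1, choices.
STRONGER_CONFIG = """\
crypto isakmp policy 10
encr aes 256
hash sha256
authentication pre-share
group 14
crypto ipsec transform-set transet esp-aes 256 esp-sha256-hmac
"""

# IOS IKEv1 defaults used when an attribute is left out of a policy.
DEFAULTS = {"encr": "des", "hash": "sha", "group": "1"}

# Values this example flags (its own classification, following common guidance).
LEGACY = {
    "encr": {"des": "56-bit key", "3des": "64-bit block cipher (Sweet32)"},
    "hash": {"md5": "collision-broken hash", "sha": "SHA-1"},
    "group": {"1": "768-bit Diffie-Hellman", "2": "1024-bit Diffie-Hellman",
              "5": "1536-bit Diffie-Hellman"},
}
LEGACY_TRANSFORMS = {
    "esp-des": "56-bit key",
    "esp-3des": "64-bit block cipher (Sweet32)",
    "esp-md5-hmac": "HMAC-MD5 integrity",
    "esp-sha-hmac": "HMAC-SHA-1 integrity",
}

POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)$")
ATTR_RE = re.compile(r"^(encr|encryption|hash|authentication|group|lifetime) (.+)$")
TRANSFORM_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")


def parse_isakmp_policies(config):
    """Return {policy_number: {attribute: value}} for each crypto isakmp policy block."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if (m := POLICY_RE.match(line)):
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and (m := ATTR_RE.match(line)):
            key = "encr" if m.group(1) == "encryption" else m.group(1)
            current[key] = m.group(2)
        elif line.startswith("crypto "):
            current = None      # any other top-level crypto command ends the block
    return policies


def parse_transform_sets(config):
    """Return {name: [transforms]}; key-size tokens such as '256' are dropped."""
    sets = {}
    for raw in config.splitlines():
        if (m := TRANSFORM_RE.match(raw.strip())):
            sets[m.group(1)] = [t for t in m.group(2).split() if not t.isdigit()]
    return sets


def lint(config):
    """Return one finding per legacy Phase 1 attribute or Phase 2 transform."""
    findings = []
    for num, attrs in sorted(parse_isakmp_policies(config).items()):
        for key, table in LEGACY.items():
            raw = attrs.get(key)
            value = (raw or DEFAULTS[key]).split()[0]   # 'aes 256' -> 'aes'
            if value in table:
                origin = "" if raw else " (implicit default)"
                findings.append(f"isakmp policy {num}: {key} {value}{origin}: {table[value]}")
    for name, transforms in sorted(parse_transform_sets(config).items()):
        for t in transforms:
            if t in LEGACY_TRANSFORMS:
                findings.append(f"transform-set {name}: {t}: {LEGACY_TRANSFORMS[t]}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("post", POST_CONFIG), ("stronger", STRONGER_CONFIG)):
        print(label, lint(cfg) or "no findings")
```

The implicit-default handling is the part worth keeping even if the table is tuned: a policy that simply omits encr, hash or group silently negotiates DES, SHA-1 and group 1, and the linter reports those as findings marked "(implicit default)".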
7. Verification:
A. Traditional and Static VTI approaches:
R1#ping 192.168.2.5 source l0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.5, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 188/240/276 ms
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
202.100.2.4     10.1.1.1        QM_IDLE           1003    0 ACTIVE
IPv6 Crypto ISAKMP SA
R1#show crypto engine conn active
Crypto Engine Connections
  ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
   7 Fa0/0      IPsec 3DES+SHA                  0        4 10.1.1.1
   8 Fa0/0      IPsec 3DES+SHA                  4        0 10.1.1.1
1003 Fa0/0      IKE   MD5+3DES                  0        0 10.1.1.1
B. Dynamic VTI approach:
R1#show ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.1.1        YES manual up                    up      
FastEthernet0/1            unassigned      YES unset  administratively down down    
Virtual-Access1            unassigned      YES unset  down                  down    
Virtual-Template1          172.16.1.1      YES TFTP   down                  down    
Virtual-Access2            172.16.1.1      YES TFTP   up                    up      
Loopback0                  192.168.1.1     YES manual up                    up      
Loopback100                172.16.1.1      YES manual up                    up      
R1#show ip route eigrp
D    192.168.2.0/24 [90/297372416] via 172.16.1.5, 00:01:06, Virtual-Access2
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.1.1.1        202.100.2.4     QM_IDLE           1005    0 ACTIVE
IPv6 Crypto ISAKMP SA
R1#show crypto engine conn act
Crypto Engine Connections
  ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
   9 Fa0/0      IPsec 3DES+SHA                  0       64 10.1.1.1
  10 Fa0/0      IPsec 3DES+SHA                 35        0 10.1.1.1
1005 Fa0/0      IKE   MD5+3DES                  0        0 10.1.1.1
R1#
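To consume the verification output above programmatically, for example from a monitoring job that collects it over SSH, the following added example (not part of the original post) parses both show commands from this section, embedded here as constructed sample text, into structured records. It treats the src column of show crypto isakmp sa as the address of the side that started the exchange, which matches both cases here: R1's own address 10.1.1.1 is src in case A, where R1 pinged first, and R4's PAT address 202.100.2.4 is src in case B, where the spoke dialed the hub. The list of local addresses passed in and the bidirectional-counter check are this example's assumptions.

```python
import re

# Constructed sample: case A from the post (crypto map / static VTI, R1 initiated).
CASE_A = """\
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
202.100.2.4     10.1.1.1        QM_IDLE           1003    0 ACTIVE
IPv6 Crypto ISAKMP SA
R1#show crypto engine conn active
Crypto Engine Connections
  ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
   7 Fa0/0      IPsec 3DES+SHA                  0        4 10.1.1.1
   8 Fa0/0      IPsec 3DES+SHA                  4        0 10.1.1.1
1003 Fa0/0      IKE   MD5+3DES                  0        0 10.1.1.1
"""

# Constructed sample: case B from the post (DVTI hub, spoke R5 behind R4's PAT dialed in).
CASE_B = """\
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.1.1.1        202.100.2.4     QM_IDLE           1005    0 ACTIVE
IPv6 Crypto ISAKMP SA
R1#show crypto engine conn act
Crypto Engine Connections
  ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
   9 Fa0/0      IPsec 3DES+SHA                  0       64 10.1.1.1
  10 Fa0/0      IPsec 3DES+SHA                 35        0 10.1.1.1
1005 Fa0/0      IKE   MD5+3DES                  0        0 10.1.1.1
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ISAKMP_RE = re.compile(
    rf"^(?P<dst>{IPV4})\s+(?P<src>{IPV4})\s+(?P<state>\S+)\s+(?P<conn>\d+)\s+\d+\s+(?P<status>\S+)$")
ENGINE_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<intf>\S+)\s+(?P<type>IPsec|IKE)\s+(?P<algo>\S+)\s+"
    r"(?P<enc>\d+)\s+(?P<dec>\d+)\s+(?P<ip>\S+)$")


def parse_isakmp_sa(output):
    """One dict per IKE SA row of 'show crypto isakmp sa'."""
    rows = []
    for line in output.splitlines():
        if (m := ISAKMP_RE.match(line.strip())):
            rows.append({"dst": m["dst"], "src": m["src"], "state": m["state"],
                         "conn_id": int(m["conn"]), "status": m["status"]})
    return rows


def parse_engine_connections(output):
    """One dict per row of 'show crypto engine connections active'."""
    rows = []
    for line in output.splitlines():
        if (m := ENGINE_RE.match(line)):
            rows.append({"id": int(m["id"]), "interface": m["intf"], "type": m["type"],
                         "algorithm": m["algo"], "encrypt": int(m["enc"]),
                         "decrypt": int(m["dec"]), "ip": m["ip"]})
    return rows


def summarise(output, local_addresses):
    """Condense both show commands into one health record.

    The counters are router-wide in this output (the IP-Address column is
    the local address), so with several peers use per-peer 'show crypto
    ipsec sa' counters instead.
    """
    conns = parse_engine_connections(output)
    ipsec = [c for c in conns if c["type"] == "IPsec"]
    encrypted = sum(c["encrypt"] for c in ipsec)
    decrypted = sum(c["decrypt"] for c in ipsec)
    sas = []
    for sa in parse_isakmp_sa(output):
        we_started = sa["src"] in local_addresses   # assumption: src = initiator
        sas.append({
            "peer": sa["dst"] if we_started else sa["src"],
            "role": "initiator" if we_started else "responder",
            "established": sa["state"] == "QM_IDLE" and sa["status"] == "ACTIVE",
        })
    return {
        "isakmp": sas,
        "ipsec_sas": len(ipsec),
        "algorithms": sorted({c["algorithm"] for c in conns}),
        "encrypted": encrypted,
        "decrypted": decrypted,
        # Traffic in one direction only usually means the return path is
        # broken, e.g. a PAT with no mapping back to the inside router.
        "bidirectional": encrypted > 0 and decrypted > 0,
    }


if __name__ == "__main__":
    R1_ADDRESSES = {"10.1.1.1", "192.168.1.1"}
    for label, out in (("case A", CASE_A), ("case B", CASE_B)):
        print(label, summarise(out, R1_ADDRESSES))
```

Both cases come out established and bidirectional with the same peer 202.100.2.4; the difference the parser surfaces is the role, initiator in case A and responder in case B, and the algorithm column confirms the negotiated suite matches the configured policy (MD5+3DES for IKE, 3DES+SHA for IPsec).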