wKiom1ZOqCviAS_0AABpN9qnK84987.png

互联基本配置

!Internet:
!--- "Internet" router: simulates the public network. Each site hangs off
!--- its own directly connected /24 (f0/0 100.1.1.0 Beijing, f1/0 210.1.1.0
!--- Shanghai, f2/0 220.1.1.0 Shenzhen) and f1/1 (200.1.1.0) carries the
!--- remote-access NoteBook. All four are connected routes, so no routing
!--- protocol is needed on this device.


int f0/0

ip add 100.1.1.1 255.255.255.0

no shut 

exit

int f1/1

ip add 200.1.1.1 255.255.255.0

no shut

exit

int f1/0

ip add 210.1.1.1 255.255.255.0

no shut

exit

int f2/0 

ip add 220.1.1.1 255.255.255.0

no shut

exit



!Beijing-Center:
!--- Hub / HQ router. f0/0 (100.1.1.2) faces the Internet router and is the
!--- public address every VPN peer talks to (Easy VPN crypto map and DMVPN
!--- tunnel source are both bound to it later). f1/0 (1.1.1.1) is the HQ LAN
!--- that branches and remote clients reach through the tunnels.


int f0/0

ip add 100.1.1.2 255.255.255.0

no shut

exit

int f1/0

ip add 1.1.1.1 255.255.255.0

no shut

exit



!Shanghai分部:
!--- Shanghai branch (DMVPN spoke). f0/0 (210.1.1.2) is the public-side
!--- address and later the tunnel source; f1/0 (2.2.2.2) is the branch LAN
!--- and the default gateway of PC2.


int f0/0

ip add 210.1.1.2 255.255.255.0

no shut 

exit

int f1/0

ip add 2.2.2.2 255.255.255.0

no shut

exit


!PC2
!--- Branch host behind Shanghai. VPCS-style line "ip <address>/<prefix>
!--- <gateway>": 2.2.2.1/24 with Shanghai f1/0 (2.2.2.2) as gateway.

ip 2.2.2.1/24 2.2.2.2 


!ShenZhen分部:
!--- Shenzhen branch (DMVPN spoke). f0/0 (220.1.1.2) is the public-side
!--- address and later the tunnel source; f1/0 (3.3.3.3) is the branch LAN
!--- and the default gateway of PC3.


int f0/0 

ip add 220.1.1.2 255.255.255.0

no shut

exit

int f1/0

ip add 3.3.3.3 255.255.255.0

no shut

exit



PC3
!--- Branch host behind Shenzhen (VPCS-style line, same form as PC2):
!--- 3.3.3.1/24 with Shenzhen f1/0 (3.3.3.3) as gateway. Note the label above
!--- lacks the leading "!" the other device labels use.

ip 3.3.3.1/24 3.3.3.3 


!VMware 虚拟机中安装的 XP 系统作为客户端；用 VPCS 做客户端时，EZVPN 拨入后无法 ping 通内网网段，因此只能使用虚拟机。

NoteBook
!--- Remote-access client host on the Internet router's f1/1 segment:
!--- 200.1.1.2/24, gateway 200.1.1.1. It is not a DMVPN spoke; it reaches HQ
!--- only by dialing in to the Easy VPN server configured on Beijing-Center.

ip 200.1.1.2/24 200.1.1.1



BeiJing-Center:
!--- Underlay routing: each site points a default route at its own
!--- Internet-router interface (100.1.1.1 / 210.1.1.1 / 220.1.1.1). IPsec
!--- and GRE only need the public addresses to reach each other; the site
!--- LANs are carried inside the tunnels by EIGRP, not by these routes.

ip route 0.0.0.0 0.0.0.0 100.1.1.1


ShangHai:

ip route 0.0.0.0 0.0.0.0 210.1.1.1


ShenZhen:

ip route 0.0.0.0 0.0.0.0 220.1.1.1





!======BeiJing-center=============EZVPN部分===================================
!--- Easy VPN server (remote-access) section on the hub.
!--- NOTE(review): "password 0" keeps the XAuth user's password in cleartext
!--- in the running-config; "username cisco secret <password>" stores a hash
!--- instead. The cisco/cisco pair is a lab placeholder and should not be
!--- carried into any real deployment.

username cisco password 0 cisco

aaa new-model

!

!


!--- Xauth is configured for local authentication.
!--- "userauthen" is the login list the ISAKMP profile uses for XAuth;
!--- "naton" is the network-authorization list that returns the group
!--- attributes (key, pool, dns, ...) from the local database.


aaa authentication login userauthen local

aaa authorization network naton local 





!--- Create an ISAKMP policy for Phase 1 negotiations.

!--- This policy is for Easy VPN Clients.
!--- NOTE(review): there is no "encr" command, so the IOS default cipher
!--- (DES) is offered; with MD5 and DH group 2 this is legacy-client
!--- compatibility rather than a strong policy. Prefer AES, SHA-2 and
!--- group 14 or higher where the client supports them (the classic VPN
!--- Client presumably needs group 2 - confirm before changing it).



crypto isakmp policy 20

hash md5

authentication pre-share

group 2

exit

!



!--- VPN Client configuration for group "naton"

!--- (this name is configured in the VPN Client).
!--- key: the group pre-shared key (the client's "group password"). It is
!--- stored in cleartext and is what authenticates the group, so treat it
!--- as a real secret. dns / wins / domain are pushed to the client during
!--- mode-config; "pool" must name an "ip local pool" on this router
!--- (natonpool, defined at the end of this section).
!--- NOTE(review): the 1.1.11.x DNS/WINS servers sit inside the same /24 as
!--- the client pool and on no interface in this lab - presumably
!--- placeholders; verify against the real server addresses.



crypto isakmp client configuration group naton

key naton

dns 1.1.11.10 1.1.11.11

wins 1.1.11.12 1.1.11.13

domain cisco.com

pool natonpool

exit

 



!--- Profile for VPN Client connections, matches the 

!--- "naton" group and defines the XAuth properties. 
!--- match identity group naton: only IKE peers presenting group-id "naton"
!--- land in this profile; DMVPN spokes are matched by address in the
!--- separate profile of the DMVPN section, which keeps the two peer types
!--- apart on the shared public interface.
!--- client authentication list userauthen: XAuth user login (local db).
!--- isakmp authorization list naton: group-policy lookup (local db).
!--- client configuration address respond: hand out a pool address only
!--- when the client asks for one.


crypto isakmp profile ×××client

match identity group naton

client authentication list userauthen

isakmp authorization list naton

client configuration address respond

exit

 





!--- Create the Phase 2 policy for actual data encryption.
!--- NOTE(review): despite the name "strong", 3DES with HMAC-MD5 is a legacy
!--- combination; esp-aes with esp-sha256-hmac is the current choice when the
!--- client supports it. "mode transport" is the proposal offered to the
!--- remote-access clients here - the dial-in test at the end of the page
!--- shows it works with this client, but tunnel mode is the usual choice
!--- for remote-access peers; confirm which mode the client negotiates.


crypto ipsec transform-set strong esp-3des esp-md5-hmac 

 mode transport

exit

!






!--- This dynamic crypto map references the ISAKMP 

!--- Profile VPN Client above.

!--- Reverse route injection is used to provide the 

!--- DMVPN networks access to any Easy VPN Client networks.
!--- reverse-route installs a static host route for each connected client's
!--- pool address. NOTE(review): those are static routes and nothing in this
!--- config redistributes them into EIGRP 10, so the spokes would not learn
!--- client addresses - confirm whether spoke-to-client traffic is required.
!--- set isakmp-profile ties this map to the Easy VPN peers only; the DMVPN
!--- peers on the same interface are handled by the IPsec profile instead.


crypto dynamic-map dynmap 10

 set transform-set strong 

 set isakmp-profile ×××client

 reverse-route

exit

!

!



!--- Crypto map only references the dynamic crypto map above.
!--- Entry 1 of map "dynmap" is a dynamic entry: the hub never initiates, it
!--- only accepts client-initiated SAs whose proposal matches "dynmap 10".

 

crypto map dynmap 1 ipsec-isakmp dynamic dynmap 

!




interface FastEthernet0/0
!--- The crypto map is applied on the public interface, which is also the
!--- "tunnel source" of Tunnel0 (DMVPN) in the next section; the two ISAKMP
!--- profiles (group match vs. address match) decide which peer belongs
!--- to which.

crypto map dynmap

exit

!



!--- Address pool handed to Easy VPN clients (1.1.11.60-80, 21 addresses);
!--- referenced by "pool natonpool" in the client group. Client hosts are
!--- reached through the reverse-route entries the dynamic map installs.
ip local pool natonpool 1.1.11.60 1.1.11.80









!=====BeiJing-center============DMVPN部分=============================

!--- Keyring that defines the wildcard pre-shared key.
!--- NOTE(review): "address 0.0.0.0 0.0.0.0" means any source IP that knows
!--- "naton123" can complete Phase 1 with the hub, and the spokes use the
!--- same key globally. A wildcard PSK is what makes dynamically addressed
!--- spokes possible, but one shared secret covers every site - per-spoke
!--- keys or certificates (PKI) limit the impact of a compromised spoke.



crypto keyring dm***spokes 

pre-shared-key address 0.0.0.0 0.0.0.0 key naton123

exit

!


!--- Create an ISAKMP policy for Phase 1 negotiations.

!--- This policy is for DMVPN spokes.
!--- NOTE(review): no "group" command, so the IOS default DH group 1
!--- (768-bit) is used; with 3DES/MD5 this matches the spokes' policy 10 but
!--- is weak. Move hub and spokes together to aes / sha / group 14 or
!--- higher, otherwise Phase 1 stops matching.


crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

exit

!





!--- Profile for LAN-to-LAN connection, references 

!--- the wildcard pre-shared key and a wildcard 

!--- identity (this is what is broken in 

!--- Cisco bug ID CSCea77140)

!--- and no XAuth.
!--- "keyring dm***spokes" selects the wildcard PSK above; "match identity
!--- address 0.0.0.0" accepts any peer address. There is no "client
!--- authentication list", so spokes are not asked for XAuth, unlike the
!--- Easy VPN profile. The IPsec profile below binds this profile to Tunnel0.

 

crypto isakmp profile DM×××

keyring dm***spokes

match identity address 0.0.0.0 

exit

!

!


!--- Phase 2 transform set for the DMVPN tunnels: 3DES / HMAC-SHA1 in
!--- transport mode. Transport mode is the usual choice for GRE over IPsec:
!--- the GRE header already carries the tunnel endpoints, so the extra outer
!--- IP header (20 bytes per packet) is not needed.
!--- NOTE(review): 3DES is a legacy cipher; esp-aes is preferred and must
!--- then be changed on both spokes as well.
crypto ipsec transform-set naton-dm esp-3des esp-sha-hmac 

 mode transport

exit


!--- Create an IPsec profile to be applied dynamically to the 

!--- generic routing encapsulation (GRE) over IPsec tunnels.
!--- NOTE(review): a 120-second SA lifetime (IOS default is 3600) forces a
!--- Phase 2 rekey every two minutes; handy for watching "sh crypto ipsec
!--- sa" in a lab, noisy in production. Peers use the shorter of their two
!--- values, so the spokes' identical 120 s setting is what applies anyway.
!--- set isakmp-profile DM×××: Phase 1 for these tunnels goes through the
!--- wildcard-PSK profile, not the Easy VPN one.


crypto ipsec profile naton-dm-ips

set security-association lifetime seconds 120

set transform-set naton-dm 

set isakmp-profile DM×××

exit

!



!--- EIGRP 10 is the overlay routing protocol: it runs across the mGRE 

!--- cloud (10.0.0.0/24, "interface Tunnel0" below) and advertises the HQ
!--- LAN 1.1.1.0/24 to the spokes; the spokes advertise 2.2.2.0/24 and
!--- 3.3.3.0/24 the same way. The GRE tunnel template that EIGRP peers over
!--- follows as "interface Tunnel0".



router eigrp 10

network 1.1.1.0 0.0.0.255

network 10.0.0.0 0.0.0.255

no auto-summary


interface Tunnel0
!--- Hub mGRE tunnel template ("tunnel mode gre multipoint"): one interface
!--- serves every spoke; spokes register through NHRP, so no per-spoke
!--- configuration is needed here.
!--- ip nhrp map multicast dynamic: replicate EIGRP multicast to each spoke
!--- that has registered. network-id 1 / holdtime 300 / tunnel key 0 must
!--- match the spokes.
!--- NOTE(review): "ip nhrp authentication" is a plain-text string match
!--- that only keeps unrelated NHRP domains apart; it is not a cryptographic
!--- check - IPsec (tunnel protection) is what actually authenticates spokes.
!--- no ip split-horizon / no ip next-hop-self: let the hub re-advertise one
!--- spoke's routes to the others out of the same interface, keeping the
!--- originating spoke as next hop (needed for spoke-to-spoke traffic).
!--- tunnel source FastEthernet0/0 is the same interface that carries the
!--- Easy VPN crypto map. tunnel protection encrypts the GRE packets with
!--- profile naton-dm-ips.
!--- ip mtu 1440 leaves room for the GRE+IPsec overhead; it is commonly
!--- paired with "ip tcp adjust-mss 1360" - TODO confirm whether needed.

ip address 10.0.0.1 255.255.255.0

no ip redirects

ip mtu 1440

ip nhrp authentication naton123

ip nhrp map multicast dynamic

ip nhrp network-id 1

ip nhrp holdtime 300

no ip split-horizon eigrp 10

no ip next-hop-self eigrp 10

tunnel source FastEthernet0/0

tunnel mode gre multipoint

tunnel key 0

tunnel protection ipsec profile naton-dm-ips

exit

!




!=====ShangHai============DMVPN部分=============================


!--- Create an ISAKMP policy for Phase 1 negotiations.

!--- This policy is for DMVPN spokes.
!--- NOTE(review): same parameters as the hub's policy 10 (3DES / MD5 /
!--- default DH group 1); the weak parameters have to be upgraded on hub and
!--- spokes together or Phase 1 stops matching.


crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

exit

!



!
!--- Global wildcard pre-shared key: the same "naton123" the hub keyring
!--- holds. NOTE(review): "0.0.0.0 0.0.0.0" lets this spoke complete IKE with
!--- any peer that knows the key, which is what direct spoke-to-spoke
!--- tunnels need, but it also means one leaked key affects every site.

crypto isakmp key naton123 address 0.0.0.0 0.0.0.0


!--- Phase 2: 3DES / HMAC-SHA1 transport-mode transform set, identical to
!--- the hub's so the proposals match.
crypto ipsec transform-set naton-dm esp-3des esp-sha-hmac 

 mode transport

exit


!--- Create an IPsec profile to be applied dynamically to the 

!--- generic routing encapsulation (GRE) over IPsec tunnels.
!--- Unlike the hub there is no "set isakmp-profile": the spoke relies on the
!--- global wildcard key above. The 120 s lifetime matches the hub's value.


crypto ipsec profile naton-dm-ips

set security-association lifetime seconds 120

set transform-set naton-dm 

exit



!--- EIGRP 10 over the mGRE cloud: advertises the Shanghai LAN 2.2.2.0/24
!--- and learns HQ (1.1.1.0/24) and Shenzhen (3.3.3.0/24) through the hub.
router eigrp 10

network 2.2.2.0 0.0.0.255

network 10.0.0.0 0.0.0.255

no auto-summary





interface Tunnel0
!--- Spoke mGRE tunnel. Static NHRP mappings point at the hub: tunnel
!--- address 10.0.0.1 -> public 100.1.1.2 (hub f0/0), plus a multicast
!--- mapping so EIGRP hellos reach the hub; "ip nhrp nhs 10.0.0.1" registers
!--- this spoke with the hub (next-hop server). Other spokes are resolved
!--- dynamically through NHRP.
!--- authentication / network-id / holdtime / tunnel key must match the hub.
!--- NOTE(review): the listing has no "exit" after this block; harmless when
!--- typed interactively.

ip address 10.0.0.2 255.255.255.0

no ip redirects

ip mtu 1440

ip nhrp authentication naton123

ip nhrp map 10.0.0.1 100.1.1.2

ip nhrp map multicast 100.1.1.2

ip nhrp network-id 1

ip nhrp holdtime 300

ip nhrp nhs 10.0.0.1

tunnel source FastEthernet0/0

tunnel mode gre multipoint

tunnel key 0

tunnel protection ipsec profile naton-dm-ips






!=====ShenZhen============DMVPN部分=============================


!--- Create an ISAKMP policy for Phase 1 negotiations.

!--- This policy is for DMVPN spokes.
!--- NOTE(review): same parameters as the hub's policy 10 (3DES / MD5 /
!--- default DH group 1); the weak parameters have to be upgraded on hub and
!--- spokes together or Phase 1 stops matching.


crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

exit

!



!
!--- Global wildcard pre-shared key: the same "naton123" the hub keyring
!--- holds. NOTE(review): "0.0.0.0 0.0.0.0" lets this spoke complete IKE with
!--- any peer that knows the key, which is what direct spoke-to-spoke
!--- tunnels need, but it also means one leaked key affects every site.

crypto isakmp key naton123 address 0.0.0.0 0.0.0.0


!--- Phase 2: 3DES / HMAC-SHA1 transport-mode transform set, identical to
!--- the hub's so the proposals match.
crypto ipsec transform-set naton-dm esp-3des esp-sha-hmac 

 mode transport

exit


!--- Create an IPsec profile to be applied dynamically to the 

!--- generic routing encapsulation (GRE) over IPsec tunnels.
!--- Unlike the hub there is no "set isakmp-profile": the spoke relies on the
!--- global wildcard key above. The 120 s lifetime matches the hub's value.


crypto ipsec profile naton-dm-ips

set security-association lifetime seconds 120

set transform-set naton-dm 

exit



!--- EIGRP 10 over the mGRE cloud: advertises the Shenzhen LAN 3.3.3.0/24
!--- and learns HQ (1.1.1.0/24) and Shanghai (2.2.2.0/24) through the hub.
router eigrp 10

network 3.3.3.0 0.0.0.255

network 10.0.0.0 0.0.0.255

no auto-summary





interface Tunnel0
!--- Spoke mGRE tunnel. Static NHRP mappings point at the hub: tunnel
!--- address 10.0.0.1 -> public 100.1.1.2 (hub f0/0), plus a multicast
!--- mapping so EIGRP hellos reach the hub; "ip nhrp nhs 10.0.0.1" registers
!--- this spoke with the hub (next-hop server). Other spokes are resolved
!--- dynamically through NHRP.
!--- authentication / network-id / holdtime / tunnel key must match the hub.
!--- NOTE(review): the listing has no "exit" after this block; harmless when
!--- typed interactively.

ip address 10.0.0.3 255.255.255.0

no ip redirects

ip mtu 1440

ip nhrp authentication naton123

ip nhrp map 10.0.0.1 100.1.1.2

ip nhrp map multicast 100.1.1.2

ip nhrp network-id 1

ip nhrp holdtime 300

ip nhrp nhs 10.0.0.1

tunnel source FastEthernet0/0

tunnel mode gre multipoint

tunnel key 0

tunnel protection ipsec profile naton-dm-ips


测试 IPsec:

Beijing-Cent:

#sh crypto ips sa

interface: Tunnel0

    Crypto map tag: Tunnel0-head-0, local addr 100.1.1.2


   protected vrf: (none)

   local  ident (addr/mask/prot/port): (100.1.1.2/255.255.255.255/47/0)

   remote ident (addr/mask/prot/port): (210.1.1.2/255.255.255.255/47/0)

   current_peer 210.1.1.2 port 500


   protected vrf: (none)

   local  ident (addr/mask/prot/port): (100.1.1.2/255.255.255.255/47/0)

   remote ident (addr/mask/prot/port): (220.1.1.2/255.255.255.255/47/0)

   current_peer 220.1.1.2 port 500

ShangHai:

interface: Tunnel0

    Crypto map tag: Tunnel0-head-0, local addr 210.1.1.2


   protected vrf: (none)

   local  ident (addr/mask/prot/port): (210.1.1.2/255.255.255.255/47/0)

   remote ident (addr/mask/prot/port): (100.1.1.2/255.255.255.255/47/0)

   current_peer 100.1.1.2 port 500

Shenzhen:

interface: Tunnel0

    Crypto map tag: Tunnel0-head-0, local addr 220.1.1.2


   protected vrf: (none)

   local  ident (addr/mask/prot/port): (220.1.1.2/255.255.255.255/47/0)

   remote ident (addr/mask/prot/port


BeiJing-Center#sh crypto isakmp sa 

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

100.1.1.2       220.1.1.2       QM_IDLE           1002 ACTIVE

100.1.1.2       210.1.1.2       QM_IDLE           1001 ACTIVE


ShangHai#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

100.1.1.2       210.1.1.2       QM_IDLE           1001 ACTIVE


ShenZhen#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

100.1.1.2       220.1.1.2       QM_IDLE           1001 ACTIVE


BeiJing-Center#sh crypto engine connections activ

Crypto Engine Connections


   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address

  139  IPsec   3DES+SHA                  0       13       13 100.1.1.2

  140  IPsec   3DES+SHA                 13        0        0 100.1.1.2

  141  IPsec   3DES+SHA                  0        3        3 100.1.1.2

  142  IPsec   3DES+SHA                  2        0        0 100.1.1.2

 1001  IKE     MD5+3DES                  0        0        0 100.1.1.2

 1002  IKE     MD5+3DES                  0        0        0 100.1.1.2


BeiJing-Center##ping 2.2.2.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 56/98/232 ms

BeiJing-Center##ping 3.3.3.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 3.3.3.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 56/78/100 ms


NoteBook

进入虚拟机，添加 IP 地址 200.1.1.2 255.255.255.0 200.1.1.1，安装 Cisco VPN Client，配置如下（组名 name:naton，组密钥 password:naton，即服务器端 crypto isakmp client configuration group 中的组名与 key）：

wKiom1ZOrryS35OcAABV6t4TIBM419.png

双击该 VPN 连接，输入用户名 cisco、密码 cisco（即服务器端 username 配置的 XAuth 用户），显示拨入成功；

ping 总部服务器地址全部通，Easy VPN 配置成功。


wKioL1ZOrxPTDsiZAADlZroc98Q127.png

本实验全部完成,请提出意见或建议,谢谢。