简要介绍
用IPSec隧道在Internet上进行安全的数据传输,是目前公司总部与分支通讯的主要解决方案。DM×××是一种非常具有扩展性的解决方案,它有很多优点,比如,简单的hub和spoke配置提供了Full-mesh的连通性,可以支持spoke端的动态地址,增加新的spoke端时,无须更改hub配置,spoke到spoke的流量不占用hub带宽,支持动态路由协议和从hub到spoke的组播,支持多个×××中心设备的负载均衡等特点,主要用到了2个技术:多点GRE即MGRE和下一跳解析协议即NHRP。
下面是基本的DM×××的配置,同时结合ADSL拨号,DDNS配置。图中HUB_R6为固定地址,SPOKE R1和R3为拨号上网。
一、拓扑:
说明:只要能上网就可以做DDNS相关配置,图中的Gateway桥接到本机Vmnet1,同时,把本地连接/无线网络连接共享给Vmnet1,如果没有动态域名就要先去相关网站申请,推荐一个www.pubyun.com。
附配置:
R1_Branch1#sh run
hostname R1_Branch1
!
ip name-server 202.106.0.20
ip ddns update method cisco
HTTP
注:jackyan1:password是我在DDNS服务提供商页面注册的用户名和密码。下面的http里面有一个?,输入?时,先Ctrl+v ,然后输入?再继续粘贴。
add http://jackyan1:password@members.3322.org/dyndns/update?system=dyndns&hostname=<h>&myip=<a>&wildcard=ON&backmx=NO&offline=NO
remove http://jackyan1:password@members.3322.org/dyndns/update?system=dyndns&hostname=<h>&myip=<a>&wildcard=ON&backmx=NO&offline=NO
!
!第一阶段策略,除了认证策略为预共享秘钥,其余策略用默认策略
crypto isakmp policy 10
authentication pre-share
!下面的address 0.0.0.0 0.0.0.0 应该可以用69.1.1.6来代替
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
mode transport (GRE over IPsec一般设置为transport)
!
crypto ipsec profile IPSECPRO (功能与crypto map 类似,加密运用此ipsec profile的接口流量,用传统的感兴趣流的方式配置也可以,那就用crypto map)
set transform-set myset
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
ip ospf network point-to-point
!
interface Tunnel0
ip address 192.168.1.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco
ip nhrp map 192.168.1.6 69.1.1.6
ip nhrp map multicast 69.1.1.6
ip nhrp network-id 30599
ip nhrp nhs 192.168.1.6
ip nhrp cache non-authoritative
ip ospf network broadcast
ip ospf priority 0
tunnel source Dialer1
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile IPSECPRO
!
interface FastEthernet0/0
no ip address
pppoe enable group global
pppoe-client dial-pool-number 1
interface Dialer1
!(把拨号获得的地址用jackyan1:password到members.3322.org来注册jackyansite1.f3322.org这个域名)
ip ddns update hostname jackyansite1.f3322.org
ip ddns update cisco
ip address negotiated
ip mtu 1490
encapsulation ppp
dialer pool 1
ppp authentication pap callin
ppp pap sent-username user1 password 0 cisco
!
router ospf 1
log-adjacency-changes
network 1.1.1.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
###########################################################################
R3_Branch2#sh run
Building configuration...
version 12.4
hostname R3_Branch2
ip name-server 202.106.0.20
ip ddns update method cisco
HTTP
add http://jackyan2:password@members.3322.org/dyndns/update?system=dyndns&hostname=<h>&myip=<a>&wildcard=ON&backmx=NO&offline=NO
remove http://jackyan2:password@members.3322.org/dyndns/update?system=dyndns&hostname=<h>&myip=<a>&wildcard=ON&backmx=NO&offline=NO
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
mode transport
!
crypto ipsec profile IPSECPRO
set transform-set myset
!
interface Loopback0
ip address 3.3.3.3 255.255.255.0
ip ospf network point-to-point
!
interface Tunnel0
ip address 192.168.1.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco
ip nhrp map 192.168.1.6 69.1.1.6
ip nhrp map multicast 69.1.1.6
ip nhrp network-id 30599
ip nhrp nhs 192.168.1.6
ip nhrp cache non-authoritative
ip ospf network broadcast
ip ospf priority 0
tunnel source Dialer1
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile IPSECPRO
!
interface FastEthernet0/0
no ip address
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Dialer1
ip ddns update hostname jackyansite2.f3322.org
ip ddns update cisco
ip address negotiated
ip mtu 1490
encapsulation ppp
dialer pool 1
ppp authentication pap callin
ppp pap sent-username user2 password 0 cisco
!
router ospf 1
log-adjacency-changes
network 3.3.3.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
############################################################################
R6_Center#sh run
Building configuration...
version 12.4
!
hostname R6_Center
!
crypto isakmp policy 10
authentication pre-share
!这个address 必须为0.0.0.0 0.0.0.0,因为hub的地址不固定。
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
mode transport
!
crypto ipsec profile IPSECPRO
set transform-set myset
!
interface Loopback0
ip address 6.6.6.6 255.255.255.0
ip ospf network point-to-point
!
interface Tunnel0
ip address 192.168.1.6 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp network-id 30599
ip nhrp cache non-authoritative
ip ospf network broadcast
ip ospf priority 100
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile IPSECPRO
!
interface Serial1/0
ip address 69.1.1.6 255.255.255.0
!
interface Virtual-Template1
ip unnumbered Loopback0
peer default ip address pool pool3
ppp authentication pap
!
router ospf 1
log-adjacency-changes
network 6.6.6.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 69.1.1.9
##############################################################################
R2_ISPA#sh run
hostname R2_ISPA
!
username user1 password 0 cisco
!
bba-group pppoe global
virtual-template 1
!
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
no ip address
pppoe enable group global
!
interface Serial1/0
ip address 29.1.1.2 255.255.255.0
interface Virtual-Template1
ip unnumbered Loopback0
peer default ip address pool pool1
ppp authentication pap
!
ip local pool pool1 111.1.1.1 111.1.1.100
ip route 0.0.0.0 0.0.0.0 29.1.1.9
###############################################################################
R4_ISPB#sh run
version 12.4
hostname R4_ISPB
!
username user2 password 0 cisco
bba-group pppoe global
virtual-template 1
!
interface Loopback0
ip address 4.4.4.4 255.255.255.0
!
interface FastEthernet0/0
no ip address
pppoe enable group global
!
interface Serial1/0
ip address 49.1.1.4 255.255.255.0
!
interface Virtual-Template1
ip unnumbered Loopback0
peer default ip address pool pool2
ppp authentication pap
!
ip local pool pool2 112.1.1.1 112.1.1.100
ip route 0.0.0.0 0.0.0.0 49.1.1.9
#############################################################################
Internet#sh run
hostname Internet
interface FastEthernet0/0
ip address 192.168.0.250 255.255.255.0
ip nat outside
!
interface Serial1/0
ip address 29.1.1.9 255.255.255.0
ip nat inside
!
interface Serial1/1
ip address 49.1.1.9 255.255.255.0
ip nat inside
interface Serial1/2
ip address 69.1.1.9 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip route 111.1.1.0 255.255.255.0 29.1.1.2
ip route 112.1.1.0 255.255.255.0 49.1.1.4
!
ip nat inside source list nat interface FastEthernet0/0 overload
!
ip access-list extended nat
permit ip any host 202.106.0.20 (DNS服务器)
permit ip any 61.160.0.0 0.0.255.255 (DDNS服务提供商)
#############################################################################
后记:DM×××不是很稳定,如果出现异常问题,请将隧道口shutdown,然后先从hub端开始no shutdown,如果没有生效,请检查配置。
验证:
R6_Center:
R6_Center#sh ip nhrp
192.168.1.1/32 via 192.168.1.1, Tunnel0 created 00:00:13, expire 01:59:46
Type: dynamic, Flags: unique registered used
NBMA address: 111.1.1.1
192.168.1.3/32 via 192.168.1.3, Tunnel0 created 00:00:11, expire 01:59:48
Type: dynamic, Flags: unique registered used
NBMA address: 112.1.1.1
R1_Branch1#sh ip route os
3.0.0.0/24 is subnetted, 1 subnets
O 3.3.3.0 [110/11112] via 192.168.1.3, 00:11:22, Tunnel0
6.0.0.0/24 is subnetted, 1 subnets
O 6.6.6.0 [110/11112] via 192.168.1.6, 00:11:12, Tunnel0
如果HUB和SPOKE全部为动态地址,这种方法就不好使了,因为不能在隧道里指定服务器的地址,那么需要通过其他方法,在动态地址的解决方案里,所有SPOKE间的流量都要经过HUB。但还是有一定的扩展性的,相关实验会陆续整理,敬请关注。
如有高见,欢迎探讨。
转载于:https://blog.51cto.com/jackyan/1107057
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
