This post covers the case where both the hub and the spokes have dynamic addresses. In this scenario all VPN traffic between spokes is relayed through the hub. Two ways of configuring it are shown below, GRE over IPsec and GRE over EzVPN; the idea is the same in both: use the tunnel to build a reachable NHRP server that the spokes register with. If only one of the two methods is used, the spoke configurations are nearly identical and the hub needs no configuration change, which gives good scalability.

As shown in the figure, the topology from the previous post is only slightly modified: a PPPoE server has been added. The rest of the setup is the same as in the previous post; only the configurations of the three sites are shown here, refer to the previous post for everything else.

Branch1 is the EzVPN client

hostname Branch1
no aaa new-model
ip cef
!
ip name-server 202.106.0.20
!
! DDNS configuration: the Dialer1 address is registered with the dynamic DNS provider
ip ddns update method cisco
 HTTP
  add http://jackyan1:passwd@members.3322.org/dyndns/update?system=dyndns&hostname=<h>&myip=<a>&wildcard=ON&backmx=NO&offline=NO
  remove http://jackyan1:passwd@members.3322.org/dyndns/update?system=dyndns&hostname=<h>&myip=<a>&wildcard=ON&backmx=NO&offline=NO
!
! crypto isakmp key accepts a hostname as the peer identity
crypto isakmp key cisco hostname jackyansite3.f3322.org
!
! EzVPN client configuration
crypto ipsec client ezvpn hwxd
 ! connection method: auto or manual
 connect auto
 ! group name and key used for phase 1 authentication
 group ezvpngroup key cisco
 ! network-extension mode (NEM)
 mode network-extension
 ! peer hostname or IP address
 peer jackyansite3.f3322.org
 ! username and password for phase 1.5 (Xauth)
 username aaauser password cisco
 ! Xauth uses the locally configured username
 xauth userid mode local
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
 ! EzVPN inside interface: the local network that may reach the server-side network
 crypto ipsec client ezvpn hwxd inside
!
interface Loopback100
 description Inside.network
 ip address 192.168.1.1 255.255.255.0
 ip ospf network point-to-point
!
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 ip mtu 1400
 ! NHRP authentication (optional)
 ip nhrp authentication cisco
 ! multicast mapping to the hub
 ip nhrp map multicast 5.5.5.5
 ! static NHRP mapping used for registration
 ip nhrp map 172.16.1.5 5.5.5.5
 ! network-id is mandatory
 ip nhrp network-id 30599
 ! NHRP server (the hub)
 ip nhrp nhs 172.16.1.5
 ip nhrp cache non-authoritative
 ip ospf network broadcast
 ip ospf priority 0
 tunnel source Loopback0
 ! tunnel mode is point-to-point GRE (the default)
 tunnel destination 5.5.5.5
 tunnel key 123
!
interface FastEthernet0/0
 no ip address
 ! PPPoE client configuration
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer1
 ! register the interface address under jackyansite1.f3322.org
 ip ddns update hostname jackyansite1.f3322.org
 ip ddns update cisco
 ip address negotiated
 ip mtu 1490
 encapsulation ppp
 dialer pool 1
 ppp authentication pap callin
 ppp pap sent-username user1 password 0 cisco
 ! EzVPN outside interface
 crypto ipsec client ezvpn hwxd
!
router ospf 1
 log-adjacency-changes
 network 172.16.1.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent

############################################################################

hostname Branch2
ip cef
!
ip name-server 202.106.0.20
ip ddns update method cisco
 HTTP
  add http://jackyan2:passwd@members.3322.org/dyndns/update?system=dyndns&hostname=<h>&myip=<a>&wildcard=ON&backmx=NO&offline=NO
  remove http://jackyan2:passwd@members.3322.org/dyndns/update?system=dyndns&hostname=<h>&myip=<a>&wildcard=ON&backmx=NO&offline=NO
!
! phase 1 policy
crypto isakmp policy 10
 ! authentication by pre-shared key
 authentication pre-share
! key used when the peer identifies itself with this hostname
crypto isakmp key cisco hostname jackyansite3.f3322.org
!
! transform set: phase 2 encryption and integrity
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
! the crypto map ties the phase 1 and phase 2 policies together
crypto map mymap 10 ipsec-isakmp
 set peer jackyansite3.f3322.org dynamic
 set transform-set myset
 ! interesting traffic
 match address vpn
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
!
interface Loopback100
 description Inside.network
 ip address 192.168.3.1 255.255.255.0
 ip ospf network point-to-point
!
interface Tunnel0
 ip address 172.16.1.3 255.255.255.0
 ip mtu 1400
 ip nhrp authentication cisco
 ip nhrp map multicast 5.5.5.5
 ip nhrp map 172.16.1.5 5.5.5.5
 ip nhrp network-id 30599
 ip nhrp nhs 172.16.1.5
 ip nhrp cache non-authoritative
 ip ospf network broadcast
 ip ospf priority 0
 tunnel source Loopback0
 ! tunnel mode is point-to-point GRE (the default)
 tunnel destination 5.5.5.5
 tunnel key 123
!
interface FastEthernet0/0
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer1
 ip ddns update hostname jackyansite2.f3322.org
 ip ddns update cisco
 ip address negotiated
 ip mtu 1490
 encapsulation ppp
 dialer pool 1
 ppp authentication pap callin
 ppp pap sent-username user2 password 0 cisco
 ! apply the crypto map to the outside interface
 crypto map mymap
!
router ospf 1
 log-adjacency-changes
 network 172.16.1.0 0.0.0.255 area 0
 network 192.168.3.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
!
ip access-list extended vpn
 permit ip host 3.3.3.3 host 5.5.5.5
!
! IP SLA probe: generates interesting traffic so the IPsec tunnel is brought up
ip sla 1
 icmp-echo 5.5.5.5 source-ip 3.3.3.3
ip sla schedule 1 life forever start-time now
!
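The spoke Tunnel0 blocks above only register with the hub if a handful of values line up: the NHRP network-id, the tunnel key and the NHRP authentication string must match the hub, `ip nhrp nhs` must point at the hub's tunnel address, and that tunnel address must be statically mapped to the hub's NBMA address (its tunnel source, Loopback0 here). The following Python 3 script is an added example, not part of the original post; it parses constructed excerpts modelled on the page's Center, Branch1 and Branch2 tunnel interfaces (the spoke template reproduces the lines both spokes share) and reports every mismatch that would stop registration, so a mistyped network-id or key is caught before the tunnel is debugged live.

```python
from typing import Any, Dict, List

# Constructed excerpts (tunnel plus its source loopback) modelled on the page's routers.
HUB_CONFIG = """\
interface Loopback0
 ip address 5.5.5.5 255.255.255.0
interface Tunnel0
 ip address 172.16.1.5 255.255.255.0
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 30599
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 123
"""

SPOKE_TEMPLATE = """\
interface Loopback0
 ip address {nbma} 255.255.255.0
interface Tunnel0
 ip address {tunnel_ip} 255.255.255.0
 ip nhrp authentication cisco
 ip nhrp map multicast 5.5.5.5
 ip nhrp map 172.16.1.5 5.5.5.5
 ip nhrp network-id 30599
 ip nhrp nhs 172.16.1.5
 tunnel source Loopback0
 tunnel destination 5.5.5.5
 tunnel key 123
"""

CONFIGS: Dict[str, str] = {
    "Center": HUB_CONFIG,
    "Branch1": SPOKE_TEMPLATE.format(nbma="1.1.1.1", tunnel_ip="172.16.1.1"),
    "Branch2": SPOKE_TEMPLATE.format(nbma="3.3.3.3", tunnel_ip="172.16.1.3"),
}


def parse_interfaces(cfg: str) -> Dict[str, List[str]]:
    """Split IOS-style text into {interface name: [its indented sub-commands]}."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in cfg.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return blocks


def tunnel_params(cfg: str) -> Dict[str, Any]:
    """Collect the GRE/NHRP values that must agree for a spoke to register with the hub."""
    ifaces = parse_interfaces(cfg)
    tun = next((v for k, v in ifaces.items() if k.startswith("Tunnel")), [])
    p: Dict[str, Any] = {"nhs": [], "nbma_map": {}, "multicast": [], "mode": "gre ip"}
    for line in tun:
        parts = line.split()
        if line.startswith("ip address "):
            p["tunnel_ip"] = parts[2]
        elif line.startswith("ip nhrp authentication "):
            p["nhrp_auth"] = parts[3]
        elif line.startswith("ip nhrp network-id "):
            p["network_id"] = parts[3]
        elif line.startswith("ip nhrp nhs "):
            p["nhs"].append(parts[3])
        elif line.startswith("ip nhrp map multicast "):
            p["multicast"].append(parts[4])
        elif line.startswith("ip nhrp map "):  # ip nhrp map <tunnel ip> <nbma ip>
            p["nbma_map"][parts[3]] = parts[4]
        elif line.startswith("tunnel key "):
            p["tunnel_key"] = parts[2]
        elif line.startswith("tunnel mode "):
            p["mode"] = " ".join(parts[2:])
        elif line.startswith("tunnel source "):
            # the source interface's address is this router's NBMA address
            for sub in ifaces.get(parts[2], []):
                if sub.startswith("ip address "):
                    p["nbma_ip"] = sub.split()[2]
    return p


def check_dmvpn(configs: Dict[str, str], hub: str) -> List[str]:
    """Return findings; an empty list means every spoke can register with the hub."""
    findings: List[str] = []
    h = tunnel_params(configs[hub])
    if h["mode"] != "gre multipoint":
        findings.append(f"{hub}: hub needs 'tunnel mode gre multipoint', has '{h['mode']}'")
    if "dynamic" not in h["multicast"]:
        findings.append(f"{hub}: hub needs 'ip nhrp map multicast dynamic' for OSPF hellos")
    for name, cfg in configs.items():
        if name == hub:
            continue
        s = tunnel_params(cfg)
        for key in ("network_id", "tunnel_key", "nhrp_auth"):
            if s.get(key) != h.get(key):
                findings.append(f"{name}: {key} {s.get(key)!r} differs from hub {h.get(key)!r}")
        if h["tunnel_ip"] not in s["nhs"]:
            findings.append(f"{name}: missing 'ip nhrp nhs {h['tunnel_ip']}'")
        if s["nbma_map"].get(h["tunnel_ip"]) != h["nbma_ip"]:
            findings.append(f"{name}: NHS {h['tunnel_ip']} not mapped to hub NBMA {h['nbma_ip']}")
    return findings
```

Running `check_dmvpn(CONFIGS, "Center")` on the page's values returns no findings; change one spoke's `ip nhrp network-id` or `tunnel key` and that spoke is reported. The hub-side checks also flag the two lines the page singles out for the hub: `tunnel mode gre multipoint` and `ip nhrp map multicast dynamic`.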


##########################################################################

hostname Center
!
! phase 1.5 (Xauth) uses AAA; local AAA here, RADIUS would also work
aaa new-model
!
! keeps console/vty logins working after enabling AAA (needed in the exam lab)
aaa authentication login noacs line none
! EzVPN phase 1.5 authentication list
aaa authentication login ezvpn local
! EzVPN authorization list
aaa authorization network ezvpn local
!
aaa session-id common
ip cef
!
ip name-server 202.106.0.20
ip ddns update method cisco
 HTTP
  add http://jackyan3:passwd@members.3322.org/dyndns/update?system=dyndns&hostname=<h>&myip=<a>&wildcard=ON&backmx=NO&offline=NO
  remove http://jackyan3:passwd@members.3322.org/dyndns/update?system=dyndns&hostname=<h>&myip=<a>&wildcard=ON&backmx=NO&offline=NO
!
! This router terminates two different VPN types, so isakmp profiles with
! match identity are the recommended way to tell them apart.
crypto keyring l2lkey
 ! pre-shared key, needed for LAN-to-LAN
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
!
! phase 1 policy for LAN-to-LAN
crypto isakmp policy 5
 authentication pre-share
!
! phase 1 policy for EzVPN
crypto isakmp policy 10
 authentication pre-share
 ! must be group 2
 group 2
!
! group used for EzVPN authentication
crypto isakmp client configuration group ezvpngroup
 ! and its key
 key cisco
 ! address pool assigned after successful authentication
 pool pool1
 ! split-tunnel ACL: traffic from the server-side network to the client network
 acl split.acl
 ! lets the client save the password so EzVPN can connect automatically
 save-password
! profile binding EzVPN authentication and authorization
crypto isakmp profile pro1
   match identity group ezvpngroup
   client authentication list ezvpn
   isakmp authorization list ezvpn
   client configuration address respond
! profile for LAN-to-LAN authentication
crypto isakmp profile isapro1
   keyring l2lkey
   match identity host domain f3322.org
!
! both VPN types share one transform set here; they could use different ones
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
! dynamic map for the EzVPN policy
crypto dynamic-map mymap 10
 set transform-set myset
 set isakmp-profile pro1
 reverse-route
!
! static map entry for LAN-to-LAN; static entries are normally evaluated first
crypto map mymap 1 ipsec-isakmp
 set peer jackyansite2.f3322.org dynamic
 set transform-set myset
 set isakmp-profile isapro1
 match address vpn
crypto map mymap 10 ipsec-isakmp dynamic mymap
!
! username and password for phase 1.5 (Xauth)
username aaauser password 0 cisco
!
interface Loopback0
 ip address 5.5.5.5 255.255.255.0
!
interface Loopback100
 ip address 192.168.5.1 255.255.255.0
 ip ospf network point-to-point
!
interface Tunnel0
 ip address 172.16.1.5 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 30599
 ip nhrp cache non-authoritative
 ip ospf network broadcast
 ip ospf priority 100
 tunnel source Loopback0
 ! the hub tunnel mode is GRE multipoint
 tunnel mode gre multipoint
 tunnel key 123
!
interface FastEthernet0/0
 no ip address
 ! PPPoE client configuration
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
! PPPoE dialer
interface Dialer1
 ip ddns update hostname jackyansite3.f3322.org
 ip ddns update cisco
 ip address negotiated
 ip mtu 1490
 encapsulation ppp
 dialer pool 1
 ppp authentication pap callin
 ppp pap sent-username user3 password 0 cisco
 ! apply the crypto map to the interface
 crypto map mymap
!
router ospf 1
 log-adjacency-changes
 network 172.16.1.0 0.0.0.255 area 0
 network 192.168.5.0 0.0.0.255 area 0
!
! address pool handed out to EzVPN clients
ip local pool pool1 199.1.1.1 199.1.1.100
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
!
! addresses used to build the tunnels
ip access-list extended split.acl
 permit ip host 5.5.5.5 host 1.1.1.1
ip access-list extended vpn
 permit ip host 5.5.5.5 host 3.3.3.3
!
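The hub configuration above is a working lab build, and several of its choices are worth a second look before anything like it goes into production: the transform set uses DES with MD5, the two ISAKMP policies set no `encryption` or `hash` so they inherit the IOS defaults (DES and SHA-1), the keyring's `0.0.0.0 0.0.0.0` entry accepts the pre-shared key from any peer address, the DDNS update URL carries the account credentials over plain HTTP, and the Xauth and PPPoE passwords are stored as type 0. The Python 3 script below is an added example, not part of the original post: it audits a constructed excerpt modelled on the Center config for exactly those points and returns an empty list for a constructed hardened counterpart (the AES-256/SHA-256/group 14 values and the hostname-bound keyring entry in it are assumed replacements, not settings from the page). One finding it reports is an accepted risk rather than a defect: the page states that policy 10 must use DH group 2 for the EzVPN client, so that line stays while the rest can be tightened.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the page's hub (Center) config; sample input only.
SAMPLE_CONFIG = """\
ip ddns update method cisco
 HTTP
  add http://jackyan3:passwd@members.3322.org/dyndns/update?system=dyndns&hostname=<h>&myip=<a>
crypto keyring l2lkey
  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
crypto isakmp policy 5
 authentication pre-share
crypto isakmp policy 10
 authentication pre-share
 group 2
crypto ipsec transform-set myset esp-des esp-md5-hmac
username aaauser password 0 cisco
interface Dialer1
 ppp authentication pap callin
 ppp pap sent-username user3 password 0 cisco
"""

# Constructed counterpart with stronger settings (assumed values, not from the page).
HARDENED_CONFIG = """\
crypto keyring l2lkey
  pre-shared-key hostname jackyansite2.f3322.org key cisco
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto ipsec transform-set myset esp-aes 256 esp-sha256-hmac
username aaauser secret cisco
interface Dialer1
 ppp authentication chap callin
"""

# (regex, finding) pairs applied to every config line.
WEAK_LINE_RULES: List[Tuple[str, str]] = [
    (r"^\s*crypto ipsec transform-set \S+ .*\besp-(des|3des)\b", "transform set uses DES/3DES encryption"),
    (r"^\s*crypto ipsec transform-set \S+ .*\besp-md5-hmac\b", "transform set uses MD5 integrity"),
    (r"^\s*pre-shared-key address 0\.0\.0\.0 0\.0\.0\.0\b", "wildcard pre-shared key matches any peer address"),
    (r"^\s*(add|remove)\s+http://[^\s@]+@", "DDNS update over cleartext HTTP with credentials in the URL"),
    (r"\bpassword 0 \S+", "type-0 (cleartext) password stored in the config"),
    (r"^\s*ppp authentication pap\b", "PAP sends the PPPoE password in cleartext"),
]


def audit_lines(cfg: str) -> List[str]:
    """Apply the per-line rules and report each hit with its line number."""
    findings: List[str] = []
    for n, line in enumerate(cfg.splitlines(), 1):
        for pattern, msg in WEAK_LINE_RULES:
            if re.search(pattern, line):
                findings.append(f"line {n}: {msg}: {line.strip()}")
    return findings


def audit_isakmp_policies(cfg: str) -> List[str]:
    """Flag ISAKMP policies that inherit the IOS defaults (des, sha, group 1) or a small DH group."""
    policies: Dict[str, Dict[str, str]] = {}
    current = None
    for line in cfg.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = m.group(1)
            policies[current] = {}
        elif line.startswith(" ") and current is not None:
            parts = line.split()
            policies[current][parts[0]] = " ".join(parts[1:])
        else:
            current = None  # any other global line ends the policy block
    findings: List[str] = []
    for pid, attrs in policies.items():
        if "encryption" not in attrs:
            findings.append(f"isakmp policy {pid}: no 'encryption' line, so IOS defaults to des")
        if "hash" not in attrs:
            findings.append(f"isakmp policy {pid}: no 'hash' line, so IOS defaults to sha (SHA-1)")
        group = attrs.get("group", "1")
        if group in ("1", "2", "5"):
            findings.append(f"isakmp policy {pid}: DH group {group} is below the 2048-bit group 14")
    return findings


def audit(cfg: str) -> List[str]:
    """Full audit: per-line weaknesses plus ISAKMP policy checks."""
    return audit_lines(cfg) + audit_isakmp_policies(cfg)
```

`audit(SAMPLE_CONFIG)` lists thirteen findings for the lab values, `audit(HARDENED_CONFIG)` none; the same rules can be run over the Branch2 config, which shares the DES/MD5 transform set and a default-only ISAKMP policy.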