DMVPN+EZVPN
Following our last meeting we have a basic picture of your company's network. DMVPN imposes some requirements and restrictions on equipment and protocols (DMVPN is built on mGRE; see the notes below). Your Suzhou headquarters has one Internet uplink terminated on a router, so the router can be used as the DMVPN hub; alternatively, an ASA can be deployed with Easy VPN (EzVPN) as a fallback to connect the branches to headquarters.
Notes:
★ GRE tunnels are supported only on routers, not on VPN concentrators, PIX or ASA (a limitation of the security architecture of the ASA/PIX itself).
★ GRE can carry IP, DECnet, IPX and AppleTalk.
★ GRE comes in two forms: point-to-point GRE and multipoint GRE (mGRE).
★ Point-to-point GRE can only be established between two routers.
★ Multipoint GRE (mGRE) can also be established among more than two routers.
★ Point-to-point GRE supports IP unicast, multicast, IGP dynamic routing protocols and non-IP protocols.
★ Multipoint GRE (mGRE) supports only unicast, multicast and dynamic IGP routing protocols; it does not support non-IP protocols.
Example DMVPN configuration with the Suzhou headquarters router as hub and the Shanghai and Nantong routers as spokes (irrelevant configuration omitted). Note that the example uses one wildcard pre-shared key (cisco123 for address 0.0.0.0 0.0.0.0) and a 3DES/MD5 transform set: any Internet host that learns that key can bring up a tunnel to the hub, so for production use per-peer keys or certificates, an AES/SHA transform set, and restrict the hub's public interface to IKE/ESP from known spokes.
Suzhou router (hub) configuration:
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 ! transport mode as on the Shanghai spoke, so every peer negotiates the same mode
 mode transport
!
crypto ipsec profile cisco
 ! 120 s is a lab value; the IOS default is 3600 s, and such a short lifetime forces a rekey every two minutes
 set security-association lifetime seconds 120
 set transform-set strong
!
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 no ip split-horizon eigrp 90
 no ip next-hop-self eigrp 90
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile cisco
!
interface FastEthernet0/0
 ip address 209.168.202.225 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 1.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 90
 network 1.1.1.0 0.0.0.255
 network 192.168.1.0
 no auto-summary
!
! HTTP management is not needed for DMVPN; on an Internet-facing router disable it or restrict it with an access class
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 209.168.202.226
Shanghai router (spoke) configuration:
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile cisco
 set security-association lifetime seconds 120
 set transform-set strong
!
no voice hpi capture buffer
no voice hpi capture destination
!
interface Tunnel0
 ip address 192.168.1.3 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ! static NHRP mapping of the hub's tunnel address to its public (NBMA) address
 ip nhrp map 192.168.1.1 209.168.202.225
 ip nhrp map multicast 209.168.202.225
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp nhs 192.168.1.1
 no ip split-horizon eigrp 90
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile cisco
!
interface FastEthernet0/0
 ip address 209.168.202.130 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 3.3.3.3 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 90
 network 3.3.3.0 0.0.0.255
 network 192.168.1.0
 no auto-summary
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 209.168.202.225
ip route 2.2.2.0 255.255.255.0 Tunnel0
Nantong router (spoke) configuration:
! NOTE: the source lists Nantong with exactly the same tunnel, WAN and LAN addresses as Shanghai.
! Each spoke needs its own unique tunnel address in 192.168.1.0/24, its own public address and its own LAN
! (the Shanghai static route for 2.2.2.0/24 suggests Nantong's LAN); the duplicate values below must be replaced before deployment.
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 ! transport mode as on the Shanghai spoke, so every peer negotiates the same mode
 mode transport
!
crypto ipsec profile cisco
 set security-association lifetime seconds 120
 set transform-set strong
!
interface Tunnel0
 ip address 192.168.1.3 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp map 192.168.1.1 209.168.202.225
 ip nhrp map multicast 209.168.202.225
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile cisco
!
interface FastEthernet0/0
 ip address 209.168.202.130 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 3.3.3.3 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 90
 network 3.3.3.0 0.0.0.255
 network 192.168.1.0
 no auto-summary
!
ip http server
no ip http secure-server
ip classless
! no default route is shown for Nantong; like Shanghai it needs a route to the hub's public address
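Before pushing the three configs above to real routers, the things a reviewer checks by eye (matching NHRP network-id and authentication string, spoke NHS and NHRP map pointing at the hub's tunnel and public addresses, unique tunnel and WAN addresses per router, consistent transform-set mode, the wildcard PSK, legacy 3DES/MD5, the 120-second lifetime, HTTP management on the Internet-facing router) can be scripted. The following is an added example, not part of the original page or any Cisco tool: HUB and SHANGHAI are constructed copies of the configs above cut down to the lines the checks need, NANTONG is derived from SHANGHAI because the page lists it with Shanghai's addresses, and the device names, lint() API and severity labels are this example's own choices.

```python
"""Consistency linter for the hub/spoke DMVPN configs on this page (added example)."""
import re
from ipaddress import ip_interface

# Constructed inputs: trimmed copies of the page's configs (not a real running-config).
HUB = """\
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 set security-association lifetime seconds 120
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 ip nhrp authentication cisco123
 ip nhrp network-id 1
 tunnel source FastEthernet0/0
interface FastEthernet0/0
 ip address 209.168.202.225 255.255.255.0
ip http server
"""
SHANGHAI = """\
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
 set security-association lifetime seconds 120
interface Tunnel0
 ip address 192.168.1.3 255.255.255.0
 ip nhrp authentication cisco123
 ip nhrp map 192.168.1.1 209.168.202.225
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 tunnel source FastEthernet0/0
interface FastEthernet0/0
 ip address 209.168.202.130 255.255.255.0
ip http server
"""
# As on the page: Nantong repeats Shanghai's addresses and has no 'mode transport'.
NANTONG = SHANGHAI.replace(" mode transport\n", "")

# One anchored regex per field; group 1 is the value (presence alone matters for the last three).
FIELDS = {
    "nhrp_auth": r" ip nhrp authentication (\S+)",
    "nhrp_id": r" ip nhrp network-id (\d+)",
    "tunnel_src": r" tunnel source (\S+)",
    "nhs": r" ip nhrp nhs (\S+)",
    "algos": r"crypto ipsec transform-set \S+ (.+)",
    "lifetime": r" set security-association lifetime seconds (\d+)",
    "transport": r" (mode transport)",
    "wild_psk": r"crypto isakmp key \S+ address (0\.0\.0\.0 0\.0\.0\.0)",
    "http": r"(ip http server)",
}


def parse(cfg):
    """Extract interface addresses, NHRP mappings and the FIELDS above from one IOS config."""
    d, cur = {"ifaces": {}, "maps": {}}, None
    for line in cfg.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = m.group(1)
        elif m := re.match(r" ip address (\S+) (\S+)", line):
            d["ifaces"][cur] = ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r" ip nhrp map (\S+) (\S+)", line):
            d["maps"][m.group(1)] = m.group(2)  # NHS tunnel address -> NBMA (public) address
        for key, rx in FIELDS.items():
            if m := re.match(rx, line):
                d[key] = m.group(1)
    d["tunnel_ip"] = d["ifaces"].get("Tunnel0")
    d["wan_ip"] = d["ifaces"].get(d.get("tunnel_src"))  # address of the 'tunnel source' interface
    return d


def lint(configs, hub="hub"):
    """Return (severity, device, message) findings for a dict of device name -> config text."""
    p = {name: parse(cfg) for name, cfg in configs.items()}
    h, out = p[hub], []
    for name, d in p.items():
        if d.get("wild_psk"):
            out.append(("HIGH", name, "wildcard PSK: any host that learns the key can build a tunnel"))
        if re.search(r"3des|md5", d.get("algos", "")):
            out.append(("MED", name, f"legacy transform set '{d['algos']}'"))
        if int(d.get("lifetime", 3600)) < 600:
            out.append(("LOW", name, f"SA lifetime {d['lifetime']}s rekeys every few minutes"))
        if d.get("http"):
            out.append(("MED", name, "ip http server enabled on an Internet-facing router"))
        if name == hub:
            continue
        if bool(d.get("transport")) != bool(h.get("transport")):
            out.append(("MED", name, "transform-set mode differs from hub (transport vs tunnel)"))
        for key in ("nhrp_auth", "nhrp_id"):
            if d.get(key) != h.get(key):
                out.append(("HIGH", name, f"{key} differs from hub; NHRP registration will fail"))
        if d.get("nhs") != str(h["tunnel_ip"].ip):
            out.append(("HIGH", name, "ip nhrp nhs is not the hub tunnel address"))
        if d["maps"].get(d.get("nhs")) != str(h["wan_ip"].ip):
            out.append(("HIGH", name, "ip nhrp map for the NHS is not the hub tunnel source"))
        if d["tunnel_ip"] is None or d["tunnel_ip"].network != h["tunnel_ip"].network:
            out.append(("HIGH", name, "tunnel address is not in the hub tunnel subnet"))
    for field in ("tunnel_ip", "wan_ip"):  # every router needs its own addresses
        seen = {}
        for name, d in p.items():
            addr = d.get(field)
            if addr in seen:
                out.append(("HIGH", name, f"{field} {addr.ip} duplicates {seen[addr]}"))
            elif addr is not None:
                seen[addr] = name
    return out


if __name__ == "__main__":
    print(*lint({"hub": HUB, "shanghai": SHANGHAI, "nantong": NANTONG}), sep="\n")
```

Run against the page's own configs it reports the duplicated Nantong addresses and the transport/tunnel mismatch on Shanghai as HIGH/MED findings, alongside the wildcard PSK, 3DES/MD5, short lifetime and HTTP server on every device; once the Nantong addresses are made unique and the hub carries `mode transport`, only the crypto-hygiene findings remain.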