互联基本配置

!Internet:
!--- Stands in for the ISP: three directly connected /24 segments, with no
!--- routing protocol, ACL or NAT configured in this listing.
!---   f0/0 100.1.1.0/24 - Beijing-Center's outside link (peer 100.1.1.2)
!---   f1/0 210.1.1.0/24 - Shanghai's outside link (peer 210.1.1.2)
!---   f1/1 200.1.1.0/24 - no attached router is configured in this listing;
!---                       presumably the ShenZhen spoke (confirm).

conf t

int f0/0

ip add 100.1.1.1 255.255.255.0

no shut 

exit


int f1/0

ip add 210.1.1.1 255.255.255.0

no shut

exit


int f1/1

ip add 200.1.1.1 255.255.255.0

no shut

exit



!Beijing-Center:
!--- Base addressing, NAT roles and static routes for the Beijing hub router.

Route#


conf t

!--- f0/0 is the Internet-facing interface (NAT outside). The Easy VPN crypto
!--- map and the DMVPN tunnel source later in this listing use this interface,
!--- so it is the only interface that terminates IKE/IPsec from outside.
int f0/0

ip add 100.1.1.2 255.255.255.0

ip nat outside

no shut

exit

!--- f1/0 faces the Naton-Core switch (10.0.2.6) and is the NAT inside side.
int f1/0

ip add 10.0.2.5 255.255.255.0

ip nat inside

no shut

exit

!--- f1/1 is a /30 point-to-point link; the other usable address, 10.1.1.50,
!--- is configured on the Shanghai router's f1/1. No NAT role is set on it.
int f1/1

ip add 10.1.1.49 255.255.255.252

no shut

exit

!--- Default route to the Internet router; the 172.16.0.0/16 user range is
!--- reached through the Naton-Core switch.
ip route 0.0.0.0 0.0.0.0 100.1.1.1

ip route 172.16.0.0 255.255.0.0 10.0.2.6

!--- "per" is the abbreviated form of "permit"; the entry matches any IP
!--- traffic sourced from 172.16.0.0/16.
!--- NOTE(review): unlike the Shanghai router, no
!--- "ip nat inside source list internet ..." statement appears for this
!--- router in the listing, so this ACL is defined but never referenced here.
!--- Confirm whether the NAT rule was left out.
ip access-list extended internet

10 per ip 172.16.0.0 0.0.255.255 any

exit


Naton-Core#
!--- Beijing core switch: routed uplink to Beijing-Center plus VLANs 10 and 20.


conf t

!--- Uplink to Beijing-Center f1/0 (10.0.2.5).
int f0/0

ip add 10.0.2.6 255.255.255.0

no shut

exit

!--- Enable layer-3 forwarding and send everything unknown to Beijing-Center.
ip routing

ip route 0.0.0.0 0.0.0.0 10.0.2.5

!--- This "exit" leaves global configuration mode so that "vlan data"
!--- (VLAN database mode) is entered from privileged EXEC.
exit

!--- NOTE(review): only the VLANs are created. No VLAN interface or access
!--- port for the 172.16.0.0/16 range is shown for this switch, although
!--- Beijing-Center routes 172.16.0.0/16 here and the Shanghai Core switch has
!--- the equivalent "int vlan 20" / "int f1/15" steps. Confirm whether they
!--- were omitted.
vlan data

vlan 10

vlan 20

exit



PC2:

!--- Beijing test host (VPCS-style syntax: address/prefix, then gateway).
!--- NOTE(review): the gateway 172.18.2.1 lies outside this host's own
!--- 172.16.2.0/24 subnet; 172.18.2.1 is the Shanghai Core switch's VLAN 20
!--- address. Probably a copy-paste slip for a gateway in 172.16.2.0/24, but
!--- the listing shows no Beijing VLAN interface to confirm it against.
ip 172.16.2.230/24 172.18.2.1





!Shanghai branch:
!--- Base addressing, NAT overload and static routes for the Shanghai router.


conf t

!--- f0/0 is the Internet-facing interface (NAT outside) and, later in this
!--- listing, the DMVPN tunnel source.
int f0/0

ip add 210.1.1.2 255.255.255.0

ip nat outside

no shut

exit

!--- f1/0 faces the Shanghai Core switch (10.1.2.6) and is the NAT inside side.
int f1/0

ip add 10.1.2.5 255.255.255.0

ip nat inside

no shut

exit

!--- f1/1 is the /30 point-to-point link whose other end, 10.1.1.49, is
!--- Beijing-Center f1/1. No NAT role is set on it.
int f1/1

ip add 10.1.1.50 255.255.255.252

no shut

exit

!--- Default route to the Internet router; the 172.18.0.0/16 user range is
!--- reached through the Core switch.
ip route 0.0.0.0 0.0.0.0 210.1.1.1

ip route 172.18.0.0 255.255.0.0 10.1.2.6

!--- PAT: sources matched by ACL "internet" are translated to the f0/0
!--- address when they cross from a NAT inside to a NAT outside interface.
!--- Tunnel0 is not given a NAT role anywhere in this listing, so traffic
!--- routed into the DMVPN tunnel should leave untranslated (verify with
!--- "show ip nat translations").
ip nat inside source list internet int f0/0 overload

!--- "per" is the abbreviated form of "permit"; the entry matches any IP
!--- traffic sourced from 172.18.0.0/16.
ip access-list extended internet

10 per ip 172.18.0.0 0.0.255.255 any

exit




Core#
!--- Shanghai core switch: routed uplink, VLANs 10/20, the user gateway on
!--- VLAN 20 and one access port.

conf t

!--- Uplink to the Shanghai router's f1/0 (10.1.2.5).
int f0/0

ip add 10.1.2.6 255.255.255.0

no shut

exit

!--- Enable layer-3 forwarding and send everything unknown to the router.
ip routing

ip route 0.0.0.0 0.0.0.0 10.1.2.5

!--- Leave global configuration mode so "vlan data" (VLAN database mode) is
!--- entered from privileged EXEC.
exit

vlan data

vlan 10

vlan 20

exit

conf t

!--- VLAN 20 interface: default gateway for the 172.18.2.0/24 hosts.
int vlan 20 

ip add 172.18.2.1 255.255.255.0

no shut

exit

!--- NOTE(review): 10.1.2.193/24 is in the same 10.1.2.0/24 subnet as f0/0
!--- (10.1.2.6/24); IOS normally rejects overlapping interface subnets. The
!--- EIGRP wildcard masks used for Shanghai later in this listing (0.0.0.7 and
!--- 0.0.0.63) suggest /29 and /26 masks were intended - confirm. There is
!--- also no "no shut" on this interface.
int vlan 1

ip add 10.1.2.193 255.255.255.0

exit

!--- Access port for the test host, placed in VLAN 20.
int f1/15

switchport mode access

switchport access vlan 20

exit



PC2:

!--- Shanghai test host (VPCS-style syntax: address/prefix, then gateway).
!--- The gateway is the Core switch's VLAN 20 interface, 172.18.2.1.
ip 172.18.2.230/24 172.18.2.1




!======BeiJing-center=============EZVPN section===================================
!--- ("×××" elsewhere in this listing appears to be the hosting site's masking
!--- of the letters "VPN".)

!--- Local account checked by XAuth (via the "userauthen" list below).
!--- "password 0" stores the password unencrypted in the configuration, and
!--- here the password is identical to the username. Lab value only: outside a
!--- lab use "username ... secret" with a unique password, or an external AAA
!--- server. NOTE(review): the same local account may also be accepted for
!--- device logins on any line that authenticates against the local database -
!--- confirm the line configuration.
username cisco password 0 cisco

aaa new-model

!

!


!--- Xauth is configured for local authentication.


!--- "userauthen" (user login) and "naton" (group authorization) are the list
!--- names that the ISAKMP profile for Easy VPN clients refers to.
aaa authentication login userauthen local

aaa authorization network naton local 





!--- Create an ISAKMP policy for Phase 1 negotiations.

!--- This policy is for Easy VPN Clients.

!--- Security review of the values below:
!---   * No "encr" line, so the platform's default cipher applies (DES on
!---     many older IOS releases - confirm with "show crypto isakmp policy").
!---   * "hash md5" and "group 2" (1024-bit Diffie-Hellman) are legacy choices.
!---   * "authentication pre-share" relies on the group key, which is shared
!---     by every client in the group.
!--- Treat these as lab settings; where the platform and clients allow it,
!--- prefer AES, a SHA-2 hash and a larger DH group.


crypto isakmp policy 20

hash md5

authentication pre-share

group 2

exit

!



!--- VPN Client configuration for group "naton"

!--- (this name is configured in the VPN Client).

!--- "key" is the group pre-shared key. Here it is identical to the group
!--- name, which makes it trivially guessable; use a long random value outside
!--- a lab. dns/wins/domain are pushed to the client, and "pool" names the
!--- address pool ("ip local pool natonpool", defined later in this listing).



crypto isakmp client configuration group naton

key naton

dns 1.1.11.10 1.1.11.11

wins 1.1.11.12 1.1.11.13

domain cisco.com

pool natonpool

exit

 



!--- Profile for VPN Client connections: matches the "naton" group identity

!--- and defines the XAuth properties (user authentication against the
!--- "userauthen" list, group authorization against the "naton" list, and
!--- answering client address requests).
!--- NOTE(review): the profile name is shown with "×××", apparently the site's
!--- masking of "VPN". The name only has to match the "set isakmp-profile"
!--- reference in the dynamic crypto map; use a plain ASCII name when
!--- re-creating this configuration.


crypto isakmp profile ×××client

match identity group naton

client authentication list userauthen

isakmp authorization list naton

client configuration address respond

exit

 





!--- Create the Phase 2 policy for actual data encryption.

!--- Despite its name, "strong" combines 3DES with HMAC-MD5, both legacy
!--- algorithms; prefer AES with a SHA-based HMAC where the clients support it.
!--- NOTE(review): "mode transport" is only a request. Remote-access client
!--- sessions are normally negotiated in tunnel mode - verify the mode in use
!--- with "show crypto ipsec sa".

crypto ipsec transform-set strong esp-3des esp-md5-hmac 

 mode transport

exit

!






!--- This dynamic crypto map references the ISAKMP 

!--- profile for VPN Clients above.

!--- Reverse route injection is used to provide the 

!--- DMVPN networks access to any Easy VPN Client networks.


crypto dynamic-map dynmap 10

 set transform-set strong 

 set isakmp-profile ×××client

 reverse-route

exit

!

!



!--- Crypto map only references the dynamic crypto map above.

 

crypto map dynmap 1 ipsec-isakmp dynamic dynmap 

!




!--- Apply the crypto map on the Internet-facing interface, so Easy VPN
!--- clients terminate on the hub's outside address.
interface FastEthernet0/0

crypto map dynmap

exit

!



!--- Addresses handed to Easy VPN clients (21 addresses, .60 through .80).
!--- NOTE(review): 1.1.11.0/24 (also used for the DNS/WINS servers in the
!--- client group) is not used anywhere else in this lab and is not private
!--- address space; use a range you control when adapting this.
ip local pool natonpool 1.1.11.60 1.1.11.80









!=====BeiJing-center============DMVPN section=============================

!--- Keyring that defines the wildcard pre-shared key.

!--- "address 0.0.0.0 0.0.0.0" accepts the key from any peer address, so
!--- knowledge of this one string is all that authenticates a spoke. The
!--- listing also reuses the same value as the NHRP authentication string on
!--- Tunnel0. Lab value only: in production prefer certificate-based IKE
!--- authentication, or at least a long random key that is not reused.


crypto keyring dmvpnspokes 

pre-shared-key address 0.0.0.0 0.0.0.0 key naton123

exit

!


!--- Create an ISAKMP policy for Phase 1 negotiations.

!--- This policy is for DMVPN spokes.

!--- 3DES and MD5 are legacy algorithms, and with no "group" line the
!--- platform default Diffie-Hellman group applies (group 1 on older IOS
!--- releases - confirm with "show crypto isakmp policy").
!--- ISAKMP policies are global, not tied to an ISAKMP profile, so this
!--- policy and policy 20 are both on offer to every peer.


crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

exit

!





!--- Profile for LAN-to-LAN connection, references 

!--- the wildcard pre-shared key and a wildcard 

!--- identity (this is what is broken in 

!--- Cisco bug ID CSCea77140)

!--- and no XAuth.

!--- NOTE(review): the profile name is shown with "×××", apparently the
!--- site's masking of "VPN". It only has to match the "set isakmp-profile"
!--- line in the IPsec profile; use a plain ASCII name when re-creating this.

 

crypto isakmp profile DM×××

keyring dmvpnspokes

match identity address 0.0.0.0 

exit

!

!


!--- Phase 2 transform for the DMVPN tunnels: ESP with 3DES and HMAC-SHA.
!--- 3DES is a legacy cipher; prefer AES where all spokes support it.
!--- Transport mode is requested for the GRE-over-IPsec tunnels this
!--- transform set protects.
crypto ipsec transform-set naton-dm esp-3des esp-sha-hmac 

 mode transport

exit


!--- Create an IPsec profile to be applied dynamically to the 

!--- generic routing encapsulation (GRE) over IPsec tunnels.

!--- The 120-second SA lifetime forces a rekey every two minutes; that is
!--- convenient for watching negotiations in a lab but adds constant IKE load
!--- (the IOS default is 3600 seconds). "set isakmp-profile" binds the tunnels
!--- to the DMVPN ISAKMP profile and, through it, to the wildcard keyring.


crypto ipsec profile naton-dm-ips

set security-association lifetime seconds 120

set transform-set naton-dm 

set isakmp-profile DM×××

exit

!



!--- EIGRP AS 10 runs over the tunnel subnet (10.0.0.0/24) and the

!--- 10.0.2.0/29 inside link.
!--- NOTE(review): no Beijing-Center interface in 10.0.2.192/26 and no OSPF
!--- process 1 are shown in this listing, so that network statement and the
!--- "redistribute ospf 1" line refer to configuration not visible here.
!--- No EIGRP authentication is configured, so neighbor trust rests on the
!--- IPsec and NHRP shared secrets alone.



router eigrp 10

network 10.0.0.0 0.0.0.255

 network 10.0.2.0 0.0.0.7

 network 10.0.2.192 0.0.0.63

no auto-summary

redistribute ospf 1 metric 1000 100 255 1 1500



!--- Hub multipoint GRE tunnel; spokes register with it through NHRP and
!--- their tunnels are created dynamically.
interface Tunnel0

ip address 10.0.0.1 255.255.255.0

no ip redirects

!--- Reduced MTU leaves room for the GRE and IPsec headers.
ip mtu 1440

!--- The NHRP authentication string is a plain shared string, not a
!--- cryptographic key, and here it is the same value as the IKE pre-shared
!--- key. Use a different value so one does not disclose the other.
ip nhrp authentication naton123

!--- Replicate multicast (e.g. EIGRP hellos) to every registered spoke.
ip nhrp map multicast dynamic

ip nhrp network-id 1

ip nhrp holdtime 300

!--- Hub must re-advertise spoke routes out the same tunnel and keep the
!--- originating spoke as next hop so spokes can reach each other directly.
no ip split-horizon eigrp 10

no ip next-hop-self eigrp 10

tunnel source FastEthernet0/0

tunnel mode gre multipoint

!--- The tunnel key must be the same on the hub and every spoke.
tunnel key 0

!--- Encrypt all GRE traffic of this tunnel with the naton-dm-ips profile.
tunnel protection ipsec profile naton-dm-ips

exit

!




=====ShangHai============DMVPN部分=============================


!--- Create an ISAKMP policy for Phase 1 negotiations.

!--- This policy is for DMVPN spokes.

!--- It must match the hub's policy 10. 3DES and MD5 are legacy algorithms,
!--- and with no "group" line the platform default Diffie-Hellman group
!--- applies (group 1 on older IOS releases - confirm with
!--- "show crypto isakmp policy").


crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

exit

!



!

!--- Wildcard pre-shared key: accepted from any peer address, which is what
!--- lets this spoke build dynamic tunnels to other spokes, but also means
!--- knowledge of this one string is all that authenticates a peer. The same
!--- value is reused as the NHRP authentication string on Tunnel0. Lab value
!--- only; in production prefer certificate-based IKE authentication.
crypto isakmp key naton123 address 0.0.0.0 0.0.0.0


!--- Phase 2 transform: ESP with 3DES and HMAC-SHA, transport mode requested
!--- for the GRE-over-IPsec tunnels. 3DES is a legacy cipher.
crypto ipsec transform-set naton-dm esp-3des esp-sha-hmac 

 mode transport

exit


!--- Create an IPsec profile to be applied dynamically to the 

!--- generic routing encapsulation (GRE) over IPsec tunnels.

!--- The 120-second SA lifetime forces a rekey every two minutes (the IOS
!--- default is 3600 seconds); keep it only for lab observation.


crypto ipsec profile naton-dm-ips

set security-association lifetime seconds 120

set transform-set naton-dm 

exit



!--- EIGRP AS 10 over the tunnel subnet (10.0.0.0/24) and the 10.1.2.0/29
!--- inside link.
!--- NOTE(review): none of these network statements covers 172.18.0.0/16 and
!--- no redistribution is configured here, so from this listing alone the
!--- Shanghai user range would not be advertised across the tunnel - confirm
!--- how the hub is expected to learn it. No EIGRP authentication is
!--- configured either.
router eigrp 10

network 10.0.0.0 0.0.0.255

 network 10.1.2.0 0.0.0.7

 network 10.1.2.192 0.0.0.63

no auto-summary






!--- Spoke multipoint GRE tunnel towards the Beijing hub.
interface Tunnel0

ip address 10.0.0.2 255.255.255.0

no ip redirects

!--- Reduced MTU leaves room for the GRE and IPsec headers.
ip mtu 1440

!--- The NHRP authentication string is a plain shared string, not a
!--- cryptographic key, and here it equals the IKE pre-shared key. Use a
!--- different value so one does not disclose the other.
ip nhrp authentication naton123

!--- Static mapping of the hub's tunnel address (10.0.0.1) to its public
!--- address (100.1.1.2); multicast such as EIGRP hellos is sent to the hub.
ip nhrp map 10.0.0.1 100.1.1.2

ip nhrp map multicast 100.1.1.2

ip nhrp network-id 1

ip nhrp holdtime 300

!--- The hub is the next-hop server this spoke registers with.
ip nhrp nhs 10.0.0.1

tunnel source FastEthernet0/0

tunnel mode gre multipoint

!--- The tunnel key must be the same on the hub and every spoke.
tunnel key 0

!--- Encrypt all GRE traffic of this tunnel with the naton-dm-ips profile.
tunnel protection ipsec profile naton-dm-ips






=====ShenZhen============DMVPN部分=============================


!--- Create an ISAKMP policy for Phase 1 negotiations.

!--- This policy is for DMVPN spokes.

!--- It must match the hub's policy 10. 3DES and MD5 are legacy algorithms,
!--- and with no "group" line the platform default Diffie-Hellman group
!--- applies (group 1 on older IOS releases - confirm with
!--- "show crypto isakmp policy").
!--- NOTE(review): the ShenZhen router's interface addressing and default
!--- route are not included in this listing.


crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

exit

!



!

!--- Wildcard pre-shared key: accepted from any peer address, which is what
!--- lets this spoke build dynamic tunnels to other spokes, but also means
!--- knowledge of this one string is all that authenticates a peer. The same
!--- value is reused as the NHRP authentication string on Tunnel0. Lab value
!--- only; in production prefer certificate-based IKE authentication.
crypto isakmp key naton123 address 0.0.0.0 0.0.0.0


!--- Phase 2 transform: ESP with 3DES and HMAC-SHA, transport mode requested
!--- for the GRE-over-IPsec tunnels. 3DES is a legacy cipher.
crypto ipsec transform-set naton-dm esp-3des esp-sha-hmac 

 mode transport

exit


!--- Create an IPsec profile to be applied dynamically to the 

!--- generic routing encapsulation (GRE) over IPsec tunnels.

!--- The 120-second SA lifetime forces a rekey every two minutes (the IOS
!--- default is 3600 seconds); keep it only for lab observation.


crypto ipsec profile naton-dm-ips

set security-association lifetime seconds 120

set transform-set naton-dm 

exit



!--- EIGRP AS 10 over the tunnel subnet (10.0.0.0/24) and 3.3.3.0/24.
!--- NOTE(review): no interface in 3.3.3.0/24 is configured in this listing;
!--- presumably it is a local LAN or loopback on the ShenZhen router (confirm).
!--- No EIGRP authentication is configured.
router eigrp 10

network 3.3.3.0 0.0.0.255

network 10.0.0.0 0.0.0.255

no auto-summary





!--- Spoke multipoint GRE tunnel towards the Beijing hub.
interface Tunnel0

ip address 10.0.0.3 255.255.255.0

no ip redirects

!--- Reduced MTU leaves room for the GRE and IPsec headers.
ip mtu 1440

!--- The NHRP authentication string is a plain shared string, not a
!--- cryptographic key, and here it equals the IKE pre-shared key. Use a
!--- different value so one does not disclose the other.
ip nhrp authentication naton123

!--- Static mapping of the hub's tunnel address (10.0.0.1) to its public
!--- address (100.1.1.2); multicast such as EIGRP hellos is sent to the hub.
ip nhrp map 10.0.0.1 100.1.1.2

ip nhrp map multicast 100.1.1.2

ip nhrp network-id 1

ip nhrp holdtime 300

!--- The hub is the next-hop server this spoke registers with.
ip nhrp nhs 10.0.0.1

!--- NOTE(review): FastEthernet0/0 on this router is not addressed anywhere in
!--- the listing; presumably it sits on the Internet router's 200.1.1.0/24
!--- segment (confirm).
tunnel source FastEthernet0/0

tunnel mode gre multipoint

!--- The tunnel key must be the same on the hub and every spoke.
tunnel key 0

!--- Encrypt all GRE traffic of this tunnel with the naton-dm-ips profile.
tunnel protection ipsec profile naton-dm-ips