1. Topology (diagram not reproduced; reconstructed from the configuration below): hub R1 (LAN 10.1.1.0/24) sits behind PAT router R2 (public address 202.100.1.2), spoke 1 R5 (20.1.1.0/24) behind PAT router R4 (202.100.2.4), and spoke 2 R7 (30.1.1.0/24) behind PAT router R6 (202.100.3.6); R3 is the public transit router between the three PAT devices, so every DMVPN endpoint is behind NAT.
2. Basic interface configuration:
R1(config)#int f0/0
R1(config-if)#ip add 192.168.12.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#int l0
R1(config-if)#ip add 10.1.1.1 255.255.255.0
R2(config)#int e0/0
R2(config-if)#ip add 192.168.12.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#int e0/1
R2(config-if)#ip add 202.100.1.2 255.255.255.0
R2(config-if)#no sh
R3(config)#int f0/0
R3(config-if)#ip add 202.100.1.3 255.255.255.0
R3(config-if)#no sh
R3(config-if)#int f0/1
R3(config-if)#ip add 202.100.2.3 255.255.255.0
R3(config-if)#no sh
R4(config)#int e0/0
R4(config-if)#ip add 192.168.45.4 255.255.255.0
R4(config-if)#no sh
R4(config-if)#int e0/1
R4(config-if)#ip add 202.100.2.4 255.255.255.0
R4(config-if)#no sh
R5(config)#int f0/0
R5(config-if)#ip add 192.168.45.5 255.255.255.0
R5(config-if)#no sh
R5(config-if)#int l0
R5(config-if)#ip add 20.1.1.5 255.255.255.0
R6(config)#int e0/0
R6(config-if)#ip add 192.168.67.6 255.255.255.0
R6(config-if)#no sh
R6(config-if)#int e0/1
R6(config-if)#ip add 202.100.3.6 255.255.255.0
R6(config-if)#no sh
R7(config)#int f0/0
R7(config-if)#ip add 192.168.67.7 255.255.255.0
R7(config-if)#no sh
R7(config-if)#int l0
R7(config-if)#ip add 30.1.1.7 255.255.255.0
3. Static route configuration:
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.12.2
R2(config)#ip route 0.0.0.0 0.0.0.0 202.100.1.3
R2(config)#ip route 10.1.1.0 255.255.255.0 192.168.12.1
R4(config)#ip route 0.0.0.0 0.0.0.0 202.100.2.3
R4(config)#ip route 20.1.1.0 255.255.255.0 192.168.45.5
R5(config)#ip route 0.0.0.0 0.0.0.0 192.168.45.4
R6(config)#ip route 0.0.0.0 0.0.0.0 202.100.3.3
R6(config)#ip route 30.1.1.0 255.255.255.0 192.168.67.7
4. PAT configuration:
A. Dynamic PAT:
R2(config)#ip access-list extended nat
R2(config-ext-nacl)#permit ip 192.168.12.0 0.0.0.255 any
R2(config-ext-nacl)#permit ip 10.1.1.0 0.0.0.255 any
R2(config-ext-nacl)#int e0/0
R2(config-if)#ip nat inside
R2(config-if)#int e0/1
R2(config-if)#ip nat outside
R2(config-if)#exit
R2(config)#ip nat inside source list nat interface e0/1
R4(config)#ip access-list extended nat
R4(config-ext-nacl)#permit ip 192.168.45.0 0.0.0.255 any
R4(config-ext-nacl)#permit ip 20.1.1.0 0.0.0.255 any
R4(config-ext-nacl)#int e0/0
R4(config-if)#ip nat inside
R4(config-if)#int e0/1
R4(config-if)#ip nat outside
R4(config-if)#exit
R4(config)#ip nat inside source list nat interface e0/1
R6(config)#ip access-list extended nat
R6(config-ext-nacl)#permit ip 192.168.67.0 0.0.0.255 any
R6(config-ext-nacl)#permit ip 30.1.1.0 0.0.0.255 any
R6(config-ext-nacl)#int e0/0
R6(config-if)#ip nat inside
R6(config-if)#int e0/1
R6(config-if)#ip nat outside
R6(config-if)#exit
R6(config)#ip nat inside source list nat interface e0/1
B. Static PAT (each PAT router forwards IKE UDP/500 and NAT-T UDP/4500 to its inside DMVPN router):
R2(config)#ip nat inside source static udp 192.168.12.1 500 interface e0/1 500
R2(config)#ip nat inside source static udp 192.168.12.1 4500 interface e0/1 4500
R4(config)#ip nat inside source static udp 192.168.45.5 500 interface e0/1 500
R4(config)#ip nat inside source static udp 192.168.45.5 4500 interface e0/1 4500
R6(config)#ip nat inside source static udp 192.168.67.7 500 interface e0/1 500
R6(config)#ip nat inside source static udp 192.168.67.7 4500 interface e0/1 4500
5. DMVPN configuration:
A. Hub (R1):
① Phase 1 (ISAKMP policy):
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#hash md5
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#group 2
R1(config-isakmp)#exit
R1(config)#crypto isakmp key 0 cisco address 0.0.0.0
② Phase 2 (IPsec transform set, matching the spokes' esp-3des esp-md5-hmac set):
R1(config)#crypto ipsec transform-set transet esp-3des esp-md5-hmac
R1(cfg-crypto-trans)#mode transport
③ IPsec profile (binds the phase-2 policy):
R1(config)#crypto ipsec profile ipsecpro
R1(ipsec-profile)#set transform-set transet
④ Tunnel interface configuration (mGRE on Tunnel0):
R1(config)#int tunnel 0
R1(config-if)#ip add 172.16.1.1 255.255.255.0
R1(config-if)#ip nhrp authentication ccnpsec
R1(config-if)#ip nhrp map multicast dynamic
R1(config-if)#ip nhrp network-id 172
R1(config-if)#ip nhrp cache non-authoritative
R1(config-if)#tunnel source FastEthernet0/0
R1(config-if)#tunnel mode gre multipoint
R1(config-if)#tunnel key 12345
R1(config-if)#tunnel protection ipsec profile ipsecpro
B. Spokes (R5 and R7; the following is applied on both):
① Phase 1:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
② Phase 2:
crypto ipsec transform-set transet esp-3des esp-md5-hmac
mode transport
③ IPsec profile binding the phase-2 policy:
crypto ipsec profile ipsecpro
set transform-set transet
④ Tunnel interface configuration (R5, spoke 1):
interface Tunnel0
ip address 172.16.1.5 255.255.255.0
ip mtu 1400
ip nhrp authentication ccnpsec
ip nhrp map 172.16.1.1 202.100.1.2
ip nhrp map multicast 202.100.1.2
ip nhrp network-id 172
ip nhrp nhs 172.16.1.1
ip nhrp cache non-authoritative
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 12345
tunnel protection ipsec profile ipsecpro
R7 (spoke 2):
interface Tunnel0
ip address 172.16.1.7 255.255.255.0
ip mtu 1400
ip nhrp authentication ccnpsec
ip nhrp map 172.16.1.1 202.100.1.2
ip nhrp map multicast 202.100.1.2
ip nhrp network-id 172
ip nhrp nhs 172.16.1.1
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 12345
tunnel protection ipsec profile ipsecpro
C. Dynamic routing configuration (EIGRP 10 over the tunnel):
R1(config)#router eigrp 10
R1(config-router)#no auto-summary
R1(config-router)#network 172.16.1.0 0.0.0.255
R1(config-router)#net 192.168.12.0 0.0.0.255
R5(config)#router eigrp 10
R5(config-router)#no auto-summary
R5(config-router)#net 172.16.1.0 0.0.0.255
R5(config-router)#net 192.168.45.0 0.0.0.255
R7(config)#router eigrp 10
R7(config-router)#no auto-summary
R7(config-router)#net 172.16.1.0 0.0.0.255
R7(config-router)#net 192.168.67.0 0.0.0.255
Hub routing optimization (on the hub's Tunnel0, so spokes receive each other's prefixes with the real spoke as next hop, which is what allows the spoke-to-spoke tunnel to form):
interface Tunnel0
no ip next-hop-self eigrp 10
no ip split-horizon eigrp 10
6. Verification:
A. Spoke 2 (R7) pings spoke 1 (R5):
R7#ping 20.1.1.5 source l0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.5, timeout is 2 seconds:
Packet sent with a source address of 30.1.1.7
!!!.!
Success rate is 80 percent (4/5), round-trip min/avg/max = 372/537/648 ms
B. The spoke unexpectedly has three phase-1 ISAKMP SAs (one to the hub's public address and two with the other spoke, one initiated from each side):
R7#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state     conn-id  slot  status
202.100.2.4     192.168.67.7    QM_IDLE      1003     0  ACTIVE
192.168.67.7    202.100.2.4     QM_IDLE      1002     0  ACTIVE
202.100.1.2     192.168.67.7    QM_IDLE      1001     0  ACTIVE
R5#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state     conn-id  slot  status
202.100.1.2     192.168.45.5    QM_IDLE      1001     0  ACTIVE
202.100.3.6     192.168.45.5    QM_IDLE      1002     0  ACTIVE
192.168.45.5    202.100.3.6     QM_IDLE      1003     0  ACTIVE
C. Spoke encryption/decryption counters (the spoke-to-spoke IPsec SAs, IDs 7 and 8, have carried nothing yet):
R7#show crypto engine conn act
Crypto Engine Connections
  ID  Interface  Type   Algorithm  Encrypt  Decrypt  IP-Address
   1  Tu0        IPsec  3DES+MD5         0      146  192.168.67.7
   2  Tu0        IPsec  3DES+MD5       138        0  192.168.67.7
   7  Fa0/0      IPsec  3DES+MD5         0        0  192.168.67.7
   8  Fa0/0      IPsec  3DES+MD5         0        0  192.168.67.7
1001  Tu0        IKE    MD5+3DES         0        0  192.168.67.7
1002  Fa0/0      IKE    MD5+3DES         0        0  192.168.67.7
1003  Tu0        IKE    MD5+3DES         0        0  192.168.67.7
R5#show crypto engine connections active
Crypto Engine Connections
  ID  Interface  Type   Algorithm  Encrypt  Decrypt  IP-Address
   1  Tu0        IPsec  3DES+MD5         0      335  192.168.45.5
   2  Tu0        IPsec  3DES+MD5       329        0  192.168.45.5
   7  Tu0        IPsec  3DES+MD5         0        0  192.168.45.5
   8  Tu0        IPsec  3DES+MD5         0        0  192.168.45.5
1001  Tu0        IKE    MD5+3DES         0        0  192.168.45.5
1002  Tu0        IKE    MD5+3DES         0        0  192.168.45.5
1003  Fa0/0      IKE    MD5+3DES         0        0  192.168.45.5
D. Spoke 2 pings spoke 1 again:
R7#ping 20.1.1.5 source l0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.5, timeout is 2 seconds:
Packet sent with a source address of 30.1.1.7
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 124/262/372 ms
E. Spoke encryption/decryption counters after the second ping (the five echoes now ride the direct spoke-to-spoke SAs, IDs 7 and 8):
R7#show crypto engine conn act
Crypto Engine Connections
  ID  Interface  Type   Algorithm  Encrypt  Decrypt  IP-Address
   1  Tu0        IPsec  3DES+MD5         0      151  192.168.67.7
   2  Tu0        IPsec  3DES+MD5       144        0  192.168.67.7
   7  Fa0/0      IPsec  3DES+MD5         0        5  192.168.67.7
   8  Fa0/0      IPsec  3DES+MD5         5        0  192.168.67.7
1001  Tu0        IKE    MD5+3DES         0        0  192.168.67.7
1002  Fa0/0      IKE    MD5+3DES         0        0  192.168.67.7
1003  Tu0        IKE    MD5+3DES         0        0  192.168.67.7
R5#show crypto engine connections active
Crypto Engine Connections
  ID  Interface  Type   Algorithm  Encrypt  Decrypt  IP-Address
   1  Tu0        IPsec  3DES+MD5         0      355  192.168.45.5
   2  Tu0        IPsec  3DES+MD5       349        0  192.168.45.5
   7  Tu0        IPsec  3DES+MD5         0        5  192.168.45.5
   8  Tu0        IPsec  3DES+MD5         5        0  192.168.45.5
1001  Tu0        IKE    MD5+3DES         0        0  192.168.45.5
1002  Tu0        IKE    MD5+3DES         0        0  192.168.45.5
1003  Fa0/0      IKE    MD5+3DES         0        0  192.168.45.5
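An added example, not part of the lab writeup, that turns the counter check above into a script: it parses two snapshots of R7's "show crypto engine connections active" output, reports which IPsec SAs carried traffic between them, flags the SAs that went from idle to active (the new spoke-to-spoke pair), and lists connections still negotiated with 3DES/MD5. The snapshot rows are copied from the output above; the regular expression and the column layout it assumes are mine.

```python
import re

# Two snapshots of R7's "show crypto engine connections active" copied from the
# lab output above: before and after the second spoke-to-spoke ping.
BEFORE = """\
1 Tu0 IPsec 3DES+MD5 0 146 192.168.67.7
2 Tu0 IPsec 3DES+MD5 138 0 192.168.67.7
7 Fa0/0 IPsec 3DES+MD5 0 0 192.168.67.7
8 Fa0/0 IPsec 3DES+MD5 0 0 192.168.67.7
1002 Fa0/0 IKE MD5+3DES 0 0 192.168.67.7
"""
AFTER = """\
1 Tu0 IPsec 3DES+MD5 0 151 192.168.67.7
2 Tu0 IPsec 3DES+MD5 144 0 192.168.67.7
7 Fa0/0 IPsec 3DES+MD5 0 5 192.168.67.7
8 Fa0/0 IPsec 3DES+MD5 5 0 192.168.67.7
1002 Fa0/0 IKE MD5+3DES 0 0 192.168.67.7
"""
# One connection row (assumed layout): ID, interface, type, algorithm, encrypt, decrypt, address.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(IPsec|IKE)\s+(\S+)\s+(\d+)\s+(\d+)\s+\S+$")
LEGACY = {"DES", "3DES", "MD5"}  # primitives that should not appear in a new design

def parse(output):
    """Map connection ID -> {intf, type, alg, enc, dec} for every matching row."""
    rows = {}
    for m in filter(None, map(ROW.match, output.splitlines())):
        cid, intf, typ, alg, enc, dec = m.groups()
        rows[int(cid)] = dict(intf=intf, type=typ, alg=alg, enc=int(enc), dec=int(dec))
    return rows

def ipsec_deltas(before, after):
    """IPsec SAs whose counters moved between snapshots: {id: (d_enc, d_dec)}."""
    b, a = parse(before), parse(after)
    zero = {"enc": 0, "dec": 0}
    deltas = {cid: (r["enc"] - b.get(cid, zero)["enc"], r["dec"] - b.get(cid, zero)["dec"])
              for cid, r in a.items() if r["type"] == "IPsec"}
    return {cid: d for cid, d in deltas.items() if d != (0, 0)}

def newly_used(before, after):
    """SAs idle (0/0) or absent before that carried traffic after: the new spoke-to-spoke pair."""
    b = parse(before)
    return sorted(cid for cid in ipsec_deltas(before, after)
                  if not (b.get(cid, {}).get("enc") or b.get(cid, {}).get("dec")))

def legacy_algorithm_ids(output):
    """Connection IDs still negotiated with deprecated primitives (3DES/MD5)."""
    return sorted(cid for cid, r in parse(output).items()
                  if LEGACY & set(r["alg"].split("+")))
```

Running the same diff on R5's two snapshots gives the mirror image (IDs 7 and 8 go from 0/0 to 5 decrypted and 5 encrypted), which confirms the direct path from both ends.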