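1. Topology:
The Internet router is simulated as a DNS server. In a real environment, a PC on the internal network would act as the DDNS client and automatically register its domain name on the public network at boot.
Related link: http://xrmjjz.blog.51cto.com/blog/3689370/683538
2. Basic interface configuration:
See: http://333234.blog.51cto.com/323234/912231
3. Static route configuration:
See: http://333234.blog.51cto.com/323234/912231
4. PAT configuration:
See: http://333234.blog.51cto.com/323234/912231
5. DNS server and client configuration:
R3: DNS Server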
ip domain name cisco.com
ip domain lookup
ip dns server
ip host R4.cisco.com 202.100.2.4
ip host R2.cisco.com 202.100.1.2
R1, R5: DNS Client
ip domain name cisco.com
ip domain lookup
ip name-server 202.100.1.3
6. VPN configuration:
A. Phase 1:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0
B. Phase 2:
crypto ipsec transform-set transet esp-3des esp-sha-hmac
C. Interesting traffic and crypto map (crymap):
R1(config)#ip access-list extended vpn
R1(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
R1(config-ext-nacl)#exit
R1(config)#crypto map crymap 10 ipsec-isakmp
R1(config-crypto-map)#set peer R4 dynamic
R1(config-crypto-map)#set transform-set transet
R1(config-crypto-map)#match address vpn
R5(config)#ip access-list extended vpn
R5(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
R5(config-ext-nacl)#exit
R5(config)#crypto map crymap 10 ipsec-isakmp
R5(config-crypto-map)#set peer R2 dynamic
R5(config-crypto-map)#set transform-set transet
R5(config-crypto-map)#match address vpn
D. Apply crymap to the physical interface:
R1(config-crypto-map)#int f0/0
R1(config-if)#crypto map crymap
R5(config-crypto-map)#int f0/0
R5(config-if)#crypto map crymap
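
An added example, not part of the original post: a small Python check that audits running-config style text for the parameter choices made in sections 6.A to 6.C (3DES, MD5, DH group 2, a pre-shared key bound to address 0.0.0.0) and for crypto map entries that lack `set peer`, `set transform-set` or `match address`. The `audit` function, the sample text and the weak-parameter lists are assumptions of this example.

```python
import re

# Constructed sample modelled on R5's section 6 commands; "match address" is left out on purpose.
SAMPLE = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0
crypto ipsec transform-set transet esp-3des esp-sha-hmac
crypto map crymap 10 ipsec-isakmp
 set peer R2 dynamic
 set transform-set transet
"""

# Assumed audit policy for this example, not something the page states.
WEAK_POLICY = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}
REQUIRED = ("set peer", "set transform-set", "match address")

def audit(config):
    """Return sorted findings for running-config style text (sub-commands indented)."""
    findings, maps, block = [], {}, None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        line = " ".join(words)
        if not raw[0].isspace():  # a top-level command ends the previous block
            block = None
            if m := re.match(r"crypto isakmp policy (\d+)$", line):
                block = ("policy", m.group(1))
            elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
                block = ("map", f"{m.group(1)} {m.group(2)}")
                maps.setdefault(block[1], set())
            elif re.match(r"crypto isakmp key .+ address 0\.0\.0\.0\b", line):
                findings.append("wildcard pre-shared key (any peer address)")
            elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
                for t in WEAK_TRANSFORMS & set(m.group(2).split()):
                    findings.append(f"transform-set {m.group(1)}: weak {t}")
        elif block and block[0] == "policy":
            if len(words) > 1 and words[1] in WEAK_POLICY.get(words[0], ()):
                findings.append(f"isakmp policy {block[1]}: weak {words[0]} {words[1]}")
        elif block and block[0] == "map":
            maps[block[1]].update(r for r in REQUIRED if line.startswith(r + " "))
    for name, seen in maps.items():
        findings += [f"crypto map {name}: missing '{r}'" for r in REQUIRED if r not in seen]
    return sorted(findings)
```

Calling `audit(SAMPLE)` returns six findings: three for the ISAKMP policy, one for the transform set, one for the wildcard key and one for the crypto map entry without `match address`.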