被误解的TED

看见几次有人说TED，引擎搜索都困难。
终于让我搜出来是Tunnel End-Point Discovery的缩写。
我就认真的研读一番，发现某些人给人家的建议实在不妥，你真搞清楚它了。
首先它是思科私有协议，只在IOS下运行，你说ASA能行吗？！
其次它只能运行在外网IP在同一网段的环境，真是鸡肋，搞这个有用吗！
还用继续下去吗？我没感到有什么实用价值。
难怪搜索引擎都不收入，没人用嘛。
不过终于学习了一点东西，上次有人问那个discover干吗用的，本人很老实的说没用过，不知道。现在知道它的出处了，不过我就纳闷了，很多地方看见有人用这个指令，根本就是无的放矢嘛。也不知道谁先开的头。
以后谁在提TED，我就要问TED到底懂了没？！

下面转帖思科的案例配置
Building configuration...

Current configuration : 1426 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Daphne
!
boot system flash  c2600-jk9s-mz.122-27.bin


enable password cisco
!

memory-size iomem 10
ip subnet-zero
!
!
no ip domain-lookup
!
!
!
!

!--- Defines the IKE policy. While using TED, the peer
!--- address associated with the pre-shared key should be defined as wildcard
!--- in the IKE policy, to authenticate any discovered peer.
         
crypto isakmp policy 10
authentication pre-share
crypto isakmp key abc123 address 0.0.0.0 0.0.0.0
!
!

!--- Defines the transform to use for IPsec SAs.

crypto ipsec transform-set ted-transforms esp-des esp-md5-hmac
!

!--- Defines a dynamic crypto map to use for establishing IPsec SAs.

crypto dynamic-map ted-map 10
set transform-set ted-transforms
match address 101
!
!

!--- The 'discover' keyword used with the dynamic crypto map
!--- enables peer discovery.

crypto map tedtag 10 ipsec-isakmp dynamic ted-map discover
!


!
interface FastEthernet0/0
ip address 11.11.11.1 255.255.255.0
duplex auto
speed auto
crypto map tedtag
!
interface FastEthernet0/1
ip address 13.13.13.13 255.255.255.0
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 11.11.11.2
ip http server

!
!
!

!--- Defines the traffic to be encrypted using IPsec.

access-list 101 permit ip 13.13.13.0 0.0.0.255 12.12.12.0 0.0.0.255

!
!

!--- Output is suppressed.


!
!


line con 0
line aux 0
line vty 0 4

login
!
end


Building configuration...

Current configuration : 1295 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname fred
!
boot system flash  c2600-jk9s-mz.122-27.bin


!
memory-size iomem 10
ip subnet-zero
!
!
!
!
!
!

!--- Defines the IKE policy. While using TED, the peer
!--- address associated with the pre-shared key should be defined as wildcard
!--- in the IKE policy, to authenticate any discovered peer.

crypto isakmp policy 10
authentication pre-share
crypto isakmp key abc123 address 0.0.0.0 0.0.0.0
!
!

!--- Defines the transform to use for IPsec SAs.

crypto ipsec transform-set ted-transforms esp-des esp-md5-hmac
!

!--- Defines a dynamic crypto map used to establish IPsec SAs.

crypto dynamic-map ted-map 10
set transform-set ted-transforms
match address 101
!
!

!--- The 'discover' keyword used with the dynamic crypto map
!--- enables peer discovery.

crypto map tedtag 10 ipsec-isakmp dynamic ted-map discover
!

!
!
interface FastEthernet0/0
ip address 11.11.11.2 255.255.255.0
duplex auto
speed auto
crypto map tedtag
!
interface FastEthernet0/1
ip address 12.12.12.12 255.255.255.0
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 11.11.11.1
ip http server

!         
!
!

!--- Defines the traffic encrypted using IPsec.

access-list 101 permit ip 12.12.12.0 0.0.0.255 13.13.13.0 0.0.0.255

!
!

!--- Output is suppressed.


!
line con 0
line aux 0
line vty 0 4
login   
!
end[/quote]