SPOKE1, SPOKE2 and VPN-gateway are the border routers of network C; each router's loopback0 interface simulates a PC inside the enterprise. The IGP running in network C is OSPF, and CE2 is the OSPF DR. To keep the OSPF neighbor relationships, and therefore the OSPF database, from getting out of sync, the ospf priority on the tunnel 0 interfaces of CE1 and CE2 is set to 0 so they can never be elected DR. The OSPF network type on each branch's tunnel 0 interface is set to broadcast (the default OSPF network type is point-to-multipoint); only then does a branch router install the right branch as the next hop in its route to the destination prefix, so branch-to-branch traffic is sent and received directly instead of being relayed through the VPN gateway, and spoke-to-spoke IPsec VPN connections can be established dynamically. If network C used a distance-vector routing protocol, split horizon would have to be disabled so that the hub router could re-advertise routing updates out of the same mGRE interface on which it received them. A link-state routing protocol determines the appropriate next hop on its own (with network type broadcast). VPN-gateway is the NHRP NHS.
SPOKE1 configuration
SPOKE1#sh run
Building configuration...

Current configuration : 1879 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SPOKE1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xinjialove address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set xinjialove esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile xinjialove
 set transform-set xinjialove
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco
 ip nhrp map 192.168.1.2 172.16.2.2
 ip nhrp map multicast 172.16.2.2
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.2
 ip nhrp cache non-authoritative
 ip ospf network broadcast
 ip ospf priority 0
 tunnel source Serial1/1
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile xinjialove
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 ip address 172.16.1.1 255.255.255.0
 serial restart-delay 0
 clock rate 000
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface FastEthernet2/0
 no ip address
 shutdown
 duplex half
!
router ospf 1
 log-adjacency-changes
 network 1.1.1.1 0.0.0.0 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 Serial1/1
no ip http server
no ip http secure-server
!
logging alarm informational
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
!
end
SPOKE1#
SPOKE2 configuration
SPOKE2#sh run
Building configuration...

Current configuration : 1854 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SPOKE2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xinjialove address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set xinjialove esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile xinjialove
 set transform-set xinjialove
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Tunnel0
 ip address 192.168.1.3 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco
 ip nhrp map 192.168.1.2 172.16.2.2
 ip nhrp map multicast 172.16.2.2
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.2
 ip nhrp cache non-authoritative
 ip ospf network broadcast
 ip ospf priority 0
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile xinjialove
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface Serial1/0
 ip address 172.16.3.1 255.255.255.0
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface FastEthernet2/0
 no ip address
 shutdown
 duplex half
!
router ospf 1
 log-adjacency-changes
 network 3.3.3.3 0.0.0.0 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 Serial1/0
no ip http server
no ip http secure-server
!
logging alarm informational
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
end
SPOKE2#
VPN-gateway configuration
VPN-gateway#sh run
Building configuration...

Current configuration : 1829 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN-gateway
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xinjialove address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set xinjialove esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile xinjialove
 set transform-set xinjialove
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Tunnel0
 ip address 192.168.1.2 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.2
 ip nhrp cache non-authoritative
 ip ospf network broadcast
 ip ospf priority 100
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile xinjialove
!
interface FastEthernet0/0
 ip address 172.16.2.2 255.255.255.0
 duplex half
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface FastEthernet2/0
 no ip address
 shutdown
 duplex half
!
router ospf 1
 log-adjacency-changes
 network 2.2.2.2 0.0.0.0 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 172.16.2.1
no ip http server
no ip http secure-server
!
logging alarm informational
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
end
VPN-gateway#
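The three DMVPN routers share the same crypto settings, and the introduction relies on a handful of tunnel settings (ospf priority 0 on the spokes, network type broadcast, an NHS on every spoke, tunnel protection). The script below is an added example written for this page, not part of the lab; it parses an IOS-style running configuration into sections and reports both the tunnel settings the design depends on and the weak crypto choices visible in these configs (DES transform, MD5 hashing, an ISAKMP policy with no explicit encryption, which on IOS defaults to DES, and a pre-shared key bound to the wildcard address 0.0.0.0 0.0.0.0, which any peer that knows the key may use). The sample text is SPOKE1's configuration re-indented the way IOS prints it; the finding codes and the `role` parameter are my own.

```python
"""Audit a DMVPN router config for the settings the lab depends on and for
weak crypto. Added example, not part of the original lab."""

# Constructed sample: the DMVPN-relevant lines of SPOKE1, re-indented.
SPOKE1_CONFIG = """\
hostname SPOKE1
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xinjialove address 0.0.0.0 0.0.0.0
crypto ipsec transform-set xinjialove esp-des esp-md5-hmac
 mode transport
crypto ipsec profile xinjialove
 set transform-set xinjialove
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 ip nhrp authentication cisco
 ip nhrp map 192.168.1.2 172.16.2.2
 ip nhrp map multicast 172.16.2.2
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.2
 ip ospf network broadcast
 ip ospf priority 0
 tunnel source Serial1/1
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile xinjialove
"""

# Transforms a current deployment should not use (56-bit DES, 3DES, MD5, NULL).
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def parse_sections(text):
    """Group an IOS config into (header, [sub-commands]) blocks.
    Top-level commands without children become (line, [])."""
    sections = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):
            if sections:
                sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections


def audit_dmvpn_config(text, role):
    """role is 'spoke' or 'hub' (my own labels). Returns sorted finding codes."""
    findings = set()
    for header, body in parse_sections(text):
        if header.startswith("crypto isakmp policy"):
            if "hash md5" in body:
                findings.add("isakmp-md5")
            if not any(b.startswith("encr") for b in body):
                # No 'encryption' line: classic IOS falls back to DES.
                findings.add("isakmp-default-encryption")
        elif header.startswith("crypto isakmp key"):
            if header.endswith("address 0.0.0.0 0.0.0.0"):
                findings.add("wildcard-psk")
        elif header.startswith("crypto ipsec transform-set"):
            # 'crypto ipsec transform-set NAME t1 t2 ...' -> transforms start at index 4
            if set(header.split()[4:]) & WEAK_TRANSFORMS:
                findings.add("weak-transform")
        elif header.startswith("interface Tunnel"):
            if "tunnel mode gre multipoint" not in body:
                findings.add("not-mgre")
            if not any(b.startswith("tunnel protection") for b in body):
                findings.add("unprotected-tunnel")
            if "ip ospf network broadcast" not in body:
                findings.add("ospf-not-broadcast")
            # IOS default OSPF priority is 1 when the command is absent.
            prio = next((int(b.split()[-1]) for b in body
                         if b.startswith("ip ospf priority")), 1)
            if role == "spoke" and prio != 0:
                findings.add("spoke-can-become-dr")
            if role == "hub" and prio == 0:
                findings.add("hub-cannot-become-dr")
            if role == "spoke" and not any(b.startswith("ip nhrp nhs") for b in body):
                findings.add("spoke-missing-nhs")
    return sorted(findings)


if __name__ == "__main__":
    for code in audit_dmvpn_config(SPOKE1_CONFIG, "spoke"):
        print("SPOKE1:", code)
```

Run against SPOKE1 the design checks all pass and only the four crypto findings remain; feeding the same text with `ip ospf priority 100` as a spoke reports `spoke-can-become-dr`, which is exactly the situation the introduction's priority-0 rule is meant to rule out.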
Internet configuration
Internet#sh run
Building configuration...

Current configuration : 1099 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Internet
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
interface Loopback0
 no ip address
!
interface FastEthernet0/0
 ip address 172.16.2.1 255.255.255.0
 duplex half
!
interface Serial1/0
 ip address 172.16.1.2 255.255.255.0
 serial restart-delay 0
!
interface Serial1/1
 ip address 172.16.3.2 255.255.255.0
 serial restart-delay 0
 clock rate 000
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface FastEthernet2/0
 no ip address
 shutdown
 duplex half
!
ip route 1.1.1.1 255.255.255.255 Serial1/0
no ip http server
no ip http secure-server
!
logging alarm informational
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
!
end
Internet#
Show output (only SPOKE2 and VPN-gateway are shown; SPOKE1 is much the same as SPOKE2 and is omitted)
VPN-gateway#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           0   FULL/DROTHER    00:00:37    192.168.1.1     Tunnel0
3.3.3.3           0   FULL/DROTHER    00:00:30    192.168.1.3     Tunnel0
VPN-gateway#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
172.16.2.2      172.16.3.1      QM_IDLE           1002    0 ACTIVE
172.16.2.2      172.16.1.1      QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

VPN-gateway#sh cry ipse sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 172.16.2.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.2.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
   current_peer 172.16.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 308, #pkts encrypt: 308, #pkts digest: 308
    #pkts decaps: 306, #pkts decrypt: 306, #pkts verify: 306
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.16.2.2, remote crypto endpt.: 172.16.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xACC377A1(28491297)

     inbound esp sas:
      spi: 0xD41C8FC5(35581605)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 1, flow_id: 1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4474774/1345)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xACC377A1(28491297)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 2, flow_id: 2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4474774/1343)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.2.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.16.3.1/255.255.255.255/47/0)
   current_peer 172.16.3.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 308, #pkts encrypt: 308, #pkts digest: 308
    #pkts decaps: 302, #pkts decrypt: 302, #pkts verify: 302
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.16.2.2, remote crypto endpt.: 172.16.3.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x10182812(270018578)

     inbound esp sas:
      spi: 0x34DC2EF2(886845170)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 3, flow_id: 3, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4562923/1345)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x10182812(270018578)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 4, flow_id: 4, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4562922/1344)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
VPN-gateway#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 172.16.2.1 to network 0.0.0.0

     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/11112] via 192.168.1.1, 00:27:12, Tunnel0
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/11112] via 192.168.1.3, 00:27:12, Tunnel0
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.2.0 is directly connected, FastEthernet0/0
C    192.168.1.0/24 is directly connected, Tunnel0
S*   0.0.0.0/0 [1/0] via 172.16.2.1
VPN-gateway#
SPOKE2#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2         100   FULL/DR         00:00:34    192.168.1.2     Tunnel0
SPOKE2#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
172.16.3.1      172.16.1.1      QM_IDLE           1002    0 ACTIVE
172.16.2.2      172.16.3.1      QM_IDLE           1001    0 ACTIVE
172.16.1.1      172.16.3.1      QM_IDLE           1003    0 ACTIVE

IPv6 Crypto ISAKMP SA

SPOKE2#sh cry ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 172.16.3.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.3.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
   current_peer 172.16.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
    #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.16.3.1, remote crypto endpt.: 172.16.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0
     current outbound spi: 0x1469C8EF(342477039)

     inbound esp sas:
      spi: 0x5AA55914(1520785684)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 7, flow_id: 7, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (45785/1398)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x1469C8EF(342477039)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 8, flow_id: 8, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (45785/1397)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.3.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.16.2.2/255.255.255.255/47/0)
   current_peer 172.16.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 309, #pkts encrypt: 309, #pkts digest: 309
    #pkts decaps: 315, #pkts decrypt: 315, #pkts verify: 315
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 76, #recv errors 0

     local crypto endpt.: 172.16.3.1, remote crypto endpt.: 172.16.2.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0
     current outbound spi: 0x34DC2EF2(886845170)

     inbound esp sas:
      spi: 0x10182812(270018578)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 1, flow_id: 1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4448851/1278)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x34DC2EF2(886845170)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 2, flow_id: 2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4448852/1277)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
SPOKE2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/11112] via 192.168.1.1, 00:28:17, Tunnel0
     2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/11112] via 192.168.1.2, 00:28:17, Tunnel0
     3.0.0.0/32 is subnetted, 1 subnets
C       3.3.3.3 is directly connected, Loopback0
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.3.0 is directly connected, Serial1/0
C    192.168.1.0/24 is directly connected, Tunnel0
S*   0.0.0.0/0 is directly connected, Serial1/0
SPOKE2#
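SPOKE2's output is where the spoke-to-spoke claim from the introduction becomes visible: its route to 1.1.1.1 points straight at 192.168.1.1, it holds an ISAKMP SA with SPOKE1's NBMA address 172.16.1.1 and not only with the hub, and packets are flowing on that SA. The same output also carries a counter worth noticing, `#send errors 76` on the SA towards the hub. The script below is an added example written for this page, not part of the lab; it parses `show crypto isakmp sa` and the peer blocks of `show crypto ipsec sa` and reports which non-hub peers have a working direct SA and which SAs show send errors. The sample text is trimmed from the SPOKE2 output above; `LOCAL` and `HUB` are SPOKE2's and VPN-gateway's NBMA addresses from the configs, and all function names are my own.

```python
"""Check DMVPN spoke-to-spoke SAs and error counters from IOS show output.
Added example, not part of the original lab."""
import re

# Constructed sample: SPOKE2's ISAKMP table and the lines of its IPsec SA
# output that the parser uses, trimmed from the output above.
SPOKE2_ISAKMP = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
172.16.3.1      172.16.1.1      QM_IDLE           1002    0 ACTIVE
172.16.2.2      172.16.3.1      QM_IDLE           1001    0 ACTIVE
172.16.1.1      172.16.3.1      QM_IDLE           1003    0 ACTIVE
"""

SPOKE2_IPSEC = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 172.16.3.1
   remote ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
   current_peer 172.16.1.1 port 500
    #pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
    #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0x5AA55914(1520785684)
        transform: esp-des esp-md5-hmac ,
   remote ident (addr/mask/prot/port): (172.16.2.2/255.255.255.255/47/0)
   current_peer 172.16.2.2 port 500
    #pkts encaps: 309, #pkts encrypt: 309, #pkts digest: 309
    #pkts decaps: 315, #pkts decrypt: 315, #pkts verify: 315
    #send errors 76, #recv errors 0
     inbound esp sas:
      spi: 0x10182812(270018578)
        transform: esp-des esp-md5-hmac ,
"""

LOCAL = "172.16.3.1"  # SPOKE2's NBMA (tunnel source) address
HUB = "172.16.2.2"    # VPN-gateway's NBMA address

ISAKMP_ROW = re.compile(
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+\d+\s+\d+\s+(\S+)")


def isakmp_peers(text, local):
    """Return {peer: (state, status)} for every ISAKMP SA involving `local`.
    A peer can appear twice (one SA per initiator); the last row wins."""
    peers = {}
    for line in text.splitlines():
        m = ISAKMP_ROW.match(line)
        if not m:
            continue
        dst, src, state, status = m.groups()
        if local in (dst, src):
            peers[src if dst == local else dst] = (state, status)
    return peers


def ipsec_peer_stats(text):
    """Return {peer: {'encaps', 'decaps', 'send_errors', 'transform'}},
    one entry per 'current_peer' block in the IPsec SA output."""
    stats, peer = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("current_peer"):
            peer = line.split()[1]
            stats[peer] = {}
        elif peer is None:
            continue
        elif line.startswith("#pkts encaps"):
            stats[peer]["encaps"] = int(re.search(r"encaps: (\d+)", line).group(1))
        elif line.startswith("#pkts decaps"):
            stats[peer]["decaps"] = int(re.search(r"decaps: (\d+)", line).group(1))
        elif line.startswith("#send errors"):
            stats[peer]["send_errors"] = int(re.search(r"#send errors (\d+)", line).group(1))
        elif line.startswith("transform:"):
            # First transform line of the block (inbound SA) is enough.
            stats[peer].setdefault("transform", line.split(":", 1)[1].strip(" ,"))
    return stats


def spoke_to_spoke_peers(isakmp_text, ipsec_text, local, hub):
    """Non-hub peers with an established phase-1 SA and traffic in both directions."""
    stats = ipsec_peer_stats(ipsec_text)
    direct = []
    for peer, (state, status) in isakmp_peers(isakmp_text, local).items():
        if peer == hub or state != "QM_IDLE" or status != "ACTIVE":
            continue
        s = stats.get(peer, {})
        if s.get("encaps", 0) > 0 and s.get("decaps", 0) > 0:
            direct.append(peer)
    return direct


def peers_with_send_errors(ipsec_text):
    """[(peer, count)] for every SA whose send-error counter is non-zero."""
    return [(p, s["send_errors"]) for p, s in ipsec_peer_stats(ipsec_text).items()
            if s.get("send_errors", 0) > 0]


if __name__ == "__main__":
    print("direct spoke peers:", spoke_to_spoke_peers(SPOKE2_ISAKMP, SPOKE2_IPSEC, LOCAL, HUB))
    print("SAs with send errors:", peers_with_send_errors(SPOKE2_IPSEC))
```

Against the page's output this reports 172.16.1.1 as a direct spoke peer, confirming that SPOKE2 reached SPOKE1 without the hub in the data path, and it lists the hub SA with 76 send errors. The direct-peer check is the thing to watch in a DMVPN rollout: if a spoke only ever shows the hub as an ISAKMP peer, spoke-to-spoke traffic is still being relayed, which usually points back to the OSPF network type or NHRP mapping on the tunnel interfaces.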
DMVPN connectivity test
SPOKE1#ping 2.2.2.2 source loop 0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/81/112 ms
SPOKE1#ping 3.3.3.3 source loop 0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/56/72 ms