点对多点 IPsec+GRE 配置

试验拓扑：

基本配置：

Hub Router
hostname Hub
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco47 address 0.0.0.0 //0.0.0.0指定对端可为任意
!
crypto ipsec transform-set trans2 esp-des esp-md5-hmac
mode transport
!
crypto map vpnmap1 local-address Ethernet0
crypto map vpnmap1 10 ipsec-isakmp
set peer 172.16.1.1
set transform-set trans2
match address 101
crypto map vpnmap1 20 ipsec-isakmp
set peer 172.16.2.1
set transform-set trans2
match address 102
. . .
crypto map vpnmap1 <10*n> ipsec-isakmp
set peer 172.16.<n>.1
set transform-set trans2
match address <n+100>
!
interface Tunnel1
bandwidth 1000
ip address 10.0.0.1 255.255.255.252
ip mtu 1400
delay 1000
tunnel source Ethernet0
tunnel destination 172.16.1.1
!
interface Tunnel2
bandwidth 1000
ip address 10.0.0.5 255.255.255.252
ip mtu 1400
delay 1000
tunnel source Ethernet0
tunnel destination 172.16.2.1
!
. . .
!
interface Tunnel<n>
bandwidth 1000
ip address 10.0.0.<4n-3> 255.255.255.252
ip mtu 1400
delay 1000
tunnel source Ethernet0
tunnel destination 172.16.<n>.1
!
interface Ethernet0
ip address 172.17.0.1 255.255.255.0
crypto map vpnmap1
!
interface Ethernet1
ip address 192.168.0.1 255.255.255.0
!
router eigrp 1
network 10.0.0.0 0.0.0.255
network 192.168.0.0 0.0.0.255
no auto-summary
!
access-list 101 permit gre host 172.17.0.1 host 172.16.1.1
access-list 102 permit gre host 172.17.0.1 host 172.16.2.1
...
access-list <n+100> permit gre host 172.17.0.1 host 172.16.<n>.1
Spoke1 Router
hostname Spoke1
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco47 address 0.0.0.0
!
crypto ipsec transform-set trans2 esp-des esp-md5-hmac
mode transport
!
crypto map vpnmap1 local-address Ethernet0
crypto map vpnmap1 10 ipsec-isakmp
set peer 172.17.0.1
set transform-set trans2
match address 101
!
interface Tunnel0
bandwidth 1000
ip address 10.0.0.2 255.255.255.252
ip mtu 1400
delay 1000
tunnel source Ethernet0
tunnel destination 172.17.0.1
!
interface Ethernet0
ip address 172.16.1.1 255.255.255.252
crypto map vpnmap1
!
interface Ethernet1
ip address 192.168.1.1 255.255.255.0
!
router eigrp 1
network 10.0.0.0 0.0.0.255
network 192.168.1.0 0.0.0.255
no auto-summary
!
access-list 101 permit gre host 172.16.1.1 host 172.17.0.1

注意：在Cisco IOS 12.2(13)T 前crypto map vpnmap必须同时映射到物理接口和所有的隧道端口上，而在Cisco IOS 12.2(13)T 之后只要映射到物理接口上就可以了

John Winning's Blog

导航

2008-11-26 18:25:31

Tags: CISCO GRE VPN VPN 配置

分类:VPN | 评论:0

网站分类

标签云

最近发表

最新评论及回复

Powered By Z-Blog 1.8 Spirit Build 80722

Copyright 2007-2010 John Winning's Blog. All Rights Reserved.

John Winning's Blog

导航

2008-11-26 18:25:31

点对多点 IPsec+GRE 配置

Tags: CISCO GRE VPN VPN 配置

分类:VPN | 评论:0 if(GetCookie("password")){ document.write(" | <a href=\"http://www.godupgod.com/cmd.asp?act=ArticleEdt&type=fckeditor&id=123\" />编辑</a>")}

网站分类

标签云

最近发表

最新评论及回复

Powered By Z-Blog 1.8 Spirit Build 80722

Copyright 2007-2010 John Winning's Blog. All Rights Reserved.<a href="http://www.51.la/?1556818" target="_blank"><img alt="&#x6211;&#x8981;&#x5566;&#x514D;&#x8D39;&#x7EDF;&#x8BA1;" src="http://img.users.51.la/1556818.asp" style="border:none" /></a>

分类:VPN | 评论:0

Copyright 2007-2010 John Winning's Blog. All Rights Reserved.