dynamic-××× (Part 7)
××× is used very widely and very flexibly; different requirements call for different solutions.
For example: a branch office's IP address is not fixed, or changes often, or for some other reason cannot be known in advance, yet it still has to build an IPsec connection to headquarters. How is that solved?
【Topology】
【Steps】
R1:
crypto isakmp policy 10
hash md5
authentication pre-share
lifetime 1000
!
crypto isakmp key cisco address 202.102.101.2
crypto isakmp key cisco address 202.102.102.2
!
!
crypto ipsec transform-set tt ah-sha-hmac
!
crypto dynamic-map mymap 10
set transform-set tt
match address 100
!
crypto map cisco 1 ipsec-isakmp dynamic mymap
...... attach the dynamic map to a regular crypto map
!
interface Tunnel1
ip address 10.0.0.2 255.255.255.0
tunnel source Serial0/0/0
tunnel destination 202.102.102.2
!
!
interface Tunnel2
ip address 10.0.1.1 255.255.255.0
tunnel source Serial0/0/0
tunnel destination 202.102.101.2
!
!
interface FastEthernet0/0
ip address 1.1.1.254 255.255.255.0
duplex auto
speed auto
interface Serial0/0/0
ip address 202.102.100.2 255.255.255.252
crypto map cisco
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip route 3.3.3.0 255.255.255.0 10.0.0.1
ip route 2.2.2.0 255.255.255.0 10.0.1.2
!
access-list 100 permit ip host 202.102.100.2 any
!
R2:
crypto isakmp policy 10
hash md5
authentication pre-share
lifetime 1000
!
crypto isakmp key cisco address 202.102.100.2
!
crypto ipsec transform-set tt ah-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 202.102.100.2
set transform-set tt
match address 100
access-list 100 permit ip host 202.102.101.2 host 202.102.100.2
ip route 1.1.1.0 255.255.255.0 10.0.1.1 ...... be sure to note this
ip route 3.3.3.0 255.255.255.0 10.0.1.1 ...... be sure to note this
interface Tunnel2
ip address 10.0.1.2 255.255.255.0
tunnel source Serial0/0/0
tunnel destination 202.102.100.2
!
!
interface FastEthernet0/0
ip address 2.2.2.254 255.255.255.0
duplex auto
speed auto
interface Serial0/0/0
ip address 202.102.101.2 255.255.255.252
crypto map mymap
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip route 1.1.1.0 255.255.255.0 10.0.1.1
ip route 3.3.3.0 255.255.255.0 10.0.1.1
R3:
crypto isakmp policy 10
hash md5
authentication pre-share
lifetime 1000
!
crypto isakmp key cisco address 202.102.100.2
!
!
crypto ipsec transform-set tt ah-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 202.102.100.2
set transform-set tt
match address 100
access-list 100 permit ip host 202.102.102.2 host 202.102.100.2
ip route 1.1.1.0 255.255.255.0 10.0.0.2 ...... be sure to note this
ip route 2.2.2.0 255.255.255.0 10.0.0.2 ...... be sure to note this
interface Tunnel1
ip address 10.0.0.1 255.255.255.0
tunnel source Serial0/0/0
tunnel destination 202.102.100.2
!
!
interface FastEthernet0/0
ip address 3.3.3.254 255.255.255.0
duplex auto
speed auto
interface Serial0/0/0
ip address 202.102.102.2 255.255.255.252
crypto map mymap
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip route 1.1.1.0 255.255.255.0 10.0.0.2
ip route 2.2.2.0 255.255.255.0 10.0.0.2
【Test】
【Notes】
There may still be a few mistakes! Try it out first.
What differs from the earlier posts is R1's configuration: create the dynamic ××× (dynamip ***),
then attach it to a regular crypto map!
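An added example, not from the original post or from Cisco, to show the pairing rules this hub-and-spoke design depends on: a small Python checker that takes the hub config and one spoke config and reports the mismatches that would keep the spoke from negotiating (no hub pre-shared key for the spoke's address, missing `set peer` on the spoke, a crypto ACL that is not the mirror of the hub's, differing transform sets, and an AH-only transform set, which authenticates the GRE packets but does not encrypt them). It assumes a constructed regex parser for the handful of IOS lines being compared and embeds excerpts of the R1 and R2 configs above as sample input.

```python
import re
def parse_ios(cfg):
    g = lambda pat: re.findall(pat, cfg)   # constructed parser: only the IOS lines we compare
    acls = {}
    for num, src, dst in g(r"access-list (\d+) permit ip (host \S+|any) (host \S+|any)"):
        acls.setdefault(num, []).append((src, dst))
    return {"wan": (g(r"interface Serial\S+\s+ip address (\S+)") or [None])[0], "acls": acls,
            "keys": {a: k for k, a in g(r"crypto isakmp key (\S+) address (\S+)")},
            "tsets": {n: b.split() for n, b in g(r"crypto ipsec transform-set (\S+) (.+)")},
            "peers": g(r"set peer (\S+)"),
            "match": (g(r"match address (\d+)") or [None])[0],
            "tset": (g(r"set transform-set (\S+)") or [None])[0]}

def audit_pair(hub_cfg, spoke_cfg):
    """Mismatches that would keep this spoke from negotiating with the dynamic-map hub."""
    h, s = parse_ios(hub_cfg), parse_ios(spoke_cfg)
    covers = lambda a, b: a == "any" or a == b          # ACL term a matches term b
    out = []
    if s["wan"] not in h["keys"]:                       # hub keys are bound to each spoke's public address
        out.append(f"hub has no isakmp key for spoke address {s['wan']}")
    if h["wan"] not in s["peers"]:                      # the dynamic map has no 'set peer', so the hub never initiates
        out.append("spoke must 'set peer' to the hub: a dynamic-map hub only answers, never initiates")
    for src, dst in s["acls"].get(s["match"], []):       # spoke crypto ACL must mirror a hub ACL entry
        if not any(covers(hs, dst) and covers(hd, src) for hs, hd in h["acls"].get(h["match"], [])):
            out.append(f"spoke ACL entry {src} -> {dst} has no mirror in the hub crypto ACL")
    ht, st = h["tsets"].get(h["tset"]), s["tsets"].get(s["tset"])
    if ht != st:
        out.append(f"transform sets differ: hub {ht} vs spoke {st}")
    elif not any(t.startswith("esp-") and not t.endswith("-hmac") and t != "esp-null" for t in ht or []):
        out.append("transform set has no ESP cipher: AH gives integrity only, payload is not encrypted")
    return out

# Constructed excerpts of the R1 (hub) and R2 (spoke) configs shown in this post.
HUB = """crypto isakmp key cisco address 202.102.101.2
crypto isakmp key cisco address 202.102.102.2
crypto ipsec transform-set tt ah-sha-hmac
crypto dynamic-map mymap 10
 set transform-set tt
 match address 100
interface Serial0/0/0
 ip address 202.102.100.2 255.255.255.252
access-list 100 permit ip host 202.102.100.2 any"""
SPOKE = """crypto isakmp key cisco address 202.102.100.2
crypto ipsec transform-set tt ah-sha-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 202.102.100.2
 set transform-set tt
 match address 100
interface Serial0/0/0
 ip address 202.102.101.2 255.255.255.252
access-list 100 permit ip host 202.102.101.2 host 202.102.100.2"""
```

Run against the configs as posted, it reports only the AH-only finding; change the spoke's serial address and the missing-key finding appears, which is exactly what a spoke with a changing address hits when the hub keys are bound to fixed addresses.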
Reposted from: https://blog.51cto.com/liningxiao/240265