Requirements:
1. R5 is the ISP; only IP addresses may be configured on it.
2. R1, R2 and R3 build an MGRE environment, with R1 as the hub site.
3. R1 has loopback 192.168.1.0/24; R2-R4 are similar.
4. R1, R2 and R3 run OSPF.
5. Build an IPSec VPN between R1 and R4.
R1
int s0/1
ip add 15.1.1.1 255.255.255.0
no shutdown
int lo0
ip add 192.168.1.1 255.255.255.0
int t0
ip add 10.1.1.1 255.255.255.0
no shutdown
tunnel source s0/1
tunnel mode gre multipoint
ip nhrp map multicast dynamic
ip nhrp network-id 100
ip route 0.0.0.0 0.0.0.0 15.1.1.5
R2
int s0/2
ip add 25.1.1.2 255.255.255.0
no shutdown
int lo0
ip add 192.168.2.2 255.255.255.0
int t0
ip add 10.1.1.2 255.255.255.0
no shutdown
tunnel source s0/2
tunnel mode gre multipoint
ip nhrp nhs 10.1.1.1
ip nhrp map 10.1.1.1 15.1.1.1
ip nhrp network-id 100
ip nhrp map multicast 15.1.1.1
ip route 0.0.0.0 0.0.0.0 25.1.1.5
R3
int s0/3
ip add 35.1.1.3 255.255.255.0
no shutdown
int lo0
ip add 192.168.3.3 255.255.255.0
int t0
ip add 10.1.1.3 255.255.255.0
no shutdown
tunnel source s0/3
tunnel mode gre multipoint
ip nhrp nhs 10.1.1.1
ip nhrp map 10.1.1.1 15.1.1.1
ip nhrp network-id 100
ip nhrp map multicast 15.1.1.1
ip route 0.0.0.0 0.0.0.0 35.1.1.5
R4
int s0/0
ip add 45.1.1.4 255.255.255.0
no shutdown
int lo0
ip add 192.168.4.4 255.255.255.0
ip route 0.0.0.0 0.0.0.0 45.1.1.5
R5
int s0/1
ip add 15.1.1.5 255.255.255.0
no shutdown
int s0/2
ip add 25.1.1.5 255.255.255.0
no shutdown
int s0/3
ip add 35.1.1.5 255.255.255.0
no shutdown
int s0/0
ip add 45.1.1.5 255.255.255.0
no shutdown
At this point the MGRE environment is configured.
Enable OSPF
R1
router ospf 1
router-id 1.1.1.1
network 10.1.1.1 0.0.0.0 area 0
network 192.168.1.1 0.0.0.0 area 0
R2
router ospf 1
router-id 2.2.2.2
network 10.1.1.2 0.0.0.0 area 0
network 192.168.2.2 0.0.0.0 area 0
R3
router ospf 1
router-id 3.3.3.3
network 10.1.1.3 0.0.0.0 area 0
network 192.168.3.3 0.0.0.0 area 0
Because the default OSPF network type on tunnel 0 is point-to-point, route flapping occurs when R1 has to form adjacencies with both R2 and R3.
Solution: change the network type of the tunnel interface to point-to-multipoint or broadcast. If broadcast is chosen, pay attention to DR placement.
R1,R2,R3
int t0
ip ospf network point-to-multipoint
IPSec VPN
R1
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
Only traffic from R1's private addresses to R4's private addresses is sent through the IPSec VPN.
crypto isakmp policy 10
encryption 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 6 cisco123 address 45.1.1.4
Peer is R4; the pre-shared key is defined as cisco123.
crypto ipsec transform-set xxx esp-3des esp-md5-hmac
mode tunnel
crypto map openlab 10 ipsec-isakmp
set transform-set xxx
set peer 45.1.1.4
match address 100
Apply it to the interface:
interface s0/1
crypto map openlab
R4
access-list 100 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto isakmp policy 10
encryption 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 6 cisco123 address 15.1.1.1
crypto ipsec transform-set xxx esp-3des esp-md5-hmac
mode tunnel
crypto map openlab 10 ipsec-isakmp
set transform-set xxx
set peer 15.1.1.1
match address 100
interface s0/0
crypto map openlab
Note: the VPN is established only when triggered by matching traffic.
A QM (quick mode) state indicates the tunnel has been established.
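Added example, not part of the original lab notes: a small Python checker for the two classes of mistake these configs invite, a spoke whose tunnel source or default route references a link it does not own (the MGRE section) and crypto ACLs that do not mirror between the two peers (the IPSec section). The sample configs are constructed from this lab's R2, R1 and R4.

```python
import ipaddress
import re

# Constructed sample: R2's spoke config as first written in this lab; its tunnel
# source and default route reference the 15.1.1.0/24 link that belongs to R1/R5.
R2_CFG = """
int s0/2
ip add 25.1.1.2 255.255.255.0
int t0
ip add 10.1.1.2 255.255.255.0
tunnel source s0/1
ip route 0.0.0.0 0.0.0.0 15.1.1.5
"""
# Constructed sample: the crypto ACL entries of R1 and R4 from this lab.
R1_ACL = "access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255"
R4_ACL = "access-list 100 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255"

def parse(cfg):
    """Collect interface addresses, the tunnel source and the default next hop."""
    out = {"ifaces": {}, "tunnel_source": None, "next_hop": None}
    cur = None
    for line in cfg.splitlines():
        line = line.strip()
        if m := re.match(r"int(?:erface)?\s+(\S+)", line):
            cur = m.group(1)
        elif m := re.match(r"ip add(?:ress)?\s+(\S+)\s+(\S+)", line):
            out["ifaces"][cur] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r"tunnel source\s+(\S+)", line):
            out["tunnel_source"] = m.group(1)
        elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0\s+(\S+)", line):
            out["next_hop"] = ipaddress.ip_address(m.group(1))
    return out

def findings(cfg):
    """List the mistakes that would keep a spoke's tunnel from reaching the hub."""
    p = parse(cfg)
    problems = []
    if p["tunnel_source"] is not None and p["tunnel_source"] not in p["ifaces"]:
        problems.append(f"tunnel source {p['tunnel_source']} has no IP on this router")
    physical = [i.network for n, i in p["ifaces"].items() if not n.startswith(("t", "lo"))]
    if p["next_hop"] is not None and not any(p["next_hop"] in net for net in physical):
        problems.append(f"default next hop {p['next_hop']} is not on a connected physical subnet")
    return problems

def acl_mirrors(a, b):
    """True when two crypto ACL entries are exact mirrors (source/destination swapped)."""
    pat = r"permit ip (\S+) (\S+) (\S+) (\S+)"
    src_a, wc_a, dst_a, wcd_a = re.search(pat, a).groups()
    src_b, wc_b, dst_b, wcd_b = re.search(pat, b).groups()
    return (src_a, wc_a, dst_a, wcd_a) == (dst_b, wcd_b, src_b, wc_b)
```

Running `findings(R2_CFG)` reports both the wrong tunnel source and the unreachable default next hop; after correcting them to s0/2 and 25.1.1.5 the list is empty.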