A classic IPsec VPN needs a fixed IP address at both ends, which is hard to meet in practice. Usually the central site has a fixed IP while the branch sites go online over ADSL dial-up with dynamic addresses. In that situation a site-to-site IPsec VPN can be deployed in one of three ways:
- dynamic crypto map
- DDNS
- EzVPN
This post covers the dynamic crypto map configuration.
R1 configuration (the central site, fixed address 12.12.12.1)
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0
<Because R3's address is dynamic, the key can only be bound to the all-zeros address 0.0.0.0,
which matches any peer: whatever address R3 comes up with, it can build the IPsec VPN as long as
it presents the same pre-shared key. Any host that obtains that key can do the same, so this
configuration is not secure; certificate authentication is recommended. The DES/3DES, MD5 and
group 2 settings used in this lab are likewise obsolete and should be AES, SHA-2 and group 14 or higher in production.>
!
crypto ipsec transform-set trans13 esp-des esp-md5-hmac
mode tunnel
!
!
!
crypto dynamic-map dymap 10
set transform-set trans13
<In dynamic crypto map configuration mode only the transform set is specified; the central site accepts whatever peer and interesting traffic the spoke proposes. The central site could not configure them anyway, because it knows neither R3's address nor the network behind it. Both are learned from R3's proposal when the tunnel is negotiated, so the central site can only respond to a tunnel, never initiate one.>
!
!
crypto map cisco 10000 ipsec-isakmp dynamic dymap
<A router usually has a single Internet-facing interface, and an interface can have only one crypto map applied at a time.
If the router needs IPsec VPNs to several peers at once,
this is done with several entries (sequence numbers) under the same crypto map:
for example, crypto map cisco 10 for the VPN to site one,
crypto map cisco 20 for the VPN to site two.
The dynamic crypto map entry is usually given the last (highest) sequence number,
so that the more specific static entries with lower numbers are matched first
and only the IPsec VPN requests that match none of them are handled by the dynamic entry.
The sequence number 10000 used here is chosen mainly as a reminder
that the dynamic crypto map should have the largest sequence number.>
!
!
interface Loopback1
ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0/0
ip address 12.12.12.1 255.255.255.0
duplex auto
crypto map cisco
!
interface Ethernet0/1
no ip address
shutdown
duplex auto
!
interface Ethernet0/2
no ip address
shutdown
duplex auto
!
interface Ethernet0/3
no ip address
shutdown
duplex auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 12.12.12.2
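The two notes in the R1 configuration above, the wildcard pre-shared key and the ordering of the dynamic entry, as one hardened variant. This is an added example, not the page's lab configuration: it replaces the pre-shared key with certificate authentication (as the note recommends), moves to AES-256, SHA-256 and DH group 14, and shows a static crypto map entry for a second, fixed-address site placed ahead of the dynamic entry. The CA URL, the trustpoint and certificate-map names, the second site's address 45.45.45.4 and LAN 4.4.4.0/24, and the ACL vpn14 are assumptions.

```ios
! Hub (R1): added example with certificate authentication and an explicit
! entry order. Assumptions: a SCEP-capable CA at http://ca.example.com,
! branch certificates issued with OU=branch, and a second, fixed-address
! site at 45.45.45.4 whose LAN is 4.4.4.0/24 (all hypothetical).
!
crypto pki trustpoint hub-ca
 enrollment url http://ca.example.com:80
 subject-name cn=r1.example.com,ou=hub
 revocation-check crl
 rsakeypair hub-ca 2048
! then from exec mode: crypto pki authenticate hub-ca / crypto pki enroll hub-ca
!
! only certificates whose subject contains ou=branch may use the dynamic entry
crypto pki certificate map branch-certs 10
 subject-name co ou=branch
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication rsa-sig
 group 14
!
crypto isakmp profile branches
 ca trust-point hub-ca
 match certificate branch-certs
!
crypto ipsec transform-set trans13 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
ip access-list extended vpn14
 permit ip 1.1.1.0 0.0.0.255 4.4.4.0 0.0.0.255
!
crypto dynamic-map dymap 10
 set transform-set trans13
 set isakmp-profile branches
!
! static entry for the fixed-address site: low sequence number, matched first
crypto map cisco 10 ipsec-isakmp
 set peer 45.45.45.4
 set transform-set trans13
 match address vpn14
! dynamic entry last: highest possible sequence number, catches everything else
crypto map cisco 65535 ipsec-isakmp dynamic dymap
!
interface Ethernet0/0
 ip address 12.12.12.1 255.255.255.0
 crypto map cisco
!
! Spoke (R3): replaces the pre-shared key, ISAKMP policy and transform set
! of the R3 configuration below; crypto map map13, set peer and ACL vpn13
! stay as they are.
crypto pki trustpoint branch-ca
 enrollment url http://ca.example.com:80
 subject-name cn=r3.example.com,ou=branch
 revocation-check crl
 rsakeypair branch-ca 2048
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication rsa-sig
 group 14
!
crypto ipsec transform-set trans13 esp-aes 256 esp-sha256-hmac
 mode tunnel
```

After both routers have enrolled, bring the tunnel up from R3 exactly as in the ping test below and confirm on R1 with show crypto isakmp sa (state QM_IDLE) and show crypto ipsec sa; show crypto map on R1 lists static entry 10 ahead of dynamic entry 65535. A peer whose certificate lacks ou=branch, or one that has merely copied a key from another branch, no longer matches the ISAKMP profile and is refused, which is the failure mode the wildcard pre-shared key cannot prevent.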
R2 configuration (the ISP router between the sites; it also acts as DHCP server for R3)
ip dhcp pool R2
network 23.23.23.0 255.255.255.0
default-router 23.23.23.2
<DHCP address pool that assigns R3 its address dynamically>
!
!
interface Ethernet0/0
ip address 12.12.12.2 255.255.255.0
duplex auto
!
interface Ethernet0/1
ip address 23.23.23.2 255.255.255.0
duplex auto
R3 configuration (the branch site, address obtained by DHCP)
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 12.12.12.1
!
crypto ipsec transform-set trans13 esp-des esp-md5-hmac
mode tunnel
!
crypto map map13 10 ipsec-isakmp
set peer 12.12.12.1
set transform-set trans13
match address vpn13
<The central site has a fixed address, so set peer can be used here>
!
interface Loopback1
ip address 3.3.3.3 255.255.255.0
!
interface Ethernet0/1
ip address dhcp
duplex auto
crypto map map13
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 23.23.23.2
!
ip access-list extended vpn13
permit ip 3.3.3.0 0.0.0.255 1.1.1.0 0.0.0.255
Ping R1 from R3 to check that the tunnel comes up
R3#ping 1.1.1.1 source 3.3.3.3 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/5/8 ms
R3#
R3 pings R1 first, which triggers IKE and builds the IPsec SAs; only then can R1 ping R3. The central site cannot bring the tunnel up itself: its dynamic crypto map entry has no peer and no interesting-traffic ACL, so before the spoke has negotiated the SAs there is nothing on R1 to match traffic toward 3.3.3.0/24 against and an R1-initiated ping fails.
R1 pings R3
R1#ping 3.3.3.3 source 1.1.1.1 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 4/5/8 ms
R1#