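Lab topology diagram:
1. IP address configuration
2. On R1, R3 and R4, configure a default route to the ISP (that is, to R2)
R1: ip route 0.0.0.0 0.0.0.0 172.16.12.2
R3: ip route 0.0.0.0 0.0.0.0 172.16.23.2
R4: ip route 0.0.0.0 0.0.0.0 172.16.24.2
3. On R1, R3 and R4, configure the tunnel interface and NHRP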
R1:
int tunnel 0
ip add 192.168.1.1 255.255.255.0
tunnel source f0/0
tunnel mode gre multipoint
tunnel key 99
ip nhrp authentication cisco123
ip nhrp network-id 999
ip nhrp map multicast dynamic
R3:
int tunnel 0
ip add 192.168.1.3 255.255.255.0
tunnel source f0/0
tunnel mode gre multipoint
tunnel key 99
ip nhrp authentication cisco123
ip nhrp network-id 999
ip nhrp nhs 192.168.1.1
ip nhrp map multicast 172.16.12.1
ip nhrp map 192.168.1.1 172.16.12.1
R4:
int tunnel 0
ip add 192.168.1.4 255.255.255.0
tunnel source f2/0
tunnel mode gre multipoint
tunnel key 99
ip nhrp authentication cisco123
ip nhrp network-id 999
ip nhrp nhs 192.168.1.1
ip nhrp map multicast 172.16.12.1
ip nhrp map 192.168.1.1 172.16.12.1
4. Configure EIGRP on R1, R3 and R4
R1:
router eigrp 10
no auto-summary
network 10.10.1.1 0.0.0.0
network 192.168.1.1 0.0.0.0
R3:
router eigrp 10
no auto-summary
network 10.10.3.3 0.0.0.0
network 192.168.1.3 0.0.0.0
R4:
router eigrp 10
no auto-summary
network 10.10.4.4 0.0.0.0
network 192.168.1.4 0.0.0.0
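5. On R1, disable split horizon and make the next hop of the routes between R3 and R4 point to the correct address
R1:
int tunnel 0
no ip next-hop-self eigrp 10 * 10 is the EIGRP process number
no ip split-horizon eigrp 10 * disables split horizon
View the EIGRP neighbor tables on R1, R3 and R4
6. Configure the IPSec VPN on R1, R3 and R4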
R1:
crypto isakmp policy 10
encryption 3des
hash sha
authentication pre-share
group 2
exit
crypto isakmp key ccna-ccnp add 0.0.0.0
crypto ipsec transform-set ccie esp-3des esp-sha-hmac
crypto ipsec profile dmvpn
set transform-set ccie
int tunnel 0
tunnel protection ipsec profile dmvpn
R3:
crypto isakmp policy 10
encryption 3des
hash sha
authentication pre-share
group 2
exit
crypto isakmp key ccna-ccnp add 0.0.0.0
crypto ipsec transform-set ccie esp-3des esp-sha-hmac
crypto ipsec profile dmvpn
set transform-set ccie
int tunnel 0
tunnel protection ipsec profile dmvpn
R4:
crypto isakmp policy 10
encryption 3des
hash sha
authentication pre-share
group 2
exit
crypto isakmp key ccna-ccnp add 0.0.0.0
crypto ipsec transform-set ccie esp-3des esp-sha-hmac
crypto ipsec profile dmvpn
set transform-set ccie
int tunnel 0
tunnel protection ipsec profile dmvpn
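Note: the IPSec VPN must be configured on all of R1, R3 and R4, for the following reason:
If IPSec is configured only on R3 and R4 and not on R1, the EIGRP adjacencies among R1, R3 and R4 drop quickly. DMVPN encrypts every packet that passes through the tunnel interface, EIGRP packets included, so the EIGRP hello packets sent by R3 and R4 are already encrypted, while R1, with no IPSec configured, cannot exchange hello packets with R3 and R4.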
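The condition in the note above can be checked from the configurations before the adjacency ever drops. The following Python sketch is an added example, not part of the original lab: the helper names `field` and `audit` are hypothetical, the embedded configurations are constructed from step 6 with R1 deliberately left unprotected, and besides the missing `tunnel protection` it also flags the lab's 3DES, DH group 2 and wildcard pre-shared key, which are weak choices outside a lab.

```python
import re

# Constructed sample input: step 6 of this page in running-config form.
CRYPTO = """\
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key ccna-ccnp address 0.0.0.0
crypto ipsec transform-set ccie esp-3des esp-sha-hmac
crypto ipsec profile dmvpn
 set transform-set ccie
"""
TUNNEL = "interface Tunnel0\n tunnel mode gre multipoint\n"
PROTECT = " tunnel protection ipsec profile dmvpn\n"
# R1 is deliberately left without IPsec to reproduce the failure in the note.
CONFIGS = {"R1": TUNNEL, "R3": CRYPTO + TUNNEL + PROTECT, "R4": CRYPTO + TUNNEL + PROTECT}

def field(cfg, pattern):
    """Return the first capture of a line-anchored pattern, or None."""
    m = re.search(r"^\s*" + pattern + r"\s*$", cfg, re.M)
    return m.group(1) if m else None

def audit(configs):
    """Return a sorted list of (router, finding) tuples for one DMVPN cloud."""
    findings, params = [], {}
    for name, cfg in configs.items():
        if "tunnel mode gre multipoint" not in cfg:
            continue  # not a DMVPN member
        if field(cfg, r"tunnel protection ipsec profile (\S+)") is None:
            findings.append((name, "mGRE tunnel has no tunnel protection"))
            continue
        # Settings that must match on every router that shares the tunnel.
        params[name] = (field(cfg, r"encryption (.+?)"), field(cfg, r"hash (\S+)"),
                        field(cfg, r"group (\d+)"),
                        field(cfg, r"crypto ipsec transform-set \S+ (.+?)"))
        enc, _, group, _ = params[name]
        if enc in ("des", "3des"):
            findings.append((name, "legacy IKE cipher " + enc))
        if group in ("1", "2", "5"):
            findings.append((name, "weak DH group " + group))
        if field(cfg, r"crypto isakmp key \S+ address (0\.0\.0\.0)(?: 0\.0\.0\.0)?"):
            findings.append((name, "wildcard pre-shared key"))
    if len(set(params.values())) > 1:
        findings.append(("*", "crypto parameters differ between routers"))
    return sorted(findings)

if __name__ == "__main__":
    for router, finding in audit(CONFIGS):
        print(router, finding)
```
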
7.show crypto isakmp sa
R1:
R3:
R4: