Basic interconnection configuration
!Internet:
int f0/0
ip add 100.1.1.1 255.255.255.0
no shut
exit
int f1/1
ip add 200.1.1.1 255.255.255.0
no shut
exit
int f1/0
ip add 210.1.1.1 255.255.255.0
no shut
exit
int f2/0
ip add 220.1.1.1 255.255.255.0
no shut
exit
!Beijing-Center:
int f0/0
ip add 100.1.1.2 255.255.255.0
no shut
exit
int f1/0
ip add 1.1.1.1 255.255.255.0
no shut
exit
!Shanghai branch:
int f0/0
ip add 210.1.1.2 255.255.255.0
no shut
exit
int f1/0
ip add 2.2.2.2 255.255.255.0
no shut
exit
!PC2
ip 2.2.2.1/24 2.2.2.2
!ShenZhen branch:
int f0/0
ip add 220.1.1.2 255.255.255.0
no shut
exit
int f1/0
ip add 3.3.3.3 255.255.255.0
no shut
exit
!PC3
ip 3.3.3.1/24 3.3.3.3
!The client is a Windows XP system installed in a VMware VM. When VPCS is used as the client, the EZVPN dial-in succeeds but cannot ping the internal segments, so only the VM can be used.
!NoteBook
ip 200.1.1.2/24 200.1.1.1
!BeiJing-Center:
ip route 0.0.0.0 0.0.0.0 100.1.1.1
!ShangHai:
ip route 0.0.0.0 0.0.0.0 210.1.1.1
!ShenZhen:
ip route 0.0.0.0 0.0.0.0 220.1.1.1
!======BeiJing-center=============EZVPN section===================================
!--- XAuth user for the Cisco VPN Client. "password 0" keeps the password
!--- in cleartext in the running config; these are lab credentials, on a
!--- real device use "username cisco secret ...".
username cisco password 0 cisco
aaa new-model
!
!
!--- Xauth is configured for local authentication.
aaa authentication login userauthen local
aaa authorization network naton local
!--- Create an ISAKMP policy for Phase 1 negotiations.
!--- This policy is for Easy VPN Clients.
!--- "encr 3des" is added here: the original policy had no encryption
!--- line, which on IOS of this era means the DES default.
crypto isakmp policy 20
encr 3des
hash md5
authentication pre-share
group 2
exit
!
!--- VPN Client configuration for group "naton"
!--- (this name is configured in the VPN Client).
!--- "key" is the group pre-shared key; it is identical to the group
!--- name here, which is a lab shortcut and not something to keep.
crypto isakmp client configuration group naton
key naton
dns 1.1.11.10 1.1.11.11
wins 1.1.11.12 1.1.11.13
domain cisco.com
pool natonpool
exit
!--- Profile for VPN Client connections, matches the
!--- "naton" group and defines the XAuth properties.
crypto isakmp profile vpnclient
match identity group naton
client authentication list userauthen
isakmp authorization list naton
client configuration address respond
exit
!--- Create the Phase 2 policy for actual data encryption.
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode transport
exit
!
!--- This dynamic crypto map references the ISAKMP
!--- profile "vpnclient" above.
!--- Reverse route injection installs a /32 static route for each
!--- connected client's pool address. EIGRP 10 below does not
!--- redistribute static routes, so the spokes never learn those /32s:
!--- a client can reach the hub's directly connected LAN (1.1.1.0/24)
!--- but not the branch LANs unless "redistribute static" is added.
crypto dynamic-map dynmap 10
set transform-set strong
set isakmp-profile vpnclient
reverse-route
exit
!
!
!--- Crypto map only references the dynamic crypto map above.
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
!--- The crypto map and the Tunnel0 "tunnel protection" below share
!--- FastEthernet0/0; the two ISAKMP profiles keep the client and
!--- spoke negotiations apart.
interface FastEthernet0/0
crypto map dynmap
exit
!
ip local pool natonpool 1.1.11.60 1.1.11.80
!=====BeiJing-center============DMVPN section=============================
!--- Keyring that defines the wildcard pre-shared key.
!--- With a 0.0.0.0/0 wildcard, any peer that knows "naton123" can
!--- complete Phase 1 with the hub. Acceptable for this lab; in
!--- production prefer per-spoke keys or certificates.
crypto keyring dmvpnspokes
pre-shared-key address 0.0.0.0 0.0.0.0 key naton123
exit
!
!--- Create an ISAKMP policy for Phase 1 negotiations.
!--- This policy is for DMVPN spokes. No "group" is set, so the
!--- policy uses the IOS default of DH group 1.
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
exit
!
!--- Profile for LAN-to-LAN connection, references
!--- the wildcard pre-shared key and a wildcard
!--- identity (this is what is broken in
!--- Cisco bug ID CSCea77140)
!--- and no XAuth.
crypto isakmp profile DMVPN
keyring dmvpnspokes
match identity address 0.0.0.0
exit
!
!
crypto ipsec transform-set naton-dm esp-3des esp-sha-hmac
mode transport
exit
!--- Create an IPsec profile to be applied dynamically to the
!--- generic routing encapsulation (GRE) over IPsec tunnels.
!--- A 120-second SA lifetime forces a Phase 2 rekey every two
!--- minutes, which is useful for watching rekeys in the lab but far
!--- too aggressive for production (the IOS default is 3600 seconds).
crypto ipsec profile naton-dm-ips
set security-association lifetime seconds 120
set transform-set naton-dm
set isakmp-profile DMVPN
exit
!
!
!--- EIGRP 10 advertises the hub LAN and the tunnel subnet to the spokes.
router eigrp 10
network 1.1.1.0 0.0.0.255
network 10.0.0.0 0.0.0.255
no auto-summary
exit
!--- Create a GRE tunnel template which is applied to
!--- all the dynamically created GRE tunnels.
!--- "ip nhrp authentication" is carried in cleartext inside NHRP
!--- and only separates NHRP domains; the IPsec profile, not this
!--- string, is what protects the tunnel.
interface Tunnel0
ip address 10.0.0.1 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication naton123
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 300
no ip split-horizon eigrp 10
no ip next-hop-self eigrp 10
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile naton-dm-ips
exit
!
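The hub configuration above (both the EZVPN and the DMVPN part) carries several settings a reviewer would flag: a cleartext XAuth password, ISAKMP policies that fall back to DES or DH group 1, MD5 hashing, 3DES transform sets, wildcard pre-shared keys, a group key equal to the group name and a 120-second SA lifetime. The following script is an added example, not part of the original lab or of Cisco's documentation: it parses an unindented IOS-style configuration (as pasted on this page, delimited by "exit") and reports those findings. SAMPLE_CONFIG is a constructed excerpt of the hub config above.

```python
"""Lint a Cisco IOS IKEv1/IPsec configuration for the weak settings noted above.

Added example (not part of the original lab): walks the configuration as text
and reports the pre-shared-key, algorithm and lifetime choices a reviewer would
flag in both the Easy VPN and the DMVPN sections. SAMPLE_CONFIG is a constructed
excerpt of the hub configuration from this page.
"""
import re

SAMPLE_CONFIG = """\
username cisco password 0 cisco
aaa new-model
crypto isakmp policy 20
hash md5
authentication pre-share
group 2
exit
crypto isakmp client configuration group naton
key naton
pool natonpool
exit
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto keyring dmvpnspokes
pre-shared-key address 0.0.0.0 0.0.0.0 key naton123
exit
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
exit
crypto ipsec profile naton-dm-ips
set security-association lifetime seconds 120
set transform-set naton-dm
exit
interface Tunnel0
ip nhrp authentication naton123
tunnel protection ipsec profile naton-dm-ips
exit
"""

# The configs on this page are unindented and rely on "exit", so a block ends at
# "exit" or at the next global command rather than at a change of indentation.
TOP_LEVEL = ("crypto ", "interface ", "router ", "aaa ", "username ")
LEGACY_ALGOS = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}
WEAK_DH_GROUPS = {"1", "2", "5"}
DEFAULT_LIFETIME = 3600  # IOS default IPsec SA lifetime in seconds


def parse_blocks(text):
    """Return a list of (header, body_lines); single-line commands have an empty body."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line == "exit":
            current = None
        elif line.startswith(TOP_LEVEL):
            current = (line, [])
            blocks.append(current)
        elif current is not None:
            current[1].append(line)
    return blocks


def lint_ios_config(text):
    """Return a list of human-readable findings for the configuration text."""
    findings = []
    for header, body in parse_blocks(text):
        w = header.split()
        if header.startswith("crypto isakmp policy"):
            settings = {l.split()[0]: l.split()[1] for l in body if len(l.split()) > 1}
            encr = settings.get("encr", settings.get("encryption"))
            if encr is None:
                findings.append(f"isakmp policy {w[3]}: no encr, older IOS defaults to DES")
            elif encr in LEGACY_ALGOS:
                findings.append(f"isakmp policy {w[3]}: legacy encryption {encr}")
            if settings.get("hash") == "md5":  # the IOS default is SHA-1
                findings.append(f"isakmp policy {w[3]}: hash md5")
            if "group" not in settings:
                findings.append(f"isakmp policy {w[3]}: no group, IOS defaults to DH group 1")
            elif settings["group"] in WEAK_DH_GROUPS:
                findings.append(f"isakmp policy {w[3]}: weak DH group {settings['group']}")
        elif header.startswith("crypto keyring"):
            if any(re.match(r"pre-shared-key address 0\.0\.0\.0 0\.0\.0\.0 ", l) for l in body):
                findings.append(f"keyring {w[2]}: wildcard pre-shared key, any peer holding it can complete Phase 1")
        elif header.startswith("crypto isakmp key") and header.endswith("address 0.0.0.0 0.0.0.0"):
            findings.append("global wildcard pre-shared key, any peer holding it can complete Phase 1")
        elif header.startswith("crypto isakmp client configuration group"):
            if any(l.split() == ["key", w[5]] for l in body):
                findings.append(f"ezvpn group {w[5]}: group key equals the group name")
        elif header.startswith("crypto ipsec transform-set"):
            legacy = [a for a in w[4:] if a in LEGACY_ALGOS]
            if legacy:
                findings.append(f"transform-set {w[3]}: legacy algorithms {' '.join(legacy)}")
        elif header.startswith("crypto ipsec profile"):
            for l in body:
                m = re.match(r"set security-association lifetime seconds (\d+)$", l)
                if m and int(m.group(1)) < DEFAULT_LIFETIME:
                    findings.append(f"ipsec profile {w[3]}: SA lifetime {m.group(1)}s rekeys constantly (default {DEFAULT_LIFETIME}s)")
        elif header.startswith("username") and w[2:4] == ["password", "0"]:
            findings.append(f"username {w[1]}: cleartext password 0, use 'secret' instead")
        elif header.startswith("interface"):
            if any(l.startswith("ip nhrp authentication ") for l in body):
                findings.append(f"{w[1]}: NHRP authentication string travels in cleartext inside GRE, IPsec is the real protection")
    return findings


if __name__ == "__main__":
    for finding in lint_ios_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the hub config it prints one line per finding; a policy written as `encr aes 256` / `hash sha256` / `group 14` produces none. The parser only understands the "exit"-delimited style used on this page; a configuration saved with IOS indentation would need the block detection changed to use leading whitespace.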
!=====ShangHai============DMVPN section=============================
!--- Create an ISAKMP policy for Phase 1 negotiations.
!--- This policy is for DMVPN spokes and must match the hub's policy 10.
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
exit
!
!
!--- Wildcard pre-shared key. A spoke must also authenticate the other
!--- spokes for dynamic spoke-to-spoke tunnels, not only the hub, so a
!--- hub-only "address 100.1.1.2" entry would not be sufficient here.
crypto isakmp key naton123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set naton-dm esp-3des esp-sha-hmac
mode transport
exit
!--- Create an IPsec profile to be applied dynamically to the
!--- generic routing encapsulation (GRE) over IPsec tunnels.
crypto ipsec profile naton-dm-ips
set security-association lifetime seconds 120
set transform-set naton-dm
exit
router eigrp 10
network 2.2.2.0 0.0.0.255
network 10.0.0.0 0.0.0.255
no auto-summary
exit
!--- Static NHRP mapping of the hub's tunnel address to its NBMA
!--- (public) address; the hub learns the spokes dynamically.
interface Tunnel0
ip address 10.0.0.2 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication naton123
ip nhrp map 10.0.0.1 100.1.1.2
ip nhrp map multicast 100.1.1.2
ip nhrp network-id 1
ip nhrp holdtime 300
ip nhrp nhs 10.0.0.1
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile naton-dm-ips
exit
!=====ShenZhen============DMVPN section=============================
!--- Create an ISAKMP policy for Phase 1 negotiations.
!--- This policy is for DMVPN spokes and must match the hub's policy 10.
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
exit
!
!
!--- Wildcard pre-shared key, needed for spoke-to-spoke tunnels as well
!--- as for the hub.
crypto isakmp key naton123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set naton-dm esp-3des esp-sha-hmac
mode transport
exit
!--- Create an IPsec profile to be applied dynamically to the
!--- generic routing encapsulation (GRE) over IPsec tunnels.
crypto ipsec profile naton-dm-ips
set security-association lifetime seconds 120
set transform-set naton-dm
exit
router eigrp 10
network 3.3.3.0 0.0.0.255
network 10.0.0.0 0.0.0.255
no auto-summary
exit
interface Tunnel0
ip address 10.0.0.3 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication naton123
ip nhrp map 10.0.0.1 100.1.1.2
ip nhrp map multicast 100.1.1.2
ip nhrp network-id 1
ip nhrp holdtime 300
ip nhrp nhs 10.0.0.1
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile naton-dm-ips
exit
Testing IPsec:
BeiJing-Center#sh crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 100.1.1.2
protected vrf: (none)
local ident (addr/mask/prot/port): (100.1.1.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (210.1.1.2/255.255.255.255/47/0)
current_peer 210.1.1.2 port 500
protected vrf: (none)
local ident (addr/mask/prot/port): (100.1.1.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (220.1.1.2/255.255.255.255/47/0)
current_peer 220.1.1.2 port 500
ShangHai:
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 210.1.1.2
protected vrf: (none)
local ident (addr/mask/prot/port): (210.1.1.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (100.1.1.2/255.255.255.255/47/0)
current_peer 100.1.1.2 port 500
Shenzhen:
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 220.1.1.2
protected vrf: (none)
local ident (addr/mask/prot/port): (220.1.1.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port
BeiJing-Center#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
100.1.1.2 220.1.1.2 QM_IDLE 1002 ACTIVE
100.1.1.2 210.1.1.2 QM_IDLE 1001 ACTIVE
ShangHai#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
100.1.1.2 210.1.1.2 QM_IDLE 1001 ACTIVE
ShenZhen#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
100.1.1.2 220.1.1.2 QM_IDLE 1001 ACTIVE
BeiJing-Center#sh crypto engine connections activ
Crypto Engine Connections
ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address
139 IPsec 3DES+SHA 0 13 13 100.1.1.2
140 IPsec 3DES+SHA 13 0 0 100.1.1.2
141 IPsec 3DES+SHA 0 3 3 100.1.1.2
142 IPsec 3DES+SHA 2 0 0 100.1.1.2
1001 IKE MD5+3DES 0 0 0 100.1.1.2
1002 IKE MD5+3DES 0 0 0 100.1.1.2
BeiJing-Center#ping 2.2.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/98/232 ms
BeiJing-Center#ping 3.3.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/78/100 ms
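The show outputs above are what a hub check comes down to: each spoke's NBMA address should appear as an ACTIVE QM_IDLE IKE peer in `show crypto isakmp sa`, and `show crypto ipsec sa` should show a host-to-host identity for protocol 47 (GRE) between the hub and that spoke. The script below is an added example, not part of the original lab: it parses both outputs and reports spokes that are missing, still in main mode, being deleted, or present without a GRE SA. The sample outputs are constructed from the BeiJing-Center output on this page; the expected spoke list is an assumption taken from the topology.

```python
"""Verify DMVPN hub state from 'show crypto isakmp sa' and 'show crypto ipsec sa'.

Added example (not part of the original lab): parses the two show outputs and
confirms that every expected spoke has an ACTIVE QM_IDLE IKE SA and a GRE
(protocol 47) IPsec SA with the hub. The sample outputs are constructed from the
BeiJing-Center output on this page; the expected spoke set is an assumption.
"""
import re

ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
100.1.1.2       220.1.1.2       QM_IDLE           1002 ACTIVE
100.1.1.2       210.1.1.2       QM_IDLE           1001 ACTIVE
"""

IPSEC_SA = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 100.1.1.2
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (100.1.1.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (210.1.1.2/255.255.255.255/47/0)
   current_peer 210.1.1.2 port 500
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (100.1.1.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (220.1.1.2/255.255.255.255/47/0)
   current_peer 220.1.1.2 port 500
"""

HUB_PUBLIC = "100.1.1.2"
EXPECTED_SPOKES = {"210.1.1.2", "220.1.1.2"}  # ShangHai and ShenZhen NBMA addresses

# One row of the ISAKMP SA table: dst src state conn-id status (status may be
# multi-word, e.g. "ACTIVE (deleted)").
SA_ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s+(.+?)\s*$")
# local/remote identity lines of 'show crypto ipsec sa'.
IDENT = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/(\d+)/(\d+)\)")


def parse_isakmp_sa(text, local_addr):
    """Map each IKE peer to (state, status). The peer is whichever of dst/src is not us."""
    peers = {}
    for line in text.splitlines():
        m = SA_ROW.match(line)
        if not m:
            continue
        dst, src, state, _conn_id, status = m.groups()
        peer = src if dst == local_addr else dst
        peers[peer] = (state, status)
    return peers


def parse_ipsec_identities(text):
    """Return (local_ip, remote_ip, protocol) for every local/remote identity pair."""
    identities, local = [], None
    for line in text.splitlines():
        m = IDENT.search(line)
        if not m:
            continue
        which, addr, _mask, proto, _port = m.groups()
        if which == "local":
            local = addr
        elif local is not None:
            identities.append((local, addr, int(proto)))
    return identities


def check_dmvpn_hub(isakmp_out, ipsec_out, local_addr, expected_spokes):
    """Return a list of problems; an empty list means every expected spoke is up."""
    problems = []
    ike = parse_isakmp_sa(isakmp_out, local_addr)
    gre_peers = {remote for local, remote, proto in parse_ipsec_identities(ipsec_out)
                 if local == local_addr and proto == 47}
    for spoke in sorted(expected_spokes):
        state, status = ike.get(spoke, (None, None))
        if (state, status) != ("QM_IDLE", "ACTIVE"):
            problems.append(f"{spoke}: IKE SA state={state} status={status}")
        if spoke not in gre_peers:
            problems.append(f"{spoke}: no GRE/IPsec SA")
    for peer in sorted(set(ike) - set(expected_spokes)):
        problems.append(f"{peer}: unexpected IKE peer")
    return problems


if __name__ == "__main__":
    print(check_dmvpn_hub(ISAKMP_SA, IPSEC_SA, HUB_PUBLIC, EXPECTED_SPOKES) or "all spokes up")
```

An unexpected peer in the IKE table is worth reporting rather than ignoring: with the wildcard pre-shared key used in this lab, any host that knows the key can appear there, and this list is the quickest place to notice it.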
NoteBook
In the virtual machine, add IP address 200.1.1.2 255.255.255.0 with gateway 200.1.1.1, install the Cisco VPN Client and configure it as follows (group name: naton, group password: naton):
Double-click the VPN connection, enter username cisco and password cisco; it reports that the dial-in succeeded;
pings to the headquarters server addresses all succeed, so the Easy VPN configuration is working.
This lab is now complete; please send comments or suggestions, thank you.