拓扑:
R1:
crypto isakmp policy 10 encr aes 256 authentication pre-share group 5 lifetime 3600 crypto isakmp key 6 CCIE address 0.0.0.0 !配置策略和认证 ! crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac mode transport !配置传输组和封装方法以及运行模式(传输模式) crypto ipsec profile MYPRO set transform-set MYSET !配置IPSec保护文件并应用传输组 ! ! ! ! ! ! interface Tunnel0 ip address 10.0.0.1 255.255.255.0 #配置tun 0的地址 no ip redirects ip nhrp map multicast dynamic #设置nhrp的映射表为动态学习 ip nhrp network-id 10 #设置nhrp的组号(和所有spoke的组号相同) ip nhrp redirect #重定向spoke之间的路由 ip ospf network point-to-multipoint #设置隧道间的ospf网络为点到多点(默认为点到点) tunnel source Ethernet0/0 #设置tun 0的源端口 tunnel mode gre multipoint #设置gre为多点 tunnel protection ipsec profile MYPRO #应用IPSec保护文件到tun 0 ! interface Ethernet0/0 ip address 202.0.14.1 255.255.255.0 ip nat outside ip virtual-reassembly in ! interface Ethernet0/1 ip address 192.168.1.254 255.255.255.0 ip nat inside ip virtual-reassembly in ! interface Ethernet0/2 no ip address shutdown ! interface Ethernet0/3 no ip address shutdown ! router ospf 1 network 10.0.0.1 0.0.0.0 area 0 network 192.168.1.254 0.0.0.0 area 0 ! ip forward-protocol nd ! ! no ip http server no ip http secure-server ip nat inside source list 99 interface Ethernet0/0 overload ip route 0.0.0.0 0.0.0.0 202.0.14.4 ! ! ! access-list 99 permit 192.168.1.0 0.0.0.255 !
R2:
crypto isakmp policy 10 encr aes 256 authentication pre-share group 5 lifetime 3600 crypto isakmp key 6 CCIE address 0.0.0.0 ! ! crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac mode transport ! crypto ipsec profile MYPRO set transform-set MYSET ! ! ! ! ! ! ! interface Tunnel0 ip address 10.0.0.2 255.255.255.0 no ip redirects ip nhrp map 10.0.0.1 202.0.14.1 #静态绑定hub的映射表 ip nhrp map multicast 202.0.14.1 #将到hub的组播转换为目的地址为hub公网地址的单播 ip nhrp network-id 10 ip nhrp nhs 10.0.0.1 #设置nhrp的注册地址为hub的隧道地址 ip nhrp shortcut #设置捷径模式(去往其他spoke的流量走直连) ip ospf network point-to-multipoint tunnel source Ethernet0/0 tunnel mode gre multipoint tunnel protection ipsec profile MYPRO ! interface Ethernet0/0 ip address 202.0.25.2 255.255.255.0 ip nat outside ip virtual-reassembly in ! interface Ethernet0/1 ip address 192.168.2.254 255.255.255.0 ip nat inside ip virtual-reassembly in ! interface Ethernet0/2 no ip address shutdown ! interface Ethernet0/3 no ip address shutdown ! router ospf 1 network 10.0.0.2 0.0.0.0 area 0 network 192.168.2.254 0.0.0.0 area 0 ! ip forward-protocol nd ! ! no ip http server no ip http secure-server ip nat inside source list 99 interface Ethernet0/0 overload ip route 0.0.0.0 0.0.0.0 202.0.25.5 ! ! ! access-list 99 permit 192.168.2.0 0.0.0.255
R3:
crypto isakmp policy 10 encr aes 256 authentication pre-share group 5 lifetime 3600 crypto isakmp key 6 CCIE address 0.0.0.0 ! ! crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac mode transport ! crypto ipsec profile MYPRO set transform-set MYSET ! ! ! ! ! ! ! interface Tunnel0 ip address 10.0.0.3 255.255.255.0 no ip redirects ip nhrp map 10.0.0.1 202.0.14.1 ip nhrp map multicast 202.0.14.1 ip nhrp network-id 10 ip nhrp nhs 10.0.0.1 ip nhrp shortcut ip ospf network point-to-multipoint tunnel source Ethernet0/0 tunnel mode gre multipoint tunnel protection ipsec profile MYPRO ! interface Ethernet0/0 ip address 202.0.36.3 255.255.255.0 ip nat outside ip virtual-reassembly in ! interface Ethernet0/1 ip address 192.168.3.254 255.255.255.0 ip nat inside ip virtual-reassembly in ! interface Ethernet0/2 no ip address shutdown ! interface Ethernet0/3 no ip address shutdown ! router ospf 1 network 10.0.0.3 0.0.0.0 area 0 network 192.168.3.254 0.0.0.0 area 0 ! ip forward-protocol nd ! ! no ip http server no ip http secure-server ip nat inside source list 99 interface Ethernet0/0 overload ip route 0.0.0.0 0.0.0.0 202.0.36.6 ! ! ! access-list 99 permit 192.168.3.0 0.0.0.255