Cisco dual-hub, dual-DMVPN configuration example


VPN configuration example series (1): Cisco dual-hub, dual-DMVPN configuration example (original) 2011-08-16 17:51
(HUB-1)AIR1#show run
Building configuration...
upgrade fpd auto
version 12.4
hostname AIR1
aaa new-model
!
aaa authentication login login local none
aaa session-id common
ip source-route
ip cef
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
username cisco privilege 15 secret 5 $1$2HQI$6HPxKq33L6fHLOq.mNEJ6.
archive
log config
hidekeys
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key two.hub.key address
!
crypto ipsec transform-set two.hub.set esp-3des esp-md5-hmac
mode transport
!
set transform-set two.hub.set
!
interface Loopback0
ip address 1.1.4.1 255.255.255.0
ip ospf network point-to-point
!
interface Tunnel0
ip address 10.0.10.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp map multicast dynamic
ip nhrp network-id 10
ip nhrp holdtime 600
ip ospf network broadcast
ip ospf priority 10
delay 1000
tunnel source Serial1/1
tunnel mode gre multipoint
tunnel key 2012
!
interface FastEthernet0/0
ip address 172.17.3.2 255.255.255.0
duplex auto
speed auto
!
interface Serial1/1
ip address 201.0.1.2 255.255.255.0
serial restart-delay 0
router ospf 100
router-id 1.1.4.1
log-adjacency-changes
network 10.0.10.0 0.0.0.255 area 1
network 172.17.3.0 0.0.0.255 area 0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 201.0.1.1
line con 0
exec-timeout 0 0
logging synchronous
login authentication login
stopbits 1
line aux 0
stopbits 1
line vty 0 4
!
end
-----------------------------------------------------
(HUB-2)AIR2#show run
Building configuration...
version 12.4
hostname AIR2
enable password cisco
!
aaa new-model
!
aaa authentication login login local none
!
aaa session-id common
memory-size iomem 5
!
ip cef
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
username ezvpn password 0 ezvpn
username air2 secret 5 $1$iT8A$btPfNBneo8ShHP1pJwRyt/
archive
log config
hidekeys
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key two.hub.key address .0 0.0.0.0
!
crypto ipsec transform-set two.hub.set esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile two.hub.profile
set transform-set two.hub.set
interface Loopback0
ip address 1.1.7.1 255.255.255.0
!
interface Tunnel0
ip address 10.0.20.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication two.auth
ip nhrp map multicast dynamic
ip nhrp network-id 10
ip nhrp holdtime 600
ip ospf network broadcast
ip ospf priority 5
delay 1000
tunnel source Serial1/2
tunnel mode gre multipoint
tunnel key 2012
tunnel protection ipsec profile two.hub.profile
!
interface FastEthernet0/0
ip address 172.17.4.2 255.255.255.0
duplex auto
speed auto
!
interface Serial1/0
ip address 202.0.0.2 255.255.255.0
serial restart-delay 0
interface Serial1/2
ip address 201.1.1.2 255.255.255.0
serial restart-delay 0
router ospf 100
router-id 1.1.7.1
log-adjacency-changes
network 10.0.20.0 0.0.0.255 area 1
network 172.17.4.0 0.0.0.255 area 0
ip route 0.0.0.0 0.0.0.0 201.1.1.1
line con 0
exec-timeout 0 0
logging synchronous
login authentication login
line aux 0
login authentication login
line vty 0 4
exec-timeout 0 0
logging synchronous
login authentication login
!
!
end
-----------------------------------------------------------------
(SPOKE-1)IOSFW1#show run
Building configuration...
!
version 12.4
!
hostname IOSFW1
aaa new-model
aaa authentication login login local none
aaa session-id common
memory-size iomem 5
ip cef
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
username cisco privilege 15 secret 5 $1$FfyS$.b/nQwuam1J17HEESibRB0
archive
log config
hidekeys
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key two.hub.key address
!
crypto ipsec transform-set two.hub.set esp-3des esp-md5-hmac
mode transport
!
set transform-set two.hub.set
interface Loopback0
ip address 1.1.5.1 255.255.255.0
!
interface Tunnel0
ip address 10.0.10.2 255.255.255.0
ip mtu 1400
ip nhrp ma
ip nhrp network-id 10
ip nhrp holdtime 300
ip ospf network broadcast
ip ospf priority 0
delay 1000
tunnel source Serial1/0
tunnel key 2012
!
interface Tunnel1
ip address 10.0.20.2 255.255.255.0
ip mtu 1400
ip nhrp ma
ip nhrp network-id 10
ip nhrp holdtime 300
ip ospf network broadcast
ip ospf priority 0
delay 1000
tunnel source Serial1/0
tunnel key 2012
!
interface Serial1/0
ip address 201.0.2.2 255.255.255.0
serial restart-delay 0
router ospf 100
router-id 1.1.5.1
log-adjacency-changes
network 10.0.10.0 0.0.0.255 area 1
network 10.0.20.0 0.0.0.255 area 1
network 192.168.10.0 0.0.0.255 area 1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 201.0.2.1
line con 0
exec-timeout 0 0
logging synchronous
login authentication login
line aux 0
line vty 0 4
!
!
end
---------------------------------------------------------------------
(SPOKE-2)IOSFW2#show run
Building configuration...
version 12.4
no service password-encryption
!
hostname IOSFW2
enable password cisco
!
aaa new-model
aaa authentication login login local none
aaa session-id common
memory-size iomem 5
ip cef
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
username iosfw2 secret 5 $1$.S/B$cBe/jtBt23/MpNaFaZ1320
archive
log config
hidekeys
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key two.hub.key address .0 0.0.0.0
!
crypto ipsec transform-set two.hub.set esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile two.hub.profile
set transform-set two.hub.set
interface Loopback0
ip address 1.1.6.1 255.255.255.0
!
interface Tunnel0
ip address 10.0.10.3 255.255.255.0
ip mtu 1400
ip nhrp authentication two.auth
ip nhrp ma.1 201.0.1.2
ip nhrp network-id 10
ip nhrp holdtime 300
ip nhrp nhs 10.0.10.1
ip ospf network broadcast
ip ospf priority 0
delay 1000
tunnel source Serial1/0
tunnel destination 201.0.1.2
tunnel key 2012
tunnel protection ipsec profile two.hub.profile
!
interface Tunnel1
ip address 10.0.20.3 255.255.255.0
ip mtu 1400
ip nhrp authentication two.auth
ip nhrp ma.1 201.1.1.2
ip nhrp network-id 10
ip nhrp holdtime 300
ip nhrp nhs 10.0.20.1
ip ospf network broadcast
ip ospf priority 0
delay 1000
tunnel source Serial1/0
tunnel destination 201.1.1.2
tunnel key 2012
tunnel protection ipsec profile two.hub.profile
interface Serial1/0
ip address 201.0.3.2 255.255.255.0
serial restart-delay 0
router ospf 100
router-id 1.1.6.1
log-adjacency-changes
network 10.0.10.0 0.0.0.255 area 1
network 10.0.20.0 0.0.0.255 area 1
network 192.168.20.0 0.0.0.255 area 1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 201.0.3.1
line con 0
exec-timeout 0 0
logging synchronous
login authentication login
line aux 0
login authentication login
line vty 0 4
exec-timeout 0 0
logging synchronous
login authentication login
!
!
end
IOSFW1#show cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
201.0.1.2 201.0.2.2 QM_IDLE 1011 0 ACTIVE
201.1.1.2 201.0.2.2 QM_IDLE 1014 0 ACTIVE
IOSFW2#show cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
201.1.1.2 201.0.3.2 QM_IDLE 1002 0 ACTIVE
201.0.1.2 201.0.3.2 QM_IDLE 1001 0 ACTIVE
IOSFW1#show cry ipsec sa
protected vrf: (none)
local ident (addr/mask/prot/port): (201.0.2.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (201.0.1.2/255.255.255.255/47/0)
current_peer 201.0.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 921, #pkts encrypt: 921, #pkts digest: 921
#pkts decaps: 976, #pkts decrypt: 976, #pkts verify: 976
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0
local crypto endpt.: 201.0.2.2, remote crypto endpt.: 201.0.1.2
path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0
current outbound spi: 0x116D44B0(292373680)
IOSFW2#show cry ipsec sa
protected vrf: (none)
local ident (addr/mask/prot/port): (201.0.3.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (201.0.1.2/255.255.255.255/47/0)
current_peer 201.0.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 791, #pkts encrypt: 791, #pkts digest: 791
#pkts decaps: 849, #pkts decrypt: 849, #pkts verify: 849
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 201.0.3.2, remote crypto endpt.: 201.0.1.2
path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0
current outbound spi: 0x38CD88C8(952993992)
IOSFW1#show cry engine connect active
Crypto Engine Connections
IOSFW2#show cry engine connection active
Crypto Engine Connections
IOSFW1#show ip ospf nei
Neighbor ID Pri State Dead Time Address Interface
.1 5 FULL/DR 00:00:36 10.0.20.1 Tunnel1
1.1.4.1 10 FULL/DR 00:00:37 10.0.10.1 Tunnel0
IOSFW2#show ip ospf nei
Neighbor ID Pri State Dead Time Address Interface
.1 5 FULL/DR 00:00:34 10.0.20.1 Tunnel1
1.1.4.1 10 FULL/DR 00:00:33 10.0.10.1 Tunnel0
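
An added example, not part of the original post: a Python check that walks an IOS running-config section by section and flags the weak settings that appear in the listings above (MD5 and DH group 2 in the ISAKMP policy, 3DES and HMAC-MD5 in the transform set, unhashed passwords, the "none" login fallback, a disabled idle timeout). The names RULES, SAMPLE and audit are assumptions of this example, and SAMPLE is constructed from lines of the HUB-2 listing.

```python
import re

# (parent-section regex or None for top-level commands, line regex, finding)
RULES = [
    (None, r"enable password ", "enable password is cleartext or reversible type 7; use 'enable secret'"),
    (None, r"username \S+ (.* )?password ", "user password is not hashed; use 'username ... secret'"),
    (None, r"aaa authentication login .*\bnone\b", "'none' fallback can admit a login without credentials"),
    (r"crypto isakmp policy", r"hash md5$", "IKE phase 1 hash is MD5"),
    (r"crypto isakmp policy", r"group (1|2|5)$", "Diffie-Hellman group is below 2048 bits"),
    (None, r"crypto ipsec transform-set .*esp-3?des\b", "ESP cipher is DES/3DES"),
    (None, r"crypto ipsec transform-set .*esp-md5-hmac\b", "ESP integrity is HMAC-MD5"),
    (r"line (con|aux|vty)", r"exec-timeout 0 0$", "idle management sessions never time out"),
]

# Constructed sample: lines taken from the HUB-2 (AIR2) listing above, with the
# one-space indentation that IOS prints for sub-commands restored.
SAMPLE = """\
enable password cisco
aaa authentication login login local none
username ezvpn password 0 ezvpn
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set two.hub.set esp-3des esp-md5-hmac
line vty 0 4
 exec-timeout 0 0
"""

def audit(config):
    """Return (line_no, section, line, finding) for each weak setting found."""
    findings, section = [], None
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line == "!":
            continue
        top_level = not raw.startswith(" ")
        if top_level:
            section = line  # a top-level command opens a new section
        for parent, pattern, finding in RULES:
            in_scope = top_level if parent is None else (
                not top_level and re.match(parent, section or ""))
            if in_scope and re.match(pattern, line):
                findings.append((no, None if top_level else section, line, finding))
    return findings

if __name__ == "__main__":
    for no, section, line, finding in audit(SAMPLE):
        print(f"{no:>3}  {section or '-':<24} {line:<40} {finding}")
```

The listings on this page have lost their indentation, so a config pasted from here needs the sub-command indentation restored before the section-scoped rules will match.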
