思科路由器DMvpn配置

Hello World, Hello Blog

Posted by Haike Nan on March 27, 2021

拓扑:

R1:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key 6 CCIE address 0.0.0.0
!配置策略和认证
!
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
 mode transport
!配置传输组和封装方法以及运行模式(传输模式)
crypto ipsec profile MYPRO
 set transform-set MYSET
!配置IPSec保护文件并应用传输组
!
!
!
!
!
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0 #配置tun 0的地址
 no ip redirects
 ip nhrp map multicast dynamic #设置nhrp的映射表为动态学习
 ip nhrp network-id 10 #设置nhrp的组号(和所有spoke的组号相同)
 ip nhrp redirect #重定向spoke之间的路由
 ip ospf network point-to-multipoint #设置隧道间的ospf网络为点到多点(默认为点到点)
 tunnel source Ethernet0/0 #设置tun 0的源端口
 tunnel mode gre multipoint #设置gre为多点
 tunnel protection ipsec profile MYPRO #应用IPSec保护文件到tun 0
!
interface Ethernet0/0
 ip address 202.0.14.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
!
interface Ethernet0/1
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Ethernet0/2
 no ip address
 shutdown
!
interface Ethernet0/3
 no ip address
 shutdown
!
router ospf 1
 network 10.0.0.1 0.0.0.0 area 0
 network 192.168.1.254 0.0.0.0 area 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list 99 interface Ethernet0/0 overload
ip route 0.0.0.0 0.0.0.0 202.0.14.4
!
!
!
access-list 99 permit 192.168.1.0 0.0.0.255
!

R2:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key 6 CCIE address 0.0.0.0
!
!
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile MYPRO
 set transform-set MYSET
!
!
!
!
!
!
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip nhrp map 10.0.0.1 202.0.14.1 #静态绑定hub的映射表
 ip nhrp map multicast 202.0.14.1 #将到hub的组播转换为目的地址为hub公网地址的单播
 ip nhrp network-id 10
 ip nhrp nhs 10.0.0.1 #设置nhrp的注册地址为hub的隧道地址
 ip nhrp shortcut #设置捷径模式(去往其他spoke的流量走直连)
 ip ospf network point-to-multipoint
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile MYPRO
!
interface Ethernet0/0
 ip address 202.0.25.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
!
interface Ethernet0/1
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Ethernet0/2
 no ip address
 shutdown
!
interface Ethernet0/3
 no ip address
 shutdown
!
router ospf 1
 network 10.0.0.2 0.0.0.0 area 0
 network 192.168.2.254 0.0.0.0 area 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list 99 interface Ethernet0/0 overload
ip route 0.0.0.0 0.0.0.0 202.0.25.5
!
!
!
access-list 99 permit 192.168.2.0 0.0.0.255

R3:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key 6 CCIE address 0.0.0.0
!
!
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile MYPRO
 set transform-set MYSET
!
!
!
!
!
!
!
interface Tunnel0
 ip address 10.0.0.3 255.255.255.0
 no ip redirects
 ip nhrp map 10.0.0.1 202.0.14.1
 ip nhrp map multicast 202.0.14.1
 ip nhrp network-id 10
 ip nhrp nhs 10.0.0.1
 ip nhrp shortcut
 ip ospf network point-to-multipoint
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile MYPRO
!
interface Ethernet0/0
 ip address 202.0.36.3 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
!
interface Ethernet0/1
 ip address 192.168.3.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Ethernet0/2
 no ip address
 shutdown
!
interface Ethernet0/3
 no ip address
 shutdown
!
router ospf 1
 network 10.0.0.3 0.0.0.0 area 0
 network 192.168.3.254 0.0.0.0 area 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list 99 interface Ethernet0/0 overload
ip route 0.0.0.0 0.0.0.0 202.0.36.6
!
!
!
access-list 99 permit 192.168.3.0 0.0.0.255