拓扑:
R1:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
lifetime 3600
crypto isakmp key 6 CCIE address 0.0.0.0
!配置策略和认证
!
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
mode transport
!配置传输组和封装方法以及运行模式(传输模式)
crypto ipsec profile MYPRO
set transform-set MYSET
!配置IPSec保护文件并应用传输组
!
!
!
!
!
!
interface Tunnel0
ip address 10.0.0.1 255.255.255.0 #配置tun 0的地址
no ip redirects
ip nhrp map multicast dynamic #设置nhrp的映射表为动态学习
ip nhrp network-id 10 #设置nhrp的组号(和所有spoke的组号相同)
ip nhrp redirect #重定向spoke之间的路由
ip ospf network point-to-multipoint #设置隧道间的ospf网络为点到多点(默认为点到点)
tunnel source Ethernet0/0 #设置tun 0的源端口
tunnel mode gre multipoint #设置gre为多点
tunnel protection ipsec profile MYPRO #应用IPSec保护文件到tun 0
!
interface Ethernet0/0
ip address 202.0.14.1 255.255.255.0
ip nat outside
ip virtual-reassembly in
!
interface Ethernet0/1
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Ethernet0/2
no ip address
shutdown
!
interface Ethernet0/3
no ip address
shutdown
!
router ospf 1
network 10.0.0.1 0.0.0.0 area 0
network 192.168.1.254 0.0.0.0 area 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list 99 interface Ethernet0/0 overload
ip route 0.0.0.0 0.0.0.0 202.0.14.4
!
!
!
access-list 99 permit 192.168.1.0 0.0.0.255
!
R2:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
lifetime 3600
crypto isakmp key 6 CCIE address 0.0.0.0
!
!
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile MYPRO
set transform-set MYSET
!
!
!
!
!
!
!
interface Tunnel0
ip address 10.0.0.2 255.255.255.0
no ip redirects
ip nhrp map 10.0.0.1 202.0.14.1 #静态绑定hub的映射表
ip nhrp map multicast 202.0.14.1 #将到hub的组播转换为目的地址为hub公网地址的单播
ip nhrp network-id 10
ip nhrp nhs 10.0.0.1 #设置nhrp的注册地址为hub的隧道地址
ip nhrp shortcut #设置捷径模式(去往其他spoke的流量走直连)
ip ospf network point-to-multipoint
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile MYPRO
!
interface Ethernet0/0
ip address 202.0.25.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
!
interface Ethernet0/1
ip address 192.168.2.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Ethernet0/2
no ip address
shutdown
!
interface Ethernet0/3
no ip address
shutdown
!
router ospf 1
network 10.0.0.2 0.0.0.0 area 0
network 192.168.2.254 0.0.0.0 area 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list 99 interface Ethernet0/0 overload
ip route 0.0.0.0 0.0.0.0 202.0.25.5
!
!
!
access-list 99 permit 192.168.2.0 0.0.0.255
R3:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
lifetime 3600
crypto isakmp key 6 CCIE address 0.0.0.0
!
!
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile MYPRO
set transform-set MYSET
!
!
!
!
!
!
!
interface Tunnel0
ip address 10.0.0.3 255.255.255.0
no ip redirects
ip nhrp map 10.0.0.1 202.0.14.1
ip nhrp map multicast 202.0.14.1
ip nhrp network-id 10
ip nhrp nhs 10.0.0.1
ip nhrp shortcut
ip ospf network point-to-multipoint
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile MYPRO
!
interface Ethernet0/0
ip address 202.0.36.3 255.255.255.0
ip nat outside
ip virtual-reassembly in
!
interface Ethernet0/1
ip address 192.168.3.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Ethernet0/2
no ip address
shutdown
!
interface Ethernet0/3
no ip address
shutdown
!
router ospf 1
network 10.0.0.3 0.0.0.0 area 0
network 192.168.3.254 0.0.0.0 area 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list 99 interface Ethernet0/0 overload
ip route 0.0.0.0 0.0.0.0 202.0.36.6
!
!
!
access-list 99 permit 192.168.3.0 0.0.0.255
