H3C router ADVPN configuration (single HUB)


Posted by Haike Nan on July 27, 2022

Topology:

Underlay interface and routing configuration is omitted.

HUB:

```
domain abc
 authentication advpn local
#
local-user hub class network
 password sim hub123
 service-type advpn
#
local-user spoke class network
 password sim spoke123
 service-type advpn
#
#
#
vam server advpn-domain abc id 1
 pre-shared-key sim H3CIE
 authentication-method chap domain abc
 server enable
 hub-group 0
  hub private-address 192.168.1.1
  spoke private-address range 192.168.1.0 192.168.1.255
#
#
#
vam client name hub
 advpn-domain abc
 server primary ip-address 1.0.0.1
 pre-shared-key sim H3CIE
 user hub password sim hub123
 client enable
#
#
#
ipsec transform-set 1
 esp encryption-algorithm des-cbc
 esp authentication-algorithm md5
#
ipsec profile 1 isakmp
 transform-set 1
 ike-profile 1
#
ike profile 1
 keychain 1
#
ike keychain 1
 pre-shared-key address 0.0.0.0 0.0.0.0 key sim H3C
#
#
#
interface Tunnel0 mode advpn udp
 ip address 192.168.1.1 255.255.255.0
 source GigabitEthernet0/0
 tunnel protection ipsec profile 1
 vam client hub
#
#
#
ip route-static 172.16.2.0 24 192.168.1.2
ip route-static 172.16.3.0 24 192.168.1.3
#
```

SPOKE1:

```
vam client name spoke
 advpn-domain abc
 server primary ip-address 1.0.0.1
 pre-shared-key sim H3CIE
 user spoke password sim spoke123
 client enable
#
#
#
ipsec transform-set 1
 esp encryption-algorithm des-cbc
 esp authentication-algorithm md5
#
ipsec profile 1 isakmp
 transform-set 1
 ike-profile 1
#
ike profile 1
 keychain 1
#
ike keychain 1
 pre-shared-key address 0.0.0.0 0.0.0.0 key sim H3C
#
#
#
interface Tunnel0 mode advpn udp
 ip address 192.168.1.2 255.255.255.0
 source GigabitEthernet0/0
 tunnel protection ipsec profile 1
 vam client spoke
#
#
#
ip route-static 172.16.1.0 24 192.168.1.1
```

SPOKE2:

```
vam client name spoke
 advpn-domain abc
 server primary ip-address 1.0.0.1
 pre-shared-key sim H3CIE
 user spoke password sim spoke123
 client enable
#
#
#
ipsec transform-set 1
 esp encryption-algorithm des-cbc
 esp authentication-algorithm md5
#
ipsec profile 1 isakmp
 transform-set 1
 ike-profile 1
#
ike profile 1
 keychain 1
#
ike keychain 1
 pre-shared-key address 0.0.0.0 0.0.0.0 key sim H3C
#
#
#
interface Tunnel0 mode advpn udp
 ip address 192.168.1.3 255.255.255.0
 source GigabitEthernet0/0
 tunnel protection ipsec profile 1
 vam client spoke
#
#
#
ip route-static 172.16.1.0 24 192.168.1.1
```

Verification:

SPOKE1 reaching HUB:

SPOKE2 reaching HUB:

Strictly speaking, since IPsec already provides authentication and protection, the VAM server and client should not need their own authentication; in testing, however, once the authentication was removed, the mapping between public IP and tunnel IP could not be established (Cisco does not have this problem).

In this configuration the IPsec encapsulation mode defaults to transport mode (ESP encapsulates the original data directly, without an inner IP header), so no interesting-traffic ACL needs to be configured.

For SPOKE1 and SPOKE2 to communicate with each other, it is enough to add a static route on each spoke pointing to the other's network.
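The parameters that must agree between a spoke and the hub (ADVPN domain, VAM pre-shared key, IKE keychain key, tunnel address inside the hub-group spoke range) are easy to get wrong when cloning spoke configs. The following is an added consistency check, not part of the original post, run over trimmed copies of the HUB and SPOKE1 configs above; it also flags the des-cbc/md5 transform-set, which this lab config uses but which should not be carried into production.

```python
import re
from ipaddress import ip_address

# Trimmed copies of the page's HUB and SPOKE1 configs (constructed sample input).
HUB = """vam server advpn-domain abc id 1
 pre-shared-key sim H3CIE
  spoke private-address range 192.168.1.0 192.168.1.255
 esp encryption-algorithm des-cbc
 esp authentication-algorithm md5
 pre-shared-key address 0.0.0.0 0.0.0.0 key sim H3C
"""
SPOKE1 = """vam client name spoke
 advpn-domain abc
 pre-shared-key sim H3CIE
 esp encryption-algorithm des-cbc
 esp authentication-algorithm md5
 pre-shared-key address 0.0.0.0 0.0.0.0 key sim H3C
interface Tunnel0 mode advpn udp
 ip address 192.168.1.2 255.255.255.0
"""
# Algorithms that should not appear in a production transform-set.
WEAK = {"des-cbc", "3des-cbc", "md5"}

def grab(cfg, pattern):
    """First capture group of the first line matching pattern, or None."""
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None

def check_spoke(hub, spoke):
    """Return findings for a spoke config checked against the hub; [] means consistent."""
    findings = []
    if grab(spoke, r"^ advpn-domain (\S+)") != grab(hub, r"^vam server advpn-domain (\S+)"):
        findings.append("advpn-domain mismatch")
    if grab(spoke, r"^ pre-shared-key sim (\S+)") != grab(hub, r"^ pre-shared-key sim (\S+)"):
        findings.append("vam pre-shared-key mismatch")
    ike = r"^ pre-shared-key address \S+ \S+ key sim (\S+)"
    if grab(spoke, ike) != grab(hub, ike):
        findings.append("ike keychain key mismatch")
    rng = re.search(r"spoke private-address range (\S+) (\S+)", hub)
    tun = grab(spoke, r"^ ip address (\S+) ")
    if rng and tun:
        lo, hi = ip_address(rng.group(1)), ip_address(rng.group(2))
        if not lo <= ip_address(tun) <= hi:
            findings.append(f"tunnel address {tun} outside hub-group spoke range")
    for alg in re.findall(r"^ esp \S+-algorithm (\S+)", spoke, re.M):
        if alg in WEAK:
            findings.append(f"weak ipsec algorithm {alg}")
    return findings
```

For the page's SPOKE1 the only findings are the two weak algorithms; feeding SPOKE2 through the same function works the same way since its differences are only the tunnel address and the routes.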