Topology:

R1 is the hub. R2 and R3 are spokes with fixed public IPs; R4 is a spoke without a fixed public IP.
Requirement: the spokes must be able to reach each other through the hub (spoke-to-hub traffic itself is not required), and this must keep working even though R4 has no fixed public IP.
Interface IPs are configured in advance, and each router gets a loopback IP that is used to test connectivity between sites.
R2, R3 and R4 are configured the same way. R4 having no fixed public IP does not change its own configuration, because it is the hub that needs a fixed public IP: the spoke always initiates toward the hub.
R2 configuration
ip access-list extended pe
permit ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255
permit ip 2.2.2.0 0.0.0.255 4.4.4.0 0.0.0.255
ip route 3.3.3.0 255.255.255.0 12.1.1.1
ip route 4.4.4.0 255.255.255.0 12.1.1.1
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key cisco address 12.1.1.1
crypto ipsec transform-set r2 esp-aes esp-sha-hmac
mode tunnel
crypto map vpn 10 ipsec-isakmp
set peer 12.1.1.1
set transform-set r2
match address pe
interface Ethernet0/0
ip address 12.1.1.2 255.255.255.0
duplex auto
crypto map vpn
R3 configuration
ip access-list extended per
permit ip 3.3.3.0 0.0.0.255 2.2.2.0 0.0.0.255
permit ip 3.3.3.0 0.0.0.255 4.4.4.0 0.0.0.255
ip route 2.2.2.0 255.255.255.0 13.1.1.1
ip route 4.4.4.0 255.255.255.0 13.1.1.1
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key cisco address 13.1.1.1
crypto ipsec transform-set r3 esp-aes esp-sha-hmac
mode tunnel
crypto map vpn 10 ipsec-isakmp
set peer 13.1.1.1
set transform-set r3
match address per
interface Ethernet0/0
ip address 13.1.1.3 255.255.255.0
duplex auto
crypto map vpn
R4 configuration
ip route 2.2.2.0 255.255.255.0 14.1.1.1
ip route 3.3.3.0 255.255.255.0 14.1.1.1
ip access-list extended vpn
permit ip 4.4.4.0 0.0.0.255 2.2.2.0 0.0.0.255
permit ip 4.4.4.0 0.0.0.255 3.3.3.0 0.0.0.255
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key test address 14.1.1.1
crypto ipsec transform-set r3 esp-des esp-md5-hmac
mode tunnel
crypto map vpn 10 ipsec-isakmp
set peer 14.1.1.1
set transform-set r3
match address vpn
interface Ethernet0/0
ip address dhcp
duplex auto
crypto map vpn
R1 configuration
ip route 2.2.2.0 255.255.255.0 12.1.1.2
ip route 3.3.3.0 255.255.255.0 13.1.1.3
ip route 4.4.4.0 255.255.255.0 14.1.1.4
// Get the routes in place first. Note that the route to 4.4.4.0/24 points at the address R4 happens to hold right now; if DHCP later gives R4 a different address, this next hop goes stale. `reverse-route` under the dynamic map (reverse route injection) installs the route to the spoke's protected network from the negotiated proxy identity instead and removes that dependency.
crypto isakmp key cisco address 12.1.1.2
crypto isakmp key cisco address 13.1.1.3
// Pre-shared keys for R2 and R3, bound to their fixed peer addresses
crypto isakmp key test address 0.0.0.0
// Pre-shared key for R4, bound to a wildcard peer address because R4's address is not known in advance. R2 and R3 could share this entry as well instead of having peer-specific keys, but a wildcard key is accepted from any source address, so anyone holding it can complete Phase 1 with the hub: keep it separate from the fixed-peer keys and make it strong. The hub's ISAKMP policy is not shown in this write-up; Phase 1 only succeeds if R1 has a policy matching the spokes' (aes, pre-share, group 2).
ip access-list extended r2
permit ip 3.3.3.0 0.0.0.255 2.2.2.0 0.0.0.255
permit ip 4.4.4.0 0.0.0.255 2.2.2.0 0.0.0.255
ip access-list extended r3
permit ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255
permit ip 4.4.4.0 0.0.0.255 3.3.3.0 0.0.0.255
Define the interesting traffic for R2 and R3 separately. Each hub ACL must be the exact mirror image of the corresponding spoke ACL (hub source = spoke destination and vice versa), otherwise the Phase 2 proxy identities do not agree and the SA is never built.
crypto ipsec transform-set r1 esp-aes esp-sha-hmac
mode tunnel
crypto ipsec transform-set test esp-des esp-md5-hmac
mode tunnel
// Two separate transform sets on purpose so the two kinds of tunnel are easy to tell apart in show output; the R4 set also uses a different cipher and hash. DES and MD5 are only acceptable for this lab distinction; use AES and SHA (and a DH group stronger than group 2) for anything real.
crypto map r2 10 ipsec-isakmp
set peer 12.1.1.2
set transform-set r1
match address r2
!
crypto map r3 10 ipsec-isakmp
set peer 13.1.1.3
set transform-set r1
match address r3
interface Ethernet0/0
ip address 13.1.1.1 255.255.255.0
duplex auto
crypto map r3
!
interface Ethernet0/1
ip address 12.1.1.1 255.255.255.0
duplex auto
crypto map r2
// R2 and R3 are done
crypto map test 100 ipsec-isakmp dynamic dymap
crypto dynamic-map dymap 10
set transform-set test
// Because R4 has no fixed public IP, define a dynamic-map and reference it from a crypto map. The dynamic map carries no `set peer` and no `match address`: the hub learns R4's address and the proxy identities from R4's proposal. That also means only R4 can bring this tunnel up; the hub cannot initiate toward R4, so traffic from R2 or R3 toward 4.4.4.0/24 only flows once R4 has connected. Like the other two crypto maps, `crypto map test` still has to be applied to the interface facing R4 (the 14.1.1.1 side, which is not shown above).

R4 can ping R2 and R3.

R2 and R3 can reach each other.
At this point the three spokes can all reach one another. Next, shut R4's outside interface and bring it back up so that it obtains a new address, then test again to verify that R4 still communicates normally without a fixed public IP. On R1, `show crypto isakmp sa` should list one Phase 1 SA per spoke, and `show crypto ipsec sa` one inbound and one outbound SA for each protected flow.

Even after R4's interface IP changed, communication still works without any configuration change.
This lab does not involve NAT. If a spoke also performs NAT, the NAT ACL must deny the IPsec flows (spoke LAN to the other spoke LANs) before its permit statement, since IOS evaluates the ACL first-match. Otherwise the traffic that should go over IPsec is translated first, no longer matches the crypto ACL, leaves NATed instead of encrypted, and communication fails.
Summary: branch sites with a fixed public IP use the ordinary configuration; a site without a fixed public IP is handled with a crypto map that references a dynamic-map. The interesting-traffic ACLs must mirror each other exactly, and none of the corresponding routes may be missing.
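The two things the summary and the NAT note above insist on, crypto ACLs that mirror each other and a NAT ACL that exempts the VPN flows, are easy to check offline before touching a router. The following Python script is an added example and is not part of the original lab. The ACLs `pe` and `r2` are copied from the R2 and R1 configurations on this page; the "broken" hub ACL and both NAT ACLs are constructed for the demonstration, and the parser only understands `permit`/`deny ip` entries with `any`, `host A.B.C.D` or `A.B.C.D WILDCARD` address specs.

```python
"""Offline checks for the hub-and-spoke crypto ACLs (added example, not part
of the original lab).  Parses IOS-style extended ACLs, verifies that every
spoke ACE has its mirror image on the hub, and shows why a NAT ACL must deny
the VPN flows before its permit line."""
import ipaddress

# Copied from the R2 and R1 configurations on the page.
R2_PE = """
ip access-list extended pe
 permit ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255
 permit ip 2.2.2.0 0.0.0.255 4.4.4.0 0.0.0.255
"""
R1_R2 = """
ip access-list extended r2
 permit ip 3.3.3.0 0.0.0.255 2.2.2.0 0.0.0.255
 permit ip 4.4.4.0 0.0.0.255 2.2.2.0 0.0.0.255
"""
# Constructed: hub ACL with the R4 mirror line forgotten.
R1_R2_BROKEN = """
ip access-list extended r2
 permit ip 3.3.3.0 0.0.0.255 2.2.2.0 0.0.0.255
"""
# Constructed: NAT ACL on R2 that translates everything leaving the LAN.
NAT_BAD = """
ip access-list extended nat
 permit ip 2.2.2.0 0.0.0.255 any
"""
# Constructed: the same NAT ACL with the VPN flows denied before the permit.
NAT_GOOD = """
ip access-list extended nat
 deny   ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255
 deny   ip 2.2.2.0 0.0.0.255 4.4.4.0 0.0.0.255
 permit ip 2.2.2.0 0.0.0.255 any
"""


def _net(tokens):
    """Consume one IOS address spec from the front of the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # IOS wildcard masks are inverted netmasks.  Invert explicitly so that a
    # 0.0.0.0 wildcard (a single host) is not mistaken for a /0 netmask.
    wildcard = tokens.pop(0)
    netmask = ".".join(str(255 - int(octet)) for octet in wildcard.split("."))
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)


def parse_acl(text):
    """Return [(action, src_net, dst_net), ...] in configured order."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # 'ip access-list extended NAME' header or blank line
        if tokens[1] != "ip":
            raise ValueError(f"only 'ip' ACEs are handled: {line.strip()}")
        rest = tokens[2:]
        src = _net(rest)
        dst = _net(rest)
        aces.append((tokens[0], src, dst))
    return aces


def mirror_gaps(spoke_acl, hub_acl):
    """Spoke permit ACEs whose (dst -> src) mirror is missing on the hub.

    Phase 2 proxy identities are compared as a pair, so 'permit A B' on the
    spoke needs 'permit B A' in the hub crypto ACL for that spoke."""
    hub_permits = {(s, d) for a, s, d in hub_acl if a == "permit"}
    return [(s, d) for a, s, d in spoke_acl
            if a == "permit" and (d, s) not in hub_permits]


def nat_first_match(nat_acl, src, dst):
    """IOS first-match evaluation; the implicit final entry is deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s, d in nat_acl:
        if src in s and dst in d:
            return action
    return "deny"


def vpn_flows_that_get_natted(nat_acl, crypto_acl):
    """Crypto-ACL flows that the NAT ACL would also translate.

    Inside-to-outside NAT runs before the crypto map is consulted, so a
    translated packet no longer matches the crypto ACL and misses the tunnel."""
    leaks = []
    for action, s, d in crypto_acl:
        if action != "permit":
            continue
        # Probe with the first host of each network (constructed sample flow).
        if nat_first_match(nat_acl, str(s[1]), str(d[1])) == "permit":
            leaks.append((s, d))
    return leaks


if __name__ == "__main__":
    spoke = parse_acl(R2_PE)
    print("gaps vs hub ACL r2       :", mirror_gaps(spoke, parse_acl(R1_R2)))
    print("gaps vs broken hub ACL   :", mirror_gaps(spoke, parse_acl(R1_R2_BROKEN)))
    print("NATed VPN flows, NAT_BAD :", vpn_flows_that_get_natted(parse_acl(NAT_BAD), spoke))
    print("NATed VPN flows, NAT_GOOD:", vpn_flows_that_get_natted(parse_acl(NAT_GOOD), spoke))
```

Run it as-is to see the page's own `pe`/`r2` pair come back with no gaps, the constructed hub ACL flag the missing 4.4.4.0/24 line, and `NAT_BAD` translate both VPN flows while `NAT_GOOD` exempts them; paste your own ACL text into the string constants to check a real deployment.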