Cisco DMVPN and GETVPN Hybrid Configuration Example

KS#show run
Building configuration...

Current configuration : 2641 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname KS
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
ip source-route
ip cef
!
no ip domain lookup
ip domain name mlp.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
archive
 log config
  hidekeys
!
crypto keyring ks-key
  pre-shared-key address 202.100.10.1 key ks
  pre-shared-key address 202.100.20.1 key ks
  pre-shared-key address 202.100.30.1 key ks
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp profile ks-isakmp-pro
   keyring ks-key
   match identity address 202.100.10.1 255.255.255.255
   match identity address 202.100.20.1 255.255.255.255
   match identity address 202.100.30.1 255.255.255.255
!
!
crypto ipsec transform-set ks-set esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile ks-ipsec-pro
 set transform-set ks-set
 set isakmp-profile ks-isakmp-pro
!
crypto gdoi group get-group-1
 identity number 123654
 server local
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa vpnkey
  rekey transport unicast
  sa ipsec 1
   profile ks-ipsec-pro
   match address ipv4 gre
   replay counter window-size 64
  address ipv4 202.100.100.1
!
interface Loopback0
 ip address 1.10.4.1 255.255.255.0
 ip ospf network point-to-point
!
interface FastEthernet0/0
 ip address 39.1.100.1 255.255.255.0
 ip ospf network point-to-point
!
interface Tunnel0
 no ip address
!
!
interface Serial1/0
 ip address 202.100.100.1 255.255.255.0
 serial restart-delay 0
!
!
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 202.100.100.2
no ip http server
no ip http secure-server
!
!
!
ip access-list extended gre
 permit gre any any
!
!
!
control-plane
!
!

gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
!
end
-----------------------------------------------

hub-GM1#show run
Building configuration...

Current configuration : 2474 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname hub-GM1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
ip source-route
ip cef
!
!
!
!
no ip domain lookup
ip domain name mlp.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
archive
 log config
  hidekeys
!
crypto keyring get-key
  pre-shared-key address 202.100.100.1 key ks
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp profile hub-isakmp-pro
   keyring get-key
   match identity address 202.100.100.1 255.255.255.255
!
!
crypto gdoi group get-group-1
 identity number 123654
 server address ipv4 202.100.100.1
!
!
crypto map hub-map 10 gdoi
 set group get-group-1
!
!
!
!
!
!
!
interface Loopback0
 ip address 1.10.5.1 255.255.255.0
 ip ospf network point-to-point
!
interface FastEthernet0/0
 ip address 39.1.101.1 255.255.255.0
 ip ospf network point-to-point
!
interface Tunnel0
 bandwidth 1000
 ip address 1.1.10.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication one.auth
 ip nhrp map multicast dynamic
 ip nhrp network-id 10
 ip nhrp holdtime 360
 ip nhrp redirect
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 2012
!
!
interface Serial1/0
 ip address 202.100.10.1 255.255.255.0
 serial restart-delay 0
 crypto map hub-map
!
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 202.100.10.2
ip route 39.1.10.0 255.255.255.0 1.1.10.2
ip route 39.1.20.0 255.255.255.0 1.1.10.3
no ip http server
no ip http secure-server
!
control-plane
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
!
end

-------------------------------------------------

GM2#show run
Building configuration...

Current configuration : 2198 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname GM2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
ip domain name mlp.com
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
archive
 log config
  hidekeys
!
crypto keyring gm1-key
  pre-shared-key address 202.100.100.1 key ks
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp profile gm1-isakmp-pro
   keyring gm1-key
   match identity address 202.100.100.1 255.255.255.255
!
!
crypto gdoi group get-group-1
 identity number 123654
 server address ipv4 202.100.100.1
!
!
crypto map gm1-map 10 gdoi
 set group get-group-1
!
interface Loopback0
 ip address 1.10.6.1 255.255.255.0
 ip ospf network point-to-point
!
interface FastEthernet0/0
 ip address 39.1.10.1 255.255.255.0
 ip ospf network point-to-point
!
interface Tunnel0
 bandwidth 1000
 ip address 1.1.10.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication one.auth
 ip nhrp map 1.1.10.1 202.100.10.1
 ip nhrp map multicast 202.100.10.1
 ip nhrp network-id 10
 ip nhrp holdtime 360
 ip nhrp nhs 1.1.10.1
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 2012
!
interface Serial1/0
 ip address 202.100.20.1 255.255.255.0
 serial restart-delay 0
 clock rate 64000
 invert txclock
 crypto map gm1-map
!
!
no ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 202.100.20.2
ip route 39.1.0.0 255.255.0.0 1.1.10.1
!
control-plane
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
!
end
---------------------------------

CKS#show cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
202.100.100.1   202.100.30.1    GDOI_IDLE         1008 ACTIVE
202.100.30.1    202.100.100.1   GDOI_REKEY           0 ACTIVE
202.100.100.1   202.100.20.1    GDOI_IDLE         1004 ACTIVE
202.100.100.1   202.100.10.1    GDOI_IDLE         1016 ACTIVE

IPv6 Crypto ISAKMP SA

KS#show cry gdoi ks
Total group members registered to this box: 3

Key Server Information For Group get-group-1:
    Group Name               : get-group-1
    Group Identity           : 123654
    Group Members            : 3
    IPSec SA Direction       : Both
    ACL Configured:
        access-list gre

KS#SHOW cry gdoi
GROUP INFORMATION

Group Name               : get-group-1 (Unicast)
    Group Identity           : 123654
    Group Members            : 3
    IPSec SA Direction       : Both
    Active Group Server      : Local
    Group Rekey Lifetime     : 86400 secs
    Group Rekey
        Remaining Lifetime   : 72982 secs
    Rekey Retransmit Period  : 10 secs
    Rekey Retransmit Attempts: 2
    Group Retransmit
        Remaining Lifetime   : 0 secs

IPSec SA Number        : 1
      IPSec SA Rekey Lifetime: 3600 secs
      Profile Name           : ks-ipsec-pro
      Replay method          : Count Based
      Replay Window Size     : 64
      SA Rekey
         Remaining Lifetime  : 3043 secs
      ACL Configured         : access-list gre

Group Server list        : Local

KS#show cry gdoi ks member

Group Member Information :

Number of rekeys sent for group get-group-1 : 4

Group Member ID   : 202.100.10.1
Group ID          : 123654
Group Name        : get-group-1
Key Server ID     : 202.100.100.1
Rekeys sent       : 3
Rekeys retries    : 0
Rekey Acks Rcvd   : 3
Rekey Acks missed : 0

Sent seq num :    1    2    3    0
Rcvd seq num :    1    2    3    0

Group Member ID   : 202.100.20.1
Group ID          : 123654
Group Name        : get-group-1
Key Server ID     : 202.100.100.1
Rekeys sent       : 4
Rekeys retries    : 0
Rekey Acks Rcvd   : 4
Rekey Acks missed : 0

Sent seq num :    3    0    0    0
Rcvd seq num :    3    0    0    0

Group Member ID   : 202.100.30.1
Group ID          : 123654
Group Name        : get-group-1
Key Server ID     : 202.100.100.1
Rekeys sent       : 3
Rekeys retries    : 0
Rekey Acks Rcvd   : 3
Rekey Acks missed : 0

Sent seq num :    1    2    3    0
Rcvd seq num :    1    2    3    0
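An added audit script (not part of the original page) that checks two things a reviewer would want to verify from the KS output above: whether the transform set relies on weak algorithms (the lab uses esp-des and esp-md5-hmac) and whether every group member acknowledged all rekeys. The config and `show crypto gdoi ks member` excerpts are constructed from the page; the helper names are assumptions.

```python
import re

# Constructed excerpt of the KS config shown on this page.
KS_CONFIG = """\
crypto ipsec transform-set ks-set esp-des esp-md5-hmac
 mode transport
crypto gdoi group get-group-1
 identity number 123654
 server local
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa vpnkey
  rekey transport unicast
"""

# Constructed excerpt of "show crypto gdoi ks member" output from this lab.
KS_MEMBER_OUTPUT = """\
Group Member ID   : 202.100.10.1
Rekeys sent       : 3
Rekeys retries    : 0
Rekey Acks Rcvd   : 3
Rekey Acks missed : 0

Group Member ID   : 202.100.20.1
Rekeys sent       : 4
Rekeys retries    : 0
Rekey Acks Rcvd   : 4
Rekey Acks missed : 0
"""

# Algorithms that should not be used for new deployments.
WEAK = {"esp-des", "esp-3des", "esp-md5-hmac"}

def weak_transforms(config: str) -> dict:
    """Map each transform-set name to the weak algorithms it uses."""
    found = {}
    for m in re.finditer(r"^crypto ipsec transform-set (\S+)(.*)$", config, re.M):
        weak = [t for t in m.group(2).split() if t in WEAK]
        if weak:
            found[m.group(1)] = weak
    return found

def rekey_auth_configured(config: str) -> bool:
    """True when KS rekeys are RSA-signed (members can verify their origin)."""
    return re.search(r"^\s+rekey authentication mypubkey rsa \S+", config, re.M) is not None

def parse_members(output: str) -> list:
    """Parse one record per group member from the KS member listing."""
    members = []
    for block in re.split(r"\n\s*\n", output.strip()):
        f = dict(re.findall(r"^(.+?)\s*:\s*(\S+)$", block, re.M))
        members.append({"id": f["Group Member ID"], "sent": int(f["Rekeys sent"]),
                        "acked": int(f["Rekey Acks Rcvd"]), "missed": int(f["Rekey Acks missed"])})
    return members

def unhealthy_members(output: str) -> list:
    """Members that missed a rekey ACK or acknowledged fewer rekeys than were sent."""
    return [m["id"] for m in parse_members(output) if m["missed"] > 0 or m["acked"] < m["sent"]]
```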

hub-GM1# show cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
202.100.100.1   202.100.10.1    GDOI_IDLE         1013 ACTIVE
202.100.10.1    202.100.100.1   GDOI_REKEY        1014 ACTIVE

IPv6 Crypto ISAKMP SA

GM2#SHOW CRY ISA SA
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
202.100.100.1   202.100.20.1    GDOI_IDLE         1001    0 ACTIVE
202.100.20.1    202.100.100.1   GDOI_REKEY        1002    0 ACTIVE
202.100.20.1    202.100.100.1   GDOI_REKEY        1003    0 ACTIVE

IPv6 Crypto ISAKMP SA

GM3#SHOW cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
202.100.100.1   202.100.30.1    GDOI_IDLE         1001    0 ACTIVE
202.100.30.1    202.100.100.1   GDOI_REKEY        1002    0 ACTIVE

IPv6 Crypto ISAKMP SA

hub-GM1#show cry ipsec sa

interface: Serial1/0
    Crypto map tag: hub-map, local addr 202.100.10.1

protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
   current_peer 0.0.0.0 port 848
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 189, #pkts encrypt: 189, #pkts digest: 189
    #pkts decaps: 245, #pkts decrypt: 245, #pkts verify: 245
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

local crypto endpt.: 202.100.10.1, remote crypto endpt.: 0.0.0.0
     path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0
     current outbound spi: 0x3A6B4932(980109618)
     PFS (Y/N): N, DH group: none

hub-GM1#show cry engin connections active
Crypto Engine Connections

ID  Type    Algorithm           Encrypt  Decrypt IP-Address
   15  IPsec   DES+MD5                   0       60 0.0.0.0
   16  IPsec   DES+MD5                  62        0 0.0.0.0
   19  IPsec   DES+MD5                   0        0 0.0.0.0
   20  IPsec   DES+MD5                   0        0 0.0.0.0
 1013  IKE     SHA+DES                   0        0 202.100.10.1
 1014  IKE     SHA+3DES                  0        0

GM3#ping 39.1.10.1 so 39.1.20.1 re 10

Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 39.1.10.1, timeout is 2 seconds:
Packet sent with a source address of 39.1.20.1
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 136/257/416 ms

GM2#ping 39.1.101.1 so 39.1.10.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 39.1.101.1, timeout is 2 seconds:
Packet sent with a source address of 39.1.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 164/191/228 ms

hub-GM1#ping 39.1.20.1 so 39.1.101.1 re 10

Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 39.1.20.1, timeout is 2 seconds:
Packet sent with a source address of 39.1.101.1
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 172/193/212 ms

http://pan.baidu.com/s/1bns376R (Editor: admin)

Source: bubuko.com (布布扣)

Date: 2024-10-14 05:54:26
