HQ R5: PC4 - inside F0/1, NAT, F0/0 outside
Branch R4: PC5 - inside F0/1, NAT, F0/0 outside
Branch R6: PC6 - inside F0/1, NAT, F0/0 outside
Notes:
R4: pre-shared key 123456, local ID: CiscoA
R6: pre-shared key 1234567, local ID: CiscoC
R5, as the headquarters, only allows each ID to access its corresponding network.
When the sites interconnect with aggressive mode, the configuration differs between the tunnel initiator and the tunnel responder.
Cisco as tunnel initiator:
crypto isakmp peer address 10.1.1.2 // the initiator must configure this
set aggressive-mode password 123456 (the pre-shared key)
set aggressive-mode client-endpoint fqdn CiscoA (the initiator defines its local ID)
Cisco as tunnel responder:
crypto isakmp key 123456 hostname CiscoA // on the responder, matches the initiator's configuration (secure)
crypto isakmp identity hostname
Test scenario: two branches without fixed IP addresses.
R4 configuration:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp peer address 10.1.1.2
set aggressive-mode password 123456
set aggressive-mode client-endpoint fqdn CiscoA
!
!
crypto ipsec transform-set set1 esp-3des esp-sha-hmac
!
crypto map mymap 1 ipsec-isakmp
set peer 10.1.1.2
set security-association lifetime seconds 28800
set transform-set set1
set pfs group2
match address 110
!
!
ip tcp synwait-time 5
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map mymap
!
interface Serial0/0
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet0/1
ip address 172.99.99.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.1.1.254
!
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/0 overload
!
access-list 100 deny ip 172.99.99.0 0.0.0.255 172.99.98.0 0.0.0.255
access-list 100 permit ip any any
access-list 110 permit ip 172.99.99.0 0.0.0.255 172.99.98.0 0.0.0.255
no cdp log mismatch duplex
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
end
R6 configuration:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CiscoC
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
archive
log config
hidekeys
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp peer address 10.1.1.2
set aggressive-mode password 1234567
set aggressive-mode client-endpoint fqdn CiscoC
!
!
crypto ipsec transform-set set1 esp-3des esp-sha-hmac
!
crypto map mymap 1 ipsec-isakmp
set peer 10.1.1.2
set security-association lifetime seconds 28800
set transform-set set1
set pfs group2
match address 110
!
ip tcp synwait-time 5
!
interface FastEthernet0/0
ip address 10.1.1.3 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map mymap
!
interface Serial0/0
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet0/1
ip address 172.99.97.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.1.1.254
!
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/0 overload
!
access-list 100 deny ip 172.99.97.0 0.0.0.255 172.99.98.0 0.0.0.255
access-list 100 permit ip any any
access-list 110 permit ip 172.99.97.0 0.0.0.255 172.99.98.0 0.0.0.255
no cdp log mismatch duplex
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
R5 configuration:
!
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CiscoB
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key 123456 hostname CiscoA
crypto isakmp key 1234567 hostname CiscoC
crypto isakmp identity hostname
!
!
crypto ipsec transform-set set1 esp-3des esp-sha-hmac
!
crypto dynamic-map dyna 10
set transform-set set1
match address 110
crypto dynamic-map dyna 20
set transform-set set1
match address 120
!
!
crypto map mymap 10 ipsec-isakmp dynamic dyna
!
ip tcp synwait-time 5
!
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map mymap
!
interface Serial0/0
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet0/1
ip address 172.99.98.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.1.1.254
!
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/0 overload
!
access-list 100 deny ip 172.99.98.0 0.0.0.255 172.99.99.0 0.0.0.255
access-list 100 deny ip 172.99.98.0 0.0.0.255 172.99.97.0 0.0.0.255
access-list 100 permit ip any any
access-list 110 permit ip 172.99.98.0 0.0.0.255 172.99.99.0 0.0.0.255
access-list 120 permit ip 172.99.98.0 0.0.0.255 172.99.97.0 0.0.0.255
no cdp log mismatch duplex
!
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
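As an added example (not part of the original post), a small Python consistency check over constructed excerpts of the R4 and R5 configurations above: it verifies that the hub holds a `crypto isakmp key` for the initiator's aggressive-mode hostname ID with the same pre-shared key, and that the spoke's NAT ACL exempts exactly the traffic its crypto ACL selects (otherwise PAT translates the packets before the crypto map can match them). The function names and the config excerpts are this example's own assumptions.

```python
import re

# Constructed excerpts of the R4 (spoke, aggressive-mode initiator) and
# R5 (hub, responder) configs shown above; helper names are hypothetical.
SPOKE_CFG = """
crypto isakmp peer address 10.1.1.2
 set aggressive-mode password 123456
 set aggressive-mode client-endpoint fqdn CiscoA
crypto map mymap 1 ipsec-isakmp
 set peer 10.1.1.2
 match address 110
ip nat inside source list 100 interface FastEthernet0/0 overload
access-list 100 deny ip 172.99.99.0 0.0.0.255 172.99.98.0 0.0.0.255
access-list 100 permit ip any any
access-list 110 permit ip 172.99.99.0 0.0.0.255 172.99.98.0 0.0.0.255
"""
HUB_CFG = """
crypto isakmp key 123456 hostname CiscoA
crypto isakmp key 1234567 hostname CiscoC
crypto isakmp identity hostname
"""

def acl_entries(cfg, number, action):
    """Return the (src, wildcard, dst, wildcard) tuples of ACL `number` with `action`."""
    pat = rf"^access-list {number} {action} ip (\S+) (\S+) (\S+) (\S+)$"
    return {m.groups() for m in re.finditer(pat, cfg, re.M)}

def hub_keys(cfg):
    """Map each aggressive-mode hostname ID to the pre-shared key the hub expects for it."""
    return {h: k for k, h in re.findall(r"^crypto isakmp key (\S+) hostname (\S+)$", cfg, re.M)}

def check_spoke(spoke, hub):
    """Return a list of findings; an empty list means the spoke/hub pair is consistent."""
    findings = []
    pw = re.search(r"set aggressive-mode password (\S+)", spoke)
    ident = re.search(r"set aggressive-mode client-endpoint fqdn (\S+)", spoke)
    if not (pw and ident):
        return ["spoke is missing aggressive-mode password or client-endpoint"]
    expected = hub_keys(hub).get(ident.group(1))
    if expected is None:
        findings.append(f"hub has no crypto isakmp key for hostname {ident.group(1)}")
    elif expected != pw.group(1):
        findings.append(f"pre-shared key mismatch for {ident.group(1)}")
    # Interesting traffic must be denied in the NAT ACL: IOS applies inside-to-outside
    # NAT before the crypto map, so translated packets would no longer match ACL 110.
    nat_acl = re.search(r"ip nat inside source list (\d+)", spoke).group(1)
    crypto_acl = re.search(r"^ match address (\d+)", spoke, re.M).group(1)
    missing = acl_entries(spoke, crypto_acl, "permit") - acl_entries(spoke, nat_acl, "deny")
    for src, sw, dst, dw in sorted(missing):
        findings.append(f"VPN traffic {src}/{sw} -> {dst}/{dw} is not exempt from NAT (ACL {nat_acl})")
    return findings
```

Running `check_spoke(SPOKE_CFG, HUB_CFG)` on the excerpts returns an empty list; the same check against an R6 excerpt would use key 1234567 and ID CiscoC.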
Original post: http://blog.51cto.com/372560/2177836