
DMVPN(2)

Lab:

 

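Hub configuration:

! Lab values: MD5, DES and DH group 2 are legacy algorithms
crypto isakmp policy 10
  hash md5
  authentication pre-share
  group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!

crypto ipsec transform-set trans esp-des esp-md5-hmac
  ! The encryption endpoints are also the communication endpoints, so transport mode saves 20 bytes
  mode transport
!

crypto ipsec profile DMVPN
  set transform-set trans

interface Tunnel0
  ip address 172.16.0.1 255.255.255.0
  no ip redirects
  ! Stop EIGRP from setting the next hop to the hub itself
  no ip next-hop-self eigrp 100
  ! NHRP authentication; must be identical on all DMVPN nodes
  ip nhrp authentication test
  ! NHRP multicast mapping: lets NHRP add spoke routers to the NHRP multicast map automatically
  ! (view with show ip nhrp multicast); this command is only needed on the hub
  ip nhrp map multicast dynamic
  ! Defines a DMVPN domain; routers in the same domain use the same id
  ip nhrp network-id 100
  ! Disable EIGRP split horizon
  no ip split-horizon eigrp 100
  tunnel source FastEthernet0/0
  ! Set the tunnel mode to multipoint GRE; the hub is always multipoint GRE
  tunnel mode gre multipoint
  ! Define a tunnel key; must be identical on all nodes
  tunnel key 1234
  ! Bind the interface to the IPsec profile
  tunnel protection ipsec profile DMVPN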

 

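Spoke1 configuration:

crypto isakmp policy 10
  hash md5
  authentication pre-share
  group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!

crypto ipsec transform-set trans esp-des esp-md5-hmac
  ! The encryption endpoints are also the communication endpoints, so transport mode saves 20 bytes
  mode transport
!

crypto ipsec profile DMVPN
  set transform-set trans

interface Tunnel0
  ip address 172.16.0.2 255.255.255.0
  no ip redirects
  ! NHRP authentication; must be identical on all DMVPN nodes
  ip nhrp authentication test
  ! NHRP mapping to the hub: the first IP is the hub's tunnel interface address,
  ! the second IP is the hub's physical interface address
  ip nhrp map 172.16.0.1 10.1.12.1
  ! NHRP multicast mapping; the IP is the hub's physical interface address
  ip nhrp map multicast 10.1.12.1
  ! Defines a DMVPN domain; routers in the same domain use the same id
  ip nhrp network-id 100
  ! Specify the NHRP server; the IP is the hub's tunnel interface address
  ip nhrp nhs 172.16.0.1
  tunnel source FastEthernet0/0
  ! Set the tunnel mode to multipoint GRE; a spoke may also use point-to-point GRE mode
  tunnel mode gre multipoint
  ! Define a tunnel key; must be identical on all nodes
  tunnel key 1234
  ! Bind the interface to the IPsec profile
  tunnel protection ipsec profile DMVPN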

 

Spoke2 configuration:

crypto isakmp policy 10
  hash md5
  authentication pre-share
  group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!

crypto ipsec transform-set trans esp-des esp-md5-hmac
  mode transport
!

crypto ipsec profile DMVPN
  set transform-set trans

interface Tunnel0
  ip address 172.16.0.3 255.255.255.0
  no ip redirects
  ip nhrp authentication test
  ip nhrp map 172.16.0.1 10.1.12.1
  ip nhrp map multicast 10.1.12.1
  ip nhrp network-id 100
  ip nhrp nhs 172.16.0.1
  tunnel source FastEthernet0/0
  tunnel mode gre multipoint
  tunnel key 1234
  tunnel protection ipsec profile DMVPN
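
The notes in the configurations above require the NHRP authentication string, network-id and tunnel key to match on every node, and each spoke to map and register to the hub's tunnel address. The Python check below is an added example, not part of the original lab; it assumes each input holds only the Tunnel0 stanza, and the names `check_dmvpn`, `first` and `BAD_SPOKE` are hypothetical.

```python
import re

# Constructed sample input: Tunnel0 stanzas mirroring the hub and spoke configs above.
HUB = """interface Tunnel0
 ip address 172.16.0.1 255.255.255.0
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 tunnel key 1234
"""
SPOKE1 = """interface Tunnel0
 ip address 172.16.0.2 255.255.255.0
 ip nhrp authentication test
 ip nhrp map 172.16.0.1 10.1.12.1
 ip nhrp map multicast 10.1.12.1
 ip nhrp network-id 100
 ip nhrp nhs 172.16.0.1
 tunnel key 1234
"""
# Settings the notes above say must be identical on every node.
SHARED = {
    "nhrp authentication": r"^\s*ip nhrp authentication (\S+)",
    "nhrp network-id": r"^\s*ip nhrp network-id (\S+)",
    "tunnel key": r"^\s*tunnel key (\S+)",
}

def first(pattern, text):
    """Return the first capture group of pattern in text, or None."""
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def check_dmvpn(hub, spokes):
    """Compare each spoke's Tunnel0 settings with the hub; return a list of problems."""
    problems = []
    hub_ip = first(r"^\s*ip address (\S+)", hub)
    for name, cfg in spokes.items():
        for label, pat in SHARED.items():
            if first(pat, cfg) != first(pat, hub):
                problems.append(f"{name}: {label} differs from hub")
        if first(r"^\s*ip nhrp nhs (\S+)", cfg) != hub_ip:
            problems.append(f"{name}: nhs is not the hub tunnel address")
        # Static map "ip nhrp map <hub tunnel IP> <hub physical IP>"
        m = re.search(r"^\s*ip nhrp map (\d\S*) (\S+)", cfg, re.M)
        if not m or m.group(1) != hub_ip:
            problems.append(f"{name}: no static NHRP map for the hub tunnel address")
        elif first(r"^\s*ip nhrp map multicast (\S+)", cfg) != m.group(2):
            problems.append(f"{name}: multicast map is not the hub physical address")
    return problems

# Constructed failure case: a spoke with a mistyped NHRP string and tunnel key.
BAD_SPOKE = SPOKE1.replace("authentication test", "authentication tset").replace("key 1234", "key 4321")
```

An empty list means the spoke agrees with the hub; `check_dmvpn(HUB, {"spoke2": BAD_SPOKE})` reports the two mismatched settings.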
 

show commands: