Comprehensive lab: DMVPN + EZVPN + VPN and OSPF with route redistribution
Basic interconnection configuration

Topology as far as the page shows it: an "Internet" router sits between the three sites (100.1.1.0/24 towards Beijing, 210.1.1.0/24 towards Shanghai, 200.1.1.0/24 towards Shenzhen). Beijing-Center is the DMVPN hub (tunnel address 10.0.0.1, public address 100.1.1.2) and at the same time the Easy VPN server; Shanghai (tunnel 10.0.0.2) and Shenzhen (tunnel 10.0.0.3) are spokes. Each site router PATs its LAN to the Internet on f0/0. EIGRP 10 runs across the mGRE cloud, and the hub redistributes OSPF 1 (the site IGP, whose configuration is not on the page) into it. Beijing and Shanghai also have a direct f1/1 link (10.1.1.49 / 10.1.1.50) that plays no part in the VPN configuration shown.

Values that cannot be read from the source are marked "not legible in source" in the comments; masks and next hops that follow directly from the neighbouring device are marked "inferred".

Internet:

conf t
 interface f0/0
  ip address 100.1.1.1 255.255.255.0
  no shutdown
  exit
 interface f1/0
  ip address 210.1.1.1 255.255.255.0
  no shutdown
  exit
 interface f1/1
  ip address 200.1.1.1 255.255.255.0
  no shutdown
  exit

Beijing-Center:

conf t
 interface f0/0
  ip address 100.1.1.2 255.255.255.0   ! --- address inferred from the spokes' "ip nhrp map 10.0.0.1 100.1.1.2"
  ip nat outside
  no shutdown
  exit
 interface f1/0
  ip address 10.0.2.5 255.255.255.0    ! --- mask inferred from the Naton-Core side of the link
  ip nat inside
  no shutdown
  exit
 interface f1/1
  ip address 10.1.1.49                 ! --- mask not legible in source
  no shutdown
  exit
 ip route 0.0.0.0 0.0.0.0 100.1.1.1    ! --- next hop inferred (Internet router f0/0)
 ip route 172.16.0.0 255.255.0.0 10.0.2.6   ! --- next hop inferred (Naton-Core)
 ip nat inside source list internet interface f0/0 overload   ! --- garbled in source; mirrors the Shanghai configuration
 ip access-list extended internet
  10 permit ip 172.16.0.0 0.0.255.255 any
  exit

Naton-Core (Beijing core switch):

conf t
 interface f0/0
  ip address 10.0.2.6 255.255.255.0
  no shutdown
  exit
 ip routing
 ip route 0.0.0.0 0.0.0.0 10.0.2.5
 exit
vlan database
 vlan 10
 vlan 20
 exit

PC2 (Beijing): 172.16.2.230/24. The source lists the gateway as 172.18.2.1, which is the Shanghai VLAN 20 gateway and is not on this subnet; the Beijing VLAN 20 SVI address is not on the page.

Shanghai Branch:

conf t
 interface f0/0
  ip address 210.1.1.2 255.255.255.0
  ip nat outside
  no shutdown
  exit
 interface f1/0
  ip address 10.1.2.5                  ! --- mask not legible in source
  ip nat inside
  no shutdown
  exit
 interface f1/1
  ip address 10.1.1.50                 ! --- mask not legible in source
  no shutdown
  exit
 ip route 0.0.0.0 0.0.0.0 210.1.1.1    ! --- next hop inferred (Internet router f1/0)
 ip route 172.18.0.0 255.255.0.0 10.1.2.6   ! --- next hop inferred (Shanghai core)
 ip nat inside source list internet interface f0/0 overload
 ip access-list extended internet
  10 permit ip 172.18.0.0 0.0.255.255 any
  exit

Shanghai Core:

conf t
 interface f0/0
  ip address 10.1.2.6                  ! --- mask not legible in source
  no shutdown
  exit
 ip routing
 ip route 0.0.0.0 0.0.0.0 10.1.2.5     ! --- next hop inferred (Shanghai branch router f1/0)
 exit
vlan database
 vlan 10
 vlan 20
 exit
conf t
 interface vlan 20
  ip address                           ! --- not legible in source; PC2 uses 172.18.2.1 as its gateway
  no shutdown
  exit
 interface vlan 1
  ip address                           ! --- not legible in source
  exit
 interface f1/15
  switchport mode access
  switchport access vlan 20
  exit

PC2 (Shanghai): 172.18.2.230/24, gateway 172.18.2.1.

! ======= BeiJing-Center ======= EZVPN section =======

username cisco password 0 cisco
aaa new-model
! --- Xauth is configured for local authentication.
aaa authentication login userauthen local
aaa authorization network naton local
! --- Create an ISAKMP policy for Phase 1 negotiations.
! --- This policy is for Easy VPN clients. No "encr" is set, so the
! --- policy proposes the IOS default (DES); DH group 2 is chosen explicitly.
crypto isakmp policy 20
 hash md5
 authentication pre-share
 group 2
 exit
! --- VPN Client configuration for group "naton"
! --- (this name is configured in the VPN Client).
crypto isakmp client configuration group naton
 key naton
 dns 1.1.11.10 1.1.11.11
 wins 1.1.11.12 1.1.11.13
 domain cisco.com
 pool natonpool
 exit
! --- Profile for VPN Client connections; matches the "naton"
! --- group and defines the XAuth properties.
crypto isakmp profile VPNclient
 match identity group naton
 client authentication list userauthen
 isakmp authorization list naton
 client configuration address respond
 exit
! --- Create the Phase 2 policy for actual data encryption.
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
 exit
! --- This dynamic crypto map references the ISAKMP profile
! --- VPNclient above. Reverse route injection is used to give the
! --- DMVPN networks a route to any Easy VPN client address.
crypto dynamic-map dynmap 10
 set transform-set strong
 set isakmp-profile VPNclient
 reverse-route
 exit
! --- The crypto map only references the dynamic crypto map above.
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
interface FastEthernet0/0
 crypto map dynmap
 exit
ip local pool natonpool 1.1.11.60 1.1.11.80

! ======= BeiJing-Center ======= DMVPN section =======

! --- Keyring that defines the wildcard pre-shared key.
crypto keyring dmvpnspokes
 pre-shared-key address 0.0.0.0 0.0.0.0 key naton123
 exit
! --- Create an ISAKMP policy for Phase 1 negotiations.
! --- This policy is for DMVPN spokes. No "group" is set, so the
! --- IOS default (DH group 1) applies.
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 exit
! --- Profile for the LAN-to-LAN connections: references the
! --- wildcard pre-shared key and a wildcard identity (this is what
! --- is broken in Cisco bug ID CSCea77140), and no XAuth.
crypto isakmp profile DMVPN
 keyring dmvpnspokes
 match identity address 0.0.0.0
 exit
crypto ipsec transform-set naton-dm esp-3des esp-sha-hmac
 mode transport
 exit
! --- Create an IPsec profile to be applied dynamically to the
! --- GRE over IPsec tunnels.
crypto ipsec profile naton-dm-ips
 set security-association lifetime seconds 120
 set transform-set naton-dm
 set isakmp-profile DMVPN
 exit
! --- EIGRP 10 runs across the mGRE cloud; the hub redistributes the
! --- site OSPF process into it. The source shows the metric as
! --- "1000 100 255 1500 1"; the argument order is bandwidth, delay,
! --- reliability, load, MTU, and load must be 1-255, so IOS rejects
! --- that line. The corrected order is used here. "router ospf 1"
! --- itself is not on the page.
router eigrp 10
 network 10.0.0.0 0.0.0.255            ! --- wildcard inferred from the /24 tunnel subnet
 network 10.0.2.0 0.0.0.7
 no auto-summary
 redistribute ospf 1 metric 1000 100 255 1 1500
 exit
! --- GRE tunnel template applied to all dynamically created tunnels.
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication naton123       ! --- string inferred from the Shanghai spoke
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 300
 no ip split-horizon eigrp 10
 no ip next-hop-self eigrp 10
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile naton-dm-ips
 exit

! ======= ShangHai ======= DMVPN section =======

! --- Create an ISAKMP policy for Phase 1 negotiations.
! --- This policy is for the DMVPN hub.
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 exit
crypto isakmp key naton123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set naton-dm esp-3des esp-sha-hmac
 mode transport
 exit
! --- Create an IPsec profile to be applied dynamically to the
! --- GRE over IPsec tunnels.
crypto ipsec profile naton-dm-ips
 set security-association lifetime seconds 120
 set transform-set naton-dm
 exit
router eigrp 10
 network 10.0.0.0 0.0.0.255            ! --- wildcard inferred from the /24 tunnel subnet
 network 10.1.2.0 0.0.0.7
 network 10.1.2.192 0.0.0.63
 no auto-summary
 exit
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication naton123
 ip nhrp map 10.0.0.1 100.1.1.2
 ip nhrp map multicast 100.1.1.2
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp nhs 10.0.0.1                  ! --- garbled in source; the next-hop server is the hub tunnel address
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile naton-dm-ips
 exit

! ======= ShenZhen ======= DMVPN section =======

! --- The Shenzhen f0/0 address and its static routes are not on the page.
! --- Create an ISAKMP policy for Phase 1 negotiations.
! --- This policy is for the DMVPN hub.
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 exit
crypto isakmp key naton123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set naton-dm esp-3des esp-sha-hmac
 mode transport
 exit
! --- Create an IPsec profile to be applied dynamically to the
! --- GRE over IPsec tunnels.
crypto ipsec profile naton-dm-ips
 set security-association lifetime seconds 120
 set transform-set naton-dm
 exit
router eigrp 10
 network 3.3.3.0 0.0.0.255             ! --- wildcard not legible in source; /24 assumed
 network 10.0.0.0 0.0.0.255            ! --- wildcard inferred from the /24 tunnel subnet
 no auto-summary
 exit
interface Tunnel0
 ip address 10.0.0.3 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication naton123       ! --- string inferred from the Shanghai spoke
 ip nhrp map 10.0.0.1 100.1.1.2        ! --- NBMA address inferred from the Shanghai spoke
 ip nhrp map multicast 100.1.1.2
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp nhs 10.0.0.1                  ! --- garbled in source; the next-hop server is the hub tunnel address
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile naton-dm-ips
 exit

Verification and caveats

After the tunnels come up, "show dmvpn" and "show ip nhrp" on the hub should list both spokes with their NBMA addresses, "show crypto isakmp sa" should show one QM_IDLE entry per spoke (plus one per connected Easy VPN client), and "show ip eigrp neighbors" on the hub should list 10.0.0.2 and 10.0.0.3 on Tunnel0. Because the hub disables split horizon and next-hop-self on Tunnel0, a spoke's routing table should show the other spoke's LAN with the other spoke's tunnel address as next hop, which is what allows the spoke-to-spoke NHRP resolution.

Several settings are acceptable in a lab only. 3DES, MD5 and DH groups 1 and 2 are deprecated; current guidance is AES, SHA-2 and DH group 14 or higher in both ISAKMP policies and both transform sets. "username cisco password 0 cisco" stores the XAuth credential in cleartext; use "username ... secret". A single wildcard pre-shared key ("address 0.0.0.0 0.0.0.0") shared by every spoke and the group key "naton" mean that anyone who learns the key can authenticate as a spoke or a client; per-spoke keys or certificates are the usual fix. "set security-association lifetime seconds 120" forces an IPsec rekey every two minutes (the default is 3600 seconds) and is only useful for watching rekeys during the lab. The EZVPN crypto map on FastEthernet0/0 and the DMVPN tunnel protection on Tunnel0 share the same physical interface; they coexist here only because each is bound to its own ISAKMP profile, which is the point of the Cisco example this section follows.
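One setting on all three Tunnel0 interfaces deserves a closer look: "ip mtu 1440" combined with "tunnel key 0" and a 3DES/SHA transport-mode transform set. The following Python is an editor-written example, not configuration or output from the original lab; it computes the on-the-wire size of one encrypted GRE packet from the RFC 2784/2890 GRE and RFC 4303 ESP layouts, and assumes IPv4 without options, 96-bit truncated HMAC ICVs and a 1500-byte path MTU between the sites. It goes beyond the page's own settings by also evaluating an AES/SHA-256 transform set and by searching for the largest "ip mtu" that still fits.

```python
"""GRE-over-IPsec overhead calculator for the DMVPN tunnel settings on this
page: 'ip mtu 1440', 'tunnel key 0' and 'esp-3des esp-sha-hmac' in transport
mode.  Editor-written example, not configuration or output from the lab.
Assumptions: IPv4 without options, a 1500-byte path MTU between the sites
(plain Ethernet), RFC 4303 ESP framing and 96-bit truncated HMAC ICVs."""

from dataclasses import dataclass

IP_HDR = 20        # IPv4 header, no options
GRE_HDR = 4        # base GRE header (RFC 2784)
GRE_KEY = 4        # added when 'tunnel key' is configured (RFC 2890)
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header
PATH_MTU = 1500    # assumption: hub and spokes are one Ethernet MTU apart


@dataclass(frozen=True)
class EspParams:
    name: str
    block: int     # cipher block size; ESP pads (payload + trailer) to it
    iv: int        # IV bytes carried in front of the payload
    icv: int       # integrity check value bytes


# The two transform sets used on the page.
ESP_3DES_SHA = EspParams("esp-3des esp-sha-hmac", block=8, iv=8, icv=12)
ESP_3DES_MD5 = EspParams("esp-3des esp-md5-hmac", block=8, iv=8, icv=12)
# A current-day replacement for comparison (assumed, not on the page).
ESP_AES_SHA256 = EspParams("esp-aes esp-sha256-hmac", block=16, iv=16, icv=16)


def esp_size(plaintext: int, p: EspParams) -> int:
    """Bytes of one ESP packet: header, IV, payload, padding, trailer, ICV."""
    pad = (-(plaintext + ESP_TRAILER)) % p.block
    return ESP_HDR + p.iv + plaintext + pad + ESP_TRAILER + p.icv


def outer_size(inner_mtu: int, p: EspParams, tunnel_key: bool,
               transport: bool = True) -> int:
    """Wire size of a GRE/IPsec packet carrying an inner IP packet of inner_mtu bytes."""
    gre_packet = inner_mtu + GRE_HDR + (GRE_KEY if tunnel_key else 0)
    if transport:
        # Transport mode: the GRE packet's own IP header is reused as the outer header.
        return IP_HDR + esp_size(gre_packet, p)
    # Tunnel mode: the full GRE/IP packet is encrypted and a new outer header is added.
    return IP_HDR + esp_size(IP_HDR + gre_packet, p)


def max_inner_mtu(p: EspParams, tunnel_key: bool, transport: bool = True,
                  path_mtu: int = PATH_MTU) -> int:
    """Largest 'ip mtu' for the tunnel whose encrypted packet still fits path_mtu."""
    mtu = path_mtu
    while outer_size(mtu, p, tunnel_key, transport) > path_mtu:
        mtu -= 1
    return mtu


def adjust_mss(inner_mtu: int) -> int:
    """'ip tcp adjust-mss' value so a full TCP segment fits inner_mtu (IP + TCP = 40 bytes)."""
    return inner_mtu - 40


if __name__ == "__main__":
    for label, key in (("with 'tunnel key'", True), ("without 'tunnel key'", False)):
        for mtu in (1440, 1400):
            print(f"{ESP_3DES_SHA.name} {label}: ip mtu {mtu} -> "
                  f"{outer_size(mtu, ESP_3DES_SHA, key)} bytes on the wire")
    print("largest ip mtu that fits 1500 with the page's settings:",
          max_inner_mtu(ESP_3DES_SHA, tunnel_key=True))
    print("largest ip mtu with AES/SHA-256 and a tunnel key:",
          max_inner_mtu(ESP_AES_SHA256, tunnel_key=True))
    print("matching adjust-mss for ip mtu 1400:", adjust_mss(1400))
```

With the page's settings a 1440-byte inner packet leaves the router as 1504 bytes: the four bytes added by the GRE key push it past 1500, so the encrypted packet has to be fragmented, whereas without the key the same packet is 1496 bytes. The usual recommendation of "ip mtu 1400" together with "ip tcp adjust-mss 1360" leaves headroom for either transform set.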