DMVPN+EZVPN

更新时间：2023-03-18 10:42:01 阅读量：资格考试认证文档下载

说明：文章内容仅供预览，部分内容可能不全。下载后的文档，内容与下面显示的完全一致。下载之前请确认下面内容是否您想要的，是否完整无缺。

DMV品牌推荐度：
相关推荐

DMVPN+EZVPN

经过上次交流对贵公司的网络的基本情况有了初步的了解，就针对DMVPN部署是有一些设备、协议上要求和限制（DMVPN通过mGRE实现，限制参考下面注：）。贵公司苏州总部有一条internet出口使用的路由器作为接入设备，可以使用路由器实现DMVPN或者使用ASA部署EZVPN作为代替方案现实分部到总部互联。

注：

★GRE Tunnel只支持路由器，不支持VPN集中器和PIX以及ASA。（因为ASA或PIX本身的安全机制限制）

★GRE支持的协议有IP ，Decnet，IPX，Appletalk。

★GRE可分为point-to-point GRE和multipoint GRE（mGRE）两种。

★point-to-point GRE只能在两台路由器之间建立。

★multipoint GRE（mGRE）也可以在两台以上的路由器之间建立。

★point-to-point GRE支持IP单播，组播，以及IGP动态路由协议和非IP协议。

★multipoint GRE（mGRE）只支持单播，组播以及动态IGP路由协议，不支持非IP协议。

以苏州总部路由器为HUB，上海、南通路由器为spoke的DMVPN配置实例如下（省略一些无关配置）：

苏州路由器（HUB）配置：

cryptoisakmp policy 10 hash md5

authentication pre-share !

cryptoisakmp key cisco123 address 0.0.0.0 0.0.0.0 !

cryptoipsec transform-set strong esp-3des esp-md5-hmac !

cryptoipsec profile cisco

set security-association lifetime seconds 120 set transform-set strong !

interface Tunnel0

ip address 192.168.1.1 255.255.255.0 no ip redirects ipmtu 1440

ipnhrp authentication cisco123 ipnhrp map multicast dynamic

ipnhrp network-id 1 no ip split-horizon eigrp 90 no ip next-hop-self eigrp 90 tunnel source FastEthernet0/0 tunnel mode gre multipoint tunnel key 0

tunnel protection ipsec profile cisco !

interface FastEthernet0/0

ip address 209.168.202.225 255.255.255.0 duplex auto speed auto !

interface FastEthernet0/1 ip address 1.1.1.1 255.255.255.0 duplex auto speed auto !

routereigrp 90

network 1.1.1.0 0.0.0.255 network 192.168.1.0 no auto-summary !

ip http server

no ip http secure-server ip classless

ip route 0.0.0.0 0.0.0.0 209.168.202.226

上海路由器（spoke）配置：

cryptoisakmp policy 10 hash md5

authentication pre-share

cryptoisakmp key cisco123 address 0.0.0.0 0.0.0.0 ! !

cryptoipsec transform-set strong esp-3des esp-md5-hmac mode transport !

cryptoipsec profile cisco

set security-association lifetime seconds 120 set transform-set strong ! !

no voice hpi capture buffer no voice hpi capture destination !

interface Tunnel0

ip address 192.168.1.3 255.255.255.0 no ip redirects ipmtu 1440

ipnhrp authentication cisco123 ipnhrp map multicast dynamic

ipnhrp map 192.168.1.1 209.168.202.225 ipnhrp map multicast 209.168.202.225 ipnhrp network-id 1 ipnhrpholdtime 300 ipnhrpnhs 192.168.1.1 no ip split-horizon eigrp 90 tunnel source FastEthernet0/0 tunnel mode gre multipoint tunnel key 0

tunnel protection ipsec profile cisco !

interface FastEthernet0/0

ip address 209.168.202.130 255.255.255.0 duplex auto speed auto !

interface FastEthernet0/1 ip address 3.3.3.3 255.255.255.0 duplex auto speed auto ! !

routereigrp 90

network 3.3.3.0 0.0.0.255 network 192.168.1.0 no auto-summary !

ip http server

no ip http secure-server ip classless

ip route 0.0.0.0 0.0.0.0 209.168.202.225 ip route 2.2.2.0 255.255.255.0 Tunnel0

南通路由器（spoke）配置：

!cryptoisakmp policy 10 hash md5

authentication pre-share

cryptoisakmp key cisco123 address 0.0.0.0 0.0.0.0 !

!crypto ipsec transform-set strong esp-3des esp-md5-hmac cryptoipsec profile cisco

set security-association lifetime seconds 120 set transform-set strong ! !

interface Tunnel0

ip address 192.168.1.3 255.255.255.0 no ip redirects ipmtu 1440

ipnhrp authentication cisco123 ipnhrp map multicast dynamic

ipnhrp map 192.168.1.1 209.168.202.225 ipnhrp map multicast 209.168.202.225 ipnhrp network-id 1 ipnhrpnhs 192.168.1.1 tunnel source FastEthernet0/0 tunnel mode gre multipoint tunnel key 0

tunnel protection ipsec profile cisco !

interface FastEthernet0/0

ip address 209.168.202.130 255.255.255.0 duplex auto speed auto !

interface FastEthernet0/1 ip address 3.3.3.3 255.255.255.0 duplex auto speed auto !

routereigrp 90

network 3.3.3.0 0.0.0.255 network 192.168.1.0 no auto-summary !

ip http server

no ip http secure-server ip classless

本文来源：https://www.bwwdw.com/article/d9th.html

相关文章：