Topology: as shown in the figure below (figure not reproduced here).
AR1 is the private-network spoke and AR4 is the public-network hub; AR1 and AR4 each have one loopback interface.
Requirements:
Build a DSVPN between AR1's loopback and AR4's loopback, encrypt the transport with IPsec, and apply NAT translation where the traffic enters the public network.
Note
When the IPsec VPN encrypts the transport, only aggressive mode can be used, and only the name-based (local-id-type name) form; because NAT is performed at the border, NAT-T must be enabled on the private-network side with the command nat traversal.
Configuration:
AR1
ike proposal 10
#
ike peer a v1
exchange-mode aggressive
pre-shared-key cipher 123
ike-proposal 10
local-id-type name
nat traversal
ike local-name a
#
ipsec proposal 10
#
ipsec profile ie
ike-peer a
proposal 10
#
interface GigabitEthernet0/0/0
ip address 12.1.1.1 255.255.255.0
#
interface LoopBack0
ip address 200.1.1.1 255.255.255.255
#
interface Tunnel0/0/0
ip address 1.1.1.1 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet0/0/0
ospf network-type p2mp
ipsec profile ie
nhrp network-id 100
nhrp entry 1.1.1.4 100.1.34.2 register
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 1.0.0.0 0.255.255.255
network 200.0.0.0 0.255.255.255
#
ip route-static 0.0.0.0 0.0.0.0 12.1.1.2
AR2
interface GigabitEthernet0/0/0
ip address 12.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 100.1.23.1 255.255.255.0
nat static global 100.1.23.100 inside 12.1.1.1 netmask 255.255.255.255
#
ip route-static 0.0.0.0 0.0.0.0 100.1.23.2
AR3
interface GigabitEthernet0/0/0
ip address 100.1.23.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 100.1.34.1 255.255.255.0
AR4
ike proposal 10
#
ike peer a v1
exchange-mode aggressive
pre-shared-key cipher 123
ike-proposal 10
local-id-type name
nat traversal
ike local-name a
#
ipsec proposal 10
#
ipsec profile ie
ike-peer a
proposal 10
#
interface GigabitEthernet0/0/0
ip address 100.1.34.2 255.255.255.0
#
interface LoopBack0
ip address 200.4.4.4 255.255.255.255
#
interface Tunnel0/0/0
ip address 1.1.1.4 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet0/0/0
ospf network-type p2mp
ipsec profile ie
nhrp entry multicast dynamic
nhrp network-id 100
#
ospf 1 router-id 4.4.4.4
area 0.0.0.0
network 1.0.0.0 0.255.255.255
network 200.0.0.0 0.255.255.255
#
ip route-static 0.0.0.0 0.0.0.0 100.1.34.1
Test and verification
A packet capture on the public-network segment shows that the information is transmitted encrypted.
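As an added check (example code, not part of the original lab), the script below parses VRP configurations in the layout shown above and flags an ike peer that lacks aggressive mode, name-based identity or nat traversal, an ipsec profile that references an undefined ike peer, and a GRE p2mp tunnel with no ipsec profile applied; the embedded sample is a constructed, cut-down copy of AR1's blocks.

```python
"""Audit a Huawei VRP DSVPN-over-IPsec config for the settings this lab relies on.
Added example (not the lab's tooling); assumes VRP's '#'-delimited block layout."""
import re
# Constructed sample: the relevant AR1 spoke blocks from the lab, in VRP layout.
AR1_CONFIG = """\
ike peer a v1
 exchange-mode aggressive
 ike-proposal 10
 local-id-type name
 nat traversal
 ike local-name a
#
ipsec profile ie
 ike-peer a
 proposal 10
#
interface Tunnel0/0/0
 tunnel-protocol gre p2mp
 ipsec profile ie
#
"""

def parse_blocks(config):
    """Split a VRP config into {header: [body lines]}; a lone '#' ends a block."""
    blocks = {}
    for chunk in re.split(r"^#\s*$", config, flags=re.M):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        if lines:
            blocks[lines[0]] = lines[1:]
    return blocks

def audit(config):
    """Return (block, problem) findings; an empty list means the aggressive-mode,
    name-ID, NAT-T and IPsec-on-tunnel requirements of this lab are all met."""
    blocks, found = parse_blocks(config), []
    for hdr, body in blocks.items():
        if hdr.startswith("ike peer "):
            for need, why in (("exchange-mode aggressive", "DSVPN behind NAT needs aggressive mode"),
                              ("local-id-type name", "peer must be identified by name, not by IP"),
                              ("nat traversal", "without NAT-T the ESP flow breaks at AR2's NAT")):
                if need not in body:
                    found.append((hdr, f"missing '{need}': {why}"))
        elif hdr.startswith("ipsec profile "):
            peer = next((l.split()[1] for l in body if l.startswith("ike-peer ")), None)
            if not any(h.startswith(f"ike peer {peer} ") for h in blocks):
                found.append((hdr, f"references ike-peer '{peer}', which is not defined"))
        elif hdr.startswith("interface Tunnel") and "tunnel-protocol gre p2mp" in body:
            if not any(l.startswith("ipsec profile ") for l in body):
                found.append((hdr, "GRE p2mp tunnel has no ipsec profile: NHRP, OSPF and data go in cleartext"))
    return found
```

Run audit() over the full AR1 and AR4 configurations to confirm both sides meet the same requirements before capturing traffic.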