Lab 1: DMVPN using OSPF. R3 is the Hub; R2 and R1 are Spokes.

Hub router R3 configuration.

R3#show run
!
version 12.3
hostname R3
!
crypto isakmp policy 20
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
no crypto isakmp ccm
!
crypto ipsec transform-set VPN esp-des
!
crypto ipsec profile VPN
 set transform-set VPN
!
interface Tunnel1
 ip address 1.1.1.10 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 ip ospf network broadcast
 ip ospf hello-interval 30
 ip ospf priority 200
 tunnel source Serial0/1/0
 tunnel mode gre multipoint
 tunnel key 999
 tunnel protection ipsec profile VPN
!
! The loopback interface stands in for the LAN of the Hub router.
interface Loopback0
 ip address 10.0.3.1 255.255.255.0
 ip ospf network point-to-point
!
interface Serial0/1/0
 ip address 172.30.3.2 255.255.255.0
!
router ospf 1
 log-adjacency-changes
 passive-interface Serial0/1/0
 network 1.1.1.0 0.0.0.255 area 0
 network 10.0.3.0 0.0.0.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/1/0
!
end

R2#show run
!
version 12.4
!
hostname R2
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set VPN esp-des
!
crypto ipsec profile VPN
 set transform-set VPN
!
interface Loopback0
 ip address 10.0.2.1 255.255.255.0
 ip ospf network point-to-point
!
interface Tunnel0
 ip address 1.1.1.2 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication cisco123
 ip nhrp map 1.1.1.10 172.30.3.2
 ip nhrp map multicast 172.30.3.2
 ip nhrp network-id 99
 ip nhrp nhs 1.1.1.10
 ip nhrp cache non-authoritative
 ip ospf network broadcast
 ip ospf hello-interval 30
 ip ospf priority 0
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 999
 tunnel protection ipsec profile VPN
!
interface FastEthernet0/0
 ip address 172.30.2.2 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 passive-interface FastEthernet0/0
 network 1.1.1.0 0.0.0.255 area 0
 network 10.0.2.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
end

R1#show run
!
version 12.4
!
hostname R1
!
crypto isakmp policy 20
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN-Transform esp-des
!
crypto ipsec profile DMVPN
 set transform-set DMVPN-Transform
!
interface Tunnel0
 ip address 1.1.1.1 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication cisco123
 ip nhrp map multicast 1.1.1.1
 ip nhrp map 1.1.1.10 172.30.3.2
 ip nhrp network-id 99
 ip nhrp nhs 1.1.1.10
 ip nhrp cache non-authoritative
 ip ospf network broadcast
 ip ospf hello-interval 30
 ip ospf priority 0
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
 tunnel key 999
 tunnel protection ipsec profile DMVPN
!
interface FastEthernet0/0
 ip address 10.0.1.12 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.30.1.2 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 passive-interface FastEthernet0/1
 network 1.1.1.0 0.0.0.255 area 0
 network 10.0.1.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 172.30.1.1
!
end

Verifying operation

R3#show crypto map
Crypto Map "Tunnel1-head-0" 65536 ipsec-isakmp
        Profile name: VPN
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                VPN,
        }

Crypto Map "Tunnel1-head-0" 65537 ipsec-isakmp
        Map is a PROFILE INSTANCE.
        Peer = 172.30.2.2
        Extended IP access list
            access-list permit gre host 172.30.3.2 host 172.30.2.2
        Current peer: 172.30.2.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                VPN,
        }

Crypto Map "Tunnel1-head-0" 65538 ipsec-isakmp
        Map is a PROFILE INSTANCE.
        Peer = 172.30.1.2
        Extended IP access list
            access-list permit gre host 172.30.3.2 host 172.30.1.2
        Current peer: 172.30.1.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                VPN,
        }
        Interfaces using crypto map Tunnel1-head-0:
                Tunnel1

R3# show crypto isa sa
dst             src             state          conn-id slot status
172.30.3.2      172.30.1.2      QM_IDLE              2    0 ACTIVE
172.30.3.2      172.30.2.2      QM_IDLE              1    0 ACTIVE

R3#show ip nhrp
1.1.1.1/32 via 1.1.1.1, Tunnel1 created 00:36:53, expire 01:46:29
  Type: dynamic, Flags: authoritative unique registered
  NBMA address: 172.30.1.2
1.1.1.2/32 via 1.1.1.2, Tunnel1 created 00:51:42, expire 01:47:19
  Type: dynamic, Flags: authoritative unique registered
  NBMA address: 172.30.2.2

R3#show ip route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Tunnel1
     172.30.0.0/24 is subnetted, 1 subnets
C       172.30.3.0 is directly connected, Serial0/1/0
     10.0.0.0/24 is subnetted, 3 subnets
O       10.0.2.0 [110/11112] via 1.1.1.2, 00:00:56, Tunnel1
C       10.0.3.0 is directly connected, Loopback0
O       10.0.1.0 [110/11112] via 1.1.1.1, 00:00:56, Tunnel1
S*   0.0.0.0/0 is directly connected, Serial0/1/0

R2#show cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
172.30.1.2      172.30.2.2      QM_IDLE           1002    0 ACTIVE
172.30.3.2      172.30.2.2      QM_IDLE           1001    0 ACTIVE
172.30.2.2      172.30.1.2      QM_IDLE           1003    0 ACTIVE

IPv6 Crypto ISAKMP SA

R2#show cry ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 172.30.2.2

   protected vrf: (none)
   local ident (addr/mask/prot/port): (172.30.2.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.30.1.2/255.255.255.255/47/0)
   current_peer 172.30.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 24, #pkts encrypt: 24, #pkts digest: 24
    #pkts decaps: 23, #pkts decrypt: 23, #pkts verify: 23

R2#show ip nhrp
1.1.1.1/32 via 1.1.1.1, Tunnel0 created 00:37:07, expire 01:21:51
  Type: dynamic, Flags: router
  NBMA address: 172.30.1.2
1.1.1.10/32 via 1.1.1.10, Tunnel0 created 00:53:55, never expire
  Type: static, Flags: nat used
  NBMA address: 172.30.3.2

R2#show ip route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Tunnel0
     172.30.0.0/24 is subnetted, 1 subnets
C       172.30.2.0 is directly connected, FastEthernet0/0
     10.0.0.0/24 is subnetted, 3 subnets
C       10.0.2.0 is directly connected, Loopback0
O       10.0.3.0 [110/11112] via 1.1.1.10, 00:00:44, Tunnel0
O       10.0.1.0 [110/11112] via 1.1.1.1, 00:00:44, Tunnel0
S*   0.0.0.0/0 is directly connected, FastEthernet0/0

R1#show ip nhrp
1.1.1.2/32 via 1.1.1.2, Tunnel0 created 00:35:47, expire 01:08:22
  Type: dynamic, Flags: router
  NBMA address: 172.30.2.2
1.1.1.10/32 via 1.1.1.10, Tunnel0 created 00:36:48, never expire
  Type: static, Flags: used
  NBMA address: 172.30.3.2

Lab 2: DMVPN using EIGRP

sh run
Building configuration
Current configuration : 1658 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
crypto isakmp policy 20
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN-Transform esp-des
!
crypto ipsec profile DMVPN
 set transform-set DMVPN-Transform
!
interface Tunnel0
 ip address 172.16.1.3 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip hold-time eigrp 1 35
 no ip next-hop-self eigrp 1
 ip nhrp authentication cisco123
 ip nhrp map 172.16.1.1 172.30.1.2
 ip nhrp map multicast 172.30.1.2
 ip nhrp network-id 99
 ip nhrp nhs 172.16.1.1
 no ip split-horizon eigrp 1
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
 tunnel key 999
 tunnel protection ipsec profile DMVPN
!
interface FastEthernet0/0
 ip address 10.0.3.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.30.3.2 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 1
 network 10.0.0.0
 network 172.16.0.0
 no auto-summary
!
ip classless
ip route 172.30.1.0 255.255.255.0 172.30.3.1
ip route 172.30.2.0 255.255.255.0 172.30.3.1
!
end
R3#

R1#sh run
!
version 12.3
!
hostname R1
!
!
crypto isakmp policy 20
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
no crypto isakmp ccm
!
!
crypto ipsec transform-set DMVPN-Transform esp-des
!
crypto ipsec profile DMVPN
 set transform-set DMVPN-Transform
!
interface Tunnel1
 ip address 172.16.1.1 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip hold-time eigrp 1 35
 no ip next-hop-self eigrp 1
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 no ip split-horizon eigrp 1
 tunnel source Serial0/2/0
 tunnel mode gre multipoint
 tunnel key 999
 tunnel protection ipsec profile DMVPN
!
interface FastEthernet0/0
 ip address 10.0.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/2/0
 ip address 172.30.1.2 255.255.255.0
 clockrate 64000
!
router eigrp 1
 network 10.0.0.0
 network 172.16.0.0
 no auto-summary
[...]...
R2
!
!
crypto isakmp policy 20
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
no crypto isakmp ccm
!
crypto ipsec transform-set DMVPN-Transform esp-des
!
crypto ipsec profile DMVPN
 set transform-set DMVPN-Transform
!
interface Tunnel0
 ip address 172.16.1.2 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip hold-time eigrp 1 35
 no ip next-hop-self eigrp 1
 ip nhrp authentication... map multicast 172.30.1.2
 ip nhrp network-id 99
 ip nhrp nhs 172.16.1.1
 no ip split-horizon eigrp 1
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
 tunnel key 999
 tunnel protection ipsec profile DMVPN
!
interface FastEthernet0/0
 ip address 10.0.2.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.30.2.2 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 1
 network [...]
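An added example, not part of the original lab: a Python check that flags the weak IKE/IPsec settings visible in these lab configs (MD5 hash, DES by default or by transform, a transform set with no integrity transform, a pre-shared key accepted from any peer). The function name and rule labels are hypothetical, and the check assumes sub-commands keep the leading-space indentation of real `show run` output.

```python
import re

# Crypto lines of Hub R3 as shown in Lab 1 on this page.
HUB_R3 = """\
crypto isakmp policy 20
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set VPN esp-des
"""

WEAK_ESP = {"esp-des", "esp-null"}
INTEGRITY = re.compile(r"^((esp|ah)-(md5|sha\d*)-hmac|esp-gcm|esp-gmac)$")

def audit_ios_crypto(config):
    """Return (rule, detail) findings; rule names are illustrative."""
    findings, policy, sub = [], None, []

    def close_policy():
        # show run omits defaults; classic IOS uses 56-bit DES when an
        # ISAKMP policy carries no "encryption" line.
        if policy and not any(s.startswith("encryption") for s in sub):
            findings.append(("IKE_DEFAULT_DES", policy))

    for raw in config.splitlines():
        line, words = raw.strip(), raw.split()
        if policy and raw.startswith(" "):   # sub-command of the policy
            sub.append(line)
            if line == "hash md5":
                findings.append(("IKE_HASH_MD5", policy))
            continue
        close_policy()
        policy, sub = None, []
        if line.startswith("crypto isakmp policy"):
            policy = line
        elif line.startswith("crypto isakmp key") and words[-2:] == ["0.0.0.0"] * 2:
            # Never echo the key itself into the finding.
            findings.append(("PSK_WILDCARD_PEER", "key valid for any peer address"))
        elif line.startswith("crypto ipsec transform-set"):
            name, transforms = words[3], words[4:]
            if WEAK_ESP & set(transforms):
                findings.append(("ESP_WEAK_CIPHER", name))
            if not any(INTEGRITY.match(t) for t in transforms):
                findings.append(("ESP_NO_INTEGRITY", name))
    close_policy()
    return findings

if __name__ == "__main__":
    print(*audit_ios_crypto(HUB_R3), sep="\n")
```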