利用Internet 出口线路建立VPN通道 实现 总、分公司之间的互联,是目前许多公司热衷的方案。以往要建立这样的VPN,需要至少一端使用静态的IP 地址 。当前很多公司都通过ADSL方式上网,如果要求电信提供静态 地址 ,费用将会大大增加(如深圳512K固定IP的ADSL
利用Internet 出口线路建立VPN通道实现总、分公司之间的互联,是目前许多公司热衷的方案。以往要建立这样的VPN,需要至少一端使用静态的IP地址。当前很多公司都通过ADSL方式上网,如果要求电信提供静态地址,费用将会大大增加(如深圳512K固定IP的ADSL月租是RMB5000)。现在Cisco IOS 12.3(4)T中新增了根据DNS名称来建立VPN peer 的命令,借助希网(3322.org)、88ip等动态域名解释系统的配合,可以在VPN两端都使用动态地址的ADSL线路,节省大笔费用。
实际环境中局域网内应在一台机器上运行动态域名解释客户端程序,以将主机名nbo.3322.org注册到服务器,注册地址是路由器的外网端口地址。
配置:
VPN-1(省略了部分无关配置):
version 12.3
!
hostname vpn-1
!
aaa new-model
!
aaa authentication login authen group radius local
aaa authorization network author local
aaa session-id common
ip subnet-zero
!
ip cef
ip name-server 202.96.134.133
!
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set s2s esp-des esp-sha-hmac
!
crypto dynamic-map dymap 1
set transform-set s2s
match address 110
!
crypto map mymap 1 ipsec-isakmp dynamic dymap
!
interface FastEthernet0/0
description VPN
ip address 202.11.22.11 255.255.255.248
ip nat outside
crypto map mymap
!
interface FastEthernet0/1
description INSIDE_GATEWAY
ip address 172.16.10.110 255.255.0.0
ip nat inside
!
ip nat inside source route-map nonat interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
no ip http server
!
access-list 110 permit ip 172.16.0.0 0.0.255.255 172.30.1.0 0.0.0.255
access-list 120 deny
ip 172.16.0.0 0.0.255.255 172.30.1.0 0.0.0.255
access-list 120 permit ip 172.16.0.0 0.0.255.255 any
route-map nonat permit 10
match ip address 120
!
end
VPN-2(省略了部分无关配置):
version 12.3
!
hostname vpn-2
!
username mize password 0 http://mize.netbuddy.org
no aaa new-model
ip subnet-zero
!
ip cef
ip name-server 202.96.134.133
!
crypto isakmp policy 1
authentication pre-share
group 2
crypto isakmp key cisco hostname nbo.3322.org
!
crypto ipsec transform-set s2s esp-des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer nbo.3322.org dynamic
set transform-set s2s
match address 110
!
interface FastEthernet0/0
ip address 202.11.22.43 255.255.255.248
ip nat outside
crypto map mymap
!
interface FastEthernet0/1
ip address 172.30.1.1 255.255.255.0
ip nat inside
!
ip nat inside source route-map nonat interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
access-list 110 permit ip 172.30.1.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 120 deny
ip 172.30.1.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 120 permit ip 172.30.1.0 0.0.0.255 any
route-map nonat permit 10
match ip address 120
!
end
相关调试命令:
show cry isa sa
show cry ipsec sa