Dynamic addresses, firewalls and NAT (address translation) all seriously affect IPsec VPN.
Dynamic addresses (a site uses a dynamic IP)
Solutions
- 动态crypto map
- DDNS
- EzVPN
- GRE over EzVPN
1.1.1.0/24 ---- Center (fa0/0 202.100.1.1/24) ---- (fa0/0 202.100.1.10) Internet (fa1/0 61.128.1.10/24) ---- (fa1/0 dhcp) Branch ---- 2.2.2.0/24
Use a dynamic crypto map to handle the branch site obtaining its IP address dynamically, building a tunnel-mode IPsec tunnel between center and branch.
- Basic IP and routing configuration
center
int loopback0
ip address 1.1.1.1 255.255.255.0
int fa 0/0
ip address 202.100.1.1 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 202.100.1.10
internet
ip dhcp pool branch
network 61.128.1.0 255.255.255.0
default-router 61.128.1.10
int fa0/0
ip address 202.100.1.10 255.255.255.0
no shut
int fa 1/0
ip address 61.128.1.10 255.255.255.0
no shut
branch
int loopback0
ip address 2.2.2.2 255.255.255.0
int fa 1/0
ip address dhcp
no shut
2. The branch's IP is dynamic but the center's is fixed, so the branch is configured with the same (static crypto map) method as before, pointing at the center's fixed address:
crypto isakmp policy 10
auth pre-share
crypto isakmp key 0 cisco address 202.100.1.1
ip access-list extended vpn
permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
crypto ipsec transform-set cisco esp-des esp-md5-hmac
crypto map cisco 10 ipsec-isakmp
set peer 202.100.1.1
set transform-set cisco
match address vpn
int fa 1/0
crypto map cisco
- center dynamic crypto map IPsec VPN config
crypto isakmp policy 10
auth pre-share
crypto isakmp key 0 cisco address 0.0.0.0 0.0.0.0 (wildcard peer: the branch address is unknown in advance, so the same key is accepted from any source; anyone who knows the key can start IKE with the center, so use a strong key and not "cisco" outside the lab)
crypto ipsec transform-set cisco esp-des esp-md5-hmac (must match the branch; lab only, DES and MD5 are weak and deprecated in current IOS, use esp-aes esp-sha-hmac or stronger in production)
crypto dynamic-map dmap 10
set transform-set cisco
crypto map cisco 1000 ipsec-isakmp dynamic dmap (give the dynamic entry the highest sequence number in the map: entries are evaluated in order, and because the dynamic entry has no peer and no match address it matches any proposal, so static entries for other sites must come before it; the center cannot initiate this tunnel, the branch must send interesting traffic first)
int fa0/0
crypto map cisco
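As an added example (not part of the original lab notes, and not a Cisco tool), the following Python lint reads an IOS-style configuration and flags the three things the center configuration above depends on: the wildcard pre-shared key, the weak transform set, and the rule that the dynamic crypto map entry must carry the highest sequence number so static entries are tried first. The sample configuration inside it is the center's config from these notes plus a hypothetical static entry (sequence 10, peer 61.128.1.20, ACL vpn-static) to exercise the ordering check; the parser is a minimal line-based one and only understands the commands shown here.

```python
"""Lint an IOS-style crypto-map config for the dynamic-crypto-map pitfalls
discussed in the notes.  Added example; the parser is deliberately minimal."""
import re

# Constructed sample: the center's lab config plus a hypothetical static
# site-to-site entry (seq 10, peer 61.128.1.20, ACL vpn-static) so that the
# ordering rule (dynamic entry last) has something to check against.
CENTER_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key 0 cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set cisco esp-des esp-md5-hmac
crypto dynamic-map dmap 10
 set transform-set cisco
crypto map cisco 10 ipsec-isakmp
 set peer 61.128.1.20
 set transform-set cisco
 match address vpn-static
crypto map cisco 1000 ipsec-isakmp dynamic dmap
interface FastEthernet0/0
 ip address 202.100.1.1 255.255.255.0
 crypto map cisco
"""

# Transform-set algorithms treated as weak for the purpose of this lint.
WEAK_ALGOS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def parse_crypto_map_entries(config):
    """Return (map_name, seq, dynamic_map_or_None) for each crypto map
    definition line, in the order they appear in the config."""
    entries = []
    for raw in config.splitlines():
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$",
                     raw.strip())
        if m:
            entries.append((m.group(1), int(m.group(2)), m.group(3)))
    return entries


def lint_crypto_config(config):
    """Return a list of finding tags for the given config text."""
    findings = []
    defined, applied = set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        # 1. A 0.0.0.0/0 peer address accepts the key from any source.
        if re.match(r"crypto isakmp key (?:\d\s+)?\S+ address 0\.0\.0\.0 0\.0\.0\.0$",
                    line):
            findings.append("wildcard-psk")
        # 2. Weak ESP algorithms in a transform set.
        elif line.startswith("crypto ipsec transform-set "):
            weak = set(line.split()[3:]) & WEAK_ALGOS
            if weak:
                findings.append("weak-transform:" + ",".join(sorted(weak)))
        # Crypto map definition lines (static or dynamic).
        elif line.startswith("crypto map ") and "ipsec-isakmp" in line:
            defined.add(line.split()[2])
        # 'crypto map <name>' under an interface applies the map.
        elif re.fullmatch(r"crypto map \S+", line):
            applied.add(line.split()[2])

    # 3. The dynamic entry matches any proposal, so it must be evaluated
    #    after every static entry, i.e. carry the highest sequence number.
    by_map = {}
    for name, seq, dyn in parse_crypto_map_entries(config):
        by_map.setdefault(name, []).append((seq, dyn))
    for name, entries in sorted(by_map.items()):
        dyn_seqs = [s for s, d in entries if d]
        static_seqs = [s for s, d in entries if not d]
        if dyn_seqs and static_seqs and min(dyn_seqs) < max(static_seqs):
            findings.append(f"dynamic-not-last:{name}")

    # 4. A crypto map that is defined but never applied to an interface
    #    protects nothing.
    for name in sorted(defined - applied):
        findings.append(f"map-not-applied:{name}")
    return findings


if __name__ == "__main__":
    # Expected for the lab config: wildcard PSK and the DES/MD5 transform set.
    print(lint_crypto_config(CENTER_CONFIG))
```

On the routers themselves the equivalent check after the branch sends traffic (for example a ping from 2.2.2.2 to 1.1.1.1) is `show crypto isakmp sa` for the phase 1 SA and `show crypto ipsec sa` for the phase 2 SAs and packet counters; the lint only catches configuration mistakes before that point.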