IPSec-VPN專(zhuān)題七：DMVPN-核心冗余架構(gòu)

DMVPN中使用多個(gè)NHS服務(wù)器，實(shí)現(xiàn)冗余：

1：R1/R2/R3/R4：直接配置路由可達(dá)：?jiǎn)⒂肙SPF協(xié)議：

2：R1/R2/R3/R4：配置GRETunnel：（支持組播）

3：R1/R2/R3/R4：配置NHRP：

==>R1的配置：（主NHS）

interfaceTunnel0

ipaddress172.16.1.1255.255.255.0

noipredirects

ipnhrpnetwork-id10

ipnhrpmapmulticastdynamic

：從NHRP的注冊(cè)消息中指定組播發(fā)送的目的地址

tunnelsourceFastEthernet0/0

tunnelmodegremultipoint

tunnelkey123

end

==>R2的配置：（備份NHS）

interfaceTunnel0

ipaddress172.16.1.2255.255.255.0

ipnhrpmapmulticastdynamic

ipnhrpnetwork-id10

ipnhrpmap172.16.1.1202.101.1.1

：指定主NHS服務(wù)器，如果自己NHRP失敗，可以向172.16.1.1咨詢

ipnhrpnhs172.16.1.1

delay1000

tunnelsourceFastEthernet0/0

tunnelmodegremultipoint

tunnelkey123

end

==>Branch1的配置：

interfaceTunnel0

ipaddress172.16.1.3255.255.255.0

noipredirects

ipnhrpmap172.16.1.1202.101.1.1

ipnhrpmap172.16.1.2202.101.1.5

ipnhrpmapmulticast202.101.1.1

ipnhrpmapmulticast202.101.1.4

ipnhrpnetwork-id10

ipnhrpnhs172.16.1.1

：優(yōu)先級(jí)由Internet路由來(lái)決定：

ipnhrpnhs172.16.1.2

tunnelsourceFastEthernet0/0

tunnelmodegremultipoint

tunnelkey123

end

==>Branch2的配置：

interfaceTunnel0

ipaddress172.16.1.4255.255.255.0

noipredirects

ipnhrpmap172.16.1.1202.101.1.1

ipnhrpmap172.16.1.2202.101.1.5

ipnhrpmapmulticast202.101.1.1

ipnhrpmapmulticast202.101.1.4

ipnhrpnetwork-id10

ipnhrpnhs172.16.1.1

ipnhrpnhs172.16.1.2

tunnelsourceFastEthernet0/0

tunnelmodegremultipoint

tunnelkey123

end

4：R1/R2/R3/R4：在內(nèi)部網(wǎng)絡(luò)中啟用EIGRP協(xié)議：

==>根據(jù)EIGRP協(xié)議，在接口配置Feature：

interfaceTunnel0

noipnext-hop-selfeigrp90

noipsplit-horizoneigrp90

==>此時(shí)查看Branch1/2的路由：

Branch1#showiprouteeigrp

4.0.0.0/32issubnetted,1subnets

D

4.4.4.4[90/285084416]via172.16.1.4,00:00:01,Tunnel0

[90/285084416]via172.16.1.4,00:00:01,Tunnel0

D

192.168.1.0/24[90/284702976]via172.16.1.2,00:00:01,Tunnel0

[90/284702976]via172.16.1.1,00:00:01,Tunnel0

Branch2#showiprouteeigrp

3.0.0.0/32issubnetted,1subnets

D

3.3.3.3[90/285084416]via172.16.1.3,00:00:13,Tunnel0

[90/285084416]via172.16.1.3,00:00:13,Tunnel0

D

192.168.1.0/24[90/284702976]via172.16.1.2,00:02:47,Tunnel0

[90/284702976]via172.16.1.1,00:02:47,Tunnel0

5：R1/R2/R3/R4：配置IPSecVPN：

cryptoisakmppolicy10

authenticationpre-share

encrydes

group2

hashmd5

cryptoisakmpkeydmvpnaddress0.0.0.00.0.0.0

cryptoipsectransform-setDMVPNesp-desesp-md5-hmac

cryptoipsecprofiledmvpn-profile

settransform-setDMVPN

!

intt0

tunnelprotectionipsecprofiledmvpn-profile

6：測(cè)試：

R3pingR4:

Branch1#ping4.4.4.4soulo0

!!!!!

Branch1#showipnhrp

172.16.1.1/32via172.16.1.1,Tunnel0created00:19:34,neverexpire

Type:static,Flags:authoritativeused

NBMAaddress:202.101.1.1

172.16.1.2/32via172.16.1.2,Tunnel0created00:19:34,neverexpire

Type:static,Flags:authoritativeused

NBMAaddress:202.101.1.5

172.16.1.4/32via172.16.1.4,Tunnel0created00:01:24,expire01:47:52

Type:dynamic,Flags:router

NBMAaddress:1.1.45.4

Branch1#showcryptoengineconnactive

IDInterface

IP-Address

State

Algorithm

Encrypt

Decrypt

10FastEthernet0/0

1.1.35.3

set

HMAC_MD5+DES_56_CB

0

0

11Tunnel0

172.16.1.3

set

HMAC_MD5+DES_56_CB

0

0

2001Tunnel0

1.1.35.3

set

DES+MD5

0

0

2002Tunnel0

1.1.35.3

set

DES+MD5

33

0

2003FastEthernet0/0

1.1.35.3

set

DES+MD5

0

3

2004Tunnel0

1.1.35.3

set

DES+MD5

4

0

2005Tunnel0

1.1.35.3

set

DES+MD5

0

28

2006Tunnel0

1.1.35.3

set

DES