VPN配置实例
Intranet 内联网配置:
Figure 3-8: Intranet VPN Scenario Physical Elements
Headquarters Router 配置

hq-sanjose# show running-config
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname hq-sanjose
!
boot system flash bootflash:
boot bootldr bootflash:c7100-boot-mz.120-1.1.T
boot config slot0:hq-sanjose-cfg-small
no logging buffered
!
crypto isakmp policy 1
authentication pre-share
lifetime 84600
crypto isakmp key test12345 address 172.24.2.5
!
crypto ipsec transform-set proposal1 ah-sha-hmac esp-des esp-sha-hmac
mode transport
!
!
crypto map s1first local-address Serial1/0
crypto map s1first 1 ipsec-isakmp
/pre>
  
set peer 172.24.2.5
set transform-set proposal1
match address 101
!
interface Tunnel0
bandwidth 180
ip address 172.17.3.3 255.255.255.0
no ip directed-broadcast
tunnel source 172.17.2.4
tunnel destination 172.24.2.5
crypto map s1first
!
interface FastEthernet0/0
ip address 10.1.3.3 255.255.255.0
no ip directed-broadcast
no keepalive
full-duplex
no cdp enable
!
interface FastEthernet0/1
ip address 10.1.6.4 255.255.255.0
no ip directed-broadcast
no keepalive
full-duplex
no cdp enable
!
interface Serial1/0
ip address 172.17.2.4 255.255.255.0
no ip directed-broadcast
no ip mroute-cache
no keepalive
/pre>
  
fair-queue 64 256 0
framing c-bit
cablelength 10
dsu bandwidth 44210
clock source internal
no cdp enable
crypto map s1first
!
ip route 10.1.4.0 255.255.255.0 Tunnel0
!
access-list 101 permit gre host 172.17.2.4 host 172.24.2.5
!
line con 0
transport input none
line aux 0
line vty 0 4
login
!
end
/pre>
  

Remote Office Router 配置:
ro-rtp# show running-config
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ro-rtp
!
boot system flash bootflash:
boot bootldr bootflash:c7100-boot-mz.120-1.1.T
boot config slot0:ro-rtp-cfg-small
no logging buffered
!
crypto isakmp policy 1
authentication pre-share
lifetime 84600
crypto isakmp key test12345 address 172.17.2.4
!
crypto ipsec transform-set proposal1 ah-sha-hmac esp-des esp-sha-hmac
mode transport
!
!
crypto map s1first local-address Serial1/0
crypto map s1first 1 ipsec-isakmp

set peer 172.17.2.4
set transform-set proposal1
match address 101
!
interface Tunnel1
bandwidth 180
ip address 172.24.3.6 255.255.255.0
no ip directed-broadcast
tunnel source 172.24.2.5
tunnel destination 172.17.2.4
crypto map s1first
!
interface FastEthernet0/0
ip address 10.1.4.2 255.255.255.0
no ip directed-broadcast
no keepalive
full-duplex
no cdp enable
!
interface Serial1/0
ip address 172.24.2.5 255.255.255.0
no ip directed-broadcast
no ip mroute-cache
no keepalive

 
fair-queue 64 256 0
framing c-bit
cablelength 10
dsu bandwidth 44210
clock source internal
no cdp enable
crypto map s1first
!
ip route 10.1.3.0 255.255.255.0 Tunnel1
ip route 10.1.6.0 255.255.255.0 Tunnel1
!
access-list 101 permit gre host 172.24.2.5 host 172.17.2.4
!
line con 0
transport input none
line aux 0
line vty 0 4
login
!
end
Extranet外联网配置:

Figure 3-9: Extranet VPN Scenario Physical Elements

Headquarters Router配置:

hq-sanjose# show running-config
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname hq-sanjose
!
boot system flash bootflash:
boot bootldr bootflash:c7100-boot-mz.120-1.1.T
boot config slot0:hq-sanjose-cfg-small
no logging buffered
!
crypto isakmp policy 1
authentication pre-share
lifetime 84600
crypto isakmp key test12345 address 172.24.2.5
crypto isakmp key test67890 address 172.23.2.7
!
crypto ipsec transform-set proposal1 ah-sha-hmac esp-des esp-sha-hmac
ode transport
!
crypto ipsec transform-set proposal4 ah-sha-hmac esp-des esp-sha-hmac
!
!
crypto map s1first local-address Serial1/0
crypto map s1first 1 ipsec-isakmp
set peer 172.24.2.5
set transform-set proposal1
match address 101
!
crypto map s4second local-address Serial2/0
crypto map s4second 2 ipsec-isakmp
set peer 172.23.2.7
set transform-set proposal4
match address 111
!
interface Tunnel0
bandwidth 180
ip address 172.17.3.3 255.255.255.0
no ip directed-broadcast
tunnel source 172.17.2.4
tunnel destination 172.24.2.5
crypto map s1first
!
interface FastEthernet0/0
ip address 10.1.3.3 255.255.255.0
no ip directed-broadcast
no keepalive
full-duplex
no cdp enable
!
interface FastEthernet0/1
ip address 10.1.6.4 255.255.255.0
no ip directed-broadcast
ip nat inside
no keepalive
full-duplex
no cdp enable
!
interface Serial1/0
ip address 172.17.2.4 255.255.255.0
no ip directed-broadcast
no ip mroute-cache
no keepalive
fair-queue 64 256 0
framing c-bit
cablelength 10
dsu bandwidth 44210
clock source internal
no cdp enable
crypto map s1first
!
interface Serial2/0
ip address 172.16.2.2 255.255.255.0
no ip directed-broadcast
ip nat outside
no ip mroute-cache
no keepalive
fair-queue 64 256 0
framing c-bit
cablelength 10
dsu bandwidth 44210
clock source internal
no cdp enable
crypto map s4second
!
router bgp 10
network 10.2.2.2 mask 255.255.255.0
network 172.16.2.0 mask 255.255.255.0
!
ip route 10.1.4.0 255.255.255.0 Tunnel0
!
ip nat inside source static 10.1.6.5 10.2.2.2
!
access-list 101 permit gre host 172.17.2.4 host 172.24.2.5
access-list 111 permit ip host 10.2.2.2 host 10.1.5.3
!
line con 0
transport input none
line aux 0
line vty 0 4
login
!
end
Business Partner Router 配置:
bus-ptnr# show running-config
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname bus-ptnr
!
boot system flash bootflash:
boot bootldr bootflash:c7100-boot-mz.120-1.1.T
boot config slot0:bus-ptnr-cfg-small
no logging buffered
!
crypto isakmp policy 1
authentication pre-share
lifetime 84600
crypto isakmp key test67890 address 172.16.2.2
!
crypto ipsec transform-set proposal4 ah-sha-hmac esp-des esp-sha-hmac
!
!
crypto map s4second local-address Serial1/0
crypto map s4second 2 ipsec-isakmp
 
set peer 172.16.2.2
set transform-set proposal4
match address 111
!
interface FastEthernet0/0
ip address 10.1.5.2 255.255.255.0
no ip directed-broadcast
no keepalive
full-duplex
no cdp enable
!
interface Serial1/0
ip address 172.23.2.7 255.255.255.0
no ip directed-broadcast
no ip mroute-cache
no keepalive
fair-queue 64 256 0
framing c-bit
cablelength 10
dsu bandwidth 44210
clock source internal
no cdp enable
crypto map s4second
!
router bgp 10
network 10.1.5.0 mask 255.255.255.0
network 172.16.2.0 mask 255.255.255.0
!
access-list 111 permit ip host 10.1.5.3 host 10.2.2.2
!
line con 0
transport input none
line aux 0
line vty 0 4