Konfigurieren von dynamischem Multipoint-VPN mithilfe von GRE over IPsec mit OSPF, NAT und der Cisco IOS Firewall

Download-Optionen

PDF (294.2 KB)
Mit Adobe Reader auf verschiedenen Geräten anzeigen
ePub (92.5 KB)
In verschiedenen Apps auf iPhone, iPad, Android, Sony Reader oder Windows Phone anzeigen
Mobi (Kindle) (90.1 KB)
Auf einem Kindle-Gerät oder einer Kindle-App auf mehreren Geräten anzeigen

Aktualisiert:30. November 2006

Dokument-ID:43068

Inklusive Sprache

In dem Dokumentationssatz für dieses Produkt wird die Verwendung inklusiver Sprache angestrebt. Für die Zwecke dieses Dokumentationssatzes wird Sprache als „inklusiv“ verstanden, wenn sie keine Diskriminierung aufgrund von Alter, körperlicher und/oder geistiger Behinderung, Geschlechtszugehörigkeit und -identität, ethnischer Identität, sexueller Orientierung, sozioökonomischem Status und Intersektionalität impliziert. Dennoch können in der Dokumentation stilistische Abweichungen von diesem Bemühen auftreten, wenn Text verwendet wird, der in Benutzeroberflächen der Produktsoftware fest codiert ist, auf RFP-Dokumentation basiert oder von einem genannten Drittanbieterprodukt verwendet wird. Hier erfahren Sie mehr darüber, wie Cisco inklusive Sprache verwendet.

Informationen zu dieser Übersetzung

Cisco hat dieses Dokument maschinell übersetzen und von einem menschlichen Übersetzer editieren und korrigieren lassen, um unseren Benutzern auf der ganzen Welt Support-Inhalte in ihrer eigenen Sprache zu bieten. Bitte beachten Sie, dass selbst die beste maschinelle Übersetzung nicht so genau ist wie eine von einem professionellen Übersetzer angefertigte. Cisco Systems, Inc. übernimmt keine Haftung für die Richtigkeit dieser Übersetzungen und empfiehlt, immer das englische Originaldokument (siehe bereitgestellter Link) heranzuziehen.

Inhalt

Einleitung

Voraussetzungen

Anforderungen

Verwendete Komponenten

Konventionen

Konfigurieren

Netzwerkdiagramm

Konfigurationen

Überprüfung

Fehlerbehebung

Befehle für die Fehlerbehebung

Zugehörige Informationen

Einleitung

Dieses Dokument enthält eine Beispielkonfiguration für Dynamic Multipoint VPN (DMVPN) unter Verwendung von Generic Routing Encapsulation (GRE) over IPsec mit Open Shortest Path First (OSPF), Network Address Translation (NAT) und der Cisco IOS® Firewall.

Voraussetzungen

Anforderungen

Bevor ein mGRE- (Multipoint GRE) und ein IPsec-Tunnel eingerichtet werden können, müssen Sie mithilfe des Befehls crypto isakmp policy eine IKE-Richtlinie (Internet Key Exchange) definieren.

Hinweis: Verwenden Sie das Tool für die Suche nach Befehlen (nur registrierte Kunden), um weitere Informationen zu den in diesem Abschnitt verwendeten Befehlen zu erhalten.

Verwendete Komponenten

Die Informationen in diesem Dokument basierend auf folgenden Software- und Hardware-Versionen:

Cisco IOS® Softwareversion 12.2(15)T1 auf dem Hub-Router und Cisco IOS Softwareversion 12.3(1.6) auf den Spoke-Routern
Cisco 3620 als Hub-Router, zwei Cisco 1720 Router und ein Cisco 3620 Router als Spoke-Router

Die Informationen in diesem Dokument beziehen sich auf Geräte in einer speziell eingerichteten Testumgebung. Alle Geräte, die in diesem Dokument benutzt wurden, begannen mit einer gelöschten (Nichterfüllungs) Konfiguration. Wenn Ihr Netz Live ist, überprüfen Sie, ob Sie die mögliche Auswirkung jedes möglichen Befehls verstehen.

Hub - 3620-B
Speiche 1 - 3620-A
Speiche 2 - 1720-b
Speiche 3 - 1720-A

Hub - 3620-B
W2N-6.16-3620-B#write terminal Building configuration... Current configuration : 2613 bytes ! version 12.2 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname W2N-6.16-3620-B ! logging queue-limit 100 ! memory-size iomem 10 ip subnet-zero ! ! ip cef no ip domain lookup ! !--- This is the Cisco IOS Firewall configuration and what to inspect. !--- This is applied outbound on the external interface. ip inspect name in2out rcmd ip inspect name in2out ftp ip inspect name in2out tftp ip inspect name in2out tcp timeout 43200 ip inspect name in2out http ip inspect name in2out udp ip audit po max-events 100 ! ! ! !--- Create an Internet Security Association and Key Management !--- Protocol (ISAKMP) policy for Phase 1 negotiations. crypto isakmp policy 5 authentication pre-share group 2 !--- Add dynamic pre-shared key. crypto isakmp key dmvpnkey address 0.0.0.0 0.0.0.0 crypto isakmp nat keepalive 20 ! ! !--- Create the Phase 2 policy for actual data encryption. crypto ipsec transform-set dmvpnset esp-3des esp-sha-hmac ! !--- Create an IPsec profile to be applied dynamically !--- to the GRE over IPsec tunnels. crypto ipsec profile dmvpnprof set transform-set dmvpnset ! ! ! ! ! ! ! ! ! ! ! no voice hpi capture buffer no voice hpi capture destination ! ! mta receive maximum-recipients 0 ! ! ! !--- This is the inbound interface. interface Loopback1 ip address 192.168.117.1 255.255.255.0 ip nat inside ! !--- Create a GRE tunnel template to be applied !--- to all the dynamically created GRE tunnels. interface Tunnel1 description MULTI-POINT GRE TUNNEL for BRANCHES bandwidth 1000 ip address 172.16.0.1 255.255.255.0 no ip redirects ip mtu 1416 ip nhrp authentication dmvpn ip nhrp map multicast dynamic ip nhrp network-id 99 ip nhrp holdtime 300 no ip route-cache ip ospf network broadcast no ip mroute-cache delay 1000 tunnel source FastEthernet0/0 tunnel mode gre multipoint tunnel key 100000 tunnel protection ipsec profile dmvpnprof ! !--- This is the outbound interface. interface FastEthernet0/0 ip address 14.24.117.1 255.255.0.0 ip nat outside ip access-group 100 in ip inspect in2out out no ip mroute-cache duplex auto speed auto ! interface Serial0/0 no ip address shutdown clockrate 2000000 no fair-queue ! interface FastEthernet0/1 no ip address no ip mroute-cache duplex auto speed auto ! !--- Enable a routing protocol to send/receive dynamic !--- updates about the private networks. router ospf 1 log-adjacency-changes network 172.16.0.0 0.0.0.255 area 0 network 192.168.117.0 0.0.0.255 area 0 ! !--- Except the private network traffic from the NAT process. ip nat inside source route-map nonat interface FastEthernet0/0 overload ip http server no ip http secure-server ip classless ip route 0.0.0.0 0.0.0.0 14.24.1.1 ip route 2.0.0.0 255.0.0.0 14.24.121.1 ! ! ! !--- Allow ISAKMP, ESP, and GRE traffic inbound. !--- Cisco IOS Firewall opens other inbound access as needed. access-list 100 permit udp any host 14.24.117.1 eq 500 access-list 100 premit esp any host 14.24.117.1 access-list 100 permit gre any host 14.24.117.1 access-list 100 deny ip any any !--- Except the private network traffic from the NAT process. access-list 110 deny ip 192.168.117.0 0.0.0.255 192.168.118.0 0.0.0.255 access-list 110 deny ip 192.168.117.0 0.0.0.255 192.168.116.0 0.0.0.255 access-list 110 deny ip 192.168.117.0 0.0.0.255 192.168.120.0 0.0.0.255 access-list 110 permit ip 192.168.117.0 0.0.0.255 any ! !--- Except the private network traffic from the NAT process. route-map nonat permit 10 match ip address 110 ! call rsvp-sync ! ! mgcp profile default ! dial-peer cor custom ! ! ! ! ! line con 0 exec-timeout 0 0 line aux 0 line vty 0 4 login ! ! end W2N-6.16-3620-B#

Hub - 3620-B

W2N-6.16-3620-B#write terminal
Building configuration...

Current configuration : 2613 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname W2N-6.16-3620-B
!
logging queue-limit 100
!
memory-size iomem 10
ip subnet-zero
!
!
ip cef
no ip domain lookup
!

!--- This is the Cisco IOS Firewall configuration and what to inspect. !--- This is applied outbound on the external interface.

ip inspect name in2out rcmd
ip inspect name in2out ftp
ip inspect name in2out tftp
ip inspect name in2out tcp timeout 43200
ip inspect name in2out http
ip inspect name in2out udp
ip audit po max-events 100
!
!
!

!--- Create an Internet Security Association and Key Management !--- Protocol (ISAKMP) policy for Phase 1 negotiations.

crypto isakmp policy 5
 authentication pre-share
 group 2

!--- Add dynamic pre-shared key.

crypto isakmp key dmvpnkey address 0.0.0.0 0.0.0.0
crypto isakmp nat keepalive 20
!
!

!--- Create the Phase 2 policy for actual data encryption.

crypto ipsec transform-set dmvpnset esp-3des esp-sha-hmac
!

!--- Create an IPsec profile to be applied dynamically !--- to the GRE over IPsec tunnels.

crypto ipsec profile dmvpnprof
 set transform-set dmvpnset
!
!
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
!

!--- This is the inbound interface.

interface Loopback1
 ip address 192.168.117.1 255.255.255.0
 ip nat inside
!

!--- Create a GRE tunnel template to be applied !--- to all the dynamically created GRE tunnels.

interface Tunnel1
 description MULTI-POINT GRE TUNNEL for BRANCHES
 bandwidth 1000
 ip address 172.16.0.1 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication dmvpn
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 ip nhrp holdtime 300
 no ip route-cache
 ip ospf network broadcast
 no ip mroute-cache
 delay 1000
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile dmvpnprof
!

!--- This is the outbound interface.

interface FastEthernet0/0
 ip address 14.24.117.1 255.255.0.0
 ip nat outside
 ip access-group 100 in
 ip inspect in2out out
 no ip mroute-cache
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
 clockrate 2000000
 no fair-queue
!
interface FastEthernet0/1
 no ip address
 no ip mroute-cache
 duplex auto
 speed auto
!

!--- Enable a routing protocol to send/receive dynamic !--- updates about the private networks.

router ospf 1
 log-adjacency-changes
 network 172.16.0.0 0.0.0.255 area 0
 network 192.168.117.0 0.0.0.255 area 0
!

!--- Except the private network traffic from the NAT process.

ip nat inside source route-map nonat interface FastEthernet0/0 overload
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 14.24.1.1
ip route 2.0.0.0 255.0.0.0 14.24.121.1
!
!
!

!--- Allow ISAKMP, ESP, and GRE traffic inbound. !--- Cisco IOS Firewall opens other inbound access as needed.

access-list 100 permit udp any host 14.24.117.1 eq 500
access-list 100 premit esp any host 14.24.117.1
access-list 100 permit gre any host 14.24.117.1  
access-list 100 deny ip any any 


!--- Except the private network traffic from the NAT process.
 
access-list 110 deny   ip 192.168.117.0 0.0.0.255 192.168.118.0 0.0.0.255
access-list 110 deny   ip 192.168.117.0 0.0.0.255 192.168.116.0 0.0.0.255
access-list 110 deny   ip 192.168.117.0 0.0.0.255 192.168.120.0 0.0.0.255
access-list 110 permit ip 192.168.117.0 0.0.0.255 any
!

!--- Except the private network traffic from the NAT process.

route-map nonat permit 10
 match ip address 110
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 login
!
!
end

W2N-6.16-3620-B#

Speiche 1 - 3620-A
W2N-6.16-3620-A#write terminal Building configuration... Current configuration : 2678 bytes ! version 12.2 service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname W2N-6.16-3620-A ! boot system flash slot0:c3620-ik9o3s7-mz.122-15.T1.bin logging queue-limit 100 ! memory-size iomem 15 ip subnet-zero ! ! ip cef no ip domain lookup ! !--- This is the Cisco IOS Firewall configuration and what to inspect. !--- This is applied outbound on the external interface. ip inspect name in2out rcmd ip inspect name in2out tftp ip inspect name in2out udp ip inspect name in2out tcp timeout 43200 ip inspect name in2out realaudio ip inspect name in2out vdolive ip inspect name in2out netshow ip audit po max-events 100 ! ! ! !--- Create an ISAKMP policy for !--- Phase 1 negotiations. crypto isakmp policy 5 authentication pre-share group 2 !--- Add dynamic pre-shared key. crypto isakmp key dmvpnkey address 0.0.0.0 0.0.0.0 ! ! !--- Create the Phase 2 policy for actual data encryption. crypto ipsec transform-set dmvpnset esp-3des esp-sha-hmac ! !--- Create an IPsec profile to be applied dynamically !--- to the GRE over IPsec tunnels. crypto ipsec profile dmvpnprof set transform-set dmvpnset ! ! ! ! ! ! ! ! ! ! ! no voice hpi capture buffer no voice hpi capture destination ! ! mta receive maximum-recipients 0 ! ! ! !--- This is the inbound interface. interface Loopback1 ip address 192.168.118.1 255.255.255.0 ip nat inside ! !--- Create a GRE tunnel template to be applied to !--- all the dynamically created GRE tunnels. interface Tunnel1 description HOST DYNAMIC TUNNEL bandwidth 1000 ip address 172.16.0.2 255.255.255.0 no ip redirects ip mtu 1416 ip nhrp authentication dmvpn ip nhrp map multicast dynamic ip nhrp map 172.16.0.1 14.24.117.1 ip nhrp map multicast 14.24.117.1 ip nhrp network-id 99 ip nhrp holdtime 300 ip nhrp nhs 172.16.0.1 no ip route-cache ip ospf network broadcast no ip mroute-cache delay 1000 tunnel source Ethernet0/0 tunnel mode gre multipoint tunnel key 100000 tunnel protection ipsec profile dmvpnprof ! !--- This is the outbound interface. interface Ethernet0/0 ip address 14.24.118.1 255.255.0.0 ip nat outside ip access-group 100 in ip inspect in2out out no ip mroute-cache half-duplex ! interface Ethernet0/1 no ip address half-duplex ! interface Ethernet0/2 no ip address shutdown half-duplex ! interface Ethernet0/3 no ip address shutdown half-duplex ! !--- Enable a routing protocol to send/receive dynamic !--- updates about the private networks. router ospf 1 log-adjacency-changes redistribute connected network 172.16.0.0 0.0.0.255 area 0 network 192.168.118.0 0.0.0.255 area 0 ! !--- Except the private network traffic from the NAT process. ip nat inside source route-map nonat interface Ethernet0/0 overload ip http server no ip http secure-server ip classless ip route 0.0.0.0 0.0.0.0 14.24.1.1 ip route 2.0.0.0 255.0.0.0 14.24.121.1 ! ! ! !--- Allow ISAKMP, ESP, and GRE traffic inbound. !--- Cisco IOS Firewall opens inbound access as needed. access-list 100 permit udp any host 14.24.118.1 eq 500 access-list 100 premit esp any host 14.24.118.1 access-list 100 permit gre any host 14.24.118.1 access-list 100 deny ip any any !--- Except the private network traffic from the NAT process. access-list 110 deny ip 192.168.118.0 0.0.0.255 192.168.117.0 0.0.0.255 access-list 110 deny ip 192.168.118.0 0.0.0.255 192.168.116.0 0.0.0.255 access-list 110 deny ip 192.168.118.0 0.0.0.255 192.168.120.0 0.0.0.255 access-list 110 permit ip 192.168.118.0 0.0.0.255 any ! !--- Except the private network traffic from the NAT process. route-map nonat permit 10 match ip address 110 ! call rsvp-sync ! ! mgcp profile default ! dial-peer cor custom ! ! ! ! ! line con 0 exec-timeout 0 0 line aux 0 line vty 0 4 login ! ! end W2N-6.16-3620-A#

Speiche 1 - 3620-A

W2N-6.16-3620-A#write terminal
Building configuration...

Current configuration : 2678 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname W2N-6.16-3620-A
!
boot system flash slot0:c3620-ik9o3s7-mz.122-15.T1.bin
logging queue-limit 100
!
memory-size iomem 15
ip subnet-zero
!
!
ip cef
no ip domain lookup
!

!--- This is the Cisco IOS Firewall configuration and what to inspect. !--- This is applied outbound on the external interface.

ip inspect name in2out rcmd
ip inspect name in2out tftp
ip inspect name in2out udp
ip inspect name in2out tcp timeout 43200
ip inspect name in2out realaudio
ip inspect name in2out vdolive
ip inspect name in2out netshow
ip audit po max-events 100
!
!
!

!--- Create an ISAKMP policy for !--- Phase 1 negotiations.

crypto isakmp policy 5
 authentication pre-share
 group 2

!--- Add dynamic pre-shared key.

crypto isakmp key dmvpnkey address 0.0.0.0 0.0.0.0
!
!

!--- Create the Phase 2 policy for actual data encryption.

crypto ipsec transform-set dmvpnset esp-3des esp-sha-hmac
!

!--- Create an IPsec profile to be applied dynamically !--- to the GRE over IPsec tunnels.

crypto ipsec profile dmvpnprof
 set transform-set dmvpnset
!
!
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
!

!--- This is the inbound interface.

interface Loopback1
 ip address 192.168.118.1 255.255.255.0
 ip nat inside
!

!--- Create a GRE tunnel template to be applied to !--- all the dynamically created GRE tunnels.

interface Tunnel1
 description HOST DYNAMIC TUNNEL
 bandwidth 1000
 ip address 172.16.0.2 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication dmvpn
 ip nhrp map multicast dynamic
 ip nhrp map 172.16.0.1 14.24.117.1
 ip nhrp map multicast 14.24.117.1
 ip nhrp network-id 99
 ip nhrp holdtime 300
 ip nhrp nhs 172.16.0.1
 no ip route-cache
 ip ospf network broadcast
 no ip mroute-cache
 delay 1000
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile dmvpnprof
!

!--- This is the outbound interface.

interface Ethernet0/0
 ip address 14.24.118.1 255.255.0.0
 ip nat outside
 ip access-group 100 in
 ip inspect in2out out
 no ip mroute-cache
 half-duplex
!
interface Ethernet0/1
 no ip address
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!

!--- Enable a routing protocol to send/receive dynamic !--- updates about the private networks.

router ospf 1
 log-adjacency-changes
 redistribute connected
 network 172.16.0.0 0.0.0.255 area 0
 network 192.168.118.0 0.0.0.255 area 0
!

!--- Except the private network traffic from the NAT process.
 
ip nat inside source route-map nonat interface Ethernet0/0 overload
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 14.24.1.1
ip route 2.0.0.0 255.0.0.0 14.24.121.1

!
!
!

!--- Allow ISAKMP, ESP, and GRE traffic inbound. !--- Cisco IOS Firewall opens inbound access as needed.

access-list 100 permit udp any host 14.24.118.1 eq 500
access-list 100 premit esp any host 14.24.118.1
access-list 100 permit gre any host 14.24.118.1  
access-list 100 deny ip any any


!--- Except the private network traffic from the NAT process.
 
access-list 110 deny   ip 192.168.118.0 0.0.0.255 192.168.117.0 0.0.0.255
access-list 110 deny   ip 192.168.118.0 0.0.0.255 192.168.116.0 0.0.0.255
access-list 110 deny   ip 192.168.118.0 0.0.0.255 192.168.120.0 0.0.0.255
access-list 110 permit ip 192.168.118.0 0.0.0.255 any
!

!--- Except the private network traffic from the NAT process.
 
route-map nonat permit 10
 match ip address 110
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 login
!
!
end

W2N-6.16-3620-A#

Speiche 2 - 1720-b
1720-b#write terminal Building configuration... Current configuration : 2623 bytes ! version 12.2 service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname 1720-b ! logging queue-limit 100 enable password cisco ! username 7206-B password 0 cisco ip subnet-zero ! ! no ip domain lookup ! ip cef !--- This is the Cisco IOS Firewall configuration and what to inspect. !--- This is applied outbound on the external interface. ip inspect name in2out rcmd ip inspect name in2out tftp ip inspect name in2out udp ip inspect name in2out tcp timeout 43200 ip inspect name in2out realaudio ip inspect name in2out vdolive ip inspect name in2out netshow ip audit po max-events 100 vpdn-group 1 request-dialin protocol pppoe ! ! ! ! ! !--- Create an ISAKMP policy for !--- Phase 1 negotiations. crypto isakmp policy 5 authentication pre-share group 2 !--- Add dynamic pre-shared key. crypto isakmp key dmvpnkey address 0.0.0.0 0.0.0.0 ! ! !--- Create the Phase 2 policy for actual data encryption. crypto ipsec transform-set dmvpnset esp-3des esp-sha-hmac ! !--- Create an IPsec profile to be applied dynamically !--- to the GRE over IPsec tunnels. crypto ipsec profile dmvpnprof set transform-set dmvpnset ! ! ! ! ! !--- This is the inbound interface. interface Loopback1 ip address 192.168.116.1 255.255.255.0 ip nat inside ! !--- Create a GRE tunnel template to be applied to !--- all the dynamically created GRE tunnels. interface Tunnel1 description HOST DYNAMIC TUNNEL bandwidth 1000 ip address 172.16.0.3 255.255.255.0 no ip redirects ip mtu 1416 ip nhrp authentication dmvpn ip nhrp map multicast dynamic ip nhrp map 172.16.0.1 14.24.117.1 ip nhrp map multicast 14.24.117.1 ip nhrp network-id 99 ip nhrp holdtime 300 ip nhrp nhs 172.16.0.1 no ip route-cache ip ospf network broadcast no ip mroute-cache delay 1000 tunnel source Dialer1 tunnel mode gre multipoint tunnel key 100000 tunnel protection ipsec profile dmvpnprof ! interface Ethernet0 no ip address half-duplex ! interface FastEthernet0 no ip address no ip mroute-cache speed auto pppoe enable pppoe-client dial-pool-number 1 ! !--- This is the outbound interface. interface Dialer1 ip address 2.2.2.10 255.255.255.0 ip inspect in2out out ip access-group 100 in encapsulation ppp dialer pool 1 dialer-group 1 ppp authentication pap chap callin ! !--- Enable a routing protocol to send/receive dynamic !--- updates about the private networks. router ospf 1 log-adjacency-changes redistribute connected network 172.16.0.0 0.0.0.255 area 0 network 192.168.116.0 0.0.0.255 area 0 ! !--- Except the private network traffic from the NAT process. ip nat inside source route-map nonat interface Dialer1 overload ip classless ip route 0.0.0.0 0.0.0.0 14.24.1.1 ip route 0.0.0.0 0.0.0.0 Dialer1 no ip http server no ip http secure-server ! ! ! !--- Allow ISAKMP, ESP, and GRE traffic inbound. !--- Cisco IOS Firewall opens inbound access as needed. access-list 100 permit udp any host 14.24.116.1 eq 500 access-list 100 premit esp any host 14.24.116.1 access-list 100 permit gre any host 14.24.116.1 access-list 100 deny ip any any !--- Except the private network traffic from the NAT process. access-list 110 deny ip 192.168.116.0 0.0.0.255 192.168.117.0 0.0.0.255 access-list 110 deny ip 192.168.116.0 0.0.0.255 192.168.118.0 0.0.0.255 access-list 110 deny ip 192.168.116.0 0.0.0.255 192.168.120.0 0.0.0.255 access-list 110 permit ip 192.168.116.0 0.0.0.255 any dialer-list 1 protocol ip permit ! !--- Except the private network traffic from the NAT process. route-map nonat permit 10 match ip address 110 ! ! line con 0 exec-timeout 0 0 line aux 0 line vty 0 4 login ! no scheduler allocate end 1720-b#

Speiche 2 - 1720-b

1720-b#write terminal
Building configuration...

Current configuration : 2623 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 1720-b
!
logging queue-limit 100
enable password cisco
!
username 7206-B password 0 cisco
ip subnet-zero
!
!
no ip domain lookup
!
ip cef

!--- This is the Cisco IOS Firewall configuration and what to inspect. !--- This is applied outbound on the external interface.

ip inspect name in2out rcmd
ip inspect name in2out tftp
ip inspect name in2out udp
ip inspect name in2out tcp timeout 43200
ip inspect name in2out realaudio
ip inspect name in2out vdolive
ip inspect name in2out netshow
ip audit po max-events 100
vpdn-group 1
 request-dialin
  protocol pppoe
!
!
!
!
!

!--- Create an ISAKMP policy for !--- Phase 1 negotiations.

crypto isakmp policy 5
 authentication pre-share
 group 2

!--- Add dynamic pre-shared key.

crypto isakmp key dmvpnkey address 0.0.0.0 0.0.0.0
!
!


!--- Create the Phase 2 policy for actual data encryption.

crypto ipsec transform-set dmvpnset esp-3des esp-sha-hmac
!

!--- Create an IPsec profile to be applied dynamically !--- to the GRE over IPsec tunnels.

crypto ipsec profile dmvpnprof
 set transform-set dmvpnset
!
!
!
!
!

!--- This is the inbound interface.

interface Loopback1
 ip address 192.168.116.1 255.255.255.0
 ip nat inside
!

!--- Create a GRE tunnel template to be applied to !--- all the dynamically created GRE tunnels.

interface Tunnel1
 description HOST DYNAMIC TUNNEL
 bandwidth 1000
 ip address 172.16.0.3 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication dmvpn
 ip nhrp map multicast dynamic
 ip nhrp map 172.16.0.1 14.24.117.1
 ip nhrp map multicast 14.24.117.1
 ip nhrp network-id 99
 ip nhrp holdtime 300
 ip nhrp nhs 172.16.0.1
 no ip route-cache
 ip ospf network broadcast
 no ip mroute-cache
 delay 1000
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile dmvpnprof
!
interface Ethernet0
 no ip address
 half-duplex
!
interface FastEthernet0
 no ip address
 no ip mroute-cache
 speed auto
 pppoe enable
 pppoe-client dial-pool-number 1
!

!--- This is the outbound interface.

interface Dialer1
 ip address 2.2.2.10 255.255.255.0
 ip inspect in2out out
 ip access-group 100 in encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap chap callin
!

!--- Enable a routing protocol to send/receive dynamic !--- updates about the private networks.

router ospf 1
 log-adjacency-changes
 redistribute connected
 network 172.16.0.0 0.0.0.255 area 0
 network 192.168.116.0 0.0.0.255 area 0
!

!--- Except the private network traffic from the NAT process.
 
ip nat inside source route-map nonat interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 14.24.1.1
ip route 0.0.0.0 0.0.0.0 Dialer1

no ip http server
no ip http secure-server
!
!
!

!--- Allow ISAKMP, ESP, and GRE traffic inbound. !--- Cisco IOS Firewall opens inbound access as needed.

access-list 100 permit udp any host 14.24.116.1 eq 500
access-list 100 premit esp any host 14.24.116.1
access-list 100 permit gre any host 14.24.116.1  
access-list 100 deny ip any any



!--- Except the private network traffic from the NAT process.
 
access-list 110 deny   ip 192.168.116.0 0.0.0.255 192.168.117.0 0.0.0.255
access-list 110 deny   ip 192.168.116.0 0.0.0.255 192.168.118.0 0.0.0.255
access-list 110 deny   ip 192.168.116.0 0.0.0.255 192.168.120.0 0.0.0.255
access-list 110 permit ip 192.168.116.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!

!--- Except the private network traffic from the NAT process.
 
route-map nonat permit 10
 match ip address 110
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 login
!
no scheduler allocate
end

1720-b#

Speiche 3 - 1720-A
W2N-6.16-1720-A#write terminal Building configuration... Current configuration : 2303 bytes ! version 12.2 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname W2N-6.16-1720-A ! logging queue-limit 100 ! memory-size iomem 25 ip subnet-zero ! ! no ip domain lookup ! ip cef !--- This is the Cisco IOS Firewall configuration and what to inspect. !--- This is applied outbound on the external interface. ip inspect name in2out rcmd ip inspect name in2out tftp ip inspect name in2out udp ip inspect name in2out tcp timeout 43200 ip inspect name in2out realaudio ip inspect name in2out vdolive ip inspect name in2out netshow ip audit notify log ip audit po max-events 100 ! ! ! ! !--- Create an ISAKMP policy for !--- Phase 1 negotiations. crypto isakmp policy 5 authentication pre-share group 2 !--- Add dynamic pre-shared key. crypto isakmp key dmvpnkey address 0.0.0.0 0.0.0.0 ! ! !--- Create the Phase 2 policy for actual data encryption. crypto ipsec transform-set dmvpnset esp-3des esp-sha-hmac ! !--- Create an IPsec profile to be applied dynamically !--- to the GRE over IPsec tunnels. crypto ipsec profile dmvpnprof set transform-set dmvpnset ! ! ! ! ! !--- This is the inbound interface. interface Loopback1 ip address 192.168.120.1 255.255.255.0 ip nat inside ! !--- Create a GRE tunnel template to be applied to !--- all the dynamically created GRE tunnels. interface Tunnel1 description HOST DYNAMIC TUNNEL bandwidth 1000 ip address 172.16.0.4 255.255.255.0 no ip redirects ip mtu 1416 ip nhrp authentication dmvpn ip nhrp map multicast dynamic ip nhrp map 172.16.0.1 14.24.117.1 ip nhrp map multicast 14.24.117.1 ip nhrp network-id 99 ip nhrp holdtime 300 ip nhrp nhs 172.16.0.1 ip ospf network broadcast no ip mroute-cache delay 1000 tunnel source FastEthernet0 tunnel mode gre multipoint tunnel key 100000 tunnel protection ipsec profile dmvpnprof ! interface Ethernet0 no ip address no ip mroute-cache half-duplex ! !--- This is the outbound interface. interface FastEthernet0 ip address 14.24.120.1 255.255.0.0 ip nat outside ip inspect in2out out ip access-group 100 in no ip mroute-cache speed auto ! !--- Enable a routing protocol to send/receive dynamic !--- updates about the private networks. router ospf 1 log-adjacency-changes redistribute connected network 172.16.0.0 0.0.0.255 area 0 network 192.168.120.0 0.0.0.255 area 0 ! !--- Except the private network traffic from the NAT process. ip nat inside source route-map nonat interface FastEthernet0 overload ip classless ip route 0.0.0.0 0.0.0.0 14.24.1.1 ip route 2.0.0.0 255.0.0.0 14.24.121.1 no ip http server no ip http secure-server ! ! ! !--- Allow ISAKMP, ESP, and GRE traffic inbound. !--- Cisco IOS Firewall opens inbound access as needed. access-list 100 permit udp any host 14.24.116.1 eq 500 access-list 100 premit esp any host 14.24.116.1 access-list 100 permit gre any host 14.24.116.1 access-list 100 deny ip any any access-list 110 permit ip 192.168.120.0 0.0.0.255 any !--- Except the private network traffic from the NAT process. access-list 110 deny ip 192.168.120.0 0.0.0.255 192.168.116.0 0.0.0.255 access-list 110 deny ip 192.168.120.0 0.0.0.255 192.168.117.0 0.0.0.255 access-list 110 deny ip 192.168.120.0 0.0.0.255 192.168.118.0 0.0.0.255 access-list 110 permit ip 192.168.120.0 0.0.0.255 any ! !--- Except the private network traffic from the NAT process. route-map nonat permit 10 match ip address 110 ! ! line con 0 exec-timeout 0 0 line aux 0 line vty 0 4 login ! end W2N-6.16-1720-A#

Speiche 3 - 1720-A

W2N-6.16-1720-A#write terminal
Building configuration...

Current configuration : 2303 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname W2N-6.16-1720-A
!
logging queue-limit 100
!
memory-size iomem 25
ip subnet-zero
!
!
no ip domain lookup
!
ip cef

!--- This is the Cisco IOS Firewall configuration and what to inspect. !--- This is applied outbound on the external interface.

ip inspect name in2out rcmd
ip inspect name in2out tftp
ip inspect name in2out udp
ip inspect name in2out tcp timeout 43200
ip inspect name in2out realaudio
ip inspect name in2out vdolive
ip inspect name in2out netshow
ip audit notify log
ip audit po max-events 100
!
!
!
!

!--- Create an ISAKMP policy for !--- Phase 1 negotiations.

crypto isakmp policy 5
 authentication pre-share
 group 2

!--- Add dynamic pre-shared key.

crypto isakmp key dmvpnkey address 0.0.0.0 0.0.0.0
!
!

!--- Create the Phase 2 policy for actual data encryption.

crypto ipsec transform-set dmvpnset esp-3des esp-sha-hmac
!

!--- Create an IPsec profile to be applied dynamically !--- to the GRE over IPsec tunnels.

crypto ipsec profile dmvpnprof
 set transform-set dmvpnset
!
!
!
!
!

!--- This is the inbound interface.

interface Loopback1
 ip address 192.168.120.1 255.255.255.0
 ip nat inside
!

!--- Create a GRE tunnel template to be applied to !--- all the dynamically created GRE tunnels.

interface Tunnel1
 description HOST DYNAMIC TUNNEL
 bandwidth 1000
 ip address 172.16.0.4 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication dmvpn
 ip nhrp map multicast dynamic
 ip nhrp map 172.16.0.1 14.24.117.1
 ip nhrp map multicast 14.24.117.1
 ip nhrp network-id 99
 ip nhrp holdtime 300
 ip nhrp nhs 172.16.0.1
 ip ospf network broadcast
 no ip mroute-cache
 delay 1000
 tunnel source FastEthernet0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile dmvpnprof
!
interface Ethernet0
 no ip address
 no ip mroute-cache
 half-duplex
!

!--- This is the outbound interface.

interface FastEthernet0
 ip address 14.24.120.1 255.255.0.0
 ip nat outside
 ip inspect in2out out
 ip access-group 100 in
 no ip mroute-cache
 speed auto
!

!--- Enable a routing protocol to send/receive dynamic !--- updates about the private networks.

router ospf 1
 log-adjacency-changes
 redistribute connected
 network 172.16.0.0 0.0.0.255 area 0
 network 192.168.120.0 0.0.0.255 area 0
!

!--- Except the private network traffic from the NAT process.

ip nat inside source route-map nonat interface FastEthernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 14.24.1.1
ip route 2.0.0.0 255.0.0.0 14.24.121.1
no ip http server
no ip http secure-server
!
!
!

!--- Allow ISAKMP, ESP, and GRE traffic inbound. !--- Cisco IOS Firewall opens inbound access as needed.

access-list 100 permit udp any host 14.24.116.1 eq 500
access-list 100 premit esp any host 14.24.116.1
access-list 100 permit gre any host 14.24.116.1  
access-list 100 deny ip any any
access-list 110 permit ip 192.168.120.0 0.0.0.255 any

!--- Except the private network traffic from the NAT process.

access-list 110 deny   ip 192.168.120.0 0.0.0.255 192.168.116.0 0.0.0.255
access-list 110 deny   ip 192.168.120.0 0.0.0.255 192.168.117.0 0.0.0.255
access-list 110 deny   ip 192.168.120.0 0.0.0.255 192.168.118.0 0.0.0.255
access-list 110 permit ip 192.168.120.0 0.0.0.255 any
!

!--- Except the private network traffic from the NAT process.

route-map nonat permit 10
 match ip address 110
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 login
!
end

W2N-6.16-1720-A#

Überprüfung

Nutzen Sie diesen Abschnitt, um zu überprüfen, ob Ihre Konfiguration ordnungsgemäß funktioniert.

Das Output Interpreter-Tool (OIT) (nur registrierte Kunden) unterstützt bestimmte show-Befehle. Verwenden Sie das OIT, um eine Analyse der show-Befehlsausgabe anzuzeigen.

show crypto isakmp sa: Zeigt den Status der ISAKMP-Sicherheitszuordnung (SA) an.
show crypto engine connections active: Zeigt die Gesamtzahl der Verschlüsselungen/Entschlüsselungen pro SA an.
show crypto ipsec sa: Zeigt die Statistiken der aktiven Tunnel an.
show ip route: Zeigt die Routing-Tabelle an.
show ip ospf neighbor: Zeigt OSPF-Nachbarinformationen auf Schnittstellenbasis an.
show ip nhrp: Zeigt den IP Next Hop Resolution Protocol (NHRP)-Cache an, der optional auf dynamische oder statische Cache-Einträge für eine bestimmte Schnittstelle beschränkt ist.

Fehlerbehebung

In diesem Abschnitt finden Sie Informationen zur Behebung von Fehlern in Ihrer Konfiguration.

Befehle für die Fehlerbehebung

Hinweis: Lesen Sie den Artikel Wichtige Informationen zu Debug-Befehlen, bevor Sie Debug-Befehle verwenden.

debug crypto ipsec: Zeigt IPsec-Ereignisse an.
debug crypto isakmp: Zeigt Meldungen zu IKE-Ereignissen an.
debug crypto engine (Verschlüsselungsmodul debuggen): Zeigt Informationen vom Verschlüsselungsmodul an.

Weitere Informationen zur Fehlerbehebung von IPsec finden Sie unter IP Security Troubleshooting - Understanding and Using debug commands.

Zugehörige Informationen

Revisionsverlauf

Überarbeitung	Veröffentlichungsdatum	Kommentare
1.0	28-May-2003	Erstveröffentlichung

War dieses Dokument hilfreich?

Feedback

Cisco kontaktieren

Eine Supportanfrage öffnen
(Erfordert einen Cisco Servicevertrag)