ip access-list extended 1001
permit ip 192.168.0.0 255.255.0.0 any
exit
The rest of the configuration is identical.

VPN3020 configuration

configure terminal
hostname MPSec
mode route
interface untrusted
ip 1.1.1.1 255.255.0.0
ip route 0.0.0.0 0.0.0.0 1.1.1.254
sshd
web port 443
web idle enable
web idle 999
web domain-name maipu.com
end
! firewall config
configure firewall
enable log firewall
policy urlfilter permit
policy dnat permit
policy snat permit
policy ldnat permit
policy access-list input permit
policy access-list forward permit
policy access-list output permit
enable state input
enable state forward
enable state output
enable log defend
end
! vpn config
configure vpn
service ipsec
crypto isakmp identity address
crypto isakmp key maipu any
ip access-list extended 1001
permit ip 192.168.0.0 255.255.0.0 any
exit
crypto map map1 ipsec-isakmp
match address 1001
set peer any
set authentication pre-share
exit
crypto map map1 on untrusted
end

MP801 configuration

Configuration of MP801a and MP801b (the MP801c and MP801d configurations are omitted).

MP801a configuration

ip access-list extended 1001
permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255
exit
ip access-list extended 1002
deny ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.0.0 0.0.0.255 any
exit
crypto isakmp key maipu address 1.1.1.1
crypto ipsec transform-set tr1 esp-des esp-md5-hmac
mode tunnel
exit
crypto map map1 1 ipsec-isakmp
match address 1001
set peer 1.1.1.1
set transform-set tr1
set security-association lifetime seconds 28800
set security-association lifetime kilobytes 4608000
exit
dialer-list 1 protocol ip permit
interface dialer0
ip address negotiated
dialer in-band
dialer pool 1
dialer-group 1
encapsulation ppp
ppp pap sent-username 01234mp@169 password 01234mp
ip nat outside
crypto map map1
exit
interface fastethernet0
ip address 192.168.0.1 255.255.255.0
ip nat inside
exit
interface ethernet0/0
pppoe-client dial-pool-number 1
exit
ip nat inside source list 1002 interface dialer0 overload
ip route 0.0.0.0 0.0.0.0 dialer0

MP801b configuration

ip access-list extended 1001
permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
exit
ip access-list extended 1002
deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.1.0 0.0.0.255 any
exit
crypto isakmp key maipu address 1.1.1.1
crypto ipsec transform-set tr1 esp-des esp-md5-hmac
mode tunnel
exit
crypto map map1 1 ipsec-isakmp
match address 1001
set peer 1.1.1.1
set transform-set tr1
set security-association lifetime seconds 28800
set security-association lifetime kilobytes 4608000
exit
interface fastethernet0
ip address 192.168.1.1 255.255.255.0
ip nat inside
exit
interface ethernet0/0
ip address 2.2.2.1 255.255.255.0
crypto map map1
exit
ip nat inside source list 1002 interface Ethernet0/0 overload
ip route 0.0.0.0 0.0.0.0 2.2.2.254

3.6. Router to router (combined with OSPF and GRE)

3.6.1. Network description:
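The ACL pair on each MP801 carries the one detail that decides whether the site-to-site traffic is actually protected: access-list 1001 selects what the crypto map encrypts, while access-list 1002 (the NAT source list) first denies that same site-to-site flow so that overload NAT does not rewrite its source address. The following Python model is an added example, not code from the page or from Maipu; it re-implements the MP801b lists with wildcard matching and walks packets through the outbound order assumed here (inside-to-outside NAT before the crypto-map check, as on Cisco-style routers; the page does not state the order explicitly). The Internet-bound destination and the "no exemption" list are constructed for comparison.

```python
"""NAT exemption on the MP801 routers: why ACL 1002 denies the site-to-site flow.

Added example, not from the original page. It re-implements, with Python
wildcard matching, the MP801b access-lists 1001 (crypto-map match) and 1002
(NAT source list) and applies them in the assumed outbound order:
inside-to-outside NAT first, then the crypto map on the outside interface.
"""
from ipaddress import IPv4Address

ANY = ("0.0.0.0", "255.255.255.255")  # 'any' as a base/wildcard pair


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask compare: a set bit in the wildcard means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_action(acl, src: str, dst: str) -> str:
    """First matching entry wins; an access-list ends with an implicit deny."""
    for action, src_base, src_wc, dst_base, dst_wc in acl:
        if wildcard_match(src, src_base, src_wc) and wildcard_match(dst, dst_base, dst_wc):
            return action
    return "deny"


# MP801b: ip access-list extended 1001 -> traffic the crypto map protects
ACL_1001 = [("permit", "192.168.1.0", "0.0.0.255", "192.168.0.0", "0.0.255.255")]
# MP801b: ip access-list extended 1002 -> NAT source list with the VPN exemption
ACL_1002 = [("deny",   "192.168.1.0", "0.0.0.255", "192.168.0.0", "0.0.255.255"),
            ("permit", "192.168.1.0", "0.0.0.255", *ANY)]
# Constructed counter-example (not on the page): a NAT list with no exemption line
ACL_1002_NO_EXEMPT = [("permit", "192.168.1.0", "0.0.0.255", *ANY)]
OUTSIDE_IP = "2.2.2.1"  # MP801b ethernet0/0 address from the page


def forward(src: str, dst: str, nat_acl, crypto_acl=ACL_1001, outside_ip=OUTSIDE_IP):
    """Return (source address on the wire, was_nated, was_encrypted).

    Assumed order: the NAT source list is evaluated before the crypto map, so
    a translated packet is matched against ACL 1001 with its new source.
    """
    nated = acl_action(nat_acl, src, dst) == "permit"
    if nated:
        src = outside_ip  # 'overload' (PAT) rewrites the source to the interface address
    encrypted = acl_action(crypto_acl, src, dst) == "permit"
    return src, nated, encrypted


if __name__ == "__main__":
    # Site-to-site flow with the page's ACL 1002: exempt from NAT, then encrypted
    print(forward("192.168.1.20", "192.168.0.10", ACL_1002))           # ('192.168.1.20', False, True)
    # Internet-bound flow (constructed destination): translated, not tunnelled
    print(forward("192.168.1.20", "198.51.100.7", ACL_1002))           # ('2.2.2.1', True, False)
    # Same site-to-site flow without the deny line: NAT runs first, the translated
    # packet no longer matches ACL 1001 and leaves the outside interface in clear
    print(forward("192.168.1.20", "192.168.0.10", ACL_1002_NO_EXEMPT))  # ('2.2.2.1', True, False)
```

The third call is the failure mode to check for when a tunnel "comes up but carries nothing": the SA negotiates, yet the interesting traffic never matches the crypto ACL because NAT has already changed it. Verifying that the deny entry in the NAT list mirrors the permit entry in the crypto list, on both routers, is the quickest review of a configuration like this one.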
Network description: NET1 and NET2 were originally two independent internal networks, each running OSPF as its interior dynamic routing protocol. Because of network expansion, NET1 and NET2 now need to be interconnected, and the dynamic routing protocol should continue to be used across the link. For cost reasons, a VPN network is to be used.

Network analysis: A VPN can interconnect the two LANs, but when each LAN contains many subnets (all of which must take part in the dynamic routing protocol), configuring a separate traffic flow for every subnet pair makes the network very hard to manage and maintain. The decisive problem is that the user still needs to run OSPF: OSPF uses multicast packets, and under the IPSec specification IPSec cannot encrypt multicast packets. We therefore use GRE to encapsulate the OSPF multicast packets and then apply ESP encapsulation to the GRE packets. We also take into account that the MP1762 may be attached through dynamic dial-up, so when configuring GRE its source address cannot be a fixed WAN address. Our solution is to use a loopback address on the MP1762 as the GRE source address, with the destination address being the outside-interface address of the MP2692.
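The analysis above rests on two facts about traffic selectors: a crypto-map selector names unicast endpoints, and an OSPF hello goes to the multicast group 224.0.0.5, so it never matches such a selector until it is wrapped in GRE between two fixed unicast addresses. The Python model below is an added example, not code from the page or from Maipu; it builds a minimal GRE encapsulation of a constructed OSPF hello, checks it against a LAN-to-LAN selector and against a GRE selector pinned to the MP1762 loopback and the MP2692 outside address, and shows why a changing dial-up address would not work as the GRE source. All addresses (NET1, NET2, the loopback, the dial-up address and the MP2692 outside address) are constructed placeholders, not values from the page.

```python
"""GRE-over-IPsec for OSPF: why the multicast hello needs a unicast wrapper.

Added example, not from the original page. Models the reasoning of the
network analysis: an IPsec crypto selector is unicast, an OSPF hello goes to
224.0.0.5, so the hello is wrapped in GRE between two fixed unicast endpoints
(the MP1762 loopback and the MP2692 outside address) that the selector can
match. All addresses below are constructed placeholders.
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

OSPF_ALLSPF = IPv4Address("224.0.0.5")  # AllSPFRouters multicast group (RFC 2328)
PROTO_GRE, PROTO_OSPF = 47, 89
GRE_IPV4 = 0x0800  # GRE protocol-type value for an IPv4 payload (RFC 2784)

# Constructed placeholder addressing (none of these come from the page)
NET1 = IPv4Network("192.168.10.0/24")       # LAN behind MP1762
NET2 = IPv4Network("192.168.20.0/24")       # LAN behind MP2692
LOOPBACK = IPv4Address("10.255.0.1")        # fixed loopback on MP1762, GRE source
DIALUP_ADDR = IPv4Address("203.0.113.77")   # today's dynamically assigned WAN address
PEER_OUTSIDE = IPv4Address("198.51.100.1")  # MP2692 outside interface, GRE destination


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: int
    payload: bytes


def ipv4_header(pkt: Packet) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left zero (illustration only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(pkt.payload),
                       0, 0, 64, pkt.proto, 0, pkt.src.packed, pkt.dst.packed)


def gre_encapsulate(inner: Packet, outer_src: IPv4Address, outer_dst: IPv4Address) -> Packet:
    """Wrap `inner` in a basic GRE header (flags/version 0, protocol type 0x0800)."""
    gre = struct.pack("!HH", 0, GRE_IPV4)
    return Packet(outer_src, outer_dst, PROTO_GRE, gre + ipv4_header(inner) + inner.payload)


def gre_decapsulate(outer: Packet) -> Packet:
    """Reverse of gre_encapsulate: strip GRE and the inner IPv4 header."""
    if outer.proto != PROTO_GRE:
        raise ValueError("not a GRE packet")
    flags, ptype = struct.unpack("!HH", outer.payload[:4])
    if flags != 0 or ptype != GRE_IPV4:
        raise ValueError("unsupported GRE header")
    fields = struct.unpack("!BBHHHBBH4s4s", outer.payload[4:24])
    total_len, proto, src, dst = fields[2], fields[6], fields[8], fields[9]
    return Packet(IPv4Address(src), IPv4Address(dst), proto, outer.payload[24:4 + total_len])


@dataclass(frozen=True)
class Selector:
    """An IPsec traffic selector in the style of a crypto-map access-list entry."""
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[int] = None  # None means any IP protocol

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in (None, pkt.proto)
                and pkt.src in self.src and pkt.dst in self.dst)


# Selector a plain site-to-site design would use: LAN-to-LAN unicast traffic
SITE_SELECTOR = Selector(NET1, NET2)
# Selector for the GRE design: only GRE between the two fixed tunnel endpoints
GRE_SELECTOR = Selector(IPv4Network(f"{LOOPBACK}/32"), IPv4Network(f"{PEER_OUTSIDE}/32"), PROTO_GRE)

# Constructed OSPF hello (version 2, type 1) leaving the MP1762 LAN interface
HELLO = Packet(IPv4Address("192.168.10.1"), OSPF_ALLSPF, PROTO_OSPF, b"\x02\x01" + b"\x00" * 30)


def protected_by(selector: Selector, pkt: Packet) -> bool:
    """True if the selector would steer `pkt` into the IPsec tunnel."""
    return selector.matches(pkt)


if __name__ == "__main__":
    print("raw hello matches site selector:", protected_by(SITE_SELECTOR, HELLO))        # False
    tunnelled = gre_encapsulate(HELLO, LOOPBACK, PEER_OUTSIDE)
    print("GRE(hello) matches GRE selector:", protected_by(GRE_SELECTOR, tunnelled))     # True
    print("round trip intact:", gre_decapsulate(tunnelled) == HELLO)                      # True
    from_dialup = gre_encapsulate(HELLO, DIALUP_ADDR, PEER_OUTSIDE)
    print("GRE from dial-up address matches:", protected_by(GRE_SELECTOR, from_dialup))  # False
```

The last check is the reason for the loopback: if the GRE source were the negotiated dial-up address, the selector (and the remote tunnel endpoint) would have to change every time the MP1762 reconnects, whereas a loopback gives both sides one stable endpoint to pin the ESP policy to.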
3.6.2. Configuration script

Omitted.