LAN-to-LAN and Easy VPN coexisting!

Posted on 2008-6-26 05:22:57


First, look at the topology shown in the figure above. This is an emulator environment, and the "Internet" segment in the middle is directly connected, so a number of routing issues have to be considered later on. It was designed this way mainly to deepen the understanding of IPsec VPN. Of course, placing an Internet router in the middle and pointing HUB, D1 and D2 at a default route would work just as well.
I. As shown in the figure above, the Internet segment in the middle is directly connected.
1. HUB and D1 build a LAN-to-LAN VPN; at the same time HUB also acts as the Easy VPN server.
2. D2 dials in to the HUB router in Client mode and in Network-Extension mode respectively to reach HUB's internal network (only Client mode is tested here).
3. All site routers perform PAT for the networks behind them.
4. D2's and D1's internal networks communicate with each other; this traffic has to be forwarded through HUB.
II. Analysis
LAN-to-LAN and EZVPN analysis:
1. Between HUB and D1 the encryption points (the peer addresses) are directly connected; for the communication points (the protected subnets) we need to add static routes.
2. Between HUB and D2 the encryption points are directly connected; D2 needs a static route to HUB's communication point. The route from HUB to D2's communication point is generated by RRI (reverse route injection).
3. So that D2 can reach both the Internet and HUB's internal servers, split tunneling has been configured on HUB, and traffic from the internal network to the pool is denied in the NAT ACL.
III. Basic configuration: HUB and D1
HUB builds the LAN-to-LAN tunnel with D1 and the EZVPN tunnel with D2.
HUB is configured in the ISAKMP profile style, D1 in the plain style; the sh run output is given below.
HUB#sh run

version 12.4
!
hostname HUB
!
aaa new-model
!
aaa authentication login remote local
aaa authorization network remote local
!  
username cisco password 0 cisco
!
crypto keyring lan
  pre-shared-key address 202.100.1.1 key cisco
!
crypto isakmp policy 10
authentication pre-share
group 2
!
crypto isakmp client configuration group ccie
key cisco
pool cciepool
acl 101

crypto isakmp profile lan
   keyring lan
   match identity address 202.100.1.1 255.255.255.255

crypto isakmp profile easy
   match identity group ccie
   client authentication list remote
   isakmp authorization list remote
   client configuration address respond        
!
crypto ipsec transform-set ccsp esp-des esp-md5-hmac
!
crypto dynamic-map easy 20
set transform-set ccsp
set isakmp-profile easy
reverse-route
!
crypto map lan 10 ipsec-isakmp
set peer 202.100.1.1
set transform-set ccsp
set isakmp-profile lan
match address vpn
crypto map lan 100 ipsec-isakmp dynamic easy
!
interface Loopback0
ip address 172.17.11.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/0
ip address 202.100.1.10 255.255.255.0
ip nat outside
crypto map lan
!
ip local pool cciepool 10.1.1.1 10.1.1.10
!
ip route 192.168.1.0 255.255.255.0 202.100.1.1   ! route to the communication point (D1's internal network)
!
ip nat inside source list nat interface FastEthernet0/0 overload
ip access-list extended nat
deny   ip 172.17.11.0 0.0.0.255 10.1.1.0 0.0.0.255
deny   ip 172.17.11.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 172.17.11.0 0.0.0.255 any
ip access-list extended vpn
permit ip 172.17.11.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 172.17.11.0 0.0.0.255 10.1.1.0 0.0.0.255
!
end

D1#sh run
!
version 12.4
!
hostname D1
!
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp key cisco address 202.100.1.10
!
crypto ipsec transform-set ccsp esp-des esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
set peer 202.100.1.10
set transform-set ccsp
match address vpn
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/0
ip address 202.100.1.1 255.255.255.0
ip nat outside
crypto map cisco
!
ip route 172.17.11.0 255.255.255.0 202.100.1.10
!
ip nat inside source list nat interface FastEthernet0/0 overload
!
ip access-list extended nat
deny   ip 192.168.1.0 0.0.0.255 172.17.11.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended vpn
permit ip 192.168.1.0 0.0.0.255 172.17.11.0 0.0.0.255
!
end

IV. Achieving D2-D1 connectivity
D1-D2 connectivity analysis:
At this point D2 dials in to the HUB router in Client mode.
1. In the group policy ACL that HUB pushes to D2, add the traffic to D1's internal network so that it is encrypted.
2. In HUB's interesting traffic toward D1, add the traffic from the pool to D1's internal network so that it is encrypted.
3. In D1's interesting traffic toward HUB, add the traffic from the internal network to the pool so that it is encrypted, and deny it in the NAT ACL.
Routes to add:
D2 adds a static route to D1's internal network.
D1 adds a static route to the pool.
All of HUB's ACLs are given below:
HUB#sh access-lists
Extended IP access list 101
    10 permit ip 172.17.11.0 0.0.0.255 10.1.1.0 0.0.0.255
    20 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
Extended IP access list nat
    5 deny ip 172.17.11.0 0.0.0.255 10.1.1.0 0.0.0.255 (35 matches)
    10 deny ip 172.17.11.0 0.0.0.255 192.168.1.0 0.0.0.255 (48 matches)
    20 permit ip 172.17.11.0 0.0.0.255 any (1 match)
Extended IP access list vpn
    10 permit ip 172.17.11.0 0.0.0.255 192.168.1.0 0.0.0.255 (94 matches)
    20 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255 (60 matches)
D1's ACLs:
D1#sh access-lists
Extended IP access list nat
    5 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255 (15 matches)
    10 deny ip 192.168.1.0 0.0.0.255 172.17.11.0 0.0.0.255 (48 matches)
    20 permit ip 192.168.1.0 0.0.0.255 any (1 match)
Extended IP access list vpn
    10 permit ip 192.168.1.0 0.0.0.255 172.17.11.0 0.0.0.255 (94 matches)
    20 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255 (59 matches)
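The two conditions behind steps 2 and 3 above (crypto ACLs on both ends must be mirror images, and every pair the crypto ACL encrypts must be exempted from the PAT ACL before the catch-all permit) are easy to get wrong when a third subnet such as the Easy VPN pool is added. The following script is an added check, not part of the original post: it parses the ACLs shown above, verifies the mirror property between HUB and D1, and flags any encrypted pair that the NAT ACL would still translate. The sample ACLs are those printed on this page; D1_NAT_BEFORE is D1's NAT ACL from section III, before the pool exemption was added, so that the leak is visible.

```python
import ipaddress
# Constructed sample input: the ACLs from section IV of the post; D1_NAT_BEFORE is D1's section-III NAT ACL.
HUB_VPN = """permit ip 172.17.11.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255"""
HUB_NAT = """5 deny ip 172.17.11.0 0.0.0.255 10.1.1.0 0.0.0.255 (35 matches)
10 deny ip 172.17.11.0 0.0.0.255 192.168.1.0 0.0.0.255 (48 matches)
20 permit ip 172.17.11.0 0.0.0.255 any (1 match)"""
D1_VPN = """permit ip 192.168.1.0 0.0.0.255 172.17.11.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255"""
D1_NAT_BEFORE = """deny   ip 192.168.1.0 0.0.0.255 172.17.11.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any"""

def _net(tokens):
    """Consume one IOS address spec (any | ADDR WILDCARD) and return an ip_network."""
    addr = tokens.pop(0)
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    mask = ipaddress.ip_address(wildcard ^ 0xFFFFFFFF)  # wildcard bits -> netmask
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_acl(text):
    """Parse 'permit|deny ip SRC DST' ACEs as (action, src, dst); counters are ignored."""
    entries = []
    for line in text.splitlines():
        tokens = [t for t in line.split() if not t.isdigit()]  # drops sequence numbers
        if len(tokens) < 4 or tokens[1] != "ip":
            continue
        rest = tokens[2:]
        entries.append((tokens[0], _net(rest), _net(rest)))  # src is consumed first
    return entries

def permits(acl):
    return [(s, d) for a, s, d in acl if a == "permit"]

def mirror_mismatches(local_vpn, remote_vpn):
    """Crypto ACLs must mirror: each local permit (S, D) needs a remote permit (D, S)."""
    remote = {(d, s) for s, d in permits(remote_vpn)}
    return [p for p in permits(local_vpn) if p not in remote]

def nat_leaks(vpn, nat):
    """Encrypted pairs the NAT ACL still permits (first match wins, no match = no NAT)."""
    leaks = []
    for s, d in permits(vpn):
        for action, ns, nd in nat:
            if s.subnet_of(ns) and d.subnet_of(nd):
                if action == "permit":
                    leaks.append((s, d))
                break
    return leaks
```

Run against D1_NAT_BEFORE, nat_leaks reports the 192.168.1.0/24 to 10.1.1.0/24 pair: PAT would rewrite the source to 202.100.1.1 before encryption, so the packet would never match D1's crypto ACL.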
The full sh run output is given below:
HUB#sh run
version 12.4
!
aaa new-model
!
aaa authentication login remote local
aaa authorization network remote local
!      
username cisco password 0 cisco
!
crypto keyring lan
  pre-shared-key address 202.100.1.1 key cisco
!
crypto isakmp policy 10
authentication pre-share
group 2
!
crypto isakmp client configuration group ccie
key cisco
pool cciepool
acl 101
crypto isakmp profile lan
   keyring lan
   match identity address 202.100.1.1 255.255.255.255
crypto isakmp profile easy
   match identity group ccie
   client authentication list remote
   isakmp authorization list remote
   client configuration address respond
!         
crypto ipsec transform-set ccsp esp-des esp-md5-hmac
!
crypto dynamic-map easy 20
set transform-set ccsp
set isakmp-profile easy
reverse-route
!
crypto map lan 10 ipsec-isakmp
set peer 202.100.1.1
set transform-set ccsp
set isakmp-profile lan
match address vpn
crypto map lan 100 ipsec-isakmp dynamic easy
!
interface Loopback0
ip address 172.17.11.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/0
ip address 202.100.1.10 255.255.255.0
ip nat outside
crypto map lan
!
ip local pool cciepool 10.1.1.1 10.1.1.10
!
ip route 192.168.1.0 255.255.255.0 202.100.1.1
!
ip nat inside source list nat interface FastEthernet0/0 overload
!
ip access-list extended nat
deny   ip 172.17.11.0 0.0.0.255 10.1.1.0 0.0.0.255
deny   ip 172.17.11.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 172.17.11.0 0.0.0.255 any
ip access-list extended vpn
permit ip 172.17.11.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 172.17.11.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
!
D1#sh run
hostname D1
!
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp key cisco address 202.100.1.10
!
crypto ipsec transform-set ccsp esp-des esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
set peer 202.100.1.10
set transform-set ccsp
match address vpn
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/0
ip address 202.100.1.1 255.255.255.0
ip nat outside
crypto map cisco
!
ip route 10.1.1.0 255.255.255.0 202.100.1.10
ip route 172.17.11.0 255.255.255.0 202.100.1.10
!
ip nat inside source list nat interface FastEthernet0/0 overload
!
ip access-list extended nat
deny   ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
deny   ip 192.168.1.0 0.0.0.255 172.17.11.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended vpn
permit ip 192.168.1.0 0.0.0.255 172.17.11.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
!
D2#sh run
hostname D2
!
crypto ipsec client ezvpn cisco
connect manual
group ccie key cisco
mode client
peer 202.100.1.10
!
interface Loopback0
ip address 192.168.2.1 255.255.255.0
ip nat inside
crypto ipsec client ezvpn cisco inside
!
interface Loopback1
ip address 10.1.1.3 255.255.255.255
!
interface FastEthernet0/0
ip address 202.100.1.2 255.255.255.0
ip nat outside
crypto ipsec client ezvpn cisco
!
ip route 172.17.11.0 255.255.255.0 202.100.1.10
ip route 192.168.1.0 255.255.255.0 202.100.1.10
!
ip nat inside source list nat interface FastEthernet0/0 overload
!
ip access-list extended nat
permit ip 192.168.2.0 0.0.0.255 any
!

Finally, the official document:
lan-to-lan easy isakmp_profiles.pdf (109.69 KB)