cisco 双hub双dmvpn配置实例.doc

VPN配置实例系列（一）cisco 双hub双dmvpn配置实例（原创）2011-08-16 17:51（HUB-1）AIR1#show runBuilding configuration.upgrade fpd autoversion 12.4hostname AIR1aaa new-model!aaa authentication login login local noneaaa session-id commonip source-routeip cefno ip domain lookupno ipv6 cef!multilink bundle-name authenticatedusername cisco privilege 15 secret 5 $1$2HQI$6HPxKq33L6fHLOq.mNEJ6.archivelog confighidekeys!crypto isakmp policy 10hash md5authentication pre-sharegroup 2crypto isakmp key two.hub.key address !crypto ipsec transform-set two.hub.set esp-3des esp-md5-hmacmode transport!crypto ipsec profile fileset transform-set two.hub.set!interface Loopback0ip address ip ospf network point-to-point!interface Tunnel0ip address no ip redirectsip mtu 1400ip nhrp authentication two.authip nhrp map multicast dynamicip nhrp network-id 10ip nhrp holdtime 600ip ospf network broadcastip ospf priority 10delay 1000tunnel source Serial1/1tunnel mode gre multipointtunnel key 2012tunnel protection ipsec profile file!interface FastEthernet0/0ip address duplex autospeed auto!interface Serial1/1ip address serial restart-delay 0router ospf 100router-id log-adjacency-changesnetwork 55 area 1network 55 area 0!ip forward-protocol ndip route line con 0exec-timeout 0 0logging synchronouslogin authentication loginstopbits 1line aux 0stopbits 1line vty 0 4!end-(HUB-2)AIR2#show runBuilding configuration.version 12.4hostname AIR2enable password cisco!aaa new-model!aaa authentication login login local none!aaa session-id commonmemory-size iomem 5!ip cefno ip domain lookupip auth-proxy max-nodata-conns 3ip admission max-nodata-conns 3!multilink bundle-name authenticatedusername ezvpn password 0 ezvpnusername air2 secret 5 $1$iT8A$btPfNBneo8ShHP1pJwRyt/archivelog confighidekeys!crypto isakmp policy 10hash md5authentication pre-sharegroup 2crypto isakmp key two.hub.key address !crypto ipsec transform-set two.hub.set esp-3des esp-md5-hmacmode transport!crypto ipsec profile fileset transform-set two.hub.setinterface Loopback0ip address !interface Tunnel0ip address no ip redirectsip mtu 1400ip nhrp authentication two.authip nhrp map multicast dynamicip nhrp network-id 10ip nhrp holdtime 600ip ospf network broadcastip ospf priority 5delay 1000tunnel source Serial1/2tunnel mode gre multipointtunnel key 2012tunnel protection ipsec profile file!interface FastEthernet0/0ip address duplex autospeed auto!interface Serial1/0ip address serial restart-delay 0interface Serial1/2ip address serial restart-delay 0router ospf 100router-id log-adjacency-changesnetwork 55 area 1network 55 area 0ip route line con 0exec-timeout 0 0logging synchronouslogin authentication loginline aux 0login authentication loginline vty 0 4exec-timeout 0 0logging synchronouslogin authentication login!end-(SPOKE-1)IOSFW1#show runBuilding configuration.!version 12.4!hostname IOSFW1aaa new-modelaaa authentication login login local noneaaa session-id commonmemory-size iomem 5ip cefno ip domain lookupip auth-proxy max-nodata-conns 3ip admission max-nodata-conns 3!multilink bundle-name authenticatedusername cisco privilege 15 secret 5 $1$FfyS$.b/nQwuam1J17HEESibRB0archivelog confighidekeyscrypto isakmp policy 10hash md5authentication pre-sharegroup 2crypto isakmp key two.hub.key address !crypto ipsec transform-set two.hub.set esp-3des esp-md5-hmacmode transport!crypto ipsec profile fileset transform-set two.hub.setinterface Loopback0ip address !interface Tunnel0ip address ip mtu 1400ip nhrp authentication two.authip nhrp map ip nhrp network-id 10ip nhrp holdtime 300ip nhrp nhs ip ospf network broadcastip ospf priority 0delay 1000tunnel source Serial1/0tunnel destination tunnel key 2012tunnel protection ipsec profile file!interface Tunnel1ip address ip mtu 1400ip nhrp authentication two.authip nhrp map ip nhrp network-id 10ip nhrp holdtime 300ip nhrp nhs ip ospf network broadcastip ospf priority 0delay 1000tunnel source Serial1/0tunnel destination tunnel key 2012tunnel protection ipsec profile file!interface Serial1/0ip address serial restart-delay 0router ospf 100router-id log-adjacency-changesnetwork 55 area 1network 55 area 1network 55 area 1!ip forward-protocol ndip route line con 0exec-timeout 0 0logging synchronouslogin authentication loginline aux 0line vty 0 4!end-(SPOKE-2)IOSFW2#show runBuilding configuration.version 12.4no service password-encryption!hostname IOSFW2enable password cisco!aaa new-modelaaa authentication login login local noneaaa session-id commonmemory-size iomem 5ip cefno ip domain lookupip auth-proxy max-nodata-conns 3ip admission max-nodata-conns 3!multilink bundle-name authenticated!username iosfw2 secret 5 $1$.S/B$cBe/jtBt23/MpNaFaZ1320archivelog confighidekeys!crypto isakmp policy 10hash md5authentication pre-sharegroup 2crypto isakmp key two.hub.key address !crypto ipsec transform-set two.hub.set esp-3des esp-md5-hmacmode transport!crypto ipsec profile fileset transform-set two.hub.setinterface Loopback0ip address !interface Tunnel0ip address ip mtu 1400ip nhrp authentication two.authip nhrp map ip nhrp network-id 10ip nhrp holdtime 300ip nhrp nhs ip ospf network broadcastip ospf priority 0delay 1000tunnel source Serial1/0tunnel destination tunnel key 2012tunnel protection ipsec profile file!interface Tunnel1ip address ip mtu 1400ip nhrp authentication two.authip nhrp map ip nhrp network-id 10ip nhrp holdtime 300ip nhrp nhs ip ospf network broadcastip ospf priority 0delay 1000tunnel source Serial1/0tunnel destination tunnel key 2012tunnel protection ipsec profile fileinterface Serial1/0ip address serial restart-delay 0router ospf 100router-id log-adjacency-changesnetwork 55 area 1network 55 area 1network 55 area 1ip forward-protocol ndip route line con 0exec-timeout 0 0logging synchronouslogin authentication loginline aux 0login authentication loginline vty 0 4exec-timeout 0 0logging synchronouslogin authentication login!endIOSFW1#show cry isa saIPv4 Crypto ISAKMP SAdst src state conn-id slot status QM_IDLE 1011 0 ACTIVE QM_IDLE 1014 0 ACTIVEIOSFW2#show cry isa saIPv4 Crypto ISAKMP SAdst src state conn-id slot status QM_IDLE 1002 0 ACTIVE QM_IDLE 1001 0 ACTIVEIOSFW1#show cry ipsec sainterface: Tunnel0Crypto map tag: Tunnel0-head-0, local addr protected vrf: (none)local ident (addr/mask/prot/port): (/55/47/0)remote ident (addr/mask/prot/port): (/55/47/0)current_peer port 500PERMIT, flags=origin_is_acl,#pkts encaps: 921, #pkts encrypt: 921, #pkts digest: 921#pkts decaps: 976, #pkts decrypt: 976, #pkts verify: 976#pkts compressed: 0, #pkts decompressed: 0#pkts not compressed: 0, #pkts compr. failed: 0#pkts not decompressed: 0, #pkts decompress failed: 0#send errors 2, #recv errors 0local crypto endpt.: , remote crypto endpt.: path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0current outbound spi: 0x116D44B0(292373680)IOSFW2#show cry ipsec sainterface: Tunnel0Crypto map tag: Tunnel0-head-0, local addr protected vrf: (none)local ident (addr/mask/prot/port): (/55/47/0)remote ident (addr/mask/prot/port): (/55/47/0)current_peer port 500PERMIT, flags=origin_is_acl,#pkts encaps: 791, #pkts encrypt: 791, #pkts digest: 791#pkts decaps: 849, #pkts decrypt: 849, #pkts verify: 849#pkts compressed: 0, #pkts decompressed: 0#pkts not compressed: 0, #pkts compr. failed: 0#pkts not decompressed: 0, #pkts decompress failed: 0#send errors 1, #recv errors 0local crypto endpt.: , remote crypto endpt.: path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0current outbound spi: 0x38CD88C8(952993992)IOSFW1#show cry en