clarktsin
2009-05-15 17:15
Original poster
1. Lab environment:

   1. Fixed-IP side (FTTB / fixed-IP DSL, etc.)
      I. One public IP address, one Cisco 1841 router
      II. An IOS feature set whose feature code includes k8/k9
   2. Dynamic-IP side (PPPoE dial-up)
      I. Dynamic-IP ADSL plus one Cisco 1721 router
      II. An IOS feature set whose feature code includes y7 and k8/k9

2. Topology diagram:

3. Configuration and notes:

```
hostname C1721_PPPoE
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 28800
crypto isakmp key SeCrEt address 220.166.83.66
crypto isakmp keepalive 10 10
!
crypto ipsec transform-set MySet esp-des esp-md5-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer 220.166.83.66
 set transform-set MySet
 match address 101
!
interface FastEthernet0
 ip address 10.254.254.46 255.255.255.252
!
interface Dialer0
 ! This is the PPPoE virtual dialer interface
 ip address negotiated
 crypto map VPN
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 101 permit ip 10.254.254.44 0.0.0.3 192.168.16.0 0.0.0.255
```

```
hostname C1841_Fixed_IP
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 28800
crypto isakmp key SeCrEt address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 10
!
crypto ipsec transform-set MySet esp-des esp-md5-hmac
!
crypto dynamic-map DyMap 100
 set transform-set MySet
 reverse-route remote-peer 220.166.83.1
!
crypto map VPN 200 ipsec-isakmp dynamic DyMap
!
interface FastEthernet0/1
 ip address 220.166.83.66 255.255.255.0
 crypto map VPN
!
ip route 0.0.0.0 0.0.0.0 220.166.83.1
```

4. Verification:

```
C1721_PPPoE#show crypto isakmp sa
dst             src             state          conn-id slot status
220.166.83.66   218.170.50.162  QM_IDLE              1    0 ACTIVE

C1721_PPPoE#ping 192.168.16.254 source 10.254.254.46

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.16.254, timeout is 2 seconds:
Packet sent with a source address of 10.254.254.46
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/72/92 ms
C1721_PPPoE#
```

5. Supplement:

With the topology above, whenever the C1721's PPPoE session is re-established or the IPsec lifetime expires, the whole VPN goes down. Rebuilding the VPN then depends entirely on interesting traffic defined on the C1721 triggering an IKE negotiation; but what do you do when the traffic originates from the C1841?

Without changing the topology, the only option is to send traffic periodically from the C1721 to the C1841. In a GRE over IPsec design this can be handled by DPD or a routing protocol, but in the PPPoE design you will probably have to configure an RTR that sends ICMP packets periodically, which solves the problem described above.

The RTR syntax is as follows:

```
C1721_PPPoE#sh run | b rtr 99
rtr 99
 type echo protocol ipIcmpEcho 192.168.16.254 source-ipaddr 10.254.254.46
 timeout 1000
rtr schedule 99 life forever start-time now
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 0 0
 authorization exec Local_Auth
 logging synchronous
!
end
C1721_PPPoE#
```
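An added example, not part of clarktsin's post and not Cisco code: a small Python auditor that reads the crypto sections of the two configurations above (copied into constructed sample strings) and reports the settings a security reviewer would flag before putting this tunnel into production: the MD5 ISAKMP hash, a policy with no explicit `encr` line, the `esp-des esp-md5-hmac` transform set, and the wildcard pre-shared key on the C1841 (`address 0.0.0.0 0.0.0.0`), which lets any host that learns the key start an IKE exchange. The hardened configuration it also checks is a hypothetical one written for this example, and the function names `audit_crypto_config` and `isakmp_sa_established` are assumptions of the example. A second helper parses the `show crypto isakmp sa` output from the verification step, so the tunnel state can be polled from a monitoring host alongside the RTR keepalive the post describes.

```python
import re

# Constructed samples: the crypto lines of the two router configurations from the post.
C1721_CONFIG = """\
hostname C1721_PPPoE
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 28800
crypto isakmp key SeCrEt address 220.166.83.66
crypto isakmp keepalive 10 10
!
crypto ipsec transform-set MySet esp-des esp-md5-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer 220.166.83.66
 set transform-set MySet
 match address 101
"""

C1841_CONFIG = """\
hostname C1841_Fixed_IP
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 28800
crypto isakmp key SeCrEt address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 10
!
crypto ipsec transform-set MySet esp-des esp-md5-hmac
"""

# Constructed sample (hypothetical, not from the post): the same policy with the weak
# settings replaced and the key bound to one peer, to show the auditor returning nothing.
HARDENED_CONFIG = """\
hostname C1841_Hardened
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 lifetime 28800
crypto isakmp key SeCrEt address 220.166.83.1
crypto ipsec transform-set MySet esp-aes 256 esp-sha256-hmac
"""

WEAK_ESP_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
WEAK_ISAKMP_HASHES = {"md5"}
WEAK_ISAKMP_CIPHERS = {"des", "3des"}
WILDCARD_KEY = re.compile(r"^crypto isakmp key \S+ address 0\.0\.0\.0 0\.0\.0\.0")


def audit_crypto_config(config: str) -> list[str]:
    """Return one finding per weak IKE/IPsec setting in an IOS running-config text."""
    findings = []
    host = "unknown"
    in_policy = False   # inside an indented 'crypto isakmp policy' block
    saw_encr = False    # whether that block set 'encr' explicitly

    def close_policy():
        nonlocal in_policy
        if in_policy and not saw_encr:
            findings.append(f"{host}: ISAKMP policy has no 'encr' line; the platform "
                            "default applies (DES on older IOS), set it explicitly")
        in_policy = False

    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            close_policy()                      # any top-level line ends the policy block
        parts = line.split()
        if not parts:
            continue
        if line.startswith("hostname "):
            host = parts[1]
        elif line.startswith("crypto isakmp policy "):
            in_policy, saw_encr = True, False
        elif in_policy:
            if parts[0] == "hash" and parts[1] in WEAK_ISAKMP_HASHES:
                findings.append(f"{host}: ISAKMP policy uses weak hash {parts[1]}")
            elif parts[0] == "encr":
                saw_encr = True
                if parts[1] in WEAK_ISAKMP_CIPHERS:
                    findings.append(f"{host}: ISAKMP policy uses weak cipher {parts[1]}")
        elif line.startswith("crypto ipsec transform-set "):
            for token in parts[4:]:             # tokens after the transform-set name
                if token in WEAK_ESP_TRANSFORMS:
                    findings.append(f"{host}: transform-set uses weak transform {token}")
        elif WILDCARD_KEY.match(line):
            findings.append(f"{host}: wildcard pre-shared key (address 0.0.0.0 0.0.0.0); "
                            "any host that knows the key can initiate IKE")
    close_policy()
    return findings


# Constructed sample: the 'show crypto isakmp sa' output from the post's verification step.
ISAKMP_SA_OUTPUT = """\
dst             src             state          conn-id slot status
220.166.83.66   218.170.50.162  QM_IDLE              1    0 ACTIVE
"""


def isakmp_sa_established(show_output: str, peer: str) -> bool:
    """True if 'show crypto isakmp sa' lists an ACTIVE QM_IDLE SA with the given peer."""
    for line in show_output.splitlines():
        parts = line.split()   # dst src state conn-id slot status
        if len(parts) >= 6 and parts[2] == "QM_IDLE" and parts[5] == "ACTIVE":
            if peer in (parts[0], parts[1]):
                return True
    return False


if __name__ == "__main__":
    for cfg in (C1721_CONFIG, C1841_CONFIG, HARDENED_CONFIG):
        for finding in audit_crypto_config(cfg) or ["no findings"]:
            print(finding)
    print("tunnel up:", isakmp_sa_established(ISAKMP_SA_OUTPUT, "220.166.83.66"))
```

The auditor is deliberately line-oriented rather than a full IOS parser: it only needs the fact that IOS indents the body of a `crypto isakmp policy` block and ends it at the next top-level command. The wildcard-key check matters more here than the cipher findings, because the dynamic crypto map on the C1841 accepts IKE from any address by design, so the pre-shared key is the only thing gating who can bring up a tunnel to the fixed-IP side.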