IPSec VPN点到多点

S1/1S1/0S1/1S1/0S1/1S1/2S1/3S1/1S1/2S1/3F0/0F0/0F0/0F0/0Internet上海北京天津南京作者QQ:343782043如图，XX公司总部和3个分支做IPSecVPN互联，总部上海分别和3个分支做IPSecVPN，访问VPN的同时，同时总部和分支用户均可以访问Internet基本配置：上海Router：F0/0-172.16.1.1/24,S1/1-61.100.100.98/252Internet:R1:S1/0-61.100.100.97/30,S1/1-61.100.100.101/30Internet:R2:S1/0-61.100.100.102/30,S1/1-61.100.100.105/30S1/2-61.100.100.109/30,S1/3-61.100.100.113/30北京Router：F0/0-192.168.1.1/24,S1/1-61.100.100.100.106/30天津Router：F0/0-192.168.2.1/24,S1/2-61.100.100.100.110/30南京Router：F0/0-192.168.3.1/24,S1/3-61.100.100.100.114/30InternetR1/R2运行OSPF,模拟公网，上海/北京/天津/南京的路由器上写默认路由，下一跳指给Internet注意事项：1．由于总部上海需要和每个分支建立IPSecVPN,因此3个分支调用一个MAP2．各个站点做NAT的时候需要写ACL将VPN的流量排除,防止VPN流量被NAT转换，导致IPSecVPN建立不成功上海cryptoisakmppolicy1encr3deshashmd5authenticationpre-sharegroup2lifetime3600!cryptoisakmppolicy2encr3deshashmd5authenticationpre-sharegroup2lifetime3600!cryptoisakmppolicy3encr3deshashmd5authenticationpre-sharegroup2lifetime3600cryptoisakmpkey6cisco1address61.100.100.106cryptoisakmpkey6cisco2address61.100.100.110cryptoisakmpkey6cisco3address61.100.100.114!!cryptoipsectransform-setvpn1esp-3desesp-md5-hmaccryptoipsectransform-setvpn2esp-3desesp-md5-hmaccryptoipsectransform-setvpn3esp-3desesp-md5-hmac!cryptomapmap1ipsec-isakmpsetpeer61.100.100.106settransform-setvpn1setpfsgroup2matchaddress100cryptomapmap2ipsec-isakmpsetpeer61.100.100.110settransform-setvpn2setpfsgroup2matchaddress110cryptomapmap3ipsec-isakmpsetpeer61.100.100.114settransform-setvpn3setpfsgroup2matchaddress120!!interfaceFastEthernet0/0ipaddress172.16.1.1255.255.255.0ipnatinside!interfaceSerial1/1ipaddress61.100.100.98255.255.255.252ipnatoutsidecryptomapmap!iproute0.0.0.00.0.0.061.100.100.97!ipnatinsidesourcelistnonat-vpninterfaceSerial1/1overload!ipaccess-listextendednonat-vpndenyip172.16.1.00.0.0.255192.168.1.00.0.0.255denyip172.16.1.00.0.0.255192.168.2.00.0.0.255denyip172.16.1.00.0.0.255192.168.3.00.0.0.255permitip172.16.1.00.0.0.255any!access-list100permitip172.16.1.00.0.0.255192.168.1.00.0.0.255access-list110permitip172.16.1.00.0.0.255192.168.2.00.0.0.255access-list120permitip172.16.1.00.0.0.255192.168.3.00.0.0.255北京cryptoisakmppolicy1encr3deshashmd5authenticationpre-sharegroup2lifetime3600cryptoisakmpkey6cisco1address61.100.100.98!cryptoipsectransform-setvpn1esp-3desesp-md5-hmac!cryptomapmap1ipsec-isakmpsetpeer61.100.100.98settransform-setvpn1setpfsgroup2matchaddress100!interfaceFastEthernet0/0ipaddress192.168.1.1255.255.255.0ipnatinside!interfaceSerial1/1ipaddress61.100.100.106255.255.255.252ipnatoutsidecryptomapmap!iproute0.0.0.00.0.0.061.100.100.105!ipnatinsidesourcelistnonat-vpninterfaceSerial1/1overload!ipaccess-listextendednonat-vpndenyip192.168.1.00.0.0.255172.16.1.00.0.0.255permitip192.168.1.00.0.0.255any!access-list100permitip192.168.1.00.0.0.255172.16.1.00.0.0.255天津cryptoisakmppolicy2encr3deshashmd5authenticationpre-sharegroup2lifetime3600cryptoisakmpkey6cisco2address61.100.100.98!cryptoipsectransform-setVPN2esp-3desesp-md5-hmac!cryptomapmap2ipsec-isakmpsetpeer61.100.100.98settransform-setVPN2setpfsgroup2matchaddress110!interfaceFastEthernet0/0ipaddress192.168.2.1255.255.255.0ipnatinside!interfaceSerial1/2ipaddress61.100.100.110255.255.255.252ipnatoutsidecryptomapmap!!iproute0.0.0.00.0.0.061.100.100.109!ipnatinsidesourcelistnonat-vpninterfaceSerial1/2overload!ipaccess-listextendednonat-vpndenyip192.168.2.00.0.0.255172.16.1.00.0.0.255permitip192.168.2.00.0.0.255any!access-list110permitip192.168.2.00.0.0.255172.16.1.00.0.0.255南京cryptoisakmppolicy3encr3deshashmd5authenticationpre-sharegroup2lifetime3600cryptoisakmpkey6cisco3address61.100.100.98!cryptoipsectransform-setvpn3esp-3desesp-md5-hmac!cryptomapmap3ipsec-isakmpsetpeer61.100.100.98settransform-setvpn3setpfsgroup2matchaddress120!interfaceFastEthernet0/0ipaddress192.168.3.1255.255.255.0ipnatinside!interfaceSerial1/3ipaddress61.100.100.114255.255.255.252ipnatoutsidecryptomapmap!iproute0.0.0.00.0.0.061.100.100.113!ipnatinsidesourcelistnonat-vpninterfaceSerial1/3overload!ipaccess-listextendednonat-vpndenyip192.168.3.00.0.0.255172.16.1.00.0.0.255permitip192.168.3.00.0.0.255any!access-list120permitip192.168.3.00.0.0.255172.16.1.00.0.0.255