实验五GETVPN拓扑:

-------------------------------------------ASA------------------------------------------

! Transit firewall between the GM side (Outside, 202.100.1.0/24: R2/R3) and the KS side
! (Inside, 202.100.2.0/24: R1). It carries no crypto configuration itself; it only has to
! route and to let the GETVPN control plane through.
ASA(config)# int g0

ASA(config-if)# nameif Outside

INFO: Security level for "Outside" set to 0 by default.

ASA(config-if)# ip add 202.100.1.10 255.255.255.0

ASA(config-if)# no sh

ASA(config-if)# int g1

ASA(config-if)# nameif Inside

! Level 100 (Inside) vs 0 (Outside): Inside->Outside flows pass by default, Outside->Inside
! flows do not, so the GM->KS registration traffic needs the explicit ACL below.
INFO: Security level for "Inside" set to 100 by default.

ASA(config-if)# ip add 202.100.2.10 255.255.255.0

ASA(config-if)# no sh

!

! Routing: EIGRP 100 towards the KS (R1 runs EIGRP 100), OSPF 1 towards the GMs (R2/R3 run OSPF 1).
ASA(config)# router eigrp 100

ASA(config-router)# net 202.100.2.0 255.255.255.0

!

ASA(config)# router ospf 1

ASA(config-router)# net 202.100.1.0 255.255.255.0 a 0

!

! Mutual redistribution so the GM loopbacks (2.2.2.2/3.3.3.3, advertised in OSPF) and the KS
! address (202.100.2.1, in EIGRP) are reachable from both sides. EIGRP requires an explicit seed
! metric for imported routes: bandwidth, delay, reliability, load, MTU.
ASA(config)# router eigrp 100

ASA(config-router)# redistribute ospf 1 metric  1 1 1 1 1500

!

! "subnets" is needed for OSPF to import the non-classful EIGRP prefixes.
ASA(config)# router ospf 1

ASA(config-router)# redistribute eigrp 100 subnets

!

! Outside->Inside permits for the GETVPN control plane from the GMs to the KS:
!   udp/500 (isakmp) - IKE phase 1 used for GM registration
!   udp/848          - GDOI registration; the KS's unicast rekeys flow Inside->Outside and pass by default
!   esp              - appears unused in this topology (both GMs sit on the Outside segment and
!                      talk to each other directly), kept as a lab convenience
!   icmp any any     - lab connectivity tests only
! All four entries are "any any"; outside a lab, restrict them to the GM addresses
! (202.100.1.2, 202.100.1.3) and the KS (202.100.2.1). No udp/4500 entry: fine here as no NAT is configured.
ASA(config)# access-list out extended permit icmp any any

ASA(config)# access-list out extended permit udp any any eq isakmp

ASA(config)# access-list out extended permit esp any any

ASA(config)# access-list out extended permit udp any any eq 848

! Note the naming: ACL "out" is applied in the inbound direction on interface Outside.
ASA(config)# access-group out in int Outside

!

----------------------------------------R1(KS)------------------------------------------

! R1 = Key Server (KS). It distributes policy and keys to the GMs; it has no crypto map of its
! own and does not encrypt group data itself.
R1(config)#int f1/0

R1(config-if)#ip add 202.100.2.1 255.255.255.0

R1(config-if)#no sh

!

! EIGRP 100 peers with the ASA's Inside interface (202.100.2.10); classless, so the /24 is advertised as-is.
R1(config)#router eigrp 100

R1(config-router)#no auto-summary

R1(config-router)#network 202.100.2.0 0.0.0.255

!

! RSA key pair "getvpn": this is what the KS signs its rekey messages with (see
! "rekey authentication mypubkey rsa getvpn" below). The domain name is set first because IOS
! key generation expects hostname and domain name. 1024-bit and "exportable" are lab choices:
! a larger modulus is advisable in production, and exportable keys are normally only needed
! when the same pair must be installed on cooperative KSs.
R1(config)#ip domain name qytang.net

R1(config)#crypto key generate rsa label getvpn modulus 1024 exportable

The name for the keys will be: getvpn

% The key modulus size is 1024 bits

% Generating 1024 bit RSA keys, keys will be exportable...[OK]

! Side effect: generating RSA keys enables the SSH server (log below). If SSH management is not
! wanted on the KS, restrict VTY access accordingly.
*Mar  1 00:22:36.055: %SSH-5-ENABLED: SSH 1.99 has been enabled

!

! IKEv1 phase 1 policy used when GMs register; R2 and R3 configure the same policy 10.
! 3DES, DH group 2 and the shared secret "cisco" are lab-grade settings — prefer AES, DH group 14
! or stronger, and per-device secrets in production.
R1(config)#crypto isakmp policy 10

R1(config-isakmp)#encryption 3des

R1(config-isakmp)#authentication pre-share

R1(config-isakmp)#group 2

!

! One pre-shared key per GM ("add" = address): 202.100.1.2 is R2, 202.100.1.3 is R3.
R1(config)#crypto isakmp key cisco add 202.100.1.2

R1(config)#crypto isakmp key cisco add 202.100.1.3

!

! Traffic-selector ACL that the KS pushes to every GM: only loopback-to-loopback traffic between
! R2 (2.2.2.2) and R3 (3.3.3.3) is encrypted. Both directions are listed because the same ACL is
! installed on every GM; traffic not matched here is forwarded by the GMs unencrypted.
R1(config)#ip access-list extended getvpn-traffic

R1(config-ext-nacl)#permit ip host 2.2.2.2 host 3.3.3.3

R1(config-ext-nacl)#permit ip host 3.3.3.3 host 2.2.2.2

!

! IPsec parameters the KS distributes to the GMs; 3DES/SHA-1 again lab-grade.
R1(config)#crypto ipsec transform-set getset esp-3des esp-sha-hmac

!

R1(config)#crypto ipsec profile gdoi-p

R1(ipsec-profile)#set transform-set getset

!

! GDOI group. "identity number 8888" is the group ID and must match on the GMs (R2/R3 use 8888).
! "server local" makes R1 the KS; "address ipv4 202.100.2.1" is the KS address the GMs register to.
R1(config)#crypto gdoi group mygroup

R1(config-gdoi-group)#identity number 8888

R1(config-gdoi-group)#server local

R1(gdoi-local-server)#address ipv4 202.100.2.1

! Rekeys are signed with the "getvpn" RSA pair and sent unicast to each registered GM
! (the alternative is multicast rekey). Rekey lifetime/retransmit are left at defaults here.
R1(gdoi-local-server)#rekey authentication mypubkey rsa getvpn

R1(gdoi-local-server)#rekey transport unicast

! SA 1 binds the traffic-selector ACL to the IPsec profile; this is the policy the GMs download.
R1(gdoi-local-server)#sa ipsec 1

R1(gdoi-sa-ipsec)#match add ipv4 getvpn-traffic

R1(gdoi-sa-ipsec)#profile gdoi-p

--------------------------------------R2(GM)------------------------------------------

! R2 = Group Member (GM). It registers with the KS (202.100.2.1) and encrypts whatever matches the
! ACL the KS hands down (here: traffic between 2.2.2.2 and 3.3.3.3).
R2(config)#int lo 0

! Loopback 2.2.2.2 is the protected endpoint named in the KS ACL.
R2(config-if)#ip add 2.2.2.2 255.255.255.255

R2(config-if)#int f2/0

R2(config-if)#ip add 202.100.1.2 255.255.255.0

R2(config-if)#no sh

!

! OSPF 1 advertises both the loopback and the transit LAN; the ASA redistributes them towards the KS.
R2(config)#router ospf 1

R2(config-router)#network 2.2.2.2 0.0.0.0 a 0

R2(config-router)#net 202.100.1.0 0.0.0.255 a 0

!

! Phase 1 policy mirrors the KS's policy 10 (3des / pre-share / group 2); the same lab-grade
! caveats apply (legacy cipher and DH group, shared secret "cisco").
R2(config)#crypto isakmp policy 10

R2(config-isakmp)#encryption 3des

R2(config-isakmp)#authentication pre-share

R2(config-isakmp)#group 2

!

! The GM authenticates only to the KS; GM-to-GM traffic uses the group keys received from the KS,
! so no per-peer key for R3 is needed.
R2(config)#crypto isakmp key cisco add 202.100.2.1

!

! Same group name and identity number as on the KS; "server add" = address of the KS.
R2(config)#crypto gdoi group mygroup

R2(config-gdoi-group)#identity number 8888

R2(config-gdoi-group)#server add ipv4 202.100.2.1

!

! A GDOI crypto map carries no peer, ACL or transform of its own — all of that comes from the
! group policy; it only references the group.
R2(config)#crypto map cisco 10 gdoi

R2(config-crypto-map)#set group mygroup

!

! Applying the map on the WAN-facing interface starts registration with the KS, so f2/0 must
! already have reachability to 202.100.2.1 (via the ASA).
R2(config)#int f2/0

R2(config-if)#crypto map cisco

!

----------------R3(GM,尽量粘贴R2,修改与R2不同的部分: Loopback地址3.3.3.3、接口f3/0及其地址202.100.1.3)----------------------

! R3 = second Group Member (GM). Same configuration as R2 except for the loopback (3.3.3.3),
! the interface name (f3/0) and its address (202.100.1.3).
R3(config)#int lo 0

! Loopback 3.3.3.3 is the other protected endpoint named in the KS ACL.
R3(config-if)#ip add 3.3.3.3 255.255.255.255

R3(config-if)#int f3/0

R3(config-if)#ip add 202.100.1.3 255.255.255.0

R3(config-if)#no sh

R3(config-if)#exit

! OSPF 1 advertises the loopback and the transit LAN, as on R2.
R3(config)#router ospf 1

R3(config-router)#network 3.3.3.3 0.0.0.0 a 0

R3(config-router)#net 202.100.1.0 0.0.0.255 a 0

R3(config-router)#exit

! Phase 1 policy mirrors the KS's policy 10 (3des / pre-share / group 2) — lab-grade settings.
R3(config)#crypto isakmp policy 10

R3(config-isakmp)#encryption 3des

R3(config-isakmp)#authentication pre-share

R3(config-isakmp)#group 2

R3(config-isakmp)#exit

! Pre-shared key towards the KS only; GM-to-GM traffic is protected with the group keys from the KS.
R3(config)#crypto isakmp key cisco add 202.100.2.1

! Same group name and identity number as on the KS; "server add" = address of the KS.
R3(config)#crypto gdoi group mygroup

R3(config-gdoi-group)#identity number 8888

R3(config-gdoi-group)#server add ipv4 202.100.2.1

! This transcript enters the next global commands from sub-mode prompts (config-gdoi-group,
! config-crypto-map); IOS appears to accept that and leaves the sub-mode implicitly. The crypto
! map again only references the group; applying it on f3/0 starts registration with the KS.
R3(config-gdoi-group)#crypto map cisco 10 gdoi

R3(config-crypto-map)#set group mygroup

R3(config-crypto-map)#int f3/0

R3(config-if)#crypto map cisco

测试: