To solve the problem that the hub cannot initiate the connection, use DDNS: apply for a dynamic domain name for each branch, and the hub can then set its peer to the branch's dynamic domain name and initiate the connection itself.
Router dynamic domain name configuration:
ip ddns update method <name>
 HTTP
  add http://username:password@<s>/nic/update?system=dyndns&hostname=<h>&myip=<a>
  (the URL contains "?", which the IOS CLI treats as the help key; press Ctrl+V first and then type "?" so it is entered literally)
 exit
 interval maximum 28 0 0 0
interface Dialer 1
 ip ddns update hostname <registered domain name>
 ip ddns update <name> host members.dyndns.org
IPsec *** dynamic domain name configuration
ip name-server 202.106.0.20  (the DNS server the router uses to resolve the domain name)
crypto isakmp key 0 cisco address 61.149.0.0 255.255.0.0
crypto isakmp key 0 cisco address 222.129.0.0 255.255.0.0
 (these are the address ranges the branches may obtain; 0.0.0.0 0.0.0.0 can be used instead to match any address)
crypto map cisco 10 ipsec-isakmp
 set peer <domain name> dynamic  (without "dynamic" the name is resolved only once and that IP address is fixed in the configuration)
 set transform-set cisco
 match address ***
Dynamic domain name resolution
To solve the problem that with a dynamic map the hub cannot initiate the connection, and also the case where both ends obtain their addresses dynamically, dynamic DNS (DDNS) can be used. Apply for a dynamic domain name for each branch; the hub can then set each peer to the branch's dynamic domain name and initiate the connection itself.
Configuration
Configure DDNS
ip ddns update method method_name
 HTTP
  add http://username:password@<s>/nic/update?system=dyndns&hostname=<h>&myip=<a>
  (the username and password are the ones obtained from the DDNS provider; the rest of the URL is fixed)
 exit
 interval maximum day hour minute second
interface dialer1
 ip ddns update hostname register_domain_name
 ip ddns update method_name host DDNS_ISP_domain
 (associates the second-level domain name registered with the dynamic DNS provider with this dialer interface; the address of this interface and that domain name are kept in sync)
ip name-server DNS_IP
crypto isakmp key 0 keystring address IP mask
 (set the subnets the branches may obtain; 0.0.0.0 0.0.0.0 can also be used; the host form cannot be used here, it is only used with certificate authentication)
crypto map crypto_map_name number ipsec-isakmp
 set peer register_domain_name dynamic  (dynamic must be configured; otherwise the registered domain name is resolved via the DNS server right away and the resulting IP address is written into the configuration)
 set transform-set tr_set_name
 match address acl
The remaining configuration is the same as for LAN-to-LAN (L2L).
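The update URL above is a dyndns2-style request: the router substitutes the `<s>`, `<h>` and `<a>` placeholders (server, registered hostname, current interface address) and sends it when the dialer's address changes or the configured `interval maximum` elapses, and the provider expects the user:password part as HTTP Basic authentication. The following Python is an added example, not part of these notes and not Cisco's implementation; it emulates that client side so the fixed part of the URL, the wire request, the provider's reply codes and the "send or stay quiet" decision can be seen offline. The server name, hostname, credentials and addresses are constructed sample values.

```python
"""Emulation of what an IOS 'ip ddns update method' with an HTTP 'add' URL
does when it fires.  Added example with constructed values; not router code."""
import base64
from urllib.parse import urlsplit

# The update URL as it would be entered on the router.  <s>, <h> and <a> are
# the placeholders the router fills in at update time: server, registered
# hostname and the interface's current address.  (constructed credentials)
METHOD_URL = "http://ddnsuser:s3cret@<s>/nic/update?system=dyndns&hostname=<h>&myip=<a>"

# 'interval maximum 28 0 0 0' = 28 days: re-send even if the address is unchanged.
INTERVAL_MAXIMUM_SECONDS = 28 * 24 * 3600


def expand_url(template, server, hostname, address):
    """Substitute the three IOS placeholders; the rest of the URL is fixed."""
    return (template.replace("<s>", server)
                    .replace("<h>", hostname)
                    .replace("<a>", address))


def build_request(url):
    """Render the HTTP/1.1 GET for an expanded URL.
    The user:password part becomes an HTTP Basic Authorization header; over
    plain http:// that is only base64, so the transport to the provider matters."""
    parts = urlsplit(url)
    creds = base64.b64encode(f"{parts.username}:{parts.password}".encode()).decode()
    target = parts.path + (f"?{parts.query}" if parts.query else "")
    return (f"GET {target} HTTP/1.1\r\n"
            f"Host: {parts.hostname}\r\n"
            f"Authorization: Basic {creds}\r\n"
            "User-Agent: example-ddns-client/1.0\r\n"
            "\r\n")


# dyndns2 reply codes: the body is one line such as "good 61.149.10.20".
_OK = {"good": "updated", "nochg": "unchanged"}
_CONFIG_ERROR = {"badauth", "nohost", "notfqdn", "badagent", "abuse"}
_SERVER_ERROR = {"911", "dnserr"}


def classify_reply(body):
    """Map the provider's one-line reply to an action for the operator."""
    code = body.strip().split()[0] if body.strip() else ""
    if code in _OK:
        return _OK[code]
    if code in _CONFIG_ERROR:
        return "config-error"   # credentials or hostname wrong; retrying will not help
    if code in _SERVER_ERROR:
        return "server-error"   # transient; retry after a back-off
    return "unknown"


def update_due(current_address, last_sent_address, seconds_since_last_update):
    """Router-side decision: send when the address changed or the maximum
    interval elapsed; otherwise stay quiet (needless updates get hosts blocked)."""
    if current_address != last_sent_address:
        return True
    return seconds_since_last_update >= INTERVAL_MAXIMUM_SECONDS


if __name__ == "__main__":
    url = expand_url(METHOD_URL, "members.dyndns.org", "branch1.dyndns.org", "61.149.10.20")
    print(build_request(url))
    print(classify_reply("good 61.149.10.20"))
```

Running the block prints the request the hub's DNS lookup ultimately depends on; a reply of `badauth` or `nohost` means the `add` line needs correcting, whereas `911` or `dnserr` only calls for waiting and retrying.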
Easy VPN server configuration (dynamic crypto map with an ISAKMP profile):
aaa new-model  (required before any aaa command)
aaa authentication login linepro line none
aaa authentication login x1.5 local
aaa authorization network x1.5 local
username cisco password cisco
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
 exit
ip local pool ***.pool 172.16.1.11 172.16.1.20
crypto isakmp client configuration group zxg
 key cisco
 pool ***.pool
crypto isakmp profile cisco
 match identity group zxg
 client authentication list x1.5
 isakmp authorization list x1.5
 client configuration address respond
crypto ipsec transform-set cisco esp-des esp-md5-hmac
crypto dynamic-map cisco 10
 set transform-set cisco
 set isakmp-profile cisco
 exit
crypto map cisco 10 ipsec-isakmp dynamic cisco
*PPPoE server configuration:*
GW:
interface f0/0
 no shutdown
 no ip address  (no IP address is needed)
 pppoe enable  (enables PPPoE on the interface)
username pppoeuser password 0 cisco
ip local pool pppoe.pool 202.100.1.100 202.100.1.200
bba-group pppoe global
 virtual-template 1
interface virtual-template 1
 ip unnumbered loopback 0
 peer default ip address pool pppoe.pool  (must name the pool defined above)
 ppp authentication pap  (the default policy of many carriers in China)
Router PPPoE client configuration (1)
PPPoE client:
interface f0/0
 no ip address  (no IP address is needed)
 pppoe-client dial-pool-number 1  (enables the PPPoE client and ties the interface to dialer pool 1)
interface dialer 1
 ip address negotiated
 ip mtu 1492  (1500 minus the 8 bytes of PPPoE and PPP headers)
 encapsulation ppp
 dialer pool 1
 ppp authentication pap callin  (callin: only incoming calls are authenticated; on callout the peer is not authenticated)
 ppp pap sent-username pppoeuser password 0 cisco
ip access-list extended pat
 permit ip 20.1.1.0 0.0.0.255 any
ip nat inside source list pat interface dialer 1 overload
interface loopback 0
 ip address 20.1.1.1 255.255.255.0
 ip nat inside
interface dialer 1
 ip nat outside
ip route 0.0.0.0 0.0.0.0 dialer1 permanent  (permanent: the route is kept even when the interface goes down)