GW1:
crypto isakmp policy 10
authentication pre-share
! Address range from which the peer may obtain its IP address; 0.0.0.0 0.0.0.0 can also be used
crypto isakmp key cisco address 64.1.1.0 255.255.255.0
!
crypto ipsec transform-set SET esp-3des esp-md5-hmac
!
! Configure the dynamic map
crypto dynamic-map dymap 10
set transform-set SET
set pfs group5
!
! Associate the dynamic map with the crypto map
crypto map cisco 1000 ipsec-isakmp dynamic dymap
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet1/0
ip address 202.1.1.1 255.255.255.0
duplex auto
speed auto
! Apply the regular crypto map to the interface
crypto map cisco
!
ip route 0.0.0.0 0.0.0.0 202.1.1.10
Internet:
ip dhcp excluded-address 64.1.1.10
!
ip dhcp pool VPN
network 64.1.1.0 255.255.255.0
default-router 64.1.1.10
!
interface FastEthernet1/0
ip address 202.1.1.10 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/1
ip address 64.1.1.10 255.255.255.0
duplex auto
speed auto
GW2:
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 202.1.1.1
!
crypto ipsec transform-set SET esp-3des esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
set peer 202.1.1.1
set transform-set SET
set pfs group5
match address vpn
!
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet1/0
ip address dhcp
duplex auto
speed auto
crypto map cisco
!
ip route 0.0.0.0 0.0.0.0 64.1.1.10
ip route 0.0.0.0 0.0.0.0 64.1.1.10 254
!
ip access-list extended vpn
permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
Only GW2 can initiate IPSec traffic; GW1 cannot initiate first, because its dynamic map has no peer address to connect to.
Source: 億恩科技 [mszdt.com]
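An added example, not part of the original page: a Python check over the crypto lines of the GW1 and GW2 configs above (embedded as constructed sample input) that reports which side can initiate, whether each pre-shared key entry covers the other peer's address, and whether the phase 2 settings agree. The function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample input: crypto lines copied from the GW1 and GW2 configs above.
GW1 = """crypto isakmp key cisco address 64.1.1.0 255.255.255.0
crypto ipsec transform-set SET esp-3des esp-md5-hmac
crypto dynamic-map dymap 10
 set transform-set SET
 set pfs group5
crypto map cisco 1000 ipsec-isakmp dynamic dymap
"""
GW2 = """crypto isakmp key cisco address 202.1.1.1
crypto ipsec transform-set SET esp-3des esp-md5-hmac
crypto map cisco 10 ipsec-isakmp
 set peer 202.1.1.1
 set transform-set SET
 set pfs group5
 match address vpn
"""

def can_initiate(config):
    """True if a static crypto map entry has both a peer and a traffic ACL.
    An entry bound to a dynamic map has neither, so it can only respond."""
    in_map = peer = acl = False
    for line in config.splitlines():
        if not line.startswith(" "):  # top-level command closes the previous entry
            if in_map and peer and acl:
                return True
            in_map = bool(re.match(r"crypto map \S+ \d+ ipsec-isakmp$", line.rstrip()))
            peer = acl = False
        elif in_map:
            peer = peer or line.strip().startswith("set peer ")
            acl = acl or line.strip().startswith("match address ")
    return in_map and peer and acl

def key_covers(config, peer_ip):
    """True if some 'crypto isakmp key ... address' entry matches peer_ip."""
    pattern = r"(?m)^crypto isakmp key \S+ address (\S+)(?: (\S+))?[ \t]*$"
    for addr, mask in re.findall(pattern, config):
        net = ipaddress.ip_network(f"{addr}/{mask or '255.255.255.255'}", strict=False)
        if ipaddress.ip_address(peer_ip) in net:
            return True
    return False

def phase2_proposal(config):
    """Transform list and PFS group configured for IPSec phase 2."""
    transforms = re.search(r"(?m)^crypto ipsec transform-set \S+ (.+)$", config).group(1)
    pfs = re.search(r"(?m)^\s*set pfs (\S+)", config)
    return tuple(transforms.split()), pfs.group(1) if pfs else None
```

`can_initiate(GW2)` is true and `can_initiate(GW1)` is false, which matches the statement above; `key_covers(GW1, "64.1.1.1")` uses an assumed address from the DHCP pool.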