SITE-to-SITE VPN (policy-based: crypto map, no tunnel interfaces)
No GRE tunnels here - the crypto map applied to the outside interface selects the interesting traffic by ACL.
NAT exemption: the inside NAT ACL must deny (exempt) the VPN-interesting traffic BEFORE its permit lines, otherwise packets are translated first and never match the crypto ACL.


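<HQ>
! HQ outside address: 10.2.1.2 (the address both spokes peer with). SPOKE-I = 10.0.1.2, SPOKE-II = 10.1.1.2.
! Caveat: 192.169.0.0/16 is NOT RFC 1918 space - it is publicly routable. Fine for a lab, but use
! 10/8, 172.16/12 or 192.168/16 for real inside networks.
! IKEv1 shown; for a new deployment prefer IKEv2 (crypto ikev2 ...).
<ISAKMP>
<isakmp pol1>
! Policy 1 = current-strength suite (AES-256 / SHA-256 / DH group 14).
! Policy 10 = legacy 3DES / MD5 / group 5, kept only so that a spoke still running the old policy
! can negotiate; delete it once every spoke offers policy 1. 3DES (64-bit block, Sweet32), MD5
! and 1536-bit DH are all deprecated and must never be the only offer.
crypto isakmp policy 1
 encr aes 256
 hash sha256
 auth pre-share
 group 14
 lifetime 86400
crypto isakmp policy 10
 encr 3des
 hash md5
 auth pre-share
 group 5
 lifetime 86400
</isakmp pol1>
<PSK>
! Do NOT use a wildcard key ("address 0.0.0.0 0.0.0.0"): anyone who learns the key could then
! authenticate from any source address. Both spokes have fixed addresses, so bind one key per peer.
! "CISCO" is a lab placeholder - replace it with a long random key, different for each peer.
crypto isakmp key CISCO address 10.0.1.2
crypto isakmp key CISCO address 10.1.1.2
</PSK>
</ISAKMP>
<IPSEC>
    <ACL INSIDE>
! NAT ACL. The deny lines exempt VPN-interesting traffic from translation and must precede the
! permits (first match wins); the permits are what gets translated. The separate "permit icmp"
! lines were shadowed by the preceding "permit ip" and are dropped. Written as config, not as
! "show access-list" output (match counters removed).
ip access-list extended INSIDE
 deny ip 192.169.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny ip 192.169.3.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.169.1.0 0.0.0.255 any
 permit ip 192.169.2.0 0.0.0.255 any
 permit ip 192.169.3.0 0.0.0.255 any
 permit ip 192.169.4.0 0.0.0.255 any
    </ACL INSIDE>
    <ACL VPN-TRAFFIC>
! One crypto ACL per spoke. Each must be the exact mirror of that spoke's own VPN ACL (proxy IDs).
ip access-list extended VPN-SPOKE-I
 permit ip 192.169.1.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended VPN-SPOKE-II
 permit ip 192.169.3.0 0.0.0.255 192.168.3.0 0.0.0.255
    </ACL VPN-TRAFFIC>
    <TS: TS-SPOKEXX>
! AES/SHA-256 set listed first so it is preferred; the 3DES/MD5 set remains only as a fallback
! until every spoke offers AES, then remove it.
crypto ipsec transform-set TS-SPOKEXX-AES esp-aes 256 esp-sha256-hmac
crypto ipsec transform-set TS-SPOKEXX esp-3des esp-md5-hmac
    </TS: TS-SPOKEXX>
    <Crypto MAP CM_SPOKEXX>
! One map entry per spoke. The original had a single entry with both spokes as "set peer" and one
! ACL covering both subnets: several peers in one entry mean failover to the SAME site, so
! HQ-initiated traffic for SPOKE-II would be tried against SPOKE-I first (proxy-ID mismatch)
! before falling over. Consider "set pfs group14" once both ends can be changed together.
crypto map CM_SPOKEXX 10 ipsec-isakmp
 description SPOKE-I
 set peer 10.0.1.2
 set transform-set TS-SPOKEXX-AES TS-SPOKEXX
 match address VPN-SPOKE-I
crypto map CM_SPOKEXX 20 ipsec-isakmp
 description SPOKE-II
 set peer 10.1.1.2
 set transform-set TS-SPOKEXX-AES TS-SPOKEXX
 match address VPN-SPOKE-II
    </Crypto MAP CM_SPOKEXX>
</IPSEC>
<IF OUT+CM>
! Syntax fix: "crypto map CMAP CM_SPOKEXX" is not valid - the interface command takes just the map name.
int gi 0/0
 crypto map CM_SPOKEXX
</IF OUT+CM>
</HQ>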

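<SPOKE-I>
! SPOKE-I outside address: 10.0.1.2; the HQ peer is 10.2.1.2.
! (The section originally closed with </HQ>; fixed to </SPOKE-I>.)
<ISAKMP>
<isakmp pol1>
! Policy 1 = AES-256 / SHA-256 / DH group 14. Policy 10 = legacy 3DES / MD5 / group 5, kept only
! until HQ offers policy 1; remove it afterwards (3DES, MD5 and 1536-bit DH are deprecated).
crypto isakmp policy 1
 encr aes 256
 hash sha256
 auth pre-share
 group 14
 lifetime 86400
crypto isakmp policy 10
 encr 3des
 hash md5
 auth pre-share
 group 5
 lifetime 86400
</isakmp pol1>
<PSK>
! Single fixed peer - no wildcard key. "CISCO" is a lab placeholder; use a long random key that
! matches only HQ's entry for this spoke.
crypto isakmp key CISCO address 10.2.1.2
</PSK>
</ISAKMP>
<IPSEC>
    <ACL INSIDE>
! NAT ACL: deny (exempt) the VPN traffic first, then permit what gets translated. The shadowed
! "permit icmp" lines are dropped; match counters from "show" output removed.
ip access-list extended INSIDE
 deny ip 192.168.1.0 0.0.0.255 192.169.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
    </ACL INSIDE>
    <ACL VPN-TRAFFIC>
! Exact mirror of HQ's crypto ACL for this spoke (192.169.1.0/24 <-> 192.168.1.0/24).
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.169.1.0 0.0.0.255
    </ACL VPN-TRAFFIC>
    <TS: TS-HQ>
! AES/SHA-256 preferred; 3DES/MD5 kept only as a fallback until HQ offers AES.
crypto ipsec transform-set TS-HQ-AES esp-aes 256 esp-sha256-hmac
crypto ipsec transform-set TS-HQ esp-3des esp-md5-hmac
    </TS: TS-HQ>
    <Crypto MAP CM_HQ>
crypto map CM_HQ 10 ipsec-isakmp
 set peer 10.2.1.2
 set transform-set TS-HQ-AES TS-HQ
 match address VPN-TRAFFIC
    </Crypto MAP CM_HQ>
</IPSEC>
<IF OUT+CM>
int gi 0/0
 crypto map CM_HQ
</IF OUT+CM>
</SPOKE-I>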

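<SPOKE-II>
! SPOKE-II outside address: 10.1.1.2; the HQ peer is 10.2.1.2.
! (The section originally closed with </HQ>; fixed to </SPOKE-II>.)
<ISAKMP>
<isakmp pol1>
! Policy 1 = AES-256 / SHA-256 / DH group 14. Policy 10 = legacy 3DES / MD5 / group 5, kept only
! until HQ offers policy 1; remove it afterwards (3DES, MD5 and 1536-bit DH are deprecated).
crypto isakmp policy 1
 encr aes 256
 hash sha256
 auth pre-share
 group 14
 lifetime 86400
crypto isakmp policy 10
 encr 3des
 hash md5
 auth pre-share
 group 5
 lifetime 86400
</isakmp pol1>
<PSK>
! Single fixed peer - no wildcard key. "CISCO" is a lab placeholder; use a long random key that
! matches only HQ's entry for this spoke.
crypto isakmp key CISCO address 10.2.1.2
</PSK>
</ISAKMP>
<IPSEC>
    <ACL INSIDE>
! NAT ACL: deny (exempt) the VPN traffic first, then permit what gets translated. The shadowed
! "permit icmp" lines are dropped; match counters from "show" output removed.
ip access-list extended INSIDE
 deny ip 192.168.3.0 0.0.0.255 192.169.3.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 any
 permit ip 192.168.4.0 0.0.0.255 any
    </ACL INSIDE>
    <ACL VPN-TRAFFIC>
! Exact mirror of HQ's crypto ACL for this spoke (192.169.3.0/24 <-> 192.168.3.0/24).
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.3.0 0.0.0.255 192.169.3.0 0.0.0.255
    </ACL VPN-TRAFFIC>
    <TS: TS-HQ>
! AES/SHA-256 preferred; 3DES/MD5 kept only as a fallback until HQ offers AES.
crypto ipsec transform-set TS-HQ-AES esp-aes 256 esp-sha256-hmac
crypto ipsec transform-set TS-HQ esp-3des esp-md5-hmac
    </TS: TS-HQ>
    <Crypto MAP CM_HQ>
crypto map CM_HQ 10 ipsec-isakmp
 set peer 10.2.1.2
 set transform-set TS-HQ-AES TS-HQ
 match address VPN-TRAFFIC
    </Crypto MAP CM_HQ>
</IPSEC>
<IF OUT+CM>
int gi 0/0
 crypto map CM_HQ
</IF OUT+CM>
</SPOKE-II>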










GRE-over-IPSEC (route-based: GRE tunnel interfaces protected by an IPsec profile)
Tunnel links: /30 subnets (mask 255.255.255.252) carved from 10.0.0.0/24
HQ/SPOKE-I  Tunnel12/Tunnel21 10.0.0.1/10.0.0.2
HQ/SPOKE-II Tunnel13/Tunnel31 10.0.0.5/10.0.0.6

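<HQ>
<Tunnels>
! "tunnel source 10.2.1.2" is HQ's own outside address; the destinations are the spokes' outside
! addresses. The original tunnels had NO "tunnel protection" line, so the IPsec profile below was
! defined but never applied and the GRE traffic crossed the transport in clear text - added here.
! If IOS rejects the second tunnel because both share source 10.2.1.2 and the same profile, add
! the "shared" keyword to both "tunnel protection" lines.
<Tunnel12>
int Tunnel 12
 description ###TO SPOKE-I###
 ip address 10.0.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 10.2.1.2
 tunnel destination 10.0.1.2
 tunnel protection ipsec profile P_SPOKEXX-GRE
</Tunnel12>
<Tunnel13>
! Description fixed: destination 10.1.1.2 is SPOKE-II, not SPOKE-I. Closing tag fixed to </Tunnel13>.
int Tunnel 13
 description ###TO SPOKE-II###
 ip address 10.0.0.5 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 10.2.1.2
 tunnel destination 10.1.1.2
 tunnel protection ipsec profile P_SPOKEXX-GRE
</Tunnel13>
<route>
! Static routes into the tunnels: 192.168.1/2 sit behind SPOKE-I, 192.168.3/4 behind SPOKE-II.
ip route 192.168.1.0 255.255.255.0 Tunnel12
ip route 192.168.2.0 255.255.255.0 Tunnel12
ip route 192.168.3.0 255.255.255.0 Tunnel13
ip route 192.168.4.0 255.255.255.0 Tunnel13
</route>
</Tunnels>
<ISAKMP>
<isakmp pol1>
! Policy 1 = AES-256 / SHA-256 / DH group 14. Policy 10 = legacy 3DES / MD5 / group 5, kept only
! until every spoke offers policy 1; remove it afterwards (3DES, MD5 and 1536-bit DH are deprecated).
crypto isakmp policy 1
 encr aes 256
 hash sha256
 auth pre-share
 group 14
 lifetime 86400
crypto isakmp policy 10
 encr 3des
 hash md5
 auth pre-share
 group 5
 lifetime 86400
</isakmp pol1>
<PSK>
! Do NOT use a wildcard key ("address 0.0.0.0 0.0.0.0"): anyone who learns the key could then
! authenticate from any source address. Both spokes have fixed addresses - one key per peer.
! "CISCO" is a lab placeholder; replace it with a long random key, different for each peer.
crypto isakmp key CISCO address 10.0.1.2
crypto isakmp key CISCO address 10.1.1.2
</PSK>
</ISAKMP>
<IPSEC>
    <TS: TS-SPOKEXX>
! Transport mode is correct for GRE-over-IPsec: the GRE packet already carries the outer addresses.
! AES/SHA-256 set preferred; 3DES/MD5 kept only as a fallback until all spokes offer AES.
crypto ipsec transform-set TS-SPOKEXX-AES esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec transform-set TS-SPOKEXX esp-3des esp-md5-hmac
 mode transport
    </TS: TS-SPOKEXX>
    <ipsec profile P_SPOKEXX>
! The explicit 86400 s SA lifetime (24x the 3600 s default) is dropped: with a 64-bit-block cipher
! like 3DES that is far too much data under one key. Peers negotiate the shorter lifetime, so the
! default applies even if the spokes still carry 86400.
crypto ipsec profile P_SPOKEXX-GRE
 set transform-set TS-SPOKEXX-AES TS-SPOKEXX
    </ipsec profile P_SPOKEXX>
</IPSEC>
</HQ>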

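<SPOKE-I>
<Tunnel21>
! "tunnel protection" was missing: the profile below was defined but never applied, so the GRE
! traffic ran in clear text. Source 10.0.1.2 is this spoke's outside address, 10.2.1.2 is HQ.
int Tunnel 21
 description ###TO HQ###
 ip address 10.0.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 10.0.1.2
 tunnel destination 10.2.1.2
 tunnel protection ipsec profile P_HQ-GRE
</Tunnel21>
<route>
! All HQ-side networks are reached through the tunnel.
ip route 192.169.1.0 255.255.255.0 Tunnel21
ip route 192.169.2.0 255.255.255.0 Tunnel21
ip route 192.169.3.0 255.255.255.0 Tunnel21
ip route 192.169.4.0 255.255.255.0 Tunnel21
</route>

<ISAKMP>
<isakmp pol1>
! Policy 1 = AES-256 / SHA-256 / DH group 14. Policy 10 = legacy 3DES / MD5 / group 5, kept only
! until HQ offers policy 1; remove it afterwards (3DES, MD5 and 1536-bit DH are deprecated).
crypto isakmp policy 1
 encr aes 256
 hash sha256
 auth pre-share
 group 14
 lifetime 86400
crypto isakmp policy 10
 encr 3des
 hash md5
 auth pre-share
 group 5
 lifetime 86400
</isakmp pol1>
<PSK>
! Single fixed peer - no wildcard key. "CISCO" is a lab placeholder; use a long random key that
! matches only HQ's entry for this spoke.
crypto isakmp key CISCO address 10.2.1.2
</PSK>
</ISAKMP>
<IPSEC>
<TS>
! Transport mode is correct for GRE-over-IPsec. AES/SHA-256 preferred; 3DES/MD5 is a fallback only.
crypto ipsec transform-set HQ-AES esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec transform-set HQ esp-3des esp-md5-hmac
 mode transport
</TS>
<ipsec profile P_HQ-GRE>
! Explicit 86400 s SA lifetime dropped in favour of the 3600 s default (peers negotiate the shorter).
crypto ipsec profile P_HQ-GRE
 set transform-set HQ-AES HQ
</ipsec profile P_HQ-GRE>
</IPSEC>
</SPOKE-I>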

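<SPOKE-II>
<Tunnel31>
! "tunnel protection" was missing: the profile below was defined but never applied, so the GRE
! traffic ran in clear text. Source 10.1.1.2 is this spoke's outside address, 10.2.1.2 is HQ.
! Closing tag fixed to </Tunnel31>.
int Tunnel 31
 description ###TO HQ###
 ip address 10.0.0.6 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 10.1.1.2
 tunnel destination 10.2.1.2
 tunnel protection ipsec profile P_HQ-GRE
</Tunnel31>
<route>
! All HQ-side networks are reached through the tunnel.
ip route 192.169.1.0 255.255.255.0 Tunnel31
ip route 192.169.2.0 255.255.255.0 Tunnel31
ip route 192.169.3.0 255.255.255.0 Tunnel31
ip route 192.169.4.0 255.255.255.0 Tunnel31
</route>
<ISAKMP>
<isakmp pol1>
! Policy 1 = AES-256 / SHA-256 / DH group 14. Policy 10 = legacy 3DES / MD5 / group 5, kept only
! until HQ offers policy 1; remove it afterwards (3DES, MD5 and 1536-bit DH are deprecated).
crypto isakmp policy 1
 encr aes 256
 hash sha256
 auth pre-share
 group 14
 lifetime 86400
crypto isakmp policy 10
 encr 3des
 hash md5
 auth pre-share
 group 5
 lifetime 86400
</isakmp pol1>
<PSK>
! Peer address fixed: HQ is 10.2.1.2 (as in the tunnel destination and everywhere else), the
! original had 10.2.1.1, which would never match the incoming IKE peer. Single fixed peer - no
! wildcard key. "CISCO" is a lab placeholder; use a long random key that matches only HQ's entry
! for this spoke.
crypto isakmp key CISCO address 10.2.1.2
</PSK>
</ISAKMP>
<IPSEC>
<TS>
! Transport mode is correct for GRE-over-IPsec. AES/SHA-256 preferred; 3DES/MD5 is a fallback only.
crypto ipsec transform-set HQ-AES esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec transform-set HQ esp-3des esp-md5-hmac
 mode transport
</TS>
<ipsec pol P_HQ-GRE>
! Explicit 86400 s SA lifetime dropped in favour of the 3600 s default (peers negotiate the shorter).
crypto ipsec profile P_HQ-GRE
 set transform-set HQ-AES HQ
</ipsec pol P_HQ-GRE>
</IPSEC>
</SPOKE-II>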