I. Lab environment:
1. Fixed-IP side (FTTB / fixed-IP DSL…)
Ⅰ. One public IP address and one Cisco 1841 router
Ⅱ. An IOS image whose feature code includes k8/k9
2. Dynamic-IP side (PPPoE dial-up Internet access)
Ⅰ. Dynamic-IP ADSL and one Cisco 1721 router
Ⅱ. An IOS image whose feature code includes y7 and k8/k9
II. Topology diagram:
III. Configuration and notes:
hostname C1721_PPPoE
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 28800
crypto isakmp key SeCrEt address 220.166.83.66
crypto isakmp keepalive 10 10
!
crypto ipsec transform-set MySet esp-des esp-md5-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer 220.166.83.66
 set transform-set MySet
 match address 101
!
interface FastEthernet0
 ip address 10.254.254.46 255.255.255.252
!
! Dialer0 is the PPPoE virtual dial-up interface
interface Dialer0
 ip address negotiated
 crypto map VPN
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 101 permit ip 10.254.254.44 0.0.0.3 192.168.16.0 0.0.0.255

hostname C1841_Fixed_IP
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 28800
crypto isakmp key SeCrEt address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 10
!
crypto ipsec transform-set MySet esp-des esp-md5-hmac
!
crypto dynamic-map DyMap 100
 set transform-set MySet
 reverse-route remote-peer 220.166.83.1
!
crypto map VPN 200 ipsec-isakmp dynamic DyMap
!
interface FastEthernet0/1
 ip address 220.166.83.66 255.255.255.0
 crypto map VPN
!
ip route 0.0.0.0 0.0.0.0 220.166.83.1
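Before the tunnel can come up, the two configurations above have to agree on the ISAKMP policy, the pre-shared key, the transform set and the address the dynamic side points at. The script below is an added example, not part of the original post: it embeds the two configurations shown above as strings, extracts those parameters with regular expressions, reports any mismatch, and flags the two points a reviewer would raise about this setup, the wildcard key address on the fixed side (any host that knows the key may start IKE with it) and the DES/MD5 algorithms. Function and variable names are the example's own.

```python
import re

# Both configurations are the ones printed on this page, embedded here so the
# check runs offline. Sub-commands are indented with one space as in "show run".
C1721_CFG = """\
hostname C1721_PPPoE
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 28800
crypto isakmp key SeCrEt address 220.166.83.66
crypto isakmp keepalive 10 10
!
crypto ipsec transform-set MySet esp-des esp-md5-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer 220.166.83.66
 set transform-set MySet
 match address 101
!
interface FastEthernet0
 ip address 10.254.254.46 255.255.255.252
!
interface Dialer0
 ip address negotiated
 crypto map VPN
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 101 permit ip 10.254.254.44 0.0.0.3 192.168.16.0 0.0.0.255
"""

C1841_CFG = """\
hostname C1841_Fixed_IP
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 28800
crypto isakmp key SeCrEt address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 10
!
crypto ipsec transform-set MySet esp-des esp-md5-hmac
!
crypto dynamic-map DyMap 100
 set transform-set MySet
 reverse-route remote-peer 220.166.83.1
!
crypto map VPN 200 ipsec-isakmp dynamic DyMap
!
interface FastEthernet0/1
 ip address 220.166.83.66 255.255.255.0
 crypto map VPN
!
ip route 0.0.0.0 0.0.0.0 220.166.83.1
"""

# Algorithms used on this page that no longer meet current strength expectations.
WEAK_ALGORITHMS = {"des", "md5", "esp-des", "esp-md5-hmac"}


def _first(pattern, text):
    """Return group 1 of the first multi-line match, or None when absent."""
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None


def parse_crypto(cfg):
    """Extract the parameters both IKE peers have to agree on (single policy/set)."""
    params = {
        "hash": _first(r"^ hash (\S+)", cfg),
        "auth": _first(r"^ authentication (\S+)", cfg),
        "psk": None,
        "psk_addr": None,
        "transforms": set((_first(r"^crypto ipsec transform-set \S+ (.+)$", cfg) or "").split()),
        "peer": _first(r"^ set peer (\S+)", cfg),
        "crypto_if_ip": None,  # stays None when the address is negotiated (PPPoE)
    }
    m = re.search(r"^crypto isakmp key (\S+) address (\S+)(?: (\S+))?", cfg, re.M)
    if m:
        params["psk"] = m.group(1)
        params["psk_addr"] = m.group(2) + (" " + m.group(3) if m.group(3) else "")
    # Locate the interface block that carries the crypto map and read its static address.
    for block in re.split(r"^(?=interface )", cfg, flags=re.M):
        if block.startswith("interface ") and "\n crypto map " in block:
            params["crypto_if_ip"] = _first(r"^ ip address (\d+\.\d+\.\d+\.\d+) ", block)
    return params


def check_peers(dyn, fixed):
    """Compare a dynamic-IP peer with a fixed-IP peer; return (mismatches, warnings)."""
    mismatches, warnings = [], []
    for field in ("hash", "auth", "psk"):
        if dyn[field] != fixed[field]:
            mismatches.append(f"{field}: {dyn[field]} vs {fixed[field]}")
    if dyn["transforms"] != fixed["transforms"]:
        mismatches.append(f"transform set: {sorted(dyn['transforms'])} vs {sorted(fixed['transforms'])}")
    # The dynamic side must point at the address bound to the fixed side's crypto map.
    if dyn["peer"] != fixed["crypto_if_ip"]:
        mismatches.append(f"peer {dyn['peer']} != fixed-side crypto interface {fixed['crypto_if_ip']}")
    # The fixed side cannot know the dynamic address, so the key is bound to 0.0.0.0 0.0.0.0;
    # any source that presents the key may start IKE, so the key must be strong and unique.
    if fixed["psk_addr"] == "0.0.0.0 0.0.0.0":
        warnings.append("fixed side accepts the pre-shared key from any source address")
    used = {dyn["hash"], fixed["hash"]} | dyn["transforms"] | fixed["transforms"]
    for alg in sorted(used & WEAK_ALGORITHMS):
        warnings.append(f"weak algorithm in use: {alg}")
    return mismatches, warnings


if __name__ == "__main__":
    mism, warn = check_peers(parse_crypto(C1721_CFG), parse_crypto(C1841_CFG))
    print("mismatches:", mism or "none")
    for w in warn:
        print("warning:", w)
```

Run against the page's configurations the script finds no mismatch and four warnings (the wildcard key address plus md5, esp-des and esp-md5-hmac); changing `hash md5` on one side produces a mismatch entry, which is the kind of error that otherwise only shows up as a failed phase 1 negotiation.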
IV. Verification:
C1721_PPPoE#show crypto isakmp sa
dst             src             state          conn-id slot status
220.166.83.66   218.170.50.162  QM_IDLE              1    0 ACTIVE
C1721_PPPoE#ping 192.168.16.254 source 10.254.254.46
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.16.254, timeout is 2 seconds:
Packet sent with a source address of 10.254.254.46
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/72/92 ms
C1721_PPPoE#
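The `show crypto isakmp sa` output above is also what you would poll to notice that the tunnel has gone down after a PPPoE redial. The following Python is an added example, not code from the original post: it parses that output format (the first sample row is the one shown above, the second row is constructed to show a stale SA), decides whether a phase 1 SA to the fixed peer is fully established, and reads the dynamic side's current public address from it. Names and the sample data are the example's own.

```python
# Constructed sample in the layout IOS prints for "show crypto isakmp sa".
# Row 1 is the row shown on this page; row 2 is a made-up stale entry.
SAMPLE_ISAKMP_SA = """\
dst             src             state          conn-id slot status
220.166.83.66   218.170.50.162  QM_IDLE              1    0 ACTIVE
220.166.83.66   203.0.113.7     MM_NO_STATE          2    0 ACTIVE (deleted)
"""


def parse_isakmp_sa(output):
    """Return one dict per SA row, skipping headers, banners and blank lines."""
    rows = []
    for line in output.splitlines():
        fields = line.split()
        # Data rows have at least six columns; the header starts with "dst".
        if len(fields) < 6 or fields[0] == "dst":
            continue
        dst, src, state, conn_id, slot = fields[:5]
        status = " ".join(fields[5:])  # e.g. "ACTIVE" or "ACTIVE (deleted)"
        rows.append({"dst": dst, "src": src, "state": state,
                     "conn_id": int(conn_id), "slot": int(slot), "status": status})
    return rows


def _live_sa(output, fixed_peer):
    """The SA to fixed_peer that completed phase 1 (QM_IDLE) and is ACTIVE, if any."""
    for row in parse_isakmp_sa(output):
        if row["dst"] == fixed_peer and row["state"] == "QM_IDLE" and row["status"] == "ACTIVE":
            return row
    return None


def tunnel_established(output, fixed_peer):
    """True only when an established, active phase 1 SA to fixed_peer exists."""
    return _live_sa(output, fixed_peer) is not None


def current_dynamic_address(output, fixed_peer):
    """The PPPoE side's address changes on every redial; read it from the live SA."""
    row = _live_sa(output, fixed_peer)
    return row["src"] if row else None


if __name__ == "__main__":
    print("tunnel up:", tunnel_established(SAMPLE_ISAKMP_SA, "220.166.83.66"))
    print("dynamic address:", current_dynamic_address(SAMPLE_ISAKMP_SA, "220.166.83.66"))
```

Only `QM_IDLE` together with `ACTIVE` counts as up; a row still in a main-mode state or marked `(deleted)` is not treated as a working tunnel, which is what a monitoring check wants after the C1721's PPPoE session has been re-established.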
V. Supplementary notes:
In the architecture above, whenever the C1721's PPPoE session is re-established or the IPsec lifetime expires, the whole VPN is torn down. Rebuilding it can only rely on interesting traffic defined on the C1721 to trigger the IKE negotiation; but what happens when the traffic originator is the C1841?
Without changing the architecture, the only option is to send traffic from the C1721 to the C1841 periodically. In a GRE over IPsec design this can be handled with DPD or a routing protocol, but in this PPPoE design you will probably have to configure an RTR probe that sends ICMP packets periodically, which solves the problem described above.
The RTR syntax is as follows:
C1721_PPPoE#sh run | b rtr 99
rtr 99
 type echo protocol ipIcmpEcho 192.168.16.254 source-ipaddr 10.254.254.46
 timeout 1000
rtr schedule 99 life forever start-time now
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 0 0
 authorization exec Local_Auth
 logging synchronous
!
end
C1721_PPPoE#
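Whether the RTR probe above can actually bring the tunnel back depends on one detail: its packets must match crypto ACL 101, which is why it is sourced from 10.254.254.46 rather than from the negotiated Dialer0 address. The Python below is an added example, not code from the original post: it implements Cisco wildcard-mask matching for the access list shown on this page and uses it to decide whether a given probe flow counts as interesting traffic. Function names are the example's own.

```python
import ipaddress

# access-list 101 from the C1721 on this page, as (action, src, src-wildcard, dst, dst-wildcard).
CRYPTO_ACL_101 = [
    ("permit", "10.254.254.44", "0.0.0.3", "192.168.16.0", "0.0.0.255"),
]


def _wild_match(addr, base, wildcard):
    """Cisco wildcard semantics: bits set to 1 in the wildcard are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def is_interesting(src, dst, acl=CRYPTO_ACL_101):
    """First matching entry decides; an implicit deny ends the list, as in IOS."""
    for action, src_base, src_wild, dst_base, dst_wild in acl:
        if _wild_match(src, src_base, src_wild) and _wild_match(dst, dst_base, dst_wild):
            return action == "permit"
    return False


def rtr_triggers_ike(probe_source, probe_target, acl=CRYPTO_ACL_101):
    """An RTR/IP SLA echo only re-establishes the tunnel if its packets match the crypto ACL."""
    return is_interesting(probe_source, probe_target, acl)


if __name__ == "__main__":
    # The probe exactly as configured on this page.
    print("from FastEthernet0:", rtr_triggers_ike("10.254.254.46", "192.168.16.254"))
    # Constructed case: the same probe sourced from the PPPoE address seen in section IV.
    print("from Dialer0:      ", rtr_triggers_ike("218.170.50.162", "192.168.16.254"))
```

The second case shows why `source-ipaddr` matters: without it the echo is sourced from the Dialer0 address, which lies outside 10.254.254.44/30, so it never matches ACL 101, never triggers IKE, and leaves the VPN down until some other interesting packet arrives.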