RRI requirements: no static routes may be configured on GW1 and GW2; RRI is used to generate the static routes automatically.

Inside.1 and Inside.2 are the routers of the two internal networks, and they run OSPF with GW1 and GW2 respectively. GW1 and GW2 use a VPN so that 1.1.1.0 and 2.2.2.0 can communicate.

Step 1: Basic configuration (directly connected interfaces, OSPF for the two internal networks, and so on)

I won't explain much here. It is simple, so I'll just post the show run output. Note that the version is 12.4 throughout; the RRI configuration differs slightly from 12.2.

Inside.1#show run
interface Serial1/1
 ip address 1.1.1.1 255.255.255.0
 serial restart-delay 0
router ospf 12
 router-id 1.1.1.1
 log-adjacency-changes
 network 1.1.1.1 0.0.0.0 area 0

GW1#show run
interface Serial1/0
 ip address 1.1.1.10 255.255.255.0
 serial restart-delay 0
interface Serial1/1
 ip address 202.100.1.1 255.255.255.0
 serial restart-delay 0
router ospf 12
 router-id 2.2.2.2
 log-adjacency-changes
 network 1.1.1.10 0.0.0.0 area 0
ip route 202.100.2.1 255.255.255.255 202.100.1.10 (route to the peer's encryption endpoint)

Inside.2#show run
interface Serial1/3
 ip address 2.2.2.2 255.255.255.0
 serial restart-delay 0
router ospf 29
 router-id 4.4.4.4
 log-adjacency-changes
 network 2.2.2.2 0.0.0.0 area 0

GW2#show run
interface Serial1/0
 ip address 202.100.2.1 255.255.255.0
 serial restart-delay 0
interface Serial1/2
 ip address 2.2.2.10 255.255.255.0
 serial restart-delay 0
router ospf 29
 router-id 3.3.3.3
 log-adjacency-changes
 network 2.2.2.10 0.0.0.0 area 0
ip route 202.100.1.1 255.255.255.255 202.100.2.10 (route to the peer's encryption endpoint)

Step 2: Configure the LAN-to-LAN VPN

GW1(config)#do show run | b crypto
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 202.100.2.1
crypto ipsec transform-set weiba esp-3des esp-md5-hmac
crypto map redhat 10 ipsec-isakmp
 set peer 202.100.2.1
 set transform-set weiba
 match address vpn
ip access-list extended vpn
 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
interface Serial1/1
 ip address 202.100.1.1 255.255.255.0
 crypto map redhat

GW2(config)#do show run
isakmp
 set peer 202.100.1.1
 set transform-set weiba
 match address vpn
ip access-list extended vpn
 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
interfac
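
The crypto ACLs on GW1 and GW2 have to mirror each other, and RRI derives its static routes from the ACL destinations. The Python check below is an added example, not part of the original write-up: the dict layout and function names are hypothetical, the peer addresses and ACL entries are copied from the two gateway configs, and the route format assumes RRI installs each ACL destination with the crypto peer as next hop.

```python
import ipaddress
import re

# Constructed input: peer address and crypto ACL entries copied from the GW1/GW2 configs.
GW1 = {"peer": "202.100.2.1", "acl": ["permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255"]}
GW2 = {"peer": "202.100.1.1", "acl": ["permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255"]}

# Only "permit ip <addr> <wildcard> <addr> <wildcard>" is handled; "host"/"any" are rejected.
ACE = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)$")


def wildcard_to_net(addr, wildcard):
    """Convert an IOS address/wildcard pair to an ip_network.

    Raises ValueError for non-contiguous wildcards or addresses with host bits set.
    """
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}")


def parse_acl(lines):
    """Return [(source_net, dest_net), ...] for every ACL entry."""
    pairs = []
    for line in lines:
        m = ACE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACL entry: {line!r}")
        src, swc, dst, dwc = m.groups()
        pairs.append((wildcard_to_net(src, swc), wildcard_to_net(dst, dwc)))
    return pairs


def is_mirrored(local, remote):
    """True when each local (src, dst) has a matching remote (dst, src), and vice versa."""
    swapped = {(dst, src) for src, dst in parse_acl(remote["acl"])}
    return set(parse_acl(local["acl"])) == swapped


def expected_rri_routes(gw):
    """Routes RRI is assumed to inject: each ACL destination via the crypto peer."""
    return sorted({f"{dst.network_address} {dst.netmask} via {gw['peer']}"
                   for _, dst in parse_acl(gw["acl"])})


if __name__ == "__main__":
    print("ACLs mirrored:", is_mirrored(GW1, GW2))
    for name, gw in (("GW1", GW1), ("GW2", GW2)):
        print(name, expected_rri_routes(gw))
```

The derived next hops are the peer addresses, which is why each gateway still needs the host route to the remote encryption endpoint shown in Step 1.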