A.R1(HUB):
① Phase 1:
crypto keyring R4
pre-shared-key address 202.100.2.4 key cisco
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp profile isakmpprofile
keyring R4
match identity address 20.1.1.5
match identity address 30.1.1.6
virtual-template 1
--------- Note: the identity addresses in the isakmp profile must be the spokes' real addresses, not their post-NAT addresses.
② Phase 2:
crypto ipsec transform-set transet esp-3des esp-sha-hmac
③ IPsec profile tying together the Phase 1 and Phase 2 policies:
crypto ipsec profile ipsecprofile
set transform-set transet
set isakmp-profile isakmpprofile
④ Dynamic VTI configuration:
interface Loopback100
ip address 172.16.1.1 255.255.255.0
interface Virtual-Template1 type tunnel
ip unnumbered Loopback100
tunnel source FastEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsecprofile
Note: an IP address cannot be configured directly on the virtual-template interface.
B.R5(Spoke):
① Phase 1:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 202.100.1.2
② Phase 2:
crypto ipsec transform-set transet esp-3des esp-sha-hmac
③ IPsec profile tying in the Phase 2 policy:
crypto ipsec profile ipsecprofile
set transform-set transet
④ Static VTI configuration:
interface Tunnel0
ip address 172.16.1.5 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 202.100.1.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsecprofile
C.R6(Spoke):
① Phase 1:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 202.100.1.2
② Phase 2:
crypto ipsec transform-set transet esp-3des esp-sha-hmac
③ IPsec profile tying in the Phase 2 policy:
crypto ipsec profile ipsecprofile
set transform-set transet
④ Static VTI configuration:
interface Tunnel0
ip address 172.16.1.6 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 202.100.1.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsecprofile
D. Dynamic routing configuration:
①R1
router eigrp 10
network 172.16.1.0 0.0.0.255
network 192.168.1.0
no auto-summary
②R5
router eigrp 10
network 172.16.1.0 0.0.0.255
network 192.168.2.0
no auto-summary
③R6
router eigrp 10
network 172.16.1.0 0.0.0.255
network 192.168.3.0
no auto-summary
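The hub's crypto configuration above (A.①–③), as an added example that is not part of the original page or of Cisco's tooling: a small Python linter that parses the config, flags the Phase 1 and Phase 2 algorithm choices used here (3DES, MD5, DH group 2) as below current guidance, and checks that every keyring, isakmp-profile and transform-set reference resolves to a defined object. The running-config indentation of the sample and the weakness thresholds are assumptions.

```python
# Added example, not Cisco code: lint an IOS crypto config for weak IKE/IPsec algorithms
# and for keyring / isakmp-profile / transform-set references that never resolve.
# Constructed sample: R1's crypto config from this page, indented like a running-config.
HUB_CONFIG = """\
crypto keyring R4
 pre-shared-key address 202.100.2.4 key cisco
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp profile isakmpprofile
 keyring R4
 match identity address 20.1.1.5
 match identity address 30.1.1.6
 virtual-template 1
crypto ipsec transform-set transet esp-3des esp-sha-hmac
crypto ipsec profile ipsecprofile
 set transform-set transet
 set isakmp-profile isakmpprofile
"""
# Phase-1 values and ESP transforms below current guidance (DES/3DES, MD5, DH groups 1/2/5).
WEAK = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}
# For each referenceable kind: the top-level line prefix and the word index of its name.
NAME_AT = {"keyring": ("crypto keyring ", 2), "isakmp-profile": ("crypto isakmp profile ", 3),
           "transform-set": ("crypto ipsec transform-set ", 3)}
def parse_blocks(cfg):
    # Map each top-level line to the list of its indented child lines.
    blocks, head = {}, None
    for line in cfg.splitlines():
        if line and line[0] != " ":
            head = line.strip()
            blocks[head] = []
        elif line.strip() and head:
            blocks[head].append(line.strip())
    return blocks
def lint(cfg):
    # Return findings as strings; an empty list means nothing was flagged.
    blocks, findings = parse_blocks(cfg), []
    defined = {(k, h.split()[i]) for h in blocks for k, (p, i) in NAME_AT.items() if h.startswith(p)}
    for head, body in blocks.items():
        if head.startswith("crypto isakmp policy "):  # phase-1 proposal
            for kw, _, val in (i.partition(" ") for i in body):
                if val in WEAK.get(kw, ()):
                    findings.append(f"{head}: weak {kw} {val}")
        elif head.startswith("crypto ipsec transform-set "):  # phase-2 proposal
            findings += [f"{head}: weak transform {t}" for t in head.split()[4:] if t in WEAK_ESP]
        for parts in (i.split() for i in body):  # keyring X / set transform-set X / set isakmp-profile X
            if len(parts) > 1 and parts[-2] in NAME_AT and tuple(parts[-2:]) not in defined:
                findings.append(f"{head}: {parts[-2]} {parts[-1]} is referenced but never defined")
    return findings
```

Running lint(HUB_CONFIG) on the page's hub config yields four findings (encr 3des, hash md5, group 2, esp-3des) and no dangling references.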
5. Verification:
R1#show ip int brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        10.1.1.1        YES manual up                    up
FastEthernet0/1        unassigned      YES unset  administratively down down
Virtual-Access1        unassigned      YES unset  down                  down
Virtual-Template1      172.16.1.1      YES TFTP   down                  down
Virtual-Access2        172.16.1.1      YES TFTP   up                    up
Virtual-Access3        172.16.1.1      YES TFTP   up                    up
Loopback0              192.168.1.1     YES manual up                    up
Loopback100            172.16.1.1      YES manual up                    up
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.1.1.1        202.100.2.4     QM_IDLE           1006    0 ACTIVE
10.1.1.1        202.100.2.4     QM_IDLE           1005    0 ACTIVE
R1#show crypto engine connections active
Crypto Engine Connections
  ID Interface  Type  Algorithm  Encrypt Decrypt IP-Address
  11 Fa0/0      IPsec 3DES+SHA         0     475 10.1.1.1
  12 Fa0/0      IPsec 3DES+SHA       491       0 10.1.1.1
  13 Fa0/0      IPsec 3DES+SHA         0     242 10.1.1.1
  14 Fa0/0      IPsec 3DES+SHA       244       0 10.1.1.1
1005 Fa0/0      IKE   MD5+3DES         0       0 10.1.1.1
1006 Fa0/0      IKE   MD5+3DES         0       0 10.1.1.1