本文转载自思科的官方网站

hub端为总部静态IP路由器,spoke为多个分支段ADSL接入路由器

hub端路由器配置如下:

hostname Hub

!

username cisco password 7 0201024E070A0E2649
aaa new-model
!
!
aaa authentication login clientauth local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
!
!
 
    
!--- Keyring that defines wildcard pre-shared key.
 
    
crypto keyring spokes
 
    
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
 
    
!
 
    
crypto isakmp policy 10
 
    
encr 3des
 
    
authentication pre-share
 
    
group 2
 
    
!
 
    
 
    
!--- ××× Client configuration for group "testgroup"
 
    
!--- (this name is configured in the ××× Client).
 
    
crypto isakmp client configuration group testgroup
 
    
key cisco321
 
    
dns 1.1.1.1 2.2.2.2
 
    
wins 3.3.3.3 4.4.4.4
 
    
domain cisco.com
 
    
pool ippool
 
    
!
 
    
 
    
!--- Profile for LAN-to-LAN connection, that references
 
    
!--- the wildcard pre-shared key and a wildcard
 
    
!--- identity (this is what is broken in
 
    
!--- Cisco bug ID CSCea77140) and no Xauth.
 
    
 
    
crypto isakmp profile L2L
 
    
description LAN-to-LAN for spoke router(s) connection
 
    
keyring spokes
 
    
match identity address 0.0.0.0
 
    
 
    
!--- Profile for ××× Client connections, that matches
 
    
!--- the "testgroup" group and defines the Xauth properties.
 
    
crypto isakmp profile ×××client
 
    
description ××× clients profile
 
    
match identity group testgroup
 
    
client authentication list clientauth
 
    
isakmp authorization list groupauthor
 
    
client configuration address respond
 
    
!
 
    
!
 
    
crypto ipsec transform-set myset esp-3des esp-sha-hmac
 
    
!
 
    
 
    
!--- Two instances of the dynamic crypto map
 
    
!--- reference the two previous IPsec profiles.
 
    
 
    
crypto dynamic-map dynmap 5
 
    
set transform-set myset
 
    
set isakmp-profile ×××client
 
    
crypto dynamic-map dynmap 10
 
    
set transform-set myset
 
    
set isakmp-profile L2L
 
    
!
 
    
!
 
    
 
    
!--- Crypto-map only references the two
 
    
!--- instances of the previous dynamic crypto map.
 
    
crypto map mymap 10 ipsec-isakmp dynamic dynmap
 
    
!
 
    
interface FastEthernet0/0
 
    
description Outside interface
 
    
ip address 10.48.67.181 255.255.255.224
 
    
no ip mroute-cache
 
    
duplex auto
 
    
speed auto
 
    
crypto map mymap
 
    
!
 
    
interface FastEthernet0/1
 
    
description Inside interface
 
    
ip address 10.1.1.1 255.255.254.0
 
    
duplex auto
 
    
speed auto
 
    
no keepalive
 
    
!
 
    
ip local pool ippool 10.5.5.1 10.5.5.254
 
    
ip classless
 
    
ip route 0.0.0.0 0.0.0.0 10.48.66.181
 
    
spoke端为ADSL接入
 
    
crypto isakmp policy 1
 
    
encryption 3des
 
    
authentication pre-share
 
    
group 2
 
    
crypto isakmp key cisco123 address 128.107.9.9
 
    
crypto ipsec transform-set name-i-choose esp-3des esp-sha-hmac
 
    
crypto map map110 ipsec-isakmp
 
    
set transform-set name-i-choose
 
    
set peer 128.107.9.9
 
    
match address 101
 
    
access-list 101 permit ip 10.99.1.0 0.0.0.255 10.0.0.0 0.255.255.255
 
    
access-list 101 permit greany any
 
    
int dialer 2
 
    
crypto map map1