我这里有一现成配置, 静态VPN, site-to-site 及 client-to-site互相访口都没问题( q! r) h% C, P' H8 V1 D
即:都能访问中心端的10.28.0.0网段
- |3 Q8 N b% _6 O x" C3 j4 Q B2 @9 [+ H/ g S
aaa new-model% `, }1 \/ W% j6 \8 h$ f
!$ V' Q) Y1 d) E
!) j1 ?' h* I4 l5 C6 R, _
aaa authentication login default local
. G( r3 _4 c& Z: E2 a0 Q, _aaa authorization network vpn_group local : P3 X" w! Q; w
aaa session-id common2 F* c+ e6 e( c$ v' h
ip subnet-zero
: ^/ \. v3 o9 L- u% y!
( f: i! p8 D2 P! [!. m* m6 w) z0 d8 d$ J
crypto isakmp policy 15 m3 o/ D9 J; |
encr 3des( |& D3 A+ z- R4 f6 l5 m/ L. U
authentication pre-share
9 q# b/ g9 a7 `4 j, r1 `( @4 }3 `4 c group 2
9 |5 Q9 u% K- a& `, _!
; y% H+ \. Y$ u2 G1 j& rcrypto isakmp policy 2
7 a3 F/ C1 e- S4 V, o hash md54 u% ^( f) Z9 X( W" g) |
authentication pre-share- d" y; D0 `) L# I1 Q
!0 ]# j( Z, H. ^
crypto isakmp policy 3) Z( ?( `- h6 _8 w7 B& E: C# R
authentication pre-share) [6 m* J8 s; j- z0 M& h" T1 ^
crypto isakmp key 123456 address 0.0.0.0 0.0.0.0
: c- @0 U5 O3 M+ B- c, N!
3 j5 o6 V" ?+ B ^+ M/ r4 V6 Xcrypto isakmp client configuration group vpn_group) W5 I8 F: d+ K2 _0 q K# Z
key abc123
- J) k9 ]. J; B# h6 E5 w pool vpn_pool8 P) ?' b1 W/ U
!$ B, H' O- r7 q% G0 z: j
crypto ipsec security-association lifetime seconds 86400
: q6 r2 I0 {: x/ }6 E!
# g, r/ a: u" jcrypto ipsec transform-set basic-des esp-des esp-md5-hmac 6 r1 k" a: }4 o, ]2 }; @# r5 x2 L
crypto ipsec transform-set basic2-des esp-des esp-sha-hmac
* A8 } z8 f% n# c+ n: _- C9 bcrypto ipsec transform-set advan-3des esp-3des esp-md5-hmac
1 d4 V2 B& F' e& y& m1 s1 Icrypto ipsec transform-set advan2-3des esp-3des esp-sha-hmac * c/ t5 `9 A" t' U5 @
!! ~) K) k9 ^0 S0 h
crypto dynamic-map adsl 1
% b3 K0 Q- }% V set transform-set basic-des 1 T* j* m, r' C1 f4 b+ [6 C$ y
match address 1115 U4 b7 |# ^- d: D, i
crypto dynamic-map adsl 2; W T7 }) L3 E; g/ x
set transform-set basic-des : O. K" _- `' G0 T; C
match address 112
5 E) Y' {$ A2 l+ D$ j% v, tcrypto dynamic-map adsl 3, z4 c) K1 ]2 n: Q! s5 G
set transform-set basic-des
7 n" m5 L& n3 j. I9 K match address 113
5 U4 a1 H* A* N; L...; O: {; X3 s: q0 L2 P
!
6 p* f3 y! r! }4 y0 w! W- acrypto dynamic-map client 1! n3 F6 ]! P+ H
set transform-set advan-3des
( L6 |' J$ j1 t! w5 \8 A6 n!" N3 g. i1 g; c
!& p' X }* W2 _) S: I2 D/ J% O
crypto map vpn isakmp authorization list vpn_group/ i" I6 K# e9 K% k& e
crypto map vpn client configuration address respond
1 _4 B( _- m( @crypto map vpn 1 ipsec-isakmp . g$ Z9 ^8 n9 ?. G" w
set peer 195.6.174.202
1 L$ R- j) N/ n7 g5 W set transform-set basic-des
! K! W( g- p4 q$ v# _" [% A match address 1109 _( I5 y# k: T0 y% ~* {* \8 E
crypto map vpn 98 ipsec-isakmp dynamic adsl . f: o! ?; W5 D6 L4 ^! G
crypto map vpn 99 ipsec-isakmp dynamic client 8 ~: q w( F4 W- D" g$ M
!
8 n( V# T& T$ [! D. c....% x6 Z0 C, P, ]4 @
interface FastEthernet0/1
2 b P* m# ]% r- W: D description Internet Connection6 Q1 m& Y @( A5 f8 E) ]# X
ip address 222.202.209.27 255.255.255.09 C3 u6 a5 W* K b8 c
ip nat outside p, _: Q6 ?! l R# Z
duplex auto
: ~# }' P6 p' y" G speed auto6 G2 Y% W t5 T# {- R# j; [
no cdp enable$ H% i' I a. @9 L
crypto map vpn3 c' Q0 R( t, V8 Q: }, v
!
" g" I* H1 O4 M y- sip local pool vpn_pool 192.201.0.1 192.201.0.30
! m( |" x3 F) u- Z" mno ip http server
+ b# L2 q; p% h: C' ono ip http secure-server
& _7 Z4 g6 b, c: E" h' c3 \% }ip classless3 V0 C) Z$ {( a. z4 |% L
ip route 0.0.0.0 0.0.0.0 222.202.209.254
* \: ~+ Z8 f+ ~8 O- F! H5 _5 X!9 c4 h, F: X, S
!
! S& F( S p" D4 w" C, paccess-list 110 permit ip 10.28.0.0 0.0.0.255 10.203.50.32 0.0.0.15, i: X/ w3 ]2 V: k5 a
access-list 110 permit ip 10.28.0.0 0.0.0.255 10.204.2.0 0.0.0.255
|) s! W8 P" B+ C( ^0 raccess-list 110 permit ip 10.28.0.0 0.0.0.255 10.229.0.0 0.0.255.2556 j. B$ f e) t. F
access-list 110 permit ip 10.28.0.0 0.0.0.255 10.251.0.0 0.0.255.255
# T G1 z q" xaccess-list 111 permit ip 10.28.0.0 0.0.0.255 192.201.1.0 0.0.0.255
2 c5 m, y: i7 |& N5 Raccess-list 112 permit ip 10.28.0.0 0.0.0.255 192.201.2.0 0.0.0.255 B" G+ W- h6 u% o& ]% C
access-list 113 permit ip 10.28.0.0 0.0.0.255 192.201.3.0 0.0.0.255$ O8 r$ y9 b! z: O y# k# y
.... |