��

�ҵ�IT֮·

�� — 2009-11-20 00:01

       ��϶��˵��.�ҵĳ��Ա֮·,�ҵ��֮·ѽ.��д�ĸ��˾��.��Ҳ��дд�ҵ�IT֮·.˵˵��ô�ߵ��·�ġ�
       ��Ҫ˵˵�ҵ��Ļ�ˮƽ��ֻ��˸��һ�꼶��Ϊʲô��ж�û�ж��ˣ��е�ԭί��ģ��2002��б�ҵ��Ƕ�һ��Ƚϲ��ĸ��ѧУ��һ��ѧУ�Ĵ��ѧ��ܺ�˳��Ķ��ѧ�ġ��ʱ��룬��ܹ��ѧ�ż��ˡ��첻��Ըѽ��һ��ѧ�ڡ��Ҿ�һֱ�о��岻�ʣ�ѧϰ��Ҳѧ�ˡ��һ�θ��գ��һҹ֮��˼�붼�յ�ģ��ˣ��֪��ô�Լ��ô�ߵ�ҽԺ�ģ��ҽԺסԺһס��ǰ��¡��Ժ֮�󣬴Ӵ��Ļ��䣬��Ǻ��ѧУ�Ǹ��½�ѧУ��ҽ��ҵ�ѧϰ�ó̡��мҽ��ĺ��ġ�
��꣬�ң��ꡣ��һ��ݴ򹤡��ڹ��ˮ�簲װ��һ�ɾ��ꡣ��Ҳ��˲��ٿࡣ��Ҫ̧ˮ��ӣ��ص��豸��û�취��ֻ��Ӳ��ͷƤ̧��һ��һ��Ҳ��ѹ��ˡ��ҵĸ��ӱȽϵ͡��ף��һ�㡣��ҳ��˲��ٵĿ࣬��ʵ��ã��ʧ��ڹ��
��˭��֪��Ժ��ô��ġ��ڣ��꣱��¼��绰��һ�ȥȥ��졣˵�ұ��ϵ��ˡ��Ҷ��š��ҵ��֮·��һ·˳�磬һ��ʮ��ˣ��飬��֮�󡣾�Ȼ��һ��˱ȽϷ��ϡ��꣱��·ݽ��˲��ӡ��ĵط��ڴ��˾�װ��
��˵��ں��ˡ�˵��ҵ�IT ֮·��ôһ��Ҳ��IT��أ�
��Ҫ�±��µ�ѵ��֮�гԵĿ��Ҳ��˵�ˡ��˵��ҳԹ��˴�δ��Ŀࡣ�Կ�Ҳ��ǰ׳��ˡ��±��ʱ��ұ��ֵ��ǵ��ģ��Ĺ��ͬ��֮�У��Һ��һ��ֵܡ��Ǻ��˵ġ�
��Ӵ�֮��ҵ��о��˵��ԡ�֮��ȥ�ϼ��ؽ��רҵѧϰ��˵��רҵѧϰ��ʱ��˼Ҿͽ��˸��ʴ��֡��ʲô��Ȼ�ǲ��ᡣ
��ص��λ��Ҳ��ҵ�ѧϰ֮·��ǵ��ҵ�һ�ε��ȥ��೤��鿴��ͨ�ϣ��Ҳ�֪��һ��ping����ѧ�ĵ�һ����Ҽǵú��Ű೤��棬��ѧ�˲��ٶ��Ϥ��豸��Լ��ֵ�࣬��ˡ��ĵ�һ��ĺܳ�ʵ��ÿ�춼�ڽ��ֵ��е�ʱ��Ҿ��˺ü��Լ��м��硣ͨѶ��ȡ�
��ת�۽��˵ڶ��ꡣҲ��ȥ��ˣ��һ��Ҳ��ѧϰ�Ĺؼ�֮�ꡣ��죬��ֻ��ǰ༸��Լ��Ҵ��ˮ��ͷ��ʼ��ԡ��ų��Ҫ��Ӳ��档��л��˲��پ��顣��ֻ��֪��ġ��Ҫ��Ƶ��أ�Ҫ�ܷ��Ҷ��û�취��ֻ��ѧ��һ��繤��ʦ�̡̳��һ��ָ�ϡ��飬ѧ��˼�iss��վ��ѧ��SQLserver��ݿ⡣��Ƶ��شӼ��ͷ��裬��ö�ѧ��ˡ��Ҳ�ͻ��µ�ʱ�䡣��ģ��Ҳ��ǰ�ļ��Ǹɣ��˲��ܽ��⣬�Ҷ�Ŭ��о��⣬�Լ��ѧ��֪ʶ��ѵ��֮�ࡣ�ҾͿС��繤��ʦ�̡̳��Ȿ��д��̫��ܶ�ط��Ҳ��ˡ��Ǿ��ϸ��ҲŪ��ͨ�Ż��TCP/IP��ͽ��֪ʶ��·�ɽ��֪ʶ��ѧϰ�˼򵥵Ľ��·��á�
��ҷ��֣��Խ��ѧϰ��Խ��ֵ�֪ʶ�ܵ�һ��ණ��ʵ��һ��ӡ��һ��ѧϰ��ֲ��ܺͱ��˽��ǲ��ġ�ֻ��ϲ��ӵľ��ʲô��û�С��ⶼû�취��Ҳ��ϡ�
��2007��ģ��·ݡ��һ��·ݡ��ҽ��ң��ľ���ص��ϼҡ��ص��Ȼ��ʲô��û�С��ţ��ƾ��ҵ�֪ʶ��ҵ�ѧϰ��Ӧ��ܹ��һ�ݹ��ġ��ӣ��Ҿ��Ͼ��ǰһ��ͬѧ�⣬��ı�ݹ��棬�ŷ��ǰѧ��֪ʶ�Ƕ�ô��١��֪ʶ��̫�ࡣ��ֱ��޴�ѧ��֪��ҵ��֪ʶ��顣
       ��3�·ݣ��ӦƸ��Ͼ�һ�Ҵ�Ƶ꣬��Ա��ճ��У��ά��̿ؽ��ά��ά��ǰ�ܶ��Ծ��֪ʶ��ͬʱҲѧ��µ�֪ʶ��
��ѧϰlinux��
     ��ҵĵ�·��Խ��Խ��ġ�һ�ж�Դ��ѧϰ��

�Ķ�ȫ��
��Ĭ�Ϸ�� 鿴��

��Զ��VPNʵ��

�� — 2009-04-25 18:21

��ã�

Hub Router

hostname Hub
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco47 address 0.0.0.0 //0.0.0.0ָ��Զ˿�Ϊ��
!
crypto ipsec transform-set trans2 esp-des esp-md5-hmac
mode transport
!
crypto map vpnmap1 local-address Ethernet0
crypto map vpnmap1 10 ipsec-isakmp
set peer 172.16.1.1
set transform-set trans2
match address 101
crypto map vpnmap1 20 ipsec-isakmp
set peer 172.16.2.1
set transform-set trans2
match address 102
. . .
crypto map vpnmap1 <10*n> ipsec-isakmp
set peer 172.16..1
set transform-set trans2
match address
!
interface Tunnel1
bandwidth 1000
ip address 10.0.0.1 255.255.255.252
ip mtu 1400
delay 1000
tunnel source Ethernet0
tunnel destination 172.16.1.1
!
interface Tunnel2
bandwidth 1000
ip address 10.0.0.5 255.255.255.252
ip mtu 1400
delay 1000
tunnel source Ethernet0
tunnel destination 172.16.2.1
!
. . .
!
interface Tunnel
bandwidth 1000
ip address 10.0.0.<4n-3> 255.255.255.252
ip mtu 1400
delay 1000
tunnel source Ethernet0
tunnel destination 172.16..1
!
interface Ethernet0
ip address 172.17.0.1 255.255.255.0
crypto map vpnmap1
!
interface Ethernet1
ip address 192.168.0.1 255.255.255.0
!
router eigrp 1
network 10.0.0.0 0.0.0.255
network 192.168.0.0 0.0.0.255
no auto-summary
!
access-list 101 permit gre host 172.17.0.1 host 172.16.1.1
access-list 102 permit gre host 172.17.0.1 host 172.16.2.1
...
access-list permit gre host 172.17.0.1 host 172.16..1

Spoke1 Router

hostname Spoke1
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco47 address 0.0.0.0
!
crypto ipsec transform-set trans2 esp-des esp-md5-hmac
mode transport
!
crypto map vpnmap1 local-address Ethernet0
crypto map vpnmap1 10 ipsec-isakmp
set peer 172.17.0.1
set transform-set trans2
match address 101
!
interface Tunnel0
bandwidth 1000
ip address 10.0.0.2 255.255.255.252
ip mtu 1400
delay 1000
tunnel source Ethernet0
tunnel destination 172.17.0.1
!
interface Ethernet0
ip address 172.16.1.1 255.255.255.252
crypto map vpnmap1
!
interface Ethernet1
ip address 192.168.1.1 255.255.255.0
!
router eigrp 1
network 10.0.0.0 0.0.0.255
network 192.168.1.0 0.0.0.255
no auto-summary
!
access-list 101 permit gre host 172.16.1.1 host 172.17.0.1

ע�⣺��Cisco IOS 12.2(13)T ǰcrypto map vpnmap��ͬʱӳ�䵽��ӿں��е��˿��ϣ��Cisco IOS 12.2(13)T ֮��ֻҪӳ�䵽��ӿ��ϾͿ��

�Ķ�ȫ��
��ciscoѧϰ �鿴��

IPSEC vpn ��෽��HSRP+IPsec vpn

�� — 2009-04-23 09:16

��Ҫ˵��

R6-----10.0.0.0----R1-----10.1.1.0----R2----10.2.2.0--fa0/1--R3--fa0/0

--fa0/1-R4--fa0/0---10.3.3.0----R5

��

R3��

IPSEC VPN:

crypto isakmp policy 10 //��isakmp ��
encr aes
authentication pre-share
group 2
lifetime 180
crypto isakmp key cisco address 10.1.1.1 //Ԥ��Կ��ip��ַΪR1��s1/1�˿�IP��ַ
crypto isakmp aggressive-mode disable //ȡ��ģʽ
!
!
crypto ipsec transform-set set1 esp-aes esp-sha-hmac
!
crypto map to_R1 10 ipsec-isakmp
set peer 10.1.1.1
set transform-set set1
match address 110

HSRP:

interface FastEthernet0/0 //�ڲ��ӿ��ã�ΪR5��
ip address 10.3.3.3 255.255.255.0
duplex auto
speed auto
standby 0 track FastEthernet0/1 //ȫ��HSRP
standby 10 ip 10.3.3.1
standby 10 priority 105
standby 10 preempt
standby 10 name R5gateway
!
interface FastEthernet0/1 //��ӿ��ã�Ϊ�֣У��
ip address 10.2.2.3 255.255.255.0
duplex auto
speed auto
standby 10 ip 10.2.2.1
standby 10 priority 105
standby 10 preempt
standby 10 name vpn��//��ֺ��Ҫ��Ҫ��붨��
standby 10 track FastEthernet0/0
crypto map to_R1 redundancy vpn //��Ҫ��ָ��ؼ��redundancy��ܵ��

HSRP��Ϊ��Ķ�� name : vpn��

�Ļ��޷��VPN�ˡ��Ϊ��crypto map ��ָ��

��PEER��ַΪHSRP��IP��ַ

R4��ͬ��

R1��Ϊ��ͨ��IPSEC vpn��һ��

��Ȼ��ṩ��·��࣬��Ϊ��״̬VPN�� ��л�ʱ��һ��ʱ��Ķ��϶��ͼ��

!!!!!!!!!!!!!......................................!!!!!!!!!!!!!

��R6 ping R5 �Ľ��shutdown��R3��FA0/0��FA0/1�ӿڣ��ͻ��·�л��м�һ��ʱ�䶪��ԭ��ΪR4��Ҫ��º�R1Э��SA��ȫ�Ự��Э�̹��ǣ��ACK��⣨��ύλ)��Э��ڼ��ݾ��.

�Ķ�ȫ��
��ciscoѧϰ �鿴��

��Cisco IOS EASY VPN Server��Cisco VPN Client

�� — 2009-04-22 09:31

         ��˵��R1ΪSKY��˾��أ��F1/0�ӿ��ӻ��û��ڳ��⣬ͨ��ӵ��ϣ��ϣ��ʵ��û�ͨ��internet��Ž��SKY��˾��R1·��ϣ��ʹ��easy vpn��ӵ�SKY��˾��192.168.0.0/24 ��

ʵ��Ҫ��
1��ͨ��cisco vpn client ��R1��ҪpingͨR1��صĵ�ַ��
2��VPN��ɹ�֮�󣬿��pingͨ 192.168.0.2��ܷ��ϵĹ��Դ

ʵ��̣�
��һ��   R1Ԥ��
R1(config)#int f0/0
R1(config-if)#ip add 192.168.0.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#int e1/0
R1(config-if)#ip add 192.168.1.200 255.255.255.0
R1(config-if)#no sh
R1(config-if)#end
R1#ping 192.168.1.101
//   �ڱ�ʵ��PC��IP��ַ��192.168.1.101
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.101, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/50/168 ms
R1#
�ڶ��   ��֤��
R1#conf t
R1(config)#aaa new-model
//   ��AAA
R1(config)#aaa authorization network vpn-client-user local
//   ��ö�Զ�̽��IPSec��ӵ��Ȩ��Ϊvpn-client-user
��   ��û��
R1(config)#ip local pool VPNDHCP 192.168.0.100 192.168.0.150
//   ��һ��ڲ��ַ�أ��ڷ��IP��ַ��Զ�̽��VPN�ͻ��ˣ��ڱ�ʵ��е�ַ�ص��ʼ��ַΪ192.168.0.100��ֹ��IP��ַΪ192.168.0.150��ں��л��øĵ�ַ��
R1(config)#crypto isakmp client configuration group vpn-client-user
//   ��Զ�̽��飬��Ϊvpn-client-user��aaa authorization network��е��һ��
R1(config-isakmp-group)#key norvel.com.cn
//   ��IKE�׶�1ʹ��Ԥ��Կ��ԿΪnorvel.com.cn
R1(config-isakmp-group)#pool VPNDHCP
//   ��ڿͻ��ӵ�Easy VPN client��IP��ַ��
R1(config-isakmp-group)#dns 221.11.1.67
//   ��ͻ��˷��DNS��ַ
R1(config-isakmp-group)#domain norvel.com.cn
//   ��÷��ͻ��˵�DNS��
R1(config-isakmp-group)#exit
R1(config)#
��Ĳ�   ��IKE�׶�1��
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#group 2
R1(config-isakmp)#hash sha
R1(config-isakmp)#exit
R1(config)#end
R1#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
         encryption algorithm:   Three key triple DES
         hash algorithm:         Secure Hash Standard
         authentication method:   Pre-Shared Key
         Diffie-Hellman group:   #2 (1024 bit)
         lifetime:               86400 seconds, no volume limit
Default protection suite
         encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
         hash algorithm:         Secure Hash Standard
         authentication method:   Rivest-Shamir-Adleman Signature
         Diffie-Hellman group:   #1 (768 bit)
         lifetime:               86400 seconds, no volume limit
��岽   ��ö�̬��ӳ��
R1#conf t
R1(config)#crypto ipsec transform-set R1 esp-sha-hmac esp-3des
//   ��ΪR1��ת��
R1(cfg-crypto-trans)#exit
R1(config)#crypto dynamic-map dyvpn 10
//   ��Ϊdyvpn�Ķ�̬��ӳ��
R1(config-crypto-map)#set transform-set R1
R1(config-crypto-map)#reverse-route
//  Reverse-route ��ɵ��·��,����޷�ping��豸192.168.0.2
R1(config-crypto-map)#exit
��   ��þ�̬��ӳ��
R1(config)#crypto map dyvpn isakmp authorization list vpn-client-user
//   ָ��Ӧ��ΪԶ�̽��VPN��ִ�е��Ȩ��vpn-client-user��Ʊ��aaa authorization network��е��ͬ
R1(config)#crypto map dyvpn client configuration address respond
//   ��·��Ϣ��Զ�̽��ͻ��ˣ�respond��ʹ·��ȴ��ͻ��ʾ��Щ��Ϣ��Ȼ��·��ʹ�ò��Ϣ��Ӧ
R1(config)#crypto map dyvpn 1 ipsec-isakmp dynamic dyvpn
//   ��ھ�̬ӳ��Ŀ�й��̬��ӳ��

��߲�   �ڽӿ��ϼ��̬��ӳ��
R1(config)#int e1/0
R1(config-if)#crypto map dyvpn
R1(config-if)# ^Z
�ڰ˲�   ��PC��ϴ�Cisco VPN Client��ã��New��һ��µ�VPN��

�ھŲ� ��VPN��н��ã��дeasyvpn��дVPN Server 192.168.1.200��name��дvpn-client-user��дnorvel.com.cn

��ʮ�� VPN��ӣ�ѡ��easyvpn��Connect

��ʮһ�� ӳɹ��鿴��ӵ�ͳ��Ϣ

�Ķ�ȫ��
��ciscoѧϰ �鿴��

IPSEC VPN ��

�� — 2009-04-21 12:08

��ӿڵ�ַ��Ѿ��꣬·��Ҳ��ˣ�˫��Ի��ͨ��

��Կ��֤��㷨2�֣�md5��sha1

��㷨2�֣� des��3des

IPsec��ģʽ3�֣�

AH��֤��:ah-md5-hmac(md5��֤)��ah-sha-hmac(sha1��֤)

ESP��ܲ��esp-des(des��)��esp-3des(3des��)��esp-null��ݽ��м��ܣ�

ESP��֤��esp-md5-hma(md5��֤)��esp-sha-hmac(��sha1��֤)

1 ��IKEЭ��

routerA(config��#crypto isakmp policy 1 ��IKEЭ�̲��ԣ�1�ǲ��Ա��1-1000��
ԽС��ȼ�Խ��

routerA(config-isakmap)#hash md5 ��Կ��֤��㷨

routerA(config-isakmap)#authentication pre-share ��·��ʹ��Ԥ�ȹ��Կ

routerA(config)#crypto isakmp key 123456 address 20.20.20.22 (123456��õĹ��

20.20.20.22�ǶԶ˵�IP��

ַ��

routerB(config)#crypto isakmp policy 1

routerB(config-isakmap)#hash md5

routerB(config-isakmap)#authentication pre-share

routerB(config)#crypto isakmp key 123456 address 20.20.20.21 (·��B��A��ó��

�ĶԶ�IP��ַ��20.20.20.21��Ҫһ��ģ��

2 ��IPSec��ز��

routerA(cnfog)#crypto ipsec transform-set test ah-md5-hamc esp-des (test��ģʽ��

�ơ�ah-md5-hamc esp-des��ʾ��ģʽ�в��õ��֤�ͼ�

�ܲ��

routerA(config)#acess-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

��Щ��ַ�ı��ļ��ܻ��ǲ��ܣ�

routerB(config)#crypto ipsec transform-set test ah-md5-hamc esp-des

routerB(config)#acess-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

��·��B��A��ó��Դ��Ŀ��IP��ַ��ˣ��һ��

3 ��crypto map ��Ŀ�İ�IKE��Э��Ϣ��IPSec�Ĳ��ϵ�һ��һ��֣�

routerA(config)#crypto map testmap 1 ipsec-isakmp (testmap:��crypto map��֡�

1��ȼ��ipsec-isakmp:��ʾ��IPSec��Ӳ��IKE�Զ�Э�̣�

routerA(config-crypto-map)#set peer 20.20.20.22 (ָ��VPN��·��Զ˵�IP��ַ��

routerA(config-crypto-map)#set transform-set test (IPSec��ģʽ��֣�

routerA(config-crypto-map)#match address 101 (��涨��ACL�б��ţ�

routerA(config)#crypto map testmap 1 ipsec-isakmp

routerA(config-crypto-map)#set peer 20.20.20.21 ��A·�ɵ��ֻ��ĶԶ�IP��һ��

routerA(config-crypto-map)#set transform-set test

routerA(config-crypto-map)#match address 101

4 ��crypto map ��Ӧ�õ��˿�

routerA(config)#inter s0/0 (��Ӧ��VPN�Ľӿڣ�

routerA(config-if)#crypto map testmap ��testmap��crypto map��֣�

B·�ɺ�A��ȫһ��

�鿴VPN��

�鿴��ȫ��ˣ�SA��

Router#show crypto ipsec sa

��ʾcrypto map �ڵ��

router#show crypto map

�鿴��ȼ�

router#show crypto isakmp policy

�Ķ�ȫ��
��ciscoѧϰ �鿴��

GRE OVER IPSEC VPN ��

�� — 2009-04-21 09:46

IPSec VPN ר��ģ�GRE over IPSec

��
1��R4/R5/R6֮��ͨ��Static Route��ͨ�ԣ�
2��R4<-->R6֮�佨��GRE Tunnel
3��R4<-->R6֮�佨��IPSec VPN
��Ҫ��PC3 �� PC7�ܹ��ͨ
�漰��㣺GRE Tunnel�Ľ��IPSec �� ݰ��
��ò��裺
1��R4/R5/R6֮��ͨ��Static Route��ͨ
2��֮��Ļ�ͨͨ��OSPF��R4/R6��Loopback��ͨ��OSPFѧ��
3��IPSec ��Peer��ָ�Զ�Loopack��ԭ��
4��GRE Over IPSec��ԣ�
5��
��R4/R6֮��ָ��Static·�ɵ��Զ˵�Loopback��
IPSec Peerָ�Զ˵��ӿڣ��Loopback�ڣ��Ƽ��

==============================================
��Զ�Peerʹ��Loopback��ôTunnel��IPSec��޷��ɹ��
1��R4/R6��þ�̬·�ɣ��ͨ��
R4�ϵľ�̬·�ɣ�
ip route 1.1.56.0 255.255.255.0 1.1.45.5
R6�ϵľ�̬·�ɣ�
ip route 1.1.45.0 255.255.255.0 1.1.56.5

2��R4/R6֮�佨��GRE Tunnel:
==>R4��:
interface Tunnel0
ip address 172.16.10.4 255.255.255.0
tunnel source 1.1.45.4
tunnel destination 1.1.56.6
==>R6��:
interface Tunnel0
ip address 172.16.10.6 255.255.255.0
tunnel source 1.1.56.6
tunnel destination 1.1.45.4
==>�鿴GRE״̬��
R4#show ip int b
Tunnel0                    172.16.10.4     YES manual up                    up
R6#show ip int b
Tunnel0                    172.16.10.6     YES manual up                    up

3��֮��ͨ��GRE��OSPF��ӣ�
==>R4��ã�
router ospf 110
log-adjacency-changes
network 4.4.4.4 0.0.0.0 area 0
network 172.16.10.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0
==>R6��ã�
router ospf 110
network 6.6.6.6 0.0.0.0 area 0
network 172.16.10.0 0.0.0.255 area 0
network 172.16.1.0 0.0.0.255 area 0
==>�鿴R4/R6��·�ɱ��Ѿ��ͨ��
R4#show ip route ospf
O    6.6.6.6 [110/11112] via 172.16.10.6, 00:11:38, Tunnel0
O    172.16.1.0 [110/11112] via 172.16.10.6, 00:11:38, Tunnel0
R6#show ip route ospf
O    4.4.4.4 [110/11112] via 172.16.10.4, 00:11:23, Tunnel0
O 192.168.1.0/24 [110/11112] via 172.16.10.4, 00:11:23, Tunnel0
R6#
==>R3��ԣ�
R3#traceroute 172.16.1.1
   1 192.168.1.2 92 msec 136 msec 48 msec
   2 172.16.10.6 136 msec 132 msec 140 msec ��ǰ��ݰ��ͨ��GRE Tunnel��ת��
   3 172.16.1.1 148 msec *   168 msec
R3#

4��R4/R6֮�佨��IPSec VPN :eerָ��R4/R6�Ļ��ؿڣ�4.4.4.4/6.6.6.6
==>R6�ϵ��޸�:
crypto isakmp key cisco address 4.4.4.4
crypto map MYMAP 10 ipsec-isakmp
set peer 4.4.4.4
set transform-set TS
match address 110                                  ��ָ��Ȥ��
crypto map MYMAP local-address Loopback1 ��һ��Ҫָ��Դ��BGP�ĸ��Դ��ݰ��Ľ��Ǳ��ص��ӿ�
==>R4�ϵ��޸�:
crypto isakmp key cisco address 6.6.6.6
crypto map MYMAP 10 ipsec-isakmp
set peer 6.6.6.6
set transform-set TS
match address 110
crypto map MYMAP local-address Loopback1

5��GRE over IPSec:��ӿ��µ��ø��Ȥ��:
interface FastEthernet0/0
ip address 1.1.1.1 255.255.255.0
no cdp log mismatch duplex
crypto map MYMAP
��ʱ��ָ��Ȥ��:access-list 110 permit host 1.1.1.1 host 2.2.2.3 :��ô��OSPF �ھӽ�Down��
*Dec 11 23:13:56.355: %OSPF-5-ADJCHG: Process 110, Nbr 6.6.6.6 on Tunnel0 from FULL to DOWN, Neighbor Down: Dead timer expired
��
1��GRE Tunnel�Ŀɴ��ͨ��̬·��ʵ�ֵģ�ͨ��һ��֪Ŀ��1.1.56.0��F1/1�ߣ�
2��R4�ϵ�OSPFͨ��Tunnelѧϰ��6.6.6.6��·��һ��ָ��Tunnel0
3��IPSec VPN��ָ��PeerΪ6.6.6.6��ʱ��һ��ָ��Tunnel0��粽��װGRE��SIP:1.1.45.4   DIP:1.1.56.6��R4�鿴·�ɱ��1.1.56.0��Ҫ��F1/1��粽��һ��ʱGRE��ݰ��ӵ�F1/1��պ�ƥ��ýӿ��µ��õ�IPSec��Ȥ��Ƿ�װESP��IP��ͷ��ESP| SIP:4.4.4.4 DIP:6.6.6.6��
4��ESP��ݰ��鿴·�ɱ�, ��ֵ��6.6.6.6��Ҫͨ��Tunnel 0 ��ESP�ֱ�ת��Tunnel 0��ֱ��װ��SIP:1.1.45.4   DIP:1.1.56.6��Դ��R4�ϵ�OSPF Hello��Tunnel0��F1/1֮��ѭ��Զ˵�OSPF��δ�յ�Hello��ʾDead Time Expired��
*Mar   14:43:51.743: %OSPF-5-ADJCHG: Process 110, Nbr 192.168.2.10 on Tunnel0 from FULL to DOWN, Neighbor Down   :OSPF�ھ�Down

��
==>��ֻҪ��ϻ�·��һ��ɣ�
��R4/R6֮��ָ��Static·�ɵ��Զ˵�Loopback��
IPSec Peerָ�Զ˵��ӿڣ��Loopback�ڣ��Ƽ��
�޸ķ��1��
��R4/R6��Static Route �õ�R4/R6�Զ�Loopback�ڵ��ݰ��ӿ��,��Tunnel 0:
R4(config)#ip route 6.6.6.6 255.255.255.255 1.1.45.5
R6(config)#ip route 4.4.4.4 255.255.255.255 1.1.56.5
R5(config)#ip route 6.6.6.6 255.255.255.255 1.1.56.6 ��R5��ӵ�R4/R6��·�ɣ�
R5(config)#ip route 4.4.4.4 255.255.255.255 1.1.45.4
��ʱOSPF�ھӾͿ��Դ��:��IPSec VPNҲ�ǿ��Խ��:
*Mar 14 15:21:36.395: %OSPF-5-ADJCHG: Process 110, Nbr 192.168.2.10 on Tunnel0 from LOADING to FULL, Loading Done
R4#
==================================================================================
�޸ķ��2�Ƽ��)
��R4/R6��IPSec VPNʱ,�Զ�Peerָ��ӿ�,��Loopback�ڵ�ַ:
==>R4��ã�
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 1.1.56.6
R3(config)#crypto ipsec transform-set TS esp-md5-hmac esp-null   ��Null��ݰ��ܣ��ڷ��
crypto map MAY 10 ipsec-isakmp
   set peer 1.1.56.6
   set transform-set TS
   match address GRE-VPN
ip access-list extended GRE-VPN
permit ip host 1.1.45.4 host 1.1.56.6
==>R6��ã�
crypto isakmp policy 10
   authentication pre-share
crypto isakmp key cisco address 1.1.45.4
R3(config)#crypto ipsec transform-set TS esp-md5-hmac esp-null
crypto map MAY 10 ipsec-isakmp
set peer 1.1.45.4
set transform-set TS
match address GRE-VPN
ip access-list extended GRE-VPN
permit ip host 1.1.56.6 host 1.1.45.4
==>��ԣ�R3 ping R7��
R3#ping 172.16.1.1 re 10     !!!!!!!!!!

ץȡR5/R6֮��ͨ�Ű�:��ͼ:
��п��Կ��,PING�ȷ�װGREȻ��ٷ�װIPSec,ȷʵʵ��GRE over IPSec�Ĺ��:

==>OSPF��Hello��,��IPSec�ĸ��Ȥ��,Ҳ��:
0000 ca 00 0f 70 00 00 cc 00 07 18 f0 01 08 00 45 c0
0010 00 84 01 1f 00 00 fe 32 b4 62 01 01 01 01 02 02   32:50=ESP
0020 02 03 24 52 35 e7 00 00 00 02 45 c0 00 58 00 93   4:version   5:ͷ��=5*4=20
0030 00 00 ff 2f b4 1d 01 01 01 01 02 02 02 03 00 00   2f:47=GRE
0040 08 00 45 c0 00 40 01 1e 00 00 01 59 d1 7e 03 03   0x0800=IP   59:89=OSPF
0050 03 01 e0 00 00 05 02 02 00 20 06 06 06 06 00 00   224.0.0.5   6.6.6.6
0060 00 00 d0 f3 00 00 00 00 00 00 00 00 00 00 05 c4   ................
0070 52 07 00 00 13 6c ff f6 00 03 00 01 00 04 00 00   R....l..........
0080 00 01 01 02 02 04 20 03 a5 e4 2a 0c 23 7f 3d 87   ...... ...*.#.=.
0090 eb cc
��::
1:R3#ping 172.16.1.1
2:��ʱR4:�鿴·�ɱ�:��֪Ҫ��Tunnel 0��ȥ��1)
3:��һ��Tunnel 0 �ͱ��װGRE , ��µ�IP��ͷ:SIP:1.1.45.4 DIP:1.1.56.6
��ʱ��ݰ��֡��ʽΪ: DATA|SIP|DIP|GRE|SIP|DIP     1.1.45.4--->1.1.56.6
4:��ʱGRE�ٴβ鿴RT , ��ֵ��1.1.56.6/24 , ��F1/1, ��F1/1�е��˼��MAP ,��GRE��ݰ�ƥ��Ȥ��(access-list GRE-VPN) ,
5:��GRE��ֱ�ESP��װ , ��һ��µı�ͷ:SIP:1.1.45.4   DIP:1.1.56.6
��ʱ��ݰ��֡��ʽΪ: DATA|SIP|DIP|GRE|SIP|DIP|ESP|SIP|DIP   :��û��GRE��IP��ͷ��ESP��IP��ͷ��һ��.
192.168.1.1---->172.16.1.1
ESP��1.1.45.4--->1.1.56.6
GRE��1.1.45.4--->1.1.56.6

�Ķ�ȫ��
��ciscoѧϰ �鿴��

��һ��Ͽ�

�� — 2009-03-23 20:00

    ��ڹ��ȥ�Ͽ��ˣ��4500�鰡��˵��ǲ�С��Ŀ��ȡ��ǰ��˰��뿪��ǿ��Һü��µĹ��ʰ��Ҫ��ѧ��ǿɾ��ˡ��
      ��NA�γ̵��ʦ��IE��ᣬ�Ҹо�ͦ��ģ��Ķ��ͦ��ģ��cisco�Ķ��о��Ǯû�а׻��ǵ�һ�죬��Ҫ��ciscoһЩ��Ķ��署��OSIģ�ͣ��·��Щ��ö��ǰ�Լ��Ĵ��ࡣ
      ��ֻص��ˣ��뿪ѧУ����7,8��ˣ��ҵ��鱾ʼ�ն�û�з��£��ѧ�Ķ��ٶ�ѧ�˵㡣��Լ�һ��˿��ʼ��ǲ��ܺܺõ�ѧϰ�ġ��˱�Ǯ�ˣ��úõģ�ȫ��ѧϰ�ˡ�
     �Ժ�Ŀ��Ҷ�Ҫ��Ǯ��Ҫ�лر��ģ�Ҳ��Ͷ�ʰɡ�
       ��Ͱɡ��Լ��ܳɹ��ġ�

�Ķ�ȫ��
��Ĭ�Ϸ�� 鿴��

��ҳľ��http://ddddsss123.cn/1/rr.htm

�� — 2009-02-26 11:00

��ҳ��360��ʾ��http://ddddsss123.cn/1/rr.htm��³�� ҳ��һ�� -_-o ��־��֪��Ӧ�ý��

-_-o

�򿪲��ַ��ᷢ��Ƶ��룬��ע��

��Ž�ͼ��Ŀǰ��û��ҵ��صĽ��취��IE��ʱ��Ҳ��ð�װPA561401.CAB�ļ��ʾ��һ��OFFICE��

�Ķ�ȫ��
��Ĭ�Ϸ�� 鿴��

Cisco·��ƽⷽ��

�� — 2008-12-14 21:04

Ϊ��ѧccna��ÿ��·��ƽⷽ��ƪ��¼��׶��͸�ת��ˡ��⻹��Ա���Ա��Ժ��Ҫʱ�ٹ��鿴��

show version !��üĴ��ֵ

• show flash ��Flash�е�IOS

• show startup-config ��NVRAM�е��ļ�

• show running-config ��RAM�е��ļ�

1. ·��ܲ��Ļָ�.��2600Ϊ��

2600��3600��ϵ��·��裺

1��·��60��ڰ��ctrl+break��

2��rommon>confreg 0x2142

3��rommon>reset

4��router#copy startup-config running-config

5��router(config)#no enable secrect //��ɾ��Ҳ��Ը��,��Ϊɾ��

6��router(config-line)#no enable password

7��router#copy running-config startup

8��router(config)#config-register 0x2102

9��router#reload

2500ϵ��·��裺

1��·��60��ڰ��ctrl+break��

2��>o/r 0x2142

3��>i

��ಽ��2600��3600һ��

2��ָ��2950Ϊ��

��𽻻��MODE��뵽switch:ģʽ ��

C2950 Boot Loader (C2950-HBOOT-M) Version 12.1(11r)EA1, RELEASE SOFTWARE (fc1)

Compiled Mon 22-Jul-02 17:18 by antonino

WS-C2950-24 starting...

Base ethernet MAC Address: 00:13:1a:9a:2b:80

Xmodem file system is available.

The system has been interrupted prior to initializing the

flash filesystem. The following commands will initialize

the flash filesystem, and finish loading the operating

system software:

flash_init

load_helper

boot

switch: flash_init

Initializing Flash...

flashfs[0]: 4 files, 1 directories

flashfs[0]: 0 orphaned files, 0 orphaned directories

flashfs[0]: Total bytes: 7741440

flashfs[0]: Bytes used: 3090944

flashfs[0]: Bytes available: 4650496

flashfs[0]: flashfs fsck took 6 seconds.

...done initializing flash.

Boot Sector Filesystem (bs:) installed, fsid: 3

Parameter Block Filesystem (pb:) installed, fsid: 4

switch: load_helper

switch: dir

List of filesystems currently registered:

flash[0]: (read-write)

xmodem[1]: (read-only)

null[2]: (read-write)

bs[3]: (read-only)

switch: dir flash:

Directory of flash:/

2 -rwx 736 vlan.dat

3 -rwx 3086336 c2950-i6q4l2-mz.121-22.EA2.bin

5 -rwx 1558 config.text ��ʱӦ�õ��

6 -rwx 5 private-config.text

4650496 bytes available (3090944 bytes used)

switch: rename flash:config.text flash:config-old.txt //��config.text

switch: reset //��𽻻��

Are you sure you want to reset the system (y/n)?y

System resetting...

��𽻻��ڽ��Ӧ��ļ��Ϊ�ղ��Ѱ��ļ��ָ��ġ��뵽��õĶԻ�ģʽ��

--- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]: n

Switch#dir

Directory of flash:/

2 -rwx 736 Mar 01 1993 00:19:14 +00:00 vlan.dat

3 -rwx 3086336 Jan 01 1970 01:12:26 +00:00 c2950-i6q4l2-mz.121-22.EA2.bin

5 -rwx 1558 Mar 01 1993 02:36:44 +00:00 config-old.txt

6 -rwx 5 Mar 01 1993 02:36:44 +00:00 private-config.text

7741440 bytes total (4650496 bytes free)

Switch#copy config-old.txt running-config

Destination filename [running-config]?

1558 bytes copied in 1.152 secs (1352 bytes/sec)

sw#config t

Enter configuration commands, one per line. End with CNTL/Z.

sw(config)#line console 0

sw(config-line)#no pass cisco ��console��

sw(config)#no enable secret ��enable��

sw(config)#no enable password ��enable��

sw#write //��±��

��Ϊ��ɾ��ɹ��ܶ��Բ�ɾ��ֱ�Ӹ��ľ�OK��

�Ķ�ȫ��
��ciscoѧϰ �鿴��

�øɵ��

�� — 2008-10-27 11:48

��ڹ��ô��ʱ��ˣ��֪��Լ��æЩʲô��Ͷ��ӡ�

Ϊʲô��ˣ��Լ��ס�Ҫô��ϣ��죬��ţ��

��û��ȥѧϰ��Ҫ��һ��ȷ�ķ��

��룬Ӧ�øɵ��ˡ��ʱ��ˡ��

���� 鿴��

�������

�ҵ�IT֮·

��Զ��VPNʵ��

IPSEC vpn ���෽����HSRP+IPsec vpn

����Cisco IOS EASY VPN Server��Cisco VPN Client

IPSEC VPN ����

GRE OVER IPSEC VPN ����

��һ���Ͽ�

������ҳľ������http://ddddsss123.cn/1/rr.htm

Cisco·�������������ƽⷽ��

�øɵ�������

��

IPSEC vpn ��෽��HSRP+IPsec vpn

��Cisco IOS EASY VPN Server��Cisco VPN Client

IPSEC VPN ��

GRE OVER IPSEC VPN ��

��һ��Ͽ�

��ҳľ��http://ddddsss123.cn/1/rr.htm

Cisco·��ƽⷽ��

�øɵ��