2025-02-05 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Dynamic MAP:
Applicable situation: the center has a fixed IP address and the branch does not. If both ends are Cisco devices, this scheme is not recommended; use EzVPN instead. If not all devices are Cisco products, this is the only solution.
Topology description: R2 is the HUB; R4 and R5 are SPOKEs. R5's E0/0 address is obtained via DHCP.

Dynamic MAP configuration:

R2:

    crypto isakmp policy 10
     authentication pre-share
    !
    ! The peer address is all zeros because R2 must establish IPsec VPN tunnels
    ! with both R4 and R5, and R5's address is assigned by DHCP, so R2 can only
    ! write 0.0.0.0 0.0.0.0 here.
    crypto isakmp key cisco address 0.0.0.0 0.0.0.0
    crypto ipsec transform-set set esp-des esp-md5-hmac
    !
    ! Create the dynamic MAP. The peer address is unknown, so there are no
    ! match address or set peer commands.
    crypto dynamic-map dymap 10
     set transform-set set
    !
    ! Create the static MAP. Entry 10 is the static entry for R4; R4 has a
    ! static address, so match address and set peer can be used.
    crypto map map 10 ipsec-isakmp
     set peer 34.1.1.4
     set transform-set set
     match address r4list
    ! Bind the dynamic MAP just created into the static MAP. The sequence number
    ! bound to the dynamic MAP should be larger, so that the static entries are
    ! matched first.
    crypto map map 1000 ipsec-isakmp dynamic dymap
    !
    ip route 0.0.0.0 0.0.0.0 Ethernet0/1
    !
    ip access-list extended r4list
     permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255

Summary of dynamic MAP: compared with a static MAP, a dynamic MAP does not know the peer's address, that is, the address where the IPsec tunnel is established, so the key for the IKE exchange can only be written with all zeros (0.0.0.0 0.0.0.0). The dynamic MAP also has no set peer or match address commands. There is no set peer because the peer's address is unknown, and there is no match address to match interesting traffic because the hub does not know which traffic (that is, which private addresses) the other side needs to encrypt. Since the hub cannot know the spoke's address, a session between the two can only be initiated from the SPOKE side toward the hub; only after the IKE SA and IPsec SA have been established can the HUB actively access the SPOKE.
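The ordering rule and the all-zeros key described above can be checked automatically on a hub configuration. The following Python audit is an added example, not part of the original article or of any Cisco tool; the function name `audit_crypto_config` and the check labels are assumptions, and the sample input is constructed from the article's R2 crypto lines.

```python
import re

# Sample input constructed from the article's R2 hub configuration.
R2_CONFIG = """\
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set set esp-des esp-md5-hmac
crypto dynamic-map dymap 10
 set transform-set set
crypto map map 10 ipsec-isakmp
 set peer 34.1.1.4
 set transform-set set
 match address r4list
crypto map map 1000 ipsec-isakmp dynamic dymap
"""

# Transforms built on DES or MD5, both long considered too weak for new tunnels.
WEAK_TRANSFORMS = {"esp-des", "esp-md5-hmac", "ah-md5-hmac"}

def audit_crypto_config(config):
    """Return sorted (check, detail) findings for an IOS hub crypto config."""
    findings = []
    static_seqs, dynamic_seqs = {}, {}  # crypto map name -> sequence numbers
    for line in config.splitlines():
        words = line.split()
        # Wildcard pre-shared key: any source address may authenticate with it.
        # The key itself is deliberately left out of the finding.
        if words[:3] == ["crypto", "isakmp", "key"] and \
                words[-3:] == ["address", "0.0.0.0", "0.0.0.0"]:
            findings.append(("wildcard-psk", "key accepted from any peer address"))
        if words[:3] == ["crypto", "ipsec", "transform-set"]:
            weak = sorted(WEAK_TRANSFORMS & set(words[4:]))
            if weak:
                findings.append(("weak-transform", f"{words[3]}: {', '.join(weak)}"))
        # crypto map <name> <seq> ipsec-isakmp [dynamic <dynamic-map-name>]
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp( dynamic \S+)?\s*$", line)
        if m:
            bucket = dynamic_seqs if m.group(3) else static_seqs
            bucket.setdefault(m.group(1), []).append(int(m.group(2)))
    # Entries are tried in ascending sequence order, so a dynamic entry numbered
    # below a static one would be matched before that static peer's entry.
    for name, seqs in dynamic_seqs.items():
        for seq in seqs:
            if any(s > seq for s in static_seqs.get(name, [])):
                findings.append(("dynamic-before-static", f"{name} seq {seq}"))
    return sorted(findings)

if __name__ == "__main__":
    for check, detail in audit_crypto_config(R2_CONFIG):
        print(f"{check}: {detail}")
```

On the article's configuration the audit reports the DES/MD5 transform set and the wildcard key, and confirms that the dynamic entry (1000) sits after the static entry (10).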