EZvpn

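EZvpn is Cisco proprietary.
It has a server side and a client side. The client configuration is simple; the server configuration is somewhat more involved by comparison.
The client has three modes: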
1.Client Mode
2.Network Extension Mode
3.Network Extension Plus Mode
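IP addressing rule: for example, the R1-R2 link uses 12.1.1.1-12.1.1.2/24, and the other links follow the same pattern.
This lab uses only static routes to ensure reachability.
Client configuration (R2):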
crypto ipsec client ezvpn ezvpn-client
 connect auto
 group vpnclient key cisco
 mode network-plus
 peer 34.1.1.4
 username cisco password cisco
 xauth userid mode local

interface FastEthernet0/0
 ip address 12.1.1.2 255.255.255.0
 duplex auto
 speed auto
 crypto ipsec client ezvpn ezvpn-client inside
!
interface FastEthernet0/1
 ip address 23.1.1.2 255.255.255.0
 duplex auto
 speed auto
 ! When EZvpn is built over a dial-up interface, apply this under the Dialer interface, which is bound to the physical interface.
 crypto ipsec client ezvpn ezvpn-client

ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip route 34.1.1.0 255.255.255.0 FastEthernet0/1 23.1.1.3
ip route 45.1.1.0 255.255.255.0 FastEthernet0/1
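Note: when writing static routes people usually write only the next hop, and that is what I do, but it is recommended to write both the outgoing interface and the next hop, because after the router finds the next hop in the routing table it still has to look up the outgoing interface, which adds to the router's CPU load.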

Server configuration (R4):
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common

! This must match the Client
username cisco password cisco

! IKE policy configuration
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2

! Group policy configuration
crypto isakmp client configuration group vpnclient
 key cisco
 pool EZvpnpool
 acl EZvpn
 save-password

! IPsec transform set
crypto ipsec transform-set cisco esp-3des esp-sha-hmac

! Dynamic crypto map
crypto dynamic-map dynamap 10
 set transform-set cisco
 reverse-route

crypto map cisco client authentication list userauthen
crypto map cisco isakmp authorization list groupauthor
crypto map cisco client configuration address initiate
crypto map cisco client configuration address respond
crypto map cisco 10 ipsec-isakmp dynamic dynamap

ip access-list extended EZvpn
 permit ip any any

! Apply crypto map cisco, which references the dynamic crypto map dynamap created above, on the interface
interface FastEthernet0/0
 ip address 34.1.1.4 255.255.255.0
 duplex auto
 speed auto
 crypto map cisco

ip local pool EZvpnpool 45.1.1.10 45.1.1.100
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
! The route is still written in the recommended form
ip route 23.1.1.0 255.255.255.0 FastEthernet0/0 34.1.1.3
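Other show commands can also display the configuration used by IPSec SA negotiation on the Easy VPN server and a summary of the crypto engine's active connections, but I have forgotten them...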
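
The R4 server configuration above uses 3DES, Diffie-Hellman group 2, a five-character group key, a plain `password` user entry and save-password. As an added example (not part of the original post), this Python script flags those settings when reviewing an IOS configuration; the rule names, the 16-character key threshold and the top-level keyword heuristic are assumptions of this example.

```python
import re

# Constructed sample: a subset of the R4 server configuration shown above.
SAMPLE = """\
username cisco password cisco
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group vpnclient
 key cisco
 pool EZvpnpool
 acl EZvpn
 save-password
crypto ipsec transform-set cisco esp-3des esp-sha-hmac
"""

TOP = ("crypto ", "interface ", "ip ", "aaa ", "username ")  # heuristic: lines that open a new context

def audit(config):
    """Return (line_no, rule, text) findings for weak Easy VPN settings."""
    findings, parent = [], ""
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(TOP):
            parent = line  # works with or without indentation in the input
        in_policy = parent.startswith("crypto isakmp policy")
        in_group = parent.startswith("crypto isakmp client configuration group")
        if re.match(r"username \S+ password ", line):
            rule = "reversible-password"  # 'secret' stores a one-way hash instead
        elif in_policy and re.fullmatch(r"encr(yption)? (3?des)", line):
            rule = "weak-ike-cipher"
        elif in_policy and re.fullmatch(r"group [125]", line):
            rule = "weak-dh-group"  # groups 1, 2 and 5 are at most 1536-bit MODP
        elif in_group and line == "save-password":
            rule = "xauth-password-stored-on-client"
        elif in_group and (m := re.fullmatch(r"key (\S+)", line)) and len(m.group(1)) < 16:
            rule = "short-group-key"  # 16 is an assumed policy threshold
        elif line.startswith("crypto ipsec transform-set") and re.search(r"\besp-(3?des)\b", line):
            rule = "weak-esp-cipher"
        else:
            continue
        findings.append((no, rule, line))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```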

end


Reposted from blog.csdn.net/ikaros_fire/article/details/83090532