...誉天Cisco/Linux/Oracle认证+IT系统运维

文章来源: CISCO中文社区

使用CISCO客户端的EZVPN配置方法，近日整理了一下，发上来，好的话请支持哈。

EZVPN server的配置   部分图片不能转载原文请参见 ：http://www.51chongdian.com/52network/dispbbs.asp?boardid=124&id=12659

使用cisco的客户端的EZVPN  

EZVPN server的配置：
hostname SERVER
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$Wo/W$hfrOeI3NxEM0m8sFiegdS/
!
username cisco password 0 cisco
memory-size iomem 5
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ezvpn local
aaa authorization network ezvpn local
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
!
!
ip cef
ip ips po max-events 100
no ftp-server write-enable
crypto isakmp policy 10

encr 3des

authentication pre-share

group 2
!
crypto isakmp client configuration group ccie

key itmop
dns 10.10.10.110
domain cisco.com
pool ccie
acl 100
save-password

crypto ipsec transform-set ccnp esp-3des esp-sha-hmac
crypto dynamic-map dezvpn 10

set transform-set ccnp

reverse-route
crypto map abc client authentication list ezvpn
crypto map abc isakmp authorization list ezvpn
crypto map abc client configuration address respond
crypto map abc 10 ipsec-isakmp dynamic dezvpn
interface Ethernet0/0

no ip address
shutdown
half-duplex
!
interface Ethernet0/1

ip address 172.16.23.3 255.255.255.0

half-duplex

crypto map abc
!
interface Ethernet0/2

ip address 10.10.10.100 255.255.255.0

half-duplex
!

ip local pool ccie 192.168.1.50 192.168.1.100
ip http server
no ip http secure-server
ip classless
ip route 172.16.0.0 255.255.255.0 172.16.23.2
line con 0

exec-timeout 0 0

logging synchronous
line aux 0
line vty 0 4
!
!
End


中间router：

r2#sh run
Building configuration...

Current configuration : 846 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r2
no ip domain lookup
ip cef
ip ips po max-events 100
no ftp-server write-enable
interface Ethernet0/0

no ip address

shutdown

half-duplex
!
interface Ethernet0/1

ip address 172.16.23.2 255.255.255.0

half-duplex
!
interface Ethernet0/2

ip address 172.16.0.1 255.255.255.0

half-duplex
!
interface Ethernet0/3

no ip address

shutdown

half-duplex
!
ip http server
no ip http secure-server
ip classless
control-plane
line con 0

exec-timeout 0 0

logging synchronous
line aux 0
line vty 0 4
!
!
End


PC做的VPN客户端

监控：
r3#sh crypto ipsec sa
interface: Ethernet0/1
Crypto map tag: abc, local addr. 172.16.23.3
protected vrf:
local
ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.52/255.255.255.255/0/0)
current_peer: 172.16.0.105:500
PERMIT, flags={}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 172.16.23.3, remote crypto endpt.: 172.16.0.105
path mtu 1500, media mtu 1500
current outbound spi: 861DEEFF
inbound esp sas:
spi: 0x4A4FD3F3(1246745587)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2000, flow_id: 3, crypto map: abc
crypto engine type: Software, engine_id: 1
sa timing: remaining key lifetime (k/sec): (4524103/1165)
ike_cookies: 4A903E7A D86EEA22 40900E13 9BF9B7C9
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x861DEEFF(2250108671)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2001, flow_id: 4, crypto map: abc
crypto engine type: Software, engine_id: 1
sa timing: remaining key lifetime (k/sec): (4524102/1165)
ike_cookies: 4A903E7A D86EEA22 40900E13 9BF9B7C9
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:

r3#sh crypto isakmp sa
dst                   src                 state     conn-id slot
172.16.23.3 172.16.0.105     QM_IDLE    2          0

r3#sh crypto session
Crypto session current status

Interface: Ethernet0/1
Session status: UP-ACTIVE
Peer: 172.16.0.105/500

IKE SA: local 172.16.23.3/500 remote 172.16.0.105/500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 192.168.1.52
Active SAs: 2, origin: dynamic crypto map

CISCO EZVPN 配置 VPN IOS CCSP 网络安全