Lab
Implementing Easy VPN on a router
Topology diagram:
Command configuration:
R1
R1#conf t
R1(config)#int f0/0
R1(config-if)#ip address 192.168.11.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#ex
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.11.2
R2
R2#conf t
R2(config)#int f0/0
R2(config-if)#ip address 192.168.11.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#ex
R2(config)#int f1/0
R2(config-if)#ip address 192.168.23.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#ex
R2(config)#ip route 0.0.0.0 0.0.0.0 192.168.23.3
AAA authentication:
R2(config)#aaa new-model
R2(config)#aaa authentication login vpn_1 local
R2(config)#aaa authorization network vpn_2 local
Create the local user and password:
R2(config)#username benet password abc-123
Create the VPN access ACL:
R2(config)#ip access-list extended vpn_acl
R2(config-ext-nacl)#permit ip 192.168.11.0 0.0.0.255 any
Create the local address pool (on a different subnet from the existing internal network):
R2(config)#ip local pool benet-pool 192.168.12.10 192.168.12.222
Create the client authentication group and password:
R2(config)#crypto isakmp client configuration group vpn-group
R2(config-isakmp-group)#key abc-123
R2(config-isakmp-group)#dns 192.168.12.2
R2(config-isakmp-group)#pool benet-pool
R2(config-isakmp-group)#acl vpn_acl
IKE authentication configuration:
R2(config-isakmp-group)#exit
R2(config)#crypto isakmp policy 1
R2(config-isakmp)#encryption 3des
R2(config-isakmp)#hash sha
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#group 2
Create the VPN transform set:
R2(config-isakmp)#exit
R2(config)#crypto ipsec transform-set benet esp-3des esp-sha-hmac
R2(cfg-crypto-trans)#mode tunnel
Create the dynamic map:
R2(cfg-crypto-trans)#ex
R2(config)#crypto dynamic-map benet-dymap 1
R2(config-crypto-map)#set transform-set benet
Create the static map:
R2(config-crypto-map)#ex
R2(config)#crypto map benet-1 client authentication list vpn_1
R2(config)#crypto map benet-1 isakmp authorization list vpn_2
R2(config)#crypto map benet-1 client configuration address respond
R2(config)#crypto map benet-1 1000 ipsec-isakmp dynamic benet-dymap
Apply to the interface:
R2(config)#int f1/0
R2(config-if)#crypto map benet-1
R3
R3#conf t
R3(config)#int f0/0
R3(config-if)#ip address 192.168.23.3 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#ex
R3(config)#int f1/0
R3(config-if)#ip address 192.168.34.3 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#ex
R3(config)#int f2/0
R3(config-if)#ip address 192.168.190.2 255.255.255.0
R3(config-if)#no sh
R4
R4#conf t
R4(config)#int f0/0
R4(config-if)#ip address 192.168.34.4 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#ex
R4(config)#ip route 0.0.0.0 0.0.0.0 192.168.34.3
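Use the software to log in with the account and password set earlier.
After double-clicking, log in with the benet account and password.
Then run a ping test to verify connectivity.
The connection uses an IP address from the address pool created earlier.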
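
An added example, not part of the original lab: a short Python check that audits R2's Easy VPN settings for choices that work in a lab but are weak in production (3DES, DH group 2, a reversible `username ... password`, the group key reused as the user password) and confirms that the address pool stays off the router's connected subnets. The `R2_CONFIG` text is constructed from the commands above with the prompts stripped; the `audit` function and the finding names are hypothetical.

```python
import ipaddress

# Constructed sample: R2's commands from this lab with the prompts stripped.
R2_CONFIG = """\
interface f0/0
 ip address 192.168.11.2 255.255.255.0
interface f1/0
 ip address 192.168.23.2 255.255.255.0
username benet password abc-123
ip local pool benet-pool 192.168.12.10 192.168.12.222
crypto isakmp client configuration group vpn-group
 key abc-123
crypto isakmp policy 1
 encryption 3des
 group 2
crypto ipsec transform-set benet esp-3des esp-sha-hmac
"""

WEAK_DH = {"1", "2", "5"}  # MODP groups of 1536 bits or fewer
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}


def audit(config):
    """Return sorted finding names (hypothetical labels) for an Easy VPN server config."""
    rows = [l.split() for l in config.splitlines() if l.strip()]
    # First pass: connected subnets and user passwords stored with "password".
    nets = [ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
            for w in rows if w[:2] == ["ip", "address"] and len(w) >= 4]
    user_pw = {w[-1] for w in rows if w[0] == "username" and w[2:3] == ["password"]}
    found = {"user-password-not-secret"} if user_pw else set()  # "secret" stores a hash
    for w in rows:
        arg = w[1] if len(w) > 1 else ""
        if w[0] == "encryption" and arg in ("des", "3des"):
            found.add("weak-ike-encryption")
        elif w[0] == "group" and arg in WEAK_DH:
            found.add("weak-dh-group")
        elif w[:3] == ["crypto", "ipsec", "transform-set"] and WEAK_ESP & set(w[4:]):
            found.add("weak-esp-transform")
        elif w[0] == "key" and arg in user_pw:
            found.add("group-key-reused-as-user-password")
        elif w[:3] == ["ip", "local", "pool"] and len(w) >= 6:
            lo, hi = ipaddress.ip_address(w[4]), ipaddress.ip_address(w[5])
            if any(lo in n or hi in n for n in nets):
                found.add("pool-overlaps-connected-subnet")
    return sorted(found)

if __name__ == "__main__":
    print("\n".join(audit(R2_CONFIG)))
```

On the lab configuration this reports five findings and no pool overlap, since 192.168.12.10 to 192.168.12.222 lies outside both 192.168.11.0/24 and 192.168.23.0/24.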