Topology diagram:


Lab objectives

1. Let the mobile user PC2 log in to R1 through Easy VPN using the VPN client software, so that PC2 can ping PC1.

2. While PC2 can ping R1, it must still be able to reach the Internet, i.e., PC2 can also ping R5 (split tunneling).

Lab approach

1. In a real deployment PC2 is just a mobile user, so the configuration of R2, R3 and R5 can be ignored; all that matters is that PC2 can reach the Internet.
2. The main configuration is on R1.


Configuration commands


1. Create the Easy VPN login username and password

username cisco password 0 cisco

2. Configure AAA

aaa new-model
aaa authentication login userauthen local
aaa authorization network userauthor local

3. Configure the ISAKMP policy

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2

4. Configure the split-tunnel ACL (note: a named ACL did not take effect in this lab, so an extended numbered ACL is used)

access-list 100 permit ip 192.168.1.0 0.0.0.255 any

5. Create the client pool, i.e., the IP addresses assigned to VPN clients

ip local pool ezpool 10.10.10.1 10.10.10.100

6. Configure the client group

crypto isakmp client configuration group luotao
 key cisco123
 dns 202.96.134.133
 wins 1.1.1.1
 domain luotao.com
 pool ezpool
 acl 100

7. Configure the transform set

crypto ipsec transform-set myset esp-3des esp-md5-hmac

8. Configure the dynamic crypto map

crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route

9. Configure the VPN crypto map

crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list userauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap

10. Apply the VPN crypto map to the interface

interface Serial1/1
 crypto map clientmap


Configuration complete


Finally, the full configuration file:

Router#sh run
Building configuration...

Current configuration : 1998 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network userauthor local
!
!
aaa session-id common
ip cef
!        
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username cisco password 0 cisco
!
!
!        
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group luotao
 key cisco123
 dns 202.96.134.133
 wins 1.1.1.1
 domain luotao.com
 pool ezpool
 acl 100
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list userauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface Loopback0
 ip address 192.168.2.2 255.255.255.0
!
interface Loopback1
 ip address 192.168.3.2 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex half
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!        
interface Serial1/1
 ip address 1.1.1.1 255.255.255.0
 serial restart-delay 0
 crypto map clientmap
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface FastEthernet2/0
 no ip address
 shutdown
 duplex half
!
ip local pool ezpool 10.10.10.1 10.10.10.100
ip route 0.0.0.0 0.0.0.0 Serial1/1
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 stopbits 1
line aux 0
line vty 0 4
!
!
end
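As an added example (my own script, not part of the original post), a small Python audit that cross-checks the pieces of an Easy VPN server configuration like the one above: every name one command refers to (pool, split-tunnel ACL, transform set, AAA lists, dynamic map, the crypto map bound to an interface) must be defined elsewhere, and it flags the 3DES / DH group 2 choices that work in this lab but are below current baselines. The sample input is the Easy VPN-related subset of the R1 running config shown on this page; the rule tables are my own assumptions about which IOS keywords matter.

```python
import re

# Constructed sample input: the Easy VPN-related lines of R1's "sh run" from this page.
R1_CONFIG = """\
aaa authentication login userauthen local
aaa authorization network userauthor local
crypto isakmp policy 10
 encr 3des
 group 2
crypto isakmp client configuration group luotao
 pool ezpool
 acl 100
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10
 set transform-set myset
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list userauthor
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Serial1/1
 crypto map clientmap
ip local pool ezpool 10.10.10.1 10.10.10.100
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
"""
# (regex capturing a referenced name, regex with {0}=name that some defining line must match)
REFS = [
    (r"^pool (\S+)$", r"^ip local pool {0} "),
    (r"^acl (\S+)$", r"^access-list {0} "),
    (r"^set transform-set (\S+)$", r"^crypto ipsec transform-set {0} "),
    (r"client authentication list (\S+)$", r"^aaa authentication login {0} "),
    (r"isakmp authorization list (\S+)$", r"^aaa authorization network {0} "),
    (r"ipsec-isakmp dynamic (\S+)$", r"^crypto dynamic-map {0} "),
    (r"^crypto map (\S+)$", r"^crypto map {0} \d+ ipsec-isakmp"),  # interface binding -> map
    (r"^crypto map (\S+) \d+ ipsec-isakmp", r"^crypto map {0}$"),   # map -> applied on an interface
]
WEAK = [  # settings that work in this lab but are below current baselines
    (r"\b(3des|md5|group [125])\b", "a legacy algorithm (3DES, MD5, DH group 1/2/5)"),
]
def audit_easyvpn(cfg):
    """Return 'missing:'/'weak:' findings; nesting is ignored, which is fine for these keywords."""
    lines = [l.strip() for l in cfg.splitlines() if l.strip() and not l.startswith("!")]
    findings = []
    for line in lines:
        for ref, defn in REFS:
            m = re.search(ref, line)
            if m and not any(re.search(defn.format(re.escape(m.group(1))), l) for l in lines):
                findings.append(f"missing: '{line}' refers to {m.group(1)}, which is not defined")
        for pat, why in WEAK:
            if re.search(pat, line):
                findings.append(f"weak: '{line}' uses {why}")
    return findings
```

Run against the page's config it reports no dangling references and three weak-algorithm lines; deleting the `ip local pool` line or the `crypto map clientmap` under Serial1/1 produces a "missing:" finding.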