Easy VPN Lab
I. EZVPN Between Router and Router
1) Overview
Cisco Easy VPN uses one consistent policy and key-management model, so a single deployment can integrate every kind of Easy VPN Remote device (Cisco routers, Cisco PIX firewalls, the Cisco VPN 3002 hardware client, or the software client). This greatly simplifies management and configuration of the remote side. Put simply: the complex policy, key-management and related commands are configured on the server, and the client needs only a few short commands to bring up a VPN tunnel to the server. The main purpose is to simplify configuration and management of the remote devices.
2) Lab environment
Topology and IP address assignment (as used in the configurations below):
  PC (192.168.100.21) -- f0/0 192.168.100.1 [EZVPN-Client] s1/2 10.1.2.2 -- s1/1 10.1.2.1 [ISP] s1/0 10.1.1.2 -- s1/2 10.1.1.1 [EZVPN-Server] f0/0 192.168.1.251 -- WEB server (192.168.1.244)
The ISP router knows only the two serial links; it has no route to either private LAN (192.168.100.0/24 or 192.168.1.0/24).
3) Purpose of the lab
Use Easy VPN so that users on the remote client side can reach the web server on the server-side internal network. Concretely, the client PC must be able to ping the web server behind EZVPN-Server and open its home page in Internet Explorer.
4) Basic lab configuration and connectivity test
In this step we configure basic connectivity on the routers, plus a few housekeeping commands, and verify with ping.
Basic configuration of EZVPN-Server:
  enable
  conf t
  hostname EZVPN-Server
  enable secret cisco
  no ip domain-lookup
  line console 0
   exec-timeout 0 0
   logging synchronous
   exit
  line vty 0 4
   exec-timeout 0 0
   password cisco
   login
   exit
  interface serial 1/2
   ip address 10.1.1.1 255.255.255.0
   no shutdown
   exit
  interface fastethernet 0/0
   ip address 192.168.1.251 255.255.255.0
   no shutdown
   exit
  ip route 0.0.0.0 0.0.0.0 serial 1/2
Basic configuration of EZVPN-Client:
  enable
  conf t
  hostname EZVPN-Client
  enable secret cisco
  no ip domain-lookup
  line console 0
   exec-timeout 0 0
   logging synchronous
   exit
  line vty 0 4
   exec-timeout 0 0
   password cisco
   login
   exit
  interface serial 1/2
   ip address 10.1.2.2 255.255.255.0
   no shutdown
   exit
  interface fastethernet 0/0
   ip address 192.168.100.1 255.255.255.0
   no shutdown
   exit
  ip route 0.0.0.0 0.0.0.0 serial 1/2
Basic configuration of ISP:
  enable
  conf t
  hostname ISP
  enable secret cisco
  no ip domain-lookup
  line console 0
   exec-timeout 0 0
   logging synchronous
   exit
  line vty 0 4
   exec-timeout 0 0
   password cisco
   login
   exit
  interface serial 1/0
   ip address 10.1.1.2 255.255.255.0
   no shutdown
   exit
  interface serial 1/1
   ip address 10.1.2.1 255.255.255.0
   no shutdown
   exit
Ping tests from EZVPN-Client:
  EZVPN-Client#ping 10.1.1.1
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
  !!!!!
  Success rate is 100 percent (5/5), round-trip min/avg/max = 140/163/192 ms
  EZVPN-Client#ping 192.168.1.244
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 192.168.1.244, timeout is 2 seconds:
  .....
  Success rate is 0 percent (0/5)
Ping tests from EZVPN-Server:
  EZVPN-Server#ping 10.1.2.2
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 10.1.2.2, timeout is 2 seconds:
  !!!!!
  Success rate is 100 percent (5/5), round-trip min/avg/max = 72/95/140 ms
  EZVPN-Server#ping 192.168.100.21
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 192.168.100.21, timeout is 2 seconds:
  .....
  Success rate is 0 percent (0/5)
Ping tests from the PC:
  C:\Documents and Settings\cx>ping 192.168.100.1 -n 2
  Pinging 192.168.100.1 with 32 bytes of data:
  Reply from 192.168.100.1: bytes=32 time=14ms TTL=255
  Reply from 192.168.100.1: bytes=32 time=6ms TTL=255
  Ping statistics for 192.168.100.1:
      Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
  Approximate round trip times in milli-seconds:
      Minimum = 6ms, Maximum = 14ms, Average = 10ms
  C:\Documents and Settings\cx>ping 10.1.2.2 -n 2
  Pinging 10.1.2.2 with 32 bytes of data:
  Reply from 10.1.2.2: bytes=32 time=7ms TTL=255
  Reply from 10.1.2.2: bytes=32 time=5ms TTL=255
  Ping statistics for 10.1.2.2:
      Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
  Approximate round trip times in milli-seconds:
      Minimum = 5ms, Maximum = 7ms, Average = 6ms
  C:\Documents and Settings\cx>ping 10.1.1.1 -n 2
  Pinging 10.1.1.1 with 32 bytes of data:
  Request timed out.
  Request timed out.
  Ping statistics for 10.1.1.1:
      Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
Ping tests from the WEB server:
  C:\Documents and Settings\Administrator>ping 192.168.1.251 -n 2
  Pinging 192.168.1.251 with 32 bytes of data:
  Reply from 192.168.1.251: bytes=32 time=67ms TTL=255
  Reply from 192.168.1.251: bytes=32 time=15ms TTL=255
  Ping statistics for 192.168.1.251:
      Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
  Approximate round trip times in milli-seconds:
      Minimum = 15ms, Maximum = 67ms, Average = 41ms
  C:\Documents and Settings\Administrator>ping 10.1.1.1 -n 2
  Pinging 10.1.1.1 with 32 bytes of data:
  Reply from 10.1.1.1: bytes=32 time=429ms TTL=255
  Reply from 10.1.1.1: bytes=32 time=155ms TTL=255
  Ping statistics for 10.1.1.1:
      Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
  Approximate round trip times in milli-seconds:
      Minimum = 155ms, Maximum = 429ms, Average = 292ms
  C:\Documents and Settings\Administrator>ping 10.1.2.2 -n 2
  Pinging 10.1.2.2 with 32 bytes of data:
  Request timed out.
  Request timed out.
  Ping statistics for 10.1.2.2:
      Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
The tests show that the two routers reach each other's public serial addresses, but a host on the client-side LAN cannot reach the server-side web server: the ISP has no route back to either private network, so a private source address is dropped as soon as it leaves its own router. Next we configure Easy VPN so that this traffic is carried inside the tunnel.
5) Easy VPN configuration (without XAUTH)
Configuration steps on EZVPN-Server:
1. Create the IP address pool and the local user database
  ip local pool Remote-Pool 172.16.1.200 172.16.1.250
  username cisco password cisco123
  (Addresses from Remote-Pool are handed to clients by Mode Config. The local user is not consulted in this section; it is only used once XAUTH user authentication is enabled.)
2. Configure group policy lookup
  aaa new-model
  aaa authorization network vpn-group local
  (The original text printed "aaa new-mode"; the IOS command is aaa new-model, and the other aaa commands are not enabled without it.)
3. Create the ISAKMP policy for remote VPN client access
  crypto isakmp enable
  crypto isakmp policy 10
   authentication pre-share
   encryption 3des
   group 2
   exit
  show crypto isakmp policy
4. Define the group policy pushed to clients by Mode Config
  crypto isakmp client configuration group test
   key VPNKEY            (the pre-shared key used by "authentication pre-share")
   domain cisco.com
   pool Remote-Pool
   exit
5. Create the transform set
  crypto ipsec transform-set VPNTRANSFORM esp-3des esp-sha-hmac
   exit
  show crypto ipsec transform-set
6. Create the dynamic crypto map with RRI (reverse route injection)
  crypto dynamic-map Dynamic-Map 10
   set transform-set VPNTRANSFORM
   reverse-route
   exit
  show crypto dynamic-map
7. Bind Mode Config and group authorization to the crypto map
  crypto map ClientMap client configuration address respond
  crypto map ClientMap isakmp authorization list vpn-group
  crypto map ClientMap 65535 ipsec-isakmp dynamic Dynamic-Map
8. Apply the crypto map to the router's outside interface
  interface serial 1/2
   crypto map ClientMap
   exit
  show crypto map
9. Enable IKE DPD (dead peer detection)
  crypto isakmp keepalive 20 10
Two caveats for anything beyond a lab: 3DES and 1024-bit DH group 2 are considered weak today, and because this section has no XAUTH, knowing the group name "test" and the key VPNKEY is all a device needs to bring up a tunnel and receive a pool address.
Configuration steps on EZVPN-Client:
1. Define the client IPsec policy
  crypto ipsec client ezvpn R6-Client
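The points above (the aaa new-model typo, the absence of XAUTH, and the 3DES/group 2 choices) are exactly what a reviewer checks before a configuration like this leaves the lab. The following script is an added example, not code from the original lab: it parses an IOS-style configuration into top-level commands and their indented sub-commands, then runs those checks over the EZVPN-Server configuration transcribed from the steps above and over an assumed hardened variant (AES-256, SHA-256, DH group 14, a hashed local user, and XAUTH via "client authentication list"). The check names, severities and the hardened commands are this example's own choices; whether the lab's IOS version accepts those algorithms is an assumption.

```python
"""Lint an IOS Easy VPN server config for weak or missing settings.
Added example, not code from the original lab; check names, severities
and the hardened variant are this example's own choices."""
import re

# Transcribed from the lab's EZVPN-Server steps (no XAUTH). The typo
# "aaa new-mode" is kept exactly as the lab printed it.
LAB_SERVER_CONFIG = """\
username cisco password cisco123
aaa new-mode
aaa authorization network vpn-group local
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 group 2
crypto isakmp client configuration group test
 key VPNKEY
crypto ipsec transform-set VPNTRANSFORM esp-3des esp-sha-hmac
crypto map ClientMap client configuration address respond
crypto map ClientMap isakmp authorization list vpn-group
crypto map ClientMap 65535 ipsec-isakmp dynamic Dynamic-Map
"""

# Assumed hardening (not from the lab): AES-256/SHA-256/DH group 14, hashed
# local user, XAUTH via 'client authentication list'. IOS 15.x syntax assumed.
HARDENED_SERVER_CONFIG = """\
username cisco secret cisco123
aaa new-model
aaa authentication login vpn-users local
aaa authorization network vpn-group local
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 hash sha256
 group 14
crypto isakmp client configuration group test
 key VPNKEY
crypto ipsec transform-set VPNTRANSFORM esp-aes 256 esp-sha256-hmac
crypto map ClientMap client authentication list vpn-users
crypto map ClientMap isakmp authorization list vpn-group
crypto map ClientMap 65535 ipsec-isakmp dynamic Dynamic-Map
"""

WEAK_CIPHERS = {"des", "3des", "esp-des", "esp-3des"}
WEAK_DH_GROUPS = {"1", "2", "5"}  # 768/1024/1536-bit MODP


def parse_blocks(config):
    """Split IOS config text into (top-level command, [indented sub-commands])."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_ezvpn_server(config):
    """Return (severity, check_id, detail) findings for an EZVPN server config."""
    blocks = parse_blocks(config)
    tops = [top for top, _ in blocks]
    findings = []
    if "aaa new-model" not in tops:
        findings.append(("high", "aaa-new-model",
                         "aaa new-model absent; 'aaa authorization network' is not in effect"))
    for top, sub in blocks:
        if top.startswith("crypto isakmp policy"):
            for cmd in sub:
                words = cmd.split()
                if len(words) > 1 and words[0] == "encryption" and words[1] in WEAK_CIPHERS:
                    findings.append(("medium", "ike-weak-cipher", f"{top}: {cmd}"))
                if len(words) > 1 and words[0] == "group" and words[1] in WEAK_DH_GROUPS:
                    findings.append(("medium", "ike-weak-dh", f"{top}: {cmd}"))
        elif top.startswith("crypto ipsec transform-set"):
            if any(algo in WEAK_CIPHERS for algo in top.split()[4:]):
                findings.append(("medium", "ipsec-weak-cipher", top))
        elif top.startswith("crypto isakmp client configuration group"):
            if any(cmd.startswith("key ") for cmd in sub):
                findings.append(("info", "group-psk",
                                 f"{top}: shared group key; any holder can start IKE"))
        elif re.match(r"username \S+ password ", top):
            findings.append(("medium", "username-plaintext", top))
    # Without XAUTH the group key alone authenticates the remote device.
    for name in sorted({t.split()[2] for t in tops if t.startswith("crypto map ")}):
        if not any(t.startswith(f"crypto map {name} client authentication list") for t in tops):
            findings.append(("high", "no-xauth",
                             f"crypto map {name}: no 'client authentication list' (XAUTH)"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("lab", LAB_SERVER_CONFIG), ("hardened", HARDENED_SERVER_CONFIG)):
        print(f"== {label} ==")
        for sev, check, detail in audit_ezvpn_server(cfg):
            print(f"[{sev:6}] {check}: {detail}")
```

Run against the lab configuration it reports seven findings (the missing aaa new-model, the plaintext username, 3DES and group 2 in the IKE policy, the group key, 3DES in the transform set, and no XAUTH on ClientMap); against the hardened variant only the group pre-shared key remains, which Easy VPN group authentication requires by design. On the real router, verify the result of the configuration with show crypto isakmp sa, show crypto ipsec sa and show ip route (the reverse-route entry for the client's pool address should appear once the tunnel is up).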