K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: Serial1/2
Username: cisco   Group: test
Assigned address: 172.16.1.201
Uptime: 00:02:26
Session status: UP-ACTIVE
Peer: 10.1.2.2 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: test
      Desc: (none)
  IKE SA: local 10.1.1.1/500 remote 10.1.2.2/500 Active
          Capabilities:CDX connid:1002 lifetime:23:57:16
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 172.16.1.201
        Active SAs: 2, origin: dynamic crypto map
        Inbound:  #pkts dec'ed 341 drop 0 life (KB/Sec) 4512820/3453
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4512860/3453

EZVPN-Server#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     172.16.0.0/32 is subnetted, 1 subnets
S       172.16.1.201 [1/0] via 10.1.2.2
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, Serial1/2
C    192.168.1.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 is directly connected, Serial1/2

The S 172.16.1.201 [1/0] via 10.1.2.2 entry is the host route that reverse-route injection installed for the address assigned to the remote; it points at the remote's outside address 10.1.2.2.

10) Test connectivity from the PC to the WEB server. On the PC, ping the WEB Server:
C:\Documents and Settings\cx>ping 192.168.1.244 -n 2

Pinging 192.168.1.244 with 32 bytes of data:

Reply from 192.168.1.244: bytes=32 time=173ms TTL=127
Reply from 192.168.1.244: bytes=32 time=125ms TTL=127
Reply from 192.168.1.244: bytes=32 time=161ms TTL=127
Reply from 192.168.1.244: bytes=32 time=77ms TTL=127

Ping statistics for 192.168.1.244:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 77ms, Maximum = 173ms, Average = 134ms
It worked again. Now let's see whether the WEB page can be opened, as shown in the figure below:
OK, the page opens too; the lab succeeded!
That completes the basic Easy VPN lab!

11) Comparing the three modes of the Easy VPN remote hardware client
Note: (this was tested in the EZVPN Between Router to Router lab environment)
- Client Mode: in this mode, the PCs and hosts on the private network behind the VPN connection do not use any addresses from the destination server's IP address space; instead they reach the server side through a specific NAT or PAT configuration. Client mode automatically configures NAT, PAT and ACLs to bring up the VPN connection. That configuration is created automatically when the VPN connection starts and removed automatically when the VPN tunnel is torn down.
- Network Extension Mode: this mode specifies that the client PCs and hosts reach the destination network through the tunnel on this logical network and a full routing table. NAT and PAT are not used, so client PCs and hosts can access the PCs and hosts on the destination network directly (and, because the remote network is now routed, the destination side can reach them as well).
- Network Extension Plus Mode: this mode is equivalent to network extension mode with one additional feature: it can request an IP address for a loopback interface through mode configuration (MC) and auto-assignment, and Cisco Easy VPN Remote automatically creates IPsec SAs for that interface. The interface is mainly used for troubleshooting (ping, Telnet or SSH).
We change the mode with the following commands:

EZVPN-Client(config)#crypto ipsec client ezvpn name
EZVPN-Client(config-crypto-ezvpn)#mode { client | network-extension | network-plus }

We use the lab environment above to compare the differences between the three modes:

Client mode:
1. Configure and check on EZVPN-Client

crypto ipsec client ezvpn R6-Client
 group test key VPNKEY
 peer 10.1.1.1
 mode client
 connect auto
 username cisco password cisco
 xauth userid mode local
 exit
EZVPN-Clinet#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 4

Tunnel name : R6-Client
Inside interface list: FastEthernet0/0
Outside interface: Serial1/2
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 172.16.1.204
Mask: 255.255.255.255
Default Domain: cisco.com
Save Password: Disallowed
Current EzVPN Peer: 10.1.1.1
EZVPN-Clinet#show ip interface brief
Interface          IP-Address      OK? Method Status                Protocol
FastEthernet0/0    192.168.100.1   YES manual up                    up
Serial1/0          unassigned      YES unset  administratively down down
Serial1/1          unassigned      YES unset  administratively down down
Serial1/2          10.1.2.2        YES manual up                    up
Serial1/3          unassigned      YES unset  administratively down down
NVI0               unassigned      NO  unset  up                    up
Loopback0          172.16.1.204    YES manual up                    up
In client mode we can see that EZVPN-Client automatically creates a loopback interface; when a user behind it needs to reach a host behind EZVPN-Server, EZVPN-Client automatically PATs the traffic to the loopback interface's address. When the client-side PC 192.168.100.21 accesses the server-side PC 192.168.1.88, we can see that EZVPN-Client performed a PAT translation:
EZVPN-Clinet#show ip nat translations
Pro  Inside global        Inside local          Outside local        Outside global
icmp 172.16.1.204:512     192.168.100.21:512    192.168.1.88:512     192.168.1.88:512

2. Check on EZVPN-Server

EZVPN-Server#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     172.16.0.0/32 is subnetted, 1 subnets
S       172.16.1.204 [1/0] via 10.1.2.2
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, Serial1/2
C    192.168.1.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 is directly connected, Serial1/2
Because reverse-route injection is configured, the server automatically creates a static route pointing to the address on the client's loopback interface. Note that this is a /32 host route: from the server side only the translated address is reachable, not the hosts behind the client.

Network extension mode:
1. Configure and check on EZVPN-Client

crypto ipsec client ezvpn R6-Client
 group test key VPNKEY
 peer 10.1.1.1
 mode network-extension
 connect auto
 username cisco password cisco
 xauth userid mode local
 exit
EZVPN-Clinet#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 4

Tunnel name : R6-Client
Inside interface list: FastEthernet0/0
Outside interface: Serial1/2
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Default Domain: cisco.com
Save Password: Disallowed
Current EzVPN Peer: 10.1.1.1
EZVPN-Clinet#show ip interface brief
Interface          IP-Address      OK? Method Status                Protocol
FastEthernet0/0    192.168.100.1   YES manual up                    up
Serial1/0          unassigned      YES unset  administratively down down
Serial1/1          unassigned      YES unset  administratively down down
Serial1/2          10.1.2.2        YES manual up                    up
Serial1/3          unassigned      YES unset  administratively down down
NVI0               unassigned      NO  unset  up                    up
In network extension mode PAT is not needed, so once the VPN is up the two sides behave like one internal LAN. That is why the show crypto ipsec client ezvpn output no longer shows an IP address obtained from the server's address pool: it is no longer needed. How, then, does the server side reach the client's network? Because reverse-route injection is configured on the server, the server automatically creates a static route to the remote's inside network. Keep in mind that this route makes every host on 192.168.100.0/24 reachable from the server side, not just the single loopback address of client mode, so switching a remote from client mode to network extension mode exposes its whole LAN to anything the hub can route to it.

2. Check on EZVPN-Server

EZVPN-Server#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, Serial1/2
C    192.168.1.0/24 is directly connected, FastEthernet0/0
S    192.168.100.0/24 [1/0] via 10.1.2.2
S*   0.0.0.0/0 is directly connected, Serial1/2

Network extension plus mode:
1. Configure and check on EZVPN-Client

crypto ipsec client ezvpn R6-Client
 group test key VPNKEY
 peer 10.1.1.1
 mode network-plus
 connect auto
 username cisco password cisco
 xauth userid mode local
 exit
EZVPN-Clinet#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 4

Tunnel name : R6-Client
Inside interface list: FastEthernet0/0
Outside interface: Serial1/2
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 172.16.1.206
Mask: 255.255.255.255
Default Domain: cisco.com
Save Password: Disallowed
Current EzVPN Peer: 10.1.1.1
EZVPN-Clinet#show ip interface brief
Interface          IP-Address      OK? Method Status                Protocol
FastEthernet0/0    192.168.100.1   YES manual up                    up
Serial1/0          unassigned      YES unset  administratively down down
Serial1/1          unassigned      YES unset  administratively down down
Serial1/2          10.1.2.2        YES manual up                    up
Serial1/3          unassigned      YES unset  administratively down down
NVI0               unassigned      NO  unset  up                    up
Loopback0          172.16.1.206    YES manual up                    up
In this mode all features are the same as in network extension mode, but the client still creates a loopback interface; this time it is used only for troubleshooting.

2. Check on EZVPN-Server

EZVPN-Server#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
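The mode descriptions in 11) and the three experiments above differ in one thing a security reviewer cares about: what reverse-route injection exposes on the hub. The script below is an added example (not part of the original lab and not Cisco code): it parses the hub-side show ip route and the spoke-side show ip nat translations, lists the prefixes RRI injected for the spoke, infers the mode, and reports whether hub-side hosts can initiate connections to the spoke LAN. The sample outputs are constructed from the lab's show commands; the network-plus hub table, which the page truncates, is assumed to carry both the /24 and the /32 route per the mode description. The heuristics and the names rri_routes, pat_in_use, classify_mode and audit are mine.

```python
"""Added example (not from the original lab): infer the Easy VPN Remote mode
from the hub's routing table plus the spoke's NAT table, and report what the
hub can reach behind the spoke. Sample show output below is constructed from
the lab; the mode heuristics are assumptions drawn from the mode descriptions.
"""
from __future__ import annotations

import ipaddress
import re
from typing import List

IPv4Net = ipaddress.IPv4Network

# "S       172.16.1.204 [1/0] via 10.1.2.2"  or  "S    192.168.100.0/24 [1/0] via 10.1.2.2"
ROUTE_RE = re.compile(
    r"^S\s+(?P<prefix>\d+\.\d+\.\d+\.\d+(?:/\d+)?)\s+\[\d+/\d+\]\s+via\s+(?P<nh>\d+\.\d+\.\d+\.\d+)"
)
# Classful header whose mask applies to the child routes printed after it
SUBNETTED_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+/(?P<len>\d+) is subnetted")
# "icmp 172.16.1.204:512  192.168.100.21:512  192.168.1.88:512  192.168.1.88:512"
NAT_RE = re.compile(r"^(?:icmp|tcp|udp)\s+\d+\.\d+\.\d+\.\d+:\d+\s+(?P<local>\d+\.\d+\.\d+\.\d+):\d+")


def rri_routes(show_ip_route: str, peer: str) -> List[IPv4Net]:
    """Static routes injected by reverse-route injection: next hop is the spoke's outside address."""
    current_len = 32
    found: List[IPv4Net] = []
    for raw in show_ip_route.splitlines():
        line = raw.strip()
        m = SUBNETTED_RE.match(line)
        if m:
            current_len = int(m["len"])
            continue
        m = ROUTE_RE.match(line)
        if m and m["nh"] == peer:
            prefix = m["prefix"]
            if "/" not in prefix:  # child line of an "is subnetted" header carries no mask
                prefix = f"{prefix}/{current_len}"
            found.append(ipaddress.ip_network(prefix, strict=False))
    return found


def pat_in_use(show_ip_nat: str, inside_lan: IPv4Net) -> bool:
    """True when a spoke LAN host appears as an 'Inside local' NAT entry (client-mode PAT)."""
    for raw in show_ip_nat.splitlines():
        m = NAT_RE.match(raw.strip())
        if m and ipaddress.ip_address(m["local"]) in inside_lan:
            return True
    return False


def classify_mode(routes: List[IPv4Net], pat: bool, inside_lan: IPv4Net) -> str:
    """Assumed heuristic: client = /32 + PAT; network-extension = LAN only; plus = LAN + /32."""
    lan_exposed = any(inside_lan.subnet_of(r) for r in routes)
    host_route = any(r.prefixlen == 32 for r in routes)
    if lan_exposed and host_route:
        return "network-plus"
    if lan_exposed:
        return "network-extension"
    if host_route and pat:
        return "client"
    return "unknown"


def audit(show_ip_route: str, show_ip_nat: str, peer: str, inside_lan: IPv4Net) -> dict:
    routes = rri_routes(show_ip_route, peer)
    mode = classify_mode(routes, pat_in_use(show_ip_nat, inside_lan), inside_lan)
    return {
        "mode": mode,
        "rri_prefixes": [str(r) for r in routes],
        # hub-initiated traffic reaches spoke LAN hosts only when the LAN itself is routed
        "hub_can_reach_spoke_lan": mode in ("network-extension", "network-plus"),
    }


# --- constructed sample output, trimmed to the lines that matter ---
SPOKE_PEER = "10.1.2.2"
SPOKE_LAN = ipaddress.ip_network("192.168.100.0/24")
HUB_COMMON = (
    "     10.0.0.0/24 is subnetted, 1 subnets\n"
    "C       10.1.1.0 is directly connected, Serial1/2\n"
    "C    192.168.1.0/24 is directly connected, FastEthernet0/0\n"
    "S*   0.0.0.0/0 is directly connected, Serial1/2\n"
)
HUB_ROUTES_CLIENT = "     172.16.0.0/32 is subnetted, 1 subnets\nS       172.16.1.204 [1/0] via 10.1.2.2\n" + HUB_COMMON
HUB_ROUTES_NE = HUB_COMMON + "S    192.168.100.0/24 [1/0] via 10.1.2.2\n"
HUB_ROUTES_PLUS = HUB_ROUTES_CLIENT + "S    192.168.100.0/24 [1/0] via 10.1.2.2\n"  # assumed; page truncates it
NAT_HEADER = "Pro Inside global      Inside local       Outside local      Outside global\n"
SPOKE_NAT_CLIENT = NAT_HEADER + "icmp 172.16.1.204:512  192.168.100.21:512 192.168.1.88:512   192.168.1.88:512\n"
SPOKE_NAT_EMPTY = NAT_HEADER

if __name__ == "__main__":
    for label, route_out, nat_out in (
        ("client", HUB_ROUTES_CLIENT, SPOKE_NAT_CLIENT),
        ("network-extension", HUB_ROUTES_NE, SPOKE_NAT_EMPTY),
        ("network-plus", HUB_ROUTES_PLUS, SPOKE_NAT_EMPTY),
    ):
        print(label, audit(route_out, nat_out, SPOKE_PEER, SPOKE_LAN))
```

Run as-is it prints the verdict for the three constructed tables; in a real review, paste the hub's show ip route and the spoke's show ip nat translations in place of the samples. The value that matters operationally is hub_can_reach_spoke_lan: a spoke that moves from client to either network-extension mode silently turns a PAT-hidden site into a routed one, and the only visible trace on the hub is the prefix length of the injected static route.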