搜索
远程访问VPN创建时间:2010-01-02文章属性:原创文章来源:Mohe文章提交:Mohe服务器的配置配置本地认证授权列表aaanew-model//开启AAA认证aaaauthenticationloginauthenlocal//配置认证列表aaaauthorizationnetworkauthorlocal//配置授权列表配置本地用户密码usernamemoheprivilege10password0mohe//创建用户名密码配置阶段1策略cryptoisakmppolicy10//创建一个阶段一策略hashmd5//哈西算法MD5authenticationpre-share//认证方法共享密钥group2//DH组用2配置客户端的策略cryptoisakmpclientconfigurationgroupccie//为客户设置组属性keycisco//共享密钥poolmypool//分配地址池配置阶段二策略cryptoipsectransform-setmysetesp-desesp-sha-hmac//创建变换集实际数据的加密算法配置动态加密图cryptodynamic-mapmydyn10//创建一个动态加密图settransform-setmyset//调用阶段二变换集reverse-route//开启反向路由注入配置静态加密图cryptomapmymapclientauthenticationlistauthen//为客户使用的认证列表cryptomapmymapisakmpauthorizationlistauthor//为客户使用的授权列表cryptomapmymapclientconfigurationaddressrespond//配合请求响应cryptomapmymap10ipsec-isakmpdynamicmydyn//把动态加密图绑定到静态加密图上把静态加密图绑定到端口interfaceEthernet0/1ipaddress10.0.23.2255.255.255.0cryptomapmymap//把静态加密图绑定到端口上创建地址池iplocalpoolmypool192.168.0.100192.168.0.200客户端的配置cryptoipsecclientezvpnmyvpnconnectautogroupcciekeyciscomodeclientpeer10.0.23.2interfaceLoopback0ipaddress5.5.5.5255.255.255.255ipvirtual-reassemblycryptoipsecclientezvpnmyvpninsideinterfaceEthernet0/0ipaddress192.168.1.2255.255.255.0cryptoipsecclientezvpnmyvpniproute0.0.0.00.0.0.0192.168.1.1========================================现在不管从R5Lo0为源访问谁流量都是=加密到R2的=下面我们做隧道分离和从总部绕出去的=两种方法来访问R6=======================================绕总部上网route-mapvpnpermit10matchipaddress120setinterfaceLoopback10interfaceLoopback10ipaddress2.2.2.2255.255.255.255ipnatinsideinterfaceEthernet0/1ipaddress10.0.23.2255.255.255.0ipnatoutsideippolicyroute-mapvpnaccess-list120permitip192.168.0.00.0.0.255any利用路由图把源为192.168.0.00.0.0.255的数据送往Lo10,然后把此回环口设置为NAT的INSIDE口,只要此口添加IP地址后。R5的Lo0地址就可以与10.0.36.6通讯。并且是绕的总部隧道分离配置客户端的策略cryptoisakmpclientconfigurationgroupccie//为客户设置组属性keycisco//共享密钥poolmypool//分配地址池ACL119//添加一个ACLaccess-list119permitip192.168.0.00.0.0.255any本文未完