最详尽的cisco-VPN完全配置手册

xiaofeng110ln
2 ℃
2020-03-10

整理文档很辛苦，赏杯茶钱您下走！

还剩 ... 页未读，继续阅读 >>

免费阅读已结束，点击下载阅读编辑剩下 ... 页

阅读已结束，您可以下载文档离线阅读编辑

资源描述

最详尽的ciscoVPN完全配置手册（1）VPN配置手册－－－VpnAccessServerVPN配置之一：vpnaccessserver网络拓扑：PC---------Router---------RouterpcR2R1PC配置:IPAddress：10.1.1.1/24DefaultGateway：10.1.1.254R1接口ip：（VPNAccessServer）FastEthernet0/0：20.1.1.254/24Serial1/0：172.16.1.1/24R2接口ip：（PrivateNetwork）Serial1/0：：172.16.1.2/24FastEthernet0/0：10.1.1.254/242610的IOS为c2600-jk8o3s-mz.122-8.T5.binR1步骤：1.配置isakmppolicy：cryptoisakmppolicy1hashmd5authenticationpre-sharegroup22.配置vpnclient地址池cryptoisakmpclientconfigurationaddress-poollocalpool192iplocalpoolpool192192.168.1.1192.168.1.2543.配置vpnclient有关参数cryptoisakmpclientconfigurationgroupvclient-group（vclient-group就是在vpnclient的连接配置中需要输入的groupauthenticationname。）keyvclient-key（vclient-key就是在vpnclient的连接配置中需要输入的groupauthenticationpassword。）poolpool192（client的ip地址从这里选取）（以上两个参数必须配置，其他参数还包括domain、dns、wins等，根据情况进行配置。）4.配置ipsectransform-setcryptoipsectransform-setvclient-tfsesp-desesp-md5-hmac5.配置map模板crydynamic-maptemplate-map1settransform-setvclient-tfs（和第四步对应）6.配置vpnmapcrymapvpnmap1ipsec-isakmpdynamictemplate-map（使用第五步配置的map模板）cryptomapvpnmapisakmpauthorizationlistvclient-group（使用第三步配置的参数authorization）cryptomapvpnmapclientconfigurationaddressrespond（响应client分配地址的请求）说明几点：（1）vpnclient使用的ippool地址不能与Router内部网络ip地址重叠。（2）172.16.1.0网段模拟公网地址，10.1.1.0、20.1.1.0网段用于内部地址，192.168.1.0网段用于vpn通道。R1的配置：r1#r1#shrunBuildingconfiguration...Currentconfiguration:1521bytes!version12.2servicetimestampsdebuguptimeservicetimestampsloguptimenoservicepassword-encryption!hostnamer1!EnablePasswordcisco!ipsubnet-zero!ipauditnotifylogipauditpomax-events100!cryptoisakmppolicy1hashmd5authenticationpre-sharegroup2cryptoisakmpclientconfigurationaddress-poollocalpool192!cryptoisakmpclientconfigurationgroupvclient-groupkeyvclient-key-ciscopoolvclient-pool!cryptoipsectransform-setvclient-tfsesp-desesp-md5-hmac!cryptodynamic-maptemplate-map1settransform-setvclient-tfs!cryptomapvpnmapisakmpauthorizationlistvclient-groupcryptomapvpnmapclientconfigurationaddressrespondcryptomapvpnmap1ipsec-isakmpdynamictemplate-map!faxinterface-typefax-mailmtareceivemaximum-recipients0!interfaceFastEthernet0/0ipaddress20.1.1.254255.255.255.0!interfaceSerial1/0ipaddress172.16.1.1255.255.255.0cryptomapvpnmapnofair-queue!iplocalpoolvclient-pool192.168.1.1192.168.1.254ipclasslessiproute0.0.0.00.0.0.0Serial1/0noiphttpserverippimbidir-enable!callrsvp-sync!mgcpprofiledefault!dial-peercorcustom!linecon0loginpassciscolineaux0linevty04loginpasscisco!endr1#R2的配置：r2#r2#shrunBuildingconfiguration...Currentconfiguration:714bytes!version12.2servicetimestampsdebuguptimeservicetimestampsloguptimenoservicepassword-encryption!hostnamer2!EnablePasswordcisco!ipsubnet-zero!callrsvp-sync!interfaceFastEthernet0/0ipaddress10.1.1.254255.255.255.0!interfaceSerial1/0ipaddress172.16.1.2255.255.255.0clockrate64000!ipclasslessiproute0.0.0.00.0.0.0Serial1/0iphttpserver!dial-peercorcustom!linecon0loginpassciscolineaux0linevty04loginpasscisco!endr2#VPNClient4.01的配置：建一个connectionentry，参数配置:name:任意起一个host:填入vpnaccessserver的s0/0地址172.16.1.1groupauahentication：name：vclient-grouppassword：vclient-key-cisco测试：（1）在pc上运行VPNclient，连接vpnaccessserver。（2）ipconfig/all，查看获取到的ip地址与其他参数。（3）在router，showcryisasa,看连接是否成功。（4）从router，pingclient已经获取到的ip地址，通过。（5）从client，pingr2的e0/0配置的地址172.16.2.1，通过。（6）查看vpnclient软件的status--statistics,可以看到加密与解密的数据量。（7）R1上showcryipsa,也可以查看加密与解密的数据量。常用调试命令：showcryptoisakmpsashowcryptoipsecsaclearcryptosaclearcryptoisakmpdebugcryptoisakmpdebugcryptoipsecsitetositevpn的配置（采用pre-share）实验网络拓扑：Router------------------RouterR1R2R1接口ip:s1/0：192.168.1.1/24f0/0：172.16.1.2/24R2接口ip：s1/0：192.168.1.2/24f0/0：172.16.2.1/242610的IOS为c2600-jk9s-mz.122-17.bin步骤：以R1为例进行配置1.配置路由2.定义加密数据的aclaccess101permitip172.16.1.00.0.0.255172.16.2.00.0.0.2553.定义isakmppolicycryptoisakmppolicy1authenticationpre-share（采用pre-sharekey进行验证）（authentication参数必须配置，其他参数如group、hash、encr、lifetime等，如果进行配置，需要注意两个路由器上的对应参数配置必须相同。）4.定义pre-sharekeycryptoisakmpkeypre-share-keyaddress192.168.1.2（其中pre-share-key为key，两个路由器上要一样，其中192.168.1.2为peer路由器的ip地址。）5.定义transform-setcryptoipsectransform-setvpn-tfsesp-3desesp-sha-hmac（其中vpn-tfs为transform-setname，后面两项为加密传输的算法）（modetransport/tunneltunnel为默认值，此配置可选）6.定义cryptomapentrycrymapvpn-map10ipsec-isakmp（其中vpn-map为mapname，10是entry号码，ipsec-isakmp表示采用isakmp进行密钥管理）matchaddress101（定义进行加密传输的数据，与第二步对应）setpeer192.168.1.2（定义peer路由器的ip）settransform-setvpn-tfs（与第五步对应）（如果一个接口上要对应多个vpnpeer，可以定义多个entry，每个entry对应一个peer）7.将cryptomap应用到接口上interf0(vpn通道入口)crymapvpn-map8.同样方法配置r2路由器。R1的完整配置：r1#shrunBuildingconfiguration...Currentconfiguration:1064bytes!version12.2servicetimestampsdebuguptimeservicetimestampsloguptimenoservicepassword-encryption!hostnamer1!ipsubnet-zero!noipdomain-lookup!cryptoisakmppolicy1authenticationpre-sharecryptoisakmpkeypre-share-keyaddress192.168.1.2!cryptoipsectransform-setvpn-tfsesp-3desesp-sha-hmac!cryptomapvpn-map10ipsec-isakmpsetpeer192.168.1.2settransform-setvpn-tfsmatchaddress101!callrsvp-sync!interfaceEthernet0/0ipaddress172.16.1.1255.255.255.0nokeepalivehalf-duplex!interfaceSerial1/0ip