综合项目 IPSec VPN配置综合实训

１湖南工业职业技术学院信息工程系项目名称：IPSecVPN配置综合实训专业班级：计网S09-1授课教师：杨丽莎姓名学号：李慎铭03李洋13２综合项目IPSecVPN配置综合实训一、实训描述某公司有两个分部，现要在公司和分部之间、分部和远程客户端之间搭建IPSecVPN，实现内网的互访。二、实训拓扑图三、实训要求1.公司ZBvpn、分部FBvpn、分部FBezvpn和远程客户端webvpnclient之间通过路由器ISP相连，配置路由器实现Internet功能，实现网络互通。2.公司和分部FBvpn实现IPSecVPN。3.公司和分部FBezvpn之间使用硬件客户端配置实现EZVPN。4.分部FBvpn和远程客户端webvpnclient之间实现无客户端SSLVPN分部FBvpn和远程客户端webvpnclient。5.提交项目报告，内容包括：项目描述３项目实现过程根据项目要求，可以得出如下配置过程：ZBVPN的IPSecVPN配置：步骤一网络连通性配置步骤二感兴趣流量配置步骤三ISAKMP策略配置，配置使用预共享密钥进行认证步骤四建立密钥环步骤五建立ISAKMP/IKE的配置文件步骤六配置转换集步骤七配置动态密码图1.建立动态密码图2.使用动态密码图步骤八应用到节点EZVPN配置：步骤一网络连通性配置步骤二IKE第一阶段策略（IKE第一阶段策略，注意DH组必须配置成为2）步骤三第1.5阶段配置1.定义XAUTH认证策略，策略名为xauth-authen，使用“local”本地用户数据库进行认证2.定义MODE-CFG的授权策略，名字为mcfg-author使用本地配置策略进行授权3.XAUTH认证用用户名和密码4.定义推送给客户端的地址池，名字为vpnclient步骤四第2阶段转换集与动态map配置步骤五第2阶段cryptomap配置步骤六应用到节点步骤七配置VPN硬件客户模式步骤八手动触发EzVPN连接分部FBvpn和远程客户端webvpnclient之间的SSLVPN配置：步骤一网络连通性配置步骤二配置AAA认证步骤三建立SSLVPN网关步骤四建立SSLVPN环境步骤五配置SSLVPN界面步骤六配置SSLVPN群组策略步骤七HTTPROUTER路由器WEB服务的配置４步骤八配置VPN远程访问客户端C0项目配置命令总部IPsecVPN配置：ZBvpn#showrunBuildingconfiguration...Currentconfiguration:1668bytesversion12.4servicetimestampsdebugdatetimemsecservicetimestampslogdatetimemsecnoservicepassword-encryptionhostnameZBvpnboot-start-markerboot-end-markernoaaanew-modelipcefnoipdomainlookupmultilinkbundle-nameauthenticatedcryptokeyringhngypre-shared-keyaddress0.0.0.00.0.0.0keyhngycryptoisakmppolicy10encr3deshashmd5authenticationpre-sharegroup2cryptoisakmpprofilehngykeyringhngymatchidentityaddress0.0.0.0initiatemodeaggressivecryptoipsectransform-sethngyesp-3desesp-md5-hmac５cryptodynamic-maphngy10settransform-sethngysetisakmp-profilehngymatchaddress100cryptomaphngy1000ipsec-isakmpdynamichngyinterfaceLoopback0ipaddress1.1.1.1255.255.255.0interfaceEthernet0/0noipaddressshutdownduplexautointerfaceGigabitEthernet0/0noipaddressshutdownduplexfullspeed1000media-typegbicnegotiationautointerfaceSerial1/0noipaddressshutdownserialrestart-delay0interfaceSerial1/1ipaddress202.1.1.2255.255.255.0serialrestart-delay0cryptomaphngyinterfaceSerial1/2noipaddressshutdownserialrestart-delay0６interfaceSerial1/3noipaddressshutdownserialrestart-delay0iproute0.0.0.00.0.0.0202.1.1.1noiphttpservernoiphttpsecure-serverloggingalarminformationalaccess-list100permitip1.1.1.00.0.0.2552.2.2.00.0.0.255control-planegatekeepershutdownlinecon0exec-timeout00loggingsynchronousstopbits1lineaux0stopbits1linevty04end总部EZVPN配置：ZBvpn#showrunBuildingconfiguration...Currentconfiguration:2754bytesversion12.4servicetimestampsdebugdatetimemsecservicetimestampslogdatetimemsecnoservicepassword-encryptionhostnameZBvpnboot-start-marker７boot-end-markeraaanew-modelaaaauthenticationloginxauth-authenlocalaaaauthorizationnetworkmcfg-authorlocalaaasession-idcommonipcefnoipdomainlookupmultilinkbundle-nameauthenticatedusernameciscopassword0ciscocryptokeyringhngypre-shared-keyaddress0.0.0.00.0.0.0keyhngycryptoisakmppolicy10encr3deshashmd5authenticationpre-sharegroup2cryptoisakmppolicy11hashmd5authenticationpre-sharegroup2cryptoisakmpclientconfigurationgrouphngykeyhngypoolhngycryptoisakmpclientconfigurationgroupvpnclientkeyhngypoolvpnclientaclSplitsave-passwordcryptoisakmpprofilehngykeyringhngy８matchidentityaddress0.0.0.0initiatemodeaggressivecryptoipsectransform-sethngyesp-desesp-md5-hmaccryptoipsectransform-setezvpnesp-desesp-md5-hmaccryptodynamic-mapezvpn11settransform-setezvpncryptodynamic-maphngy10settransform-sethngysetisakmp-profilehngymatchaddress100cryptomapezvpnclientauthenticationlistxauth-authencryptomapezvpnisakmpauthorizationlistmcfg-authorcryptomapezvpnclientconfigurationaddressrespondcryptomapezvpn10ipsec-isakmpdynamichngycryptomapezvpn11ipsec-isakmpdynamicezvpncryptomaphngyclientauthenticationlistxauth-authencryptomaphngyisakmpauthorizationlistmcfg-authorcryptomaphngyclientconfigurationaddressrespondcryptomaphngy1000ipsec-isakmpdynamichngyinterfaceLoopback0ipaddress1.1.1.1255.255.255.0interfaceEthernet0/0noipaddressshutdownduplexautointerfaceGigabitEthernet0/0noipaddressshutdownduplexfullspeed1000９media-typegbicnegotiationautointerfaceSerial1/0noipaddressshutdownserialrestart-delay0interfaceSerial1/1ipaddress202.1.1.2255.255.255.0serialrestart-delay0cryptomapezvpninterfaceSerial1/2noipaddressshutdownserialrestart-delay0interfaceSerial1/3noipaddressshutdownserialrestart-delay0iplocalpoolhngy123.1.1.100123.1.1.200iplocalpoolvpnclient123.1.2.100123.1.2.200iproute0.0.0.00.0.0.0202.1.1.1noiphttpservernoiphttpsecure-serveripaccess-listextendedSplitpermitip1.1.1.00.0.0.255anyloggingalarminformationalaccess-list100permitip1.1.1.00.0.0.2552.2.2.00.0.0.255control-planegatekeepershutdown１０linecon0exec-timeout00loggingsynchronousstopbits1lineaux0stopbits1linevty04End分部VPN配置：FBvpn#showrunBuildingconfiguration...Currentconfiguration:4018bytesversion12.4servicetimestampsdebugdatetimemsecservicetimestampslogdatetimemsecnoservicepassword-encryptionhostnameFBvpnboot-start-markerboot-end-markeraaanew-modelaaaauthenticationloginWebvpnlocalaaasession-idcommonipcefnoipdomainlookupmultilinkbundle-nameauthenticatedcryptopkitrustpointTP-self-sign