R1:
int f0/0
ip add 10.1.1.1 255.255.255.0
no sh
R2:
int f0/0
ip add 10.1.1.2 255.255.255.0
int f0/1
ip add 202.100.1.2 255.255.255.0
R3:
ip add 202.100.1.3 255.255.255.0
ip add 202.100.2.3 255.255.255.0
R4:
ip add 202.100.2.4 255.255.255.0
ip add 20.1.1.4 255.255.255.0
R5:
ip add 20.1.1.5 255.255.255.0
PC:
ip address 202.100.1.100/24
3. Routing configuration:
R1(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.2
R2(config)#ip route 0.0.0.0 0.0.0.0 202.100.1.3
R4(config)#ip route 0.0.0.0 0.0.0.0 202.100.2.3
R5(config)#ip route 0.0.0.0 0.0.0.0 20.1.1.4
4. EzVPN server configuration
① Phase 1:
crypto isakmp policy 10
authentication pre-share
en des
group 2
hash md5
crypto isakmp client configuration group ipsecgroup
key cisco
② Phase 1.5 XAUTH configuration
aaa new-model
aaa authentication login noacs line none
line console 0
login authentication noacs
line aux 0
login authentication noacs
username xll password xll
aaa authentication login xauth-authen local
③ Phase 1.5 MODE-CFG configuration
ip local pool ippool 123.1.1.100 123.1.1.200
aaa authorization network mcfg-author local
crypto isakmp client configuration group ipsecgroup
pool ippool
④ Phase 2 transform set and dynamic map configuration
crypto ipsec transform-set ezvpnset esp-des esp-md5-hmac
crypto dynamic-map dymap 10
set transform-set ezvpnset
⑤ Phase 2 crypto map configuration
crypto map cry-map client authentication list xauth-authen
crypto map cry-map isakmp authorization list mcfg-author
crypto map cry-map client configuration address respond
crypto map cry-map 10 ipsec-isakmp dynamic dymap
interface fastEthernet 0/0
crypto map cry-map
5. EzVPN hardware client configuration
① Basic EzVPN configuration
crypto ipsec client ezvpn Ez-Client
connect manual
group ipsecgroup key cisco
mode client
peer 202.100.2.4
interface FastEthernet 0/0
crypto ipsec client ezvpn Ez-Client inside
interface FastEthernet 0/1
crypto ipsec client ezvpn Ez-Client outside
② Manually triggering the EzVPN connection
R2#crypto ipsec client ezvpn connect
R2#
*Mar 1 00:19:58.175: EZVPN(Ez-Client): Pending XAuth Request, Please enter the following command:
*Mar 1 00:19:58.175: EZVPN: crypto ipsec client ezvpn xauth
R2#crypto ipsec client ezvpn xauth
Username: xll
Password:
*Mar 1 00:20:11.035: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User= Group=ipsecgroup Client_public_addr=202.100.1.2 Server_public_addr=202.100.2.4 Assigned_client_addr=123.1.1.101
*Mar 1 00:20:12.543: %LINK-3-UPDOWN: Interface Loopback10000, changed state to up
*Mar 1 00:20:13.543: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback10000, changed state to up
R2#show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.1.2        YES NVRAM  up                    up
FastEthernet0/1            202.100.1.2     YES NVRAM  up                    up
NVI0                       unassigned      NO  unset  up                    up
Loopback10000              123.1.1.101     YES manual up                    up
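An added example (not from the original post): a short Python check that flags the legacy settings this lab uses (DES, MD5, DH group 2, a short group key, a password equal to the username) when reviewing an IOS config before it goes into production. The sample config is constructed from the commands above, indented as in a running-config; MIN_KEY_LEN and the function names are assumptions.

```python
import re

# Settings flagged as weak; values other than those in the lab are well-known legacy options.
WEAK_IKE = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
WEAK_TRANSFORMS = {"esp-des", "esp-md5-hmac", "ah-md5-hmac"}
MIN_KEY_LEN = 16  # assumed local policy threshold, not from the page

# Constructed sample: the EzVPN server commands from this lab in running-config form.
SAMPLE = """\
crypto isakmp policy 10
 authentication pre-share
 en des
 group 2
 hash md5
crypto isakmp client configuration group ipsecgroup
 key cisco
 pool ippool
username xll password xll
crypto ipsec transform-set ezvpnset esp-des esp-md5-hmac
"""

def abbrev(token, full):
    """IOS accepts command prefixes such as 'en' for 'encryption'."""
    return len(token) >= 2 and full.startswith(token)

def audit(config):
    """Return (line_number, finding) pairs for weak EzVPN settings."""
    findings, parent = [], ""
    for no, raw in enumerate(config.splitlines(), 1):
        words = raw.split()
        if not words:
            continue
        sub = raw[0].isspace()          # indented line = subcommand of parent
        if not sub:
            parent = " ".join(words)    # top-level command opens a new block
        if sub and parent.startswith("crypto isakmp policy") and len(words) == 2:
            kw, val = words
            for full, bad in WEAK_IKE.items():
                if abbrev(kw, full) and val in bad:
                    findings.append((no, f"IKE policy {full} {val}"))
        elif sub and parent.startswith("crypto isakmp client configuration group") and words[0] == "key" and len(words[-1]) < MIN_KEY_LEN:
            findings.append((no, "EzVPN group key shorter than MIN_KEY_LEN"))
        elif not sub and parent.startswith("crypto ipsec transform-set"):
            findings += [(no, "IPsec transform " + t) for t in words[4:] if t in WEAK_TRANSFORMS]
        elif (m := re.match(r"username (\S+) password (?:\d )?(\S+)", raw)) and m.group(1) == m.group(2):
            findings.append((no, "XAUTH user password equals username"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```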
This article is reposted from the 51CTO blog of 碧雲天; original link: http://blog.51cto.com/333234/847164. To repost it, please contact the original author.