2023年7月4日发(作者:)
最详尽的cisco VPN完全配置手册(1)
VPN配置手册---Vpn Access Server
VPN 配置之一:vpn access server
网络拓扑:
PC---------Router---------Router
PC配置:
IP Address:10.1.1.1/24
Default Gateway:10.1.1.254
R1接口ip: (VPN Access Server)
FastEthernet 0/0:20.1.1.254/24
Serial 1/0:172.16.1.1/24
R2接口ip: (Private Network)
Serial 1/0::172.16.1.2/24
FastEthernet 0/0:10.1.1.254/24
2610的IOS为
R1步骤:
1.配置isakmp policy:
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
2.配置vpn client地址池 crypto isakmp client configuration address-pool local pool192
ip local pool pool192 192.168.1.1 192.168.1.254
3.配置vpn client有关参数
crypto isakmp client configuration group vclient-group
(vclient-group就是在vpn client的连接配置中需要输入的group authentication name。)
key vclient-key
(vclient-key就是在vpn client的连接配置中需要输入的group authentication password。)
pool pool192 (client的ip地址从这里选取 )
(以上两个参数必须配置,其他参数还包括domain、dns、wins等,根据情况进行配置。)
4.配置ipsec transform-set
crypto ipsec transform-set vclient-tfs esp-des esp-md5-hmac
5.配置map模板
cry dynamic-map template-map 1
set transform-set vclient-tfs (和第四步对应)
6.配置vpnmap
cry map vpnmap 1 ipsec-isakmp dynamic template-map
(使用第五步配置的map模板 )
crypto map vpnmap isakmp authorization list vclient-group
(使用第三步配置的参数authorization)
crypto map vpnmap client configuration address respond
(响应client分配地址的请求)
说明几点:
(1)vpn client使用的ip pool地址不能与Router内部网络ip地址重叠。 (2)172.16.1.0 网段模拟公网地址,10.1.1.0、20.1.1.0 网段用于内部地址,192.168.1.0 网段用于vpn通道。
R1的配置:
r1#
r1#sh run
Current configuration : 1521 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r1
!
Enable Password cisco
!
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
crypto isakmp client configuration address-pool local pool192
!
crypto isakmp client configuration group vclient-group key vclient-key-cisco
pool vclient-pool
!
crypto ipsec transform-set vclient-tfs esp-des esp-md5-hmac
!
crypto dynamic-map template-map 1
set transform-set vclient-tfs
!
crypto map vpnmap isakmp authorization list vclient-group
crypto map vpnmap client configuration address respond
crypto map vpnmap 1 ipsec-isakmp dynamic template-map
!
fax interface-type fax-mail
mta receive maximum-recipients 0
!
interface FastEthernet0/0
ip address 20.1.1.254 255.255.255.0
!
interface Serial1/0
ip address 172.16.1.1 255.255.255.0
crypto map vpnmap
no fair-queue
!
ip local pool vclient-pool 192.168.1.1 192.168.1.254
ip classless
ip route 0.0.0.0 0.0.0.0 Serial1/0
no ip http server
ip pim bidir-enable
!
call rsvp-sync
!
mgcp profile default !
dial-peer cor custom
!
line con 0
login
pass cisco
line aux 0
line vty 0 4
login
pass cisco
!
end
r1#
R2的配置:
r2#
r2#sh run
Current configuration : 714 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r2
!
Enable Password cisco
!
ip subnet-zero !
call rsvp-sync
!
interface FastEthernet0/0
ip address 10.1.1.254 255.255.255.0
!
interface Serial1/0
ip address 172.16.1.2 255.255.255.0
clockrate 64000
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial1/0
ip http server
!
dial-peer cor custom
!
line con 0
login
pass cisco
line aux 0
line vty 0 4
login
pass cisco
!
end
r2#
VPN Client 4.01的配置:
建一个connection entry,参数配置:
name:任意起一个
host:填入vpn access server的s0/0地址 172.16.1.1
group auahentication: name:vclient-group
password:vclient-key-cisco
测试:
(1) 在pc上运行VPN client,连接vpn access server。
(2) ipconfig/all,查看获取到的ip地址与其他参数。
(3) 在router,show cry isa sa,看连接是否成功。
(4) 从router,ping client已经获取到的ip地址,通过。
(5) 从client,ping r2的e0/0配置的地址172.16.2.1,通过。
(6) 查看vpn client软件的status--statistics,可以看到加密与解密的数据量。
(7) R1上show cry ip sa, 也可以查看加密与解密的数据量。
常用调试命令:
show crypto isakmp sa
show crypto ipsec sa
clear crypto sa
clear crypto isakmp
debug crypto isakmp
debug crypto ipsec
site to site vpn的配置(采用pre-share)
实验网络拓扑:
Router------------------Router
R1接口ip:
s1/0:192.168.1.1/24 f0/0:172.16.1.2/24
R2接口ip:
s1/0:192.168.1.2/24 f0/0:172.16.2.1/24
2610的IOS为 步骤:
以R1为例进行配置
1.配置路由
2.定义加密数据的acl
access 101 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
3.定义isakmp policy
crypto isakmp policy 1
authentication pre-share (采用pre-share key进行验证)
(authentication参数必须配置,其他参数如group、hash、encr、lifetime等, 如果进行配置,需要注意两个路由器上的对应参数配置必须相同。)
4.定义pre-share key
crypto isakmp key pre-share-key address 192.168.1.2
(其中pre-share-key 为key,两个路由器上要一样,其中192.168.1.2为peer路由器的ip地址。 )
5.定义transform-set
crypto ipsec transform-set vpn-tfs esp-3des esp-sha-hmac
(其中vpn-tfs为transform-set name,后面两项为加密传输的算法)
(mode transport/tunnel tunnel为默认值,此配置可选)
6.定义crypto map entry
cry map vpn-map 10 ipsec-isakmp
(其中vpn-map为map name,10 是entry 号码,ipsec-isakmp表示采用isakmp进行密钥管理)
match address 101 (定义进行加密传输的数据,与第二步对应)
set peer 192.168.1.2 (定义peer路由器的ip)
set transform-set vpn-tfs (与第五步对应)
(如果一个接口上要对应多个vpn peer,可以定义多个entry,每个entry对应一个peer)
7.将crypto map应用到接口上
inter f0 (vpn通道入口)
cry map vpn-map
8.同样方法配置r2路由器。
R1的完整配置:
r1#sh run
Current configuration : 1064 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r1
!
ip subnet-zero
!
no ip domain-lookup
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key pre-share-key address 192.168.1.2
!
crypto ipsec transform-set vpn-tfs esp-3des esp-sha-hmac
!
crypto map vpn-map 10 ipsec-isakmp
set peer 192.168.1.2
set transform-set vpn-tfs
match address 101
!
call rsvp-sync
!
interface Ethernet0/0
ip address 172.16.1.1 255.255.255.0 no keepalive
half-duplex
!
interface Serial1/0
ip address 192.168.1.1 255.255.255.0
!
router ospf 100
log-adjacency-changes
network 172.16.1.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0
!
ip classless
no ip http server
!
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
!
dial-peer cor custom
!
line con 0
line aux 0
line vty 0 4
login
!
end
r1#
R2的完整配置:
r2#sh run
Current configuration : 1103 bytes
! version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r2
!
username r1 password 0 cisco
ip subnet-zero
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key pre-share-key address 192.168.1.1
!
crypto ipsec transform-set vpn-tfs esp-3des esp-sha-hmac
!
crypto map vpn-map 10 ipsec-isakmp
set peer 192.168.1.1
set transform-set vpn-tfs
match address 101
!
call rsvp-sync
!
!
interface Ethernet0/0
ip address 172.16.2.1 255.255.255.0
no keepalive
half-duplex
!
interface Serial1/0
ip address 192.168.1.2 255.255.255.0
clockrate 64000 crypto map vpn-map
!
router ospf 100
log-adjacency-changes
network 172.16.2.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0
!
ip classless
no ip http server
!
access-list 101 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
!
dial-peer cor custom
!
line con 0
line aux 0
line vty 0 4
!
End
r2#
测试:
(1)未将map应用到接口之前,在r1,扩展ping,source 192.168.1.1 destination 172.16.2.1,通过。扩展ping,source 172.16.1.1 destination 172.16.2.1,通过。
(2)map应用到接口之后,在r1,扩展ping,source 192.168.1.1 destination 172.16.2.1,通过。
查看show crypto ipsec sa ,可以看到数据没有通过vpn 通道进行传输,因为不符合acl 101。
(3)map应用到接口之后,在r1,扩展ping,source 172.16.1.1 destination 172.16.2.1,通过。查看show cry ip sa,可以看到数据通过vpn 通道进行传输。 (4)在r2上同样进行测试。
site to site vpn(采用rsa-encrypted)
实验网络拓扑:
Router---------------------Router
R1接口ip:
s1/0:192.168.1.1/24 f0/0:172.16.1.2/24
R2接口ip:
s1/0:192.168.1.2/24 f0/0:172.16.2.1/24
2610的IOS为
步骤:
以R2为例进行配置
1.配置路由
2.定义加密数据的acl
access 101 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
3.生成rsa key
cry key generate rsa general-keys (生成General Purpose rsa Key )
或者 cry key generate rsa usage-keys (分别生成rsa signing key和rsa encryption key)
这里 统一用general purpose key
4.复制peer router的public key到本地router中
(1)在R1上生成general purpose key
(2)在R1上show cry key mypubkey rsa,(复制其中的General Purpose Key ) (3)在R2上,crypto key pubkey-chain rsa (设置public key)
addressed-key 10.130.23.244 (设置关联10.130.23.244ip地址的key )
key-string (定义key串 )
粘贴从R2上复制的(General Purpose Key )
(如果第三步生成了两种key,则这里复制粘贴的,应该是Encryption Key(三个key中的第二个)(双方都要互相配置)
5.定义isakmp policy
crypto isakmp policy 1
authentication rsa-encr (采用rsa Encryption key进行验证 )
(authentication参数必须配置,其他参数如group、hash、encr、lifetime等,如果进行配置,需要注意两个路由器上的对应参数配置必须相同。)
6.定义transform-set
crypto ipsec transform-set vpn-tfs esp-3des esp-sha-hmac
(其中vpn-tfs为transform-set name,后面两项为加密传输的算法 )
mode transport/tunnel (tunnel为默认值,此配置可选 )
7.定义crypto map entry
crypto map vpn-map 10 ipsec-isakmp
(其中vpn-map为map name,10 是entry 号码,ipsec-isakmp表示采用isakmp进行密钥管理 )
match address 101 (定义进行加密传输的数据,与第二步对应 )
set peer 192.168.1.1 (定义peer路由器的ip )
set transform-set vpn-tfs (与第五步对应)
(如果一个接口上要对应多个vpn peer,可以定义多个entry,每个entry对应一个peer;同样,pubkey 也要对应进行设置。
8.将crypto map应用到接口上
inter S1/0 (vpn通道入口 )
crypto map vpn-map
9.同样方法配置R2路由器。
R1完整配置:
r1# r1#sh run
Current configuration : 1379 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r1
!
ip subnet-zero
!
no ip domain-lookup
ip domain-name
!
crypto isakmp policy 1
authentication rsa-encr
!
crypto ipsec transform-set vpn-tfs esp-3des esp-sha-hmac
!
crypto key pubkey-chain rsa
addressed-key 192.168.1.2
address 192.168.1.2
key-string
305C300D 06092A86 4886F70D 00034B00 00B65771 BF
62602E8B FE20EB01 B DD2CF9C4 C3E69766 9E26BDEE C E005D012
27A7C6E9 5F9DFA10 DEBC26C8 6987C8FC 4EAC19A8 0F8DFF3A 9D 0001
quit
! crypto map vpn-map 10 ipsec-isakmp
set peer 192.168.1.2
set transform-set vpn-tfs
match address 101
!
call rsvp-sync
!
interface Ethernet0/0
ip address 172.16.1.1 255.255.255.0
no keepalive
half-duplex
!
interface Serial1/0
ip address 192.168.1.1 255.255.255.0
crypto map vpn-map
!
router ospf 100
log-adjacency-changes
network 172.16.1.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0
!
ip classless
no ip http server
!
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
!
dial-peer cor custom
!
line con 0
line aux 0
line vty 0 4
login !
end
r1#
R2完整配置:
r2#
r2#sh run
Current configuration : 1398 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r2
!
username r1 password 0 cisco
ip subnet-zero
!
ip domain-name
!
crypto isakmp policy 1
authentication rsa-encr
!
crypto ipsec transform-set vpn-tfs esp-3des esp-sha-hmac
!
crypto key pubkey-chain rsa
addressed-key 192.168.1.1 address 192.168.1.1
key-string
305C300D 06092A86 4886F70D 00034B00 00F9918D F
58E9FB6D 64334D42 ED 6B312FE9 B6239B17 84D48AFE 16D13AD4 E0EE9BC7
9FDF69F8 96569F71 A67D7A84 B8AF8A9A 9C240DA9 8058DAE6 0001
quit
!
crypto map vpn-map 10 ipsec-isakmp
set peer 192.168.1.1
set transform-set vpn-tfs
match address 101
!
call rsvp-sync
!
interface Ethernet0/0
ip address 172.16.2.1 255.255.255.0
no keepalive
half-duplex
!
interface Serial1/0
ip address 192.168.1.2 255.255.255.0
clockrate 64000
crypto map vpn-map
!
router ospf 100
log-adjacency-changes
network 172.16.2.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0
!
ip classless
no ip http server !
access-list 101 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
!
dial-peer cor custom
!
line con 0
line aux 0
line vty 0 4
!
end
r2#
测试:
(1)未将map应用到接口之前,在r1,扩展ping,source 192.168.1.1 destination 172.16.2.1,通过。扩展ping,source 172.16.1.1 destination 172.16.2.1,通过。
(2)map应用到接口之后,在r1,扩展ping,source 192.168.1.1 destination 172.16.2.1,通过。
查看show crypto ipsec sa ,可以看到数据没有通过vpn 通道进行传输,因为不符合acl 101。
(3)map应用到接口之后,在r1,扩展ping,source 172.16.1.1 destination 172.16.2.1,通过。查看show cry ip sa,可以看到数据通过vpn 通道进行传输。
(4)在r2上同样进行测试。
vpn client(network-extension mode)
实验网络拓扑:
PC----Switch-----Router
|
| Router
VPN Client R3 接口IP:
f0/0: 10.1.1.2/24
f0/1: 10.2.2.1/24
VPN Access Server R1 接口IP:
e0/0:10.1.1.100/24
s1/0:172.16.1.1/24
Private Network R2 接口IP:
s1/0: 172.16.1.2/24
f0/0: 172.16.2.1/24
PC配置:
IP: 10.1.1.1/28
GW: 10.1.1.100
R1、R2的IOS为
R3 的IOS为
步骤:
配置R1路由器设置为vpn server。
1.配置isakmp policy:
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
2.配置vpn client地址池
crypto isakmp client configuration address-pool local pool192
ip local pool pool192 192.168.1.1 192.168.1.254
3.配置vpn client有关参数
crypto isakmp client configuration group vclient-group
(vclient-group就是在vpn client的连接配置中需要输入的group authentication name。)
key vclient-key
(vclient-key就是在vpn client的连接配置中需要输入的group authentication password。)
pool pool192 (client的ip地址从这里选取 )
(以上两个参数必须配置,其他参数还包括domain、dns、wins等,根据情况进行配置。)
4.配置ipsec transform-set
crypto ipsec transform-set vclient-tfs esp-des esp-md5-hmac
5.配置map模板
cry dynamic-map template-map 1
set transform-set vclient-tfs (和第四步对应)
6.配置vpnmap
cry map vpnmap 1 ipsec-isakmp dynamic template-map
(使用第五步配置的map模板 )
crypto map vpnmap isakmp authorization list vclient-group
(使用第三步配置的参数authorization)
crypto map vpnmap client configuration address respond
(响应client分配地址的请求)
7.配置静态路由
ip route 192.168.1.0 255.255.255.0 fastethernet0
配置R3路由器,设置vpn client参数
ipsec client ezvpn vclient (定义crypto-ezvpn name)
mode network-extension
(设置为网络扩展模式)
group vclient-group key vclient-key
(设置登录vpn server的组名与组口令)
peer 10.1.1.100
(设置vpn server的ip地址,如果启用dns,则可以用hostname)
connect auto
(设置为自动连接。如果设为手动,则必须使用cry ip client
ezvpn connect vclient (命令来启动vpn通道。)
local-address f0/0
(设置vpn通道本地地址,选用f0/0,可以保证vpn server找到它)
2.定义加密数据入口,这里为f0/1
inter f0/1
cry ip client ezvpn vclient inside
3.定义加密数据出口,这里为连接vpn server的f0/0
inter f0/0
cry ip client ezvpn vclient outside
4.设置ip dhcp服务
(cisco推荐使用dhcp来进行本地网络ip的分配。此步骤可选。)
service dhcp (启动dhcp 服务)
ip dhcp pool dhcppool (定义dhcp pool name)
network 10.2.2.1/24 (定义可分配的IP地址段)
default-router 10.2.2.1 (定义dhcp client的默认网关)
lease 1 0 0 (设置ip保留时间)
import all (如果配置了上级dhcp server,则接受其所有参数)
ip dhcp excluded-address 10.2.2.1 (将router上的地址排除)
R1的配置:
r1#
r1#sh run
Current configuration : 1521 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r1
!
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
crypto isakmp client configuration address-pool local pool192
!
crypto isakmp client configuration group vclient-group
key vclient-key
pool pool192
!
crypto ipsec transform-set vclient-tfs esp-des esp-md5-hmac
!
crypto dynamic-map template-map 1
set transform-set vclient-tfs
!
crypto map vpnmap isakmp authorization list vclient-group crypto map vpnmap client configuration address respond
crypto map vpnmap 1 ipsec-isakmp dynamic template-map
!
fax interface-type fax-mail
mta receive maximum-recipients 0
!
interface Ethernet0/0
ip address 10.1.1.100 255.255.255.0
half-duplex
crypto map vpnmap
!
interface Serial1/0
ip address 172.16.1.1 255.255.255.0
no fair-queue
!
router ospf 100
log-adjacency-changes
redistribute static
network 10.1.1.0 0.0.0.255 area 0
network 172.16.1.0 0.0.0.255 area 0
!
ip local pool pool192 192.168.1.1 192.168.1.254
ip classless
ip route 192.168.1.0 255.255.255.0 Ethernet0/0
ip http server
ip pim bidir-enable
!
call rsvp-sync
!
mgcp profile default
!
dial-peer cor custom !
line con 0
line aux 0
line vty 0 4
login
!
end
r1#
R2的配置:
r2>en
r2#sh run
Current configuration : 743 bytes
!
! Last configuration change at 09:45:04 UTC Thu Nov 4 2004
! NVRAM config last updated at 09:47:55 UTC Thu Nov 4 2004
!
version 12.3
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r2
!
boot-start-marker
boot-end-marker
!
no aaa new-model ip subnet-zero
!
ip cef
!
interface FastEthernet0
ip address 172.16.2.1 255.255.255.0
speed auto
no keepalive
!
interface Serial0
ip address 172.16.1.2 255.255.255.0
clockrate 64000
no fair-queue
!
router ospf 100
log-adjacency-changes
network 172.16.1.0 0.0.0.255 area 0
network 172.16.2.0 0.0.0.255 area 0
!
ip classless
no ip http server
!
line con 0
line aux 0
line vty 0 4
login
!
end
r2#
R3的配置: r3#sh run
Current configuration : 1391 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r3
!
logging queue-limit 100
!
ip subnet-zero
!
ip dhcp excluded-address 10.2.2.1
!
ip dhcp pool dhcppool
import all
network 10.2.2.0 255.255.255.0
default-router 10.2.2.1
!
mpls ldp logging neighbor-changes
!
crypto ipsec client ezvpn vclient
connect auto
group vclient-group key vclient-key
local-address FastEthernet0/0
mode network-extension
peer 10.1.1.100
! no voice hpi capture buffer
no voice hpi capture destination
!
mta receive maximum-recipients 0
!
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0
speed auto
half-duplex
crypto ipsec client ezvpn vclient
!
interface FastEthernet0/1
ip address 10.2.2.1 255.255.255.0
duplex auto
speed auto
no keepalive
crypto ipsec client ezvpn vclient inside
!
router ospf 100
log-adjacency-changes
network 10.1.1.0 0.0.0.255 area 0
network 10.2.2.0 0.0.0.255 area 0
!
router ospf 100
log-adjacency-changes
network 10.1.1.0 0.0.0.255 area 0
network 10.2.2.0 0.0.0.255 area 0
!
ip http server
no ip http secure-server
ip classless
! call rsvp-sync
!
mgcp profile default
!
dial-peer cor custom
!
line con 0
line aux 0
line vty 0 4
login
!
!
end
r3#
测试:
1. 配置好R3上的vpn client后,自动进行vpn连接。可以通过debug cry isa、deb cry ip client ezvpn、deb cry ip等debug命令输出的信息查看过程与结果。
2. 在R1上扩展ping,source 10.1.1.100 destination 10.2.2.1,通过。
查看show cry ip sa,可以发现数据没有进行加密。
3. 在R1上扩展ping,source 172.16.1.1 destination 10.2.2.1,通过。
查看show cry ip sa,可以发现数据通过加密进行传输。
4. 在R3上扩展ping,source 10.2.2.1 destination 172.16.1.1,通过。
查看show cry ip sa,可以发现数据通过加密进行传输。
5. 在R3上扩展ping,source 10.1.1.2 destination 172.16.1.1,?通过。
查看show cry ip sa,可以发现数据不通过加密。
6. 启动pc vpn client,ping 172.16.1.1,通过。
在1720上查看show cry ip sa,可以看到数据通过加密进行传输。
7. 在pc vpn client,ping 10.2.2.1,通过。
在R1和R3上查看show cry ip sa,可以看到数据通过加密进行传输。在R1上show cry isa sa,可以看到两个vpn连接。 8. 在R3上扩展ping,source 10.2.2.1 destination 192.168.1.10(pc vpn client获得的ip),通过。查看show cry ip sa,可以发现数据通过加密进行传输。
发布者:admin,转转请注明出处:http://www.yc00.com/news/1688418537a135501.html
评论列表(0条)