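As usual, without further ado, here is the lab topology:
The lab topology is simple: Internet simulates the public network, Server and Client each have only a default route pointing to Internet, and 1.1.1.1 and 10.10.10.0/24 are the internal networks of Server and Client respectively. An XP computer is also connected to the public network.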
Server:
hostname Server
!
aaa new-model
!
aaa authentication login vpn local
aaa authorization network vpn local
!
ip cef
!
username cisco password 0 cisco
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp keepalive 20 periodic
!
crypto isakmp client configuration group iteachs.com
key cisco
dns 8.8.8.8 8.8.4.4
pool myvpn
!
crypto isakmp profile cisco
match identity group iteachs.com
client authentication list vpn
isakmp authorization list vpn
client configuration address respond
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto dynamic-map cisco 10
set transform-set cisco
set isakmp-profile cisco
reverse-route
!
crypto map cisco 10 ipsec-isakmp dynamic cisco
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
ip address 202.100.1.1 255.255.255.0
crypto map cisco
!
ip local pool myvpn 100.100.100.100 100.100.100.200
ip classless
ip route 0.0.0.0 0.0.0.0 202.100.1.2
!
Internet:
hostname Internet
!
ip cef
!
interface FastEthernet0/0
ip address 202.100.1.2 255.255.255.0
!
interface FastEthernet0/1
ip address 192.168.80.100 255.255.255.0
!
Client:
hostname Client
!
ip cef
!
crypto ipsec client ezvpn cisco
connect manual
group iteachs.com key cisco
mode client
peer 202.100.1.1
xauth userid mode interactive
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
ip address 192.168.80.201 255.255.255.0
crypto ipsec client ezvpn cisco
!
interface FastEthernet0/1
ip address 10.1.1.1 255.255.255.0
crypto ipsec client ezvpn cisco inside
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.80.100
!
R4:
hostname R4
!
ip cef
!
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0
speed auto
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1
XP:
Host:202.100.1.1
Name:iteachs.com
Password:cisco
Confirm Password:cisco
VPN debugging:
Client dial-up test
Client#crypto ipsec client ezvpn connect
Client#
Dec 1 15:08:10.287: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User= Group=iteachs.com Client_public_addr=192.168.80.201 Server_public_addr=202.100.1.1 Assigned_client_addr=100.100.100.108
Client#
Dec 1 15:08:11.943: %LINK-3-UPDOWN: Interface Loopback1, changed state to up
Dec 1 15:08:12.943: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
Viewing the VPN information on the Client
Client#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 4
Tunnel name : cisco
Inside interface list: FastEthernet0/1
Outside interface: FastEthernet0/0
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 100.100.100.108
Mask: 255.255.255.255
DNS Primary: 8.8.8.8
DNS Secondary: 8.8.4.4
Save Password: Disallowed
Current EzVPN Peer: 202.100.1.1
NAT translations before any traffic
Client#show ip nat translations
Ping test from R4
R4#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/72/112 ms
Viewing NAT on the Client
Client#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 100.100.100.108:24 10.1.1.2:24 1.1.1.1:24 1.1.1.1:24
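The manual checks above can be scripted. The following Python sketch is an added example, not part of the original post: it parses the EZVPN_CONNECTION_UP message, the `show crypto ipsec client ezvpn` fields and the NAT row, then compares them with the group, peer, DNS servers and address pool from the configurations on this page. The names `parse_syslog`, `parse_show`, `verify` and `EXPECTED` are hypothetical, and the sample input is constructed from the outputs shown here.

```python
import ipaddress
import re

# Constructed sample input: lines copied from the outputs shown on this page.
SYSLOG = ("Dec 1 15:08:10.287: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User= "
          "Group=iteachs.com Client_public_addr=192.168.80.201 "
          "Server_public_addr=202.100.1.1 Assigned_client_addr=100.100.100.108")
SHOW_EZVPN = """Current State: IPSEC_ACTIVE
Address: 100.100.100.108
DNS Primary: 8.8.8.8
DNS Secondary: 8.8.4.4
Current EzVPN Peer: 202.100.1.1"""
NAT_ROW = "icmp 100.100.100.108:24 10.1.1.2:24 1.1.1.1:24 1.1.1.1:24"

# Expected values, read off the Server and Client configurations on this page.
EXPECTED = {"group": "iteachs.com", "peer": "202.100.1.1",
            "pool": ("100.100.100.100", "100.100.100.200"),
            "dns": ["8.8.8.8", "8.8.4.4"]}


def parse_syslog(line):
    """Return the key=value fields of an EZVPN_CONNECTION_UP message."""
    if "%CRYPTO-6-EZVPN_CONNECTION_UP" not in line:
        raise ValueError("not an EZVPN_CONNECTION_UP message")
    return dict(re.findall(r"(\w+)=(\S*)", line))


def parse_show(text):
    """Return the 'Name: value' fields of 'show crypto ipsec client ezvpn'."""
    pairs = (ln.split(":", 1) for ln in text.splitlines() if ":" in ln)
    return {k.strip(): v.strip() for k, v in pairs}


def verify(syslog, show, nat_row, exp):
    """Return the list of mismatches between the outputs and the config."""
    log, st = parse_syslog(syslog), parse_show(show)
    addr = ipaddress.ip_address(st.get("Address", "0.0.0.0"))
    lo, hi = (ipaddress.ip_address(a) for a in exp["pool"])
    # With "mode client", inside hosts are PATed to the assigned address.
    in_global = nat_row.split()[1].rsplit(":", 1)[0]
    checks = [
        (st.get("Current State") == "IPSEC_ACTIVE", "tunnel not IPSEC_ACTIVE"),
        (st.get("Current EzVPN Peer") == exp["peer"] == log.get("Server_public_addr"), "unexpected peer"),
        (log.get("Group") == exp["group"], "unexpected group"),
        (lo <= addr <= hi, "assigned address outside pool"),
        (log.get("Assigned_client_addr") == str(addr), "syslog/show disagree"),
        ([st.get("DNS Primary"), st.get("DNS Secondary")] == exp["dns"], "DNS differs"),
        (in_global == str(addr), "inside traffic not PATed to assigned address"),
    ]
    return [msg for ok, msg in checks if not ok]
```

An empty list from `verify(SYSLOG, SHOW_EZVPN, NAT_ROW, EXPECTED)` means the tunnel state, the pushed attributes and the NAT entry all agree with the configuration.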
XP test screenshot:
All tests are complete and everything is OK.
Simple Isakmp-Profile configuration for RemoteVPN and EzVPN