RemoteVPN和EzVPN的Isakmp-Profile简单配置

还是老样子不多说，先上实验的拓扑图：

实验拓扑图很简单，Internet模拟公网，Server和Client分别只一个默认路由到Internet，1.1.1.1和10.10.10.0/24分别是Server和Client的内部网络。还有一台XP的电脑接入公网。

Server：

hostname Server
!
aaa new-model
!
aaa authentication login vpn local
aaa authorization network vpn local 
!
ip cef
!
username cisco password 0 cisco
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp keepalive 20 periodic
!
crypto isakmp client configuration group iteachs.com
 key cisco
 dns 8.8.8.8 8.8.4.4
 pool myvpn
!
crypto isakmp profile cisco
   match identity group iteachs.com
   client authentication list vpn
   isakmp authorization list vpn
   client configuration address respond
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto dynamic-map cisco 10
 set transform-set cisco 
 set isakmp-profile cisco
 reverse-route
!
crypto map cisco 10 ipsec-isakmp dynamic cisco
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 202.100.1.1 255.255.255.0
 crypto map cisco
!
ip local pool myvpn 100.100.100.100 100.100.100.200

ip classless

ip route 0.0.0.0 0.0.0.0 202.100.1.2
!

Internet：

hostname Internet
!
ip cef
!
interface FastEthernet0/0
 ip address 202.100.1.2 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.80.100 255.255.255.0
!

Client:

hostname Client
!
ip cef
!
crypto ipsec client ezvpn cisco
 connect manual
 group iteachs.com key cisco
 mode client
 peer 202.100.1.1
 xauth userid mode interactive
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.80.201 255.255.255.0
 crypto ipsec client ezvpn cisco
!
interface FastEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 crypto ipsec client ezvpn cisco inside
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.80.100
!

R4:

hostname R4
!
ip cef
!
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 speed auto
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1

XP：

Host：202.100.1.1
Name：iteachs.com
Password：cisco
Confirm Password：cisco

VPN调试：
Client拨号测试

Client#crypto ipsec client ezvpn connect 
Client#
Dec  1 15:08:10.287: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client)  User=  Group=iteachs.com  Client_public_addr=192.168.80.201  Server_public_addr=202.100.1.1  Assigned_client_addr=100.100.100.108  
Client#
Dec  1 15:08:11.943: %LINK-3-UPDOWN: Interface Loopback1, changed state to up
Dec  1 15:08:12.943: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up

ClientVPN信息查看

Client#show crypto ipsec client ezvpn 
Easy VPN Remote Phase: 4

Tunnel name : cisco
Inside interface list: FastEthernet0/1
Outside interface: FastEthernet0/0 
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 100.100.100.108
Mask: 255.255.255.255
DNS Primary: 8.8.8.8
DNS Secondary: 8.8.4.4
Save Password: Disallowed
Current EzVPN Peer: 202.100.1.1

没有流量前的NAT转换

Client#show ip nat translations

R4的PING测试

R4#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/72/112 ms

ClientNAT查看

Client#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 100.100.100.108:24 10.1.1.2:24       1.1.1.1:24         1.1.1.1:24

XP的测试图：

所有测试都完成，一切OK。RemoteVPN和EzVPN的Isakmp-Profile简单配置