
IOS remote vpn(2)


Configuration method 1:

Server-side configuration

aaa new-model
aaa authentication login ezvpn local
aaa authorization network ezvpn local

username cisco password cisco
ip local pool ippool 100.1.1.1 100.1.1.100

crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2

crypto isakmp client configuration group ezvpn
 key cisco
 dns 10.1.12.1
 wins 10.1.12.1
 domain cisco.com
 pool ippool

crypto ipsec transform-set ezvpn esp-des esp-md5-hmac

crypto dynamic-map ezvpn 10
 set transform-set ezvpn
 reverse-route

crypto map cisco 10 ipsec-isakmp dynamic ezvpn
crypto map cisco client configuration address respond
crypto map cisco client authentication list ezvpn
crypto map cisco isakmp authorization list ezvpn

int f0/0
 crypto map cisco

Client-side configuration

crypto ipsec client ezvpn ezvpn
 connect manual
 group ezvpn key cisco
 mode network-plus
 peer 10.1.23.2

int f0/0
 crypto ipsec client ezvpn ezvpn

int f0/1
 crypto ipsec client ezvpn ezvpn inside

 

Configuration method 2:

Server-side configuration

aaa new-model
aaa authentication login ezvpn local
aaa authorization network ezvpn local

username cisco password cisco

crypto isakmp policy 10
 authentication pre-share
 group 2
 hash md5

ip local pool ippool 20.1.1.1 20.1.1.100

crypto isakmp client configuration group ezvpn
 key cisco
 dns 10.1.12.1
 wins 10.1.12.1
 pool ippool

crypto isakmp profile ezvpn
 match identity group ezvpn
 client authentication list ezvpn
 isakmp authorization list ezvpn
 client configuration address respond

crypto ipsec transform-set ezvpn esp-des esp-md5-hmac

crypto dynamic-map ezvpn 10
 set transform-set ezvpn
 set isakmp-profile ezvpn
 reverse-route

crypto map cisco 10 ipsec-isakmp dynamic ezvpn

int f0/0
 crypto map cisco

Client-side configuration is the same as in method 1.

 

Configuration method 3:

Server-side configuration

aaa new-model
aaa authentication login ezvpn local
aaa authorization network ezvpn local

username cisco password cisco

crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2

ip local pool ippool 20.1.1.1 20.1.1.10

crypto isakmp client configuration group ezvpn
 key cisco
 dns 10.1.12.1
 wins 10.1.12.1
 domain cisco.com
 pool ippool

crypto isakmp profile ezvpn
 match identity group ezvpn
 client authentication list ezvpn
 isakmp authorization list ezvpn
 client configuration address respond
 virtual-template 100

crypto ipsec transform-set ezvpn esp-des esp-md5-hmac

crypto ipsec profile ezvpn
 set transform-set ezvpn
 set isakmp-profile ezvpn

interface virtual-template 100 type tunnel
 ip unnumbered f0/0
 tunnel source f0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ezvpn
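All three server configurations above use the same IKE policy (DES by default, MD5, DH group 2), the same transform set (esp-des esp-md5-hmac), a reversible "username ... password" line, and a shared group key, which is what EzVPN aggressive-mode IKE relies on. The script below is an added example and not part of the original post: it parses an IOS running-config of that shape and reports those settings so a lab config is not carried into production unchanged. The sample config it embeds is constructed from method 1; the hardened fragment (AES-256, SHA-256, DH group 14, "username ... secret") is an assumed target and presumes the EzVPN peers in use support those algorithms.

```python
"""Static audit of an IOS EasyVPN server config for weak crypto settings.

Added example, not from the original post. It groups the config into
top-level commands with their indented sub-commands, then flags DES/3DES,
MD5, DH groups 1/2/5, reversible user passwords and the shared group key.
"""

# Constructed sample: the method-1 server config from the post, lowercased.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login ezvpn local
aaa authorization network ezvpn local
username cisco password cisco
ip local pool ippool 100.1.1.1 100.1.1.100
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp client configuration group ezvpn
 key cisco
 dns 10.1.12.1
 pool ippool
crypto ipsec transform-set ezvpn esp-des esp-md5-hmac
crypto dynamic-map ezvpn 10
 set transform-set ezvpn
 reverse-route
crypto map cisco 10 ipsec-isakmp dynamic ezvpn
"""

# Assumed hardened counterpart; peer support for these algorithms is assumed.
HARDENED_CONFIG = """\
username cisco secret <strong-passphrase-placeholder>
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto ipsec transform-set ezvpn esp-aes 256 esp-sha256-hmac
"""

WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
WEAK_DH = {"1", "2", "5"}


def parse_ios(text):
    """Group a running-config into (command, [sub-commands]) blocks.

    Lines that start with a space belong to the preceding top-level line,
    which is how IOS prints sub-mode commands.
    """
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(text):
    """Return a list of (severity, message) findings for the config."""
    findings = []
    for cmd, subs in parse_ios(text):
        words = cmd.split()
        if words[:3] == ["crypto", "isakmp", "policy"]:
            name = f"isakmp policy {words[3]}"
            opts = {s.split()[0]: s.split()[1:] for s in subs}
            # IOS defaults when a sub-command is omitted: des, sha, group 1.
            enc = opts.get("encryption", ["des"])[0]
            if enc in ("des", "3des"):
                findings.append(("high", f"{name}: encryption {enc}"))
            if opts.get("hash", ["sha"])[0] == "md5":
                findings.append(("medium", f"{name}: hash md5"))
            grp = opts.get("group", ["1"])[0]
            if grp in WEAK_DH:
                findings.append(("high", f"{name}: DH group {grp}"))
        elif words[:3] == ["crypto", "ipsec", "transform-set"]:
            for transform in words[4:]:
                if transform in WEAK_ESP:
                    findings.append(("high", f"transform-set {words[3]}: {transform}"))
        elif words[0] == "username" and "password" in words:
            # 'password' is stored reversibly (type 0/7); 'secret' is hashed.
            findings.append(("medium", f"username {words[1]}: reversible password, use 'secret'"))
        elif words[:5] == ["crypto", "isakmp", "client", "configuration", "group"]:
            if any(s.startswith("key ") for s in subs):
                findings.append(("info", f"group {words[5]}: shared group key (aggressive-mode PSK)"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Running it against the sample prints seven findings, and the hardened fragment produces none; pointing it at a saved "show running-config" is the intended use, since the parser only relies on IOS's one-space sub-mode indentation.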

EzVPN client features:

Web-Based Activation

xauth userid mode http-intercept (ip http server must be enabled on the client)

Show commands:

show crypto route: on the server, view the routes generated by RRI or VTI
show crypto ipsec client ezvpn: on the client, view the configuration received after a successful dial-in
sh ip local pool: view address-pool usage
sh ip nat statistics: view NAT; applies only when the mode is client
sh crypto session: view the state of crypto sessions
sh crypto session brief: the same in brief form

Clear commands:

clear crypto ipsec client ezvpn: on the client, tear down the EzVPN connection