Tag: VPN

  1. DMVPN(2)

    Lab:   Hub-side configuration: crypto isakmp policy 10   hash md5   authentication pre-share   group 2   crypto isakmp key cisco address 0.0.0.0 0.0.0.0 ! crypto ipsec transform-set trans esp-des esp-md5-hmac   mode transport (the encryption endpoint is the same as the communication endpoint, which saves 20 bytes) ! crypto ipsec profile DMVPN   set transform-set trans  …

    on Security VPN Cisco

  2. DMVPN(1)

    DMVPN combines two technologies: Next Hop Resolution Protocol (NHRP): Creates a distributed mapping database of VPN (tunnel interface) to real (public interface) addresses   Multipoint GRE Tunnel Interface: Single GRE interface to support multiple GRE/IPsec tunnels and endpoints Simplifies size and complexity of configuration Supports dynamic tunnel creation   NHRP message types: Registration: the message a spoke uses to register with the hub Resolution:…

    on Security VPN Cisco

  3. ASA Remote VPN

    ASA remote vpn   crypto isakmp policy 10   authentication pre-share   encryption des   hash md5   group 2   lifetime 86400 username vpntest password vpntest tunnel-group ezvpn type remote-access   ip local pool ippool 20.1.1.1-20.1.1.10 tunnel-group ezvpn…

    on Security VPN Cisco

  4. IOS remote vpn(2)

      Configuration method 1: Server-side configuration Aaa new-model Aaa authentication login ezvpn local Aaa authorization network ezvpn local   Username cisco password cisco Ip local pool ippool 100.1.1.1 100.1.1.100   Crypto isakmp policy 10   Hash md5   Authentication pre-share   Group 2 Crypto isakmp client configuration…

    on Security VPN Cisco

  5. IOS remote vpn(1)

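    Non-supported Protocols   Supported Protocols   Remote access types: Remote VPN (the client is a PC) EZVPN (the client is a device)   Three types: client: the route the server reverse-injects is the route to the address the client obtained; loopback0 and PAT are added automatically; the client can reach the server, but the server cannot reach the client network extension: the route the server reverse-injects is the route to the client's inside interface; loopback0 and PAT are not added; the client and the server can reach each other network extension plus: the route the server reverse-injects is the route to the client's inside interface; loopback0 is added but PAT is not; the loopback is used for network management   split tunnel mode: 1. tunnel everything: encrypt everything 2.…

    on Security VPN Cisco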

  6. Redundancy VPN

      R1 configuration: crypto isakmp policy 10   hash md5   authentication pre-share   group 2 crypto isakmp key cisco address 10.1.1.254 crypto isakmp keepalive 10 periodic crypto ipsec transform-set trans esp-des esp-md5-hmac crypto map cisco 10 ipsec-isakmp   set peer 10.1.1.254   set transform-set…

    on Security VPN Cisco

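  7. VPN Lab Notes, Part 3

    1. disabling xauth for static ipsec peers 2. ezvpn: add xauth userid mode http-intercept 3. split-tunnel DNS 4. check on clear-text packets: decrypted traffic is permitted here, in set ip access-group 151 in 5. DF: the relationship between the DF bit of the old IP header and that of the newly generated IP header 6. ezvpn: certificates are not supported before 12.4; from 12.4 on, supporting certificates requires adding a phase 1 policy 7. invalid spi recovery: feedback for a wrong SPI 8. show crypto session: includes phase 1 and phase 2 information 9. clear crypto session…

    on Security VPN Cisco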