Note:
There are two types of IPsec VPN: LAN-to-LAN (L2L) and remote-access VPN. This lab shows how to configure a remote-access VPN, also known as Easy VPN, on a PIX or ASA firewall.
Easy VPN addresses the complexity of configuring IPsec VPN clients: the Easy VPN Client software is installed on the PC, and only a minimal configuration is needed on the client side.
On top of a regular IPsec VPN, Easy VPN adds a "phase 1.5": user authentication with a username and password (XAUTH) and the push of client IP parameters (Mode Configuration). Phase 1.5 further strengthens the security of the VPN.
PIX1 configuration
!-- Enable ISAKMP on the outside interface
crypto isakmp enable outside
!-- Configure the phase 1 (IKE) policy
crypto isakmp policy 10
 authentication pre-share
 group 2
 hash md5
!-- Define the tunnel group type; ipsec-ra means IPsec remote access
tunnel-group myezvpn type ipsec-ra
!-- Configure the phase 1 pre-shared key (the group password the clients use)
tunnel-group myezvpn ipsec-attributes
 pre-shared-key wangyuan
!-- Configure the XAUTH (phase 1.5) user account and password for Easy VPN clients
username stanley password wangyuan
!-- Authenticate Easy VPN users against the local user database
tunnel-group myezvpn general-attributes
 authentication-server-group LOCAL
!-- ACL used for split tunneling: only traffic to 192.168.1.0/24 is sent through the tunnel
access-list split-acl permit ip 192.168.1.0 255.255.255.0 any
!-- Configure an internal group policy
!-- Set the default domain name, DNS server, split tunneling and VPN idle timeout (minutes)
group-policy myezvpn-policy internal
group-policy myezvpn-policy attributes
 default-domain value wangyuan.com
 dns-server value 192.168.1.2
 vpn-idle-timeout 600
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-acl
!-- Address pool from which clients receive their IP addresses
ip local pool myezvpn-pool 10.1.1.1-10.1.1.100
tunnel-group myezvpn general-attributes
!-- Assign the address pool used for client IP addresses
 address-pool myezvpn-pool
!-- Have the myezvpn tunnel group use the myezvpn-policy group policy
 default-group-policy myezvpn-policy
!-- Configure the phase 2 transform set
crypto ipsec transform-set myezvpn-set esp-des esp-md5-hmac
!-- Configure a dynamic crypto map that references the phase 2 transform set
crypto dynamic-map myezvpn-dymap 10 set transform-set myezvpn-set
!-- Configure a static crypto map that references the dynamic crypto map
crypto map myezvpn-map 10 ipsec-isakmp dynamic myezvpn-dymap
!-- Apply the crypto map to the outside interface
crypto map myezvpn-map interface outside
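As an added example (not part of the original lab), a small Python linter that cross-checks a PIX/ASA Easy VPN configuration like the one above: it reports sub-mode commands that reference objects never defined at top level (group policy, address pool, split-tunnel ACL, transform set) and flags weak phase 2 transforms. The sample configuration is constructed from the lab above and deliberately includes a common slip, a default-group-policy line that names the tunnel group instead of the group policy.

```python
import re

# Constructed sample: the PIX/ASA side of the lab above with comments stripped, and
# with a common slip: default-group-policy names the tunnel group, not the policy.
SAMPLE = """\
tunnel-group myezvpn type ipsec-ra
access-list split-acl permit ip 192.168.1.0 255.255.255.0 any
group-policy myezvpn-policy internal
group-policy myezvpn-policy attributes
split-tunnel-network-list value split-acl
ip local pool myezvpn-pool 10.1.1.1-10.1.1.100
tunnel-group myezvpn general-attributes
address-pool myezvpn-pool
default-group-policy myezvpn
crypto ipsec transform-set myezvpn-set esp-des esp-md5-hmac
crypto dynamic-map myezvpn-dymap 10 set transform-set myezvpn-set
"""
# Where each kind of object is defined (top level) and where it is referenced.
DEFS = {"group-policy": r"group-policy (\S+) (?:internal|external)\b",
        "access-list": r"access-list (\S+) ",
        "ip local pool": r"ip local pool (\S+) ",
        "transform-set": r"crypto ipsec transform-set (\S+) "}
REFS = {"group-policy": r"default-group-policy (\S+)",
        "access-list": r"split-tunnel-network-list value (\S+)",
        "ip local pool": r"address-pool (\S+)",
        "transform-set": r"crypto dynamic-map \S+ \d+ set transform-set (\S+)"}
WEAK = {"esp-null", "esp-des", "esp-3des", "esp-md5-hmac"}  # not acceptable today

def lint_easyvpn(config):
    # Returns findings: references to undefined objects, plus weak transform-sets.
    defined = {k: set() for k in DEFS}
    refs, findings, ctx = [], [], "global"
    for line in (raw.strip() for raw in config.splitlines()):
        if not line or line.startswith("!"):
            continue
        w = line.split()
        if w[0] in ("tunnel-group", "group-policy"):
            ctx = f"{w[0]} {w[1]}"  # sub-mode that owns the following lines
        for kind, pat in DEFS.items():
            if m := re.match(pat, line):
                defined[kind].add(m.group(1))
        for kind, pat in REFS.items():
            if m := re.match(pat, line):
                refs.append((kind, m.group(1), ctx))
        if line.startswith("crypto ipsec transform-set") and WEAK & set(w):
            findings.append(f"transform-set {w[3]} uses weak algorithm(s) {sorted(WEAK & set(w))}")
    for kind, name, where in refs:
        if name not in defined[kind]:
            findings.append(f"{where} references undefined {kind} '{name}'")
    return findings
```

Running lint_easyvpn on the text of "show running-config" before applying a change catches the dangling reference that would otherwise only show up as a client that authenticates but never receives its address pool or split-tunnel list.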
PC1 Easy VPN Client configuration
(Diagram: the PC1 client settings are shown as a screenshot in the original and are not reproduced here.)
Router0 Easy VPN Client configuration
!-- Easy VPN Remote (hardware client) profile
crypto ipsec client ezvpn myezvpn
 connect auto
 !-- The group name and key must match the tunnel-group name and pre-shared key on PIX1
 group myezvpn key wangyuan
 mode client
 !-- Easy VPN server address (PIX1)
 peer 202.103.1.2
 !-- XAUTH (phase 1.5) user credentials
 username stanley password wangyuan
!-- Inside interface: the LAN side of the hardware client
interface loopback 0
 crypto ipsec client ezvpn myezvpn inside
!-- Outside interface: faces the Easy VPN server
interface fa0/0
 crypto ipsec client ezvpn myezvpn outside
!-- Default route toward the Easy VPN server
ip route 0.0.0.0 0.0.0.0 fastethernet0/0
Please credit when reposting: 爱开源 » PIX/ASA IPsec VPN – Easy VPN basic configuration