client-to-site VPN configuration
Topology:
(topology diagram: client-to-site VPN)
Client address pool: 192.168.110.0/24; router inside network: 10.0.1.0/24; router outside address: 210.41.166.124
// Enable AAA; the two lists below are referenced by the crypto map
aaa new-model
aaa authentication login vpn-en local
aaa authorization network vpn-or local
//3A用戶名和密碼
username root password 123456
ip local pool vpn-pool 192.168.110.1 192.168.110.254
ip route 0.0.0.0 0.0.0.0 210.41.166.1
// Exempt inside-to-client traffic from NAT, otherwise it is translated before it can match the tunnel
access-list 100 deny ip 10.0.1.0 0.0.0.255 192.168.110.0 0.0.0.255
access-list 100 permit ip any any
// Interesting traffic: the networks clients reach through the tunnel (split-tunnel ACL)
access-list 101 permit ip 10.0.1.0 0.0.0.255 192.168.110.0 0.0.0.255
// NAT overload (PAT) on the outside interface for everything ACL 100 permits
ip nat inside source list 100 interface FastEthernet0/1 overload
// IKE phase 1 (ISAKMP policy). 3DES, SHA-1 and DH group 2 are legacy lab values; use aes 256, sha256 and group 14 or higher in production
crypto isakmp policy 20
encr 3des
hash sha
authentication pre-share
group 2
// IKE phase 2 (IPsec transform set)
crypto ipsec transform-set vpn-client esp-3des esp-sha-hmac
//對發建立VPN連接的用戶名myvpn和密碼123cisco
crypto isakmp client configuration group myvpn
key 123cisco
pool vpn-pool
acl 101
// Dynamic crypto map; reverse-route injects a route for each connected client address
crypto dynamic-map dymap 20
set transform-set vpn-client
reverse-route
// XAuth user authentication (AAA login list vpn-en)
crypto map test client authentication list vpn-en
// Group authorization (AAA network list vpn-or)
crypto map test isakmp authorization list vpn-or
// Answer client requests for an address (mode config) and bind the dynamic map
crypto map test client configuration address respond
crypto map test 20 ipsec-isakmp dynamic dymap
// Inside interface
int fa0/0
ip address 10.0.1.254 255.255.255.0
ip nat inside
// Outside interface; the crypto map is applied here
int fa0/1
ip address 210.41.166.124 255.255.255.0
ip nat outside
crypto map test
site-to-site VPN configuration
Topology:
(topology diagram: site-to-site VPN)
R1 inside network: 10.0.1.0/24, outside address: 210.41.166.124
R2 inside network: 10.0.2.0/24, outside address: 210.41.166.123
R1
// Exempt site-to-site traffic from NAT
access-list 100 deny ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 100 permit ip any any
// Interesting traffic: what the crypto map encrypts (must be the mirror image of R2's ACL 101)
access-list 101 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
// Not used by a site-to-site tunnel (left over from the client-to-site configuration)
ip local pool vpn-pool 192.168.110.1 192.168.110.254
// Default route toward the ISP
ip route 0.0.0.0 0.0.0.0 210.41.166.1
// NAT overload (PAT) on the outside interface for everything ACL 100 permits
ip nat inside source list 100 interface FastEthernet0/1 overload
// IKE phase 1 (ISAKMP policy); must match R2. 3DES, SHA-1 and DH group 2 are legacy lab values; use aes 256, sha256 and group 14 or higher in production
crypto isakmp policy 20
encr 3des
hash sha
authentication pre-share
group 2
// Pre-shared key for peer R2; 'cisco' is a lab value, use a long random key and configure the same one on both ends
crypto isakmp key cisco address 210.41.166.123
// IKE phase 2 (IPsec transform set); must match R2
crypto ipsec transform-set ccnp esp-3des esp-sha-hmac
// Static crypto map: peer, transform set and interesting traffic
crypto map vpn-map 20 ipsec-isakmp
set peer 210.41.166.123
set transform-set ccnp
match address 101
// Inside interface
int fa0/0
ip address 10.0.1.254 255.255.255.0
ip nat inside
// Outside interface; the crypto map is applied here
int fa0/1
ip address 210.41.166.124 255.255.255.0
ip nat outside
crypto map vpn-map
R2
// Exempt site-to-site traffic from NAT
access-list 100 deny ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 100 permit ip any any
// Interesting traffic: the mirror image of R1's ACL 101
access-list 101 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
// NAT overload (PAT) on the outside interface for everything ACL 100 permits
ip nat inside source list 100 interface FastEthernet0/1 overload
// IKE phase 1 (ISAKMP policy); identical to R1
crypto isakmp policy 20
encr 3des
hash sha
authentication pre-share
group 2
// Pre-shared key for peer R1; must be the same key R1 configured for this address
crypto isakmp key cisco address 210.41.166.124
// IKE phase 2 (IPsec transform set); identical to R1
crypto ipsec transform-set ccnp esp-3des esp-sha-hmac
// Static crypto map: peer, transform set and interesting traffic
crypto map vpn-map 20 ipsec-isakmp
set peer 210.41.166.124
set transform-set ccnp
match address 101
// Inside interface
int fa0/0
ip address 10.0.2.254 255.255.255.0
ip nat inside
// Outside interface; the crypto map is applied here
int fa0/1
ip address 210.41.166.123 255.255.255.0
ip nat outside
crypto map vpn-map
OK !!!
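Both configurations above share the two things that most often break a tunnel or quietly leak traffic: the NAT ACL has to exempt exactly what the crypto ACL protects (and do so before its permit-any), and in the site-to-site case R1 and R2 have to be mirror images that agree on every proposal and point at each other. The script below is an added example, not part of the original page and not Cisco tooling: it parses only the IOS line types used above (access-list, ISAKMP policy sub-commands, transform-set, isakmp key, set peer, ip address and ip nat outside), runs those checks, and flags the 3DES / SHA-1 / DH group 2 proposals. The parsing rules and function names are assumptions; the embedded R1 text is copied from the site-to-site section, and R2 is derived from it by the same subnet and address swap the page shows.

```python
"""Added consistency checker for the IPsec configs on this page (not part of the page)."""
import ipaddress
import re

LEGACY = {"3des": "aes 256", "sha": "sha256", "2": "group 14 or higher"}  # ISAKMP policy keywords

def wildcard_to_network(addr, wildcard=None):
    if addr == "any":                                # IOS 'any' -> 0.0.0.0/0
        return ipaddress.ip_network("0.0.0.0/0")
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):                                  # non-contiguous wildcard: no CIDR form
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)

def parse_config(text):
    """Pull ACLs, phase 1/2 proposals, PSK, peer and outside address out of IOS text."""
    cfg = {"acls": {}, "isakmp": {}, "transform": (), "psk": {}, "peers": [], "outside_ip": None}
    last_addr = None
    for raw in text.splitlines():
        t = raw.split("//")[0].split()               # drop the page's // comments
        if not t:
            continue
        if t[0] == "access-list":                    # access-list N permit|deny ip SRC DST
            ends = re.findall(r"any|\S+ \S+", " ".join(t[4:]))   # each end: 'any' or 'A WILDCARD'
            cfg["acls"].setdefault(int(t[1]), []).append(
                (t[2], *(wildcard_to_network(*e.split()) for e in ends)))
        elif t[0] in ("encr", "hash", "authentication", "group"):   # isakmp policy sub-commands
            cfg["isakmp"][t[0]] = " ".join(t[1:])
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform"] = tuple(t[4:])
        elif t[:3] == ["crypto", "isakmp", "key"]:   # crypto isakmp key KEY address PEER
            cfg["psk"][t[5]] = t[3]
        elif t[:2] == ["set", "peer"]:
            cfg["peers"].append(t[2])
        elif t[:2] == ["ip", "address"]:
            last_addr = t[2]
        elif t[:3] == ["ip", "nat", "outside"]:      # the interface the tunnel terminates on
            cfg["outside_ip"] = last_addr
    return cfg

def nat_exemption_problems(cfg, nat_acl=100, crypto_acl=101):
    """Crypto-ACL flows must be denied in the NAT ACL before its permit-any, or they get translated first."""
    nat = cfg["acls"].get(nat_acl, [])
    first_permit = next((i for i, e in enumerate(nat) if e[0] == "permit"), len(nat))
    denied = {e[1:] for i, e in enumerate(nat) if e[0] == "deny" and i < first_permit}
    return [f"{s} -> {d} is encrypted but still NATed"
            for a, s, d in cfg["acls"].get(crypto_acl, []) if a == "permit" and (s, d) not in denied]

def mirror_problems(r1, r2, crypto_acl=101):
    """Peers must protect mirror-image flows, agree on both phases, share the PSK and
    point set-peer / isakmp-key at each other's outside address."""
    p = []
    f1 = {(s, d) for a, s, d in r1["acls"].get(crypto_acl, []) if a == "permit"}
    f2 = {(d, s) for a, s, d in r2["acls"].get(crypto_acl, []) if a == "permit"}
    if f1 != f2:
        p.append(f"crypto ACLs are not mirror images: {f1 ^ f2}")
    if r1["isakmp"] != r2["isakmp"]:
        p.append("phase 1 policies differ")
    if r1["transform"] != r2["transform"]:
        p.append("phase 2 transform sets differ")
    for me, other in ((r1, r2), (r2, r1)):
        if other["peers"] != [me["outside_ip"]] or me["outside_ip"] not in other["psk"]:
            p.append(f"{other['outside_ip']} does not point at {me['outside_ip']}")
    if r1["psk"].get(r2["outside_ip"]) != r2["psk"].get(r1["outside_ip"]):
        p.append("pre-shared keys differ")
    return p

def legacy_algorithms(cfg):
    """Flag 3DES / SHA-1 / group 2; IOS accepts encr aes 256, hash sha256, group 14, esp-aes 256 esp-sha256-hmac."""
    found = [f"isakmp {k} {v} -> {LEGACY[v]}" for k, v in cfg["isakmp"].items() if v in LEGACY]
    found += [f"transform {t} -> esp-aes 256 esp-sha256-hmac"
              for t in cfg["transform"] if t in ("esp-3des", "esp-sha-hmac")]
    return found

# R1 as given in the site-to-site section above; lines the checker does not read are omitted.
R1 = """
access-list 100 deny ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
crypto isakmp policy 20
encr 3des
hash sha
authentication pre-share
group 2
crypto isakmp key cisco address 210.41.166.123
crypto ipsec transform-set ccnp esp-3des esp-sha-hmac
set peer 210.41.166.123
int fa0/1
ip address 210.41.166.124 255.255.255.0
ip nat outside
"""
# R2 on the page is R1 with the two subnets and the two outside addresses swapped.
R2 = (R1.replace("10.0.1.0 0.0.0.255 10.0.2.0", "10.0.2.0 0.0.0.255 10.0.1.0")
        .replace("210.41.166.123", "TMP").replace("210.41.166.124", "210.41.166.123")
        .replace("TMP", "210.41.166.124"))

if __name__ == "__main__":
    r1, r2 = parse_config(R1), parse_config(R2)
    print(nat_exemption_problems(r1), mirror_problems(r1, r2), *legacy_algorithms(r1), sep="\n")
```

For the page's configs the first two checks come back empty and the third lists the five legacy proposals. For the client-to-site router there is no peer to mirror: feed its configuration to parse_config and run nat_exemption_problems alone, which catches the common mistake of deleting the deny line from ACL 100 and then wondering why client traffic never enters the tunnel.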