Client-to-site VPN configuration
Topology diagram:
[Figure: client-to-site VPN topology]
Client address pool: 192.168.110.0/24   Router inside network: 10.0.1.0/24   Outside address: 210.41.166.124
! Enable AAA
aaa new-model
aaa authentication login vpn-en local
aaa authorization network vpn-or local
! AAA username and password (the XAUTH user account)
username root password 123456
ip local pool vpn-pool 192.168.110.1 192.168.110.254
ip route 0.0.0.0 0.0.0.0 210.41.166.1
! Exempt traffic between the inside network and the VPN clients from NAT
access-list 100 deny ip 10.0.1.0 0.0.0.255 192.168.110.0 0.0.0.255
access-list 100 permit ip any any
! Define the interesting traffic (pushed to clients as the split-tunnel ACL)
access-list 101 permit ip 10.0.1.0 0.0.0.255 192.168.110.0 0.0.0.255
! NAT overload on the outside interface
ip nat inside source list 100 interface FastEthernet0/1 overload
! IKE phase 1 policy
crypto isakmp policy 20
 encr 3des
 hash sha
 authentication pre-share
 group 2
! IKE phase 2 (IPsec) transform set
crypto ipsec transform-set vpn-client esp-3des esp-sha-hmac
! Client group: group name myvpn with group pre-shared key 123cisco;
! the address pool and the interesting-traffic ACL are pushed to connecting clients
crypto isakmp client configuration group myvpn
 key 123cisco
 pool vpn-pool
 acl 101
! Dynamic crypto map
crypto dynamic-map dymap 20
 set transform-set vpn-client
 reverse-route
! Authentication: XAUTH user login is checked against list vpn-en
crypto map test client authentication list vpn-en
! Authorization: group attributes (pool, ACL) are looked up through list vpn-or
crypto map test isakmp authorization list vpn-or
! Respond to client address requests (mode configuration)
crypto map test client configuration address respond
crypto map test 20 ipsec-isakmp dynamic dymap
! Inside interface
int fa0/0
 ip address 10.0.1.254 255.255.255.0
 ip nat inside
! Outside interface
int fa0/1
 ip address 210.41.166.124 255.255.255.0
 ip nat outside
 crypto map test
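The client-to-site configuration above binds an IKE policy, a transform set, local user accounts and two AAA lists to one crypto map, and each of those is something a reviewer checks before the config goes live. The following is an added example, not code from the original post: a small Python linter that reads an IOS-style configuration excerpt (a constructed copy of the relevant lines above) and flags the legacy algorithms, the plaintext local password, the group key stored in the config, and any dynamic crypto map that lacks an authentication or authorization list. The legacy-algorithm sets and the finding texts are this example's own assumptions, not an IOS feature.

```python
"""Added example (not the original post's code): lint an IOS-style IKE/IPsec
configuration for settings a defender would want to review before deployment."""
import re

# Constructed excerpt modelled on the client-to-site config in the post.
CLIENT_TO_SITE = """\
aaa new-model
aaa authentication login vpn-en local
aaa authorization network vpn-or local
username root password 123456
crypto isakmp policy 20
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto ipsec transform-set vpn-client esp-3des esp-sha-hmac
crypto isakmp client configuration group myvpn
 key 123cisco
 pool vpn-pool
 acl 101
crypto map test client authentication list vpn-en
crypto map test isakmp authorization list vpn-or
crypto map test 20 ipsec-isakmp dynamic dymap
"""

# Algorithms and DH groups treated as legacy by this example (assumption;
# consult current vendor and NIST guidance for the authoritative list).
LEGACY_ENCR = {"des", "3des"}
LEGACY_HASH = {"md5", "sha"}            # bare "sha" in an ISAKMP policy is SHA-1
LEGACY_DH_GROUPS = {"1", "2", "5"}
LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}


def lint_vpn_config(text):
    """Return a list of (severity, message) findings for one config excerpt."""
    findings = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2:
            continue
        # IKE phase 1 policy sub-commands
        if tokens[0] == "encr" and tokens[1] in LEGACY_ENCR:
            findings.append(("high", f"IKE policy uses legacy cipher {tokens[1]}"))
        elif tokens[0] == "hash" and tokens[1] in LEGACY_HASH:
            findings.append(("medium", f"IKE policy uses legacy hash {tokens[1]}"))
        elif tokens[0] == "group" and tokens[1] in LEGACY_DH_GROUPS:
            findings.append(("high", f"IKE policy uses weak DH group {tokens[1]}"))
        # IPsec (phase 2) transform set: every transform after the set name
        elif tokens[:3] == ["crypto", "ipsec", "transform-set"]:
            for t in tokens[4:]:
                if t in LEGACY_TRANSFORMS:
                    findings.append(("high", f"transform-set {tokens[3]} uses legacy transform {t}"))
        # Local account stored with a reversible 'password' instead of 'secret'
        elif tokens[0] == "username" and "password" in tokens:
            findings.append(("medium", f"local user {tokens[1]} uses 'password' (not 'secret')"))
        # Group pre-shared key kept in the running configuration
        elif tokens[0] == "key" and len(tokens) == 2:
            findings.append(("info", "client group pre-shared key is stored in configuration"))
    # A crypto map with a dynamic entry should have both an XAUTH authentication
    # list and an ISAKMP authorization list bound to it; check the pairing.
    for m in set(re.findall(r"^crypto map (\S+) \d+ ipsec-isakmp dynamic", text, re.M)):
        if not re.search(rf"^crypto map {re.escape(m)} client authentication list", text, re.M):
            findings.append(("high", f"crypto map {m} has no client authentication list"))
        if not re.search(rf"^crypto map {re.escape(m)} isakmp authorization list", text, re.M):
            findings.append(("high", f"crypto map {m} has no isakmp authorization list"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_vpn_config(CLIENT_TO_SITE):
        print(f"[{severity}] {message}")
```

Run against the excerpt, the linter reports the 3DES/SHA-1/group 2 phase 1 policy, both legacy transforms in the phase 2 set, the plaintext local password and the stored group key, while the authentication/authorization pairing on crypto map test passes; deleting either list line makes the corresponding high-severity finding appear.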
Site-to-site VPN configuration
Topology diagram:
[Figure: site-to-site VPN topology]
R1 inside network: 10.0.1.0/24   Outside address: 210.41.166.124
R2 inside network: 10.0.2.0/24   Outside address: 210.41.166.123
R1
! Exempt traffic between the two inside networks from NAT
access-list 100 deny ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 100 permit ip any any
! Define the interesting traffic
access-list 101 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
ip local pool vpn-pool 192.168.110.1 192.168.110.254
ip route 0.0.0.0 0.0.0.0 210.41.166.1
! NAT overload on the outside interface
ip nat inside source list 100 interface FastEthernet0/1 overload
! IKE phase 1 policy and the pre-shared key for peer R2
crypto isakmp policy 20
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key cisco address 210.41.166.123
! IKE phase 2 (IPsec) transform set
crypto ipsec transform-set ccnp esp-3des esp-sha-hmac
! Static crypto map: peer, transform set and interesting traffic
crypto map vpn-map 20 ipsec-isakmp
 set peer 210.41.166.123
 set transform-set ccnp
 match address 101
! Inside interface
int fa0/0
 ip address 10.0.1.254 255.255.255.0
 ip nat inside
! Outside interface
int fa0/1
 ip address 210.41.166.124 255.255.255.0
 ip nat outside
 crypto map vpn-map
R2
! Exempt traffic between the two inside networks from NAT
access-list 100 deny ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 100 permit ip any any
! Define the interesting traffic (mirror image of R1's ACL 101)
access-list 101 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
! NAT overload on the outside interface
ip nat inside source list 100 interface FastEthernet0/1 overload
! IKE phase 1 policy and the pre-shared key for peer R1
crypto isakmp policy 20
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key cisco address 210.41.166.124
! IKE phase 2 (IPsec) transform set
crypto ipsec transform-set ccnp esp-3des esp-sha-hmac
! Static crypto map: peer, transform set and interesting traffic
crypto map vpn-map 20 ipsec-isakmp
 set peer 210.41.166.124
 set transform-set ccnp
 match address 101
! Inside interface
int fa0/0
 ip address 10.0.2.254 255.255.255.0
 ip nat inside
! Outside interface
int fa0/1
 ip address 210.41.166.123 255.255.255.0
 ip nat outside
 crypto map vpn-map
OK !!!
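The site-to-site configuration only works when the two routers agree with each other: R2's crypto ACL must be the mirror image of R1's, the NAT-exemption deny on each side must cover exactly what its crypto ACL encrypts (otherwise the traffic is translated first and never matches the crypto ACL), each set peer must point at the interface on which the other side applied its crypto map, and the pre-shared key and its address must line up with the peer. The following is an added example, not code from the original post: a Python check that parses two IOS-style config excerpts (constructed copies of the relevant R1 and R2 lines above) and reports every one of those mismatches. The parser and the checks are this example's own assumptions, not an IOS feature.

```python
"""Added example (not the original post's code): consistency check for a pair
of site-to-site IPsec configurations written in Cisco IOS style."""
import re

# Constructed excerpts modelled on R1 and R2 from the post.
R1 = """\
access-list 100 deny ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
ip nat inside source list 100 interface FastEthernet0/1 overload
crypto isakmp key cisco address 210.41.166.123
crypto map vpn-map 20 ipsec-isakmp
 set peer 210.41.166.123
 match address 101
interface FastEthernet0/1
 ip address 210.41.166.124 255.255.255.0
 crypto map vpn-map
"""
R2 = """\
access-list 100 deny ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
ip nat inside source list 100 interface FastEthernet0/1 overload
crypto isakmp key cisco address 210.41.166.124
crypto map vpn-map 20 ipsec-isakmp
 set peer 210.41.166.124
 match address 101
interface FastEthernet0/1
 ip address 210.41.166.123 255.255.255.0
 crypto map vpn-map
"""

ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) ip (\S+) (\S+) (\S+) (\S+)$")


def parse(text):
    """Pull out the pieces of one side's config that the peer has to agree with."""
    cfg = {"acl": {}, "nat_acl": None, "crypto_acl": None, "peer": None,
           "psk": None, "psk_addr": None, "outside_ip": None}
    cur_if, if_ip = None, {}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if not raw.startswith(" ") and t[0] != "interface":
            cur_if = None                       # left interface sub-mode
        m = ACL_RE.match(raw.strip())
        if m:
            acl, action, *nets = m.groups()      # (src, wildcard, dst, wildcard)
            cfg["acl"].setdefault(acl, []).append((action, tuple(nets)))
        elif t[:4] == ["ip", "nat", "inside", "source"] and "list" in t:
            cfg["nat_acl"] = t[t.index("list") + 1]
        elif t[:3] == ["crypto", "isakmp", "key"]:
            cfg["psk"], cfg["psk_addr"] = t[3], t[5]
        elif t[:2] == ["set", "peer"]:
            cfg["peer"] = t[2]
        elif t[:2] == ["match", "address"]:
            cfg["crypto_acl"] = t[2]
        elif t[0] == "interface":
            cur_if = t[1]
        elif t[:2] == ["ip", "address"] and cur_if:
            if_ip[cur_if] = t[2]
        elif t[:2] == ["crypto", "map"] and len(t) == 3 and cur_if:
            cfg["outside_ip"] = if_ip.get(cur_if)  # interface the map is applied to
    return cfg


def entries(cfg, acl_key, action):
    """Set of (src, wc, dst, wc) tuples with the given action in the named ACL."""
    return {nets for act, nets in cfg["acl"].get(cfg[acl_key], []) if act == action}


def check_pair(text_a, text_b):
    """Return a list of mismatches; an empty list means the pair is consistent."""
    a, b = parse(text_a), parse(text_b)
    problems = []
    for name, cfg in (("A", a), ("B", b)):
        # Everything the crypto ACL selects must be denied in the NAT ACL.
        for nets in entries(cfg, "crypto_acl", "permit") - entries(cfg, "nat_acl", "deny"):
            problems.append(f"{name}: crypto ACL entry {nets} is not exempted from NAT")
    # Each side's crypto ACL must be the mirror image of the other's.
    mirror_b = {(d, dw, s, sw) for (s, sw, d, dw) in entries(b, "crypto_acl", "permit")}
    if entries(a, "crypto_acl", "permit") != mirror_b:
        problems.append("crypto ACLs are not mirror images of each other")
    if a["peer"] != b["outside_ip"] or b["peer"] != a["outside_ip"]:
        problems.append("set peer does not point at the other side's crypto-map interface")
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    if a["psk_addr"] != a["peer"] or b["psk_addr"] != b["peer"]:
        problems.append("isakmp key address does not match set peer")
    return problems


if __name__ == "__main__":
    print(check_pair(R1, R2) or "R1/R2 consistent")
```

With the two excerpts as written the check returns no problems; dropping R2's NAT-exemption deny, pointing its set peer at an address that is not R1's outside interface, or editing one crypto ACL so it no longer mirrors the other each produces the corresponding finding.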