Easy VPN 实验.docx (Easy VPN Lab)
- Document number: 23966509
- Upload date: 2023-05-23
- Format: DOCX
- Pages: 48
- Size: 511.66KB
Easy VPN Lab
I. EZVPN Between Router and Router
1) Overview
Cisco Easy VPN integrates all Easy VPN Remote devices (Cisco routers, Cisco PIX firewalls, Cisco VPN 3002 hardware clients or software clients) into a single deployment with consistent policy and key management, which greatly simplifies remote-end management and configuration.
Put simply, the complex policy and key-management commands are configured on the server side, while the client only needs a few simple commands to bring up a VPN link to the server; the main purpose is, of course, to simplify the configuration and management of the remote devices.
2) Lab environment
The topology and IP address assignment are as follows:
3) Lab objective
Using Easy VPN, users on the remote client side should be able to reach the WEB server inside the server side directly; in short, the client PC should be able to ping the server-side internal WEB server and open its home page in IE.
4) Basic lab environment configuration and tests
In this step we configure basic connectivity and a few basic commands on the routers and test them with ping.
Basic configuration of EZVPN-Server
enable
conf t
hostname EZVPN-Server
enable secret cisco
no ip domain-lookup
line console 0
 exec-timeout 0 0
 logging syn
 exit
line vty 0 4
 exec-timeout 0 0
 password cisco
 login
 exit
interface serial1/2
 ip address 10.1.1.1 255.255.255.0
 no shutdown
 exit
interface fastethernet0/0
 ip address 192.168.1.251 255.255.255.0
 no shutdown
 exit
ip route 0.0.0.0 0.0.0.0 serial1/2
Basic configuration of EZVPN-Client
enable
conf t
hostname EZVPN-Client
enable secret cisco
no ip domain-lookup
line console 0
 exec-timeout 0 0
 logging syn
 exit
line vty 0 4
 exec-timeout 0 0
 password cisco
 login
 exit
interface serial1/2
 ip address 10.1.2.2 255.255.255.0
 no shutdown
 exit
interface fastethernet0/0
 ip address 192.168.100.1 255.255.255.0
 no shutdown
 exit
ip route 0.0.0.0 0.0.0.0 serial1/2
Basic configuration of ISP
enable
conf t
hostname ISP
enable secret cisco
no ip domain-lookup
line console 0
 exec-timeout 0 0
 logging syn
 exit
line vty 0 4
 exec-timeout 0 0
 password cisco
 login
 exit
interface serial1/0
 ip address 10.1.1.2 255.255.255.0
 no shutdown
 exit
interface serial1/1
 ip address 10.1.2.1 255.255.255.0
 no shutdown
 exit
Ping tests on EZVPN-Client:
EZVPN-Client#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 140/163/192 ms
EZVPN-Client#ping 192.168.1.244
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.244, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Ping tests on EZVPN-Server:
EZVPN-Server#ping 10.1.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/95/140 ms
EZVPN-Server#ping 192.168.100.21
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.21, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Ping tests on the PC:
C:\Documents and Settings\cx>ping 192.168.100.1 -n 2
Pinging 192.168.100.1 with 32 bytes of data:
Reply from 192.168.100.1: bytes=32 time=14ms TTL=255
Reply from 192.168.100.1: bytes=32 time=6ms TTL=255
Ping statistics for 192.168.100.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 6ms, Maximum = 14ms, Average = 10ms
C:\Documents and Settings\cx>ping 10.1.2.2 -n 2
Pinging 10.1.2.2 with 32 bytes of data:
Reply from 10.1.2.2: bytes=32 time=7ms TTL=255
Reply from 10.1.2.2: bytes=32 time=5ms TTL=255
Ping statistics for 10.1.2.2:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 5ms, Maximum = 7ms, Average = 6ms
C:\Documents and Settings\cx>ping 10.1.1.1 -n 2
Pinging 10.1.1.1 with 32 bytes of data:
Request timed out.
Request timed out.
Ping statistics for 10.1.1.1:
    Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
Ping tests on the WEB server:
C:\Documents and Settings\Administrator>ping 192.168.1.251 -n 2
Pinging 192.168.1.251 with 32 bytes of data:
Reply from 192.168.1.251: bytes=32 time=67ms TTL=255
Reply from 192.168.1.251: bytes=32 time=15ms TTL=255
Ping statistics for 192.168.1.251:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 15ms, Maximum = 67ms, Average = 41ms
C:\Documents and Settings\Administrator>ping 10.1.1.1 -n 2
Pinging 10.1.1.1 with 32 bytes of data:
Reply from 10.1.1.1: bytes=32 time=429ms TTL=255
Reply from 10.1.1.1: bytes=32 time=155ms TTL=255
Ping statistics for 10.1.1.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 155ms, Maximum = 429ms, Average = 292ms
C:\Documents and Settings\Administrator>ping 10.1.2.2 -n 2
Pinging 10.1.2.2 with 32 bytes of data:
Request timed out.
Request timed out.
Ping statistics for 10.1.2.2:
    Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
From the tests above, the internal hosts on the client side cannot reach the server-side WEB server; next we configure Easy VPN to make them reachable.
5) Easy VPN configuration (without XAUTH authentication)
Configuration steps on EZVPN-Server:
1. Create the IP address pool and the local user database
ip local pool Remote-Pool 172.16.1.200 172.16.1.250
username cisco password cisco123
2. Configure group policy lookup
aaa new-model
aaa authorization network vpn-group local
3. Create the ISAKMP policy for remote VPN client access
crypto isakmp enable
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 group 2
 exit
show crypto isakmp policy
4. Define the group policy to be pushed to clients via Mode Config (MC)
crypto isakmp client configuration group test
 key VPNKEY   // pre-shared key used by authentication pre-share
 domain
 pool Remote-Pool
 exit
5. Create the transform set
crypto ipsec transform-set VPNTRANSFORM esp-3des esp-sha-hmac
 exit
show crypto ipsec transform-set
6. Create the dynamic crypto map with RRI (reverse route injection)
crypto dynamic-map Dynamic-Map 10
 set transform-set VPNTRANSFORM
 reverse-route
 exit
show crypto dynamic-map
7. Apply MC to the dynamic crypto map
crypto map ClientMap client configuration address respond
crypto map ClientMap isakmp authorization list vpn-group
crypto map ClientMap 65535 ipsec-isakmp dynamic Dynamic-Map
8. Apply the dynamic crypto map to the router's outside interface
interface serial1/2
 crypto map ClientMap
 exit
show crypto map
10. Enable IKE DPD (dead peer detection)
crypto isakmp keepalive 20 10
Configuration steps on EZVPN-Client:
1. Define the client IPsec encryption policy
crypto ipsec client ezvpn R6-Client
 group test key VPNKEY
 peer 10.1.1.1
 mode client
 connect auto
 exit
2. Apply the policy to the interfaces
interface serial1/2
 crypto ipsec client ezvpn R6-Client
 exit
interface fastethernet0/0
 crypto ipsec client ezvpn R6-Client inside
 exit
6) Checking the state with show commands
EZVPN-Server:
EZVPN-Server#show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: Serial1/2
Group: test
Assigned address: 172.16.1.200
Uptime: 00:15:27
Session status: UP-ACTIVE
Peer: 10.1.2.2 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: test
      Desc: (none)
  IKE SA: local 10.1.1.1/500 remote 10.1.2.2/500 Active
          Capabilities:CD connid:1001 lifetime:23:44:31
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 172.16.1.200
        Active SAs: 2, origin: dynamic crypto map
        Inbound:  #pkts dec'ed 705 drop 0 life (KB/Sec) 4577122/2672
        Outbound: #pkts enc'ed 4 drop 0 life (KB/Sec) 4577204/2672
EZVPN-Server#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     172.16.0.0/32 is subnetted, 1 subnets
S       172.16.1.200 [1/0] via 10.1.2.2
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, Serial1/2
C    192.168.1.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 is directly connected, Serial1/2
EZVPN-Client:
EZVPN-Client#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 4

Tunnel name : R6-Client
Inside interface list: FastEthernet0/0
Outside interface: Serial1/2
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 172.16.1.200
Mask: 255.255.255.255
Default Domain:
Save Password: Disallowed
Current EzVPN Peer: 10.1.1.1
EZVPN-Client#show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: Serial1/2
Session status: UP-ACTIVE
Peer: 10.1.1.1 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 10.1.1.1
      Desc: (none)
  IKE SA: local 10.1.2.2/500 remote 10.1.1.1/500 Active
          Capabilities:C connid:6 lifetime:23:41:43
  IPSEC FLOW: permit ip host 172.16.1.200 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 4 drop 0 life (KB/Sec) 4469489/2536
        Outbound: #pkts enc'ed 801 drop 0 life (KB/Sec) 4469396/2536
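Added example (not part of the original lab): a small Python parser for the "show crypto session detail" output shown above, plus an audit that reads the Capabilities letters the way the Code legend defines them and reports when the session was built without XAUTH (no X) or without DPD (no D), which is exactly the state of this section's configuration. The sample text is constructed from the EZVPN-Server fields above.

```python
import re

# Constructed sample reproducing the fields of the EZVPN-Server
# "show crypto session detail" output above (not a capture from the lab).
SAMPLE_SESSION = """\
Crypto session current status
Group: test
Assigned address: 172.16.1.200
Session status: UP-ACTIVE
Peer: 10.1.2.2 port 500 fvrf: (none) ivrf: (none)
  IKE SA: local 10.1.1.1/500 remote 10.1.2.2/500 Active
          Capabilities:CD connid:1001 lifetime:23:44:31
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 172.16.1.200
        Active SAs: 2, origin: dynamic crypto map
        Inbound:  #pkts dec'ed 705 drop 0 life (KB/Sec) 4577122/2672
        Outbound: #pkts enc'ed 4 drop 0 life (KB/Sec) 4577204/2672
"""

CAPABILITY_NAMES = {"C": "ike-config-mode", "D": "dpd", "K": "keepalives",
                    "N": "nat-traversal", "X": "xauth"}

def parse_session(text):
    """Extract the fields needed to verify an Easy VPN session."""
    def grab(pattern, flags=0):
        m = re.search(pattern, text, flags)
        return m.group(1) if m else None
    caps = grab(r"Capabilities:([A-Z]*)") or ""
    return {
        "status": grab(r"Session status:\s*(\S+)"),
        "peer": grab(r"Peer:\s*(\S+)\s+port\s+\d+"),
        "assigned_address": grab(r"Assigned address:\s*(\S+)"),
        "capabilities": {CAPABILITY_NAMES.get(c, c) for c in caps},
        "active_sas": int(grab(r"Active SAs:\s*(\d+)") or 0),
        "pkts_decrypted": int(grab(r"#pkts dec'ed\s+(\d+)") or 0),
        "pkts_encrypted": int(grab(r"#pkts enc'ed\s+(\d+)") or 0),
    }

def audit_session(session):
    """Findings a reviewer would raise about the parsed session."""
    findings = []
    if session["status"] != "UP-ACTIVE":
        findings.append("tunnel is not UP-ACTIVE")
    if session["active_sas"] < 2:
        findings.append("expected an inbound and an outbound IPsec SA")
    if "xauth" not in session["capabilities"]:
        findings.append("no XAUTH: the peer proved only the group pre-shared key")
    if "dpd" not in session["capabilities"]:
        findings.append("DPD not negotiated: dead peers will not be torn down")
    return findings
```

Run against the client-side output above (Capabilities:C) it would additionally report the missing DPD, since the client did not negotiate keepalives.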
7) Testing PC-to-WEB connectivity
Ping the WEB server from the PC:
C:\Documents and Settings\cx>ping 192.168.1.244
Pinging 192.168.1.244 with 32 bytes of data:
Reply from 192.168.1.244: bytes=32 time=173ms TTL=127
Reply from 192.168.1.244: bytes=32 time=125ms TTL=127
Reply from 192.168.1.244: bytes=32 time=161ms TTL=127
Reply from 192.168.1.244: bytes=32 time=77ms TTL=127
Ping statistics for 192.168.1.244:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 77ms, Maximum = 173ms, Average = 134ms
Haha, it works! Next let's see whether the WEB page can be opened, as shown in the figure below:
What we just did was without XAUTH authentication, but Cisco now mainly promotes XAUTH; next let's look at how our configuration changes if XAUTH is enabled.
8) Easy VPN configuration (with XAUTH authentication)
Configuration steps on EZVPN-Server:
1. Configure XAUTH
aaa new-model
aaa authentication login lab-remote-access local
crypto isakmp xauth timeout 30
2. Create the IP address pool and the local user database
username cisco password cisco
ip local pool Remote-Pool 172.16.1.200 172.16.1.250
3. Configure group policy lookup
aaa authorization network vpn-group local
4. Create the ISAKMP policy for remote VPN client access
crypto isakmp enable
crypto isakmp policy 10
 authentication pre-share
 encr