Cisco remote-access VPN (easy VPN)配置

王朝other·作者佚名 2006-01-10

宽屏版字体: 小|中|大|超大

配置总流程图：

配置：

version 12.3

hostname 26_2

enable secret 5 $1$nGGG$pyIANu7.xaKKQXVPqq.Dh1

!定义本地数据库

username cisco password 0 cisco

!启动AAA

aaa new-model

--------------------------------------------------------------------------

!Xauth配置部分

aaa authentication login vpn-authen local

crypto isakmp xauth timeout 20

crypto map cisco client authentication list vpn-authen

--------------------------------------------------------------------------

!组策略配置部分

aaa authorization network vpn-author local

ip local pool vpn-pool 10.2.1.10 10.2.1.20

crypto map cisco client configuration address respond

crypto isakmp client configuration group mobile

key cisco

dns 10.2.1.5

domain cisco.com

pool vpn-pool

crypto map cisco isakmp authorization list vpn-author

--------------------------------------------------------------------------

!建立ISAKMP策略

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

hash sha

--------------------------------------------------------------------------

!设置转换集

crypto ipsec transform-set vpn-set esp-3des esp-sha-hmac

!用RRI建立动态加密映射

crypto dynamic-map vpn-dyn 10

set transform-set vpn-set

reverse-route

--------------------------------------------------------------------------

!将组策略、Xauth应用到动态映射

crypto map cisco 10 ipsec-isakmp dynamic vpn-dyn

--------------------------------------------------------------------------

interface FastEthernet0/0

ip address 10.2.1.1 255.255.255.0

duplex auto

speed auto

--------------------------------------------------------------------------

!加载map

interface Serial0/0

ip address 17.1.1.2 255.255.255.0

crypto map cisco

--------------------------------------------------------------------------

!打开IKE DPD（可选）

crypto isakmp keepalive 20 10