Router Easy VPN configuration
Configure AAA and IKE
R1(config)# aaa new-model
R1(config)# aaa authentication login benet-authen local
R1(config)# aaa authorization network benet-author local
R1(config)# username benet secret cisco
R1(config)# crypto isakmp policy 10
R1(config-isakmp)# encryption 3des
R1(config-isakmp)# hash sha
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# exit
Configure the group policy
R1(config)# ip local pool benet-pool 192.168.1.200 192.168.1.210
R1(config)# ip access-list extended split-acl
R1(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 any
R1(config-ext-nacl)# exit
R1(config)# crypto isakmp client configuration group test-group
R1(config-isakmp-group)# key benet-key
R1(config-isakmp-group)# pool benet-pool
R1(config-isakmp-group)# dns 192.168.1.10
R1(config-isakmp-group)# acl split-acl
R1(config-isakmp-group)# split-dns benet.com
R1(config-isakmp-group)# exit
Configure the crypto map and apply it
R1(config)# crypto ipsec transform-set benet-set esp-3des esp-sha-hmac
R1(cfg-crypto-tran)# exit
R1(config)# crypto dynamic-map benet-dymap 1
R1(config-crypto-m)# set transform-set benet-set
R1(config-crypto-m)# exit
R1(config)# crypto map benet-stamap 1000 ipsec-isakmp dynamic benet-dymap
R1(config)# crypto map benet-stamap client authentication list benet-authen
R1(config)# crypto map benet-stamap isakmp authorization list benet-author
R1(config)# crypto map benet-stamap client configuration address respond
R1(config)# int f0/1
R1(config-if)# crypto map benet-stamap
ASA Easy VPN configuration
XAUTH configuration
The firewall enables AAA by default, so you only need to create the username and password locally:
ASA(config)# username benet password cisco
Define the group policy
ASA(config)# ip local pool benet-pool 192.168.1.200-192.168.1.210
ASA(config)# group-policy test-group {internal|external}
ASA(config)# group-policy test-group attributes
ASA(config-group-policy)# dns-server value 192.168.1.10
ASA(config-group-policy)# address-pool value benet-pool
ASA(config-group-policy)# split-tunnel-policy tunnelspecified
ASA(config-group-policy)# split-tunnel-network-list value split-acl
ASA(config-group-policy)# split-dns benet.com
Default group policy on the firewall
ASA# show run all group-policy DfltGrpPolicy
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
ipv6-vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
Define the tunnel group
ASA(config)# ip local pool benet-pool 192.168.1.200-192.168.1.210
ASA(config)# tunnel-group benet-group type ipsec-ra
ASA(config)# tunnel-group benet-group general-attributes
ASA(config-general)# address-pool benet-pool
ASA(config-general)# default-group-policy test-group
ASA(config-general)# exit
ASA(config)# tunnel-group benet-group ipsec-attributes
ASA(config-ipsec)# pre-shared-key benet-key
Define the user group
ASA(config)# username benet attributes
ASA(config-username)# vpn-group-policy test-group
ASA(config-username)# vpn-tunnel-protocol [ipsec] [webvpn]
Configure IKE
ASA(config)# username benet password cisco
ASA(config)# crypto isakmp enable outside
ASA(config)# crypto isakmp policy 10
ASA(config-isakmp-policy)# encryption 3des
ASA(config-isakmp-policy)# hash sha
ASA(config-isakmp-policy)# authentication pre-share
ASA(config-isakmp-policy)# group 2
ASA(config-isakmp-policy)# exit
Configure the group policy and tunnel group
ASA(config)# ip local pool benet-pool 192.168.1.200-192.168.1.210
ASA(config)# access-list split-acl permit ip 192.168.1.0 255.255.255.0 any
ASA(config)# group-policy test-group internal
ASA(config)# group-policy test-group attributes
ASA(config-group-policy)# split-tunnel-policy tunnelspecified
ASA(config-group-policy)# split-tunnel-network-list value split-acl
ASA(config-group-policy)# exit
ASA(config)# tunnel-group benet-group type ipsec-ra
ASA(config)# tunnel-group benet-group general-attributes
ASA(config-tunnel-general)# address-pool benet-pool
ASA(config-tunnel-general)# default-group-policy test-group
ASA(config-tunnel-general)# exit
ASA(config)# tunnel-group benet-group ipsec-attributes
ASA(config-tunnel-ipsec)# pre-shared-key benet-key
ASA(config-tunnel-ipsec)# exit
Configure the crypto map and apply it
ASA(config)# crypto ipsec transform-set benet-set esp-3des esp-sha-hmac
ASA(config)# crypto dynamic-map benet-dymap 1 set transform-set benet-set
ASA(config)# crypto map benet-stamap 1000 ipsec-isakmp dynamic benet-dymap
ASA(config)# crypto map benet-stamap int outside
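The ISAKMP policy and transform set in both the router and ASA sections above use 3DES, SHA-1 and DH group 2, all of which Cisco now classifies as legacy algorithms. The following Python script is an added example and not part of the original notes: it parses prompt-stripped `crypto isakmp policy` blocks and `crypto ipsec transform-set` lines from a running config and reports these choices; the weakness table and the sample config are constructed for the demo.

```python
import re
# Constructed judgement table: parameter -> {value: why it should be replaced}
WEAK_ISAKMP = {
    "encryption": {"des": "DES (56-bit)", "3des": "3DES (64-bit block, deprecated)"},
    "hash": {"md5": "MD5 (broken)", "sha": "SHA-1 (deprecated; use sha256 or better)"},
    "group": {"1": "DH group 1 (768-bit)", "2": "DH group 2 (1024-bit, too small)"},
}
WEAK_TRANSFORMS = {"esp-des": "DES", "esp-3des": "3DES", "esp-md5-hmac": "MD5", "esp-sha-hmac": "SHA-1"}
def parse(config):
    """Return ({policy priority: {param: value}}, {transform-set name: [transforms]})."""
    policies, sets, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        pol = re.match(r"crypto isakmp policy (\d+)$", line)
        ts = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if pol:
            current = policies.setdefault(int(pol.group(1)), {})
        elif ts:
            sets[ts.group(1)], current = ts.group(2).split(), None
        elif not line or line.startswith(("crypto", "!")):
            current = None                  # any other top-level line ends the policy block
        elif current is not None:
            parts = line.split(None, 1)     # "hash sha" -> ("hash", "sha")
            if len(parts) == 2:
                current[parts[0]] = parts[1]
    return policies, sets

def audit(config):
    """List (location, value, reason) for every weak algorithm choice in config."""
    policies, sets = parse(config)
    findings = []
    for prio, params in sorted(policies.items()):
        for param, value in params.items():
            reason = WEAK_ISAKMP.get(param, {}).get(value)
            if reason:
                findings.append((f"isakmp policy {prio}", f"{param} {value}", reason))
    for name, transforms in sets.items():
        for t in transforms:
            if t in WEAK_TRANSFORMS:
                findings.append((f"transform-set {name}", t, WEAK_TRANSFORMS[t]))
    return findings

# Constructed sample (prompts removed) mirroring the values used in the notes above
SAMPLE = """\
crypto isakmp policy 10
 encryption 3des
 hash sha
 group 2
crypto ipsec transform-set benet-set esp-3des esp-sha-hmac
"""
```

Running `audit(SAMPLE)` returns five findings for this page's values; a policy using AES, SHA-256 and DH group 14 with a matching transform set returns none.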