Combined lab: L2L IPsec VPN and remote-access VPN on one router

Lab topology: (topology diagram not reproduced)

××× _VPN



Topology description:

R1 is the VPN server. R2 is the VPN server on the L2L (site-to-site) side, i.e. R1's L2L peer. R3 is the remote-access VPN client (hardware client). R4 is the gateway router in front of the software dial-in client. R5 is not used.

R1's outside address is 100.100.100.1 and its loopback is 192.168.1.1. R2's outside address is 100.100.100.2 and its loopback is 192.168.2.1. R3's outside address is 100.100.100.3 and its loopback is 192.168.3.1. R4's outside address is 100.100.100.4 and its f0/0 is 172.16.1.254. The PC's address is 172.16.1.1 with gateway 172.16.1.254.

Lab configuration:

R1 configuration (in the original post the L2L VPN lines, the remote-access VPN lines and the shared lines were distinguished by color, shared lines in bold; the inline // comments below mark which part each section belongs to):

aaa new-model
aaa authentication login AUTHEN local
aaa authorization network AUTHOR local
username new password 0 cisco
crypto keyring NEWCONF
  pre-shared-key address 100.100.100.2 255.255.255.0 key cisco
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group ×××   //remote VPN: group attributes
 key abc123,
 pool ×××POOL
 acl 100
crypto isakmp profile NEWPRO   //L2L VPN: isakmp profile
   keyring NEWCONF
   match identity address 100.100.100.2 255.255.255.0
crypto isakmp profile EZPRO    //remote VPN: isakmp profile
   match identity group ×××            //bind the client group
   client authentication list AUTHEN    //user authentication method
   isakmp authorization list AUTHOR
   client configuration address respond
!
!
crypto ipsec transform-set ×××SET esp-3des esp-md5-hmac
!
crypto dynamic-map DMAP 10  //remote VPN: dynamic crypto map
 set transform-set ×××SET
 set isakmp-profile EZPRO
 reverse-route
!
!
crypto map SMAP 10 ipsec-isakmp
 set peer 100.100.100.2
 set transform-set ×××SET
 set isakmp-profile NEWPRO
 match address ×××ACL
crypto map SMAP 20 ipsec-isakmp dynamic DMAP    //the dynamic map is attached to the static map, because only a static map can be applied to an interface; the dynamic entry's sequence number must be higher than the static entry's (20 > 10)
!
interface FastEthernet0/0
 crypto map SMAP
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip local pool ×××POOL 10.1.1.1 10.1.1.255
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
ip access-list extended ×××ACL
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any

R2 configuration:

crypto keyring NEWCONF
  pre-shared-key address 100.100.100.1 255.255.255.0 key cisco
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp profile NEWPRO
   keyring NEWCONF
   match identity address 100.100.100.1 255.255.255.0
!
crypto ipsec transform-set ×××SET esp-3des esp-md5-hmac
!
crypto map SMAP 10 ipsec-isakmp
 set peer 100.100.100.1
 set transform-set ×××SET
 set isakmp-profile NEWPRO
 match address ×××ACL
!
interface FastEthernet0/0
 crypto map SMAP
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip access-list extended ×××ACL
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
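The L2L side of this lab only comes up when the two peers agree on a few things that are easy to get wrong by hand: each side must hold the same pre-shared key for the other's address, the transform-set algorithms must match, the crypto ACLs must be mirror images of each other, and on R1 the dynamic crypto-map entry must carry a higher sequence number than the static one. The following script is an added example, not part of the lab write-up or any Cisco tool: it parses just the relevant lines of the R1 and R2 configurations above (embedded as input) and reports any disagreement. It assumes Python 3.8 or later; the constructed "bad" variant of R2 (wrong remote subnet in the crypto ACL) shows what a finding looks like. The transform-set check compares the algorithm lists, not the names, since names need not match between peers.

```python
# Added example (not the lab's own code): consistency lint for an IOS IPsec L2L pair.
# Assumes Python 3.8+ (walrus operator). Only the config lines the checks need are parsed.
import re

# Excerpts of the R1 and R2 configs from the write-up, embedded here as test input.
R1_CFG = """
crypto keyring NEWCONF
  pre-shared-key address 100.100.100.2 255.255.255.0 key cisco
crypto ipsec transform-set ×××SET esp-3des esp-md5-hmac
crypto map SMAP 10 ipsec-isakmp
 set peer 100.100.100.2
 set transform-set ×××SET
 match address ×××ACL
crypto map SMAP 20 ipsec-isakmp dynamic DMAP
ip access-list extended ×××ACL
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
R2_CFG = """
crypto keyring NEWCONF
  pre-shared-key address 100.100.100.1 255.255.255.0 key cisco
crypto ipsec transform-set ×××SET esp-3des esp-md5-hmac
crypto map SMAP 10 ipsec-isakmp
 set peer 100.100.100.1
 set transform-set ×××SET
 match address ×××ACL
ip access-list extended ×××ACL
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
# Constructed broken variant: R2's crypto ACL no longer mirrors R1's (wrong remote subnet).
R2_BAD_ACL = R2_CFG.replace("192.168.1.0 0.0.0.255", "192.168.5.0 0.0.0.255")


def parse_cfg(text):
    """Extract keyring PSKs, transform-sets, crypto maps and extended ACLs from IOS config text."""
    cfg = {"psk": {}, "ts": {}, "maps": {}, "acl": {}}
    entry = acl = None  # crypto-map entry / ACL currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # an unindented line starts a new top-level section
            entry = acl = None
        if (m := re.match(r"pre-shared-key address (\S+)(?: \S+)? key (\S+)", line)):
            cfg["psk"][m.group(1)] = m.group(2)
        elif (m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line)):
            cfg["ts"][m.group(1)] = set(m.group(2).split())
        elif (m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)", line)):
            cmap = cfg["maps"].setdefault(m.group(1), {"static": {}, "dynamic": {}})
            cmap["dynamic"][int(m.group(2))] = m.group(3)
        elif (m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", line)):
            cmap = cfg["maps"].setdefault(m.group(1), {"static": {}, "dynamic": {}})
            entry = cmap["static"].setdefault(int(m.group(2)), {})
        elif (m := re.match(r"ip access-list extended (\S+)", line)):
            acl = cfg["acl"].setdefault(m.group(1), [])
        elif entry is not None and (m := re.match(r"set (peer|transform-set) (\S+)", line)):
            entry[m.group(1)] = m.group(2)
        elif entry is not None and (m := re.match(r"match address (\S+)", line)):
            entry["acl"] = m.group(1)
        elif acl is not None and (m := re.match(r"permit ip (\S+ \S+) (\S+ \S+)", line)):
            acl.append((m.group(1), m.group(2)))  # (source net+wildcard, dest net+wildcard)
    return cfg


def _peer_entry(cfg, peer):
    """Static crypto-map entry whose 'set peer' is the given address, or None."""
    for cmap in cfg["maps"].values():
        for ent in cmap["static"].values():
            if ent.get("peer") == peer:
                return ent
    return None


def check_l2l_pair(a, a_addr, b, b_addr):
    """Return a list of findings for the L2L pair; an empty list means both sides agree."""
    out = []
    if a["psk"].get(b_addr) is None or a["psk"].get(b_addr) != b["psk"].get(a_addr):
        out.append("pre-shared key missing or mismatched between peers")
    ea, eb = _peer_entry(a, b_addr), _peer_entry(b, a_addr)
    if ea is None or eb is None:
        out.append("no static crypto map entry pointing at the peer")
        return out
    if a["ts"].get(ea.get("transform-set")) != b["ts"].get(eb.get("transform-set")):
        out.append("transform-set algorithms differ")
    acl_a = a["acl"].get(ea.get("acl"), [])
    acl_b = b["acl"].get(eb.get("acl"), [])
    mirrored = {(dst, src) for src, dst in acl_b}  # what B's ACL looks like from A's side
    if set(acl_a) != mirrored:
        out.append("crypto ACLs are not mirror images")
    return out


def check_dynamic_order(cfg, map_name):
    """True if every dynamic entry of the map has a higher sequence than every static entry."""
    cmap = cfg["maps"].get(map_name)
    if not cmap or not cmap["static"] or not cmap["dynamic"]:
        return True
    return min(cmap["dynamic"]) > max(cmap["static"])


if __name__ == "__main__":
    r1, r2 = parse_cfg(R1_CFG), parse_cfg(R2_CFG)
    print("R1<->R2:", check_l2l_pair(r1, "100.100.100.1", r2, "100.100.100.2") or "consistent")
    print("R1<->R2 (bad ACL):", check_l2l_pair(r1, "100.100.100.1", parse_cfg(R2_BAD_ACL), "100.100.100.2"))
    print("R1 SMAP dynamic entry after static entry:", check_dynamic_order(r1, "SMAP"))
```

The mirror check is deliberately strict (set equality of the reversed entries) because a one-sided extra permit is exactly the kind of mismatch that makes one direction of traffic fail to match a proxy identity during Quick Mode. The sequence-order check encodes the rule from the comment on R1's `crypto map SMAP 20` line: static entries are evaluated first, so the dynamic entry must come after them.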

R3 configuration:

crypto ipsec client ezvpn MY×××
 connect manual
 group ××× key abc123,
 mode client
 peer 100.100.100.1
interface Loopback0
 crypto ipsec client ezvpn MY××× inside
interface FastEthernet0/0
 crypto ipsec client ezvpn MY×××
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

R4 configuration:

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

Lab verification:

After the PC dials in, it can ping the VPN server's inside network:

C:\Documents and Settings\Administrator>ping  192.168.1.1

 

Pinging 192.168.1.1 with 32 bytes of data:

 

Reply from 192.168.1.1: bytes=32 time=149ms TTL=255

Reply from 192.168.1.1: bytes=32 time=29ms TTL=255

Reply from 192.168.1.1: bytes=32 time=27ms TTL=255

Reply from 192.168.1.1: bytes=32 time=31ms TTL=255

 

Ping statistics for 192.168.1.1:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 27ms, Maximum = 149ms, Average = 59ms

L2L VPN verification: the encrypted tunnel passes traffic in both directions

L2L#

L2L#ping 192.168.1.1 source lo0 repeat 10

 

Type escape sequence to abort.

Sending 10, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

Packet sent with a source address of 192.168.2.1

!!!!!!!!!!

Success rate is 100 percent (10/10), round-trip min/avg/max = 24/34/44 ms

L2L#sho crypto engine connections active

Crypto Engine Connections

 

   ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address

    3 Fa0/0      IPsec 3DES+MD5                  0       49 100.100.100.2

    4 Fa0/0      IPsec 3DES+MD5                 49        0 100.100.100.2

 1007 Fa0/0      IKE   MD5+DES                   0        0 100.100.100.2

Hardware client dial-in

×××client#  

×××client#ping 192.168.1.1 source lo0

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

Packet sent with a source address of 192.168.3.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 32/40/48 ms

×××client#sho crypto engine connections active

Crypto Engine Connections

 

   ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address

    1 Fa0/0      IPsec 3DES+MD5                  0       30 100.100.100.3

    2 Fa0/0      IPsec 3DES+MD5                 30        0 100.100.100.3

 1004 Fa0/0      IKE   MD5+DES                   0        0 100.100.100.3

VPN server verification

×××SERVER1#sho crypto engine connections active

Crypto Engine Connections

 

   ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address

    3 Fa0/0      IPsec 3DES+MD5                  0       49 100.100.100.1

    4 Fa0/0      IPsec 3DES+MD5                 49        0 100.100.100.1

    5 Fa0/0      IPsec 3DES+MD5                  0       29 100.100.100.1

    6 Fa0/0      IPsec 3DES+MD5                 31        0 100.100.100.1

    7 Fa0/0      IPsec 3DES+MD5                  0       30 100.100.100.1

    8 Fa0/0      IPsec 3DES+MD5                 30        0 100.100.100.1

 1011 Fa0/0      IKE   MD5+DES                   0        0 100.100.100.1

 1017 Fa0/0      IKE   MD5+DES                   0        0 100.100.100.1

 1019 Fa0/0      IKE   MD5+DES                   0        0 100.100.100.1

×××SERVER1#sho ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route

 

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

 

     100.0.0.0/24 is subnetted, 1 subnets

C       100.100.100.0 is directly connected, FastEthernet0/0

     10.0.0.0/32 is subnetted, 2 subnets

S       10.1.1.2 [1/0] via 100.100.100.3

S       10.1.1.1 [1/0] via 172.16.1.10

C    192.168.1.0/24 is directly connected, Loopback0

S*   0.0.0.0/0 is directly connected, FastEthernet0/0

×××SERVER1#ping 192.168.2.1 source lo0 repeat 10

 

Type escape sequence to abort.

Sending 10, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:

Packet sent with a source address of 192.168.1.1

!!!!!!!!!!

Success rate is 100 percent (10/10), round-trip min/avg/max = 28/36/68 ms

Note: the VPN server can reach the client's network only when the remote-access VPN is configured for network-extension mode. In client mode the VPN server learns only a single IP address from the client (the address assigned to it from the pool), whereas in network-extension mode the VPN server learns the client's inside network address.