1. Topology

   1.1 Logical topology
[Figure: logical topology]
   1.2 Lab topology (GNS3 + VMware Workstation (Win7))
[Figure: lab topology]
2. Router configuration
R3:
hostname Internet
interface FastEthernet0/0
ip address 192.168.100.3 255.255.255.0
no shutdown
interface FastEthernet0/1
ip address 100.1.1.1 255.255.255.0
no shutdown

R1:
hostname GW
! EZVPN Phase 1.5 (Xauth): user authentication is enabled, using the local database
aaa new-model
! recommended AAA policy for console login
aaa authentication login noacs line none
! authentication list named remote, method local
aaa authentication login remote local
! authorization list named remote, method local
aaa authorization network remote local
! local username and password
username user password 0 cisco
! Phase 1 policy
crypto isakmp policy 10
 hash md5
 authentication pre-share
 ! EZVPN requires DH group 2
 group 2
!
! central group policy named ipsecgroup, pushed to the client
crypto isakmp client configuration group ipsecgroup
 key cisco
 ! pool from which client addresses are assigned
 pool ippool
 ! enable split tunneling: only traffic to the listed subnet is encrypted
 acl Split-Tunnel
 ! let the client save the password (the "save password" option appears when connecting)
 save-password
 ! backup gateways; a hostname or an IP address is accepted
 backup-gateway www.ezvpn.org
 backup-gateway 100.1.1.4
! Phase 2: using an ISAKMP profile is recommended
crypto isakmp profile ipsecprofile
 ! match the group
 match identity group ipsecgroup
 ! authentication list
 client authentication list remote
 ! authorization list
 isakmp authorization list remote
 ! enable mode configuration; required
 client configuration address respond
!
!
! transform set
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto dynamic-map dymap 10
 set transform-set cisco
 set isakmp-profile ipsecprofile
 ! reverse route injection
 reverse-route
crypto map cisco 1000 ipsec-isakmp dynamic dymap
interface FastEthernet0/0
 ip address 192.168.200.1 255.255.255.0
 no shut
interface FastEthernet0/1
 ip address 100.1.1.2 255.255.255.0
 duplex auto
 speed auto
 crypto map cisco
 no shut
ip local pool ippool 123.1.1.100 123.1.1.200
ip route 0.0.0.0 0.0.0.0 100.1.1.1
! split-tunnel traffic: the source is the internal subnet the client will access
ip access-list extended Split-Tunnel
 permit ip 192.168.200.0 0.0.0.255 any
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 login authentication noacs
!
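As an added example (not part of the original post, and not a Cisco tool), the following Python script parses the relevant lines of the GW configuration above. It turns the Split-Tunnel ACL into the networks the gateway pushes to the client, decides for sample destinations whether the client would send them through the tunnel or directly to the Internet in the clear, counts the addresses in ippool, and flags the algorithm choices (single DES, MD5, DH group 2) that an auditor would want replaced. The configuration text embedded in the script is copied from this page; the function names and the sample destinations are my own.

```python
import ipaddress
import re

# Relevant lines of the GW (R1) configuration from this page, embedded here so the
# script runs offline; the leading-space indentation follows IOS sub-mode convention.
GW_CONFIG = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp client configuration group ipsecgroup
 key cisco
 pool ippool
 acl Split-Tunnel
 save-password
crypto ipsec transform-set cisco esp-des esp-md5-hmac
ip local pool ippool 123.1.1.100 123.1.1.200
ip access-list extended Split-Tunnel
 permit ip 192.168.200.0 0.0.0.255 any
"""


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'address wildcard' pair into a network; a wildcard is an inverted subnet mask."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def split_tunnel_networks(config: str, acl_name: str) -> list:
    """Networks protected by the split-tunnel ACL.

    For EZVPN the *source* of each permit entry is the internal subnet, and the
    gateway pushes exactly these networks to the client as its tunnel routes.
    Only the 'permit ip A WILDCARD ...' form is handled (the form used on this page).
    """
    networks = []
    in_acl = False
    for raw in config.splitlines():
        if raw.startswith("ip access-list extended "):
            in_acl = raw.split()[-1] == acl_name
            continue
        if in_acl and not raw.startswith(" "):
            in_acl = False  # left the ACL sub-mode
        if in_acl:
            m = re.match(r"\s*permit ip (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)\b", raw)
            if m:
                networks.append(wildcard_to_network(m.group(1), m.group(2)))
    return networks


def is_tunneled(dest: str, networks: list) -> bool:
    """Would a split-tunnel client send traffic for dest through the VPN?"""
    d = ipaddress.IPv4Address(dest)
    return any(d in net for net in networks)


def pool_size(config: str, pool_name: str) -> int:
    """Number of client addresses available in the named 'ip local pool'."""
    for raw in config.splitlines():
        m = re.match(rf"ip local pool {re.escape(pool_name)} (\S+) (\S+)", raw)
        if m:
            lo, hi = ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2))
            return int(hi) - int(lo) + 1
    return 0


def audit_weak_crypto(config: str) -> list:
    """Flag algorithm choices in the config that are no longer considered adequate."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("crypto ipsec transform-set") and "esp-des" in line.split():
            findings.append("transform-set uses single DES (56-bit key)")
        elif line == "hash md5":
            findings.append("ISAKMP policy uses MD5 for integrity")
        elif line == "group 2":
            findings.append("ISAKMP policy uses DH group 2 (1024-bit MODP)")
    return findings


if __name__ == "__main__":
    nets = split_tunnel_networks(GW_CONFIG, "Split-Tunnel")
    print("tunnel routes pushed to client:", [str(n) for n in nets])
    for dest in ("192.168.200.2", "100.1.1.1"):
        print(f"{dest}: {'via VPN' if is_tunneled(dest, nets) else 'direct, unencrypted'}")
    print("addresses in ippool:", pool_size(GW_CONFIG, "ippool"))
    for f in audit_weak_crypto(GW_CONFIG):
        print("WEAK:", f)
```

Running the script shows the trade-off that the split-tunnel screenshots later on this page illustrate: traffic to the internal server 192.168.200.2 is carried inside the tunnel, while traffic to 100.1.1.1 (the Internet router) leaves the client directly and unencrypted, because only the subnet listed in the Split-Tunnel ACL is routed through the VPN.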
R2:
hostname Server
interface FastEthernet0/0
ip address 192.168.200.2 255.255.255.0
no sh
exit

ip route 0.0.0.0 0.0.0.0 192.168.200.1


3. Windows 7 client
The Cisco VPN Client must be installed.
   3.1 IP configuration
[Figure: client IP configuration]
   3.2 VPN Client configuration
   After installation, an extra Cisco VPN virtual adapter appears under Network Connections. Open the client, choose "New", and configure it as shown in the figure; the password is the group key cisco defined on GW. Choose Save.

[Figure: new connection entry]

Select the newly created Beijing entry, then click Connect.
[Figure: connecting]
After the connection succeeds, check the client's IP (client IP information without split tunneling configured).
[Figure: client IP without split tunneling]
After the connection succeeds, check the client's IP (client IP information with split tunneling configured).
[Figure: client IP with split tunneling]
Click the VPN icon in the system tray to view the VPN traffic statistics.
[Figure: VPN traffic statistics]
Routing information after split tunneling is enabled (only the specific subnet is routed through the tunnel).
[Figure: routing table with split tunneling]
The client can now reach the internal network; enable the Telnet service on R3 and test it.
[Figure: telnet test]
Backup gateway screenshot:
[Figure: backup gateway]

VPN client software download: http://down.51cto.com/data/1228494