The following is excerpted from 《Cisco路由器配置与管理完全手册》(第二版) (Cisco Router Configuration and Management Complete Manual, 2nd edition), one of the best-selling "deluxe four-volume set" of network device books (the other three are 《Cisco交换机配置与管理完全手册》(第二版), 《H3C交换机配置与管理完全手册》(第二版) and 《H3C路由器配置与管理完全手册》(第二版)). The set currently costs only 236 yuan on JD.com (100 yuan off in total: 30 yuan off directly, then a further 70 yuan off with a coupon, about 54% of list price): http://item.jd.com/11299332.html. Dangdang also offers 30 yuan off directly: http://book.dangdang.com/20130730_aife

    From the working principle of the Easy VPN server described in Section 15.1.9, it follows that an Easy VPN server needs at least the following four configuration tasks (plus a number of optional tasks chosen according to the functions actually required):

- Establish the IKE policy used for IKE phase-1 device authentication: one or more proposals, each a combination of encryption algorithm, hash algorithm, authentication method and DH group type, together with the crypto map and transform-set entries an IKE policy needs, as introduced in Chapter 13 of this book.

- Configure the AAA policy used for IKE phase-2 Xauth extended user authentication: the AAA authentication, authorization and (optionally) accounting methods to be used.

- Configure the mode configuration push function: define the IPsec group or user attributes that can be pushed by mode configuration (including the internal local addresses to be pushed to Easy VPN clients), enable the mode configuration push function, and specify the push URL.

- Configure RRI (Reverse Route Injection): automatically create a static route for each internal IP address or subnet assigned to an Easy VPN client.


15.8.3 Cisco Easy VPN comprehensive configuration example

     The topology for this example is shown in Figure 15-15. A Cisco 831 router acts as the Easy VPN remote device and a Cisco 1751 router as the Easy VPN server. In this example the WAN interfaces of both the Cisco 1751 and the Cisco 831 have static public IP addresses. The Easy VPN remote Cisco 831 runs in Client mode and uses NAT/PAT to translate traffic coming from the Easy VPN client hosts; Xauth user authentication is performed on the Easy VPN server side.

Figure 15-15 Cisco Easy VPN configuration example topology

      In this example the Easy VPN remote Cisco 831 works in Client mode. Because this router series uses Ethernet0 as the NAT/PAT inside interface by default, there is no need to specify the NAT/PAT inside interface explicitly, nor to apply an additional Easy VPN remote configuration. The private network behind the Easy VPN remote is translated by NAT/PAT to the global IP address pushed by the Easy VPN server's mode configuration function. Because Client mode is used, only users on the VPN client network can reach the VPN server-side network; traffic initiated from the Easy VPN server towards the Cisco 831 router is not allowed.

1. Configuration of the Easy VPN remote Cisco 831 router

1) Basic global configuration.

Router(config)#hostname Cisco831

Cisco831(config)#enable password cisco

Cisco831(config)#username cisco password 0 cisco

Cisco831(config)#ip subnet-zero

Cisco831(config)#no ip domain-lookup

Cisco831(config)#ip domain-name cisco.com

Cisco831(config)#ip ssh time-out 120

Cisco831(config)#ip ssh authentication-retries 3

Cisco831(config)#ip classless

Cisco831(config)#ip route 0.0.0.0 0.0.0.0 Ethernet1  !--- default route out of the WAN interface

Cisco831(config)#ip route 30.30.30.0 255.255.255.0 Ethernet1  !--- static route out of the WAN interface to the private network behind the Easy VPN server

Cisco831(config)#ip http server

Cisco831(config)#ip pim bidir-enable

Cisco831(config)#line con 0

Cisco831(config-line)#exec-timeout 120 0

Cisco831(config-line)#stopbits 1

Cisco831(config-line)#exit

Cisco831(config)#line vty 0 4

Cisco831(config-line)#exec-timeout 0 0

Cisco831(config-line)#no login

Cisco831(config-line)#exit

2) DHCP server configuration (provides automatic IP address assignment for the Easy VPN client hosts).

Cisco831(config)#ip dhcp excluded-address 10.10.10.1

Cisco831(config)#ip dhcp pool CLIENT

Cisco831(dhcp-config)#import all

Cisco831(dhcp-config)#network 10.10.10.0 255.255.255.0

Cisco831(dhcp-config)#default-router 10.10.10.1

Cisco831(dhcp-config)#dns-server 30.30.30.60

Cisco831(dhcp-config)#exit

3) Easy VPN remote configuration.

Cisco831(config)#crypto ipsec client ezvpn hw-client

Cisco831(config-crypto-ezvpn)#group hw-client-groupname key hw-client-password

Cisco831(config-crypto-ezvpn)#mode client

Cisco831(config-crypto-ezvpn)#peer 20.20.20.2

Cisco831(config-crypto-ezvpn)#exit

Cisco831(config)#interface Ethernet0

Cisco831(config-if)#description connected to BRANCH LAN

Cisco831(config-if)#ip address 10.10.10.1 255.255.255.0

Cisco831(config-if)#no cdp enable

Cisco831(config-if)#exit

Cisco831(config)#interface Ethernet1

Cisco831(config-if)#description connected to INTERNET

Cisco831(config-if)#ip address 20.20.20.1 255.255.255.0

Cisco831(config-if)#no cdp enable

Cisco831(config-if)#crypto ipsec client ezvpn hw-client  !--- apply the Easy VPN remote configuration hw-client created above to the WAN interface, which is the NAT/PAT outside interface

Cisco831(config-if)#exit

The basic Easy VPN remote status can be viewed with the show crypto ipsec client ezvpn command.

Cisco831#show crypto ipsec client ezvpn

Current State: IPSEC_ACTIVE

Last Event: SOCKET_UP

Address: 30.30.30.2

Mask: 255.255.255.255

DNS Primary: 30.30.30.10

DNS Secondary: 30.30.30.11

NBMS/WINS Primary: 30.30.30.12

NBMS/WINS Secondary: 30.30.30.13

Default Domain: cisco.com

The parameters negotiated for the IPsec SA on the Easy VPN remote device can be viewed with the show crypto ipsec sa command.

Cisco831#show crypto ipsec sa

interface: Ethernet1

Crypto map tag: Ethernet1-head-0, local addr. 20.20.20.1

local ident (addr/mask/prot/port): (30.30.30.2/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

current_peer: 20.20.20.2

PERMIT, flags={origin_is_acl,}

#pkts encaps: 26, #pkts encrypt: 26, #pkts digest 26

#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 20.20.20.1, remote crypto endpt.: 20.20.20.2

path mtu 1500, media mtu 1500

current outbound spi: 7C1E9826

inbound esp sas:

spi: 0x54C859CF(1422416335)

transform: esp-3des esp-sha-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 2000, flow_id: 1, crypto map: Ethernet1-head-0

sa timing: remaining key lifetime (k/sec): (4607999/3404)

IV size: 8 bytes

replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x7C1E9826(2082379814)

transform: esp-3des esp-sha-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 2001, flow_id: 2, crypto map: Ethernet1-head-0

sa timing: remaining key lifetime (k/sec): (4607996/3395)

IV size: 8 bytes

replay detection support: Y

outbound ah sas:

outbound pcp sas:

2. Configuration of the Easy VPN server Cisco 1751V router

1) Basic global configuration.

Router(config)#hostname Cisco1751

Cisco1751(config)#ip classless

Cisco1751(config)#ip route 0.0.0.0 0.0.0.0 Ethernet0/0  !--- default route with the WAN interface Ethernet0/0 as outgoing interface

Cisco1751(config)#no ip http server

Cisco1751(config)#ip pim bidir-enable

Cisco1751(config)#no ip source-route  !--- do not process packets that carry the source-route option

Cisco1751(config)#line vty 0 4

Cisco1751(config-line)#password cisco

Cisco1751(config-line)#login

Cisco1751(config-line)#exit

2) Enable AAA lookup configuration.

Cisco1751(config)#aaa new-model

Cisco1751(config)#aaa authentication login userlist local  !--- define a login authentication AAA method list named userlist that uses the local authentication method

Cisco1751(config)#aaa authorization network hw-client-groupname local  !--- define a network authorization AAA method list named hw-client-groupname that uses the local authorization method

Cisco1751(config)#aaa session-id common

Cisco1751(config)#enable password cisco

Cisco1751(config)#username winda password 0 cisco  !--- the username and password used for local authentication

Cisco1751(config)#ip domain-name cisco.com

3) IKE policy configuration.

Cisco1751(config)#crypto isakmp policy 1

Cisco1751(config-isakmp)#encryption 3des

Cisco1751(config-isakmp)#authentication pre-share

Cisco1751(config-isakmp)#group 2

Cisco1751(config-isakmp)#exit

Cisco1751(config)#crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac

Cisco1751(config-crypto-trans)#exit

Cisco1751(config)#crypto dynamic-map dynmap 1

Cisco1751(config-crypto-map)#set transform-set transform-1

Cisco1751(config-crypto-map)#reverse-route

Cisco1751(config-crypto-map)#exit

4) Configure the mode configuration group policy information.

Cisco1751(config)#crypto isakmp client configuration group hw-client-groupname

Cisco1751(config-isakmp-group)#key hw-client-password

Cisco1751(config-isakmp-group)#dns 30.30.30.10 30.30.30.11

Cisco1751(config-isakmp-group)#wins 30.30.30.12 30.30.30.13

Cisco1751(config-isakmp-group)#domain cisco.com

Cisco1751(config-isakmp-group)#pool dynpool

Cisco1751(config-isakmp-group)#exit

Cisco1751(config)#crypto isakmp client configuration address-pool local dynpool  !--- specify that the local address pool pushed by the group configuration is the one named dynpool

Cisco1751(config)#ip local pool dynpool 30.30.30.20 30.30.30.30  !--- the pool of inside global IP addresses pushed to Easy VPN clients

5) Apply mode configuration and Xauth authentication.

Cisco1751(config)#crypto map dynmap client authentication list userlist

Cisco1751(config)#crypto map dynmap isakmp authorization list hw-client-groupname

Cisco1751(config)#crypto map dynmap client configuration address respond

Cisco1751(config)#crypto map dynmap 1 ipsec-isakmp dynamic dynmap

Cisco1751(config)#interface Ethernet0/0

Cisco1751(config-if)#description connected to INTERNET

Cisco1751(config-if)#ip address 20.20.20.2 255.255.255.0

Cisco1751(config-if)#half-duplex

Cisco1751(config-if)#no cdp enable

Cisco1751(config-if)#crypto map dynmap  !--- apply the dynamic crypto map named dynmap created in the IKE policy step above

Cisco1751(config-if)#exit

Cisco1751(config)#interface FastEthernet0/0

Cisco1751(config-if)#description connected to HQ LAN

Cisco1751(config-if)#ip address 30.30.30.1 255.255.255.0

Cisco1751(config-if)#speed auto

Cisco1751(config-if)#no cdp enable

Cisco1751(config-if)#exit

The parameters negotiated for the IPsec SA on the Easy VPN server side can likewise be viewed with the show crypto ipsec sa command. Overall the output is much the same as the IPsec SA negotiation parameters seen on the Easy VPN remote.

Cisco1751#show crypto ipsec sa

interface: Ethernet0/0

Crypto map tag: dynmap, local addr. 20.20.20.2

protected vrf:

local ident (addr/mask/prot/port): (30.30.30.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (30.30.30.20/255.255.255.255/0/0)

current_peer: 20.20.20.1:500

PERMIT, flags={}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

#pkts decaps: 13, #pkts decrypt: 13, #pkts verify 13

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 20.20.20.2, remote crypto endpt.: 20.20.20.1

path mtu 1500, media mtu 1500

current outbound spi: 239C766E

inbound esp sas:

spi: 0xE89E6649(3902694985)

transform: esp-3des esp-sha-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 200, flow_id: 1, crypto map: dynmap

sa timing: remaining key lifetime (k/sec): (4458452/3335)

IV size: 8 bytes

replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x239C766E(597456494)

transform: esp-3des esp-sha-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 201, flow_id: 2, crypto map: dynmap

sa timing: remaining key lifetime (k/sec): (4458454/3335)

IV size: 8 bytes

replay detection support: Y

outbound ah sas:

outbound pcp sas:

The show crypto engine connections active command displays a summary of the crypto engine's active connections. The leading number in each row is the corresponding connection ID.

Cisco1751#show crypto engine connections active

ID Interface IP-Address State Algorithm Encrypt Decrypt

1 Ethernet0/0 20.20.20.2 set HMAC_SHA+3DES_56_C 0 0

200 Ethernet0/0 20.20.20.2 set HMAC_SHA+3DES_56_C 0 538

201 Ethernet0/0 20.20.20.2 set HMAC_SHA+3DES_56_C 133 0
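The conn id values in the show crypto ipsec sa output (200 and 201 above) are the same IDs that appear in the first column of the crypto engine table, so the two outputs can be cross-checked. The following Python parser is an added example, not code from the book: it extracts the peer, packet counters and ESP SAs from the first output and the per-connection rows from the second, then reports SAs whose conn id is missing from the engine table, SAs negotiated with a legacy cipher such as 3DES, one-way traffic, and SAs close to rekey. The embedded sample text is a shortened, constructed copy of the server output shown above; the thresholds and function names are the example's own choices.

```python
"""Parse 'show crypto ipsec sa' and 'show crypto engine connections active'
output and run a few health checks on the IPsec SAs (added example, not from the book)."""
import re

# Constructed, shortened copy of the server-side output shown in the text.
SA_OUTPUT = """\
interface: Ethernet0/0
Crypto map tag: dynmap, local addr. 20.20.20.2
local ident (addr/mask/prot/port): (30.30.30.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (30.30.30.20/255.255.255.255/0/0)
current_peer: 20.20.20.1:500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 13, #pkts decrypt: 13, #pkts verify 13
current outbound spi: 239C766E
inbound esp sas:
spi: 0xE89E6649(3902694985)
transform: esp-3des esp-sha-hmac ,
slot: 0, conn id: 200, flow_id: 1, crypto map: dynmap
sa timing: remaining key lifetime (k/sec): (4458452/3335)
inbound ah sas:
outbound esp sas:
spi: 0x239C766E(597456494)
transform: esp-3des esp-sha-hmac ,
slot: 0, conn id: 201, flow_id: 2, crypto map: dynmap
sa timing: remaining key lifetime (k/sec): (4458454/3335)
"""

ENGINE_OUTPUT = """\
ID Interface IP-Address State Algorithm Encrypt Decrypt
1 Ethernet0/0 20.20.20.2 set HMAC_SHA+3DES_56_C 0 0
200 Ethernet0/0 20.20.20.2 set HMAC_SHA+3DES_56_C 0 538
201 Ethernet0/0 20.20.20.2 set HMAC_SHA+3DES_56_C 133 0
"""

LEGACY_CIPHERS = ("esp-des", "esp-3des", "esp-null")  # transforms the check flags as weak
REKEY_WARN_SEC = 300                                   # example threshold, not an IOS value


def parse_ipsec_sa(text):
    """Return the peer, packet counters and the list of ESP SAs found in the output."""
    info = {"peer": None, "encaps": 0, "decaps": 0, "sas": []}
    direction, current = None, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("current_peer:"):
            info["peer"] = line.split()[1].split(":")[0]      # drop a trailing :500 port
        elif line.startswith("#pkts encaps:"):
            info["encaps"] = int(re.search(r"encaps: (\d+)", line).group(1))
        elif line.startswith("#pkts decaps:"):
            info["decaps"] = int(re.search(r"decaps: (\d+)", line).group(1))
        elif line.endswith(" sas:"):                             # 'inbound esp sas:', 'outbound ah sas:' ...
            direction = line.split()[0] if " esp " in line else None
        elif line.startswith("spi:") and direction:
            current = {"direction": direction, "spi": line.split()[1].split("(")[0]}
            info["sas"].append(current)
        elif line.startswith("transform:") and current:
            current["transform"] = line[len("transform:"):].strip(" ,").split()
        elif "conn id:" in line and current:
            current["conn_id"] = int(re.search(r"conn id: (\d+)", line).group(1))
        elif line.startswith("sa timing:") and current:
            kb, sec = re.search(r"\((\d+)/(\d+)\)", line).groups()
            current["lifetime_kb"], current["lifetime_sec"] = int(kb), int(sec)
    return info


def parse_engine_connections(text):
    """Return {conn_id: (algorithm, encrypt_count, decrypt_count)} from the engine table."""
    conns = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 7 and parts[0].isdigit():
            conns[int(parts[0])] = (parts[4], int(parts[5]), int(parts[6]))
    return conns


def check_sas(sa_info, conns):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if sa_info["encaps"] == 0 and sa_info["decaps"] > 0:
        findings.append("one-way traffic: packets decapsulated but none encapsulated")
    for sa in sa_info["sas"]:
        label = f"{sa['direction']} SA {sa['spi']}"
        if sa.get("conn_id") not in conns:
            findings.append(f"{label}: conn id {sa.get('conn_id')} not in crypto engine table")
        weak = [t for t in sa.get("transform", []) if t in LEGACY_CIPHERS]
        if weak:
            findings.append(f"{label}: legacy cipher {' '.join(weak)} (prefer an AES transform)")
        if sa.get("lifetime_sec", 0) < REKEY_WARN_SEC:
            findings.append(f"{label}: key lifetime below {REKEY_WARN_SEC}s, rekey imminent")
    return findings


if __name__ == "__main__":
    for finding in check_sas(parse_ipsec_sa(SA_OUTPUT), parse_engine_connections(ENGINE_OUTPUT)):
        print(finding)
```

On the sample above the checks report the one-way counters (decaps without encaps) and the 3DES transform on both SAs; the conn ids 200 and 201 are found in the engine table, so no orphaned SA is reported.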