Internet configuration:

```
!
interface Ethernet0/0
 ip address 100.100.100.80 255.255.255.0
 half-duplex
!
router ospf 1
 network 0.0.0.0 255.255.255.255 area 0
```
ISP configuration:

```
!
interface Ethernet0/0
 ip address 200.200.200.1 255.255.255.0
 half-duplex
!
interface Ethernet0/1
 ip address 10.10.10.1 255.255.255.0
 half-duplex
!
interface Ethernet0/2
 ip address 100.100.100.1 255.255.255.0
 half-duplex
!
router ospf 1
 passive-interface Ethernet0/0
 passive-interface Ethernet0/1
 network 0.0.0.0 255.255.255.255 area 0
```
GW configuration:

```
!
aaa new-model
!
! Console/aux fallback: try the line password, then no authentication,
! so enabling aaa new-model cannot lock you out of the box
aaa authentication login noacs line none
! Authentication list used during the EzVPN XAUTH phase
aaa authentication login ezvpn-xauth local
! Authorization list used to push the EzVPN group attributes
aaa authorization network ezvpn-group local
!
! User account for the XAUTH phase (stored as clear text, type 0)
username user1 password 0 test123456
!
! IKE phase 1 (ISAKMP) policy
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
! EzVPN group and the policy pushed to its members
crypto isakmp client configuration group ezvpn-client
 key daupon
 dns 192.168.1.53
 pool ezvpn-pool
 acl 101
 save-password
 split-dns daupon.com
 max-users 10
 max-logins 10
 netmask 255.255.255.0
!
! ISAKMP profile: ties the group to the authentication/authorization lists
crypto isakmp profile ezvpn-isakmp-profile
! match peers that present the EzVPN group name
 match identity group ezvpn-client
! XAUTH authentication list
 client authentication list ezvpn-xauth
! group authorization list
 isakmp authorization list ezvpn-group
! answer the client's request for an IP address (mode config)
 client configuration address respond
! bind the profile to virtual template 1
 virtual-template 1
!
! IKE phase 2 transform set
crypto ipsec transform-set ezvpnset esp-des esp-md5-hmac
!
! IPsec profile: links the phase 1 policy and identity to the phase 2 policy
crypto ipsec profile ezvpn-ipsec-profile
! transform set to use
 set transform-set ezvpnset
! phase 1 policy to use
 set isakmp-profile ezvpn-isakmp-profile
!
interface Loopback1
 ip address 172.168.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 200.200.200.200 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
! Virtual template of tunnel type; a Virtual-Access interface is cloned from it per client
interface Virtual-Template1 type tunnel
! borrow the address of the loopback that carries the client subnet
 ip unnumbered Loopback1
! tunnel source interface
 tunnel source FastEthernet0/1
! IPsec-over-IPv4 mode; this is the key setting, and it is not the same as GRE mode
 tunnel mode ipsec ipv4
! every Virtual-Access interface cloned from this template is protected by the IPsec profile
 tunnel protection ipsec profile ezvpn-ipsec-profile
!
! Address pool handed out to EzVPN clients
ip local pool ezvpn-pool 172.168.1.100 172.168.1.150
ip route 0.0.0.0 0.0.0.0 200.200.200.1
!
ip nat inside source list 101 interface FastEthernet0/1 overload
!
! Serves two purposes: the split-tunnel ACL pushed to clients (networks reached
! through the tunnel) and the NAT source list for the LAN's Internet access
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
line con 0
 login authentication noacs
line aux 0
 login authentication noacs
```

Because access-list 101 is shared between split tunneling and NAT, any later change to the list of networks reachable through the tunnel also changes what gets translated on FastEthernet0/1; keep that in mind before editing it.
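The GW configuration above works, but several settings are weaker than a production deployment should accept: 3DES with MD5 and DH group 2 for phase 1, single DES with MD5 for phase 2, a type 0 (clear-text) XAUTH password, save-password letting the client cache that password on disk, and a console line that falls back to no authentication. The following fragment, added here as an example and not part of the original post, replaces those settings on the same device; it assumes an IOS 15.x image that supports AES-256, SHA-256 and DH group 14 (the legacy Cisco VPN Client negotiates only a limited set of DH groups, so verify that your client supports the group you choose before rolling this out). Note also that 172.168.1.0/24, used for Loopback1 and the client pool, is public address space (RFC 1918 space is 172.16.0.0/12); it is fine in a lab but should be replaced with a private range in production.

```cisco
! IKE phase 1: AES-256 / SHA-256 / DH group 14 instead of 3DES / MD5 / group 2
! (assumption: the EzVPN client supports group 14; fall back to group 5 if not)
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
! IKE phase 2: AES-256 with SHA-256 HMAC instead of single DES with MD5
crypto ipsec transform-set ezvpnset esp-aes 256 esp-sha256-hmac
!
! Do not let the client cache the XAUTH password locally
crypto isakmp client configuration group ezvpn-client
 no save-password
!
! Store the XAUTH password as a salted hash (secret) instead of clear text (password 0)
no username user1
username user1 secret test123456
!
! Only after confirming that user1 can log in on the console: require a local
! login on the console and aux lines instead of falling back to "none"
aaa authentication login noacs local
```

Apply the crypto changes first and let the clients reconnect; the transform set and ISAKMP policy are renegotiated on the next tunnel setup, so existing sessions keep the old algorithms until then. Change the noacs list last, from an active console session, so you can revert it if the local login does not work.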
Extension:

If remote users, once dialed in, must reach the Internet through the company network rather than directly, add the following to GW:

```
!
! Match traffic sourced from the dial-in client pool
access-list 102 permit ip 172.168.1.0 0.0.0.255 any
!
! Translate that traffic out of the WAN interface so clients reach the
! outside world through the company
ip nat inside source list 102 interface FastEthernet0/1 overload
!
! Remove the split-tunnel ACL from the group: all client traffic now goes through the tunnel
crypto isakmp client configuration group ezvpn-client
 no acl 101
!
! Mark the virtual template (and every Virtual-Access cloned from it) as NAT inside
interface Virtual-Template1 type tunnel
 ip nat inside
!
```

access-list 101 itself stays, because the NAT rule for the 192.168.1.0/24 LAN still references it; only the group's reference to it is removed. The split-tunnel attributes are pushed during mode config, so clients that are already connected keep their old split-tunnel policy until they reconnect and receive the new attributes and a freshly cloned Virtual-Access interface.
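To confirm that a client is connected and that its Internet traffic is actually taking the tunnel-and-NAT path, the following show commands, added here as an example and not part of the original post, check each stage on GW; they assume a client has already dialed in and generated some traffic, and the Virtual-Access interface number varies per session.

```cisco
! Phase 1 and phase 2 SAs: the client's public address should appear as the peer
show crypto isakmp sa
show crypto ipsec sa
! One line per active EzVPN session, with its Virtual-Access interface
show crypto session
! Which pool addresses are currently leased to clients
show ip local pool ezvpn-pool
! Virtual-Access interfaces cloned from Virtual-Template1
show ip interface brief | include Virtual-Access
! Client addresses being translated to 200.200.200.200 on FastEthernet0/1
show ip nat translations | include 172.168.1.
! Hit counts: 102 should increment for client Internet traffic,
! 101 for LAN traffic
show access-lists 101
show access-lists 102
```

If the SAs exist but the NAT table shows no 172.168.1.x entries, the usual cause is that the client reconnected before the virtual template was changed and its Virtual-Access interface was cloned without ip nat inside; clear the session and have the client reconnect.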