实验三:EzVPN DVTI

-------------------------------------------ASA------------------------------------------

! ASA sits between the two VPN peers: g0/Outside (security-level 0) faces R1, the
! EzVPN spoke at 202.100.1.1; g1/Inside (security-level 100) faces R2, the hub at 202.100.2.1.
ASA(config)# int g0

ASA(config-if)# nameif Outside

INFO: Security level for "Outside" set to 0 by default.

ASA(config-if)# ip add 202.100.1.10 255.255.255.0

ASA(config-if)# no sh

ASA(config-if)# int g1

ASA(config-if)# nameif Inside

INFO: Security level for "Inside" set to 100 by default.

ASA(config-if)# ip add 202.100.2.100 255.255.255.0

! NOTE(review): unlike g0 above, no "no shutdown" is shown for g1 in this transcript; confirm
! the Inside interface was actually enabled, otherwise nothing reaches the hub through the ASA.
! NOTE(review): R2's default route in the hub section points at 202.100.2.10, not at this
! .100 address; one of the two looks like a typo (R1 uses the matching .10 on the Outside side).
!

! Inbound filter on Outside. The intent is to admit only the spoke's IKE (udp/500) and ESP
! traffic toward the hub, which is what the two "extended" entries express.
! NOTE(review): the first entry, "permit ip any any", is evaluated before them and matches
! everything, so the two specific entries never take effect and the ASA currently filters
! nothing on Outside. Removing the any/any entry enforces the VPN-only policy; the return
! direction (Inside -> Outside) is already allowed by the higher security level.
! The transcript shows no NAT between the peers; if one were introduced, udp/4500 (NAT-T)
! would also have to be permitted here.
ASA(config)# access-list out ex permit ip any any

ASA(config)# access-list out extended permit udp host 202.100.1.1 eq isakmp host 202.100.2.1 eq isakmp

ASA(config)# access-list out extended permit esp host 202.100.1.1 host 202.100.2.1

ASA(config)# access-group out in int Outside

------------------------------------R2(EzVPN HUB)----------------------------------

! R2 is the EzVPN hub (server). f2/0 is the underlay toward the ASA; lo0 and lo1 are the
! internal networks that will be offered to spokes through the split-tunnel ACL at the end.
R2(config)#int f2/0

R2(config-if)#ip add 202.100.2.1 255.255.255.0

R2(config-if)#no sh

R2(config-if)#int lo 0

R2(config-if)#ip add 192.168.1.2 255.255.255.0

R2(config-if)#int lo 1

R2(config-if)#ip add 172.16.1.1 255.255.255.0

!

! NOTE(review): the next hop 202.100.2.10 does not match the ASA Inside address shown in the
! ASA section (202.100.2.100); confirm which side is the typo, or return traffic to R1 is lost.
R2(config)#ip route 0.0.0.0 0.0.0.0 202.100.2.10

!

! AAA is required for Xauth and group authorization below. Enabling it also puts the console
! under AAA, so a "none" method list is bound to line con 0 first to avoid locking the lab
! console out (no local user exists yet at this point of the transcript). Lab convenience only.
R2(config)#aaa new-model

!

R2(config)#aaa authentication login xxbh line none

R2(config)#line con 0

R2(config-line)#login authentication xxbh

!

! IKE phase 1 policy. No "hash" is set here, so the IOS default (SHA-1) applies; R1 sets
! "hash sha" explicitly, so the two sides match. 3DES and DH group 2 are legacy choices
! kept for the lab; production builds would use AES and a larger group.
R2(config)#crypto isakmp policy 10

R2(config-isakmp)#encryption 3des

R2(config-isakmp)#authentication pre-share

R2(config-isakmp)#group 2

!

! EzVPN group definition ("config" here is the abbreviated form of "configuration"; the same
! group is re-entered twice further down to add the pool and the split-tunnel ACL).
! "key cisco" is the group pre-shared key that R1 supplies with "group qytanggroup key cisco".
! "save-password" allows the spoke to keep its Xauth password, which is what lets R1's stored
! "username ... pass cisco" work without an interactive prompt; it also means the credential
! lives in the spoke's configuration.
R2(config)#crypto isakmp client config group qytanggroup

R2(config-isakmp-group)#key cisco

R2(config-isakmp-group)#save-password

!

! Xauth user authentication against the local user database.
! NOTE(review): "pass" (password) stores the credential reversibly; "secret" would store a hash.
R2(config)#aaa authentication login ezvpn local

R2(config)#username qytangccies pass cisco

!

! Group authorization (mode-config attributes such as pool and split-tunnel ACL) from the
! local group definition, and the address pool handed to clients.
R2(config)#aaa authorization network ezvpn local

R2(config)#ip local pool ippool 123.1.1.100 123.1.1.200

!

R2(config)#crypto isakmp client configuration group qytanggroup

R2(config-isakmp-group)#pool ippool

!

! ISAKMP profile tying the group to its AAA lists and to the DVTI template:
!   match identity group   - applies to peers presenting this group identity
!   client configuration address respond - hands out an address only when the client asks
!   client authentication list / isakmp authorization list - Xauth and group authorization
!   virtual-template 100   - each spoke gets its own virtual-access interface cloned from it
R2(config)#crypto isakmp profile ezprof.isa

R2(conf-isa-prof)#match identity group qytanggroup

R2(conf-isa-prof)#client configuration address respond

R2(conf-isa-prof)#client authentication list ezvpn

R2(conf-isa-prof)#isakmp authorization list ezvpn

R2(conf-isa-prof)#virtual-template 100

!

! IPsec phase 2 proposal and the profile that binds it to the ISAKMP profile above.
R2(config)#crypto ipsec transform-set ezset esp-3des esp-sha-hmac

!

R2(config)#crypto ipsec profile ezprof.ips

R2(ipsec-profile)#set transform-set ezset

R2(ipsec-profile)#set isakmp-profile ezprof.isa

!

! DVTI template: borrows f2/0's address, sources the tunnel from f2/0, runs IPsec directly as
! the tunnel mode and protects it with the IPsec profile.
R2(config)#int virtual-template 100 type tunnel

R2(config-if)#ip unnumbered f2/0

R2(config-if)#tunnel source f2/0

R2(config-if)#tunnel mode ipsec ipv4

R2(config-if)#tunnel protection ipsec profile ezprof.ips

!

! Split-tunnel ACL pushed to the spoke: only traffic to the two loopback networks is sent
! through the tunnel; everything else leaves the spoke unencrypted via its default route.
R2(config)#ip access-list extended split-tunnel

R2(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 any

R2(config-ext-nacl)#permit ip 172.16.1.0 0.0.0.255 any

R2(config)#crypto isakmp client configuration group qytanggroup

R2(config-isakmp-group)#acl split-tunnel

-----------------------------------R1(EzVPN spoke)--------------------------------

! R1 is the EzVPN spoke (client). f1/0 is the outside/underlay interface toward the ASA;
! lo0 (1.1.1.1/32) is the inside network it will extend to the hub.
R1(config)#int f1/0

R1(config-if)#ip add 202.100.1.1 255.255.255.0

R1(config-if)#no sh

R1(config-if)#int lo 0

R1(config-if)#ip add 1.1.1.1 255.255.255.255

!

R1(config)#ip route 0.0.0.0 0.0.0.0 202.100.1.10

!

! IKE phase 1 policy; must match R2's (3des / pre-share / group 2 / sha). "hash sha" is the
! IOS default and is only spelled out here.
R1(config)#crypto isakmp policy 10

R1(config-isakmp)#encryption 3des

R1(config-isakmp)#authentication pre-share

R1(config-isakmp)#group 2

R1(config-isakmp)#hash sha

!

! Client-side virtual tunnel interface, referenced by "virtual-interface 100" in the profile.
R1(config)#int virtual-template 100 type tunnel

R1(config-if)#ip unnumbered f1/0

!

! EzVPN client profile:
!   connect auto          - tunnel is brought up without "crypto ipsec client ezvpn connect"
!   group / key           - must match the hub's group name and group pre-shared key
!   mode network-extension - the inside network (lo0) is presented to the hub as-is
!                            rather than hidden behind a pool address
!   peer                  - R2's f2/0 address
!   username / xauth userid mode local - Xauth credentials are stored in the config, so no
!                            interactive "xauth" step is needed; this relies on the hub's
!                            "save-password" attribute (see R2 section)
R1(config)#crypto ipsec client ezvpn ezprof

R1(config-crypto-ezvpn)#connect auto  

R1(config-crypto-ezvpn)#group qytanggroup key cisco

R1(config-crypto-ezvpn)#mode network-extension

R1(config-crypto-ezvpn)#peer 202.100.2.1

R1(config-crypto-ezvpn)#virtual-interface 100

R1(config-crypto-ezvpn)#username qytangccies pass cisco

R1(config-crypto-ezvpn)#xauth userid mode local

!

! Bind the profile: f1/0 is the outside interface, lo0 is marked as the inside network.
R1(config)#int f1/0

R1(config-if)#crypto ipsec client ezvpn ezprof

R1(config)#int lo 0

R1(config-if)#crypto ipsec client ezvpn ezprof inside

测试:

若 EzVPN 客户端配置为 connect manual，则需手动发起连接：

! Only needed when the profile uses "connect manual"; with "connect auto" (as configured
! above) the tunnel is initiated by itself.
R1#crypto ipsec client ezvpn connect

! Enters the Xauth username/password interactively; not needed when the profile stores
! them ("username ... pass" with "xauth userid mode local").
R1#crypto ipsec client ezvpn xauth