VPN Configuration Examples

1. PIX to PIX

PIX Central
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix-central
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
!--- This is traffic to PIX 2.
access-list 120 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
!--- This is traffic to PIX 3.
access-list 130 permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
!--- Do not do Network Address Translation (NAT) on traffic to other PIXes.
access-list 100 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list 100 permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 172.18.124.153 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
!--- Do not do NAT on traffic to other PIXes.
nat (inside) 0 access-list 100
route outside 0.0.0.0 0.0.0.0 172.18.124.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
!--- This is traffic to PIX 2.
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address 120
crypto map newmap 20 set peer 172.18.124.154
crypto map newmap 20 set transform-set myset
!--- This is traffic to PIX 3.
crypto map newmap 30 ipsec-isakmp
crypto map newmap 30 match address 130
crypto map newmap 30 set peer 172.18.124.157
crypto map newmap 30 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 172.18.124.154 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 172.18.124.157 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
PIX 2
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix2
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
!--- This is traffic to PIX Central.
access-list 110 permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
!--- Do not do NAT on traffic to PIX Central.
access-list 100 permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 172.18.124.154 255.255.255.0
ip address inside 10.2.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 14400
!--- Do not do NAT on traffic to PIX Central.
nat (inside) 0 access-list 100
route outside 0.0.0.0 0.0.0.0 172.18.124.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
!--- This is traffic to PIX Central.
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
crypto map newmap 10 set peer 172.18.124.153
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 172.18.124.153 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
PIX 3 Configuration
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix3
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
!--- This is traffic to PIX Central.
access-list 110 permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
!--- Do not do NAT on traffic to PIX Central.
access-list 100 permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 172.18.124.157 255.255.255.0
ip address inside 10.3.3.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 14400
!--- Do not do NAT on traffic to PIX Central.
nat (inside) 0 access-list 100
route outside 0.0.0.0 0.0.0.0 172.18.124.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
!--- This is traffic to PIX Central.
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
crypto map newmap 10 set peer 172.18.124.153
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 172.18.124.153 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:aa3bbd8c6275d214b153e1e0bc0173e4
: end
2. Router-to-Router VPN Configuration:

Hub Router
2503#show running-config
Building configuration...
Current configuration : 1466 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log uptime
no service password-encryption
!
hostname 2503
!
!
ip subnet-zero
!
!
!--- Configuration for IKE policies.
crypto isakmp policy 10
!--- Enables the IKE policy configuration (config-isakmp)
!--- command mode, where you can specify the parameters that
!--- are used during an IKE negotiation.
hash md5
authentication pre-share
crypto isakmp key cisco123 address 200.1.2.1
crypto isakmp key cisco123 address 200.1.3.1
!--- Specifies the preshared key "cisco123" which should
!--- be identical at both peers. This is a global
!--- configuration mode command.
!
!--- Configuration for IPSec policies.
crypto ipsec transform-set myset esp-des esp-md5-hmac
!--- Enables the crypto transform configuration mode,
!--- where you can specify the transform sets that are used
!--- during an IPSec negotiation.
!
crypto map mymap 10 ipsec-isakmp
!--- Indicates that IKE is used to establish
!--- the IPSec security association for protecting the
!--- traffic specified by this crypto map entry.
set peer 200.1.2.1
!--- Sets the IP address of the remote end.
set transform-set myset
!--- Configures IPSec to use the transform-set
!--- "myset" defined earlier in this configuration.
match address 110
!--- Specifies the traffic to be encrypted.
crypto map mymap 20 ipsec-isakmp
set peer 200.1.3.1
set transform-set myset
match address 120
!
!
!
!
interface Loopback0
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0
ip address 200.1.1.1 255.255.255.0
no ip route-cache
!--- You must enable process switching for IPSec
!--- to encrypt outgoing packets. This command disables fast switching.
no ip mroute-cache
crypto map mymap
!--- Configures the interface to use the
!--- crypto map "mymap" for IPSec.
!
!--- Output suppressed.
ip classless
ip route 172.16.1.0 255.255.255.0 Ethernet0
ip route 192.168.1.0 255.255.255.0 Ethernet0
ip route 200.1.0.0 255.255.0.0 Ethernet0
ip http server
!
access-list 110 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 120 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!--- This crypto ACL-permit identifies the
!--- matching traffic flows to be protected via encryption.
Spoke 1 Router
2509a#show running-config
Building configuration...
Current configuration : 1203 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log uptime
no service password-encryption
!
hostname 2509a
!
enable secret 5 $1$DOX3$rIrxEnTVTw/7LNbxi.akz0
!
ip subnet-zero
no ip domain-lookup
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address 200.1.1.1
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 200.1.1.1
set transform-set myset
match address 110
!
!
!
!
interface Loopback0
ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0
ip address 200.1.2.1 255.255.255.0
no ip route-cache
no ip mroute-cache
crypto map mymap
!
.
.
!--- Output suppressed.
.
.
ip classless
ip route 10.1.1.0 255.255.255.0 Ethernet0
ip route 192.168.1.0 255.255.255.0 Ethernet0
ip route 200.1.0.0 255.255.0.0 Ethernet0
no ip http server
!
access-list 110 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!
end
2509a#
Spoke 2 Router
VPN2509#show running-config
Building configuration...
Current configuration : 1117 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log uptime
service password-encryption
!
hostname VPN2509
!
!
ip subnet-zero
no ip domain-lookup
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address 200.1.1.1
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 200.1.1.1
set transform-set myset
match address 120
!
!
!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0
ip address 200.1.3.1 255.255.255.0
!--- No ip route-cache.
no ip mroute-cache
crypto map mymap
!
.
.
!--- Output suppressed.
.
.
ip classless
ip route 10.1.1.0 255.255.255.0 Ethernet0
ip route 172.16.0.0 255.255.0.0 Ethernet0
ip route 200.1.0.0 255.255.0.0 Ethernet0
no ip http server
!
access-list 120 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
!
end
VPN2509#
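Both the PIX example (section 1) and the router example (section 2) stand or fall on two things: each peer's crypto ACL must be the exact mirror of its counterpart's (PIX Central's ACL 120 against PIX 2's ACL 110, the hub's ACL 110 against Spoke 1's), and the ISAKMP policy and transform set are where the weak choices (DES, MD5, DH group 1) sit. The following added Python audit checks both; it is example code written for this page, not Cisco's, the HUB_CFG/SPOKE1_CFG strings are constructed excerpts of the section 2 listings, and it assumes IOS sub-mode lines are indented one space as show running-config prints them (the listings above lost that indentation) and that an IOS ISAKMP policy with no encr or group line defaults to DES and group 1.

```python
import re

# Constructed sample from the router-to-router example: hub ISAKMP policy,
# transform set and crypto ACL 110, plus Spoke 1's mirrored ACL 110.
HUB_CFG = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto ipsec transform-set myset esp-des esp-md5-hmac
access-list 110 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
"""
SPOKE1_CFG = """\
access-list 110 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

ACL_RE = re.compile(r"^access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$")
# Explicit weak choices, in IOS (" hash md5") or PIX ("isakmp policy 10 hash md5") syntax.
WEAK_RE = re.compile(r"\b(hash md5|encr(?:yption)? des|group 1|esp-des|esp-md5-hmac)\b")

def parse_crypto_acl(cfg, acl_id):
    """(src, mask, dst, mask) tuples of one numbered ACL; IOS wildcards or PIX netmasks."""
    flows = []
    for line in cfg.splitlines():
        m = ACL_RE.match(" ".join(line.split()))  # normalise whitespace first
        if m and m.group(1) == acl_id:
            flows.append(m.groups()[1:])
    return flows

def mirror_mismatches(local, remote):
    """Flows in 'local' whose src/dst swap is absent from 'remote': the classic
    cause of a LAN-to-LAN tunnel that only comes up when one side initiates."""
    mirrored = {(d, dw, s, sw) for (s, sw, d, dw) in remote}
    return sorted(set(local) - mirrored)

def weak_crypto(cfg):
    """Flag DES / MD5 / DH group 1 wherever written, plus IOS ISAKMP policies that
    omit 'encr' or 'group' and so inherit the DES and group 1 defaults (assumed)."""
    findings, policy, seen = [], None, set()
    def close_policy():
        for kw, default in (("encr", "DES"), ("group", "DH group 1")):
            if policy and kw not in seen:
                findings.append(f"isakmp policy {policy}: no {kw} line, defaults to {default}")
    for line in cfg.splitlines() + [""]:  # "" sentinel closes the last block
        t = " ".join(line.split())
        findings.extend(f"{t}: uses {w}" for w in WEAK_RE.findall(t))
        if t.startswith("crypto isakmp policy "):
            close_policy()
            policy, seen = t.split()[-1], set()
        elif policy and not line.startswith(" "):  # left the indented policy block
            close_policy()
            policy = None
        elif policy and t:
            seen.add("encr" if t.startswith("encr") else t.split()[0])
    return findings
```

Run against the hub listing, the audit reports MD5, ESP-DES and ESP-MD5-HMAC explicitly and the DES / group 1 defaults of policy 10 implicitly; the ACL mirror check comes back clean for hub and Spoke 1.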
3. Router-to-Router VPN and Router-to-VPN Client VPN:

Cisco 2611 Router
vpn2611#show run
Building configuration...
Current configuration : 2265 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname vpn2611
!
!--- Enable aaa for user authentication
!--- and group authorization.
aaa new-model
!
!
!--- To enable X-Auth for user authentication,
!--- enable the aaa authentication commands.
aaa authentication login userauthen local
!--- To enable group authorization, enable
!--- the aaa authorization commands.
aaa authorization network groupauthor local
aaa session-id common
!
!--- For local authentication of the IPSec user,
!--- create the user with password.
username cisco password 0 cisco
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
!--- Create an Internet Security Association and
!--- Key Management Protocol (ISAKMP)
!--- policy for Phase 1 negotiations for the VPN 3.x clients.
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
!--- Create an ISAKMP policy for Phase 1
!--- negotiations for the LAN-to-LAN tunnels.
crypto isakmp policy 10
hash md5
authentication pre-share
!--- Specify the PreShared key for the LAN-to-LAN tunnel.
!--- Make sure that you use
!--- no-xauth parameter with your ISAKMP key.
crypto isakmp key cisco123 address 172.18.124.199 no-xauth
!!
!--- Create a group that will be used to
!--- specify the WINS, DNS servers' address
!--- to the client, along with the pre-shared
!--- key for authentication.
crypto isakmp client configuration group 3000client
key cisco123
dns 10.10.10.10
wins 10.10.10.20
domain cisco.com
pool ippool
!!
!
!--- Create the Phase 2 Policy for actual data encryption.
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
!--- Create a dynamic map and apply
!--- the transform set that was created above.
crypto dynamic-map dynmap 10
set transform-set myset
!
!
!--- Create the actual crypto map, and
!--- apply the aaa lists that were created
!--- earlier. Also create a new instance for your
!--- LAN-to-LAN tunnel. Specify the peer IP address,
!--- transform set and an Access Control List (ACL) for this
!--- instance.
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 1 ipsec-isakmp
set peer 172.18.124.199
set transform-set myset
match address 100
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
fax interface-type fax-mail
mta receive maximum-recipients 0
!
!
!--- Apply the crypto map on the outside interface.
interface Ethernet0/0
ip address 172.18.124.159 255.255.255.0
half-duplex
crypto map clientmap
!
interface Serial0/0
no ip address
shutdown
!
interface Ethernet0/1
ip address 10.10.10.1 255.255.255.0
no keepalive
half-duplex
!
!
!--- Create a pool of addresses to be
!--- assigned to the VPN Clients.
ip local pool ippool 14.1.1.100 14.1.1.200
ip classless
ip route 0.0.0.0 0.0.0.0 172.18.124.1
ip http server
ip pim bidir-enable
!
!
!--- Create an ACL for the traffic
!--- to be encrypted. In this example,
!--- the traffic from 10.10.10.0/24 to 10.10.20.0/24
!--- would be encrypted.
access-list 100 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
!
!
snmp-server community foobar RO
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
!
!
end
Configuring the 3640 Router
Cisco 3640 Router
vpn3640#show run
Building configuration...
Current configuration : 1287 bytes
!
! Last configuration change at 13:47:37 UTC Wed Mar 6 2002
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname vpn3640
!
!
ip subnet-zero
ip cef
!
!--- Create an ISAKMP policy for Phase 1
!--- negotiations for the LAN-to-LAN tunnels.
crypto isakmp policy 10
hash md5
authentication pre-share
!--- Specify the PreShared key for the LAN-to-LAN
!--- tunnel. You do not have to add
!--- X-Auth parameter, as this
!--- router is not doing Cisco Unity Client IPSEC
!--- authentication.
crypto isakmp key cisco123 address 172.18.124.159
!
!
!--- Create the Phase 2 Policy for actual data encryption.
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
!--- Create the actual crypto map. Specify
!--- the peer IP address, transform
!--- set and an ACL for this instance.
crypto map mymap 10 ipsec-isakmp
set peer 172.18.124.159
set transform-set myset
match address 100
!
call RSVP-sync
!
!
!
!--- Apply the crypto map on the outside interface.
interface Ethernet0/0
ip address 172.18.124.199 255.255.255.0
half-duplex
crypto map mymap
!
interface Ethernet0/1
ip address 10.10.20.1 255.255.255.0
half-duplex
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.18.124.1
ip http server
ip pim bidir-enable
!
!--- Create an ACL for the traffic to
!--- be encrypted. In this example,
!--- the traffic from 10.10.20.0/24 to 10.10.10.0/24
!--- would be encrypted.
access-list 100 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
snmp-server community foobar RO
!
dial-peer cor custom
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
login
!
end