Configuring IPsec Router-to-Router with NAT Overload and Cisco Secure VPN Client

Contents

Introduction
Prerequisites
   Requirements
   Components Used
   Conventions
Configure
   Network Diagram
   Configurations
Verify
Troubleshoot
   Troubleshooting Commands
Related Information

Introduction

This sample configuration encrypts traffic from the network behind Light to the network behind House (the 192.168.100.x and 192.168.200.x networks). Network Address Translation (NAT) overload is also performed. Encrypted VPN client connections into Light are allowed, using a wildcard pre-shared key and mode configuration. Traffic sent to the Internet is translated but not encrypted.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

- Cisco IOS Software Releases 12.2.7 and 12.2.8T
- Cisco Secure VPN Client 1.1 (shown as 2.1.12 in the Help > About menu of the IRE client)
- Cisco 3600 router

Note: If a Cisco 2600 series router is used for this VPN scenario, the router must have a crypto IPsec VPN IOS image installed.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Configure

This section presents the information needed to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) to find more information on the commands used in this document.

Network Diagram

This document uses this network setup.

Configurations

This document uses these configurations:

- Light configuration
- House configuration
- VPN client configuration

Light configuration

Current configuration : 2047 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Light
!
boot system flash:c3660-ik9o3s-mz.122-8T
!
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
!--- IPsec Internet Security Association and
!--- Key Management Protocol (ISAKMP) policy.

crypto isakmp policy 5
 hash md5
 authentication pre-share

!--- ISAKMP key for the static LAN-to-LAN tunnel
!--- without extended authentication (xauth).

crypto isakmp key cisco123 address 10.64.10.45 no-xauth

!--- ISAKMP key for the dynamic VPN Client.

crypto isakmp key 123cisco address 0.0.0.0 0.0.0.0

!--- Assign the IP address to the VPN Client.

crypto isakmp client configuration address-pool local test-pool
!
!
!
crypto ipsec transform-set testset esp-des esp-md5-hmac
!
crypto dynamic-map test-dynamic 10
 set transform-set testset
!
!
!--- VPN Client mode configuration negotiation,
!--- such as IP address assignment and xauth.

crypto map test client configuration address initiate
crypto map test client configuration address respond

!--- Static crypto map for the LAN-to-LAN tunnel.

crypto map test 5 ipsec-isakmp
 set peer 10.64.10.45
 set transform-set testset

!--- Include the private network-to-private network traffic
!--- in the encryption process.

 match address 115

!--- Dynamic crypto map for the VPN Client.

crypto map test 10 ipsec-isakmp dynamic test-dynamic
!
call rsvp-sync
!
!
!
!
!
fax interface-type modem
mta receive maximum-recipients 0
!
controller E1 2/0
!
!
!
interface FastEthernet0/0
 ip address 10.64.10.44 255.255.255.224
 ip nat outside
 duplex auto
 speed auto
 crypto map test
!
interface FastEthernet0/1
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface BRI4/0
 no ip address
 shutdown
!
interface BRI4/1
 no ip address
 shutdown
!
interface BRI4/2
 no ip address
 shutdown
!
interface BRI4/3
 no ip address
 shutdown
!
!--- Define the IP address pool for the VPN Client.

ip local pool test-pool 192.168.1.1 192.168.1.254

!--- Exclude the private network and VPN Client
!--- traffic from the NAT process.

ip nat inside source route-map nonat interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.64.10.33
ip http server
ip pim bidir-enable

!--- Exclude the private network and VPN Client
!--- traffic from the NAT process.

access-list 110 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 110 deny ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.100.0 0.0.0.255 any

!--- Include the private network-to-private network traffic
!--- in the encryption process.

access-list 115 permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
!
!--- Exclude the private network and VPN Client
!--- traffic from the NAT process.

route-map nonat permit 10
 match ip address 110
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
line 97 108
line aux 0
line vty 0 4
!
end

House configuration

Current configuration : 1689 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname house
!
boot system flash:c3660-jk8o3s-mz.122-7.bin
!
ip subnet-zero
!
!
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
!--- IPsec ISAKMP policy.

crypto isakmp policy 5
 hash md5
 authentication pre-share

!--- ISAKMP key for the static LAN-to-LAN tunnel without xauth authentication.

crypto isakmp key cisco123 address 10.64.10.44 no-xauth
!
!
crypto ipsec transform-set testset esp-des esp-md5-hmac
!
!--- Static crypto map for the LAN-to-LAN tunnel.

crypto map test 5 ipsec-isakmp
 set peer 10.64.10.44
 set transform-set testset

!--- Include the private network-to-private network traffic
!--- in the encryption process.

 match address 115
!
call rsvp-sync
cns event-service server
!
!
!
!
fax interface-type modem
mta receive maximum-recipients 0
!
!
!
interface FastEthernet0/0
 ip address 10.64.10.45 255.255.255.224
 ip nat outside
 duplex auto
 speed auto
 crypto map test
!
interface FastEthernet0/1
 ip address 192.168.200.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface BRI2/0
 no ip address
 shutdown
!
interface BRI2/1
 no ip address
 shutdown
!
interface BRI2/2
 no ip address
 shutdown
!
interface BRI2/3
 no ip address
 shutdown
!
interface FastEthernet4/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
!--- Exclude the private network traffic
!--- from the dynamic (dynamic association to a pool) NAT process.

ip nat inside source route-map nonat interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.64.10.33
no ip http server
ip pim bidir-enable
!
!--- Exclude the private network traffic from the NAT process.

access-list 110 deny ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 110 permit ip 192.168.200.0 0.0.0.255 any

!--- Include the private network-to-private network traffic
!--- in the encryption process.

access-list 115 permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255

!--- Exclude the private network traffic from the NAT process.

route-map nonat permit 10
 match ip address 110
!
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
end

VPN client configuration

Network Security policy:
1- TOLIGHT
   My Identity
      Connection security: Secure
      Remote Party Identity and addressing
         ID Type: IP subnet
         192.168.100.0
         255.255.255.0
         Port all Protocol all
      Connect using secure tunnel
         ID Type: IP address
         10.64.10.44
      Pre-shared Key=123cisco
   Authentication (Phase 1)
      Proposal 1
         Authentication method: pre-shared key
         Encryp Alg: DES
         Hash Alg: MD5
         SA life: Unspecified
         Key Group: DH 1
   Key exchange (Phase 2)
      Proposal 1
         Encapsulation ESP
         Encrypt Alg: DES
         Hash Alg: MD5
         Encap: tunnel
         SA life: Unspecified
         no AH
2- Other Connections
   Connection security: Non-secure
   Local Network Interface
      Name: Any
      IP Addr: Any
      Port: All

Verify

Use this section to confirm that your configuration works properly.

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

- show crypto ipsec sa: displays the Phase 2 security associations (SAs).
- show crypto isakmp sa: displays the Phase 1 SAs.

Troubleshoot

Use this section to troubleshoot your configuration.

Troubleshooting Commands

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

Note: Refer to Important Information on Debug Commands before you use debug commands.

- debug crypto ipsec: displays the Phase 2 IPsec negotiations.
- debug crypto isakmp: displays the Phase 1 ISAKMP negotiations.
- debug crypto engine: displays the traffic that is encrypted.
- clear crypto isakmp: clears the SAs related to Phase 1.
- clear crypto sa: clears the SAs related to Phase 2.

Related Information

- Configuring IPsec Network Security
- Configuring Internet Key Exchange Security Protocol
- IPsec Negotiation/IKE Protocols Support Page
- Cisco Secure VPN Client Support Page
- Technical Support - Cisco Systems
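The comments in both router configurations make one point that is easy to get wrong when a configuration is edited later: every flow that the crypto ACL (115) will encrypt, and the whole VPN client address pool, must be denied in the route-map ACL (110) so that NAT overload leaves those packets untranslated before the crypto map inspects them; otherwise the source address is rewritten to the outside interface and the crypto ACL never matches. The Python script below is an added example, not part of the Cisco document, that checks this mechanically. It re-reads the access-list and ip local pool lines from the Light and House configurations on this page, parses IOS wildcard masks into networks, reports any encrypted flow or pool range that the NAT ACL would still translate, and confirms that the two LAN-to-LAN crypto ACLs mirror each other. BROKEN_LIGHT is a constructed variant with the two deny entries removed, to show what a miss looks like.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# One access-list entry: (action, source network, destination network).
Ace = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]

# NAT and crypto lines copied from the Light and House configurations on this page.
LIGHT = """
ip local pool test-pool 192.168.1.1 192.168.1.254
access-list 110 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 110 deny ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.100.0 0.0.0.255 any
access-list 115 permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
"""
HOUSE = """
access-list 110 deny ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 110 permit ip 192.168.200.0 0.0.0.255 any
access-list 115 permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
"""
# Constructed (hypothetical) misconfiguration: both deny entries left out, so NAT
# overload translates LAN-to-LAN and VPN client traffic before the crypto map sees it.
BROKEN_LIGHT = """
ip local pool test-pool 192.168.1.1 192.168.1.254
access-list 110 permit ip 192.168.100.0 0.0.0.255 any
access-list 115 permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
"""


def _network(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one IOS address spec (any | host A | A WILDCARD) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts an IOS wildcard (hostmask) as the second tuple element.
    return ipaddress.ip_network((tokens[i], tokens[i + 1]), strict=False), i + 2


def parse_acls(config: str) -> Dict[int, List[Ace]]:
    """Return {acl number: [(action, src, dst), ...]} in configuration order."""
    acls: Dict[int, List[Ace]] = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue  # only 'access-list N permit|deny ip ...' lines are modelled
        src, i = _network(t, 4)
        dst, _ = _network(t, i)
        acls.setdefault(int(t[1]), []).append((t[2], src, dst))
    return acls


def nat_exempts(nat_acl: List[Ace], src: ipaddress.IPv4Network,
                dst: ipaddress.IPv4Network) -> bool:
    """True if the route-map ACL keeps the whole src->dst flow out of NAT.

    In an ACL referenced by the NAT route-map, deny means 'do not translate' and
    the first matching entry wins, so an earlier overlapping permit would
    translate the flow and the crypto ACL would never match it.
    """
    for action, s, d in nat_acl:
        if s.overlaps(src) and d.overlaps(dst):
            return action == "deny" and s.supernet_of(src) and d.supernet_of(dst)
    return True  # no entry matches: the route-map fails and nothing is translated


def unexempted_crypto_flows(config: str, crypto: int = 115,
                            nat: int = 110) -> List[Tuple[str, str]]:
    """Flows the crypto ACL would encrypt but the NAT ACL would still translate."""
    acls = parse_acls(config)
    return [(str(s), str(d)) for action, s, d in acls.get(crypto, [])
            if action == "permit" and not nat_exempts(acls.get(nat, []), s, d)]


def unexempted_pool_ranges(config: str, inside: str, nat: int = 110) -> List[str]:
    """Parts of the 'ip local pool' range that inside-to-client traffic would be NATed to."""
    m = re.search(r"^ip local pool \S+ (\S+) (\S+)$", config, re.MULTILINE)
    if m is None:
        return []
    nat_acl = parse_acls(config).get(nat, [])
    first, last = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
    inside_net = ipaddress.ip_network(inside)
    return [str(n) for n in ipaddress.summarize_address_range(first, last)
            if not nat_exempts(nat_acl, inside_net, n)]


def crypto_acls_mirror(cfg_a: str, cfg_b: str, crypto: int = 115) -> bool:
    """The LAN-to-LAN crypto ACL on one peer must be the exact reverse of the other's."""
    a = parse_acls(cfg_a).get(crypto, [])
    b = parse_acls(cfg_b).get(crypto, [])
    return (sorted((act, str(d), str(s)) for act, s, d in a)
            == sorted((act, str(s), str(d)) for act, s, d in b))


if __name__ == "__main__":
    for name, cfg in ("Light", LIGHT), ("House", HOUSE), ("broken Light", BROKEN_LIGHT):
        print(name, "crypto flows still NATed:", unexempted_crypto_flows(cfg))
    print("Light pool ranges still NATed:", unexempted_pool_ranges(LIGHT, "192.168.100.0/24"))
    print("broken Light pool ranges still NATed:",
          unexempted_pool_ranges(BROKEN_LIGHT, "192.168.100.0/24"))
    print("Light/House crypto ACLs mirror:", crypto_acls_mirror(LIGHT, HOUSE))
```

Run it against the configurations as shown and all three checks come back clean; against BROKEN_LIGHT it names the 192.168.100.0/24 to 192.168.200.0/24 flow and every block of the 192.168.1.1 to 192.168.1.254 pool as still subject to NAT overload. The check models only the `ip` ACL entries the page uses (no port or protocol qualifiers), which is enough to catch the ordering and containment mistakes the configuration comments warn about.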