VPN的基本配置.doc (VPN Basic Configuration)
Uploaded 2019-05-04, DOC, 37 pages
VPN Basic Configuration
Source: Cisco network technology forum, http:/ ; published 2004-5-11; 162270 views
Author: yc_liang, 2003-4-24

How it works: on one side the server network is the subnet 192.168.1.0/24 behind router 100.10.15.1; on the other side the server network is 192.168.10.0/24 behind router 200.20.25.1. The steps are:

1. Agree on a pre-shared key (the secret; the examples below assume it is noIP4u).
2. Configure IKE for the SA negotiation.
3. Configure IPsec.

Configuring IKE:

Shelby(config)#crypto isakmp policy 1
Note: "policy 1" creates ISAKMP policy number 1. The number is the priority: if you need several policies (policy 2, policy 3, and so on), for example to serve several peers with different parameters, the router offers them in ascending order until the peer accepts one.

Shelby(config-isakmp)#group 1
Note: the original advice was to stay with group 1 unless you own a high-end router or carry little VPN traffic. The group command takes 1 or 2: 1 selects a 768-bit Diffie-Hellman group and 2 a 1024-bit group; the latter is stronger but costs more CPU time. Caveat for today's reader: both groups, like the DES and MD5 used below, are now considered broken and should not be used on any image that offers group 14 (2048-bit) or larger together with AES and SHA-2.

Shelby(config-isakmp)#authentication pre-share
Note: tells the router to authenticate the peer with the pre-shared key.

Shelby(config-isakmp)#lifetime 3600
Note: sets how often a new ISAKMP SA is negotiated, in seconds; the default is 86400, one day. IKE negotiates the shorter of the two sides' values, so a mismatch does not by itself break the tunnel, but configure the same lifetime on both routers so that rekeying behaves predictably and is easy to troubleshoot.

Shelby(config)#crypto isakmp key noIP4u address 200.20.25.1
Note: back in global configuration mode, this binds the pre-shared key to the IP address of the router at the far end of the VPN, i.e. the destination router. The far router gets the same command with the address changed to 100.10.15.1.

Configuring IPsec:

Shelby(config)#access-list 130 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
Note: this is the crypto ACL that selects the traffic to be protected, from the local subnet to the remote subnet given above. The far router needs the mirror image, with source and destination swapped. The ACL number must not be one already used for filtering on an interface; give the VPN rule its own number.

Shelby(config)#crypto ipsec transform-set vpn1 ah-md5-hmac esp-des esp-md5-hmac
Note: the only parameter that may differ between the two routers is vpn1, a local name for this combination of options; it may but need not be the same on both sides. The command defines the IPsec parameters: AH is enabled for additional integrity protection; because both networks use private address space, the data must be tunnelled, so ESP is used as well; finally DES is chosen as the encryption algorithm. Two caveats: AH authenticates the outer IP header and therefore fails through NAT, and DES with MD5 is weak; on current images use ESP alone with AES and SHA-2.

Shelby(config)#crypto map shortsec 60 ipsec-isakmp
Note: shortsec is the name of the crypto map and 60 is the sequence number of this entry within it; entries are evaluated in ascending order, and the name is what is bound to the outside interface below. The number is not a rekey interval. The original text wanted a short key lifetime, reasoning that an attacker who recovers a session key can read all traffic protected with it, so keys should be refreshed often; that goal is sound, but it is set with the IPsec SA lifetime (set security-association lifetime seconds inside the entry, or the global crypto ipsec security-association lifetime; default 3600 seconds), not with this number. Neither the map name nor the sequence number has to match the far router; what must match is the transform set and the mirrored crypto ACL.

Shelby(config-crypto-map)#set peer 200.20.25.1
Note: the legitimate IP address of the peer router. The remote router gets the corresponding command with the address 100.10.15.1.

Shelby(config-crypto-map)#set transform-set vpn1
Shelby(config-crypto-map)#match address 130
Note: these two commands bind the transform set and the crypto ACL to this entry.

Shelby(config)#interface s0
Shelby(config-if)#crypto map shortsec
Note: applies the crypto map just defined to the router's external interface.

What remains is to test the VPN connection and make sure traffic flows as planned: after sending traffic that matches the crypto ACL, show crypto isakmp sa should list the peer in state QM_IDLE and show crypto ipsec sa should show the encrypt and decrypt counters increasing. The last step is to save the running configuration (copy running-config startup-config), otherwise all the work is lost at the next reload.

Appendix: in terms of network security zones, a VPN hardware device can be placed at four points: outside the firewall in the DMZ; on a third firewall interface (the service network); inside the firewall-protected network; integrated into the firewall.
(When reproducing this article keep the author credit and the source, the Cisco network technology forum at http:/ ; not for commercial use.)

Cisco VPN Client installation and configuration
Author: 张腾英

The following are the installation and configuration steps for Cisco Systems VPN Client 4.0.3, the client for Microsoft Windows. The screenshots that accompany each step in the original are not reproduced here.

1 Installing the VPN client
Cisco Systems VPN Client is installed as follows:
1. In the directory holding the Cisco Systems VPN Client package, double-click the installer vpnclient_setup.exe; a dialog opens.
2. Click OK; the next dialog opens.
3. Click Next.
4. Select "I accept the licence agreement" and click Next; the installation path dialog opens.
5. Keep the default installation path and click Next.
6. Click Next; the dialog reporting a successful installation appears. Click Finish; installation is complete and you are prompted to restart the computer.

2 Configuring the VPN client
The following describes how to configure the VPN client; the values used are for demonstration only and are not real parameters.
1. Choose Start > Programs > Cisco Systems VPN Client > VPN Client; the VPN Client main window opens.
2. Click New; the Create New VPN Connection Entry window opens. Fill in the fields according to your situation.
3. In Connection Entry enter a name for the VPN, e.g. "Test VPN"; in Description enter a comment, e.g. "test"; in Host enter the IP address of the VPN device, e.g. 192.168.0.1. On the Authentication tab select Group Authentication and enter the group name and password, e.g. group "test" with password "TesT".
4. When done, click Save to return to the VPN Client main window; a "Test VPN" entry is now listed.
5. To change any parameter, select the entry and click Modify to open its properties dialog.
6. The VPN Client ships with its own firewall, which is enabled or disabled via Options > Stateful Firewall (Always On); a check mark in front of the menu item means it is on.
7. With configuration complete the VPN can be used. Double-click the connection entry; a user authentication window opens. Enter the username and password; if authentication succeeds a dialog reports that the VPN connection has been established; click OK and the window shrinks to the tray. Resources behind "Test VPN" are now reachable.
8. When the VPN is no longer needed, click Cancel Connect to tear the connection down.
Note that the group name and password of step 3 are shared by every user of that group and only authenticate the first IKE exchange; the per-user credentials of step 7 are what identify the user, so treat the group password as a configuration secret rather than a user secret.

VPN configuration examples (1)

1. PIX to PIX (a central PIX with two remote PIXes)

PIX Central
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix-central
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
!--- This is traffic to PIX 2.
access-list 120 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
!--- This is traffic to PIX 3.
access-list 130 permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
!--- Do not do Network Address Translation (NAT) on traffic to other PIXes.
access-list 100 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list 100 permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 172.18.124.153 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
!--- Do not do NAT on traffic to other PIXes.
nat (inside) 0 access-list 100
route outside 0.0.0.0 0.0.0.0 172.18.124.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
!--- This is traffic to PIX 2.
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address 120
crypto map newmap 20 set peer 172.18.124.154
crypto map newmap 20 set transform-set myset
!--- This is traffic to PIX 3.
crypto map newmap 30 ipsec-isakmp
crypto map newmap 30 match address 130
crypto map newmap 30 set peer 172.18.124.157
crypto map newmap 30 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key * address 172.18.124.154 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key * address 172.18.124.157 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end

PIX 2
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix2
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
!--- This is traffic to PIX Central.
access-list 110 permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
!--- Do not do NAT on traffic to PIX Central.
access-list 100 permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 172.18.124.154 255.255.255.0
ip address inside 10.2.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 14400
!--- Do not do NAT on traffic to PIX Central.
nat (inside) 0 access-list 100
route outside 0.0.0.0 0.0.0.0 172.18.124.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
!--- This is traffic to PIX Central.
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
crypto map newmap 10 set peer 172.18.124.153
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key * address 172.18.124.153 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end

PIX 3 Configuration
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix3
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
!--- This is traffic to PIX Central.
access-list 110 permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
!--- Do not do NAT on traffic to PIX Central.
access-list 100 permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 172.18.124.157 255.255.255.0
ip address inside 10.3.3.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 14400
!--- Do not do NAT on traffic to PIX Central.
nat (inside) 0 access-list 100
route outside 0.0.0.0 0.0.0.0 172.18.124.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
!--- This is traffic to PIX Central.
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
crypto map newmap 10 set peer 172.18.124.153
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key * address 172.18.124.153 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:aa3bbd8c6275d214b153e1e0bc0173e4
: end

In these listings access-list 100 together with nat (inside) 0 exempts the tunnelled subnets from NAT, sysopt connection permit-ipsec lets decrypted IPsec traffic bypass the interface ACLs, and the pre-shared keys are masked in the show output. The samples also leave the SNMP community at public and telnet enabled; change both before using them as a template.

2. Router-to-router VPN configuration

Hub Router
2503#show running-config
Building configuration...

Current configuration : 1466 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log uptime
no service password-encryption
!
hostname 2503
!
ip subnet-zero
!--- Configuration for IKE policies.
crypto isakmp policy 10
!--- Enables the IKE policy configuration (config-isakmp)
!--- command mode, where you can specify the parameters that
!--- are used during an IKE negotiation.
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 200.1.2.1
crypto isakmp key cisco123 address 200.1.3.1
!--- Specifies the preshared key "cisco123" which should
!--- be identical at both peers. This is a global
!--- configuration mode command.
!--- Configuration for IPSec policies.
crypto ipsec transform-set myset esp-des esp-md5-hmac
!--- Enables the crypto transform configuration mode,
!--- where you can specify the transform sets that are used
!--- during an IPSec negotiation.
!
crypto map mymap 10 ipsec-isakmp
!--- Indicates that IKE is used to establish
!--- the IPSec security association for protecting the
!--- traffic specified by this crypto map entry.
 set peer 200.1.2.1
!--- Sets the IP address of the remote end.
 set transform-set myset
!--- Configures IPSec to use the transform-set
!--- "myset" defined earlier in this configuration.
 match address 110
!--- Specifies the traffic to be encrypted.
crypto map mymap 20 ipsec-isakmp
 set peer 200.1.3.1
 set transform-set myset
 match address 120
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0
 ip address 200.1.1.1 255.255.255.0
 no ip route-cache
!--- You must enable process switching for IPSec
!--- to encrypt outgoing packets. This command disables fast switching.
 no ip mroute-cache
 crypto map mymap
!--- Configures the interface to use the
!--- crypto map "mymap" for IPSec.
!--- Output suppressed.
ip classless
ip route 172.16.1.0 255.255.255.0 Ethernet0
ip route 192.168.1.0 255.255.255.0 Ethernet0
ip route 200.1.0.0 255.255.0.0 Ethernet0
ip http server
!
access-list 110 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 120 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!--- This crypto ACL-permit identifies the
!--- matching traffic flows to be protected via encryption.

Spoke 1 Router
2509a#show running-config
Building configuration...

Current configuration : 1203 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log uptime
no service password-encryption
!
hostname 2509a
!
enable secret 5 $1$DOX3$rIrxEnTVTw/7LNbxi.akz0
!
ip subnet-zero
no ip domain-lookup
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 200.1.1.1
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 200.1.1.1
 set transform-set myset
 match address 110
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0
 ip address 200.1.2.1 255.255.255.0
 no ip route-cache
 no ip mroute-cache
 crypto map mymap
!
...
!--- Output suppressed.
ip classless
ip route 10.1.1.0 255.255.255.0 Ethernet0
ip route 192.168.1.0 255.255.255.0 Ethernet0
ip route 200.1.0.0 255.255.0.0 Ethernet0
no ip http server
!
access-list 110 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!
end
2509a#

Spoke 2 Router
VPN2509#show running-config
Building configuration...

Current configuration : 1117 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log uptime
service password-encryption
!
hostname VPN2509
!
ip subnet-zero
no ip domain-lookup
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 200.1.1.1
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 200.1.1.1
 set transform-set myset
 match address 120
!
inte
(the listing is cut off here in the source)

Note how the hub's crypto ACL 110 also permits 192.168.1.0/24 (spoke 2's network) towards spoke 1 and ACL 120 permits 172.16.1.0/24 towards spoke 2, so spoke-to-spoke traffic is hairpinned through the hub, and how each spoke's ACL is the exact mirror of the hub's entry for it, which is what IKE quick mode requires. The hub's policy states only hash md5, so it inherits the IOS defaults of DES encryption and DH group 1, and the same pre-shared key cisco123 is used for both spokes, so compromising one spoke exposes the key the other relies on; use a distinct key per peer.
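The audit below is an added example written for this page; it is neither the page's own code nor a Cisco tool. It turns the two rules the first tutorial states (the crypto ACL on each router must be the mirror image of the other's, and both ends should carry the same IKE lifetime) into a check that reads several running-configs at once, in either the IOS layout used by the hub-and-spoke routers (attributes indented under crypto isakmp policy and crypto map) or the PIX 6.x one-line layout used in the PIX-to-PIX listing, and normalises wildcard and subnet masks. It also flags the primitives every listing on this page relies on (DES, MD5, DH group 1), including the IOS defaults a policy inherits when it only sets hash md5, as the hub router does. The device names, outside addresses and sample configs are constructed for the example (modelled on the hub-and-spoke listing; BAD_SPOKE reproduces the kind of ACL typo the tutorial's own listing had); the parser understands only the statements shown and is not a general IOS parser.

```python
"""Added audit example, not from the page or from Cisco: check IOS/PIX IPsec peers for what
the tutorial above needs at both ends (mirrored crypto ACLs, the same IKE lifetime) and flag
the weak primitives its listings use (DES, MD5, DH group 1).  Sample configs are constructed."""
import ipaddress
import re

WEAK = {"des": "DES", "3des": "3DES", "md5": "MD5", "1": "DH group 1", "2": "DH group 2"}
POLICY_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1", "lifetime": "86400"}
POLICY_KEYS = ("encryption", "hash", "authentication", "group", "lifetime")
MAP_KEYS = {("set", "peer"): "peer", ("set", "transform-set"): "tset", ("match", "address"): "acl"}

def to_net(addr, mask):
    # IOS crypto ACLs carry wildcard masks (0.0.0.255), PIX 6.x netmasks (255.255.255.0):
    # a mask whose top bit is set is taken as a netmask, anything else as a wildcard.
    m = int(ipaddress.IPv4Address(mask))
    ones = bin(m).count("1")
    return ipaddress.ip_network(f"{addr}/{ones if m & 0x80000000 else 32 - ones}", strict=False)

def parse(text):
    """Crypto ACLs, ISAKMP policies, transform sets and crypto-map entries, read from the
    IOS layout (attributes indented under the parent) or the PIX one-line layout."""
    cfg = {"acl": {}, "policy": {}, "tset": {}, "map": {}}
    ctx = None                                   # ("policy", dict) / ("map", dict) being filled
    for raw in text.splitlines():
        line, words = raw.strip(), raw.split()
        if not words or words[0].startswith("!"):
            continue
        if words[0] not in POLICY_KEYS + ("set", "match"):
            ctx = None                           # a top-level line ends any IOS sub-mode
        if m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            a, s, sm, d, dm = m.groups()
            cfg["acl"].setdefault(a, set()).add((to_net(s, sm), to_net(d, dm)))
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            cfg["tset"][m.group(1)] = m.group(2).split()
        elif m := re.match(r"(?:crypto )?isakmp policy (\d+) ?(.*)$", line):
            ctx, words = ("policy", cfg["policy"].setdefault(m.group(1), {})), m.group(2).split()
        elif m := re.match(r"crypto map (\S+) (\d+) (?:ipsec-isakmp)?(.*)$", line):
            ctx, words = ("map", cfg["map"].setdefault(m.group(1, 2), {})), m.group(3).split()
        if ctx and ctx[0] == "policy" and words and words[0] in POLICY_KEYS:
            ctx[1][words[0]] = words[1]          # indented IOS line or tail of a PIX one-liner
        elif ctx and ctx[0] == "map" and tuple(words[:2]) in MAP_KEYS:
            ctx[1][MAP_KEYS[tuple(words[:2])]] = words[2]
    return cfg

def weak_primitives(cfg):
    """(where, what) for each weak cipher, hash or DH group; IOS defaults count when unset."""
    found = [(f"isakmp policy {n} {k} {v}", WEAK[v]) for n, pol in cfg["policy"].items()
             for k in ("encryption", "hash", "group") if (v := pol.get(k, POLICY_DEFAULTS[k])) in WEAK]
    found += [(f"transform-set {name} {alg}", WEAK[w]) for name, algs in cfg["tset"].items()
              for alg in algs for w in ("des", "3des", "md5") if w in alg.split("-")]
    return found

def flows_to(cfg, peer_ip):
    # (src, dst) networks cfg protects towards peer_ip, or None if no entry names that peer
    ents = [e for e in cfg["map"].values() if e.get("peer") == peer_ip]
    return set().union(*(cfg["acl"].get(e.get("acl"), set()) for e in ents)) if ents else None

def tunnel_mismatches(devices):
    """devices = {name: (outside_ip, parsed cfg)}.  For each peer pair: an entry on both
    sides, crypto ACLs that are exact mirrors (src/dst swapped) and the same IKE lifetime."""
    by_ip = {ip: name for name, (ip, _) in devices.items()}
    pairs = {tuple(sorted((n, by_ip[e["peer"]]))) for n, (_, c) in devices.items()
             for e in c["map"].values() if e.get("peer") in by_ip}
    problems = []
    for a_name, b_name in sorted(pairs):
        (a_ip, a), (b_ip, b) = devices[a_name], devices[b_name]
        a_flows, b_flows = flows_to(a, b_ip), flows_to(b, a_ip)
        if a_flows is None or b_flows is None:
            problems.append(f"{a_name}<->{b_name}: one side has no crypto map entry for the other")
            continue
        mirror = {(d, s) for s, d in b_flows}    # what A's crypto ACL must contain
        if a_flows != mirror:
            diff = sorted(f"{s}->{d}" for s, d in a_flows ^ mirror)
            problems.append(f"{a_name}<->{b_name}: crypto ACLs not mirrored, seen from {a_name}: {diff}")
        life = [{p.get("lifetime", "86400") for p in c["policy"].values()} for c in (a, b)]
        if life[0] != life[1]:
            problems.append(f"{a_name}<->{b_name}: IKE lifetime differs: {life[0]} vs {life[1]}")
    return problems

# Constructed samples modelled on the page's hub-and-spoke listing: IOS-style hub, PIX-style spoke.
HUB = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 200.1.2.1
 set transform-set myset
 match address 110
access-list 110 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
"""
SPOKE = """\
access-list 110 permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 110 permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
crypto map newmap 10 set peer 200.1.1.1
isakmp policy 10 hash md5
isakmp policy 10 lifetime 1000
"""
BAD_SPOKE = SPOKE.replace("192.168.1.0 255.255.255.0", "192.168.10.0 255.255.255.0")  # ACL typo
```

To run it against real devices, read each show running-config into a string, build a dict of {name: (outside address, parse(text))} that covers every peer, and look at tunnel_mismatches() for the set and weak_primitives() for each device. With the constructed HUB and SPOKE the only report is the IKE lifetime (1000 on the spoke against the hub's default 86400); with BAD_SPOKE the mirrored-ACL check additionally lists the 192.168.1.0/24 and 192.168.10.0/24 flows that disagree. A peer that is not in the dict is skipped rather than reported, so include both ends of every tunnel.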
