Vpn

A simple road-warrior IPv4 VPN configuration in Cisco IOS

  • June 15, 2013

I would like to set up a fairly simple road-warrior VPN configuration on our Cisco router. Frustratingly, I have been searching for this but cannot find a simple, complete guide.

  • Several (not necessarily many) remote users
  • IPsec / ISAKMP configuration
  • IPv4
  • The option of split-tunnel or default-gateway mode

What configuration do I need to enter to enable this?

I am looking for a generic answer, but if you need to know, I am running c2600-ik9o3s3-mz.123-26.bin.

This is what I came up with; it should be a decent starting point for creating a VPN configuration. I am not sure it is minimal in itself, but it should get anyone looking for it up and running.

The Cisco Secure VPN Client Solutions Guide that Zypher pointed to was very useful in creating this - if you can sift through it, there are some good examples in there.

aaa new-model

! AAA method lists used by the crypto map below: Xauth user logins and
! group authorization are both answered from the local user database
aaa authentication login vpn-users local
aaa authorization network vpn-users local

! any local user will be allowed to use the VPN
! ("secret 5" means the token is an MD5 hash as shown by "show running-config";
! to enter a cleartext password and let IOS hash it use "username fred secret SECRET")
username fred secret 5 SECRET

! Create an ISAKMP (IKEv1 phase 1) policy that handles the ISAKMP negotiation:
! AES, pre-shared key (plus Xauth), Diffie-Hellman group 2 (1024-bit MODP),
! one-hour SA lifetime
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
lifetime 3600
! Dead peer detection: probe every 120 s, retry every 15 s once a probe is missed
crypto isakmp keepalive 120 15
! Give the user 60 s to answer the Xauth username/password prompt
crypto isakmp xauth timeout 60

! Group policy for ISAKMP. The group named "default" matches whatever group name
! the client sends. "key" is the group pre-shared key (the client's group password).
! Without an "acl" line under the group the client tunnels all of its traffic
! (default-gateway mode)
crypto isakmp client configuration group default
key PLAINTEXT_KEY
dns LOCAL_DNS_SERVERS
domain LOCAL_DOMAIN
pool vpn-dynamic-pool

! VPN clients will be assigned addresses out of this pool
ip local pool vpn-dynamic-pool 192.168.2.1 192.168.2.254

! Create transform sets that specify how the actual IPsec traffic will be protected
! (esp-aes is AES-128; esp-sha-hmac is HMAC-SHA-1; comp-lzs adds LZS compression)
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-LZS esp-aes esp-sha-hmac comp-lzs

! Create IPsec policies - any negotiated transform scheme must be specified
! in the dynamic map below; entries are tried in sequence order, so the
! compressed set is offered first and the uncompressed one is the fallback
crypto dynamic-map vpn-dynamic-map 1
set transform-set ESP-AES-128-SHA-LZS
crypto dynamic-map vpn-dynamic-map 2
set transform-set ESP-AES-128-SHA

! Bind everything into one crypto map:
!  - client authentication list: Xauth user login via the vpn-users AAA list
!  - client configuration address respond: hand out a pool address when the client asks (mode config)
!  - isakmp authorization list: look up the group policy via the vpn-users AAA list
!  - the dynamic entry accepts peers with unknown (road-warrior) addresses
crypto map vpn-dynamic client authentication list vpn-users
crypto map vpn-dynamic client configuration address respond
crypto map vpn-dynamic isakmp authorization list vpn-users
crypto map vpn-dynamic 1 ipsec-isakmp dynamic vpn-dynamic-map

! Apply the IPsec map to the external interface
! (if an inbound access list is applied to this interface it must permit
! udp/500, udp/4500 for NAT traversal, and esp)
interface ExternalInterface/0
crypto map vpn-dynamic
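The answer above only covers the default-gateway mode the question asked about; the split-tunnel option is selected per client group with an `acl` line. The fragment below is an added example, not part of the original answer, and it reuses the answer's names (`PLAINTEXT_KEY`, `LOCAL_DNS_SERVERS`, `LOCAL_DOMAIN`, `vpn-dynamic-pool`, `ExternalInterface/0`). The group name `split-users`, the access-list names `SPLIT-TUNNEL` and `NONAT`, and the internal address range 10.0.0.0/8 are assumptions chosen for illustration.

```cisco
! --- Full-tunnel group (unchanged from the answer): with no "acl" line the
! --- Cisco VPN Client sends all traffic, Internet traffic included, through
! --- the router (default-gateway mode).
crypto isakmp client configuration group default
 key PLAINTEXT_KEY
 dns LOCAL_DNS_SERVERS
 domain LOCAL_DOMAIN
 pool vpn-dynamic-pool

! --- Split-tunnel group (assumed name "split-users"). The "acl" line pushes
! --- the list of protected networks to the client; only traffic that matches
! --- it is sent through the tunnel, everything else leaves the client directly.
! --- Assumption: the internal networks live in 10.0.0.0/8.
ip access-list extended SPLIT-TUNNEL
 permit ip 10.0.0.0 0.255.255.255 any

crypto isakmp client configuration group split-users
 key PLAINTEXT_KEY
 dns LOCAL_DNS_SERVERS
 domain LOCAL_DOMAIN
 pool vpn-dynamic-pool
 acl SPLIT-TUNNEL

! --- NAT exemption, needed only if ExternalInterface/0 also does NAT overload:
! --- traffic between the inside networks and the VPN pool must bypass NAT,
! --- otherwise it is translated before the crypto map sees it and never
! --- matches the IPsec SA.
ip access-list extended NONAT
 deny   ip 10.0.0.0 0.255.255.255 192.168.2.0 0.0.0.255
 permit ip 10.0.0.0 0.255.255.255 any

ip nat inside source list NONAT interface ExternalInterface/0 overload
```

A client that presents the group name `split-users` (with the matching group key) gets the split-tunnel policy; any other group name falls through to `default` and gets the full tunnel, so the two modes can coexist on one router. Once a client has connected, `show crypto isakmp sa` should list the phase-1 SA with the client's public address, and `show crypto ipsec sa` should show a phase-2 SA whose remote identity is the pool address handed out; with the split-tunnel group, the local identity in that SA is the 10.0.0.0/8 range from the access list rather than 0.0.0.0/0.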

You are looking for a remote-access VPN. Cisco documentation

Also, you should probably look at the Cisco Secure VPN Client Solutions Guide

Source: https://serverfault.com/questions/115291