On the three modes of Cisco Easy VPN Remote
1、Remote-side configuration:
ezclient#sh run
Building configuration...
Current configuration : 1134 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ezclient
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
!
resource policy
!
ip cef
!
crypto ipsec client ezvpn mylab
connect auto
group myezvpn key cisco1234
mode network-plus
peer 173.16.1.5
username wanglinlin password cisco
xauth userid mode local
!
interface Loopback0
ip address 192.168.1.3 255.255.255.255
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
crypto ipsec client ezvpn mylab inside
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
ip address 173.16.1.1 255.255.255.252
clock rate 64000
crypto ipsec client ezvpn mylab
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
ip route 0.0.0.0 0.0.0.0 173.16.1.2
!
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
password cisco
login
!
scheduler allocate 20000 1000
end
2、Server-side configuration:
ezserver#sh run
Building configuration...
Current configuration : 1715 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ezserver
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
aaa new-model
!
aaa authentication login default local
aaa authentication login ezvpn-authentication local
aaa authorization network ezvpn-authorization local
!
aaa session-id common
!
resource policy
!
ip cef
!
username wanglinlin password 0 cisco
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group myezvpn
key cisco1234
domain cisco.com
pool vpn-pool
acl 101
save-password
!
crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
!
crypto dynamic-map ezvpn-dynamic-map 10
set transform-set ccsp
reverse-route
!
crypto map cisco client authentication list ezvpn-authentication
crypto map cisco isakmp authorization list ezvpn-authorization
crypto map cisco client configuration address respond
crypto map cisco 10 ipsec-isakmp dynamic ezvpn-dynamic-map
!
interface FastEthernet0/0
ip address 172.30.1.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
ip address 173.16.1.5 255.255.255.252
clock rate 64000
crypto map cisco
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
ip local pool vpn-pool 192.168.1.1 192.168.1.50
ip route 0.0.0.0 0.0.0.0 173.16.1.6
!
no ip http server
no ip http secure-server
!
access-list 101 permit ip 172.30.1.0 0.0.0.255 any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
password cisco
!
scheduler allocate 20000 1000
end
3、Client mode:
ezclient#sh ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.1.1.1 YES manual up up
FastEthernet0/1 unassigned YES unset administratively down down
Serial0/0/0 173.16.1.1 YES manual up up
Serial0/0/1 unassigned YES unset administratively down down
NVI0 unassigned NO unset up up
Loopback0 192.168.1.4 YES manual up up
ezclient#sh cry ipsec client ezvpn
Easy VPN Remote Phase: 4
Tunnel name : mylab
Inside interface list: FastEthernet0/0
Outside interface: Serial0/0/0
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 192.168.1.4
Mask: 255.255.255.255
Default Domain: cisco.com
Save Password: Allowed
Split Tunnel List: 1
Address : 172.30.1.0
Mask : 255.255.255.0
Protocol : 0x0
Source Port: 0
Dest Port : 0
Current EzVPN Peer: 173.16.1.5
In client mode a loopback interface appears on the Easy VPN Remote. When a user behind the Remote needs to reach a host behind the Easy VPN Server, the Remote automatically PATs that traffic to the loopback interface's address; if split tunneling is configured on the Server, traffic from users behind the Remote to Internet hosts is automatically PATed to the outside interface's address instead.
ezserver#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 173.16.1.6 to network 0.0.0.0
172.30.0.0/24 is subnetted, 1 subnets
C 172.30.1.0 is directly connected, FastEthernet0/0
173.16.0.0/30 is subnetted, 1 subnets
C 173.16.1.4 is directly connected, Serial0/0/0
192.168.1.0/32 is subnetted, 1 subnets
S 192.168.1.4 [1/0] via 173.16.1.1
S* 0.0.0.0/0 [1/0] via 173.16.1.6
Because reverse-route is configured, the Server creates a static route pointing to the Remote's loopback interface address.
4、network-extension mode:
ezclient#sh ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.1.1.1 YES manual up up
FastEthernet0/1 unassigned YES unset administratively down down
Serial0/0/0 173.16.1.1 YES manual up up
Serial0/0/1 unassigned YES unset administratively down down
NVI0 unassigned NO unset up up
ezclient#sh cry ipsec client ezvpn
Easy VPN Remote Phase: 4
Tunnel name : mylab
Inside interface list: FastEthernet0/0
Outside interface: Serial0/0/0
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Default Domain: cisco.com
Save Password: Allowed
Split Tunnel List: 1
Address : 172.30.1.0
Mask : 255.255.255.0
Protocol : 0x0
Source Port: 0
Dest Port : 0
Current EzVPN Peer: 173.16.1.5
ezserver#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 173.16.1.6 to network 0.0.0.0
172.30.0.0/24 is subnetted, 1 subnets
C 172.30.1.0 is directly connected, FastEthernet0/0
173.16.0.0/30 is subnetted, 1 subnets
C 173.16.1.4 is directly connected, Serial0/0/0
10.0.0.0/24 is subnetted, 1 subnets
S 10.1.1.0 [1/0] via 173.16.1.1
S* 0.0.0.0/0 [1/0] via 173.16.1.6
Because reverse-route is configured, the Server creates a static route pointing to the Remote's inside network.
5、network-plus mode:
ezclient#sh ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.1.1.1 YES manual up up
FastEthernet0/1 unassigned YES unset administratively down down
Serial0/0/0 173.16.1.1 YES manual up up
Serial0/0/1 unassigned YES unset administratively down down
NVI0 unassigned NO unset up up
Loopback0 192.168.1.3 YES manual up up
ezclient#sh cry ipsec client ezvpn
Easy VPN Remote Phase: 4
Tunnel name : mylab
Inside interface list: FastEthernet0/0
Outside interface: Serial0/0/0
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 192.168.1.3
Mask: 255.255.255.255
Default Domain: cisco.com
Save Password: Allowed
Split Tunnel List: 1
Address : 172.30.1.0
Mask : 255.255.255.0
Protocol : 0x0
Source Port: 0
Dest Port : 0
Current EzVPN Peer: 173.16.1.5
The Remote still creates a loopback interface, but in this mode the interface is used only for troubleshooting.
ezserver#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 173.16.1.6 to network 0.0.0.0
172.30.0.0/24 is subnetted, 1 subnets
C 172.30.1.0 is directly connected, FastEthernet0/0
173.16.0.0/30 is subnetted, 1 subnets
C 173.16.1.4 is directly connected, Serial0/0/0
10.0.0.0/24 is subnetted, 1 subnets
S 10.1.1.0 [1/0] via 173.16.1.1
192.168.1.0/32 is subnetted, 1 subnets
S 192.168.1.3 [1/0] via 173.16.1.1
S* 0.0.0.0/0 [1/0] via 173.16.1.6
Because reverse-route is configured, the Server creates static routes pointing to both the Remote's loopback interface address and its inside network.
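The three `show ip route` outputs above differ only in which static routes reverse-route injection creates on the Server, and the client-mode note describes which address the Remote uses for PAT. The following added example (my own code, not from the original post) turns those observations into a check: it models the reverse routes each mode should produce, parses the static entries out of a `show ip route` capture, and reports missing or unexpected routes, which is a quick way to confirm that a Remote really came up in the mode you intended. The lab addresses (10.1.1.0/24, 173.16.1.1, 172.30.1.0/24, the 192.168.1.x pool addresses) are the post's; the three capture strings are trimmed copies of the post's outputs, and 198.51.100.7 is a constructed "Internet" destination for the PAT rule.

```python
"""Verify Easy VPN reverse-route injection per Remote mode (added example)."""
import ipaddress
import re

# Lab values taken from the post's configuration.
INSIDE_NET = ipaddress.ip_network("10.1.1.0/24")         # Remote FastEthernet0/0 (inside)
REMOTE_OUTSIDE = ipaddress.ip_address("173.16.1.1")      # Remote Serial0/0/0 (outside)
SPLIT_TUNNEL = [ipaddress.ip_network("172.30.1.0/24")]   # pushed by the Server's acl 101

SUBNET_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)/(\d+) is subnetted")
STATIC_RE = re.compile(
    r"^\s*S\s+(\d+\.\d+\.\d+\.\d+)(?:/(\d+))?\s+\[\d+/\d+\]\s+via\s+(\d+\.\d+\.\d+\.\d+)")


def expected_reverse_routes(mode, assigned_ip=None, inside_net=INSIDE_NET):
    """Static routes the Server should inject for a given Remote mode.

    client           -> host route to the assigned (loopback) address only
    network-extension-> route to the Remote's inside network only
    network-plus     -> both
    """
    routes = set()
    if mode in ("client", "network-plus"):
        if assigned_ip is None:
            raise ValueError("client and network-plus modes receive a pool address")
        routes.add((ipaddress.ip_network(f"{assigned_ip}/32"), REMOTE_OUTSIDE))
    if mode in ("network-extension", "network-plus"):
        routes.add((inside_net, REMOTE_OUTSIDE))
    if not routes:
        raise ValueError(f"unknown Easy VPN mode: {mode}")
    return routes


def parse_static_routes(show_ip_route):
    """Extract (prefix, next_hop) for plain 'S' entries from IOS `show ip route` text.

    IOS prints the mask once on the '... is subnetted' header line, so the
    prefix length is carried forward to the entries that follow it.  The
    default route is printed as 'S*' and is deliberately not matched.
    """
    plen = None
    found = set()
    for line in show_ip_route.splitlines():
        m = SUBNET_RE.match(line)
        if m:
            plen = int(m.group(2))
            continue
        m = STATIC_RE.match(line)
        if m:
            net, explicit_plen, next_hop = m.groups()
            p = int(explicit_plen) if explicit_plen else plen
            if p is None:
                continue  # malformed capture: entry without a preceding mask
            found.add((ipaddress.ip_network(f"{net}/{p}", strict=False),
                       ipaddress.ip_address(next_hop)))
    return found


def check_reverse_routes(mode, show_ip_route, assigned_ip=None):
    """Compare injected static routes against what the mode should produce."""
    expected = expected_reverse_routes(mode, assigned_ip)
    actual = parse_static_routes(show_ip_route)
    fmt = lambda routes: sorted(f"{net} via {nh}" for net, nh in routes)
    return {"missing": fmt(expected - actual), "unexpected": fmt(actual - expected)}


def client_mode_pat_source(dst, loopback_ip, split_tunnel=SPLIT_TUNNEL,
                           outside_ip=REMOTE_OUTSIDE):
    """Client-mode PAT rule from the post: split-tunnel destinations are
    translated to the loopback (pool) address, everything else to the
    outside interface address."""
    dst = ipaddress.ip_address(dst)
    if any(dst in net for net in split_tunnel):
        return ipaddress.ip_address(loopback_ip)
    return outside_ip


# Trimmed copies of the post's three `show ip route` captures.
SHOW_ROUTE_CLIENT = """\
172.30.0.0/24 is subnetted, 1 subnets
C 172.30.1.0 is directly connected, FastEthernet0/0
173.16.0.0/30 is subnetted, 1 subnets
C 173.16.1.4 is directly connected, Serial0/0/0
192.168.1.0/32 is subnetted, 1 subnets
S 192.168.1.4 [1/0] via 173.16.1.1
S* 0.0.0.0/0 [1/0] via 173.16.1.6
"""
SHOW_ROUTE_NEM = """\
10.0.0.0/24 is subnetted, 1 subnets
S 10.1.1.0 [1/0] via 173.16.1.1
S* 0.0.0.0/0 [1/0] via 173.16.1.6
"""
SHOW_ROUTE_PLUS = """\
10.0.0.0/24 is subnetted, 1 subnets
S 10.1.1.0 [1/0] via 173.16.1.1
192.168.1.0/32 is subnetted, 1 subnets
S 192.168.1.3 [1/0] via 173.16.1.1
S* 0.0.0.0/0 [1/0] via 173.16.1.6
"""

if __name__ == "__main__":
    print("client       ", check_reverse_routes("client", SHOW_ROUTE_CLIENT, "192.168.1.4"))
    print("net-extension", check_reverse_routes("network-extension", SHOW_ROUTE_NEM))
    print("network-plus ", check_reverse_routes("network-plus", SHOW_ROUTE_PLUS, "192.168.1.3"))
    # A NEM capture checked against a network-plus expectation exposes the missing host route.
    print("mismatch     ", check_reverse_routes("network-plus", SHOW_ROUTE_NEM, "192.168.1.3"))
```

Feeding the script the output of a Remote that negotiated the wrong mode (for example the network-extension capture when network-plus was expected) lists the absent loopback host route under `missing`, and any stray static toward the Remote's outside address shows up under `unexpected`.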