Notes: this lab simply builds a Remote Access VPN on real hardware.
There are two groups; each is handed a different address pool and reaches a different set of subnets.
The main configuration is on RO_C; RO_D only runs OSPF.
Most of it was explained in the previous post, so only a few points are added here.
To keep the line count down, unnecessary configuration has been removed.
Lab requirements:
1. Remote Access VPN settings
ISAKMP
Encryption: 3DES
Authentication: PSK (password: CISCO)
DH Group: 2
Hash: MD5
ISAKMP Group
Name: EZVPN
Key: CISCO
Access Network: OA
Local Address Pool: 3.3.3.1 ~ 3.3.3.100
Name: RDVPN
Key: RDCISCO
Access Network: OA & RD
Local Address Pool: 33.33.33.1 ~ 33.33.33.100
Explanation: a client connecting with EZVPN gets a 3.3.3.x address and can reach only OA;
a client connecting with RDVPN gets a 33.33.33.x address and can reach both OA and RD.
2. Both routers run OSPF as the routing protocol, with all interfaces in Area 0.
3. Configure split tunneling
Explanation: only certain subnets are sent through the VPN rather than all traffic (if I remember correctly).
RO_C show run is as follows:
RO_C#show run
Building configuration...
Current configuration : 2251 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RO_C
!
boot-start-marker
boot-end-marker
!
AAA section
aaa new-model
aaa authentication login VPN local
aaa authorization network VPN local
aaa session-id common
!
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
username coolking password 0 coolking
username cater password 0 cater
!
VPN section
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp client configuration address-pool local VPN_LOCAL
!
crypto isakmp client configuration group EZVPN
key CISCO
pool VPN_POOL
acl SPLIT_TUNNEL
!
crypto isakmp client configuration group RDVPN
key RDCISCO
pool VPN2_POOL
acl SPLIT_TUNNEL1
!
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
!
crypto dynamic-map DYNAMIC 10
set transform-set 3DES_MD5
reverse-route
!
crypto map VPN client authentication list VPN
crypto map VPN isakmp authorization list VPN
crypto map VPN client configuration address respond
crypto map VPN 20 ipsec-isakmp dynamic DYNAMIC
!
Interface section
interface Serial0/0
ip address 10.140.3.2 255.255.255.0
crypto map VPN
!
interface FastEthernet0/1
ip address 192.168.103.254 255.255.255.0
duplex auto
speed auto
!
interface Serial0/1
ip address 10.100.34.1 255.255.255.0
clock rate 128000
!
Routing section
router ospf 1
log-adjacency-changes
redistribute static metric 100 subnets    (redistribute the static routes to RO_D)
network 10.100.34.0 0.0.0.255 area 0
network 10.140.3.0 0.0.0.255 area 0
network 192.168.103.0 0.0.0.255 area 0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.140.3.1
!
Local pool section
ip local pool VPN_POOL 3.3.3.1 3.3.3.100
ip local pool VPN2_POOL 33.33.33.1 33.33.33.100
!
no ip http server
no ip http secure-server
!
ACL section
ip access-list extended SPLIT_TUNNEL
permit ip 192.168.103.0 0.0.0.255 any
ip access-list extended SPLIT_TUNNEL1
permit ip 192.168.103.0 0.0.0.255 any
permit ip 192.168.104.0 0.0.0.255 any
!
control-plane
!
line con 0
logging synchronous
line aux 0
line vty 0 4
!
end
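As an added example (not part of the original lab), a small Python audit of the chain the requirements describe: ISAKMP group, then address pool, then split-tunnel ACL. It parses a constructed excerpt of the RO_C configuration above and reports, per group, the pool range handed out and the subnets pushed to the client, and flags dangling references (in this config the global address-pool VPN_LOCAL has no matching ip local pool).

```python
import ipaddress
import re
# Constructed excerpt of the RO_C running-config shown above (group, pool and ACL lines only).
RO_C_CONFIG = """\
crypto isakmp client configuration address-pool local VPN_LOCAL
crypto isakmp client configuration group EZVPN
 pool VPN_POOL
 acl SPLIT_TUNNEL
crypto isakmp client configuration group RDVPN
 pool VPN2_POOL
 acl SPLIT_TUNNEL1
ip local pool VPN_POOL 3.3.3.1 3.3.3.100
ip local pool VPN2_POOL 33.33.33.1 33.33.33.100
ip access-list extended SPLIT_TUNNEL
 permit ip 192.168.103.0 0.0.0.255 any
ip access-list extended SPLIT_TUNNEL1
 permit ip 192.168.103.0 0.0.0.255 any
 permit ip 192.168.104.0 0.0.0.255 any
"""

def wildcard_to_network(addr, wildcard):
    # IOS ACL wildcards are inverted netmasks: "192.168.103.0 0.0.0.255" -> 192.168.103.0/24
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return str(ipaddress.IPv4Network(f"{addr}/{mask}", strict=False))

def parse_blocks(text):
    # Map each top-level command line to its indented sub-commands, each split into words
    blocks, current = {}, None
    for line in text.splitlines():
        if line.startswith(" "):
            blocks[current].append(line.split())
        else:
            current, blocks[line] = line, []
    return blocks

def audit(text):
    # Resolve the group -> pool -> split-tunnel ACL chain and flag dangling or missing references
    blocks = parse_blocks(text)
    pools = {m[1]: (m[2], m[3]) for m in re.finditer(r"^ip local pool (\S+) (\S+) (\S+)$", text, re.M)}
    acls = {m[1]: [wildcard_to_network(p[2], p[3]) for p in blocks[m[0]] if p[:2] == ["permit", "ip"]]
            for m in re.finditer(r"^ip access-list extended (\S+)$", text, re.M)}
    g = re.search(r"^crypto isakmp client configuration address-pool local (\S+)$", text, re.M)
    report, problems = {}, []
    if g and g[1] not in pools:
        problems.append(f"global address-pool {g[1]} has no matching 'ip local pool'")
    for m in re.finditer(r"^crypto isakmp client configuration group (\S+)$", text, re.M):
        attrs = dict(p[:2] for p in blocks[m[0]])  # key / pool / acl sub-commands
        if attrs.get("acl") not in acls:
            problems.append(f"group {m[1]}: split-tunnel ACL missing or undefined, all traffic is tunnelled")
        report[m[1]] = {"pool": pools.get(attrs.get("pool")), "split_tunnel": acls.get(attrs.get("acl"), [])}
    return report, problems
```

Running it against a saved show run is a quick way to confirm that the group meant for OA only is not pointed at an ACL that also covers RD.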
RO_D show run is as follows:
RO_D#sh run
Building configuration...
Current configuration : 1006 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RO_D
!
boot-start-marker
boot-end-marker
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
Interface section
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0
ip address 10.140.4.2 255.255.255.0
!
interface FastEthernet0/1
ip address 192.168.104.254 255.255.255.0
duplex auto
speed auto
!
interface Serial0/1
ip address 10.100.34.2 255.255.255.0
!
Routing section
router ospf 1
log-adjacency-changes
network 10.100.34.0 0.0.0.255 area 0
network 10.140.4.0 0.0.0.255 area 0
network 192.168.104.0 0.0.0.255 area 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
login
!
end