Router and Router
Contents
1. PIX to PIX
2. VPN configuration between routers
3. VPN between routers, and between a router and the VPN Client

1. PIX to PIX

PIX Central

Building configuration...
: Saved
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix-central
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
! This is traffic to PIX 2.
access-list 120 permit ip
! This is traffic to PIX 3.
access-list 130 permit ip
! Do not do Network Address Translation (NAT) on traffic to other PIXes.
access-list 100 permit ip
access-list 100 permit ip
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 53
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
! Do not do NAT on traffic to other PIXes.
nat (inside) 0 access-list 100
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
! This is traffic to PIX 2.
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address 120
crypto map newmap 20 set peer 54
crypto map newmap 20 set transform-set myset
! This is traffic to PIX 3.
crypto map newmap 30 ipsec-isakmp
crypto map newmap 30 match address 130
crypto map newmap 30 set peer 57
crypto map newmap 30 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key * address 54 netmask 55 no-xauth no-config-mode
isakmp key * address 57 netmask 55 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end

PIX 2

Building configuration...
: Saved
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix2
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
! This is traffic to PIX Central.
access-list 110 permit ip
! Do not do NAT on traffic to PIX Central.
access-list 100 permit ip
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 54
ip address inside
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 14400
! Do not do NAT on traffic to PIX Central.
nat (inside) 0 access-list 100
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
! This is traffic to PIX Central.
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
crypto map newmap 10 set peer 53
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key * address 53 netmask 55 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end

PIX 3 Configuration

Building configuration...
: Saved
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix3
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
! This is traffic to PIX Central.
access-list 110 permit ip
! Do not do NAT on traffic to PIX Central.
access-list 100 permit ip
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 57
ip address inside
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 14400
! Do not do NAT on traffic to PIX Central.
nat (inside) 0 access-list 100
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
! This is traffic to PIX Central.
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
crypto map newmap 10 set peer 53
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key * address 53 netmask 55 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:aa3bbd8c6275d214b153e1e0bc0173e4
: end

2. VPN configuration between routers

Hub Router

2503#show running-config
Building configuration...
Current configuration : 1466 bytes
version 12.2
service timestamps debug datetime msec
service timestamps log uptime
no service password-encryption
!
hostname 2503
ip subnet-zero
! Configuration for IKE policies.
crypto isakmp policy 10
! Enables the IKE policy configuration (config-isakmp)
! command mode, where you can specify the parameters that
! are used during an IKE negotiation.
hash md5
authentication pre-share
crypto isakmp key cisco123 address
crypto isakmp key cisco123 address
! Specifies the preshared key cisco123 which should
! be identical at both peers. This is a global
! configuration mode command.
! Configuration for IPSec policies.
crypto ipsec transform-set myset esp-des esp-md5-hmac
! Enables the crypto transform configuration mode,
! where you can specify the transform sets that are used
! during an IPSec negotiation.
crypto map mymap 10 ipsec-isakmp
! Indicates that IKE is used to establish
! the IPSec security association for protecting the
! traffic specified by this crypto map entry.
set peer
! Sets the IP address of the remote end.
set transform-set myset
! Configures IPSec to use the transform-set
! myset defined earlier in this configuration.
match address 110
! Specifies the traffic to be encrypted.
crypto map mymap 20 ipsec-isakmp
set peer
set transform-set myset
match address 120
interface Loopback0
ip address
!
interface Ethernet0
ip address
no ip route-cache
! You must enable process switching for IPSec
! to encrypt outgoing packets. This command disables fast switching.
no ip mroute-cache
crypto map mymap
! Configures the interface to use the
! crypto map mymap for IPSec.
! Output suppressed.
ip classless
ip route Ethernet0
ip route Ethernet0
ip route Ethernet0
ip http server
!
access-list 110 permit ip 55 55
access-list 110 permit ip 55 55
access-list 120 permit ip 55 55
access-list 120 permit ip 55 55
! This crypto ACL-permit identifies the
! matching traffic flows to be protected via encryption.

Spoke 1 Router

2509a#show running-config
Building configuration...
Current configuration : 1203 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log uptime
no service password-encryption
!
hostname 2509a
!
enable secret 5 $1$DOX3$rIrxEnTVTw/7LNbxi.akz0
!
ip subnet-zero
no ip domain-lookup
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer
set transform-set myset
match address 110
interface Loopback0
ip address
!
interface Ethernet0
ip address
no ip route-cache
no ip mroute-cache
crypto map mymap
! Output suppressed.
ip classless
ip route Ethernet0
ip route Ethernet0
ip route Ethernet0
no ip http server
access-list 110 permit ip 55 55
access-list 110 permit ip 55 55
end
2509a#

Spoke 2 Router

VPN2509#show running-config
Building configuration...
Current configuration : 1117 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log uptime
service password-encryption
!
hostname VPN2509
ip subnet-zero
no ip domain-lookup
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer
set transform-set myset
match address 120
interface Loopback0
ip address
!
interface Ethernet0
ip address
! No ip route-cache.
no ip mroute-cache
crypto map mymap
! Output suppressed.
ip classless
ip route Ethernet0
ip route Ethernet0
ip route Ethernet0
no ip http server
!
access-list 120 permit ip 55 55
access-list 120 permit ip 55 55
!
end

3. VPN between routers, and between a router and the VPN Client

Cisco 2611 Router

vpn2611#show run
Building configuration...
Current configuration : 2265 bytes
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname vpn2611
! Enable aaa for user authentication
! and group authorization.
aaa new-model
! To enable X-Auth for user authentication,
! enable the aaa authentication commands.
aaa authentication login userauthen local
! To enable group authorization, enable
! the aaa authorization commands.
aaa authorization network groupauthor local
aaa session-id common
! For local authentication of the IPSec user,
! create the user with password.
username cisco password 0 cisco
ip subnet-zero
ip audit notify log
ip audit po max-events 100
! Create an Internet Security Association and
! Key Management Protocol (ISAKMP)
! policy for Phase 1 negotiations for the VPN 3.x clients.
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
! Create an ISAKMP policy for Phase 1
! negotiations for the LAN-to-LAN tunnels.
crypto isakmp policy 10
hash md5
authentication pre-share
! Specify the PreShared key for the LAN-to-LAN tunnel.
! Make sure that you use the
! no-xauth parameter with your ISAKMP key.
crypto isakmp key cisco123 address 99 no-xauth
! Create a group that will be used to
! specify the WINS, DNS servers address
! to the client, along with the pre-shared
! key for authentication.
crypto isakmp client configuration group 3000client
key cisco123
dns 0
wins 0
domain
pool ippool
! Create the Phase 2 Policy for actual data encryption.
crypto ipsec transform-set myset esp-3des esp-md5-hmac
! Create a dynamic map and apply
! the transform set that was created above.
crypto dynamic-map dynmap 10
set transform-set myset
! Create the actual crypto map, and
! apply the aaa lists that were created
! earlier. Also create a new instance for your
! LAN-to-LAN tunnel. Specify the peer IP address,
! transform set and an Access Control List (ACL) for this
! instance.
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 1 ipsec-isakmp
set peer 99
set transform-set myset
match address 100
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
fax interface-type fax-mail
mta receive maximum-recipients 0
! Apply the crypto map on the outside interface.
interface Ethernet0/0
ip address 59
half-duplex
crypto map clientmap
!
interface Serial0/0
no ip address
shutdown
interface Ethernet0/1
ip address
no keepalive
half-duplex
! Create a pool of addresses to be
! assigned to the VPN Clients.
ip local pool ippool 00 00
ip classless
ip route
ip http server
ip pim bidir-enable
! Create an ACL for the traffic
! to be encrypted. In this example,
! the traffic from /24 to /24
! would be encrypted.
access-list 100 permit ip 55 55
!
snmp-server community foobar RO
call rsvp-sync
!
mgcp profile default
!
dial-peer
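All three sections above negotiate IKE phase 1 with DES or 3DES, MD5 and DH group 1 or 2, and protect traffic with esp-des/esp-3des and esp-md5-hmac. As an added example (not code from the original document or from Cisco), the following Python script parses both the PIX 6.x one-line "isakmp policy N ..." syntax and the IOS "crypto isakmp policy N" block syntax shown in these configs, applies the defaults a router uses when an attribute line is omitted, and reports the weak settings; the sample configs, the judgement table of what counts as weak, and the hardened counterpart are constructed for this example.

```python
import re

# Constructed judgement table for this example (not from the page): the DES,
# 3DES, MD5 and DH group 1/2 settings used in these configs are weak today.
WEAK_ALGS = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}
WEAK_GROUPS = {"1", "2", "5"}
# Defaults PIX/IOS apply when a policy attribute line is omitted.
DEFAULTS = {"encr": "des", "hash": "sha", "group": "1"}

def parse_policies(config):
    """Return {policy_id: attrs} from PIX 6.x one-line and IOS block syntax."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        # PIX 6.x style: "isakmp policy 10 encryption des"
        m = re.match(r"isakmp policy (\d+) (authentication|encryption|hash|group|lifetime) (\S+)", line)
        if m:
            pid, attr, val = m.groups()
            policies.setdefault(pid, dict(DEFAULTS))[attr.replace("encryption", "encr")] = val
        elif (m := re.match(r"crypto isakmp policy (\d+)", line)):  # IOS block header
            current = m.group(1)
            policies.setdefault(current, dict(DEFAULTS))
        elif current is not None:  # inside an IOS policy block
            if (m := re.match(r"(encr|hash|group|authentication|lifetime) (\S+)", line)):
                policies[current][m.group(1)] = m.group(2)
            elif not line.startswith("!"):
                current = None  # any other command closes the policy block
    return policies

def audit(config):
    """List weak IKE phase 1 attributes and weak IPsec transform-set algorithms."""
    findings = []
    for pid, p in parse_policies(config).items():
        for attr in ("encr", "hash"):
            if p[attr] in WEAK_ALGS:
                findings.append(f"isakmp policy {pid}: weak {attr} {p[attr]}")
        if p["group"] in WEAK_GROUPS:
            findings.append(f"isakmp policy {pid}: weak group {p['group']}")
    for m in re.finditer(r"crypto ipsec transform-set (\S+) (.+)", config):
        for alg in m.group(2).split():
            if alg in WEAK_ALGS:
                findings.append(f"transform-set {m.group(1)}: weak {alg}")
    return findings

# Constructed IOS-syntax sample mirroring the vpn2611 policies on the page
# (policy 10 leaves encryption at its DES default).
IOS_SAMPLE = ("crypto isakmp policy 3\nencr 3des\nauthentication pre-share\ngroup 2\n"
              "crypto isakmp policy 10\nhash md5\nauthentication pre-share\n"
              "crypto ipsec transform-set myset esp-3des esp-md5-hmac\n")
# Constructed hardened counterpart: AES-256, SHA-256 and DH group 14 audit clean.
HARDENED = ("crypto isakmp policy 10\nencr aes 256\nhash sha256\nauthentication pre-share\n"
            "group 14\ncrypto ipsec transform-set strong esp-aes 256 esp-sha256-hmac\n")
```

Run `audit()` over a saved "show running-config" to get one finding per weak attribute; an empty list means every policy and transform set passed.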