EzVPN configuration and a detailed explanation of the three modes

Posted 2008-2-17 20:44:41


1.1.1.0-------------SERVER---------------------------------CLIENT-------2.2.2.0
                                   12.1.1.0

=================
SERVER
aaa new-model
aaa authentication login remote local
aaa authorization network remote local
username cisco password 0 cisco
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
crypto isakmp client configuration group cisco  
key cisco
dns 12.1.1.100
domain cisco.com
pool cciepool
acl 101           split-tunnel list pushed to the client
crypto isakmp profile cisco
   match identity group cisco
   client authentication list remote
   isakmp authorization list remote
   client configuration address respond   the respond keyword means the router answers the client's request for IP address configuration
!
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto dynamic-map cisco 10    dynamic map (the remote peer's address is not known in advance)
set transform-set cisco
set isakmp-profile cisco
reverse-route
!
!
crypto map cisco 10 ipsec-isakmp dynamic cisco
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface Serial1/0
ip address 12.1.1.1 255.255.255.0
serial restart-delay 0
clock rate 64000
crypto map cisco
!
!
ip local pool cciepool 123.1.1.100 123.1.1.200
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
access-list 101 permit ip host 1.1.1.1 any              defines the client's split-tunnel list; note that the destination in this list is always any and the source is the server-side inside address
line con 0
exec-timeout 0 0
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
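The following script is an added example and not part of the original post. It checks the server configuration above for the two things a reviewer looks at first: weak IKE/IPsec algorithms (the policy above never sets `encryption`, so IOS falls back to DES, and it pairs that with MD5 and DH group 2; the transform set uses esp-des with esp-md5-hmac; all of this is fine for a lab but not for production) and the shape of the split-tunnel ACL the post describes (source is the server-side inside network, destination is `any`). `SERVER_CONFIG` is a constructed excerpt of that configuration with indentation restored; the weak-algorithm sets, `parse_blocks`, `audit_crypto` and `audit_split_tunnel` are the example's own and assume numbered ACLs as used on this page.

```python
"""Audit an IOS EzVPN server config for weak IKE/IPsec algorithms and for the
split-tunnel ACL convention described above.  Added example, not the post's own."""

# Constructed excerpt of the server config shown on this page (indentation added
# back; the forum stripped it).  Note: no "encryption" line under the policy.
SERVER_CONFIG = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
crypto isakmp client configuration group cisco
 key cisco
 pool cciepool
 acl 101
crypto ipsec transform-set cisco esp-des esp-md5-hmac
access-list 101 permit ip host 1.1.1.1 any
"""

# IOS fills these in when a policy does not set them explicitly.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1"}
WEAK_CIPHERS = {"des", "3des", "esp-des", "esp-3des", "esp-null"}
WEAK_HASHES = {"md5", "esp-md5-hmac"}
WEAK_DH_GROUPS = {"1", "2", "5"}            # below 2048-bit MODP


def parse_blocks(config):
    """Split an IOS config into (header, [indented sub-lines]) pairs."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_crypto(config):
    """Return one finding per weak algorithm in isakmp policies and transform sets."""
    findings = []
    for header, body in parse_blocks(config):
        if header.startswith("crypto isakmp policy"):
            params = dict(ISAKMP_DEFAULTS)
            for line in body:
                key, _, val = line.partition(" ")
                if key in params:
                    params[key] = val
            if params["encryption"] in WEAK_CIPHERS:
                findings.append(f"{header}: encryption {params['encryption']} is weak")
            if params["hash"] in WEAK_HASHES:
                findings.append(f"{header}: hash {params['hash']} is weak")
            if params["group"] in WEAK_DH_GROUPS:
                findings.append(f"{header}: DH group {params['group']} is weak")
        elif header.startswith("crypto ipsec transform-set"):
            name, *transforms = header.split()[3:]
            for t in transforms:
                if t in WEAK_CIPHERS or t in WEAK_HASHES:
                    findings.append(f"transform-set {name}: {t} is weak")
    return findings


def _addr_spec(tokens, i):
    """Parse one ACL address spec (any | host A | A wildcard); return (spec, next)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def audit_split_tunnel(config):
    """Check every numbered ACL pushed by a client configuration group: each permit
    entry should have a non-any source (server-side inside network) and destination any."""
    findings = []
    blocks = parse_blocks(config)
    acl_ids = [line.split()[1]
               for header, body in blocks
               if header.startswith("crypto isakmp client configuration group")
               for line in body if line.startswith("acl ")]
    for acl_id in acl_ids:
        entries = [h for h, _ in blocks if h.startswith(f"access-list {acl_id} ")]
        if not entries:
            findings.append(f"acl {acl_id}: referenced by the group but never defined")
        for entry in entries:
            tokens = entry.split()
            if tokens[2] != "permit":
                continue
            src, i = _addr_spec(tokens, 4)        # tokens[3] is the protocol
            dst, _ = _addr_spec(tokens, i)
            if src == "any":
                findings.append(f"{entry}: source any tunnels all client traffic (no split)")
            if dst != "any":
                findings.append(f"{entry}: destination must be any")
    return findings


if __name__ == "__main__":
    for finding in audit_crypto(SERVER_CONFIG) + audit_split_tunnel(SERVER_CONFIG):
        print(finding)
```

Run against the excerpt, the script reports five weak-algorithm findings (DES by default, MD5, group 2, esp-des, esp-md5-hmac) and no split-tunnel findings; a policy with `encryption aes 256`, `hash sha256` and `group 14` passes clean.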
=================
CLIENT

ip cef
ip name-server 12.1.1.100
crypto ipsec client ezvpn cisco                          
connect manual
group cisco key cisco
mode client
peer 12.1.1.1
xauth userid mode interactive
!
interface Loopback0
ip address 2.2.2.2 255.255.255.0
crypto ipsec client ezvpn cisco inside
!
interface Loopback1
ip address 123.1.1.100 255.255.255.255
interface Serial1/1
ip address 12.1.1.2 255.255.255.0
serial restart-delay 0
clock rate 64000
crypto ipsec client ezvpn cisco outside
ip route 0.0.0.0 0.0.0.0 s1/1
========================
Verification:
client#crypto ipsec client ezvpn connect      command to connect to the SERVER
*Mar  1 00:03:39.311: EZVPN(cisco): Pending XAuth Request, Please enter the following command:
*Mar  1 00:03:39.315: EZVPN: crypto ipsec client ezvpn xauth

client#crypto ipsec client ezvpn xauth     prompts for the username and password
Username: cisco
Password:
client#sh crypto ipsec client ezvpn           shows the information obtained from the server
Easy VPN Remote Phase: 4
Tunnel name : cisco
Inside interface list: Loopback0
Outside interface: Serial1/1
Current State: IPSEC_ACTIVE
Last Event: CONNECT
Address: 123.1.1.100
Mask: 255.255.255.255
DNS Primary: 12.1.1.100
Default Domain: cisco.com
Save Password: Disallowed
Split Tunnel List: 1
       Address    : 1.1.1.1
       Mask       : 255.255.255.255
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: 12.1.1.1
==============================
Client mode:
client#ping 1.1.1.1 source 2.2.2.2 re 10
Client#show ip nat tr
Pro Inside global      Inside local       Outside local      Outside global
icmp 123.1.1.100:0     2.2.2.2:0          1.1.1.1:0          1.1.1.1:0
PAT is done automatically.
A loopback interface appears on the Easy VPN Remote; when a user behind the Remote needs to reach a host behind the Easy VPN Server, the Remote automatically PATs the traffic to the loopback interface's address.

If split tunneling is configured on the Server, when a user behind the Remote needs to reach an Internet host, the Remote automatically PATs the traffic to the outside interface's address, which makes this mode convenient for Internet access.
Client#ping 10.10.10.10 source 2.2.2.2 re 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 32/59/124 ms
Client#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 12.1.1.2:1        2.2.2.2:1          10.10.10.10:1      10.10.10.10:1
=========================================
Network-extension mode:
1. When accessing the Server-side internal network (the networks in the split-tunnel list), no address has been assigned to the Remote in this mode: the real IP address is used and no translation is performed.

2. When accessing other networks, such as the Internet, PAT is performed: the inside address (2.2.2.2) is translated to the outside interface address (12.1.1.2).
Client#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 12.1.1.2:4        2.2.2.2:4          10.10.10.10:4      10.10.10.10:4
=================================
Network-plus mode:
The Remote is assigned an address; traffic to the Server's internal network is not PATed, but traffic to other networks is PATed to the outside address 12.1.1.2.
Client#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 4
Tunnel name : cisco
Inside interface list: Loopback0
Outside interface: Serial1/1
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 123.1.1.101
Mask: 255.255.255.255
DNS Primary: 12.1.1.100
Default Domain: cisco.com
Save Password: Disallowed
Split Tunnel List: 1
       Address    : 1.1.1.1
       Mask       : 255.255.255.255
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: 12.1.1.1
Client#ping 10.10.10.10 source 2.2.2.2 repeat 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 24/41/60 ms
Client#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 12.1.1.2:6        2.2.2.2:6          10.10.10.10:6      10.10.10.10:6
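The script below is an added example, not code from the original post. It turns the behaviour described for the three modes, together with the `show crypto ipsec client ezvpn` output above, into something checkable: it parses the assigned address and the split-tunnel list out of that output, predicts which source address the Remote should put on a packet for a given destination in client, network-extension and network-plus mode, and compares the `show ip nat translations` rows captured on this page against that prediction. The embedded show outputs are copied from the captures above; the inside host 2.2.2.2 and outside interface 12.1.1.2 are the lab's addresses; `parse_ezvpn_status`, `expected_source` and `check_translations` are the example's own names.

```python
"""Model the source address an EzVPN Remote uses in each mode and check it
against 'show ip nat translations'.  Added example, not from the original post."""
import ipaddress
import re

# Copied from the post's "show crypto ipsec client ezvpn" capture (client mode).
EZVPN_STATUS = """\
Easy VPN Remote Phase: 4
Tunnel name : cisco
Inside interface list: Loopback0
Outside interface: Serial1/1
Current State: IPSEC_ACTIVE
Address: 123.1.1.100
Mask: 255.255.255.255
Split Tunnel List: 1
       Address    : 1.1.1.1
       Mask       : 255.255.255.255
       Protocol   : 0x0
Current EzVPN Peer: 12.1.1.1
"""
# NAT tables copied from the post's client-mode and network-extension captures.
CLIENT_MODE_NAT = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 123.1.1.100:0     2.2.2.2:0          1.1.1.1:0          1.1.1.1:0
icmp 12.1.1.2:1        2.2.2.2:1          10.10.10.10:1      10.10.10.10:1
"""
NETWORK_EXT_NAT = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 12.1.1.2:4        2.2.2.2:4          10.10.10.10:4      10.10.10.10:4
"""
# Lab addresses from the page: the Remote's inside host and outside interface.
INSIDE_HOST = "2.2.2.2"
OUTSIDE_IF = "12.1.1.2"


def parse_ezvpn_status(text):
    """Extract the assigned address and the pushed split-tunnel list."""
    status = {"address": None, "mask": None, "split": []}
    entry = None
    for raw in text.splitlines():
        key, sep, val = (s.strip() for s in raw.partition(":"))
        if not sep:
            continue
        if raw.startswith(" "):            # indented lines belong to split entries
            if key == "Address":
                entry = {"address": val}
                status["split"].append(entry)
            elif key == "Mask" and entry is not None:
                entry["mask"] = val
        elif key in ("Address", "Mask"):
            status[key.lower()] = val
    status["split"] = [ipaddress.ip_network(f"{e['address']}/{e['mask']}")
                       for e in status["split"]]
    return status


STATUS = parse_ezvpn_status(EZVPN_STATUS)


def expected_source(mode, dst, status=STATUS, inside=INSIDE_HOST, outside=OUTSIDE_IF):
    """Source address the Remote puts on a packet from `inside` to `dst`, per mode.

    client:            tunnelled traffic is PATed to the assigned (loopback) address,
                       everything else to the outside interface.
    network-extension: tunnelled traffic keeps its real source; the rest is PATed
                       to the outside interface.
    network-plus:      as network-extension; the assigned address is not used for
                       data-plane PAT.
    """
    tunnelled = any(ipaddress.ip_address(dst) in net for net in status["split"])
    if mode == "client":
        return status["address"] if tunnelled else outside
    if mode in ("network-extension", "network-plus"):
        return inside if tunnelled else outside
    raise ValueError(f"unknown ezvpn mode {mode!r}")


NAT_ROW = re.compile(r"^(\S+)\s+(\S+):\d+\s+(\S+):\d+\s+(\S+):\d+\s+(\S+):\d+$")


def check_translations(mode, nat_output):
    """Return one message per NAT row whose inside-global address is not what
    expected_source() predicts.  Tunnelled traffic in the two network modes must
    not appear in the table at all, so any such row is reported as a mismatch."""
    problems = []
    for line in nat_output.splitlines():
        m = NAT_ROW.match(line.strip())
        if not m:                          # header line
            continue
        _proto, inside_global, inside_local, outside_local, _og = m.groups()
        want = expected_source(mode, outside_local)
        if inside_global != want:
            problems.append(f"{inside_local}->{outside_local}: got {inside_global}, "
                            f"expected {want}")
    return problems


if __name__ == "__main__":
    print("client:", check_translations("client", CLIENT_MODE_NAT))
    print("network-extension:", check_translations("network-extension", NETWORK_EXT_NAT))
    print("network-extension vs client table:",
          check_translations("network-extension", CLIENT_MODE_NAT))
```

The client-mode table checks clean against the client rules, and the network-extension table checks clean against both network modes; feeding the client-mode table to the network-extension rules flags the 2.2.2.2 to 1.1.1.1 row, because in that mode traffic into the tunnel must keep its real source and never show up as a translation.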