l2tp/ipsec remote access vpn on pix 7.2

network

l2tp/ipsec remote access vpn on pix 7.2 [/td]

PIX Version 7.2(1) ! interface Ethernet0 nameif outside security-level 0 ip address 58.135.192.7 255.255.255.192 ! interface Ethernet1 nameif inside security-level 100 ip address 10.0.0.254 255.255.255.0 ! access-list nonat permit ip 10.0.0.0 255.255.255.0 10.10.10.0 255.255.255.0 ip local pool l2tpoipsec 10.0.0.10-10.0.0.20 mask 255.255.255.0 route outside 0.0.0.0 0.0.0.0 58.135.192.62 1 nat (inside) 0 access-list nonat  //这个命令很重要，或者直接no nat-control group-policy l2tpoipsec internal group-policy l2tpoipsec attributes dns-server value 202.106.116.1 vpn-tunnel-protocol IPSec l2tp-ipsec  //必须要加IPsec，只有l2tp-ipsec的话是拨不通的 default-domain value cisco.com address-pools value l2tpoipsec username l2tpoipsec password diVqlLvH/KThxao5xxZ8XA== nt-encrypted  //在password后面加个mschap，这个也是必须的 crypto ipsec transform-set l2tpoipsec esp-3des esp-md5-hmac  //就用3des吧和md5，windows不支持aes，而且据我查的那个sha1好像是40位的，可能和pix的sha加密位数不一样 crypto ipsec transform-set l2tpoipsec mode transport  //必须加，l2tp协议所定 crypto dynamic-map dyn 10 set transform-set l2tpoipsec crypto map l2tpoipsec 10 ipsec-isakmp dynamic dyn crypto map l2tpoipsec interface outside crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption 3des  //和windows端是匹配的 hash md5 group 2 lifetime 86400 tunnel-group DefaultRAGroup general-attributes  //这个很重要，一定要使用DefaultRAGroup，因为l2tp是不支持group的 default-group-policy l2tpoipsec tunnel-group DefaultRAGroup ipsec-attributes pre-shared-key * tunnel-group DefaultRAGroup ppp-attributes authentication ms-chap-v2

展翅高飞

什么玩意啊！

network

要是高手话，就不用看了。晕晕