Easy VPN & DVTI


! AAA authentication and authorization required for Xauth

aaa new-model
!
!
aaa authentication login noacs line none
aaa authentication login remote local
aaa authorization network remote local
!

!

! Username and password used for Xauth user authentication
username remote password 0 cisco

!
!        
!

! Phase 1 (ISAKMP) SA parameters
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
!


! Easy VPN remote group parameters
crypto isakmp client configuration group remote
key cisco
pool remotepool


! ISAKMP profile and the parameters bound to it
crypto isakmp profile IsaProfile
   match identity group remote
   client authentication list remote
   isakmp authorization list remote
   client configuration address respond
   virtual-template 10


! IPSec encryption and authentication parameters
crypto ipsec transform-set Trans esp-des esp-md5-hmac
! IPSec profile and the parameters bound to it
crypto ipsec profile IPSecProfile
set transform-set Trans
set isakmp-profile IsaProfile
!
!
!
!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 202.100.1.1 255.255.255.0
duplex auto
speed auto
! Configure the virtual-template
interface Virtual-Template10 type tunnel
ip unnumbered FastEthernet0/0
tunnel source FastEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSecProfile
! Address pool for VPN users
ip local pool remotepool 192.168.1.150 192.168.1.200

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0


There are two ways to build a remote-access IPSec VPN:

1. Cisco Easy VPN

(1) Without crypto isakmp profile: the remote user group parameters are configured with global commands.

(2) With crypto isakmp profile

When a router carries several types of VPN at the same time, for example both LAN-to-LAN (L2L) and remote-access VPN, crypto isakmp profile is required.

Because of the advantages of crypto isakmp profile, it is recommended to use it whenever a remote VPN is deployed, whether or not the router carries several VPN types.

2. Dynamic virtual tunnel interface (DVTI)

isakmp profile + ipsec profile + interface virtual-template

Cisco introduced the dynamic virtual tunnel interface (DVTI) method to scale IPSec-based remote-access VPN.

For each remote VPN connection, DVTI provides a unique, on-demand virtual-access interface cloned from the virtual-template configuration.
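The configuration above and the "isakmp profile + ipsec profile + interface virtual-template" summary both describe one reference chain: the ISAKMP profile names the client group, the AAA lists and the Virtual-Template; the IPSec profile names the transform set and the ISAKMP profile; the Virtual-Template names the IPSec profile; and the group names the address pool. A broken link anywhere in that chain means no virtual-access interface is cloned. The following is an added example, not part of the original page and not Cisco code: a Python script that parses an IOS running-config exported as text, checks that every link in the chain resolves, and flags the weak lab settings the page uses (DES by default in the ISAKMP policy, MD5, DH group 2, esp-des/esp-md5-hmac, and the type-0 "cisco" secrets). The sample config is constructed from the page's commands, re-indented the way IOS prints child commands; the replacement keywords it suggests (aes 256, sha256, group 14, esp-aes 256, esp-sha256-hmac) are assumed to be available on the IOS release in use.

```python
"""Added example (not from the page): audit an IOS Easy VPN / DVTI server configuration."""
import re

# Constructed sample: the page's server configuration, re-indented the way IOS prints it.
SAMPLE_CONFIG = """\
aaa authentication login remote local
aaa authorization network remote local
username remote password 0 cisco
crypto isakmp policy 10
 hash md5
 group 2
crypto isakmp client configuration group remote
 key cisco
 pool remotepool
crypto isakmp profile IsaProfile
   match identity group remote
   client authentication list remote
   isakmp authorization list remote
   virtual-template 10
crypto ipsec transform-set Trans esp-des esp-md5-hmac
crypto ipsec profile IPSecProfile
 set transform-set Trans
 set isakmp-profile IsaProfile
interface Virtual-Template10 type tunnel
 tunnel protection ipsec profile IPSecProfile
ip local pool remotepool 192.168.1.150 192.168.1.200
"""

# parent-command regex -> [(child prefix, top-level command the child's argument must resolve to)]
CHAIN = [
    (r"crypto isakmp profile \S+$", [
        ("match identity group", "crypto isakmp client configuration group {}"),
        ("client authentication list", "aaa authentication login {}"),
        ("isakmp authorization list", "aaa authorization network {}"),
        ("virtual-template", "interface Virtual-Template{}")]),
    (r"crypto isakmp client configuration group \S+$", [("pool", "ip local pool {}")]),
    (r"crypto ipsec profile \S+$", [("set transform-set", "crypto ipsec transform-set {}"),
                                    ("set isakmp-profile", "crypto isakmp profile {}")]),
    (r"interface Virtual-Template\d+ type tunnel$", [("tunnel protection ipsec profile", "crypto ipsec profile {}")]),
]
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}

def parse_sections(config):
    """Map each unindented IOS command to the list of its indented child commands."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blanks and IOS '!' separators
        if not raw[0].isspace():
            current = raw.strip()
            sections[current] = []
        elif current:
            sections[current].append(raw.strip())
    return sections

def _child(body, prefix):  # argument of the first child command starting with prefix, or None
    return next((c[len(prefix) + 1:] for c in body if c.startswith(prefix + " ")), None)

def _exists(sections, cmd):  # a top-level command equal to cmd, or cmd followed by more arguments
    return any(h == cmd or h.startswith(cmd + " ") for h in sections)

def check_chain(sections):
    """Report every reference in the DVTI binding chain that does not resolve."""
    problems = []
    for head, body in sections.items():
        for pattern, refs in CHAIN:
            if not re.match(pattern, head):
                continue
            for child, target in refs:
                val = _child(body, child)
                if val is None:
                    problems.append(f"{head}: missing '{child}'")
                elif not _exists(sections, target.format(val)):
                    problems.append(f"{head}: '{child} {val}' refers to undefined '{target.format(val)}'")
    return problems

def check_crypto(sections):
    """Flag weak IKE/IPsec algorithms and secrets kept as cleartext (type 0)."""
    findings = []
    for head, body in sections.items():
        if head.startswith("crypto isakmp policy "):
            # IOS defaults for an absent line: encryption des, hash sha, group 1
            algs = {c.split()[0]: c.split()[1] for c in body}
            enc, hsh, grp = algs.get("encryption", "des"), algs.get("hash", "sha"), algs.get("group", "1")
            if enc in ("des", "3des"):
                findings.append(f"{head}: encryption {enc} -> use 'encryption aes 256'")
            if hsh == "md5":
                findings.append(f"{head}: hash md5 -> use 'hash sha256'")
            if grp in ("1", "2", "5"):
                findings.append(f"{head}: group {grp} -> use 'group 14' or stronger")
        elif head.startswith("crypto ipsec transform-set "):
            weak = [t for t in head.split()[4:] if t in WEAK_ESP]
            if weak:
                findings.append(f"{head}: {' '.join(weak)} -> use 'esp-aes 256 esp-sha256-hmac'")
        elif re.match(r"username \S+ password 0 ", head):
            findings.append(f"{head.split()[1]}: type-0 password -> use 'username {head.split()[1]} secret ...'")
        if head.startswith("crypto isakmp client configuration group ") and _child(body, "key"):
            findings.append(f"{head}: pre-shared key is stored in cleartext in the running config")
    return findings

if __name__ == "__main__":
    cfg = parse_sections(SAMPLE_CONFIG)
    print("\n".join(check_chain(cfg) + ["WEAK: " + f for f in check_crypto(cfg)]))
```

Run against the sample, check_chain() returns nothing (every link resolves) and check_crypto() returns six findings; delete the ip local pool line and check_chain() reports the dangling pool reference from the group. The chain table is the point of the script: it is the same list of bindings the page gives in prose, so adding a new link (for example a second ISAKMP profile with its own Virtual-Template) is one more table entry rather than new code.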