Easy VPN configuration on the router (R1 is the Easy VPN server, R3 is an IOS hardware client)

R1(config)#aaa new-model                                         ! enable AAA
R1(config)#aaa authentication login vpn_authen local             ! XAUTH (user) authentication list, local database
R1(config)#aaa authorization network vpn_author local            ! group authorization list, local database
R1(config)#username cisco password cisco                         ! XAUTH user; "password" is stored reversibly, use "username cisco secret ..." in production
R1(config)#crypto isakmp policy 10                               ! phase 1 (IKEv1) SA parameters
R1(config-isakmp)#encryption aes 128
R1(config-isakmp)#hash sha                                       ! SHA-1; DH group 2 and SHA-1 are the weakest settings here, prefer group 14 and sha256 where the IOS release supports them
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#exit
R1(config)#ip local pool vpn_pool 192.168.1.1 192.168.1.200      ! address pool handed out to clients
R1(config)#access-list 101 permit ip 10.10.1.0 0.0.0.255 any     ! split-tunnel ACL: only traffic to 10.10.1.0/24 goes through the tunnel
R1(config)#crypto isakmp client configuration group vpn_group    ! Easy VPN group and its attributes
R1(config-isakmp-group)#key groupkey                             ! group pre-shared key; must match the key configured on every client
R1(config-isakmp-group)#pool vpn_pool
R1(config-isakmp-group)#acl 101
R1(config-isakmp-group)#exit
R1(config)#crypto ipsec transform-set vpn_transform esp-aes esp-sha-hmac   ! phase 2 transform set
R1(config-crypto-trans)#exit
R1(config)#crypto dynamic-map vpn_dymap 10                       ! dynamic crypto map entry (client addresses are not known in advance)
R1(config-crypto-map)#set transform-set vpn_transform
R1(config-crypto-map)#exit

Static crypto map entry and XAUTH binding:

R1(config)#crypto map mymap client authentication list vpn_authen   ! XAUTH users are checked against the vpn_authen list
R1(config)#crypto map mymap isakmp authorization list vpn_author    ! group attributes (pool, ACL, key) come from the vpn_author list
R1(config)#crypto map mymap client configuration address respond    ! push an address when the client asks for one
R1(config)#crypto map mymap 1000 ipsec-isakmp dynamic vpn_dymap     ! reference the dynamic map from the static map
R1(config)#int S1/0
R1(config-if)#crypto map mymap                                      ! apply the crypto map to the interface

Easy VPN group settings for the hardware client (the same group re-entered with save-password, so that R3 can store its XAUTH password and connect without a user typing it):

R1(config)#crypto isakmp client configuration group vpn_group
R1(config-isakmp-group)#key groupkey
R1(config-isakmp-group)#pool vpn_pool
R1(config-isakmp-group)#acl 101
R1(config-isakmp-group)#save-password
R1(config-isakmp-group)#exit

Two things to keep in mind with this group: save-password means the XAUTH credential sits in the client's configuration, and Easy VPN with a group pre-shared key negotiates IKEv1 in aggressive mode, so the hash of the group key is visible to anyone who can capture the first exchange and can be attacked offline. Use a long random group key, or certificates instead of a pre-shared key, and treat the group key as a secret shared with every hardware client.

R3 Easy VPN hardware client configuration:

1. Create the connection profile:
R3(config)#crypto ipsec client ezvpn myeasyvpn
2. Bring the tunnel up automatically:
R3(config-crypto-ezvpn)#connect auto
3. Name the server group this client belongs to and give that group's pre-shared key (the group name must match the server's vpn_group exactly; the page originally used vpn-group here, which would not match):
R3(config-crypto-ezvpn)#group vpn_group key groupkey
4. Connection mode (network-extension keeps the client's inside subnet reachable from the server side instead of hiding it behind a pool address):
R3(config-crypto-ezvpn)#mode network-extension
5. Other settings, the server address:
R3(config-crypto-ezvpn)#peer 200.1.1.1
R3(config-crypto-ezvpn)#exit

The profile still has to be bound to R3's interfaces (crypto ipsec client ezvpn myeasyvpn inside on the LAN interface, crypto ipsec client ezvpn myeasyvpn on the interface facing 200.1.1.1); the page does not show R3's interface names. Once both sides are configured, show crypto isakmp sa and show crypto ipsec sa on R1, and show crypto ipsec client ezvpn on R3, confirm that the phase 1 and phase 2 SAs are up.
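An added example, not from the original page: a small Python audit that parses IOS configuration text in the shape shown above (unindented headers with indented sub-mode lines) and reports the weaknesses a reviewer would flag in this Easy VPN setup: a reversible username password, the IKEv1 policy's SHA-1 and DH group 2, the aggressive-mode exposure that comes with a group pre-shared key, save-password on the group, and a client profile whose group name or key does not match the server. The sample configs are constructed from the R1 and R3 commands above (vpn_ names as used there, with R3's group name deliberately kept as the hyphenated vpn-group that the page originally had so the mismatch check has something to find); the IOS defaults assumed when a policy line is omitted (DES, SHA-1, group 1) are the documented IKEv1 policy defaults.

```python
"""Audit an IOS Easy VPN server/client pair for weak or inconsistent settings."""
# Constructed sample: the relevant parts of R1 (server) and R3 (hardware client)
# from the configuration above. R3's group name deliberately keeps the page's
# hyphen (vpn-group) against the server's underscore (vpn_group).
SAMPLE_R1 = """\
username cisco password cisco
crypto isakmp policy 10
 encryption aes 128
 hash sha
 authentication pre-share
 group 2
crypto isakmp client configuration group vpn_group
 key groupkey
 pool vpn_pool
 acl 101
 save-password
"""
SAMPLE_R3 = """\
crypto ipsec client ezvpn myeasyvpn
 connect auto
 group vpn-group key groupkey
 mode network-extension
 peer 200.1.1.1
"""

WEAK_DH_GROUPS = {"1", "2", "5"}   # MODP groups below 2048 bits
WEAK_HASHES = {"md5", "sha"}       # plain "sha" on IOS is SHA-1
WEAK_CIPHERS = {"des", "3des"}

def parse_blocks(config):
    """Split an IOS config into (header, children): an indented line belongs
    to the most recent unindented line."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def child_args(children, keyword):
    """Arguments of the first child line starting with keyword, else None."""
    for line in children:
        parts = line.split()
        if parts[0] == keyword:
            return parts[1:]
    return None

def audit_server(config):
    """Return (findings, {group_name: group_key}) for the server config."""
    findings, groups = [], {}
    for header, children in parse_blocks(config):
        w = header.split()
        if header.startswith("crypto isakmp policy "):
            pol = w[3]
            enc = child_args(children, "encryption")
            cipher = enc[0] if enc else "des"                # IOS default when omitted
            if cipher in WEAK_CIPHERS:
                findings.append(f"isakmp policy {pol}: weak cipher {cipher}")
            hsh = child_args(children, "hash")
            if (hsh[0] if hsh else "sha") in WEAK_HASHES:    # default hash is SHA-1
                findings.append(f"isakmp policy {pol}: SHA-1/MD5 integrity, prefer sha256")
            dh = (child_args(children, "group") or ["1"])[0]  # IOS default is group 1
            if dh in WEAK_DH_GROUPS:
                findings.append(f"isakmp policy {pol}: DH group {dh} is weak, use 14 or higher")
        elif w[0] == "username" and "password" in w:
            findings.append(f"username {w[1]}: 'password' is stored reversibly, use 'secret'")
        elif header.startswith("crypto isakmp client configuration group "):
            name = w[5]
            key = child_args(children, "key")
            groups[name] = key[0] if key else None
            if key:
                findings.append(f"group {name}: group PSK implies IKEv1 aggressive mode, "
                                "whose PSK hash can be sniffed and cracked offline")
            if "save-password" in children:
                findings.append(f"group {name}: save-password lets clients store the XAUTH password")
    return findings, groups

def audit_client(config, server_groups):
    """Check each ezvpn profile's group name and key against the server table."""
    findings = []
    for header, children in parse_blocks(config):
        if not header.startswith("crypto ipsec client ezvpn "):
            continue
        profile = header.split()[4]
        grp = child_args(children, "group") or []        # ["<name>", "key", "<key>"]
        name = grp[0] if grp else None
        key = grp[2] if len(grp) > 2 else None
        if name not in server_groups:
            findings.append(f"profile {profile}: group '{name}' is not defined on the server")
        elif server_groups[name] != key:
            findings.append(f"profile {profile}: group key differs from the server's key for '{name}'")
    return findings

def audit(server_cfg, client_cfg):
    server_findings, groups = audit_server(server_cfg)
    return server_findings + audit_client(client_cfg, groups)
```

Run audit(SAMPLE_R1, SAMPLE_R3) to get the six findings for the page's configuration; fixing R3's group name to vpn_group clears the client finding, and a policy with aes 256, sha256 and group 14 produces no policy findings. The same parser works on the output of show running-config, so the check can be run against a live router rather than a pasted snippet.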
Easy VPN configuration on the ASA

ASA(config)#username cisco password cisco                        ! XAUTH (user) authentication
ASA(config)#crypto isakmp enable outside                          ! enable IKE on the outside interface
ASA(config)#crypto isakmp policy 10                               ! phase 1 SA parameters (hash defaults to SHA-1; group 2 is weak, prefer group 14)
ASA(config-isakmp-policy)#encryption aes
ASA(config-isakmp-policy)#authentication pre-share
ASA(config-isakmp-policy)#group 2
ASA(config-isakmp-policy)#exit
ASA(config)#ip local pool vpn-pool 192.168.1.1-192.168.1.200     ! address pool
ASA(config)#access-list split-tunnel permit ip 10.10.1.0 255.255.255.0 any   ! split-tunnel ACL
ASA(config)#group-policy vpn-group-policy internal                ! group policy
ASA(config)#group-policy vpn-group-policy attributes
ASA(config-group-policy)#split-tunnel-policy tunnelspecified      ! only the networks in the list are tunnelled
ASA(config-group-policy)#split-tunnel-network-list value split-tunnel
ASA(config-group-policy)#exit
ASA(config)#tunnel-group vpn-group type ipsec-ra                 ! remote-access tunnel group; its name is the Easy VPN group name clients send
ASA(config)#tunnel-group vpn-group general-attributes
ASA(config-tunnel-general)#address-pool vpn-pool
ASA(config-tunnel-general)#default-group-policy vpn-group-policy ! bind the group policy defined above
ASA(config-tunnel-general)#exit
ASA(config)#tunnel-group vpn-group ipsec-attributes
ASA(config-tunnel-ipsec)#pre-shared-key groupkey                 ! group pre-shared key; must match the clients
ASA(config-tunnel-ipsec)#exit
ASA(config)#crypto ipsec transform-set vpn-transform esp-aes esp-sha-hmac   ! transform set
ASA(config)#crypto dynamic-map vpn-dymap 10 set transform-set vpn-transform ! dynamic crypto map entry
ASA(config)#crypto map mymap 1000 ipsec-isakmp dynamic vpn-dymap ! static crypto map entry referencing the dynamic map
ASA(config)#crypto map mymap interface outside                    ! apply the crypto map to the interface

The same caveats as on the router apply: the tunnel-group pre-shared key is a group secret negotiated in IKEv1 aggressive mode, so make it long and random or move to certificates, and check connected clients with show vpn-sessiondb remote once the first client connects.