I'd like to set up a fairly simple Road Warrior VPN configuration on our Cisco router. Frustratingly, I've been searching for this and can't find a simple, complete guide.
- Multiple (not necessarily many) remote users
- IPSec/ISAKMP configuration
- IPv4
- Option for split tunnelling or default-gateway mode
What configuration do I need to enter to enable this?
I'm looking for a generic answer, but in case you need to know, I'm running c2600-ik9o3s3-mz.123-26.bin.
Answer 1
You're looking for a Remote Access VPN. Cisco documentation
You should probably take a look at the Cisco Secure VPN Client Solutions Guide.
Answer 2
Here's what I came up with; it should be a decent starting point for building a VPN configuration. I'm not sure whether it's minimal per se, but it should get anyone looking for this up and running.
The Cisco Secure VPN Client Solutions Guide that Zypher pointed out is very useful for building this - there are some good examples in it if you can dig through it.
aaa new-model
! Create a vpn-users AAA list that points to the local auth service
aaa authentication login vpn-users local
aaa authorization network vpn-users local
! Any local user will be allowed to use the VPN
username fred secret 5 SECRET
! Create an ISAKMP policy that handles the ISAKMP (IKE phase 1) negotiation
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 3600
! Dead-peer detection keepalives and the XAUTH login timeout
crypto isakmp keepalive 120 15
crypto isakmp xauth timeout 60
! Group policy for ISAKMP: the group pre-shared key and the attributes pushed to clients
crypto isakmp client configuration group default
 key PLAINTEXT_KEY
 dns LOCAL_DNS_SERVERS
 domain LOCAL_DOMAIN
 pool vpn-dynamic-pool
! VPN clients will be assigned addresses out of this pool
ip local pool vpn-dynamic-pool 192.168.2.1 192.168.2.254
! Create transform sets that specify how the actual IPSEC traffic will be encrypted
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-LZS esp-aes esp-sha-hmac comp-lzs
! Create IPSEC policies - any negotiated transform scheme must be specified
! in the map below
crypto dynamic-map vpn-dynamic-map 1
 set transform-set ESP-AES-128-SHA-LZS
crypto dynamic-map vpn-dynamic-map 2
 set transform-set ESP-AES-128-SHA
!
crypto map vpn-dynamic client authentication list vpn-users
crypto map vpn-dynamic client configuration address respond
crypto map vpn-dynamic isakmp authorization list vpn-users
crypto map vpn-dynamic 1 ipsec-isakmp dynamic vpn-dynamic-map
! Apply the IPSEC map to the external interface
interface ExternalInterface/0
 crypto map vpn-dynamic
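As an added example that is not part of either answer: a small Python audit a defender could run over a saved copy of the configuration above to flag the settings most worth revisiting before deploying it. The thresholds are assumptions (DH groups below 2048 bits, DES/3DES, MD5/SHA-1 integrity such as esp-sha-hmac, and a single group pre-shared key shared by every remote user); the config excerpt is constructed from the answer.

```python
# Constructed excerpt of the router configuration posted in the answer above.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp client configuration group default
 key PLAINTEXT_KEY
 pool vpn-dynamic-pool
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-LZS esp-aes esp-sha-hmac comp-lzs
"""

# Assumed audit thresholds: DH groups under 2048 bits, legacy ciphers, MD5/SHA-1 integrity.
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_ISAKMP_CIPHERS = {"des", "3des"}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac", "esp-sha-hmac"}


def parse_blocks(config):
    """Group IOS config into (parent command, [sub-commands]) using the one-space indent."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and comments
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_vpn_config(config):
    """Return (parent command, finding) pairs for weak settings in the VPN config."""
    findings = []
    for parent, children in parse_blocks(config):
        if parent.startswith("crypto isakmp policy"):
            for child in children:
                keyword, _, value = child.partition(" ")
                if keyword == "group" and value in WEAK_DH_GROUPS:
                    findings.append((parent, f"weak DH group {value}"))
                elif keyword == "encr" and value in WEAK_ISAKMP_CIPHERS:
                    findings.append((parent, f"weak ISAKMP cipher {value}"))
        elif parent.startswith("crypto isakmp client configuration group"):
            if any(child.startswith("key ") for child in children):
                findings.append((parent, "group pre-shared key shared by every remote user"))
        elif parent.startswith("crypto ipsec transform-set"):
            # words[4:] are the transforms; flag any that fall under the assumed weak set
            for transform in sorted(set(parent.split()[4:]) & WEAK_TRANSFORMS):
                findings.append((parent, f"weak transform {transform}"))
    return findings
```

Running `audit_vpn_config(SAMPLE_CONFIG)` on the excerpt reports the DH group, the shared group key, and the SHA-1 integrity transform in both transform sets.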