
Easy VPN Lab

I. EZVPN Between Router to Router

1) Overview
Cisco Easy VPN uses a consistent policy and key-management scheme so that a single deployment can integrate all Easy VPN Remote devices (Cisco routers, Cisco PIX firewalls, Cisco VPN 3002 hardware clients or software clients), which greatly simplifies remote-end management and configuration. Put simply, the complex policy and key-management commands are configured on the Server side, while the client side needs only a few very simple commands to bring up a VPN link to the Server; the main purpose is of course to simplify the configuration and management of the remote devices.

2) Lab environment

The topology and IP address assignment are as follows (the topology figure is not reproduced here; the addressing below is taken from the device configurations in step 4):

EZVPN-Server S1/2 10.1.1.1 <--> S1/0 10.1.1.2 ISP S1/1 10.1.2.1 <--> S1/2 10.1.2.2 EZVPN-Client
EZVPN-Server F0/0 192.168.1.251, with the WEB server at 192.168.1.244 on that LAN
EZVPN-Client F0/0 192.168.100.1, with the client PC at 192.168.100.21 on that LAN

3) Lab objective
Using Easy VPN, a user on the remote client side should be able to reach the WEB server inside the server-side network directly; put simply, the client PC should be able to ping the server-side internal WEB server and browse its home page with IE.

4) Basic lab configuration and tests

In this step we configure basic connectivity on the routers together with a few housekeeping commands, and test with ping.

Basic configuration of EZVPN-Server

enable
conf t
hostname EZVPN-Server
enable secret cisco
no ip domain-lookup

line console 0
exec-timeout 0 0
logging syn
exit

line vty 0 4
exec-timeout 0 0
password cisco
login
exit

interface serial 1/2
ip address 10.1.1.1 255.255.255.0
no shutdown
exit

interface fastethernet 0/0
ip address 192.168.1.251 255.255.255.0
no shutdown
exit

ip route 0.0.0.0 0.0.0.0 serial 1/2

Basic configuration of EZVPN-Client

enable
conf t
hostname EZVPN-Client
enable secret cisco
no ip domain-lookup

line console 0
exec-timeout 0 0
logging syn
exit

line vty 0 4
exec-timeout 0 0
password cisco
login
exit

interface serial 1/2
ip address 10.1.2.2 255.255.255.0
no shutdown
exit

interface fastethernet 0/0
ip address 192.168.100.1 255.255.255.0
no shutdown
exit

ip route 0.0.0.0 0.0.0.0 serial 1/2

Basic configuration of ISP

enable
conf t
hostname ISP
enable secret cisco
no ip domain-lookup

line console 0
exec-timeout 0 0
logging syn
exit

line vty 0 4
exec-timeout 0 0
password cisco
login
exit

interface serial 1/0
ip address 10.1.1.2 255.255.255.0
no shutdown
exit

interface serial 1/1
ip address 10.1.2.1 255.255.255.0
no shutdown
exit

Ping test from EZVPN-Client:

EZVPN-Client#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 140/163/192 ms

EZVPN-Client#ping 192.168.1.244
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.244, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Ping test from EZVPN-Server:

EZVPN-Server#ping 10.1.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/95/140 ms

EZVPN-Server#ping 192.168.100.21
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.21, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Ping test from the PC:

C:\Documents and Settings\cx>ping 192.168.100.1 -n 2

Pinging 192.168.100.1 with 32 bytes of data:

Reply from 192.168.100.1: bytes=32 time=14ms TTL=255
Reply from 192.168.100.1: bytes=32 time=6ms TTL=255

Ping statistics for 192.168.100.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 6ms, Maximum = 14ms, Average = 10ms

C:\Documents and Settings\cx>ping 10.1.2.2 -n 2

Pinging 10.1.2.2 with 32 bytes of data:

Reply from 10.1.2.2: bytes=32 time=7ms TTL=255
Reply from 10.1.2.2: bytes=32 time=5ms TTL=255

Ping statistics for 10.1.2.2:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 5ms, Maximum = 7ms, Average = 6ms

C:\Documents and Settings\cx>ping 10.1.1.1 -n 2

Pinging 10.1.1.1 with 32 bytes of data:

Request timed out.
Request timed out.

Ping statistics for 10.1.1.1:
    Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),

Ping test from the WEB server:

C:\Documents and Settings\Administrator>ping 192.168.1.251 -n 2

Pinging 192.168.1.251 with 32 bytes of data:

Reply from 192.168.1.251: bytes=32 time=67ms TTL=255
Reply from 192.168.1.251: bytes=32 time=15ms TTL=255
Ping statistics for 192.168.1.251:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 15ms, Maximum = 67ms, Average = 41ms

C:\Documents and Settings\Administrator>ping 10.1.1.1 -n 2

Pinging 10.1.1.1 with 32 bytes of data:
Reply from 10.1.1.1: bytes=32 time=429ms TTL=255
Reply from 10.1.1.1: bytes=32 time=155ms TTL=255
Ping statistics for 10.1.1.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 155ms, Maximum = 429ms, Average = 292ms

C:\Documents and Settings\Administrator>ping 10.1.2.2 -n 2

Pinging 10.1.2.2 with 32 bytes of data:
Request timed out.
Request timed out.
Ping statistics for 10.1.2.2:
    Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),

The tests above show that hosts inside the Client side cannot reach the Server-side WEB server; next we configure Easy VPN so that the two sides can reach each other.

5) Easy VPN configuration (without XAUTH)

Configuration steps on EZVPN-Server:

1. Create the IP address pool and the local user database

ip local pool Remote-Pool 172.16.1.200 172.16.1.250
username cisco password cisco123

2. Configure group policy lookup

aaa new-model
aaa authorization network vpn-group local

3. Create the ISAKMP policy for remote VPN client access

crypto isakmp enable
crypto isakmp policy 10
authentication pre-share
encryption 3des
group 2
exit

show crypto isakmp policy

4. Define the group policy that Mode Config (MC) pushes to the client

crypto isakmp client configuration group test
key VPNKEY
//the pre-shared key used by authentication pre-share
domain cisco.com
pool Remote-Pool
exit

5. Create the transform set

crypto ipsec transform-set VPNTRANSFORM esp-3des esp-sha-hmac
exit

show crypto ipsec transform-set

6. Create the dynamic crypto map with RRI

crypto dynamic-map Dynamic-Map 10
set transform-set VPNTRANSFORM
reverse-route
exit

show crypto dynamic-map

7. Apply MC to the dynamic crypto map

crypto map ClientMap client configuration address respond
crypto map ClientMap isakmp authorization list vpn-group
crypto map ClientMap 65535 ipsec-isakmp dynamic Dynamic-Map

8. Apply the dynamic crypto map to the router's outside interface

interface serial 1/2
crypto map ClientMap
exit

show crypto map

9. Enable IKE DPD

crypto isakmp keepalive 20 10

Configuration steps on EZVPN-Client:

1. Define the client IPSec policy

crypto ipsec client ezvpn R6-Client
group test key VPNKEY
peer 10.1.1.1
mode client
connect auto
exit

2. Apply the policy to the interfaces

interface serial 1/2
crypto ipsec client ezvpn R6-Client
exit

interface fastethernet 0/0
crypto ipsec client ezvpn R6-Client inside
exit

6) Check the state with show commands

EZVPN-Server:

EZVPN-Server#show crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection    
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: Serial1/2
Group: test
Assigned address: 172.16.1.200
Uptime: 00:15:27
Session status: UP-ACTIVE    
Peer: 10.1.2.2 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: test
      Desc: (none)
  IKE SA: local 10.1.1.1/500 remote 10.1.2.2/500 Active
          Capabilities:CD connid:1001 lifetime:23:44:31
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 172.16.1.200
        Active SAs: 2, origin: dynamic crypto map
        Inbound:  #pkts dec'ed 705 drop 0 life (KB/Sec) 4577122/2672
        Outbound: #pkts enc'ed 4 drop 0 life (KB/Sec) 4577204/2672

EZVPN-Server#show ip route 
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 E1 - OSPF external type 1, E2 - OSPF external type 2
 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
 ia - IS-IS inter area, * - candidate default, U - per-user static route
 o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     172.16.0.0/32 is subnetted, 1 subnets
S       172.16.1.200 [1/0] via 10.1.2.2
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, Serial1/2
C    192.168.1.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 is directly connected, Serial1/2

EZVPN-Client:

EZVPN-Client#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 4

Tunnel name : R6-Client
Inside interface list: FastEthernet0/0
Outside interface: Serial1/2
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 172.16.1.200
Mask: 255.255.255.255
Default Domain: cisco.com
Save Password: Disallowed
Current EzVPN Peer: 10.1.1.1

EZVPN-Client#show crypto session detail    
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection    
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: Serial1/2
Session status: UP-ACTIVE    
Peer: 10.1.1.1 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 10.1.1.1
      Desc: (none)
  IKE SA: local 10.1.2.2/500 remote 10.1.1.1/500 Active
          Capabilities:C connid:6 lifetime:23:41:43
  IPSEC FLOW: permit ip host 172.16.1.200 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 4 drop 0 life (KB/Sec) 4469489/2536
        Outbound: #pkts enc'ed 801 drop 0 life (KB/Sec) 4469396/2536

7) Test connectivity from the PC to the WEB server

Ping the WEB Server from the PC:

C:\Documents and Settings\cx>ping 192.168.1.244

Pinging 192.168.1.244 with 32 bytes of data:

Reply from 192.168.1.244: bytes=32 time=173ms TTL=127
Reply from 192.168.1.244: bytes=32 time=125ms TTL=127
Reply from 192.168.1.244: bytes=32 time=161ms TTL=127
Reply from 192.168.1.244: bytes=32 time=77ms TTL=127

Ping statistics for 192.168.1.244:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 77ms, Maximum = 173ms, Average = 134ms

Ha ha, it works! Next let's see whether the WEB page can be opened, as shown in the screenshot (not reproduced here).

What we just did was without XAUTH authentication, but Cisco now recommends XAUTH, so next let's see how the configuration changes when XAUTH is enabled.

8) Easy VPN configuration (with XAUTH)

Configuration steps on EZVPN-Server:

1. Configure XAUTH

aaa new-model
aaa authentication login lab-remote-access local
crypto isakmp xauth timeout 30

2. Create the IP address pool and the local user database

username cisco password cisco
ip local pool Remote-Pool 172.16.1.200 172.16.1.250

3. Configure group policy lookup

aaa authorization network vpn-group local

4. Create the ISAKMP policy for remote VPN client access

crypto isakmp enable
crypto isakmp policy 10
authentication pre-share
encryption 3des
group 2
exit

show crypto isakmp policy

5. Define the group policy that Mode Config (MC) pushes to the client

crypto isakmp client configuration group test
key VPNKEY
domain cisco.com
pool Remote-Pool
exit

6. Create the transform set

crypto ipsec transform-set VPNTRANSFORM esp-3des esp-sha-hmac
exit

show crypto ipsec transform-set

7. Create the dynamic crypto map with RRI

crypto dynamic-map Dynamic-Map 10
set transform-set VPNTRANSFORM
reverse-route
exit

show crypto dynamic-map

8. Apply MC to the dynamic crypto map

crypto map ClientMap client authentication list lab-remote-access
crypto map ClientMap client configuration address respond
crypto map ClientMap isakmp authorization list vpn-group
crypto map ClientMap 65535 ipsec-isakmp dynamic Dynamic-Map

9. Apply the dynamic crypto map to the router's outside interface

interface serial 1/2
crypto map ClientMap
exit

show crypto map

10. Enable IKE DPD

crypto isakmp keepalive 20 10

The XAUTH additions (marked in orange in the original) are step 1 and the client authentication list line in step 8.
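A mistake that is easy to make when typing these steps by hand is to refer to a name in one command (an AAA list, the address pool, the transform set, the dynamic map) that no other command defines, and IOS will not always complain at the prompt. The following checker is an added example, not part of the original lab: it parses IOS-style configuration text and reports every such dangling reference, and also reports whether a crypto map binds a client authentication list, which is what turns XAUTH on. The embedded sample configuration is constructed from the XAUTH server steps above; the regular expressions only cover the command forms used on this page.

```python
"""Cross-reference checker for an Easy VPN server configuration (added example)."""
import re

# Constructed sample: the XAUTH-enabled EZVPN-Server steps from this lab.
SAMPLE_CONFIG = """
aaa new-model
aaa authentication login lab-remote-access local
crypto isakmp xauth timeout 30
username cisco password cisco
ip local pool Remote-Pool 172.16.1.200 172.16.1.250
aaa authorization network vpn-group local
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 group 2
crypto isakmp client configuration group test
 key VPNKEY
 domain cisco.com
 pool Remote-Pool
crypto ipsec transform-set VPNTRANSFORM esp-3des esp-sha-hmac
crypto dynamic-map Dynamic-Map 10
 set transform-set VPNTRANSFORM
 reverse-route
crypto map ClientMap client authentication list lab-remote-access
crypto map ClientMap client configuration address respond
crypto map ClientMap isakmp authorization list vpn-group
crypto map ClientMap 65535 ipsec-isakmp dynamic Dynamic-Map
interface serial 1/2
 crypto map ClientMap
crypto isakmp keepalive 20 10
"""

# Commands that DEFINE a named object: (pattern, object kind).
DEFINERS = [
    (re.compile(r"^aaa authentication login (\S+)"), "login-list"),
    (re.compile(r"^aaa authorization network (\S+)"), "network-list"),
    (re.compile(r"^ip local pool (\S+)"), "pool"),
    (re.compile(r"^crypto ipsec transform-set (\S+)"), "transform-set"),
    (re.compile(r"^crypto dynamic-map (\S+)"), "dynamic-map"),
    (re.compile(r"^crypto map (\S+) \d+ ipsec-isakmp"), "crypto-map"),
    (re.compile(r"^crypto isakmp client configuration group (\S+)"), "group"),
]

# Commands that REFERENCE a named object defined elsewhere.
REFERENCES = [
    (re.compile(r"^crypto map \S+ client authentication list (\S+)"), "login-list"),
    (re.compile(r"^crypto map \S+ isakmp authorization list (\S+)"), "network-list"),
    (re.compile(r"^pool (\S+)"), "pool"),                      # inside the group
    (re.compile(r"^set transform-set (\S+)"), "transform-set"),  # inside the dynamic map
    (re.compile(r"^crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)"), "dynamic-map"),
    (re.compile(r"^crypto map (\S+)$"), "crypto-map"),          # interface-level apply
]


def check_references(config_text):
    """Return a sorted list of (kind, name) references that nothing in the config defines."""
    defined = set()
    referenced = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        for pattern, kind in DEFINERS:
            match = pattern.match(line)
            if match:
                defined.add((kind, match.group(1)))
        for pattern, kind in REFERENCES:
            match = pattern.match(line)
            if match:
                referenced.append((kind, match.group(1)))
    return sorted({ref for ref in referenced if ref not in defined})


def xauth_enabled(config_text):
    """True when some crypto map binds a client authentication list, i.e. XAUTH is on."""
    return any(
        re.match(r"^crypto map \S+ client authentication list", line.strip())
        for line in config_text.splitlines()
    )


if __name__ == "__main__":
    print("dangling references:", check_references(SAMPLE_CONFIG))
    print("XAUTH enabled:", xauth_enabled(SAMPLE_CONFIG))
```

Running it on the sample reports no dangling references and XAUTH enabled; changing the group's `pool Remote-Pool` line to a pool name that was never created is reported as `("pool", "vpn-address")`, which is exactly the kind of mismatch that otherwise only shows up as a client that never receives an address.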

Configuration steps on EZVPN-Client:

1. Define the client IPSec policy

crypto ipsec client ezvpn R6-Client
group test key VPNKEY
peer 10.1.1.1
mode client
connect auto
username cisco password cisco
//valid from IOS 12.3(4)T onward; must be used together with save-password on the server side
xauth userid mode local

exit

2. Apply the policy to the interfaces

interface serial 1/2
crypto ipsec client ezvpn R6-Client
exit

interface fastethernet 0/0
crypto ipsec client ezvpn R6-Client inside
exit

After this configuration the Easy VPN link does not come up yet; the Client prints the following message:

EZVPN-Client#
Mar 20 22:11:18.223: EZVPN(R6-Client): Pending XAuth Request, Please enter the following command:
Mar 20 22:11:18.227: EZVPN: crypto ipsec client ezvpn xauth

The message asks you to enter the crypto ipsec client ezvpn xauth command in privileged mode to complete XAUTH authentication, so next we enter the command and supply the username and password:

EZVPN-Client#crypto ipsec client ezvpn xauth
Username: cisco
Password:
EZVPN-Client#

9) Check the state with show commands

EZVPN-Client:

EZVPN-Client#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 4

Tunnel name : R6-Client
Inside interface list: FastEthernet0/0
Outside interface: Serial1/2
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 172.16.1.201
Mask: 255.255.255.255
Default Domain: cisco.com
Save Password: Disallowed
Current EzVPN Peer: 10.1.1.1

EZVPN-Client#show crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection    
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: Serial1/2
Session status: UP-ACTIVE    
Peer: 10.1.1.1 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 10.1.1.1
      Desc: (none)
  IKE SA: local 10.1.2.2/500 remote 10.1.1.1/500 Active
          Capabilities:CX connid:2 lifetime:23:57:01
  IPSEC FLOW: permit ip host 172.16.1.201 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 4473610/3470
        Outbound: #pkts enc'ed 274 drop 0 life (KB/Sec) 4473577/3470

EZVPN-Client#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 172.16.1.201:512  192.168.100.21:512 192.168.1.244:512  192.168.1.244:512

EZVPN-Server:

EZVPN-Server#show crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection    
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: Serial1/2
Username: cisco
Group: test
Assigned address: 172.16.1.201
Uptime: 00:02:26
Session status: UP-ACTIVE    
Peer: 10.1.2.2 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: test
      Desc: (none)
  IKE SA: local 10.1.1.1/500 remote 10.1.2.2/500 Active
          Capabilities:CDX connid:1002 lifetime:23:57:16
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 172.16.1.201
        Active SAs: 2, origin: dynamic crypto map
        Inbound:  #pkts dec'ed 341 drop 0 life (KB/Sec) 4512820/3453
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4512860/3453

EZVPN-Server#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     172.16.0.0/32 is subnetted, 1 subnets
S       172.16.1.201 [1/0] via 10.1.2.2
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, Serial1/2
C    192.168.1.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 is directly connected, Serial1/2
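The two outputs above are what an operator checks after an XAUTH deployment: the `Capabilities:` field of the IKE SA should now carry `X` (XAUTH) in addition to `C` and `D`, a `Username:` line should appear, and the address handed to the client should have a reverse-route-injected static route pointing at the peer. The following script is an added example, not part of the original post; it parses the text of `show crypto session detail` and `show ip route` as printed on this page (the embedded samples are constructed from the EZVPN-Server output above, with trailing whitespace removed) and lists whatever does not match those expectations.

```python
"""Verify an Easy VPN session from the server's show output (added example)."""
import re

# Constructed sample: EZVPN-Server 'show crypto session detail' after XAUTH.
SESSION_OUTPUT = """\
Interface: Serial1/2
Username: cisco
Group: test
Assigned address: 172.16.1.201
Uptime: 00:02:26
Session status: UP-ACTIVE
Peer: 10.1.2.2 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: test
      Desc: (none)
  IKE SA: local 10.1.1.1/500 remote 10.1.2.2/500 Active
          Capabilities:CDX connid:1002 lifetime:23:57:16
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 172.16.1.201
        Active SAs: 2, origin: dynamic crypto map
"""

# Constructed sample: EZVPN-Server 'show ip route' with the RRI route present.
ROUTE_OUTPUT = """\
Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     172.16.0.0/32 is subnetted, 1 subnets
S       172.16.1.201 [1/0] via 10.1.2.2
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, Serial1/2
C    192.168.1.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 is directly connected, Serial1/2
"""


def _first(pattern, text):
    match = re.search(pattern, text, re.M)
    return match.group(1) if match else None


def parse_session(text):
    """Pull the fields this check needs out of 'show crypto session detail'."""
    caps = _first(r"Capabilities:(\w+)", text)
    return {
        "status": _first(r"^Session status:\s*(\S+)", text),
        "peer": _first(r"^Peer:\s*(\S+) port", text),
        "assigned": _first(r"^Assigned address:\s*(\S+)", text),
        "username": _first(r"^Username:\s*(\S+)", text),
        # One letter per capability: C = config mode, D = DPD, X = XAUTH, ...
        "capabilities": set(caps) if caps else set(),
    }


def static_routes(text):
    """Return {prefix: next_hop} for static ('S') routes that have a 'via' next hop."""
    return {
        match.group(1): match.group(2)
        for match in re.finditer(r"^S\s+(\S+) \[\d+/\d+\] via (\S+)", text, re.M)
    }


def verify(session_text, route_text):
    """Return a list of findings; an empty list means the session looks as expected."""
    session = parse_session(session_text)
    caps = session["capabilities"]
    findings = []
    if session["status"] != "UP-ACTIVE":
        findings.append(f"session status is {session['status']}")
    if "X" not in caps:
        findings.append("IKE SA has no X capability: XAUTH was not performed")
    if "D" not in caps:
        findings.append("IKE SA has no D capability: DPD is off")
    if "X" in caps and not session["username"]:
        findings.append("XAUTH capability present but no Username in session")
    assigned = session["assigned"]
    if assigned:
        hop = static_routes(route_text).get(assigned)
        if hop is None:
            findings.append(f"no RRI route for assigned address {assigned}")
        elif hop != session["peer"]:
            findings.append(f"RRI route for {assigned} points to {hop}, peer is {session['peer']}")
    return findings


if __name__ == "__main__":
    print(verify(SESSION_OUTPUT, ROUTE_OUTPUT) or "session OK")
```

On the sample output the check passes. Feeding it the pre-XAUTH session from section 6 (capabilities `CD`) produces the single finding that XAUTH was not performed, and removing the `S 172.16.1.201 [1/0] via 10.1.2.2` line reports the missing RRI route, which is the usual reason server-side hosts cannot answer the client even though the tunnel is up.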

10) Test connectivity from the PC to the WEB server

Ping the WEB Server from the PC:

C:\Documents and Settings\cx>ping 192.168.1.244 -n 2

Pinging 192.168.1.244 with 32 bytes of data:

Reply from 192.168.1.244: bytes=32 time=173ms TTL=127
Reply from 192.168.1.244: bytes=32 time=125ms TTL=127
Reply from 192.168.1.244: bytes=32 time=161ms TTL=127
Reply from 192.168.1.244: bytes=32 time=77ms TTL=127

Ping statistics for 192.168.1.244:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 77ms, Maximum = 173ms, Average = 134ms

Ha ha, it works again! Next let's see whether the WEB page can be opened, as shown in the screenshot (not reproduced here).

^_^ ...... OK, it can be opened too; the lab succeeded!
Ha ha, that completes the basic Easy VPN lab!

11) Comparing the three modes of the Easy VPN remote hardware client

Note: this comparison was done in the EZVPN Between Router to Router lab environment.

  • Client Mode: in this mode the PCs and hosts on the private network behind the VPN connection do not use any addresses from the destination server's IP address space; instead a specific NAT or PAT configuration is used to communicate with the Server side. Client mode configures NAT, PAT and ACLs automatically to establish the VPN connection: the configuration is created automatically when the VPN connection is started and removed automatically when the VPN tunnel is torn down.
  • Network Extension Mode: in this mode the client-side PCs and hosts reach the destination network through the tunnel on one logical network with full routing. NAT and PAT are not used, so the client-side PCs and hosts can access the PCs and hosts on the destination subnet directly.
  • Network Extension Plus Mode: this mode is equivalent to network extension mode with one additional feature: it can request an IP address for a loopback interface through MC and automatic address assignment, and the Cisco Easy VPN remote automatically creates IPSec SAs for that interface. The interface is mainly used for troubleshooting (with ping, Telnet or SSH).

The mode is changed with the following commands:

EZVPN-Client(config)#crypto ipsec client ezvpn name

EZVPN-Client(config-crypto-ezvpn)#mode { client | network-extension | network-plus }  

We use the lab environment above to compare the three modes:

Client mode:

1. Configure and verify on EZVPN-Client

crypto ipsec client ezvpn R6-Client
group test key VPNKEY
peer 10.1.1.1
mode client
connect auto
username cisco password cisco
xauth userid mode local
exit

EZVPN-Client#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 4

Tunnel name : R6-Client
Inside interface list: FastEthernet0/0
Outside interface: Serial1/2
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 172.16.1.204
Mask: 255.255.255.255
Default Domain: cisco.com
Save Password: Disallowed
Current EzVPN Peer: 10.1.1.1

EZVPN-Client#show ip interface brief
Interface          IP-Address       OK? Method Status                Protocol
FastEthernet0/0    192.168.100.1    YES manual up                    up
Serial1/0          unassigned       YES unset  administratively down down
Serial1/1          unassigned       YES unset  administratively down down
Serial1/2          10.1.2.2         YES manual up                    up
Serial1/3          unassigned       YES unset  administratively down down
NVI0               unassigned       NO  unset  up                    up
Loopback0          172.16.1.204     YES manual up                    up

In client mode we see that EZVPN-Client automatically creates a loopback interface; when a user needs to reach a host behind EZVPN-Server, EZVPN-Client automatically PATs the traffic to the loopback address. When the client PC 192.168.100.21 accesses the server-side PC 192.168.1.88, we can see that EZVPN-Client performed a PAT translation.

EZVPN-Client#show ip nat translations
Pro      Inside global      Inside local      Outside local      Outside global
icmp 172.16.1.204:512  192.168.100.21:512  192.168.1.88:512 192.168.1.88:512

2. Verify on EZVPN-Server

EZVPN-Server#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     172.16.0.0/32 is subnetted, 1 subnets
S       172.16.1.204 [1/0] via 10.1.2.2
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, Serial1/2
C    192.168.1.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 is directly connected, Serial1/2

Because reverse-route is configured, the Server automatically creates a static route to the Client's loopback interface.

Network extension mode:

1. Configure and verify on EZVPN-Client

crypto ipsec client ezvpn R6-Client
group test key VPNKEY
peer 10.1.1.1
mode network-extension
connect auto
username cisco password cisco
xauth userid mode local
exit

EZVPN-Client#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 4

Tunnel name : R6-Client
Inside interface list: FastEthernet0/0
Outside interface: Serial1/2
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Default Domain: cisco.com
Save Password: Disallowed
Current EzVPN Peer: 10.1.1.1

EZVPN-Client#show ip interface brief
Interface          IP-Address       OK? Method Status                Protocol
FastEthernet0/0    192.168.100.1    YES manual up                    up
Serial1/0          unassigned       YES unset  administratively down down
Serial1/1          unassigned       YES unset  administratively down down
Serial1/2          10.1.2.2         YES manual up                    up
Serial1/3          unassigned       YES unset  administratively down down
NVI0               unassigned       NO  unset  up                    up

In network extension mode PAT is not needed, so once the VPN is up the two sides behave like one internal LAN; that is why the output of show crypto ipsec client ezvpn no longer shows an IP address obtained from the server-side pool: none is needed now. How then does the Server side reach the Client-side network? Because reverse-route is configured on the Server, it automatically creates a static route to the Remote's internal network.

2. Verify on EZVPN-Server

EZVPN-Server#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, Serial1/2
C    192.168.1.0/24 is directly connected, FastEthernet0/0
S    192.168.100.0/24 [1/0] via 10.1.2.2
S*   0.0.0.0/0 is directly connected, Serial1/2

Network extension plus mode:

1. Configure and verify on EZVPN-Client

crypto ipsec client ezvpn R6-Client
group test key VPNKEY
peer 10.1.1.1
mode network-plus
connect auto
username cisco password cisco
xauth userid mode local
exit

EZVPN-Client#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 4

Tunnel name : R6-Client
Inside interface list: FastEthernet0/0
Outside interface: Serial1/2
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 172.16.1.206
Mask: 255.255.255.255
Default Domain: cisco.com
Save Password: Disallowed
Current EzVPN Peer: 10.1.1.1

EZVPN-Client#show ip interface brief
Interface        IP-Address      OK? Method Status                Protocol
FastEthernet0/0 192.168.100.1   YES manual   up                    up     
Serial1/0          unassigned      YES unset  administratively down down   
Serial1/1          unassigned      YES unset  administratively down down   
Serial1/2          10.1.2.2        YES manual  up                    up     
Serial1/3           unassigned      YES unset  administratively down down   
NVI0               unassigned      NO  unset   up                    up     
Loopback0         172.16.1.206    YES manual  up                    up

In this mode everything behaves as in network extension mode, but the Client still creates a loopback interface, which is now used only for troubleshooting.

2. Verify on EZVPN-Server

EZVPN-Server#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     172.16.0.0/32 is subnetted, 1 subnets
S       172.16.1.206 [1/0] via 10.1.2.2
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, Serial1/2
C    192.168.1.0/24 is directly connected, FastEthernet0/0
S    192.168.100.0/24 [1/0] via 10.1.2.2
S*   0.0.0.0/0 is directly connected, Serial1/2

Because reverse-route is configured, the Server creates two static routes: one to the Client's loopback interface and one to the Client's internal network. The loopback route is used for troubleshooting and the internal-network route for communication with the Client's internal network.

II. EZVPN Between Router to VPN Client 4.x

1) Overview

An EZVPN Server can terminate IPSec tunnels initiated by remote mobile workers running the Cisco VPN Client software on their PCs. This flexibility lets remote mobile workers, such as travelling sales staff and teleworkers, access the headquarters internal network where critical data and applications are kept. Next we discuss how to implement this.

2) Lab environment

The topology and IP address assignment are as follows (the figure is not reproduced here; from the configurations below, EZVPN-Server S1/2 10.1.1.2 connects to ISP S1/2 10.1.1.1, the PC at 10.1.2.2 sits on ISP F0/0 10.1.2.1, and the WEB server 192.168.1.244 is behind EZVPN-Server F0/0 192.168.1.251):

3) Lab objective
Using Easy VPN, a mobile user running Cisco VPN Client 4.x should be able to dial directly into the headquarters internal network and access the internal WEB server.

4) Basic lab configuration and tests

In this step we configure basic connectivity on the routers together with a few housekeeping commands, and test with ping.

Basic configuration of EZVPN-Server:

interface serial 1/2
ip address 10.1.1.2 255.255.255.0
no shutdown
exit

interface fastethernet 0/0
ip address 192.168.1.251 255.255.255.0
no shutdown
exit

ip route 0.0.0.0 0.0.0.0 serial 1/2

Basic configuration of ISP:

interface serial 1/2
ip address 10.1.1.1 255.255.255.0
no shutdown
exit

interface fastethernet 0/0
ip address 10.1.2.1 255.255.255.0
no shutdown
exit

Ping test from EZVPN-Client (the PC):

C:\Documents and Settings\cx>ipconfig /all

Ethernet adapter 本地连接:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Mobile Connection
        Physical Address. . . . . . . . . : 00-0D-60-AF-41-86
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.1.2.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.1.2.1
        DNS Servers . . . . . . . . . . . : 220.170.0.18

C:\Documents and Settings\cx>ping 10.1.1.2 -n 2

Pinging 10.1.1.2 with 32 bytes of data:

Reply from 10.1.1.2: bytes=32 time=73ms TTL=254
Reply from 10.1.1.2: bytes=32 time=82ms TTL=254

Ping statistics for 10.1.1.2:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 73ms, Maximum = 82ms, Average = 77ms

C:\Documents and Settings\cx>ping 192.168.1.244 -n 2

Pinging 192.168.1.244 with 32 bytes of data:

Reply from 10.1.2.1: Destination host unreachable.
Reply from 10.1.2.1: Destination host unreachable.

Ping statistics for 192.168.1.244:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

The test shows that before EZVPN is configured we can only ping the Server's outside interface address and cannot reach the WEB server inside the Server side.

5) Easy VPN configuration

Configuration of EZVPN-Server:

1. Configure XAUTH

username cisco password cisco
aaa new-model
aaa authentication login lab-remote-access local
crypto isakmp xauth timeout 30

2. Create the IP address pool

ip local pool Remote-Pool 172.16.1.200 172.16.1.250

3. Configure group policy authorization

aaa authorization network vpn-group local

4. Create the ISAKMP policy for remote VPN client access

crypto isakmp enable
crypto isakmp policy 10
authentication pre-share
encryption 3des
group 2

show crypto isakmp policy

5. Define the group policy that Mode Config (MC) pushes to the client

crypto isakmp client configuration group test
key VPNKEY
domain cisco.com
dns 220.170.0.18
pool Remote-Pool

6. Create the transform set

crypto ipsec transform-set VPNTRANSFORM esp-3des esp-sha-hmac
exit

show crypto ipsec transform-set

7. Create the dynamic crypto map

crypto dynamic-map Dynamic-Map 10
set transform-set VPNTRANSFORM
reverse-route

show crypto dynamic-map

8. Associate the remaining parameters with the dynamic crypto map

crypto map ClientMap client authentication list lab-remote-access
crypto map ClientMap client configuration address respond
crypto map ClientMap isakmp authorization list vpn-group
crypto map ClientMap 65535 ipsec-isakmp dynamic Dynamic-Map

9. Apply the dynamic crypto map to the router's outside interface

interface serial 1/2
crypto map ClientMap
exit

show crypto map

10. Enable IKE DPD

crypto isakmp keepalive 20 10

ip route 0.0.0.0 0.0.0.0 serial 1/2

Configuration of EZVPN-Server, variant 2 (if the EZVPN-Server device is a PIX 7.0):

1. Configure XAUTH

username cisco password cisco

2. Create the IP address pool

ip local pool Remote-Pool 172.16.1.200 172.16.1.250

3. Create the ISAKMP policy for remote VPN client access

crypto isakmp enable
crypto isakmp policy 10
authentication pre-share
encryption 3des
group 2
exit

4. Configure the IPSec transform set

crypto ipsec transform-set VPNTRANSFORM esp-3des esp-sha-hmac

5. Create the dynamic crypto map with RRI

crypto dynamic-map Dynamic-Map 10
set transform-set VPNTRANSFORM
reverse-route

6. Configure the tunnel group

pixfirewall(config)# tunnel-group Dynamic-Map type ipsec-ra
pixfirewall(config)# tunnel-group Dynamic-Map general-attributes
pixfirewall(config-general)# address-pool Remote-Pool
pixfirewall(config-general)# authentication-server-group LOCAL
pixfirewall(config-general)# default-group-policy remote-policy
//the address pool can also be set in the group policy, which is assigned here as the default policy

pixfirewall(config)# tunnel-group Dynamic-Map ipsec-attributes
pixfirewall(config-ipsec)# pre-shared-key vpnkey

7. Configure the crypto map

crypto map ClientMap 10 ipsec-isakmp dynamic Dynamic-Map
crypto map ClientMap interface outside

Note: a group policy can be attached to the tunnel group for split tunneling and similar settings:
pixfirewall(config)# group-policy remote-policy internal
pixfirewall(config)# group-policy remote-policy attributes
pixfirewall(config-group-policy)# split-tunnel-policy tunnelspecified
pixfirewall(config-group-policy)# split-tunnel-network-list value vpn
//enable split tunneling so the client can reach the Internet while connected to the corporate network
pixfirewall(config-group-policy)# dns-server value 10.2.2.10

Configuration of EZVPN-Client 4.x:

1. Install the Cisco VPN Client 4.x software

Double-click the installer package and accept the default settings. Once installation is complete we configure the client parameters (the screenshots for the following steps are not reproduced here).

First double-click to open the VPN Client:

Next create a new VPN connection entry by clicking the New button:

Fill in the parameters and save:

Connect to the remote server and enter the username and password:

Check the IP address configuration on the Client:

C:\Documents and Settings\cx>ipconfig /all
Windows IP Configuration
        Host Name . . . . . . . . . . . . : chenxin
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : cisco.com
Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Mobile Connection
        Physical Address. . . . . . . . . : 00-0D-60-AF-41-86
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.1.2.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : 220.170.0.18
                                           220.170.0.38
Ethernet adapter Local Area Connection 3:
        Connection-specific DNS Suffix  . : cisco.com
        Description . . . . . . . . . . . : Cisco Systems VPN Adapter
        Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 172.16.1.201
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . : 172.16.0.1
        DNS Servers . . . . . . . . . . . : 220.170.0.18

Test connectivity to the Server-side WEB server and access it:

C:\Documents and Settings\cx>ping 192.168.1.244

Pinging 192.168.1.244 with 32 bytes of data:

Reply from 192.168.1.244: bytes=32 time=174ms TTL=128
Reply from 192.168.1.244: bytes=32 time=56ms TTL=128
Reply from 192.168.1.244: bytes=32 time=96ms TTL=128
Reply from 192.168.1.244: bytes=32 time=93ms TTL=128

Ping statistics for 192.168.1.244:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 56ms, Maximum = 174ms, Average = 104ms

View the VPN connection status (screenshot not reproduced here):

The test shows that we can reach the Server-side WEB server successfully; the lab succeeded!

III. Cisco IOS Easy VPN Remote with Client Mode and Split Tunneling

1) Overview

Split tunneling is used to separate traffic. Which traffic? In this lab it separates traffic bound for the Internet from traffic that must be encrypted and sent through the VPN. We first run the lab without split tunneling: after the Client side successfully establishes the VPN connection, it can reach neither the Server-side internal network nor the Internet. How do we fix this so that the Client side can access both the Server-side internal network and the Internet at the same time? Read on!

2) Lab environment

The topology and IP address assignment are as follows (the figure is not reproduced here; from the configurations below, EZVPN-Server S1/2 220.1.3.2 <--> S1/0 220.1.3.1 ISP S1/1 220.1.1.1 <--> S1/2 220.1.1.2 EZVPN-Client; the Internet WEB server 220.1.2.2 is on ISP F0/0 220.1.2.1; the Server-side LAN 10.1.1.0/24 is behind F0/0 10.1.1.1 and the Client-side LAN 192.168.10.0/24 is behind F0/0 192.168.10.1):

3) Lab objective
Using split tunneling, the client PC inside the Client-side network should be able to access both the Server-side internal network and the WEB server on the Internet.

4) Basic lab configuration and tests

In this step we configure basic connectivity on the routers with a few basic commands so that both the Server side and the Client side can reach the Internet WEB server normally, and test with ping.

Basic configuration of EZVPN-Server

interface serial 1/2
ip address 220.1.3.2 255.255.255.0
no shutdown
exit

interface fastethernet 0/0
ip address 10.1.1.1 255.255.255.0
no keepalive
no shutdown
exit

access-list 1 permit 10.1.1.0 0.0.0.255

ip nat inside source list 1 interface serial 1/2 overload

interface fastethernet 0/0
ip nat inside
exit

interface serial 1/2
ip nat outside
exit

ip route 0.0.0.0 0.0.0.0 serial 1/2

Basic configuration of EZVPN-Client

interface serial 1/2
ip address 220.1.1.2 255.255.255.0
no shutdown
exit

interface fastethernet 0/0
ip address 192.168.10.1 255.255.255.0
no shutdown
exit

access-list 1 permit 192.168.10.0 0.0.0.255

ip nat inside source list 1 interface serial 1/2 overload

interface fastethernet 0/0
ip nat inside
exit

interface serial 1/2
ip nat outside
exit

ip route 0.0.0.0 0.0.0.0 serial 1/2

Basic configuration of ISP

interface serial 1/0
ip address 220.1.3.1 255.255.255.0
no shutdown
exit

interface serial 1/1
ip address 220.1.1.1 255.255.255.0
no shutdown
exit

interface fastethernet 0/0
ip address 220.1.2.1 255.255.255.0
no shutdown
exit

Test from EZVPN-Client (the PC):

C:\Documents and Settings\cx>ping 220.1.2.2

Pinging 220.1.2.2 with 32 bytes of data:

Reply from 220.1.2.2: bytes=32 time=248ms TTL=126
Reply from 220.1.2.2: bytes=32 time=44ms TTL=126
Reply from 220.1.2.2: bytes=32 time=80ms TTL=126
Reply from 220.1.2.2: bytes=32 time=562ms TTL=126

Ping statistics for 220.1.2.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 44ms, Maximum = 562ms, Average = 233ms

The result shows that the Client-side internal user can reach the Internet WEB server normally through NAT.

Test from EZVPN-Server (the VPCS host):

VPCS 1 >ping 220.1.2.2
220.1.2.2 icmp_seq=1 time=166.000 ms
220.1.2.2 icmp_seq=2 time=208.000 ms
220.1.2.2 icmp_seq=3 time=47.000 ms
220.1.2.2 icmp_seq=4 time=165.000 ms
220.1.2.2 icmp_seq=5 time=147.000 ms

The result shows that the Server-side internal user can reach the Internet WEB server normally through NAT.

5) Easy VPN for Split Tunneling configuration

Configuration of EZVPN-Server (split tunneling not yet enabled)

ip local pool Remote-Pool 172.16.1.200 172.16.1.250

username cisco password cisco

aaa new-model

aaa authentication login lab-remote-access local
crypto isakmp xauth timeout 30

aaa authorization network vpn-group local

crypto isakmp enable
crypto isakmp policy 10
authentication pre-share
encryption 3des
group 2
exit

crypto isakmp client configuration group test
key VPNKEY
domain cisco.com
pool Remote-Pool
exit

crypto ipsec transform-set VPNTRANSFORM esp-3des esp-sha-hmac
exit

crypto dynamic-map Dynamic-Map 10
set transform-set VPNTRANSFORM
reverse-route
exit

crypto map ClientMap client authentication list lab-remote-access
crypto map ClientMap client configuration address respond
crypto map ClientMap isakmp authorization list vpn-group
crypto map ClientMap 65535 ipsec-isakmp dynamic Dynamic-Map

interface serial 1/2
crypto map ClientMap
exit

crypto isakmp keepalive 20 10

EZVPN-Client configuration

crypto ipsec client ezvpn test-Client
group test key VPNKEY
peer 220.1.3.2
mode client
connect auto
username cisco password cisco
xauth userid mode local
exit

interface serial 1/2
crypto ipsec client ezvpn test-Client
exit

interface fastethernet 0/0
crypto ipsec client ezvpn test-Client inside
exit

Testing on the EZVPN-Client side

EZVPN-Client#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 4

Tunnel name : test-Client
Inside interface list: FastEthernet0/0
Outside interface: Serial1/2
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 172.16.1.200
Mask: 255.255.255.255
Default Domain: cisco.com
Save Password: Disallowed
Current EzVPN Peer: 220.1.3.2

We can see the VPN was established successfully; next we test from the PC

C:\Documents and Settings\cx>ping 10.1.1.2

Pinging 10.1.1.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.1.1.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)

C:\Documents and Settings\cx>ping 220.1.2.2

Pinging 220.1.2.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 220.1.2.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)

At this point we find that the PC inside the Client side can reach neither the Server side's internal network nor the Internet. Why? Let's first look at why the Internet is unreachable.

First, on the PC inside the Client side, trace the packets with the tracert command

C:\Documents and Settings\cx>tracert 220.1.2.2

Tracing route to 220.1.2.2 over a maximum of 30 hops
  1    13 ms    51 ms    64 ms  192.168.10.1
  2   242 ms   160 ms   107 ms  220.1.3.2
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.

We can see that the next hop toward the Internet is 220.1.3.2, which is exactly the Server side's public IP address; the traffic did not go through the normal NAT. The cause of this problem is that split tunneling is not enabled, so the Client router sends every packet into the tunnel. To solve it, add the following commands on the Server-side router to enable split tunneling.

access-list 100 permit ip 10.1.1.0 0.0.0.255 any
crypto isakmp client configuration group test
acl 100
// Defines the split-tunnel list for the client. Note that the source address is always the address of your internal network that the client needs to reach, and the destination is always any, because this ACL takes effect after it is pushed to the client, where it is applied in reverse: only traffic from any source to the 10.1.1.0 network enters the tunnel.

Next, re-establish the VPN connection on the Client side and test.

clear crypto session    (clears the existing VPN connection)

Mar 30 14:52:19.935: EZVPN(test-Client): Pending XAuth Request, Please enter the following command:
Mar 30 14:52:19.939: EZVPN: crypto ipsec client ezvpn xauth

Because XAUTH authentication is enabled, the username and password must be entered again after the connection is reset

Use show crypto ipsec client ezvpn to check whether the tunnel was established and whether split tunneling is enabled

EZVPN-Client#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 4
Tunnel name : test-Client
Inside interface list: FastEthernet0/0
Outside interface: Serial1/2
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 172.16.1.201
Mask: 255.255.255.255
Default Domain: cisco.com
Save Password: Disallowed
Split Tunnel List: 1
       Address    : 10.1.1.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: 220.1.3.2

We can see the tunnel is established with split tunneling enabled; let's test again from the Client-side PC

C:\Documents and Settings\cx>ping 220.1.2.2

Pinging 220.1.2.2 with 32 bytes of data:

Reply from 220.1.2.2: bytes=32 time=361ms TTL=126
Reply from 220.1.2.2: bytes=32 time=102ms TTL=126
Reply from 220.1.2.2: bytes=32 time=43ms TTL=126
Reply from 220.1.2.2: bytes=32 time=305ms TTL=126

Ping statistics for 220.1.2.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 43ms, Maximum = 361ms, Average = 202ms

C:\Documents and Settings\cx>ping 10.1.1.2

Pinging 10.1.1.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.1.1.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

From the test results we have solved the Internet access problem, but why is the Server side's internal network still unreachable? Let's run show ip nat translation on the Client side

EZVPN-Client#show ip nat translation

Pro   Inside global        Inside local         Outside local     Outside global
icmp  172.16.1.201:512     192.168.10.2:512     10.1.1.2:512      10.1.1.2:512

The show output tells us that when we send packets toward the 10.1.1.0 network, the Client router performs PAT translation. This matches the client-mode behaviour we discussed earlier: EZVPN-Client automatically creates a loopback interface, and when a user needs to reach a host behind EZVPN-Server, EZVPN-Client automatically uses the loopback interface's address for PAT. So reaching the 10 network is not the problem. Could the problem be on the Server side? Is the Server side unable to send the packets back properly, which is why the Client-side PC cannot reach the Server side's internal network?

First, let's check whether the Server side's routing is fine

EZVPN-Server#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

C    220.1.3.0/24 is directly connected, Serial1/2
     172.16.0.0/32 is subnetted, 1 subnets
S       172.16.1.201 [1/0] via 220.1.1.2
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 is directly connected, Serial1/2

We find that the route toward the 172.16.1.0 range exists, so routing is not the problem. Where is the problem then? Recall our Server-side configuration: to let Server-side internal hosts reach the Internet, we configured NAT on the Server-side router with the following commands:

access-list 1 permit 10.1.1.0 0.0.0.255
ip nat inside source list 1 interface serial 1/2 overload

Access list 1 says that every host with a source address in 10.1.1.0 is to be translated out. So when a Server-side internal host replies to a host in the 172.16.1.0 range, the reply packet meets the translation condition as it enters the Server-side router, and therefore it cannot be sent back to the 172.16.1.0 host. How do we fix this? My solution is to change access list 1: first remove access list 1, then define extended access list 111, which specifies that packets from source 10.1.1.0 to destination 172.16.1.0 must not be NAT-translated while all other packets are translated. The commands are as follows:

no access-list 1

no ip nat inside source list 1 interface serial 1/2 overload

access-list 111 deny ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 111 permit ip any any

ip nat inside source list 111 interface serial 1/2 overload

After changing the configuration and resetting the VPN connection, we test again from the Client-side PC.

C:\Documents and Settings\cx>ping 10.1.1.2

Pinging 10.1.1.2 with 32 bytes of data:

Reply from 10.1.1.2: bytes=32 time=242ms TTL=124
Reply from 10.1.1.2: bytes=32 time=319ms TTL=124
Reply from 10.1.1.2: bytes=32 time=344ms TTL=124
Reply from 10.1.1.2: bytes=32 time=270ms TTL=124

Ping statistics for 10.1.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 242ms, Maximum = 344ms, Average = 293ms

C:\Documents and Settings\cx>ping 220.1.2.2

Pinging 220.1.2.2 with 32 bytes of data:

Reply from 220.1.2.2: bytes=32 time=340ms TTL=126
Reply from 220.1.2.2: bytes=32 time=161ms TTL=126
Reply from 220.1.2.2: bytes=32 time=159ms TTL=126
Reply from 220.1.2.2: bytes=32 time=268ms TTL=126

Ping statistics for 220.1.2.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 159ms, Maximum = 340ms, Average = 232ms

We find that now we can reach both the Server side's internal network and the Internet. Ha ha, experiment done!

6) Experiment extension

Continuing on the same lab platform, let's look at using Split Tunneling with Easy VPN Remote in Network-extension Mode.

EZVPN-Server configuration (again without split tunneling enabled at first)

interface serial 1/2
ip address 220.1.3.2 255.255.255.0
no shutdown
exit

interface fastethernet 0/0
ip address 10.1.1.1 255.255.255.0
no keepalive
no shutdown
exit

access-list 1 permit 10.1.1.0 0.0.0.255

ip nat inside source list 1 interface serial 1/2 overload

interface fastethernet 0/0
ip nat inside
exit

interface serial 1/2
ip nat outside
exit

ip route 0.0.0.0 0.0.0.0 serial 1/2

ip local pool Remote-Pool 172.16.1.200 172.16.1.250

username cisco password cisco

aaa new-model

aaa authentication login lab-remote-access local
crypto isakmp xauth timeout 30

aaa authorization network vpn-group local

crypto isakmp enable
crypto isakmp policy 10
authentication pre-share
encryption 3des
group 2
exit

crypto isakmp client configuration group test
key VPNKEY
domain cisco.com
pool Remote-Pool
exit

crypto ipsec transform-set VPNTRANSFORM esp-3des esp-sha-hmac
exit

crypto dynamic-map Dynamic-Map 10
set transform-set VPNTRANSFORM
reverse-route
exit

crypto map ClientMap client authentication list lab-remote-access
crypto map ClientMap client configuration address respond
crypto map ClientMap isakmp authorization list vpn-group
crypto map ClientMap 65535 ipsec-isakmp dynamic Dynamic-Map

interface serial 1/2
crypto map ClientMap
exit

crypto isakmp keepalive 20 10

EZVPN-Client configuration

interface serial 1/2
ip address 220.1.1.2 255.255.255.0
no shutdown
exit

interface fastethernet 0/0
ip address 192.168.10.1 255.255.255.0
no shutdown
exit

access-list 1 permit 192.168.10.0 0.0.0.255

ip nat inside source list 1 interface serial 1/2 overload

interface fastethernet 0/0
ip nat inside
exit

interface serial 1/2
ip nat outside
exit

ip route 0.0.0.0 0.0.0.0 serial 1/2

crypto ipsec client ezvpn test-Client
group test key VPNKEY
peer 220.1.3.2
mode network-extension
connect auto
username cisco password cisco
xauth userid mode local
exit

interface serial 1/2
crypto ipsec client ezvpn test-Client
exit

interface fastethernet 0/0
crypto ipsec client ezvpn test-Client inside
exit

ISP configuration

interface serial 1/0
ip address 220.1.3.1 255.255.255.0
no shutdown
exit

interface serial 1/1
ip address 220.1.1.1 255.255.255.0
no shutdown
exit

interface fastethernet 0/0
ip address 220.1.2.1 255.255.255.0
no shutdown
exit

Next, check the VPN status on the Client router.

EZVPN-Client#show crypt ipsec client ezvpn
Easy VPN Remote Phase: 4

Tunnel name : test-Client
Inside interface list: FastEthernet0/0
Outside interface: Serial1/2
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Default Domain: cisco.com
Save Password: Disallowed
Current EzVPN Peer: 220.1.3.2

View the routing table on the Server side.

EZVPN-Server#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

C    220.1.3.0/24 is directly connected, Serial1/2
S    192.168.10.0/24 [1/0] via 220.1.1.2
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 is directly connected, Serial1/2

In network-extension mode no PAT is needed, so once the VPN is up it behaves like one internal LAN. That is why the show crypto ipsec client ezvpn output shows no IP address obtained from the server's address pool: it is no longer needed. How does the Server side reach the Client side's network then? Because reverse-route is configured on the Server, the Server automatically creates a static route pointing to the Remote internal network. Next we test connectivity from the Client-side PC.

C:\Documents and Settings\cx>ping 220.1.2.2

Pinging 220.1.2.2 with 32 bytes of data:

Reply from 220.1.2.2: bytes=32 time=149ms TTL=126
Reply from 220.1.2.2: bytes=32 time=124ms TTL=126
Reply from 220.1.2.2: bytes=32 time=127ms TTL=126
Reply from 220.1.2.2: bytes=32 time=149ms TTL=126

Ping statistics for 220.1.2.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 124ms, Maximum = 149ms, Average = 137ms

C:\Documents and Settings\cx>ping 10.1.1.2

Pinging 10.1.1.2 with 32 bytes of data:

Reply from 220.1.1.1: Destination host unreachable.
Reply from 220.1.1.1: Destination host unreachable.
Reply from 220.1.1.1: Destination host unreachable.
Reply from 220.1.1.1: Destination host unreachable.

Ping statistics for 10.1.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

We find that the Client-side PC can reach the Internet normally but cannot reach the Server side's internal network through the VPN. Why? Let's trace the packets on the PC.

C:\Documents and Settings\cx>tracert 220.1.2.2

Tracing route to 220.1.2.2 over a maximum of 30 hops

  1    88 ms    47 ms    46 ms  192.168.10.1
  2    80 ms   100 ms   184 ms  220.1.1.1
  3    72 ms    81 ms   236 ms  220.1.2.2

Trace complete.

C:\Documents and Settings\cx>tracert 10.1.1.2

Tracing route to 10.1.1.2 over a maximum of 30 hops

  1    16 ms    27 ms    46 ms  192.168.10.1
  2   132 ms    50 ms    70 ms  220.1.1.1
  3  220.1.1.1  reports: Destination host unreachable.

Trace complete.

The trace shows that the outgoing next hop for both destinations is 220.1.1.1, meaning the packets did not go through the VPN tunnel at all but went straight through PAT, which show ip nat translation on the Client side confirms.

EZVPN-Client#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 220.1.1.2:512     192.168.10.2:512   10.1.1.2:512       10.1.1.2:512
icmp 220.1.1.2:512     192.168.10.2:512   220.1.2.2:512      220.1.2.2:512

So being able to ping the Internet WEB server is expected, but the packets for ping 10.1.1.2 were sent to the ISP router, which has no route to the 10.1.1.0 network, so it returns destination unreachable. How do we solve this? At this point we might think that split tunneling would do the job. Let's try it: first add the split tunneling commands on the Server side, as follows:

access-list 100 permit ip 10.1.1.0 0.0.0.255 any
crypto isakmp client configuration group test
acl 100

Next, re-establish the VPN connection on the Client side and test.

clear crypto session    (clears the existing VPN connection)
Mar 30 14:52:19.935: EZVPN(test-Client): Pending XAuth Request, Please enter the following command:
Mar 30 14:52:19.939: EZVPN: crypto ipsec client ezvpn xauth

Because XAUTH authentication is enabled, the username and password must be entered again after the connection is reset

Use show crypto ipsec client ezvpn to check whether the tunnel was established and whether split tunneling is enabled

EZVPN-Client#show crypt ipsec client ezvpn
Easy VPN Remote Phase: 4

Tunnel name : test-Client
Inside interface list: FastEthernet0/0
Outside interface: Serial1/2
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Default Domain: cisco.com
Save Password: Disallowed
Split Tunnel List: 1
       Address    : 10.1.1.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: 220.1.3.2

We can see split tunneling is set up; next we test from the PC.

C:\Documents and Settings\cx>ping 10.1.1.2

Pinging 10.1.1.2 with 32 bytes of data:

Reply from 220.1.1.1: Destination host unreachable.
Reply from 220.1.1.1: Destination host unreachable.
Reply from 220.1.1.1: Destination host unreachable.
Reply from 220.1.1.1: Destination host unreachable.

Ping statistics for 10.1.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

The result is still destination unreachable. Why? Here is my own understanding. First, we enabled NAT on both the server and the client. When the Easy VPN Client works in Easy VPN Remote Client mode, EZVPN-Client automatically creates a loopback interface, and when a user needs to reach a host behind EZVPN-Server, EZVPN-Client automatically uses the loopback interface's address for PAT. This automatically created PAT takes precedence over our manually configured NAT, and only when the PAT does not match is the NAT consulted. That is why, in Client mode, the PC on the EZVPN-Client internal network cannot ping the Internet by default: all packets are sent into the tunnel instead of out to the Internet, and enabling split tunneling solves that. When the Easy VPN Client works in Easy VPN Remote network-extension mode, however, EZVPN-Client does not need to create a PAT; once the VPN is up it behaves like one internal LAN. Now the only translation on EZVPN-Client is the NAT we configured by hand, so when a packet enters the router it is NAT-translated out before it ever has the chance to be put into the tunnel. This is why, in this mode, we can ping the Internet WEB server but not the PC on the far side's internal network. Enabling split tunneling on the server is of no use here, because the packets are NATed out first. The only fix is to change the NAT configuration on EZVPN-Client, telling NAT which packets to translate and which not to, and to remove the split-tunneling commands on EZVPN-Server. The changes are as follows:

EZVPN-Server side

no access-list 100 permit ip 10.1.1.0 0.0.0.255 any
crypto isakmp client configuration group test
no acl 100

EZVPN-Client side

no access-list 1 permit 192.168.10.0 0.0.0.255
no ip nat inside source list 1 interface serial 1/2 overload

access-list 111 deny ip 192.168.10.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 111 permit ip any any
ip nat inside source list 111 interface serial 1/2 overload

Test from the Client-side PC.

C:\Documents and Settings\cx>ping 10.1.1.2

Pinging 10.1.1.2 with 32 bytes of data:

Reply from 10.1.1.2: bytes=32 time=242ms TTL=124
Reply from 10.1.1.2: bytes=32 time=319ms TTL=124
Reply from 10.1.1.2: bytes=32 time=344ms TTL=124
Reply from 10.1.1.2: bytes=32 time=270ms TTL=124

Ping statistics for 10.1.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 242ms, Maximum = 344ms, Average = 293ms

From the test results it succeeded, ha ha ha! Perhaps at this point we also start wondering about network-extension-plus mode; from my own testing, the behaviour there is the same as in network-extension mode, so I won't repeat it here.
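To make the ordering explained above concrete, here is an added Python model of the EZVPN-Client forwarding decision and of the server-side NAT return path, using the lab's own addresses and ACLs. It is written for this page, not Cisco code or the post's own; the function names, the path labels and the "routed" fallback are assumptions of the model.

```python
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
SERVER_LAN = ip_network("10.1.1.0/24")       # LAN behind EZVPN-Server
CLIENT_LAN = ip_network("192.168.10.0/24")   # LAN behind EZVPN-Client
POOL_ADDR = "172.16.1.201"                   # pool address the lab received in client mode
CLIENT_WAN = "220.1.1.2"                     # EZVPN-Client Serial1/2, used by the manual PAT

# ACLs as (action, source, destination) entries: first match wins, implicit deny at the end.
ACL_1_CLIENT = [("permit", CLIENT_LAN, ANY)]                    # original client NAT list
ACL_111_CLIENT = [("deny", CLIENT_LAN, SERVER_LAN), ("permit", ANY, ANY)]
ACL_1_SERVER = [("permit", SERVER_LAN, ANY)]                    # original server NAT list
ACL_111_SERVER = [("deny", SERVER_LAN, ip_network("172.16.1.0/24")), ("permit", ANY, ANY)]
SPLIT_ACL_100 = [SERVER_LAN]                                    # split-tunnel list pushed by acl 100


def acl_permits(acl, src, dst):
    """Cisco-style first-match evaluation of a NAT access list."""
    for action, s, d in acl:
        if ip_address(src) in s and ip_address(dst) in d:
            return action == "permit"
    return False


def client_forward(mode, src, dst, split_list, nat_acl):
    """Decide what EZVPN-Client does with one packet from its inside interface.

    Returns (path, source address the destination will see).
    split_list=None means no split tunneling: every destination belongs in the tunnel.
    """
    for_tunnel = split_list is None or any(ip_address(dst) in n for n in split_list)
    if mode == "client" and for_tunnel:
        return ("tunnel", POOL_ADDR)          # auto-PAT to the pool address is evaluated first
    if acl_permits(nat_acl, src, dst):
        return ("internet-pat", CLIENT_WAN)   # manual overload PAT on Serial1/2
    if mode == "network-extension" and for_tunnel:
        return ("tunnel", src)                # no PAT: the LAN address crosses the tunnel
    return ("routed", src)                    # plain routing, no translation (assumed fallback)


def server_reply_returns(nat_acl, src, dst):
    """A reply from a server-LAN host follows the reverse route only if the
    server's NAT list does not translate it out toward the ISP first."""
    return not acl_permits(nat_acl, src, dst)


if __name__ == "__main__":
    pc = "192.168.10.2"
    for label, mode, split, acl in [
        ("client mode, no split", "client", None, ACL_1_CLIENT),
        ("client mode + split", "client", SPLIT_ACL_100, ACL_1_CLIENT),
        ("network-extension + split only", "network-extension", SPLIT_ACL_100, ACL_1_CLIENT),
        ("network-extension + NAT exemption", "network-extension", None, ACL_111_CLIENT),
    ]:
        print(label, client_forward(mode, pc, "10.1.1.2", split, acl),
              client_forward(mode, pc, "220.1.2.2", split, acl))
```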

This article is reproduced from: http://ciscoxin.blog.sohu.com/

  • 789stiff (http://newnp.blogcn.com), 2009-5-9 20:01:56
  • For the final ezvpn network-extension mode, the article only says that the client needs to deny the private-network traffic to the server; in fact the server side also has to deny the private-network traffic to the Client, otherwise the ping will certainly fail
