4.1 IKEv2 basic Client to Server DVTI
Source: Internet  Published: linux hotspot connection IP lookup  Editor: 程序博客网  Time: 2024/06/07 22:00
------------------------------------------------------
      tunnel0 ------------------------- Virtual-Access
      |                                              |
      |     202.100.1.0             61.128.1.0       |
------Client------------Internet--------Server--------
172.16.1.1 .1        .10      .10 .1        10.1.1.1
----------------------------------------------------
hostname Client
interface Loopback 0
ip address 172.16.1.1 255.255.255.0
interface FastEthernet 0/0
ip address 202.100.1.1 255.255.255.0
no shutdown
duplex full
ip route 0.0.0.0 0.0.0.0 202.100.1.10
hostname Internet
interface FastEthernet 0/0
ip address 202.100.1.10 255.255.255.0
no shutdown
interface FastEthernet 1/0
ip address 61.128.1.10 255.255.255.0
no shutdown
hostname Server
interface loopback 0
ip address 10.1.1.1 255.255.255.0
interface FastEthernet 1/0
ip address 61.128.1.1 255.255.255.0
no shutdown
duplex full
ip route 0.0.0.0 0.0.0.0 61.128.1.10
----------------------------------------------------
Server:
1.config AAA
aaa new-model
aaa authentication login noacs line none
line con 0
login authentication noacs
line aux 0
login authentication noacs
aaa authorization network Yeslab-Local-Group-Author-List local
2.config authorization policy
ip access-list standard Server-Network
permit 10.1.1.0 0.0.0.255
ip local pool Yeslab-Address-Pool 192.168.1.100 192.168.1.200
crypto ikev2 authorization policy Yeslab-IKEv2-Author-Policy
pool Yeslab-Address-Pool
route set access-list Server-Network (local network pushed to the remote peer)
3.config IKEv2 Keyring
crypto ikev2 keyring Yeslab-IKEv2-Keyring
peer Flex-VPN
address 202.100.1.1
pre-shared-key local Yeslab-Server
pre-shared-key remote Yeslab-Client
4.config IKEv2 Profile
crypto ikev2 profile Yeslab-IKEv2-Profile
match identity remote address 202.100.1.1
identity local address 61.128.1.1
authentication remote pre-share
authentication local pre-share
keyring local Yeslab-IKEv2-Keyring
aaa authorization group psk list Yeslab-Local-Group-Author-List Yeslab-IKEv2-Author-Policy
virtual-template 1
5.config ipsec profile
crypto ipsec profile Yeslab-IPSec-Profile
set ikev2-profile Yeslab-IKEv2-Profile
6.config Virtual-Template
interface Virtual-Template 1 type tunnel
ip unnumbered FastEthernet 1/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile Yeslab-IPSec-Profile
-----------------------------------------
Client:
aaa new-model
aaa authentication login noacs line none
line con 0
login authentication noacs
line aux 0
login authentication noacs
aaa authorization network Yeslab-Local-Group-Author-List local
ip access-list standard Client-Network
permit 172.16.1.0 0.0.0.255
crypto ikev2 authorization policy Yeslab-IKEv2-Author-Policy
route set access-list Client-Network (local network pushed to the remote peer)
crypto ikev2 keyring Yeslab-IKEv2-Keyring
peer Server
address 61.128.1.1
pre-shared-key local Yeslab-Client
pre-shared-key remote Yeslab-Server
crypto ikev2 profile Yeslab-IKEv2-Profile
match identity remote address 61.128.1.1 255.255.255.255
identity local address 202.100.1.1
authentication remote pre-share
authentication local pre-share
keyring local Yeslab-IKEv2-Keyring
aaa authorization group psk list Yeslab-Local-Group-Author-List Yeslab-IKEv2-Author-Policy
crypto ipsec profile Yeslab-IPSec-Profile
set ikev2-profile Yeslab-IKEv2-Profile
interface Tunnel 0
ip address negotiated
tunnel source FastEthernet 0/0
tunnel mode ipsec ipv4
tunnel destination dynamic
tunnel protection ipsec profile Yeslab-IPSec-Profile
crypto ikev2 client flexvpn Yeslab-Flex-Client
peer 1 61.128.1.1
client connect Tunnel 0
-----------------------------------------
show crypto engine connections active
ping 10.1.1.1 source lo 0
----------------------------------------------------
4.2 Additional authorization attributes on the Server side
Server:
aaa attribute list Yeslab-Attr-List
attribute type interface-config "ip mtu 1100"
attribute type interface-config "tunnel key 10"
crypto ikev2 authorization policy Yeslab-IKEv2-Author-Policy
pool pool1
dhcp server 192.168.4.1
dhcp giaddr 192.168.1.1
dhcp timeout 10
dns 10.1.1.1 10.1.1.2
wins 192.168.1.2 192.168.1.3
netmask 255.0.0.0
banner ^C flexvpn server ^C
aaa attribute list Yeslab-Attr-List
crypto ikev2 authorization policy Yeslab-IKEv2-Author-Policy
configuration url http://www.cisco.com
configuration version 10
def-domain cisco.com
split-dns dns1
split-dns dns2
split-dns dns3
backup-gateway gw1
backup-gateway gw2
backup-gateway gw3
smartcard-removal-disconnect
include-local-lan
pfs
----------------------------------------------------
4.3 Certificate authentication Client to Server DVTI
------------------------------------------------------
      tunnel0 ------------------------- Virtual-Access
      |                                              |
      |     202.100.1.0             61.128.1.0       |
------Client------------Internet--------Server--------
172.16.1.1 .1   |    .10      .10  |  .1    10.1.1.1
                |                  |
              .100                / \
              win7          .100     .241
                         win2008    ACS5.3
-------------------------------------------------------
alias exec i show ip inter brief
alias exec e show crypto engine connections active
hostname Client
interface Loopback 0
ip address 172.16.1.1 255.255.255.0
interface FastEthernet 0/0
ip address 202.100.1.1 255.255.255.0
no shutdown
duplex full
ip route 0.0.0.0 0.0.0.0 202.100.1.10
hostname Internet
interface FastEthernet 0/0
ip address 202.100.1.10 255.255.255.0
no shutdown
interface FastEthernet 1/0
ip address 61.128.1.10 255.255.255.0
no shutdown
hostname Server
interface loopback 0
ip address 10.1.1.1 255.255.255.0
interface FastEthernet 1/0
ip address 61.128.1.1 255.255.255.0
no shutdown
duplex full
ip route 0.0.0.0 0.0.0.0 61.128.1.10
------------------------------------------------
Server:
Configure the trustpoint on the Server
Important: manually synchronize the device clock before configuring
ip domain name mingjiao.org
ip name-server 61.128.1.100
ip domain-lookup
enable password cisco
crypto pki trustpoint CA
enrollment terminal
fqdn Server.mingjiao.org
subject-name cn=Server.mingjiao.org,ou=MingJiao
revocation-check none
rsakeypair Server.mingjiao.org 1024
eku request server-auth
Client:
Important: manually synchronize the device clock before configuring
ip domain name mingjiao.org
ip name-server 61.128.1.100
ip domain-lookup
enable password cisco
crypto pki trustpoint CA
enrollment terminal
fqdn Client.mingjiao.org
subject-name cn=Client.mingjiao.org,ou=HardwareClient
revocation-check none
rsakeypair Client.mingjiao.org
eku request client-auth
---------------------------------
Server:
crypto pki authenticate CA
paste the root certificate
yes
crypto pki enroll CA
no
no
yes
no
crypto pki import CA certificate
paste the certificate
end
Client:
crypto pki authenticate CA
paste the root certificate
yes
crypto pki enroll CA
no
no
yes
no
crypto pki import CA certificate
paste the certificate
end
-----------------------------------------
show crypto pki certificates verbose
---------------------------------------------
Server:
1.config AAA
aaa new-model
aaa authentication login noacs line none
line con 0
login authentication noacs
line aux 0
login authentication noacs
aaa authorization network Yeslab-Local-Group-Author-List local
ip access-list standard Server-Network
permit 10.1.1.0 0.0.0.255
ip local pool Yeslab-Address-Pool 192.168.1.100 192.168.1.200
crypto ikev2 authorization policy Yeslab-IKEv2-Author-Policy
pool Yeslab-Address-Pool
route set access-list Server-Network
crypto pki certificate map Yeslab-Cert-Map 10
subject-name co ou=HardwareClient
crypto ikev2 profile Yeslab-IKEv2-Profile
match certificate Yeslab-Cert-Map
identity local fqdn Server.mingjiao.org
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint CA
aaa authorization group cert list Yeslab-Local-Group-Author-List Yeslab-IKEv2-Author-Policy
virtual-template 1
crypto ipsec profile Yeslab-IPSec-Profile
set ikev2-profile Yeslab-IKEv2-Profile
interface Virtual-Template 1 type tunnel
ip unnumbered FastEthernet 1/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile Yeslab-IPSec-Profile
-------------------------------------------
Client :
aaa new-model
aaa authentication login noacs line none
line con 0
login authentication noacs
line aux 0
login authentication noacs
aaa authorization network Yeslab-Local-Group-Author-List local
ip access-list standard Client-Network
permit 172.16.1.0 0.0.0.255
crypto ikev2 authorization policy Yeslab-IKEv2-Author-Policy
route set access-list Client-Network
crypto pki certificate map Yeslab-Cert-Map 10
subject-name co ou=mingjiao
crypto ikev2 profile Yeslab-IKEv2-Profile
match certificate Yeslab-Cert-Map
identity local fqdn Client.mingjiao.org
authentication remote rsa-sig
authentication local rsa-sig
aaa authorization group cert list Yeslab-Local-Group-Author-List Yeslab-IKEv2-Author-Policy
pki trustpoint CA
crypto ipsec profile Yeslab-IPSec-Profile
set ikev2-profile Yeslab-IKEv2-Profile
interface tunnel 0
ip address negotiated
tunnel source FastEthernet 0/0
tunnel mode ipsec ipv4
tunnel destination dynamic
tunnel protection ipsec profile Yeslab-IPSec-Profile
crypto ikev2 client flexvpn Yeslab-Flex-Client
peer 1 61.128.1.1
client connect Tunnel 0
-----------------------------------------
ping 10.1.1.1 source lo 0 re 100
------------------------------------------------
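As an added consistency check for the PSK keyring in 4.1 and the certificate map in 4.3 (example code written for this page, not from the original post or from Cisco), the script below parses constructed excerpts of both sides' configuration and verifies that each side's local pre-shared key equals the peer's remote key (IKEv2 compares them byte-for-byte, so a difference in case alone breaks authentication) and that the Server's subject-name co rule is satisfied by the Client's certificate subject. Treating co as a case-insensitive substring match, and the excerpt contents themselves, are assumptions.

```python
import re

# Constructed excerpts (not the page's files): a Server, and a Client whose remote PSK differs in case and whose OU is misspelled.
SERVER_CFG = """\
crypto ikev2 keyring Yeslab-IKEv2-Keyring
 peer Flex-VPN
  pre-shared-key local Yeslab-Server
  pre-shared-key remote Yeslab-Client
crypto pki certificate map Yeslab-Cert-Map 10
 subject-name co ou=HardwareClient
"""
CLIENT_CFG = """\
crypto ikev2 keyring Yeslab-IKEv2-Keyring
 peer Server
  pre-shared-key local Yeslab-Client
  pre-shared-key remote yeslab-Server
crypto pki trustpoint CA
 subject-name cn=Client.mingjiao.org,ou=HardwareClinet
"""

def blocks(cfg, prefix):
    """Return the indented body lines of every top-level command starting with prefix."""
    found, body = [], None
    for line in cfg.splitlines():
        if not line.startswith(" "):
            body = [] if line.startswith(prefix) else None
            if body is not None:
                found.append(body)
        elif body is not None:
            body.append(line.strip())
    return found

def psks(cfg):
    """Map 'local'/'remote' to the pre-shared key configured under the keyring peer."""
    out = {}
    for body in blocks(cfg, "crypto ikev2 keyring"):
        for line in body:
            m = re.match(r"pre-shared-key (local|remote) (\S+)", line)
            if m:
                out[m.group(1)] = m.group(2)
    return out

def check_psk(server_cfg, client_cfg):
    """IKEv2 compares PSKs byte-for-byte: each side's local key must equal the peer's remote key."""
    s, c = psks(server_cfg), psks(client_cfg)
    return [f"Server {a} PSK != Client {b} PSK"
            for a, b in (("local", "remote"), ("remote", "local")) if s.get(a) != c.get(b)]

def check_cert_map(server_cfg, client_cfg):
    """Return the Server's 'subject-name co' rules that the Client's trustpoint subject would
    not satisfy; 'co' is treated as a case-insensitive substring match (assumption)."""
    subject = " ".join(ln for b in blocks(client_cfg, "crypto pki trustpoint")
                       for ln in b if ln.startswith("subject-name ")).lower()
    rules = [ln.split(" co ", 1)[1] for b in blocks(server_cfg, "crypto pki certificate map")
             for ln in b if " co " in ln]
    return [r for r in rules if r.lower() not in subject]
```

Running check_psk and check_cert_map on the two excerpts reports the case-mismatched PSK and the unmatched OU; both return empty lists once the Client side is corrected.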