
Cisco 2611 Router
vpn2611#show run
Building configuration...

Current configuration : 2265 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname vpn2611
!
!--- Enable AAA for user authentication
!--- and group authorization.
aaa new-model
!
!
!--- To enable X-Auth for user authentication,
!--- enable the aaa authentication commands.
aaa authentication login userauthen local
!--- To enable group authorization, enable
!--- the aaa authorization commands.
aaa authorization network groupauthor local
aaa session-id common
!
!--- For local authentication of the IPSec user,
!--- create the user with a password.
username cisco password 0 cisco
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
!--- Create an Internet Security Association and
!--- Key Management Protocol (ISAKMP)
!--- policy for Phase 1 negotiations for the VPN 3.x clients.
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
!--- Create an ISAKMP policy for Phase 1
!--- negotiations for the LAN-to-LAN tunnels.
!--- No encr or group is specified here, so this policy
!--- uses the IOS defaults (DES encryption, DH group 1).
crypto isakmp policy 10
 hash md5
 authentication pre-share
!--- Specify the pre-shared key for the LAN-to-LAN tunnel.
!--- Make sure that you use the no-xauth parameter with
!--- this ISAKMP key: the crypto map below has client
!--- authentication enabled, and without no-xauth the router
!--- would also prompt the LAN-to-LAN peer for X-Auth.
crypto isakmp key cisco123 address 172.18.124.199 no-xauth
!
!--- Create a group that will be used to
!--- specify the WINS and DNS server addresses
!--- to the client, along with the pre-shared
!--- key for authentication.
crypto isakmp client configuration group 3000client
 key cisco123
 dns 10.10.10.10
 wins 10.10.10.20
 domain cisco.com
 pool ippool
!
!
!--- Create the Phase 2 policy for actual data encryption.
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
!--- Create a dynamic map and apply
!--- the transform set that was created above.
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
!--- Create the actual crypto map, and
!--- apply the aaa lists that were created
!--- earlier. Also create a new instance for your
!--- LAN-to-LAN tunnel. Specify the peer IP address,
!--- transform set and an Access Control List (ACL) for this
!--- instance.
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 1 ipsec-isakmp
 set peer 172.18.124.199
 set transform-set myset
 match address 100
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
fax interface-type fax-mail
mta receive maximum-recipients 0
!
!
!--- Apply the crypto map on the outside interface.
interface Ethernet0/0
 ip address 172.18.124.159 255.255.255.0
 half-duplex
 crypto map clientmap
!
interface Serial0/0
 no ip address
 shutdown
!
interface Ethernet0/1
 ip address 10.10.10.1 255.255.255.0
 no keepalive
 half-duplex
!
!
!--- Create a pool of addresses to be
!--- assigned to the VPN Clients.
ip local pool ippool 14.1.1.100 14.1.1.200
ip classless
ip route 0.0.0.0 0.0.0.0 172.18.124.1
ip http server
ip pim bidir-enable
!
!
!--- Create an ACL for the traffic
!--- to be encrypted. In this example,
!--- the traffic from 10.10.10.0/24 to 10.10.20.0/24
!--- is encrypted.
access-list 100 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
!
!
snmp-server community foobar RO
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
!
!
end
Configuring the 3640 Router

Cisco 3640 Router
vpn3640#show run
Building configuration...

Current configuration : 1287 bytes
!
! Last configuration change at 13:47:37 UTC Wed Mar 6 2002
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname vpn3640
!
!
ip subnet-zero
ip cef
!
!--- Create an ISAKMP policy for Phase 1
!--- negotiations for the LAN-to-LAN tunnels.
!--- It must match policy 10 on vpn2611 (MD5 hash,
!--- pre-shared keys, and the IOS defaults of DES and DH group 1).
crypto isakmp policy 10
 hash md5
 authentication pre-share
!--- Specify the pre-shared key for the LAN-to-LAN
!--- tunnel. You do not have to add the
!--- no-xauth parameter, because this router is not
!--- doing Cisco Unity Client IPSec authentication
!--- (no client authentication list is applied to its crypto map).
crypto isakmp key cisco123 address 172.18.124.159
!
!
!--- Create the Phase 2 policy for actual data encryption.
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
!--- Create the actual crypto map. Specify
!--- the peer IP address, transform
!--- set and an ACL for this instance.
crypto map mymap 10 ipsec-isakmp
 set peer 172.18.124.159
 set transform-set myset
 match address 100
!
call rsvp-sync
!
!
!
!--- Apply the crypto map on the outside interface.
interface Ethernet0/0
 ip address 172.18.124.199 255.255.255.0
 half-duplex
 crypto map mymap
!
interface Ethernet0/1
 ip address 10.10.20.1 255.255.255.0
 half-duplex
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.18.124.1
ip http server
ip pim bidir-enable
!
!--- Create an ACL for the traffic to
!--- be encrypted. In this example,
!--- the traffic from 10.10.20.0/24 to 10.10.10.0/24
!--- is encrypted (the mirror image of ACL 100 on vpn2611).
access-list 100 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
snmp-server community foobar RO
!
dial-peer cor custom
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 login
!
end
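The two configurations above share a number of settings that a reviewer would flag before deploying them outside a lab: plaintext passwords (`no service password-encryption`, a type 0 `username` password), a v1/v2c SNMP community, cleartext HTTP management, an ISAKMP policy that falls back to the IOS defaults of DES and DH group 1 because it sets neither `encr` nor `group`, the same pre-shared key `cisco123` for both the remote-access group and the LAN-to-LAN peer, and the `no-xauth` requirement that the comments on vpn2611 stress. The following script is an added example written for this page, not Cisco tooling, and checks a pasted `show run` for exactly those conditions. `SAMPLE_CONFIG` is a constructed excerpt modelled on the vpn2611 configuration rather than a capture from a device; the DES and DH group 1 defaults it reports are the documented IOS ISAKMP defaults. Run against the vpn3640 configuration, the `no-xauth` check stays quiet, because no crypto map on that router carries a `client authentication list`.

```python
"""Audit a Cisco IOS running-config for the weak settings visible in the
sample configurations above. Added example for this page, not Cisco code."""
import re

# Constructed excerpt modelled on the vpn2611 configuration above (not a
# capture from a real device). It deliberately keeps the page's settings.
SAMPLE_CONFIG = """\
version 12.2
no service password-encryption
hostname vpn2611
!
aaa new-model
aaa authentication login userauthen local
username cisco password 0 cisco
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 172.18.124.199
!
crypto isakmp client configuration group 3000client
 key cisco123
 pool ippool
!
crypto map clientmap client authentication list userauthen
crypto map clientmap 1 ipsec-isakmp
 set peer 172.18.124.199
 set transform-set myset
 match address 100
!
ip http server
snmp-server community foobar RO
line con 0
 exec-timeout 0 0
line vty 0 4
end
"""


def parse_blocks(config):
    """Split a running-config into (command, [sub-commands]) pairs.

    IOS indents sub-mode commands with one space; '!' lines are separators.
    """
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config):
    """Return a list of finding strings for the weak settings in `config`."""
    blocks = parse_blocks(config)
    findings = []
    psks = {}  # pre-shared key -> places it is used

    # XAUTH is requested from every IKE peer of a crypto map that has
    # 'client authentication list', unless the peer's key says no-xauth.
    xauth_on = any(re.match(r"crypto map \S+ client authentication list", cmd)
                   for cmd, _ in blocks)

    for cmd, sub in blocks:
        if cmd == "no service password-encryption":
            findings.append("global: service password-encryption is disabled")
        elif m := re.match(r"username (\S+) password 0 ", cmd):
            findings.append(f"aaa: user {m.group(1)} has a type 0 (plaintext) password")
        elif re.match(r"snmp-server community \S+ R[OW]", cmd):
            findings.append("snmp: v1/v2c community string configured")
        elif cmd == "ip http server":
            findings.append("mgmt: cleartext HTTP management enabled")
        elif m := re.match(r"crypto isakmp policy (\d+)", cmd):
            pol = m.group(1)
            if not any(s.startswith("encr") for s in sub):
                findings.append(f"isakmp policy {pol}: no encr line, IOS defaults to 56-bit DES")
            if "hash md5" in sub:
                findings.append(f"isakmp policy {pol}: hash md5")
            if not any(s.startswith("group") for s in sub):
                findings.append(f"isakmp policy {pol}: no group line, IOS defaults to DH group 1 (768-bit)")
            elif "group 2" in sub:
                findings.append(f"isakmp policy {pol}: DH group 2 (1024-bit)")
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)(.*)", cmd):
            key, peer, rest = m.groups()
            psks.setdefault(key, []).append(f"LAN-to-LAN peer {peer}")
            if xauth_on and "no-xauth" not in rest:
                findings.append(f"isakmp key for {peer}: no-xauth missing while a crypto map "
                                "has client authentication; the peer router will be asked for XAUTH")
        elif m := re.match(r"crypto isakmp client configuration group (\S+)", cmd):
            for s in sub:
                if s.startswith("key "):
                    psks.setdefault(s.split(None, 1)[1], []).append(f"client group {m.group(1)}")
        elif cmd.startswith("line ") and "exec-timeout 0 0" in sub:
            findings.append(f"{cmd}: exec-timeout 0 0 disables the idle timeout")

    for key, places in psks.items():
        if len(places) > 1:
            findings.append("psk: the same pre-shared key is used for " + " and ".join(places))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of `show run` from either router (`python audit.py < vpn2611.txt`, after replacing `SAMPLE_CONFIG` with `sys.stdin.read()`); the only state it needs is the `client authentication list` line, which is why the `no-xauth` finding appears for vpn2611 and not for vpn3640.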