(1) VPN Access Server Configuration
Lab Network Topology:
PC (VPN Client 4.01) --- switch --- Router 1720 (VPN access server)
PC Configuration:
IP: 10.130.23.242/28
GW: 10.130.23.246
1720 interface IP addresses:
F0: 10.130.23.246/28
Lo0: 172.16.1.1/24
1720 IOS image: c1700-k93sy7-mz.122-8.T5.bin
Steps:
1. Configure the ISAKMP policy:
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
2. Configure the VPN client address pool:
crypto isakmp client configuration address-pool local pool192
ip local pool pool192 192.168.1.1 192.168.1.254
3. Configure the VPN client group parameters:
crypto isakmp client configuration group vclient-group
#### vclient-group is the group authentication name entered when configuring the connection on the VPN client.
 key vclient-key
#### vclient-key is the group authentication password entered when configuring the connection on the VPN client.
 pool pool192 #### the client's IP address is assigned from this pool
#### The preceding two parameters are required. Other optional parameters include domain, dns, and wins.
4. Configure the IPsec transform set:
crypto ipsec transform-set vclient-tfs esp-3des esp-sha-hmac
5. Configure the map template (dynamic crypto map):
crypto dynamic-map template-map 1
 set transform-set vclient-tfs #### uses the transform set from step 4
6. Configure vpnmap:
crypto map vpnmap 1 ipsec-isakmp dynamic template-map #### uses the map template from step 5
crypto map vpnmap isakmp authorization list vclient-group #### uses the group from step 3 for authorization
crypto map vpnmap client configuration address respond #### respond to the client's address allocation request
#### The crypto map must also be applied to the outside interface (crypto map vpnmap under interface FastEthernet0, as shown in the complete configuration below); a dynamic map does nothing until the crypto map that references it is bound to an interface.
7. Configure static routing:
ip route 192.168.1.0 255.255.255.0 FastEthernet0 #### return traffic for the client pool must leave through the interface that carries the crypto map so that it is encrypted
Notes:
(1) Because the 1720 has only one FastEthernet port, the lo0 address on the router is used to simulate the router's internal network.
(2) The IP address pool used by VPN clients must not overlap with the router's internal network addresses.
(3) The 10.130.23.0 block simulates the public network. The 172.16.1.0 block is the internal network behind the 1720, and the 192.168.1.0 block is the address space handed to VPN clients (the tunnel side).
(4) No way was found to set the subnet mask that the VPN client obtains; IOS does not seem to support this.
(5) Split-tunnel configuration: first define access-list 133 permit ip 172.16.1.0 0.0.0.255 any so that only traffic for the 1720's local network is sent through the tunnel, then add the parameter acl 133 to the group in step 3. Without it, all of the client's traffic is sent through the tunnel.
(6) The group pre-shared key is stored in clear text in the running configuration (key vclient-key in the output below), and no client authentication list (XAUTH) is configured on the crypto map, so the group name and key are the only credentials a client needs. Treat show run output as sensitive and change the key before reusing this configuration outside the lab.
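Notes (2) and (5) are easy to get wrong by hand, so here is an added check (example code written for this page, not part of the original lab note) that parses a running-config excerpt and verifies the address plan: the client pool must not overlap any directly connected network, and, when an acl is set on the group, the split-tunnel ACL must cover every inside network (every interface that does not carry the crypto map). The config text is constructed from the lab configuration with the split-tunnel ACL from note (5) added; the parser assumes IOS's one-space indentation of sub-commands. A malformed wildcard such as the 0.0.255 typo is reported as a finding rather than crashing the check.

```python
import ipaddress
import re

# Constructed running-config excerpt, assembled from the lab configuration
# above with the split-tunnel ACL from note (5) added to the group.
SAMPLE_CONFIG = """\
crypto isakmp client configuration group vclient-group
 key vclient-key
 pool pool192
 acl 133
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
interface FastEthernet0
 ip address 10.130.23.246 255.255.255.240
 crypto map vpnmap
ip local pool pool192 192.168.1.1 192.168.1.254
access-list 133 permit ip 172.16.1.0 0.0.0.255 any
"""


def parse_interfaces(config):
    """Return {name: {"net": IPv4Network or None, "crypto_map": str or None}}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = {"net": None, "crypto_map": None}
            continue
        if current is None or not line.startswith(" "):
            current = None          # left the interface block
            continue
        m = re.match(r"^ ip address (\S+) (\S+)$", line)
        if m:
            interfaces[current]["net"] = ipaddress.ip_interface(
                f"{m.group(1)}/{m.group(2)}").network
        m = re.match(r"^ crypto map (\S+)", line)
        if m:
            interfaces[current]["crypto_map"] = m.group(1)
    return interfaces


def parse_pools(config):
    """Return {name: (first, last)} from 'ip local pool NAME FIRST LAST' lines."""
    return {m.group(1): (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
            for m in re.finditer(r"^ip local pool (\S+) (\S+) (\S+)", config, re.M)}


def parse_group(config):
    """Return the pool and acl settings from the client configuration group."""
    settings, in_group = {}, False
    for line in config.splitlines():
        if line.startswith("crypto isakmp client configuration group "):
            in_group = True
        elif in_group and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            if key in ("pool", "acl"):
                settings[key] = value
        else:
            in_group = False
    return settings


def parse_split_acl(config, number):
    """Networks the split-tunnel ACL sends through the tunnel; raises ValueError
    when a wildcard is malformed (the '0.0.255' typo is the usual case)."""
    pattern = rf"^access-list {number} permit ip (\S+) (\S+) any"
    # ipaddress accepts an IOS wildcard directly as a hostmask: 172.16.1.0/0.0.0.255
    return [ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            for m in re.finditer(pattern, config, re.M)]


def check_plan(config):
    """Apply notes (2) and (5); return a list of findings, empty when consistent."""
    findings = []
    interfaces = parse_interfaces(config)
    pools = parse_pools(config)
    group = parse_group(config)
    pool_name = group.get("pool")
    if pool_name not in pools:
        return [f"group references undefined pool {pool_name!r}"]
    first, last = pools[pool_name]
    # Note (2): the client pool must not overlap any directly connected network.
    for name, info in interfaces.items():
        net = info["net"]
        if net and not (last < net.network_address or first > net.broadcast_address):
            findings.append(f"pool {pool_name} ({first}-{last}) overlaps {name} {net}")
    # Note (5): the split ACL must cover the network of every interface that
    # does not carry the crypto map (the inside networks).
    if "acl" in group:
        try:
            permitted = parse_split_acl(config, group["acl"])
        except ValueError as exc:
            return findings + [f"access-list {group['acl']} is malformed: {exc}"]
        for name, info in interfaces.items():
            if info["net"] and info["crypto_map"] is None:
                if not any(info["net"].subnet_of(p) for p in permitted):
                    findings.append(f"{name} {info['net']} not covered by split ACL {group['acl']}")
    return findings


if __name__ == "__main__":
    print(check_plan(SAMPLE_CONFIG) or "address plan is consistent")
```

Feed it the output of show run (or the excerpt above); an empty list means the pool, interface networks and split ACL agree with each other, anything else is a line to fix before connecting a client.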
Complete 1720 configuration:
VPN1720# sh run
Building configuration...
Current configuration: 1321 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname VPN1720
!
enable secret 5 $1$aNmA$b0AqzlCr3MfM5XU0IAmED.
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local pool192
!
crypto isakmp client configuration group vclient-group
 key vclient-key
 domain test.com
 pool pool192
!
!
crypto ipsec transform-set vclient-tfs esp-3des esp-sha-hmac
!
crypto dynamic-map template-map 1
 set transform-set vclient-tfs
!
!
crypto map vpnmap isakmp authorization list vclient-group
crypto map vpnmap client configuration address respond
crypto map vpnmap 1 ipsec-isakmp dynamic template-map
!
!
!
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0
 ip address 10.130.23.246 255.255.255.240
 speed auto
 crypto map vpnmap
!
interface Serial0
 no ip address
 shutdown
!
ip local pool pool192 192.168.1.1 192.168.1.254
ip classless
ip route 192.168.1.0 255.255.255.0 FastEthernet0
no ip http server
ip pim bidir-enable
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
no scheduler allocate
end
VPN Client 4.01 Configuration:
Create a connection entry with any name. Enter the F0 address of the VPN access server, 10.130.23.246, as the host. Under Group Authentication, set Name to vclient-group and Password to vclient-key.
Test:
(1) Run the VPN Client on the PC and connect to the VPN access server.
(2) ipconfig /all: view the obtained IP address and other parameters.
(3) On the router, show crypto isakmp sa to check whether phase 1 completed (the SA should be in state QM_IDLE).
(4) From the router, ping the IP address the client obtained; the ping should succeed.
(5) From the client, ping the router's lo0 address 172.16.1.1.
(6) View Status > Statistics in the VPN Client software to see the volume of encrypted and decrypted data.
(7) show crypto ipsec sa on the 1720 also shows the encrypted and decrypted packet counters.
Common debugging commands:
show crypto isakmp sa
show crypto ipsec sa
clear crypto sa
clear crypto isakmp
debug crypto isakmp ##### the most commonly used debug; use it to locate basic VPN connection errors (for example a group name, key or policy mismatch)
debug crypto ipsec
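The test steps and the show commands above can be turned into a mechanical check. The following is an added example written for this page (not part of the original lab note) that parses the output of show crypto isakmp sa and show crypto ipsec sa and reports where a connection attempt stopped: no SA at all, phase 1 stuck in a non-QM_IDLE state, or phase 1 up but no traffic encrypted, including the classic case where packets are decrypted but never encrypted because replies to the client pool do not reach the crypto map (the step 7 route). The sample outputs are constructed to follow the 12.2-era column layout with the lab's addresses substituted in; they were not captured from the router.

```python
import re

# Constructed outputs, not captured from the lab router. They follow the
# 12.2-era column layout of "show crypto isakmp sa" and the counter lines of
# "show crypto ipsec sa" with the lab's addresses substituted in.
ISAKMP_SA_UP = """\
dst             src             state          conn-id slot
10.130.23.246   10.130.23.242   QM_IDLE              1    0
"""

# Phase 1 stuck in aggressive mode (the VPN Client uses aggressive mode with
# the group name as its identity); typical of a wrong group name or key.
ISAKMP_SA_STUCK = """\
dst             src             state          conn-id slot
10.130.23.246   10.130.23.242   AG_INIT_EXCH         1    0
"""

IPSEC_SA_OK = """\
interface: FastEthernet0
    Crypto map tag: vpnmap, local addr. 10.130.23.246

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)
   current_peer: 10.130.23.242
     PERMIT, flags={}
    #pkts encaps: 12, #pkts encrypt: 12, #pkts digest 12
    #pkts decaps: 12, #pkts decrypt: 12, #pkts verify 12
    #send errors 0, #recv errors 0
"""

# Same SA but nothing has been encrypted: the client's packets arrive and are
# decrypted, yet the replies never hit the crypto map (step 7 route missing).
IPSEC_SA_NO_RETURN = IPSEC_SA_OK.replace(
    "#pkts encaps: 12, #pkts encrypt: 12, #pkts digest 12",
    "#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0")

# IKE phase 1 states as printed by show crypto isakmp sa.
IKE_STATES = {
    "QM_IDLE": "phase 1 complete, quick mode can run",
    "MM_NO_STATE": "main mode: SA created, nothing received from peer",
    "MM_SA_SETUP": "main mode: policy agreed, key exchange pending",
    "MM_KEY_EXCH": "main mode: keys exchanged, peer not yet authenticated",
    "MM_KEY_AUTH": "main mode: authenticated, moving to QM_IDLE",
    "AG_NO_STATE": "aggressive mode: SA created, nothing received from peer",
    "AG_INIT_EXCH": "aggressive mode: first exchange done, authentication pending",
    "AG_AUTH": "aggressive mode: authenticated, moving to QM_IDLE",
}


def parse_isakmp_sa(output):
    """Return [(dst, src, state, conn_id)] rows, skipping the header line."""
    rows = []
    for line in output.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 4 and parts[3].isdigit():
            rows.append((parts[0], parts[1], parts[2], int(parts[3])))
    return rows


def parse_ipsec_counters(output):
    """Pull the encrypt/decrypt/error counters out of show crypto ipsec sa."""
    counters = {}
    for key, pattern in (("encrypt", r"#pkts encrypt: (\d+)"),
                         ("decrypt", r"#pkts decrypt: (\d+)"),
                         ("send_errors", r"#send errors (\d+)"),
                         ("recv_errors", r"#recv errors (\d+)")):
        m = re.search(pattern, output)
        counters[key] = int(m.group(1)) if m else 0
    return counters


def diagnose(client_ip, isakmp_output, ipsec_output):
    """Walk the test steps in order: phase 1 state first, then IPsec counters."""
    rows = [r for r in parse_isakmp_sa(isakmp_output) if client_ip in r[:2]]
    if not rows:
        return "no ISAKMP SA with client; check the host address, then debug crypto isakmp"
    state = rows[0][2]
    if state != "QM_IDLE":
        return f"phase 1 incomplete ({state}: {IKE_STATES.get(state, 'unknown state')})"
    c = parse_ipsec_counters(ipsec_output)
    if c["encrypt"] == 0 and c["decrypt"] == 0:
        return "phase 1 up but no IPsec traffic yet; check the transform set and generate traffic"
    if c["decrypt"] > 0 and c["encrypt"] == 0:
        return ("decrypting but never encrypting: replies to the client pool are not "
                "reaching the crypto map; check the ip route for 192.168.1.0/24")
    return f"tunnel passing traffic: {c['encrypt']} encrypted, {c['decrypt']} decrypted"


if __name__ == "__main__":
    for isakmp, ipsec in ((ISAKMP_SA_UP, IPSEC_SA_OK), (ISAKMP_SA_STUCK, IPSEC_SA_OK),
                          (ISAKMP_SA_UP, IPSEC_SA_NO_RETURN)):
        print(diagnose("10.130.23.242", isakmp, ipsec))
```

Paste real output into the two strings and pass the client's public address (the src column, 10.130.23.242 in this lab); the verdict tells you which of the steps above to go back to, and which debug to enable next.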
[Editor: Zenghui]