Comprehensive Project: IPSec VPN Configuration Comprehensive Lab.docx

Hunan Industry Polytechnic, Department of Information Engineering
Project name: IPSec VPN Configuration Comprehensive Lab
Class: Computer Networking S09-1
Instructor: 杨丽莎
Names and student numbers: 李慎铭 03, 李洋 13

Comprehensive Project: IPSec VPN Configuration Comprehensive Lab

I. Lab Description

A company has two branches. IPSec VPNs are to be built between the company and the branches, and between a branch and a remote client, so that the internal networks can reach each other.

II. Lab Topology

III. Lab Requirements

1. The company router ZBvpn, branch FBvpn, branch FBezvpn and the remote client webvpnclient are connected through the router ISP. Configure the routers to provide the Internet function so that the networks can reach each other.
2. Implement an IPSec VPN between the company and branch FBvpn.
3. Implement EZVPN between the company and branch FBezvpn, using the hardware client configuration.
4. Implement a clientless SSL VPN between branch FBvpn and the remote client webvpnclient.
5. Submit a project report that includes the following sections.

Project description

Project implementation process

From the project requirements, the configuration process is as follows.

IPSec VPN configuration on ZBVPN:

Step 1: Network connectivity configuration
Step 2: Interesting traffic configuration
Step 3: ISAKMP policy configuration, using a pre-shared key for authentication
Step 4: Create the keyring
Step 5: Create the ISAKMP/IKE profile
Step 6: Configure the transform set
Step 7: Configure the dynamic crypto map
    1. Create the dynamic crypto map
    2. Use the dynamic crypto map
Step 8: Apply to the node

EZVPN configuration:

Step 1: Network connectivity configuration
Step 2: IKE phase 1 policy (note that the DH group must be configured as 2)
Step 3: Phase 1.5 configuration
    1. Define the XAUTH authentication policy, named xauth-authen, which authenticates against the "local" user database
    2. Define the MODE-CFG authorization policy, named mcfg-author, which authorizes using the local configuration policy
    3. User name and password for XAUTH authentication
    4. Define the address pool pushed to clients, named vpnclient
Step 4: Phase 2 transform set and dynamic map configuration
Step 5: Phase 2 crypto map configuration
Step 6: Apply to the node
Step 7: Configure VPN hardware client mode
Step 8: Manually trigger the EzVPN connection

SSL VPN configuration between branch FBvpn and the remote client webvpnclient:

Step 1: Network connectivity configuration
Step 2: Configure AAA authentication
Step 3: Create the SSL VPN gateway
Step 4: Create the SSL VPN context
Step 5: Configure the SSL VPN user interface
Step 6: Configure the SSL VPN group policy
Step 7: Configure the web service on the HTTPROUTER router
Step 8: Configure the VPN remote access client C0

Project configuration commands

Headquarters IPsec VPN configuration:

    ZBvpn#show run
    Building configuration.
    Current configuration : 1668 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname ZBvpn
    boot-start-marker
    boot-end-marker
    no aaa new-model
    ip cef
    no ip domain lookup
    multilink bundle-name authenticated
    crypto keyring hngy
     pre-shared-key address 0.0.0.0 0.0.0.0 key hngy
    crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp profile hngy
     keyring hngy
     match identity address 0.0.0.0
     initiate mode aggressive
    crypto ipsec transform-set hngy esp-3des esp-md5-hmac
    crypto dynamic-map hngy 10
     set transform-set hngy
     set isakmp-profile hngy
     match address 100
    crypto map hngy 1000 ipsec-isakmp dynamic hngy
    interface Loopback0
     ip address 1.1.1.1 255.255.255.0
    interface Ethernet0/0
     no ip address
     shutdown
     duplex auto
    interface GigabitEthernet0/0
     no ip address
     shutdown
     duplex full
     speed 1000
     media-type gbic
     negotiation auto
    interface Serial1/0
     no ip address
     shutdown
     serial restart-delay 0
    interface Serial1/1
     ip address 202.1.1.2 255.255.255.0
     serial restart-delay 0
     crypto map hngy
    interface Serial1/2
     no ip address
     shutdown
     serial restart-delay 0
    interface Serial1/3
     no ip address
     shutdown
     serial restart-delay 0
    ip route 0.0.0.0 0.0.0.0 202.1.1.1
    no ip http server
    no ip http secure-server
    logging alarm informational
    access-list 100 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
    control-plane
    gatekeeper
     shutdown
    line con 0
     exec-timeout 0 0
     logging synchronous
     stopbits 1
    line aux 0
     stopbits 1
    line vty 0 4
    end

Headquarters EZVPN configuration:

    ZBvpn#show run
    Building configuration.
    Current configuration : 2754 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname ZBvpn
    boot-start-marker
    boot-end-marker
    aaa new-model
    aaa authentication login xauth-authen local
    aaa authorization network mcfg-author local
    aaa session-id common
    ip cef
    no ip domain lookup
    multilink bundle-name authenticated
    username cisco password 0 cisco
    crypto keyring hngy
     pre-shared-key address 0.0.0.0 0.0.0.0 key hngy
    crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp policy 11
     hash md5
     authentication pre-share
     group 2
    crypto isakmp client configuration group hngy
     key hngy
     pool hngy
    crypto isakmp client configuration group vpnclient
     key hngy
     pool vpnclient
     acl Split
     save-password
    crypto isakmp profile hngy
     keyring hngy
     match identity address 0.0.0.0
     initiate mode aggressive
    crypto ipsec transform-set hngy esp-des esp-md5-hmac
    crypto ipsec transform-set ezvpn esp-des esp-md5-hmac
    crypto dynamic-map ezvpn 11
     set transform-set ezvpn
    crypto dynamic-map hngy 10
     set transform-set hngy
     set isakmp-profile hngy
     match address 100
    crypto map ezvpn client authentication list xauth-authen
    crypto map ezvpn isakmp authorization list mcfg-author
    crypto map ezvpn client configuration address respond
    crypto map ezvpn 10 ipsec-isakmp dynamic hngy
    crypto map ezvpn 11 ipsec-isakmp dynamic ezvpn
    crypto map hngy client authentication list xauth-authen
    crypto map hngy isakmp authorization list mcfg-author
    crypto map hngy client configuration address respond
    crypto map hngy 1000 ipsec-isakmp dynamic hngy
    interface Loopback0
     ip address 1.1.1.1 255.255.255.0
    interface Ethernet0/0
     no ip address
     shutdown
     duplex auto
    interface GigabitEthernet0/0
     no ip address
     shutdown
     duplex full
     speed 1000
     media-type gbic
     negotiation auto
    interface Serial1/0
     no ip address
     shutdown
     serial restart-delay 0
    interface Serial1/1
     ip address 202.1.1.2 255.255.255.0
     serial restart-delay 0
     crypto map ezvpn
    interface Serial1/2
     no ip address
     shutdown
     serial restart-delay 0
    interface Serial1/3
     no ip address
     shutdown
     serial restart-delay 0
    ip local pool hngy 123.1.1.100 123.1.1.200
    ip local pool vpnclient 123.1.2.100 123.1.2.200
    ip route 0.0.0.0 0.0.0.0 202.1.1.1
    no ip http server
    no ip http secure-server
    ip access-list extended Split
     permit ip 1.1.1.0 0.0.0.255 any
    logging alarm informational
    access-list 100 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
    control-plane
    gatekeeper
     shutdown
    line con 0
     exec-timeout 0 0
     logging synchronous
     stopbits 1
    line aux 0
     stopbits 1
    line vty 0 4
    end

Branch VPN configuration:

    FBvpn#show run
    Building configuration.
    Current configuration : 4018 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname FBvpn
    boot-start-marker
    boot-end-marker
    aaa new-model
    aaa authentication login Webvpn local
    aaa session-id common
    ip cef
    no ip domain lookup
    multilink bundle-name authenticated
    crypto pki trustpoint TP-self-signed-4279256517
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-4279256517
     revocation-check none
     rsakeypair TP-self-signed-4279256517
    crypto pki certificate chain TP-self-signed-4279256517
     certificate self-signed 01
      quit
    username cisco privilege 15 secret 5 $1$4RO1$Fvf5nEHzF/kx8e5lTw0Se1
    username hngy privilege 15 password 0 hngy
    crypto keyring hngy
     pre-shared-key address 202.1.1.2 key hngy
    crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp profile hngy
     keyring hngy
     match identity address 202.1.1.2 255.255.255.255
     initiate mode aggressive
    crypto ipsec transform-set hngy esp-3des esp-md5-hmac
    crypto map hngy 10 ipsec-isakmp
     set peer 202.1.1.2
     set transform-set hngy
     set isakmp-profile hngy
     match address 100
    interface Loopback0
     ip address 2.2.2.2 255.255.255.0
    interface Ethernet0/0
     no ip address
     shutdown
     duplex auto
    interface GigabitEthernet0/0
     no ip address
     shutdown
     duplex full
     speed 1000
     media-type gbic
     negotiation auto
    interface Serial1/0
     no ip address
     shutdown
     serial restart-delay 0
    interface Serial1/1
     no ip address
     shutdown
     serial restart-delay 0
    interface Serial1/2
     ip address 202.2.2.2 255.255.255.0
     serial restart-delay 0
     crypto map hngy
    interface Serial1/3
     no ip address
     shutdown
     serial restart-delay 0
    ip route 0.0.0.0 0.0.0.0 202.2.2.1
    ip http server
    ip http authentication local
    no ip http secure-server
    logging alarm informational
    access-list 100 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
    control-plane
    gatekeeper
     shutdown
    line con 0
     exec-timeout 0 0
     logging synchronous
     stopbits 1
    line aux 0
     stopbits 1
    line vty 0 4
     login authentication Webvpn
    line vty 5 15
     login authentication Webvpn
    webvpn gateway hngy
     ip address 202.2.2.2 port 443
     ssl trustpoint TP-self-signed-4279256517
     inservice
    webvpn context Webvpn_context
     title "SSL VPN Service"
     ssl authenticate verify all
     url-list "Webvpn"
       heading "SSLVPN"
       url-text "HTTPROUTER" url-value "http:/2.2.2.2"
     login-message "welcome to webvpn"
     policy group Webvpn
       url-list "Webvpn"
     default-group-policy Webvpn
     aaa authentication list Webvpn
     gateway hngy
     inservice
    end

Project test results

Project reflections

In this comprehensive project lab, through persistent effort we sorted out our thinking bit by bit, worked out the steps, and then carefully entered the commands to do the configuration. We failed along the way, but we kept finding where the problems were and correcting them, and the moment the tests passed was truly exciting. Overall it felt somewhat strenuous, but this kind of comprehensive configuration was also good practice for our abilities in every respect.
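An added example, not part of the original report: a short Python check that walks a running-config like the ones above and flags the weak settings they contain (plaintext and wildcard secrets, aggressive mode, DES/3DES, MD5, small DH groups). The rule names and the `audit` function are invented for this illustration, the sample is a constructed excerpt of the headquarters EZVPN configuration, and the DEFAULT-DES rule assumes the IOS 12.4 behaviour that a policy shown without an `encr` line is using the DES default.

```python
import re

# Constructed excerpt (some lines omitted) of the ZBvpn EZVPN config above.
SAMPLE = """\
username cisco password 0 cisco
crypto keyring hngy
 pre-shared-key address 0.0.0.0 0.0.0.0 key hngy
crypto isakmp policy 10
 encr 3des
 hash md5
 group 2
crypto isakmp policy 11
 hash md5
 group 2
crypto isakmp profile hngy
 initiate mode aggressive
crypto ipsec transform-set ezvpn esp-des esp-md5-hmac
"""

# Hypothetical rule id -> (regex for one stripped config line, why it matters)
RULES = {
    "PLAINTEXT-PASSWORD": (r"^username \S+ (privilege \d+ )?password 0 ", "type 0 password"),
    "WILDCARD-PSK": (r"^pre-shared-key address 0\.0\.0\.0 0\.0\.0\.0 ", "key valid for any peer"),
    "AGGRESSIVE-MODE": (r"^initiate mode aggressive$", "PSK hash open to offline guessing"),
    "WEAK-ESP": (r"^crypto ipsec transform-set \S+ .*\besp-(des|3des|md5-hmac)\b", "DES/3DES/MD5"),
    "WEAK-IKE-ENCR": (r"^encr (des|3des)$", "DES/3DES in IKE phase 1"),
    "WEAK-IKE-HASH": (r"^hash md5$", "MD5 in IKE phase 1"),
    "WEAK-DH": (r"^group (1|2|5)$", "DH group of 1536 bits or less"),
}

def audit(config):
    """Return sorted (rule id, section header) pairs for weak settings."""
    findings, section, has_encr = set(), "", {}
    for raw in config.splitlines():
        line = raw.strip()
        if line and not raw[0].isspace():     # top-level line opens a section
            section = line
            if line.startswith("crypto isakmp policy "):
                has_encr[section] = False
        elif line.startswith("encr ") and section in has_encr:
            has_encr[section] = True
        for rule, (pattern, _why) in RULES.items():
            if re.search(pattern, line):
                findings.add((rule, section))
    # Assumption: show run omits defaults; a 12.4 policy with no encr uses DES
    findings |= {("DEFAULT-DES", s) for s, ok in has_encr.items() if not ok}
    return sorted(findings)

print(*audit(SAMPLE), sep="\n")
```

Policy 11 is reported twice over: its visible `hash md5` and `group 2` lines match rules directly, and the missing `encr` line is what triggers DEFAULT-DES.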
