890 router EZVPN + CA authentication


I ran an Easy VPN lab; the configuration is below and has been verified to work. The client is an 891 router running 12.4, and the VPN server is an ASA running 8.1.

! AAA: local user database for XAUTH login and for group (mode-config) authorization
aaa authentication login rtr-remote local
aaa authorization network rtr-remote local
!
! The clock must be correct: the CA certificate and the router's own
! certificate are checked against their validity period.
clock timezone HKST 8
!
! Trustpoint; the name is local to this router
crypto pki trustpoint testca
! Enroll through a registration authority (the Microsoft SCEP front end)
 enrollment mode ra
! Online enrollment URL of the CA (Microsoft mscep endpoint)
 enrollment url http://1.1.1.1:80/certsrv/mscep/mscep.dll
! No CRL/OCSP check: a revoked peer certificate is still accepted.
! The original lab leaves it off; use "revocation-check crl" in production.
 revocation-check none
! Label of the RSA key pair. The label is only a name (hostname test plus
! domain domain.com here), not the subject of the certificate. The original
! suggests 1024 bits; generate the pair with a 2048-bit modulus instead.
 rsakeypair test.domain.com
!
! Filled with the CA and router certificates once enrollment has completed
crypto pki certificate chain testca
!
! A domain name must exist before the RSA key pair can be generated
ip domain name domain.com
!
! XAUTH user. "password 0" stores the password in clear text in the config;
! prefer "username user privilege 15 secret <password>".
username user privilege 15 password 0 passwd
!
! IKE phase 1 policy; must match the server. There is no "authentication"
! line, so the default rsa-sig (certificate) authentication applies, which is
! what the CA setup needs. Group 2 (1024-bit DH) is kept from the original
! lab; a stronger group should be used where the server supports it.
crypto isakmp policy 1
 encr aes 256
 group 2
! Dead peer detection every 100 seconds
crypto isakmp keepalive 100
!
! Server-side group definition. "key" is the group pre-shared key and only
! applies to clients that authenticate with a pre-shared key, not to
! certificate-authenticated peers.
crypto isakmp client configuration group testgroup
 key 123
 domain domain.com
! ISAKMP profile binding the trustpoint to the group. With certificate
! authentication, the OU of the peer certificate must equal the group name.
crypto isakmp profile pro
 ca trust-point testca
 match identity group testgroup
 client configuration address respond
!
crypto ipsec security-association lifetime seconds 86400
!
! Phase 2 transform set, matching the phase 1 cipher and hash choice
crypto ipsec transform-set set1 esp-aes 256 esp-sha-hmac
!
! EZVPN client profile
crypto ipsec client ezvpn ezvpn
 connect auto
 mode network-extension
! VPN server address
 peer 10.10.10.10
! Prompt on the console for the XAUTH username and password
 xauth userid mode interactive
!
! Server side: dynamic crypto map that the EZVPN clients are matched against.
! reverse-route injects a route to the client's network when the SA comes up.
crypto dynamic-map dymap 1
 set transform-set set1
 set isakmp-profile pro
 reverse-route
!
crypto map mymap isakmp authorization list rtr-remote
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dymap
!
! Inside interface: must be specified and must be up/up
interface Loopback0
 description inside
 ip address 192.168.1.1 255.255.255.0
 crypto ipsec client ezvpn ezvpn inside
!
! Outside interface: carries both the crypto map (server role) and the
! EZVPN client profile (client role)
interface GigabitEthernet0
 ip address dhcp
 duplex auto
 speed auto
 crypto map mymap
 crypto ipsec client ezvpn ezvpn
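The running configuration above does not show the one-time steps that produce the certificates listed under crypto pki certificate chain testca, nor how to check that the tunnel came up. The exec-mode sequence below is an added example and is not part of the original post: the date is a placeholder, the SCEP challenge password is assumed to be obtained from the CA administrator, and the key pair is generated with 2048 bits rather than the 1024 bits the original suggests.

```ios
! Added example: set the clock, generate the key pair, authenticate and
! enroll the trustpoint, then verify the tunnel. Exec mode unless noted.
! The date is a placeholder (assumption); use NTP where available.
clock set 10:00:00 1 Jan 2013
!
configure terminal
! The label must match "rsakeypair test.domain.com" in the trustpoint
 crypto key generate rsa general-keys label test.domain.com modulus 2048
! Fetch the CA certificate over SCEP; compare the fingerprint the router
! prints with the one published by the CA before answering "yes"
 crypto pki authenticate testca
! Request the router certificate; the router prompts for the SCEP
! challenge password (assumed to come from the CA administrator)
 crypto pki enroll testca
end
!
! Verify that the CA certificate and the router certificate are present
show crypto pki certificates
show crypto pki trustpoints
! Phase 1: expect state QM_IDLE for peer 10.10.10.10
show crypto isakmp sa
! Phase 2: the encaps/decaps counters should increase as traffic flows
show crypto ipsec sa
! EZVPN client state: expect "Current State: IPSEC_ACTIVE"
show crypto ipsec client ezvpn
! If enrollment fails, watch the SCEP exchange
debug crypto pki transactions
```

If "crypto pki authenticate testca" cannot reach the enrollment URL, fix connectivity to 1.1.1.1 first; if the certificate is issued but phase 1 fails with an invalid-certificate error, check the clock and the validity period with "show crypto pki certificates" before touching the ISAKMP policy.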


From http://blog.sina.com.cn/s/blog_5e4115b501013foj.html

Article from CCIE那点事 http://www.jdccie.com/, all rights reserved. Unless a source is noted, articles on this site are the author's own work and may be quoted freely with attribution; full reposting is prohibited.
Permalink: http://www.jdccie.com/?p=3461 (please credit CCIE那点事 when reposting)