890 Router EZVPN + CA Authentication


I ran an Easy VPN lab with the configuration below; it has been verified to work. The client is an 891 router running IOS 12.4, and the VPN server is an ASA running 8.1.

aaa authentication login rtr-remote local
aaa authorization network rtr-remote local

clock timezone HKST 8  //the clock must be correct for certificate validation

crypto pki trustpoint testca  //trustpoint (certificate) name
enrollment mode ra
enrollment url http://1.1.1.1:80/certsrv/mscep/mscep.dll //online enrollment with the CA via SCEP
revocation-check none
rsakeypair test.domain.com  //key pair; hostname is test, domain is domain.com, size preferably 1024

crypto pki certificate chain testca
ip domain name domain.com

username user privilege 15 password 0 passwd

crypto isakmp policy 1  //must match the server
encr aes 256
group 2
crypto isakmp keepalive 100
!
crypto isakmp client configuration group testgroup
key 123
domain domain.com
crypto isakmp profile pro  //ISAKMP profile
ca trust-point testca  //bind the trustpoint certificate
match identity group testgroup
client configuration address respond
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set set1 esp-aes 256 esp-sha-hmac  //corresponds to the ISAKMP policy

crypto ipsec client ezvpn ezvpn
connect auto
mode network-extension
peer 10.10.10.10  //VPN server address
xauth userid mode interactive
!
!
crypto dynamic-map dymap 1
set transform-set set1
set isakmp-profile pro
reverse-route
!
!
crypto map mymap isakmp authorization list rtr-remote
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dymap

interface Loopback0
description inside
ip address 192.168.1.1 255.255.255.0
crypto ipsec client ezvpn ezvpn inside  //the inside interface must be specified and must be up/up

interface GigabitEthernet0  //outside interface
ip address dhcp
duplex auto
speed auto
crypto map mymap
crypto ipsec client ezvpn ezvpn
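Added here as an illustration, not part of the original post: a small Python check that reads an IOS configuration in the form above and flags the settings a reviewer would question in it, namely `revocation-check none` on the trustpoint (the CA signature is verified, but a revoked client certificate is still accepted), the type-0 plaintext `username` password, DH group 2 in the ISAKMP policy, and the short EZVPN group key. The weak sample is constructed from this page's values; the hardened counterpart and its secrets are placeholders.

```python
# Constructed samples: the weak lines from this page's configuration, and a
# hardened counterpart (the secret and group key are placeholders).
WEAK_CONFIG = """\
crypto pki trustpoint testca
 revocation-check none
username user privilege 15 password 0 passwd
crypto isakmp policy 1
 group 2
crypto isakmp client configuration group testgroup
 key 123
"""
HARDENED_CONFIG = """\
crypto pki trustpoint testca
 revocation-check crl
username user privilege 15 secret PLACEHOLDER-PASSWORD
crypto isakmp policy 1
 group 14
crypto isakmp client configuration group testgroup
 key PLACEHOLDER-LONG-RANDOM-GROUP-KEY
"""

def parse_blocks(config):
    """Group indented sub-commands under their top-level IOS command."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def audit(config):
    """Return (severity, finding) tuples for weak settings in an IOS config."""
    findings = []
    for header, subs in parse_blocks(config):
        if header.startswith("crypto pki trustpoint") and "revocation-check none" in subs:
            findings.append(("high", f"{header}: revocation-check none skips CRL/OCSP, "
                             "so a revoked client certificate is still accepted"))
        elif header.startswith("username") and " password 0 " in header:
            findings.append(("high", f"{header.split()[1]}: type-0 plaintext password; use 'secret'"))
        elif header.startswith("crypto isakmp policy"):
            findings += [("medium", f"{header}: DH {s} is too small; use group 14 or higher")
                         for s in subs if s in ("group 1", "group 2", "group 5")]
        elif header.startswith("crypto isakmp client configuration group"):
            findings += [("high", f"{header}: group key is only {len(s.split(None, 1)[1])} characters")
                         for s in subs if s.startswith("key ") and len(s.split(None, 1)[1]) < 16]
    return findings
```

Running `audit(WEAK_CONFIG)` yields four findings (three high, one medium); the hardened counterpart yields none.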

Source: http://blog.sina.com.cn/s/blog_5e4115b501013foj.html