EZVPN with CA Authentication on an 890 Router


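I ran an Easy VPN lab with the configuration below, and it has been verified to work. The client is an 891 router running version 12.4; the VPN server is an ASA running version 8.1.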

aaa authentication login rtr-remote local
aaa authorization network rtr-remote local

clock timezone HKST 8  // the clock must be correct

crypto pki trustpoint testca  // certificate name
enrollment mode ra
enrollment url http://1.1.1.1:80/certsrv/mscep/mscep.dll  // online enrollment with the CA
revocation-check none
rsakeypair test.domain.com  // key pair; the hostname is test and the domain name is domain.com; a size of 1024 is best

crypto pki certificate chain testca
ip domain name domain.com

username user privilege 15 password 0 passwd

crypto isakmp policy 1  // must match the server
encr aes 256
group 2
crypto isakmp keepalive 100
!
crypto isakmp client configuration group testgroup
key 123
domain domain.com
crypto isakmp profile pro  // ISAKMP profile
ca trust-point testca  // specify the certificate
match identity group testgroup 
client configuration address respond
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set set1 esp-aes 256 esp-sha-hmac  // corresponds to the policy

crypto ipsec client ezvpn ezvpn
connect auto
mode network-extension
peer 10.10.10.10  // VPN server address
xauth userid mode interactive
!
!
crypto dynamic-map dymap 1
set transform-set set1
set isakmp-profile pro
reverse-route
!
!
crypto map mymap isakmp authorization list rtr-remote
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dymap

interface Loopback0
description inside
ip address 192.168.1.1 255.255.255.0
crypto ipsec client ezvpn ezvpn inside  // the inside interface must be specified, and it must be up/up

interface GigabitEthernet0  // outside interface
ip address dhcp
duplex auto
speed auto
crypto map mymap
crypto ipsec client ezvpn ezvpn
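
A small audit of the configuration above, added here as an example and not part of the original post: it flags four settings in that configuration that weaken peer authentication or leave secrets readable in the stored configuration. The `RULES` table, the `audit` function and the sample excerpt are this example's own constructions.

```python
import re

# Constructed excerpt: security-relevant lines copied from the configuration
# above, unindented and with // annotations as on the page.
SAMPLE_CONFIG = """\
crypto pki trustpoint testca  // certificate name
enrollment mode ra
revocation-check none
username user privilege 15 password 0 passwd
crypto isakmp policy 1  // must match the server
encr aes 256
group 2
!
crypto isakmp client configuration group testgroup
key 123
"""

# (parent-command regex or None for a global command, line regex, finding).
# The rule set is this example's assumption, not a Cisco tool.
RULES = [
    (r"crypto pki trustpoint \S+", r"revocation-check none",
     "revocation checking is off; a revoked peer certificate is still accepted"),
    (None, r"username \S+ .*password 0 \S+",
     "local account password is stored in cleartext (type 0)"),
    (r"crypto isakmp policy \d+", r"group (1|2|5)",
     "IKE Diffie-Hellman group is smaller than 2048 bits"),
    (r"crypto isakmp client configuration group \S+", r"key (0 )?\S+",
     "Easy VPN group key is stored in cleartext"),
]

def audit(config):
    """Return (line_number, command, finding) for each weak setting."""
    findings, parent = [], ""
    for number, raw in enumerate(config.splitlines(), 1):
        line = re.split(r"\s+//", raw)[0].strip()  # drop // annotations
        if line == "!":
            parent = ""          # "!" ends the current sub-mode
        if line.startswith("crypto "):
            parent = line        # sub-commands on the page are unindented
        for section, pattern, finding in RULES:
            if section and not re.fullmatch(section, parent):
                continue
            if re.fullmatch(pattern, line):
                findings.append((number, line, finding))
    return findings

if __name__ == "__main__":
    for number, line, finding in audit(SAMPLE_CONFIG):
        print(f"line {number}: {line} -> {finding}")
```

Any change to the ISAKMP policy has to be mirrored on the ASA, since the policy must match the server.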

 

From http://blog.sina.com.cn/s/blog_5e4115b501013foj.html

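Article from: CCIE那點事 http://www.qdxgqk.live/. All rights reserved. Unless a source is noted, articles on this site are the author's original work and may be quoted freely with attribution. Reproduction in full is prohibited.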