配置总流程图:
配置:
! Base identity and local credentials for the Easy VPN server example.
version 12.3
hostname 26_2
!
! "secret 5" is a salted MD5-based hash. Because this hash is published with
! the example, treat it as known: generate a fresh enable secret on any real
! device instead of pasting this line.
enable secret 5 $1$nGGG$pyIANu7.xaKKQXVPqq.Dh1
!
! Define the local user database (the "local" method in the AAA lists below
! checks VPN users against it).
! NOTE(review): "password 0" keeps the password in cleartext in the config, and
! the password equals the username. Lab-only values; for production prefer
! "username <name> secret <strong-password>" with a unique credential per user.
username cisco password 0 cisco
!
! Enable AAA (required before the aaa authentication/authorization lists below).
aaa new-model
!
--------------------------------------------------------------------------
! Xauth (extended user authentication) section.
! Method list "vpn-authen" authenticates against the local username database.
! NOTE(review): Xauth is the only per-user check layered on top of the shared
! group key, so its strength is that of the local accounts defined above.
aaa authentication login vpn-authen local
! Time allowed for the user to answer the Xauth prompt (seconds).
crypto isakmp xauth timeout 20
! Bind Xauth on crypto map "cisco" to the "vpn-authen" method list.
crypto map cisco client authentication list vpn-authen
!
--------------------------------------------------------------------------
! Group policy section.
! Method list "vpn-author" looks up the group policy locally on this router.
aaa authorization network vpn-author local
! Addresses handed to VPN clients: 10.2.1.10 - 10.2.1.20 (11 addresses).
! This range sits inside the FastEthernet0/0 subnet 10.2.1.0/24, so make sure
! LAN hosts/DHCP never use these addresses.
ip local pool vpn-pool 10.2.1.10 10.2.1.20
!
! Answer clients that request an address via mode configuration.
crypto map cisco client configuration address respond
! Group "mobile": group pre-shared key, DNS server, DNS domain and address pool
! pushed to clients that present this group name.
! NOTE(review): "key cisco" is a trivially guessable group key shared by every
! client in the group. Easy VPN with a group pre-shared key relies on IKE
! aggressive mode, where a weak key is open to offline guessing; use a long
! random key (or certificate authentication) outside the lab.
crypto isakmp client configuration group mobile
key cisco
dns 10.2.1.5
domain cisco.com
pool vpn-pool
!
! Bind group-policy lookup on crypto map "cisco" to the "vpn-author" list.
crypto map cisco isakmp authorization list vpn-author
!
--------------------------------------------------------------------------
! Create the ISAKMP (IKE phase 1) policy.
! Policy 10: 3DES encryption, pre-shared-key authentication, Diffie-Hellman
! group 2 (1024-bit MODP), SHA-1 hash.
! NOTE(review): 3DES and DH group 2 are legacy choices. Where the IOS image and
! the VPN clients support it, prefer AES and a larger DH group; confirm what
! this 12.3 image offers before changing.
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
hash sha
!
--------------------------------------------------------------------------
! Define the IPsec (phase 2) transform set: ESP with 3DES encryption and
! SHA-1 HMAC integrity.
! NOTE(review): same legacy-cipher caveat as the ISAKMP policy; an AES
! transform is preferable where supported.
crypto ipsec transform-set vpn-set esp-3des esp-sha-hmac
!
! Build the dynamic crypto map with RRI (reverse route injection).
! Entry 10 uses transform set "vpn-set"; "reverse-route" installs a route to
! each connected client's assigned address while its SA exists.
! NOTE(review): no "set pfs" is configured here, so phase 2 keys are derived
! without a fresh DH exchange - consider enabling PFS if clients support it.
crypto dynamic-map vpn-dyn 10
set transform-set vpn-set
reverse-route
!
--------------------------------------------------------------------------
! Apply the group policy and Xauth to the dynamic map.
! Entry 10 of crypto map "cisco" references dynamic map "vpn-dyn"; the Xauth
! and group-authorization lists are attached to the same map name "cisco" by
! the "crypto map cisco client ..." / "crypto map cisco isakmp ..." lines.
crypto map cisco 10 ipsec-isakmp dynamic vpn-dyn
!
--------------------------------------------------------------------------
! Inside (LAN) interface, 10.2.1.0/24. The VPN client pool (10.2.1.10-20) and
! the DNS server pushed to clients (10.2.1.5) are in this subnet.
! No crypto map is applied on this interface.
interface FastEthernet0/0
ip address 10.2.1.1 255.255.255.0
duplex auto
speed auto
!
--------------------------------------------------------------------------
! Apply the crypto map to the interface.
! Serial0/0 (17.1.1.2/24) carries crypto map "cisco" and is therefore where
! remote clients terminate their tunnels.
! NOTE(review): no inbound access list is shown on this interface. On an
! Internet-facing link, consider permitting only the traffic the VPN needs
! (IKE on UDP 500, ESP, and UDP 4500 if NAT traversal is used) - verify
! against the actual deployment.
interface Serial0/0
ip address 17.1.1.2 255.255.255.0
crypto map cisco
!
--------------------------------------------------------------------------
! Enable IKE DPD (dead peer detection) - optional.
! 20 = seconds between keepalives, 10 = seconds between retries after a miss.
! Lets the router notice clients that vanished without a clean disconnect, so
! their SAs (and presumably the routes added by reverse-route) are torn down.
crypto isakmp keepalive 20 10