mmght posted on 2009-11-16 21:56:56

A problem with IPsec VPN dial-in to a router. Topology and requirements added!

This post was last edited by mmght on 2009-11-17 16:42


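The simplest possible topology: dialing in from the Internet to the router with Cisco VPN Client. It does not succeed; with debug turned on, I can see that phase 1 authentication fails.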


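Requirement: dial in from the Internet with Cisco VPN Client to the company's edge router and access resources on the company's internal network.
Company internal subnet: 192.168.1.0/24
Assigned to VPN dial-in users: 192.168.2.0/24


show run is as follows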


hostname R2

aaa new-model
aaa authentication login tea-rz local
aaa authorization network tea-sq local
!
aaa session-id common
memory-size iomem 5   
ip cef
no ip domain lookup
!
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
!
crypto isakmp client configuration group cisco
key cisco
pool mypool
acl 101
!
!
crypto ipsec transform-set myset esp-aes esp-md5-hmac
!
crypto dynamic-map dymap 10
set transform-set myset
reverse-route
!
!
crypto map mymap client authentication list tea-rz
crypto map mymap isakmp authorization list tea-sq
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dymap
!
!         
!
!
interface FastEthernet0/0
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 1.1.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map mymap
!
ip local pool mypool 192.168.2.1 192.168.2.254
ip http server
no ip http secure-server
!
!
ip nat inside source list 100 interface FastEthernet1/0 overload
!
access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
!
end

Jeff. posted on 2009-11-17 12:47:24

It would be best to post the diagram and the requirements.

xzx1943 posted on 2009-11-17 17:12:27

Still hidden........

15980890429 posted on 2010-4-24 12:10:27

access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
That seems quite contradictory.

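tiq posted on 2010-5-13 12:00:47

When I watched Qin Ke's video, it said that configuring this kind of remote VPN requires Diffie-Hellman group 2, and that group 1 probably won't work. Looking at your policy, it should just be the default group 1.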
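
The point raised in the reply above, that a policy shown without a `group` line is running on the default DH group, can be checked mechanically against a saved `show run`. This Python sketch is an added example, not part of the thread; the defaults table assumes classic IOS 12.x behaviour (DES, SHA, RSA signatures, group 1), and the function names are hypothetical.

```python
import re

# Assumption: classic IOS 12.x defaults, which "show run" leaves out of its output.
IOS_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}

# Constructed sample: excerpt of the ISAKMP section posted at the top of the thread.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
!
crypto isakmp client configuration group cisco
key cisco
!
"""

def effective_isakmp_policies(config):
    """Return {priority: settings} with omitted keywords filled from IOS_DEFAULTS."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), dict(IOS_DEFAULTS))
            continue
        if current is None:
            continue
        # Sub-commands are indented in real output but flush-left in a forum paste,
        # so a policy block ends at "!" or at the next top-level command.
        if line == "!" or line.startswith(("crypto ", "interface ")):
            current = None
            continue
        words = line.split()
        if len(words) >= 2 and words[0] in ("encr", "encryption"):
            current["encr"] = " ".join(words[1:])
        elif len(words) >= 2 and words[0] in IOS_DEFAULTS:
            current[words[0]] = " ".join(words[1:])
    return policies

def policies_missing_group(config, required_group="2"):
    """Priorities whose effective DH group differs from the one the client needs."""
    return [prio for prio, p in sorted(effective_isakmp_policies(config).items())
            if p["group"] != required_group]

if __name__ == "__main__":
    for prio, settings in effective_isakmp_policies(SAMPLE_CONFIG).items():
        print(prio, settings)
    print("policies not on group 2:", policies_missing_group(SAMPLE_CONFIG))
```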