
I. Cisco PIX 535 configuration:
PIX Version 6.2(2)
nameif ethernet0 JieRuWang security100
nameif ethernet1 vpngwy security50
nameif ethernet2 chukou security0
enable password
passwd
hostname CiscoPix535
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
no fixup protocol skinny 2000
names
access-list VPN permit tcp any host 221.217.151.69
access-list VPN permit udp any host 221.217.151.69
access-list VPN permit tcp host 221.217.151.69 any
access-list VPN permit udp host 221.217.151.69 any
pager lines 24
logging queue 0
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu JieRuWang 1500
mtu vpngwy 1500
mtu chukou 1500
ip address JieRuWang 192.168.1.1 255.255.255.0
ip address vpngwy 192.168.10.1 255.255.255.0
ip address chukou 218.106.202.6 255.255.255.252
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address JieRuWang 0.0.0.0
failover ip address vpngwy 0.0.0.0
failover ip address chukou 0.0.0.0
pdm history enable
arp timeout 14400
global (chukou) 1 221.217.151.70
nat (JieRuWang) 1 10.89.0.0 255.255.0.0 0 0
static (vpngwy,chukou) 221.217.151.69 192.168.10.2 netmask 255.255.255.255 0 0
access-group VPN in interface chukou
conduit permit icmp any any
route chukou 0.0.0.0 0.0.0.0 218.106.202.5 1
route JieRuWang 10.89.0.0 255.255.0.0 192.168.1.2 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
snmp-server host inside 10.90.55.24
snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:
: end

II. Enterasys (凯创) VPN gateway configuration
XSR-3150(config)#show run

!PLATFORM
! CLI version 1.5
! XSR-3150
! Software:
! Version 7.5.0.0, Built Jul 28 2004, 19:01:07
!
logging timestamp UTC

!NETWORK MANAGEMENT
username admin privilege 15 "password is not displayed"

!ACCESS-LIST
access-list 110 permit ip any 192.168.1.0 0.0.0.255
access-list 120 permit tcp any any eq 1723
access-list 120 permit tcp any eq 1723 any
access-list 120 permit udp any any eq 1701
access-list 120 permit udp any any eq 500
access-list 120 permit udp any eq 1701 any
access-list 120 permit udp any eq 500 any
access-list 120 permit ip any any
access-list 120 permit gre any any
access-list 120 permit ah any any
access-list 130 permit ip any 172.16.1.0 0.0.0.255
access-list 130 permit tcp any any eq 1723
access-list 130 permit tcp any any eq 23
access-list 130 permit udp any eq 500 any
access-list 130 permit udp any any eq 500
access-list 130 permit ip any 172.16.10.0 0.0.0.255
access-list 130 deny ip any any

!IP LOCAL POOLS
!
ip local pool vpnpool 192.168.1.0 255.255.255.0

!IKE
crypto isakmp proposal p2p
 authentication pre-share
 lifetime 50000

crypto isakmp proposal xp-soho
 hash md5
 lifetime 50000

crypto isakmp peer 0.0.0.0 0.0.0.0
 proposal xp-soho p2p
 config-mode gateway
 nat-traversal automatic

!IPSEC
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
 set security-association lifetime kilobytes 10000

crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
 no set security-association lifetime kilobytes

crypto map test 30
 set transform-set esp-3des-sha
 match address 130

crypto map test 20
 set transform-set esp-3des-md5
 match address 120
 mode transport
 set security-association level per-host

crypto map test 10
 set transform-set esp-3des-sha
 match address 110

!INTERFACE AND SUB-INTERFACE
interface GigabitEthernet 1
 crypto map test
 ip address 192.168.10.2 255.255.255.248
 no shutdown

interface GigabitEthernet 2
 ip address 172.16.10.1 255.255.255.248
 no shutdown

interface Vpn1 multi-point
 ip multicast-redirect tunnel-endpoint
 ip address 192.168.1.1 255.255.255.0

!IP
crypto ipsec df-bit clear
ip route 0.0.0.0 0.0.0.0 192.168.10.1

!SNMP
snmp-server disable

!AAA
!
aaa group DEFAULT
 dns server primary 0.0.0.0
 dns server secondary 0.0.0.0
 wins server primary 0.0.0.0
 wins server secondary 0.0.0.0
 ip pool vpnpool
 pptp encrypt mppe 128
 policy vpn
!
aaa method local
 qtimeout 0

!
aaa method radius MSradius default
 enable
 group DEFAULT
 address ip-address 172.16.10.2
 nas_ip_address 0.0.0.0
 key 163
 auth-port 1812
 acct-port 1813
 attempts 2
 retransmit 2
 timeout 5
 qtimeout 0

III. Current situation
1. Whether VPNGWY is placed inside or outside the PIX, clients connecting with the hardware client can establish an IPsec tunnel to the gateway.
2. With VPNGWY inside the PIX as above, clients using the MS software client always stay at "verifying username and password" and then time out.
While the client is connecting to VPNGWY and the username and password are being verified, running SHOW TUNNEL on VPNGWY shows the following:

ID        Creation Time        Proto   Username
          Peer IP              Packets In/Out

40000001  11/01/2004, 22:50    IPSEC   xsruser      (this entry is from the hardware client connection)
          192.168.1.2          0000045378/0000045379
40000001  11/08/2004, 12:50    PPTP                 (this entry is from the software client connecting)
          0.0.0.0              0000000000/0000000000

At this point there are no authentication records at all in the RADIUS log.
3. If VPNGWY is placed directly on the public network, not behind the PIX, the MS software client can establish the VPN connection.
4.

IV. Where I suspect the problem lies:
Judging from SHOW TUNNEL and from the client always staying in the "verifying username" state, it feels like RADIUS authentication is not passing, but I don't know what is causing it. Could someone familiar with VPN and PIX please take a look?
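An added check on the posted PIX access-list, written for this thread; it is not part of the original post and not Cisco or Enterasys code. The four ACEs of access-list VPN admit only tcp and udp toward the static address 221.217.151.69. PPTP uses two channels: a TCP 1723 control connection, and a GRE tunnel (IP protocol 47) that carries the PPP session, including the LCP/CHAP exchange in which the username and password are checked and which is what the RADIUS server would see. The XSR's own access-list 120 already permits gre. The script below parses the VPN ACEs as posted, evaluates the flows a PPTP client and an IPsec client send inbound on chukou under PIX first-match and implicit-deny semantics, and prints the ACE that would be needed for the flows it drops. The client address 203.0.113.10 is a constructed sample, and the flow list is my assumption about what the two client types send.

```python
"""Evaluate a PIX 6.x-style access-list against the flows a VPN needs.

Added example for this thread, not part of the original post and not
Cisco or Enterasys code. It understands only the ACE shape used in the
PIX config above: permit/deny, protocol keyword or number, 'any' |
'host A' | 'A MASK' for source and destination, optional 'eq PORT'.
Matching follows PIX semantics: first matching ACE wins, implicit deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IANA protocol numbers for the keywords PIX accepts in an ACE.
PROTO_NUM = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51}

# Assumed flows from a remote client toward the gateway (port None: no ports).
PPTP_FLOWS = [("PPTP control", "tcp", 1723), ("PPTP data (GRE)", "gre", None)]
IPSEC_FLOWS = [("IKE", "udp", 500), ("NAT-T", "udp", 4500), ("ESP", "esp", None)]

# The four ACEs from the posted PIX configuration (applied 'in' on chukou).
PIX_ACL = """\
access-list VPN permit tcp any host 221.217.151.69
access-list VPN permit udp any host 221.217.151.69
access-list VPN permit tcp host 221.217.151.69 any
access-list VPN permit udp host 221.217.151.69 any
"""
CLIENT, SERVER = "203.0.113.10", "221.217.151.69"   # CLIENT is a constructed sample


@dataclass(frozen=True)
class Ace:
    action: str
    proto: int                     # 0 == 'ip', matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]           # None: no 'eq' qualifier


def _addr(tokens):
    """Consume one PIX address spec; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(tokens[0] + "/" + tokens[1], strict=False), tokens[2:]


def parse_acl(config_text, name):
    """Collect the ACEs of access-list <name> in configuration order."""
    aces = []
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[1] != name:
            continue
        proto = PROTO_NUM[t[3]] if t[3] in PROTO_NUM else int(t[3])
        src, rest = _addr(t[4:])
        dst, rest = _addr(rest)
        dport = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
        aces.append(Ace(t[2], proto, src, dst, dport))
    return aces


def permits(aces, proto_name, src, dst, dport=None):
    """First matching ACE decides; no match means the implicit deny."""
    proto = PROTO_NUM[proto_name]
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a in aces:
        if a.proto not in (0, proto) or s not in a.src or d not in a.dst:
            continue
        if a.dport is not None and a.dport != dport:
            continue
        return a.action == "permit"
    return False


def check_flows(aces, flows, client, server):
    """Map each flow label to whether the ACL admits it client -> server."""
    return {label: permits(aces, p, client, server, port) for label, p, port in flows}


def missing_aces(aces, flows, acl_name, client, server):
    """PIX ACE lines that would admit the listed flows the ACL now drops."""
    lines = []
    for _label, p, port in flows:
        if permits(aces, p, client, server, port):
            continue
        suffix = " eq %d" % port if port is not None else ""
        lines.append("access-list %s permit %s any host %s%s" % (acl_name, p, server, suffix))
    return lines


def report():
    """Evaluate the posted ACL; returns (flow verdicts, ACEs PPTP still needs)."""
    aces = parse_acl(PIX_ACL, "VPN")
    verdicts = check_flows(aces, PPTP_FLOWS + IPSEC_FLOWS, CLIENT, SERVER)
    return verdicts, missing_aces(aces, PPTP_FLOWS, "VPN", CLIENT, SERVER)


if __name__ == "__main__":
    verdicts, fix = report()
    for label, ok in verdicts.items():
        print("%-16s %s" % (label, "permit" if ok else "DROP"))
    print("ACE lines needed for PPTP:", *fix, sep="\n  ")
```

Run as a script it prints the verdict per flow and the single line the PPTP data channel is missing, access-list VPN permit gre any host 221.217.151.69, which would go into the PIX with the other VPN ACEs. The return direction, gateway to client, leaves chukou from the higher-security side through the static and is not governed by this inbound list. Whether this is the whole story the post cannot tell; after adding the line, a SHOW TUNNEL whose PPTP entry still shows 0000000000/0000000000 packets would point elsewhere.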