
I. Cisco PIX 535 configuration:
PIX Version 6.2(2)
nameif ethernet0 JieRuWang security100
nameif ethernet1 vpngwy security50
nameif ethernet2 chukou security0
enable password
passwd
hostname CiscoPix535
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
no fixup protocol skinny 2000
names
access-list VPN permit tcp any host 221.217.151.69
access-list VPN permit udp any host 221.217.151.69
access-list VPN permit tcp host 221.217.151.69 any
access-list VPN permit udp host 221.217.151.69 any
pager lines 24
logging queue 0
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu JieRuWang 1500
mtu vpngwy 1500
mtu chukou 1500
ip address JieRuWang 192.168.1.1 255.255.255.0
ip address vpngwy 192.168.10.1 255.255.255.0
ip address chukou 218.106.202.6 255.255.255.252
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address JieRuWang 0.0.0.0
failover ip address vpngwy 0.0.0.0
failover ip address chukou 0.0.0.0
pdm history enable
arp timeout 14400
global (chukou) 1 221.217.151.70
nat (JieRuWang) 1 10.89.0.0 255.255.0.0 0 0
static (vpngwy,chukou) 221.217.151.69 192.168.10.2 netmask 255.255.255.255 0 0
access-group VPN in interface chukou
conduit permit icmp any any
route chukou 0.0.0.0 0.0.0.0 218.106.202.5 1
route JieRuWang 10.89.0.0 255.255.0.0 192.168.1.2 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
snmp-server host inside 10.90.55.2
snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:
: end

II. Enterasys (凯创) VPN gateway configuration:
XSR-3150(config)#show run

!PLATFORM
! CLI version 1.5
! XSR-3150
! Software:
! Version 7.5.0.0, Built Jul 28 2004, 19:01:07
!
logging timestamp UTC

!NETWORK MANAGEMENT
username admin privilege 15 "password is not displayed"

!ACCESS-LIST
access-list 110 permit ip any 192.168.1.0 0.0.0.255
access-list 120 permit tcp any any eq 1723
access-list 120 permit tcp any eq 1723 any
access-list 120 permit udp any any eq 1701
access-list 120 permit udp any any eq 500
access-list 120 permit udp any eq 1701 any
access-list 120 permit udp any eq 500 any
access-list 120 permit ip any any
access-list 120 permit gre any any
access-list 120 permit ah any any
access-list 130 permit ip any 172.16.1.0 0.0.0.255
access-list 130 permit tcp any any eq 1723
access-list 130 permit tcp any any eq 23
access-list 130 permit udp any eq 500 any
access-list 130 permit udp any any eq 500
access-list 130 permit ip any 172.16.10.0 0.0.0.255
access-list 130 deny ip any any

!IP LOCAL POOLS
!
ip local pool vpnpool 192.168.1.0 255.255.255.0

!IKE
crypto isakmp proposal p2p
authentication pre-share
lifetime 50000

crypto isakmp proposal xp-soho
hash md5
lifetime 50000
crypto isakmp peer 0.0.0.0 0.0.0.0
proposal xp-soho p2p
config-mode gateway
nat-traversal automatic

!IPSEC
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
set security-association lifetime kilobytes 10000
crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
no set security-association lifetime kilobytes

crypto map test 30
set transform-set esp-3des-sha
match address 130

crypto map test 20
set transform-set esp-3des-md5
match address 120
mode transport
set security-association level per-host
crypto map test 10
set transform-set esp-3des-sha
match address 110

!INTERFACE AND SUB-INTERFACE
interface GigabitEthernet 1
crypto map test
ip address 192.168.10.2 255.255.255.248
no shutdown

interface GigabitEthernet 2
ip address 172.16.10.1 255.255.255.248
no shutdown

interface Vpn1 multi-point
ip multicast-redirect tunnel-endpoint
ip address 192.168.1.1 255.255.255.0
!IP
crypto ipsec df-bit clear
ip route 0.0.0.0 0.0.0.0 192.168.10.1

!SNMP
snmp-server disable

!AAA
!
aaa group DEFAULT
dns server primary 0.0.0.0
dns server secondary 0.0.0.0
wins server primary 0.0.0.0
wins server secondary 0.0.0.0
ip pool vpnpool
pptp encrypt mppe 128
policy vpn

!
aaa method local
qtimeout 0

!
aaa method radius MSradius default
enable
group DEFAULT
address ip-address 172.16.10.2
nas_ip_address 0.0.0.0
key 16
auth-port 1812
acct-port 1813
attempts 2
retransmit 2
timeout 5
qtimeout 0

III. Current situation
1. Whether VPNGWY is placed inside or outside the PIX, clients connecting by the hardware method can establish an IPsec tunnel with the gateway.
2. With VPNGWY placed inside the PIX as above, clients using the MS software method stay stuck at "verifying user name and password" and then time out.
While a client is connecting to VPNGWY and verifying the user name and password, the SHOW TUNNEL command on VPNGWY shows the following:
ID        Creation Time      Proto   Username
          Peer IP            Packets In/Out

40000001  11/01/2004, 22:50  IPSEC   xsruser   (this entry is from the hardware client connection)
          192.168.1.2        0000045378/0000045379
40000001  11/08/2004, 12:50  PPTP              (this one is from the software client connecting)
          0.0.0.0            0000000000/0000000000
At this point no authentication entries at all appear in the RADIUS log.
3. If VPNGWY is placed directly on the public network, not behind the PIX, clients using the MS software method can establish the VPN connection.
4.

IV. Where I suspect the problem lies:
From the SHOW TUNNEL output and the fact that the client always stays at the "verifying user name" state, it feels like RADIUS authentication is not passing, but I don't know what is causing this. Could someone familiar with VPN and PIX please take a look?
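An added check, not part of the original post: the script below parses access-list VPN from the PIX configuration above and reports, for each protocol a PPTP or IPsec client has to get through to the gateway's static public address (TCP 1723 plus GRE for PPTP, where GRE carries the PPP authentication exchange; UDP 500, UDP 4500, ESP and AH for IPsec), whether the list admits it. The client address 198.51.100.7 is a constructed placeholder; everything else comes from the posted config.

```python
import ipaddress
# Copied from the posted PIX 535 configuration: access-list VPN, applied inbound on chukou.
PIX_ACL = """
access-list VPN permit tcp any host 221.217.151.69
access-list VPN permit udp any host 221.217.151.69
access-list VPN permit tcp host 221.217.151.69 any
access-list VPN permit udp host 221.217.151.69 any
"""
PROTO_NUMBERS = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51}
# What each VPN flavour needs to reach the gateway: (protocol, destination port or None).
SERVICES = {"PPTP control (TCP 1723)": ("tcp", 1723), "PPTP data incl. PPP auth (GRE 47)": ("gre", None),
            "IKE (UDP 500)": ("udp", 500), "IPsec NAT-T (UDP 4500)": ("udp", 4500),
            "ESP (proto 50)": ("esp", None), "AH (proto 51)": ("ah", None)}

def parse_target(tokens):
    """Consume one PIX address spec ('any' | 'host A.B.C.D' | 'A.B.C.D MASK') from tokens."""
    kind = tokens.pop(0)
    if kind == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr = tokens.pop(0) if kind == "host" else kind
    mask = "255.255.255.255" if kind == "host" else tokens.pop(0)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_acl(text, name):
    """ACEs of one PIX 6.x access-list as (action, proto, src, dst, dport), in first-match order."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if t[:2] != ["access-list", name]:
            continue
        action, proto, rest = t[2], t[3], t[4:]
        src, dst = parse_target(rest), parse_target(rest)  # left-to-right, so src is consumed first
        aces.append((action, proto, src, dst, int(rest[1]) if rest[:1] == ["eq"] else None))
    return aces

def permitted(aces, proto, dport, src_ip, dst_ip):
    """First matching ACE decides; no match means the implicit deny at the end of the list."""
    want = PROTO_NUMBERS[proto]
    for action, ace_proto, src, dst, ace_port in aces:
        ace_num = int(ace_proto) if ace_proto.isdigit() else PROTO_NUMBERS.get(ace_proto, -1)
        if ace_num in (0, want) and src_ip in src and dst_ip in dst and ace_port in (None, dport):
            return action == "permit"
    return False

def audit(text, acl_name, client_ip, gateway_public_ip):
    """For each VPN service: can client_ip reach the gateway's static public address?"""
    aces = parse_acl(text, acl_name)
    src, dst = ipaddress.ip_address(client_ip), ipaddress.ip_address(gateway_public_ip)
    return {svc: permitted(aces, p, port, src, dst) for svc, (p, port) in SERVICES.items()}

RESULT = audit(PIX_ACL, "VPN", "198.51.100.7", "221.217.151.69")  # constructed client IP; static from the post
```

As posted, the list admits only TCP and UDP, so the PPTP control connection gets through but the GRE data channel does not, which is consistent with a PPTP tunnel entry showing 0 packets while RADIUS never receives a request.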