Yeslab 现任明教教主: FlexVPN Server and Client (pre-shared-key and certificate authentication)

(2011-12-22 09:08:11)
Tags: Miscellaneous

Yeslab Security Lab 2012 New Year special offer

Yeslab Shanghai security TelePresence classroom recording

Yeslab Shanghai lab (photos)

1. Yeslab Security Lab celebrates 34 consecutive security CCIE passes. Right now, the place in the world closest to the IE is Yeslab Security Lab!

2. Shanghai Yeslab's new round of CCSP courses starts on December 26; the first two sessions are free to audit.

3. Shanghai Yeslab Security is now officially enrolling. The original course prices are listed below.

A. Security CCIE, original price ¥19800

--- The main courses are taught by 教主 (the author) over TelePresence; trial classes are welcome.

--- 教主 commits to coming to Shanghai once each round (about two months) to teach one course locally.

--- vSphere 5.x local course.

--- Includes the follow-on 教徒计划 and data-center courses (at least one course taught in Shanghai every two months).

B. Security CCIE sprint class (version only) ¥15800

C. Security CCSP ¥6800

D. In March, 10% off the original prices; the first 10 to enroll get 12% off.

This Sunday at 3 pm (2011.12.25), Beijing and Shanghai Yeslab jointly host 现任明教教主's "PKI in Plain Language" (《PKI通俗演义》), which explains how PKI (digital certificates) works in the simplest possible terms. Security students in Shanghai and Beijing are encouraged to follow this course; come to Yeslab Shanghai to audit it and experience TelePresence teaching for yourself.

Beijing Yeslab consulting QQ: 1960692353
Beijing QQ technical group: 67298191
Shanghai Yeslab consulting QQ: 2540198237
Shanghai QQ technical group: 199681046

I have recently found that many new features are only supported on ISR G2 routers, so to study the security features of IOS 15.1T and later I bought two 1921s. A fair number of posts on ISR G2 security features should follow; this one is just the start.

Cisco has supported IKEv2 IPsec VPN since ISR G2 and ASA 8.4. The ASA 8.4 configuration was covered in an earlier post; this one covers IKEv2 IPsec VPN on ISR G2. Cisco gave IKEv2 IPsec VPN on IOS a brand-new and rather catchy name, FlexVPN. It covers a lot of ground, and the configuration turns out to be completely different from what came before. Below is the third part of the FlexVPN series: the server and client configuration. This technology should eventually replace the traditional EzVPN and DMVPN, and because it is built on an open standard (IKEv2) interoperability will be good: Windows 7, for example, can dial in to a FlexVPN server with its built-in client and no additional software. This post covers only the FlexVPN hardware client; Windows 7 dial-in will be covered in a later part.

Lab 1: pre-shared-key authentication + local AAA

Both routers identify each other by static IP address (match identity remote address) and use the same key string in both directions, so this pairing only works for peers with fixed addresses. The transform set uses 3DES, which is legacy and should be replaced with AES and a SHA-2 HMAC outside a lab.

hostname Yeslab-CA
!
aaa new-model
!
aaa authentication login noacs line none
! Local authorization list consulted by the IKEv2 profile for the group policy below
aaa authorization network Yeslab-Local-Group-Author-List local
!
! Attributes pushed to the client in the IKEv2 configuration exchange
crypto ikev2 authorization policy Yeslab-IKEv2-Author-Policy
 pool ippool
 dns 100.1.1.1
 wins 100.1.1.1
 banner ^CWelcome to Yeslab^C
 def-domain yeslab.net
 backup-gateway yeslabgw1.yeslab.net
 backup-gateway yeslabgw2.yeslab.net
 backup-gateway yeslabgw3.yeslab.net
 route set access-list 5
!
! 'local' is the key this router authenticates itself with, 'remote' the key it expects from the peer
crypto ikev2 keyring Yeslab-IKEv2-Keyring
 peer Flex-VPN
  address 202.100.1.1
  pre-shared-key local yeslabccies
  pre-shared-key remote yeslabccies
!
crypto ikev2 profile Yeslab-IKEv2-Profile
 match identity remote address 202.100.1.1 255.255.255.255
 identity local address 202.100.1.100
 authentication local pre-share
 authentication remote pre-share
 keyring local Yeslab-IKEv2-Keyring
 aaa authorization group override psk list Yeslab-Local-Group-Author-List Yeslab-IKEv2-Author-Policy
 virtual-template 1
!
! 3DES is legacy; use AES with a SHA-2 HMAC outside a lab
crypto ipsec transform-set Yeslab-IPSec-Trans esp-3des esp-sha-hmac
!
crypto ipsec profile Yeslab-IPSec-Profile
 set transform-set Yeslab-IPSec-Trans
 set ikev2-profile Yeslab-IKEv2-Profile
!
interface Loopback0
 ip address 100.1.1.1 255.255.255.0
!
interface GigabitEthernet0/0
 ip address 202.100.1.100 255.255.255.0
 no shutdown
!
! One Virtual-Access interface is cloned from this template per connected client
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile Yeslab-IPSec-Profile
!
ip local pool ippool 123.1.1.100 123.1.1.200
!
! Networks announced to the client through 'route set access-list 5'
access-list 5 permit 100.1.1.0 0.0.0.255
!
end
=================================
hostname Client
!
! Required before any aaa authorization command
aaa new-model
!
aaa authentication login noacs line none
aaa authorization network Yeslab-Local-Group-Author-List local
!
! The client has a policy too: 'route set' announces its own LAN (ACL 5) to the server
crypto ikev2 authorization policy Yeslab-IKEv2-Author-Policy
 route set access-list 5
!
crypto ikev2 keyring Yeslab-IKEv2-Keyring
 peer Flex-VPN
  address 202.100.1.100
  pre-shared-key local yeslabccies
  pre-shared-key remote yeslabccies
!
crypto ikev2 profile Yeslab-IKEv2-Profile
 match identity remote address 202.100.1.100 255.255.255.255
 identity local address 202.100.1.1
 authentication local pre-share
 authentication remote pre-share
 keyring local Yeslab-IKEv2-Keyring
 aaa authorization group override psk list Yeslab-Local-Group-Author-List Yeslab-IKEv2-Author-Policy
!
! FlexVPN client block: dials peer 1 and brings up Tunnel0
crypto ikev2 client flexvpn Yeslab-Flex-Client
 peer 1 202.100.1.100
 client connect Tunnel0
!
crypto ipsec transform-set Yeslab-IPSec-Trans esp-3des esp-sha-hmac
!
crypto ipsec profile Yeslab-IPSec-Profile
 set transform-set Yeslab-IPSec-Trans
 set ikev2-profile Yeslab-IKEv2-Profile
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
! Tunnel address and destination are learned from the server, not configured statically
interface Tunnel0
 ip address negotiated
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile Yeslab-IPSec-Profile
!
interface GigabitEthernet0/0
 ip address 202.100.1.1 255.255.255.0
 no shutdown
!
access-list 5 permit 1.1.1.0 0.0.0.255
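A PSK pairing like the one above fails silently when a key or an identity is off by one character, and the only symptom is an IKEv2 AUTH failure in the debugs. The Python below is an added example, not part of the original post: it parses condensed copies of the two Lab 1 configurations (embedded as constructed input) and cross-checks them the way IKEv2 will. Each router's local pre-shared key must equal the other's remote key, each router's identity local address must be what the peer's profile (match identity remote address) and keyring (address) expect, both directions must be pre-share, and the transform sets must agree. The legacy-algorithm flag for esp-3des is my addition; the function names and the parser, which covers only the statements used in this lab, are likewise mine.

```python
"""Cross-check a FlexVPN server/client pair for IKEv2 pre-shared-key mistakes (added example).
The parser covers only the statements used in the Lab 1 configs, not the full IOS grammar."""
import re
from typing import Dict, List

# Constructed input: condensed copies of the Lab 1 server and client configurations.
SERVER_CFG = """
crypto ikev2 keyring Yeslab-IKEv2-Keyring
 peer Flex-VPN
  address 202.100.1.1
  pre-shared-key local yeslabccies
  pre-shared-key remote yeslabccies
crypto ikev2 profile Yeslab-IKEv2-Profile
 match identity remote address 202.100.1.1 255.255.255.255
 identity local address 202.100.1.100
 authentication local pre-share
 authentication remote pre-share
crypto ipsec transform-set Yeslab-IPSec-Trans esp-3des esp-sha-hmac
"""
CLIENT_CFG = """
crypto ikev2 keyring Yeslab-IKEv2-Keyring
 peer Flex-VPN
  address 202.100.1.100
  pre-shared-key local yeslabccies
  pre-shared-key remote yeslabccies
crypto ikev2 profile Yeslab-IKEv2-Profile
 match identity remote address 202.100.1.100 255.255.255.255
 identity local address 202.100.1.1
 authentication local pre-share
 authentication remote pre-share
crypto ipsec transform-set Yeslab-IPSec-Trans esp-3des esp-sha-hmac
"""
# Constructed: the same client with a typo in its remote key and the wrong local identity.
BROKEN_CLIENT_CFG = CLIENT_CFG.replace(
    "pre-shared-key remote yeslabccies", "pre-shared-key remote yeslabccie5"
).replace("identity local address 202.100.1.1", "identity local address 202.100.1.2")

LEGACY_ALGS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
# Per block type: which sub-commands to capture (regex group 1 is the value).
RULES = {
    "crypto ikev2 keyring": {
        "peer_address": r"address (\S+)$",
        "psk_local": r"pre-shared-key local (\S+)$",
        "psk_remote": r"pre-shared-key remote (\S+)$",
    },
    "crypto ikev2 profile": {
        "match_remote": r"match identity remote address (\S+)",
        "identity_local": r"identity local address (\S+)$",
        "auth_local": r"authentication local (\S+)$",
        "auth_remote": r"authentication remote (\S+)$",
    },
}


def _blocks(cfg: str) -> List[List[str]]:
    """Split an IOS config into top-level blocks: a non-indented line plus its indented children."""
    blocks: List[List[str]] = []
    for raw in cfg.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" ") or not blocks:
            blocks.append([])
        blocks[-1].append(raw.strip())
    return blocks


def parse_side(cfg: str) -> Dict[str, str]:
    """Pull one router's keyring peer/PSKs, profile identity settings and transform set."""
    out: Dict[str, str] = {}
    for head, *body in _blocks(cfg):
        if head.startswith("crypto ipsec transform-set"):
            out["transform"] = " ".join(head.split()[4:])
        for prefix, rules in RULES.items():
            if head.startswith(prefix):
                for line in body:
                    for key, pattern in rules.items():
                        m = re.match(pattern, line)
                        if m:
                            out[key] = m.group(1)
    return out


def check_pair(server_cfg: str, client_cfg: str) -> List[str]:
    """Return findings for the pair; an empty list means consistent with no legacy algorithms."""
    s, c = parse_side(server_cfg), parse_side(client_cfg)
    findings: List[str] = []
    # IKEv2 PSK authentication is directional: my 'local' key is verified against the peer's 'remote' key.
    if s.get("psk_local") != c.get("psk_remote"):
        findings.append("PSK mismatch: server local key != client remote key")
    if s.get("psk_remote") != c.get("psk_local"):
        findings.append("PSK mismatch: server remote key != client local key")
    # The identity a router sends must be what the peer's profile matches and its keyring addresses.
    for me, peer, name in ((c, s, "client"), (s, c, "server")):
        ident = me.get("identity_local")
        if ident != peer.get("match_remote") or ident != peer.get("peer_address"):
            findings.append(f"{name} identity {ident} is not matched by the peer's profile/keyring")
    for name, side in (("server", s), ("client", c)):
        if side.get("auth_local") != "pre-share" or side.get("auth_remote") != "pre-share":
            findings.append(f"{name}: authentication is not pre-share in both directions")
    s_ts, c_ts = set(s.get("transform", "").split()), set(c.get("transform", "").split())
    if s_ts != c_ts:
        findings.append(f"transform sets differ: server {sorted(s_ts)} vs client {sorted(c_ts)}")
    legacy = sorted(LEGACY_ALGS & (s_ts | c_ts))
    if legacy:
        findings.append("legacy algorithms in transform set: " + ", ".join(legacy))
    return findings
```

Run against the page's two configs, check_pair returns a single finding, the 3DES transform set. Against the deliberately broken client it additionally reports the key mismatch in the server-local/client-remote direction and the client identity 202.100.1.2 that neither the server's match identity remote address nor its keyring peer address would accept.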

 

Lab 2: digital-signature (certificate) authentication + local AAA

Here the server router also acts as the CA, and both peers enroll with it over SCEP. Certificate validation depends on the clock, which is why the server runs ntp master and the client syncs to it. The certificate map accepts any certificate from the trusted CA whose OU contains the string yeslabsec (the co operator is a substring match), so it is a filter on top of CA trust, not an identity check on its own.

hostname Yeslab-CA
!
aaa new-model
!
aaa authentication login noacs line none
aaa authorization network Yeslab-Local-Group-Author-List local
!
! Certificate validity is checked against the clock; this router is the NTP master (see 'ntp master' below)
clock timezone GMT 8 0
!
ip domain name yeslab.net
!
! This router is its own CA; the CA server is started with 'no shutdown', which prompts for a passphrase
crypto pki server Yeslab-CA
 issuer-name cn=Yeslab-CA.yeslab.net, ou=YeslabSec, o=Yeslab
!
crypto pki trustpoint Yeslab-CA
 revocation-check crl
 rsakeypair Yeslab-CA
!
! Identity trustpoint referenced by the IKEv2 profile; enrolled against the local CA over SCEP
crypto pki trustpoint Flex-VPN
 enrollment url http://202.100.1.100:80
 subject-name cn=Yeslab-CA.yeslab.net, ou=YeslabSec, o=Yeslab
 revocation-check crl
!
! 'co' = contains: a peer certificate matches if its OU contains 'yeslabsec' (case-insensitive, as this lab relies on)
crypto pki certificate map cert-acl 10
 subject-name co ou = yeslabsec
!
crypto pki certificate chain Yeslab-CA
 certificate ca 01
  ------ certificate omitted ------
  quit
crypto pki certificate chain Flex-VPN
 certificate 02
  ------ certificate omitted ------
  quit
 certificate ca 01
  ------ certificate omitted ------
  quit
!
crypto ikev2 authorization policy Yeslab-IKEv2-Author-Policy
 pool ippool
 dns 100.1.1.1
 wins 100.1.1.1
 banner ^CWelcome to Yeslab^C
 def-domain yeslab.net
 backup-gateway yeslabgw1.yeslab.net
 backup-gateway yeslabgw2.yeslab.net
 backup-gateway yeslabgw3.yeslab.net
 route set access-list 5
!
crypto ikev2 profile Yeslab-IKEv2-Profile
 match certificate cert-acl
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint Flex-VPN
 aaa authorization group override cert list Yeslab-Local-Group-Author-List Yeslab-IKEv2-Author-Policy
 virtual-template 1
!
! 3DES is legacy; use AES with a SHA-2 HMAC outside a lab
crypto ipsec transform-set Yeslab-IPSec-Trans esp-3des esp-sha-hmac
!
crypto ipsec profile Yeslab-IPSec-Profile
 set transform-set Yeslab-IPSec-Trans
 set ikev2-profile Yeslab-IKEv2-Profile
!
interface Loopback0
 ip address 100.1.1.1 255.255.255.0
!
interface GigabitEthernet0/0
 ip address 202.100.1.100 255.255.255.0
 no shutdown
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile Yeslab-IPSec-Profile
!
! SCEP enrollment at http://202.100.1.100:80 requires the HTTP server on the CA router
ip http server
!
ip local pool ippool 123.1.1.100 123.1.1.200
!
access-list 5 permit 100.1.1.0 0.0.0.255
!
ntp master
!
end
======================================================
hostname Client
!
! Required before any aaa authorization command
aaa new-model
!
aaa authentication login noacs line none
aaa authorization network Yeslab-Local-Group-Author-List local
!
clock timezone GMT 8 0
!
! Enrolls with the CA on the server over SCEP; the same trustpoint holds the CA cert used to validate the peer
crypto pki trustpoint Flex-VPN
 enrollment url http://202.100.1.100:80
 subject-name cn=Client.yeslab.net, ou=YeslabSec, o=Yeslab
 revocation-check crl
!
crypto pki certificate map cert-acl 10
 subject-name co ou = yeslabsec
!
crypto pki certificate chain Flex-VPN
 certificate 03
  ------ certificate omitted ------
  quit
 certificate ca 01
  ------ certificate omitted ------
  quit
!
crypto ikev2 authorization policy Yeslab-IKEv2-Author-Policy
 route set access-list 5
!
crypto ikev2 profile Yeslab-IKEv2-Profile
 match certificate cert-acl
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint Flex-VPN
 aaa authorization group override cert list Yeslab-Local-Group-Author-List Yeslab-IKEv2-Author-Policy
!
crypto ikev2 client flexvpn Yeslab-Flex-Client
 peer 1 202.100.1.100
 client connect Tunnel0
!
crypto ipsec transform-set Yeslab-IPSec-Trans esp-3des esp-sha-hmac
!
crypto ipsec profile Yeslab-IPSec-Profile
 set transform-set Yeslab-IPSec-Trans
 set ikev2-profile Yeslab-IKEv2-Profile
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Tunnel0
 ip address negotiated
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile Yeslab-IPSec-Profile
!
interface GigabitEthernet0/0
 ip address 202.100.1.1 255.255.255.0
 no shutdown
!
access-list 5 permit 1.1.1.0 0.0.0.255
!
! Clock source for certificate validity checks
ntp server 202.100.1.100
!
end
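The match certificate cert-acl step is what decides which peer certificates the profile accepts once the CA signature checks out. The Python below is an added example, not IOS code and not from the original post: it emulates the certificate-map operators eq/ne/co/nc on a subject DN, modelled per attribute and case-insensitively, which is what this lab relies on when "ou = yeslabsec" matches a certificate issued with ou=YeslabSec. The client DN is the one from Lab 2; the look-alike DN and the stricter map are constructed. The point it shows is the practical caveat above: co is a substring test, so an OU such as YeslabSecurity also satisfies the page's map, whereas eq does not. Whether anyone can actually obtain such a certificate depends on what the CA is willing to issue; the map narrows CA trust, it does not replace it.

```python
"""Emulate the IOS certificate-map test behind 'match certificate cert-acl' in Lab 2 (added example).
Operators eq/ne/co/nc are applied per DN attribute and case-insensitively, which this lab relies on."""
import re
from typing import Dict, List

# Subject DN of the Lab 2 client certificate, and a constructed look-alike from another organisation.
CLIENT_DN = "cn=Client.yeslab.net, ou=YeslabSec, o=Yeslab"
LOOKALIKE_DN = "cn=rogue.example.net, ou=YeslabSecurity, o=Other"

LAB2_MAP = ["subject-name co ou = yeslabsec"]      # the page's map: 'co' is a substring test
STRICT_MAP = ["subject-name eq ou = yeslabsec",    # hypothetical tighter map: exact OU and O
              "subject-name eq o = yeslab"]


def parse_dn(dn: str) -> Dict[str, List[str]]:
    """Split 'cn=a, ou=b, o=c' into {attribute: [values]} with lower-cased attribute names."""
    attrs: Dict[str, List[str]] = {}
    for part in dn.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
    return attrs


def rule_matches(rule: str, dn: str) -> bool:
    """Evaluate one 'subject-name <eq|ne|co|nc> <attr> = <value>' rule against a DN."""
    m = re.fullmatch(r"subject-name\s+(eq|ne|co|nc)\s+(\w+)\s*=\s*(.+)", rule.strip())
    if not m:
        raise ValueError("unsupported rule: " + rule)
    op, attr, want = m.group(1), m.group(2).lower(), m.group(3).strip().lower()
    values = [v.lower() for v in parse_dn(dn).get(attr, [])]
    if op == "eq":
        return any(v == want for v in values)
    if op == "ne":
        return all(v != want for v in values)
    if op == "co":
        return any(want in v for v in values)
    return all(want not in v for v in values)  # nc: the attribute must not contain the value


def cert_accepted(cert_map: List[str], dn: str) -> bool:
    """All rules within one map sequence must match, as inside a single 'crypto pki certificate map X 10'."""
    return all(rule_matches(rule, dn) for rule in cert_map)


def demo() -> Dict[str, bool]:
    """Compare the page's 'co' map with the stricter 'eq' map on both certificates."""
    return {
        "lab_map_accepts_client": cert_accepted(LAB2_MAP, CLIENT_DN),
        "lab_map_accepts_lookalike": cert_accepted(LAB2_MAP, LOOKALIKE_DN),
        "strict_map_accepts_client": cert_accepted(STRICT_MAP, CLIENT_DN),
        "strict_map_accepts_lookalike": cert_accepted(STRICT_MAP, LOOKALIKE_DN),
    }
```

demo() shows the page's map accepting both the legitimate client and the look-alike, while the eq-based map accepts only the client. On a real deployment the same tightening is done by changing co to eq in the map and, more importantly, by controlling what the CA issues.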
