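RM_Inside PC1, behind the RM router, connects to NY_R1 using the Cisco VPN Client software.
The Branch_A router sets up EZVPN directly with the NY_R1 router, so the Branch_A_Inside network behind Branch_A connects to NY_R1 without the Cisco VPN Client software (the Branch_A router acts as the client on its behalf).
NY_R1 picks an IP address from a predefined pool and assigns it to RM_Inside PC1; once the connection succeeds, running ipconfig in a command window on RM_Inside PC1 shows a virtual local IP address from the pool range (192.168.15.1 ~ .200).
No separate PC configuration is needed at Branch_A. Possibly because of a GNS3 problem, the EZVPN connection between Branch_A and NY_R1 drops shortly after it is established.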
NY_R1
aaa new-model
aaa authentication login LOCAL_AUTHEN local
aaa authorization network LOCAL_AUTHOR local
username master password 0 cisco
username Branch1 password 0 cisco
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
lifetime 3600
crypto isakmp client configuration group EZGROUP
key cisco123
pool EZPOOL
acl EZSPLIT
netmask 255.255.255.0
crypto isakmp profile EZISAPROF
match identity group EZGROUP
client authentication list LOCAL_AUTHEN
isakmp authorization list LOCAL_AUTHOR
client configuration address respond
client configuration group EZGROUP
virtual-template 1
crypto ipsec transform-set EZSET esp-aes esp-sha-hmac
crypto ipsec profile EZPROFILE
set transform-set EZSET
set isakmp-profile EZISAPROF
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
ip address 192.168.2.2 255.255.255.0
duplex auto
speed auto
interface FastEthernet1/0
ip address 20.1.1.1 255.255.255.192
duplex auto
speed auto
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet1/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile EZPROFILE
!
router ospf 1
log-adjacency-changes
redistribute static subnets
network 20.1.1.0 0.0.0.15 area 0
default-information originate
!
ip local pool EZPOOL 192.168.15.1 192.168.15.200
ip access-list extended EZSPLIT
permit ip 192.168.1.0 0.0.0.255 any
end
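Added example (not part of the original post): a Python check over the NY_R1 lines above that compares the EZSPLIT split-tunnel ACL and the EZPOOL range with the router's inside LANs. Treating interfaces with RFC 1918 addresses as inside LANs is an assumption of this example, and the function names are its own.

```python
import ipaddress
import re

# Lines copied from the NY_R1 configuration on this page (flattened as shown).
NY_R1 = """\
ip address 192.168.1.2 255.255.255.0
ip address 192.168.2.2 255.255.255.0
ip address 20.1.1.1 255.255.255.192
ip local pool EZPOOL 192.168.15.1 192.168.15.200
ip access-list extended EZSPLIT
permit ip 192.168.1.0 0.0.0.255 any
"""

def split_networks(config, acl):
    """Networks the split-tunnel ACL tells EZVPN clients to route into the tunnel."""
    nets, inside = [], False
    for line in map(str.strip, config.splitlines()):
        if line.startswith("ip access-list extended "):
            inside = line.split()[-1] == acl
        elif inside and (m := re.match(r"permit ip (\S+) (\S+) any$", line)):
            # ip_network() accepts an IOS wildcard (host) mask after the slash.
            nets.append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
        else:
            inside = False
    return nets

def inside_lans(config):
    """Assumption: interfaces with RFC 1918 addresses are the hub's inside LANs."""
    found = re.findall(r"^\s*ip address (\S+) (\S+)$", config, re.M)
    nets = [ipaddress.ip_interface(f"{a}/{m}").network for a, m in found]
    return [n for n in nets if n.is_private]

def pool_blocks(config, pool):
    """The client address pool as a list of CIDR blocks."""
    m = re.search(rf"^\s*ip local pool {re.escape(pool)} (\S+) (\S+)$", config, re.M)
    first, last = (ipaddress.ip_address(x) for x in m.groups())
    return list(ipaddress.summarize_address_range(first, last))

def audit(config, acl="EZSPLIT", pool="EZPOOL"):
    tunneled, lans = split_networks(config, acl), inside_lans(config)
    blocks = pool_blocks(config, pool)
    return {
        "tunneled": tunneled,
        # Inside LANs the ACL omits: clients do not route this traffic into the tunnel.
        "not_tunneled": [n for n in lans if not any(n.subnet_of(t) for t in tunneled)],
        "pool_size": sum(b.num_addresses for b in blocks),
        # A pool overlapping an inside LAN would collide with addresses in use there.
        "pool_overlap": [n for n in lans if any(n.overlaps(b) for b in blocks)],
    }

if __name__ == "__main__":
    for key, value in audit(NY_R1).items():
        print(key, value)
```

On this configuration it reports 192.168.2.0/24 (FastEthernet0/1) as not covered by EZSPLIT, so clients keep traffic for that LAN outside the tunnel.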
------------------------------
ISP
interface FastEthernet1/0
ip address 20.1.1.14 255.255.255.192
duplex auto
speed auto
!
interface FastEthernet2/0
ip address 40.1.1.14 255.255.255.192
duplex auto
speed auto
!
interface FastEthernet1/1
ip address 30.1.1.14 255.255.255.192
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
network 20.1.1.0 0.0.0.15 area 0
network 30.1.1.0 0.0.0.15 area 0
network 40.1.1.0 0.0.0.15 area 0
end
------------------------------
Branch_A
crypto ipsec client ezvpn EVC
connect auto
group EZGROUP key cisco123
mode client
peer 20.1.1.1
virtual-interface 1
username Branch1 password cisco
xauth userid mode local
interface FastEthernet0/0
ip address 192.168.11.2 255.255.255.0
duplex auto
speed auto
crypto ipsec client ezvpn EVC inside
!
interface FastEthernet1/0
ip address 30.1.1.1 255.255.255.192
duplex auto
speed auto
crypto ipsec client ezvpn EVC
!
interface Virtual-Template1 type tunnel
no ip address
tunnel mode ipsec ipv4
!
router ospf 1
log-adjacency-changes
network 30.1.1.0 0.0.0.15 area 0
!
end
-----------------------------------
RM
interface FastEthernet0/0
ip address 192.168.100.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 40.1.1.1 255.255.255.192
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
network 40.1.1.0 0.0.0.15 area 0
network 192.168.100.0 0.0.0.255 area 0
!
end