IPSec (Main mode) -- Vigor to Cisco1702 Router

I. Vigor configuration:


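(1) Vigor as VPN Client:

1. Common Settings:
   a. Enter the Profile Name.
   b. Select "Enable this Profile".
   c. Select Dial-Out and set Idle Timeout to 0. This keeps the IPSec tunnel up until the remote dial-in end sends a termination command. If you select Always on, the router redials automatically whenever the connection drops.

2. Dial-Out Settings:
   a. Select IPSec mode.
   b. Enter the IP address or host name of the remote VPN server.
   c. Enter the IKE Pre-shared value.
   d. Select the IPSec security method: High (ESP).

4. TCP/IP Network Settings:
   Enter the remote LAN's private IP address and its gateway.

(2) Vigor as VPN Server:

1. Common Settings:
   a. Enter the Profile Name.
   b. Select "Enable this Profile".
   c. Select Dial-In and set Idle Timeout to 0. This keeps the IPSec tunnel up until the remote dial-in end sends a termination command.

3. Dial-In Settings:
   a. Select IPSec mode.
   b. Select "Specify Remote VPN Gateway".
   c. Enter the IP of the peer VPN server (the Peer VPN Server IP).
   d. Enter the IKE Pre-shared value.
   e. Select the IPSec security method: High (ESP).

4. TCP/IP Network Settings:
   Enter the remote LAN's private IP address and its gateway.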





II. Cisco router configuration:

Setup Cisco with Commands
version 12.2
no parser cache
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
hostname Cisco1720
logging rate-limit console 10 except errors
enable password
memory-size iomem 15
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip domain-lookup
ip dhcp pool 1
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
no ip dhcp-client network-discovery
crypto isakmp policy 1
hash md5
authentication pre-share
lifetime 3600
crypto isakmp key 123 address 203.69.175.28
crypto ipsec transform-set cm-transformset-1 esp-des esp-md5-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
crypto map cm-cryptomap local-address Ethernet0
crypto map cm-cryptomap 1 ipsec-isakmp
set peer 203.69.175.28
set transform-set cm-transformset-1
match address 100

interface Ethernet0
description connected to Internet
ip address 210.243.151.181 255.255.255.240
half-duplex
crypto map cm-cryptomap
interface FastEthernet0
description connected to EthernetLAN_1
ip address 192.168.2.1 255.255.255.0
speed auto
router rip
version 1
passive-interface Ethernet0
network 210.243.151.176
network 192.168.2.0
no auto-summary
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0
no ip http server
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

snmp-server community public RO
line con 0
exec-timeout 0 0
password 7 06575D7218
login
line aux 0
line vty 0 4
password
login
line vty 5 15
login
no scheduler allocate
end
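
The following Python check is an added example, not part of the original page or of any Cisco or DrayTek tool. It reads the IKE/IPSec lines of the configuration above and reports what the tunnel will negotiate, including the defaults that apply because the isakmp policy has no encryption or group line. The sample is a constructed excerpt with sub-commands indented as "show running-config" prints them; the rule set and the 20-character key threshold are assumptions of this example.

```python
import re

# Constructed excerpt: IKE/IPSec lines of the configuration above, indented.
SAMPLE = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 3600
crypto isakmp key 123 address 203.69.175.28
crypto ipsec transform-set cm-transformset-1 esp-des esp-md5-hmac
crypto map cm-cryptomap 1 ipsec-isakmp
 set peer 203.69.175.28
"""

def blocks(text):
    """Group config lines into (header, [indented sub-commands])."""
    out = []
    for line in text.splitlines():
        if line.strip():
            if line[0].isspace() and out:
                out[-1][1].append(line.strip())
            else:
                out.append((line.strip(), []))
    return out

def audit(text, min_psk_len=20):
    """Return findings; the rules and min_psk_len are this example's assumptions."""
    findings, psk_peers, map_peers = [], set(), set()
    for head, sub in blocks(text):
        if head.startswith("crypto isakmp policy"):
            if "hash md5" in sub:
                findings.append(f"{head}: MD5 hash")
            if not any(s.startswith("encryption") for s in sub):
                findings.append(f"{head}: no encryption line, IOS 12.2 default is DES")
            if not any(s.startswith("group") for s in sub):
                findings.append(f"{head}: no group line, IOS 12.2 default is DH group 1")
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)", head):
            psk_peers.add(m.group(2))
            if len(m.group(1)) < min_psk_len:
                findings.append(f"pre-shared key for {m.group(2)} is under {min_psk_len} chars")
        elif head.startswith("crypto ipsec transform-set"):
            findings += [f"transform set uses {w}"
                         for w in ("esp-des", "esp-md5-hmac") if w in head.split()]
        elif head.startswith("crypto map"):
            map_peers |= {s.split()[2] for s in sub if s.startswith("set peer")}
    findings += [f"crypto map peer {p} has no pre-shared key entry"
                 for p in sorted(map_peers - psk_peers)]
    return findings
```

Calling audit(SAMPLE) returns six findings for the configuration on this page. Any proposal changed on the Cisco side has to be matched by what the Vigor offers, or Main mode negotiation fails.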
