How to configure a Cisco remote-access IPsec VPN between an IOS router and an Android phone

network-engineering cisco vpn network-security cisco-ios-15
2021-07-03 06:38:16

I have a C891FW router running IOS 15.4 and I am trying to configure a remote-access VPN for Android's native VPN client. I am using RSA-Sig and XAUTH for authentication. The tunnel comes up, but I cannot reach any internal resources and cannot reach the Internet through the tunnel. Any help on what might be wrong would be greatly appreciated!

I have removed the parts of the configuration that I considered irrelevant or sensitive.

!
hostname Skynet
enable secret 5 xxxxx
!
aaa new-model
!
!
aaa authentication login local_auth local
aaa authentication login ClientAuth local
aaa authorization console
aaa authorization exec local_auth local
aaa authorization network local_auth local
aaa authorization network ClientAuth local
!
!
!
aaa session-id common
clock timezone CET 1 0
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
!
crypto pki trustpoint vpn-tp
 usage ike
 revocation-check none
 rsakeypair vpn-tp
!
!
crypto pki certificate chain vpn-tp
 certificate 01
          xxx
quit
 certificate ca 00EC7044BAD01A044F
          xxx
quit
no ip source-route
no ip gratuitous-arps
!
!
!
ip cef
!
!
!
username jimmy privilege 15 secret 5 xxxx
username vpnuser privilege 0 secret 5 xxxx
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
ip ssh dh min size 4096
!
!
crypto isakmp policy 3
 encr aes
 group 2
crypto isakmp identity dn
!
crypto isakmp client configuration group <group>
 key <secret key>
 dns y.y.y.y
 pool dynpool
 include-local-lan
 netmask 255.255.255.0
crypto isakmp profile IKE-PROFILE
   ca trust-point vpn-tp
   match identity group <group>
   client authentication list ClientAuth
   isakmp authorization list ClientAuth
   client configuration address initiate
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile IPSEC_PROFILE1
 set transform-set ESP-3DES-SHA
 set isakmp-profile IKE-PROFILE
!
!
interface GigabitEthernet8
 ip address dhcp client-id FastEthernet0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly in
 ip verify unicast source reachable-via rx allow-default 100
 duplex auto
 speed auto
 no cdp enable
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet8
 no ip unreachables
 ip nat inside
 ip virtual-reassembly in
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE1
!
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
!
!
ip local pool dynpool 192.168.0.100 192.168.0.101 recycle delay 1
!
!
ip pim bidir-enable
ip nat inside source list NAT2 interface GigabitEthernet8 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet8
!
ip access-list standard ANY
 permit any
ip access-list standard Deny_RFC1918
 deny   10.0.0.0 0.255.255.255
 deny   172.16.0.0 0.15.255.255
 deny   192.168.0.0 0.0.255.255
 permit any
!
ip access-list extended NAT2
 deny   ip 10.0.0.0 0.0.0.255 host 192.168.0.100
 deny   ip 10.0.0.0 0.0.0.255 host 192.168.0.101
 permit ip 10.0.0.0 0.0.0.255 any
 permit ip 192.168.0.0 0.0.0.255 any

!
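Added example (not part of the question or either answer): a small Python evaluator for the NAT2 access list posted above. It parses the list exactly as written, applies IOS first-match/implicit-deny semantics, and then decides for a few constructed flows whether `ip nat inside source list NAT2 interface GigabitEthernet8 overload` would translate them. The interface roles come from the configuration in the question (Vlan1 and Virtual-Template1 are `ip nat inside`, GigabitEthernet8 is `ip nat outside`); the hosts 10.0.0.5 and 198.51.100.10 are constructed sample addresses, and only plain `permit|deny ip SRC DST` entries are handled, which is all the posted ACL uses.

```python
"""
Added example, not code from the question or answers: evaluate the NAT2
access list from the question against constructed flows, to see which
traffic the `ip nat inside source list NAT2 ... overload` statement would
translate. Only `permit|deny ip SRC DST` entries are handled.
"""
import ipaddress
from dataclasses import dataclass

# The NAT ACL exactly as it appears in the question.
NAT2_ACL = """\
ip access-list extended NAT2
 deny   ip 10.0.0.0 0.0.0.255 host 192.168.0.100
 deny   ip 10.0.0.0 0.0.0.255 host 192.168.0.101
 permit ip 10.0.0.0 0.0.0.255 any
 permit ip 192.168.0.0 0.0.0.255 any
"""


@dataclass(frozen=True)
class Ace:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'A.B.C.D WILDCARD' pair into a network. Wildcard bits set
    to 1 are 'don't care' (the inverse of a netmask); only contiguous
    wildcards such as 0.0.0.255 or 0.0.255.255 map to a prefix length."""
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.IPv4Network((addr, 32 - w.bit_length()), strict=False)


def _operand(tokens, i):
    """Consume one address operand (any | host A.B.C.D | A.B.C.D WILDCARD)
    starting at tokens[i]; return (network, index of the next token)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_extended_acl(text: str):
    """Parse an 'ip access-list extended NAME' block into (NAME, [Ace])."""
    name, entries = None, []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:3] == ["ip", "access-list", "extended"]:
            name = tokens[3]
        elif tokens and tokens[0] in ("permit", "deny") and tokens[1] == "ip":
            src, i = _operand(tokens, 2)
            dst, _ = _operand(tokens, i)
            entries.append(Ace(tokens[0], src, dst))
    return name, entries


def acl_action(entries, src_ip: str, dst_ip: str) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in entries:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


def nat_decision(entries, src_ip, dst_ip, in_iface_nat, out_iface_nat) -> str:
    """`ip nat inside source list` only rewrites packets that enter an
    'ip nat inside' interface, leave an 'ip nat outside' interface, and are
    permitted by the list. Inside-to-inside traffic is never translated."""
    if (in_iface_nat, out_iface_nat) != ("inside", "outside"):
        return "untranslated (not an inside->outside path)"
    if acl_action(entries, src_ip, dst_ip) == "permit":
        return "translated"
    return "untranslated (denied by list)"


# Constructed flows. Interface NAT roles follow the question's configuration:
# Vlan1 and Virtual-Template1 are 'ip nat inside', GigabitEthernet8 is
# 'ip nat outside'. 198.51.100.10 is a documentation address standing in
# for an Internet host; 10.0.0.5 is a made-up LAN host.
SAMPLE_FLOWS = [
    ("192.168.0.100", "10.0.0.5",      "inside", "inside"),   # VPN client -> LAN
    ("10.0.0.5",      "192.168.0.100", "inside", "inside"),   # LAN -> VPN client
    ("192.168.0.100", "198.51.100.10", "inside", "outside"),  # VPN client -> Internet
    ("10.0.0.5",      "198.51.100.10", "inside", "outside"),  # LAN -> Internet
    ("10.0.0.5",      "192.168.0.100", "inside", "outside"),  # LAN -> client if routed out Gi8
]


def evaluate_flows(acl_text: str = NAT2_ACL, flows=SAMPLE_FLOWS):
    """Return [(src, dst, decision)] for each flow under the given ACL."""
    _, entries = parse_extended_acl(acl_text)
    return [(s, d, nat_decision(entries, s, d, i, o)) for s, d, i, o in flows]


if __name__ == "__main__":
    for src, dst, decision in evaluate_flows():
        print(f"{src:>15} -> {dst:<15} {decision}")
```

Running it shows that the two `deny` lines only matter for LAN-to-client packets that would leave through GigabitEthernet8; client-to-LAN and LAN-to-client traffic between two `ip nat inside` interfaces is never translated regardless of the list, and client traffic towards the Internet is translated by the last `permit`. The same evaluator can be pointed at any other extended list in the configuration by passing its text to `evaluate_flows`.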
2 Answers
  1. Create an ACL with the VPN IP address pool as the source address and, as the destination, any or the specific IP addresses you want to access.
  2. Bind that ACL to the client configuration group. It will work.

Example:

access-list 108 permit ip X.X.X.X 0.0.0.255 Y.Y.Y.Y 0.0.0.255
crypto isakmp client configuration group <group>
 acl 108

Go to Google Play and download the Cisco AnyConnect client. This will allow you to connect to IOS 15.4.

http://www.cisco.com/c/en/us/products/collateral/security/anyconnect-secure-mobility-client/data_sheet_c78-527494.html