The simplest VPN login to a PIX
2004-8-23 21:46 紫枫猪猪
Thanks to Net130.com and zhaoshan for their help.

VPN Client 4.0.5 download link:
http://www.fixdown.com/soft/8818.asp?free=sc-down

Here is the simplest connection between a PIX and the VPN Client, with no authentication server needed.

The environment is as follows:

VPN client----------------------PIX--------------------
192.168.10.1 218.218.218.218 192.168.100.1
The VPN assigns client IPs from 192.168.100.10-192.168.100.200

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password AmL53.8shQrncOlX encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

access-list no-nat permit ip 192.168.100.0 255.255.255.0 192.168.100.0 255.255.255.0
! Define the traffic that is not to be NATed
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 218.218.218.218 255.255.255.0
! Define the IP of the PIX outside interface
ip address inside 192.168.100.1 255.255.255.0
! Define the IP of the PIX inside interface
ip audit info action alarm
ip audit attack action alarm
ip local pool dialer 192.168.100.10-192.168.100.200
! Define the pool of IP addresses handed out to VPN clients
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat
! Define the traffic that does not need NAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 218.218.218.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
! Protocols used by the AAA servers
http server enable
http 10.1.1.0 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
! Let all IPsec traffic through without inspection. Without this command you need an ACL on the outside interface to allow the specific IPsec traffic, which gives finer control.
no sysopt route dnat
crypto ipsec transform-set aaades esp-des esp-md5-hmac
! Define a transform set named aaades
crypto dynamic-map dynomap 10 set transform-set aaades
! Add transform set aaades to the dynamic crypto map dynomap
crypto map vpnpeer 20 ipsec-isakmp dynamic dynomap
! Bind the dynamic crypto map to the crypto map vpnpeer
crypto map vpnpeer client authentication LOCAL
! No authentication server is needed; the PIX's own local user authentication is used
crypto map vpnpeer client configuration address initiate
! Assign an IP address to each client
crypto map vpnpeer client configuration address respond
! The PIX accepts requests from any IP
crypto map vpnpeer interface outside
! Bind crypto map vpnpeer to the outside interface
isakmp enable outside
! Enable ISAKMP on the outside interface
isakmp key 1234 address 0.0.0.0 netmask 0.0.0.0
! Define the shared key and accept requests from any address
isakmp client configuration address-pool local dialer outside
! Bind the VPN client address pool to ISAKMP
isakmp policy 10 authentication pre-share
! Phase 1 uses pre-shared key authentication
isakmp policy 10 encryption des
! Phase 1 negotiation uses the DES encryption algorithm
isakmp policy 10 hash md5
! Phase 1 negotiation uses the MD5 hash algorithm
isakmp policy 10 group 2
! Phase 1 IKE negotiation uses DH group 2
isakmp policy 10 lifetime 86400
! IKE SA lifetime
vpngroup student0 address-pool dialer
! Address pool assigned to the vpngroup that dial-in VPN clients use
vpngroup student0 idle-time 1800
! Idle timeout for the vpngroup
vpngroup student0 password 1234
! Pre-shared key for the vpngroup
telnet 192.168.100.9 255.255.255.0 inside
telnet timeout 5
ssh 192.168.100.9 255.255.255.255 inside
ssh timeout 20
terminal width 80
username vpnuser password vpnuser
! Create a user on the PIX; both the username and the password are vpnuser
Cryptochecksum:693b87faa42d062c2848346a3a0acb43
pixfirewall#

The VPN Client version is 4.0.5. First create a connection under Connection Entries and fill in the top section:

Connection Entry: vpnpeer1
Description: test
Host: 218.218.218.218

Under Authentication, in Group Authentication, fill in:
Name: student0   # this is the vpngroup name
Password: 1234   # this is the vpngroup password
Confirm Password: 1234

The name and password must match the vpngroup and key configured on the PIX.

When the VPN Client connects, a window pops up asking for a username and password; enter vpnuser for both.

2004-8-24 10:36 ipcfg
Great! I'd like to ask: can the PIX support establishing a VPN connection directly from Windows, without installing the VPN Client?

2004-8-24 10:44 ipcfg
Mine uses AES.

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Pixfirewall
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names

!--- Define the access list to avoid network address
!--- translation (NAT) on IPSec packets.

access-list 102 permit ip 10.10.10.0 255.255.255.0 10.10.8.0 255.255.255.0
access-list 102 permit ip 10.10.11.0 255.255.255.0 10.10.8.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500

!--- Configure the IP address on the interfaces.

ip address outside 172.16.10.1 255.255.255.0
ip address inside 10.10.10.2 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm

!--- Create a pool of addresses from which IP addresses are assigned
!--- dynamically to the remote VPN Clients.

ip local pool vpnpool1 10.10.8.1-10.10.8.254
pdm history enable
arp timeout 14400

!--- Disable NAT for IPSec packets.

nat (inside) 0 access-list 102
route outside 0.0.0.0 0.0.0.0 172.16.10.2 1
route inside 10.10.11.0 255.255.255.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable

!--- Permit packets that came from an IPSec tunnel to pass through without
!--- checking them against the configured conduits/access lists.

sysopt connection permit-ipsec

!--- Define the transform set to be used during IPSec
!--- security association (SA) negotiation. Specify AES as the encryption algorithm.

crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac

!--- Create a dynamic crypto map entry
!--- and add it to a static crypto map.

crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2

!--- Bind the crypto map to the outside interface.

crypto map map1 interface outside

!--- Enable Internet Security Association and Key Management
!--- Protocol (ISAKMP) negotiation on the interface on which the IPSec
!--- peer communicates with the PIX firewall.

isakmp enable outside
isakmp identity address

!--- Define an ISAKMP policy to be used while
!--- negotiating the ISAKMP SA. Specify
!--- AES as the encryption algorithm. The configurable AES
!--- options are aes, aes-192 and aes-256.
!--- Note: AES 192 is not supported by the VPN Client.

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

!--- Create a VPN group and configure the policy attributes which are
!--- downloaded to the Easy VPN Clients.

vpngroup groupmarketing address-pool vpnpool1
vpngroup groupmarketing dns-server 10.10.11.5
vpngroup groupmarketing wins-server 10.10.11.5
vpngroup groupmarketing default-domain org1.com
vpngroup groupmarketing split-tunnel 102
vpngroup groupmarketing idle-time 1800
vpngroup groupmarketing password ********
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:c064abce81996b132025e83e421ee1c3
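The two configurations in this thread differ mainly in their crypto choices: the first post negotiates IKE with DES, MD5 and DH group 2 and uses a four-character group key and a user whose password equals the username, while the second post negotiates AES-256 and SHA-1. The script below is an added example written for this page, not code from either poster or from Cisco: it walks a PIX 6.3-style running-config dump line by line and reports the phase 1 and phase 2 algorithms, wildcard pre-shared keys, short or masked secrets and default SNMP community strings that a reviewer would flag before putting such a box on the Internet. The two config excerpts embedded at the bottom are trimmed copies of the lines the auditor inspects from the two posts above; the severity labels and the eight-character minimum are the example's own assumptions.

```python
"""Audit a PIX 6.3-style config dump for weak remote-access VPN settings.
Added example for this thread; not Cisco code and not the posters' code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium" (assumed labels for this example)
    line: str      # the configuration line that triggered the finding
    reason: str


# Algorithms and parameters that should not appear in a current IKE/IPsec policy.
WEAK_IKE_ENC = {"des": "single DES (56-bit key)", "3des": "3DES (deprecated 64-bit block cipher)"}
WEAK_IKE_HASH = {"md5": "MD5 as the IKE hash"}
WEAK_DH = {"1": "DH group 1 (768-bit MODP)", "2": "DH group 2 (1024-bit MODP)"}
WEAK_ESP = {
    "esp-des": "single DES for ESP",
    "esp-3des": "3DES for ESP",
    "esp-md5-hmac": "HMAC-MD5 for ESP integrity",
    "esp-null": "no ESP encryption",
}
DEFAULT_COMMUNITIES = {"public", "private"}
MASKED = "********"      # how PIX prints secrets in "show run"
MIN_SECRET_LEN = 8       # assumed floor for keys and passwords shown in clear


def audit_pix_vpn(config: str) -> list[Finding]:
    """Return one Finding per weak setting found in the config text."""
    findings: list[Finding] = []

    def add(severity: str, line: str, reason: str) -> None:
        findings.append(Finding(severity, line, reason))

    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank lines and "!" comments carry no configuration
        t = line.split()

        # isakmp policy <n> {encryption|hash|group} <value>   (IKE phase 1)
        if t[:2] == ["isakmp", "policy"] and len(t) >= 5:
            attr, value = t[3], t[4]
            if attr == "encryption" and value in WEAK_IKE_ENC:
                add("high", line, WEAK_IKE_ENC[value])
            elif attr == "hash" and value in WEAK_IKE_HASH:
                add("medium", line, WEAK_IKE_HASH[value])
            elif attr == "group" and value in WEAK_DH:
                add("medium", line, WEAK_DH[value])

        # crypto ipsec transform-set <name> <alg> [<alg>]   (IPsec phase 2)
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            for alg in t[4:]:
                if alg in WEAK_ESP:
                    add("medium" if alg == "esp-md5-hmac" else "high", line, WEAK_ESP[alg])

        # isakmp key <secret> address <peer> netmask <mask>
        elif t[:2] == ["isakmp", "key"]:
            if "address" in t and t[t.index("address") + 1] == "0.0.0.0":
                add("medium", line, "wildcard pre-shared key accepted from any peer address")
            if len(t) > 2 and t[2] != MASKED and len(t[2]) < MIN_SECRET_LEN:
                add("high", line, f"pre-shared key shorter than {MIN_SECRET_LEN} characters")

        # vpngroup <name> password <secret>
        elif t[0] == "vpngroup" and len(t) == 4 and t[2] == "password":
            if t[3] != MASKED and len(t[3]) < MIN_SECRET_LEN:
                add("high", line, f"group password shorter than {MIN_SECRET_LEN} characters")

        # username <name> password <secret> [encrypted]
        elif t[0] == "username" and len(t) >= 4 and t[2] == "password" and "encrypted" not in t:
            if t[3] == t[1]:
                add("high", line, "user password equals the username")
            elif len(t[3]) < MIN_SECRET_LEN:
                add("high", line, f"user password shorter than {MIN_SECRET_LEN} characters")

        # snmp-server community <string>
        elif t[:2] == ["snmp-server", "community"] and len(t) >= 3 and t[2] in DEFAULT_COMMUNITIES:
            add("medium", line, "default SNMP community string")

    return findings


def summarize(config: str) -> dict[str, int]:
    """Count findings by severity."""
    counts = {"high": 0, "medium": 0}
    for f in audit_pix_vpn(config):
        counts[f.severity] += 1
    return counts


# Excerpts of the two configurations posted in this thread (first post, then
# the AES reply), trimmed to the lines the auditor looks at.
CONFIG_DES_MD5 = """\
snmp-server community public
crypto ipsec transform-set aaades esp-des esp-md5-hmac
crypto map vpnpeer client authentication LOCAL
isakmp key 1234 address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
vpngroup student0 password 1234
username vpnuser password vpnuser
"""

CONFIG_AES_SHA = """\
snmp-server community public
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
vpngroup groupmarketing password ********
"""

if __name__ == "__main__":
    for name, cfg in (("DES/MD5 config", CONFIG_DES_MD5), ("AES/SHA config", CONFIG_AES_SHA)):
        print(f"== {name}: {summarize(cfg)}")
        for f in audit_pix_vpn(cfg):
            print(f"  [{f.severity}] {f.reason}: {f.line}")
```

Run against the first post's excerpt the auditor reports ten findings (five high, five medium); the AES reply trips only the DH group 2 and the `public` community string, because its group password is masked in the dump. Secrets shown as `********` are skipped rather than judged, so a masked dump needs a separate check of the actual key strength.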

2004-9-6 13:33 excelit
good
