PIX與VPN client的pre-shared key互連
vpn client是cisco的一款vpn客戶端軟件,專門用來與cisco的產品(PIX,router,VPN 3000集中器)作vpn連接使用,近日做了一下PIX和VPN client互連的實驗,先把pre-shared key的配置寫一下
實驗環境如下:
VPN client--------------------------------PIX---------------------------AAA ACS server
192.168.0.243 192.168.0.254 10.1.1.244 10.1.1.88
VPN分配IP為10.1.1.246
pixfirewall# sh config
: Saved
:
PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password EZt/JroCts.3MWq4 encrypted
passwd EZt/JroCts.3MWq4 encrypted
hostname pixfirewall
domain-name test.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol ftp 2121
names
access-list test permit icmp host 192.168.0.243 host 192.168.0.254 echo-reply
access-list 80 permit ip 10.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0
|
!定義不進行NAT的流量,這些流量會用IPSce來封裝,當PIX的內部IP和分配給VPN client的IP在同一網段的時候,一樣要加ACL,源和目的網段一樣的ACL,這個要注意。當時我在這里按照student guide的例子來配置ACL,允許PIX的outside口IP到分配給VPN client的IP地址段,但怎么也沒有配置成功,VPN client不能訪問PIX的內網服務器,但PIX的內網服務器卻可以訪問VPN client。后來修改ACL后就成功了。
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.254 255.255.255.0
!定義PIX的outside口IP
ip address inside 10.1.1.244 255.255.255.0
!定義PIX的inside口IP
ip audit info action alarm
ip audit attack action alarm
ip local pool dialer 10.1.1.246-10.1.1.247
!定義分配給VPN client的IP地址池
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm location 10.1.1.88 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 80
!定義不進行NAT的流量
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group test in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.243 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server myserver protocol tacacs+
!定義AAA服務器使用的協議
aaa-server myserver (inside) host 10.1.1.88 1234 timeout 5
!定義AAA服務器的IP地址(裝了ACS的服務器)
http server enable
http 10.1.1.88 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
!對于所有IPSec流量不檢測允許其通過,如果不加這個命令的話,
需要加上ACL到outside口以允許特定的IPSce流量通過,但會控制更加靈活。
no sysopt route dnat
crypto ipsec transform-set aaades esp-des esp-md5-hmac
!定義phase 2的加密和散列算法作為一個transform-set
crypto dynamic-map dynomap 10 set transform-set aaades
!把transform-set綁定到dynamic-map
crypto map vpnpeer 20 ipsec-isakmp dynamic dynomap
!把dynamic-map綁定到vpnpeer
crypto map vpnpeer client authentication myserver
!定義進行xauth使用的AAA服務器
crypto map vpnpeer interface outside
!把crypto map綁定到outside口
isakmp enable outside
!在outside口綁定isakmp
isakmp client configuration address-pool local dialer outside
!配置分配給VPN client的地址池
isakmp policy 10 authentication pre-share
!定義phase 1使用pre-shared key進行認證
isakmp policy 10 encryption des
!定義phase 1協商用DES加密算法
isakmp policy 10 hash md5
!定義phase 1協商用MD5散列算法
isakmp policy 10 group 2
!定義phase 1進行IKE協商使用DH group 2
isakmp policy 10 lifetime 86400
!定義IKE SA生存期
vpngroup student0 address-pool dialer
!定義VPN client撥入使用的vpngroup所分配的IP地址池
vpngroup student0 idle-time 1800
!定義vpngroup的空閑時間
vpngroup student0 password 1234
!定義vpngroup的pre-shared key
telnet 10.1.1.88 255.255.255.255 inside
telnet timeout 5
ssh 10.1.1.88 255.255.255.255 inside
ssh timeout 20
terminal width 80
Cryptochecksum:693b87faa42d062c2848346a3a0acb43
pixfirewall#
|
VPN client版本為4.0.3,先創建一個連接,使用pre-shared key,group name和password要和PIX中的vpngroup和key一致。
在vpn client進行IKE協商后會有一個窗口彈出,要輸入用戶名和密碼,這是因為cisco的VPN使用了xauth,要再驗證一次ACS服務器中設置的帳號,輸入即可。不過,如果在PIX中沒有加這一句
crypto map vpnpeer client authentication myserver |
就不會有這個窗口彈出來了.
