请教一个vpn配置问题

魔力

配置一个remote access vpn， 如果在配置isakmp策略时选择了pre-share认证，在后面配置
的时候除了设置group密码之外 是不是不需要设置pre-share key？

小雪

送楼主一个配置实例
VPN配置实例

Intranet 内联网配置:
Figure 3-8: Intranet VPN Scenario Physical Elements
Headquarters Router 配置
hq-sanjose# show running-config
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname hq-sanjose
!
boot system flash bootflash:
boot bootldr bootflash:c7100-boot-mz.120-1.1.T
boot config slot0:hq-sanjose-cfg-small
no logging buffered
!
crypto isakmp policy 1
authentication pre-share
lifetime 84600
crypto isakmp key test12345 address 172.24.2.5
!
crypto ipsec transform-set proposal1 ah-sha-hmac esp-des esp-sha-hmac
mode transport
!
!
crypto map s1first local-address Serial1/0
crypto map s1first 1 ipsec-isakmp
set peer 172.24.2.5
set transform-set proposal1
match address 101
!
interface Tunnel0
bandwidth 180
ip address 172.17.3.3 255.255.255.0
no ip directed-broadcast
tunnel source 172.17.2.4
tunnel destination 172.24.2.5
crypto map s1first
!
interface FastEthernet0/0
ip address 10.1.3.3 255.255.255.0
no ip directed-broadcast
no keepalive
full-duplex
no cdp enable
!
interface FastEthernet0/1
ip address 10.1.6.4 255.255.255.0
no ip directed-broadcast
no keepalive
full-duplex
no cdp enable
!
interface Serial1/0
ip address 172.17.2.4 255.255.255.0
no ip directed-broadcast
no ip mroute-cache
no keepalive
fair-queue 64 256 0
framing c-bit
cablelength 10
dsu bandwidth 44210
clock source internal
no cdp enable
crypto map s1first
!
ip route 10.1.4.0 255.255.255.0 Tunnel0
!
access-list 101 permit gre host 172.17.2.4 host 172.24.2.5
!
line con 0
transport input none
line aux 0
line vty 0 4
login
!
end

Remote Office Router 配置:
ro-rtp# show running-config
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ro-rtp
!
boot system flash bootflash:
boot bootldr bootflash:c7100-boot-mz.120-1.1.T
boot config slot0:ro-rtp-cfg-small
no logging buffered
!
crypto isakmp policy 1
authentication pre-share
lifetime 84600
crypto isakmp key test12345 address 172.17.2.4
!
crypto ipsec transform-set proposal1 ah-sha-hmac esp-des esp-sha-hmac
mode transport
!
!
crypto map s1first local-address Serial1/0
crypto map s1first 1 ipsec-isakmp
set peer 172.17.2.4
set transform-set proposal1
match address 101
!
interface Tunnel1
bandwidth 180
ip address 172.24.3.6 255.255.255.0
no ip directed-broadcast
tunnel source 172.24.2.5
tunnel destination 172.17.2.4
crypto map s1first
!
interface FastEthernet0/0
ip address 10.1.4.2 255.255.255.0
no ip directed-broadcast
no keepalive
full-duplex
no cdp enable
!
interface Serial1/0
ip address 172.24.2.5 255.255.255.0
no ip directed-broadcast
no ip mroute-cache
no keepalive
fair-queue 64 256 0
framing c-bit
cablelength 10
dsu bandwidth 44210
clock source internal
no cdp enable
crypto map s1first
!
ip route 10.1.3.0 255.255.255.0 Tunnel1
ip route 10.1.6.0 255.255.255.0 Tunnel1
!
access-list 101 permit gre host 172.24.2.5 host 172.17.2.4
!
line con 0
transport input none
line aux 0
line vty 0 4
login
!
end
Extranet外联网配置:
Figure 3-9: Extranet VPN Scenario Physical Elements


Headquarters Router配置:
hq-sanjose# show running-config
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname hq-sanjose
!
boot system flash bootflash:
boot bootldr bootflash:c7100-boot-mz.120-1.1.T
boot config slot0:hq-sanjose-cfg-small
no logging buffered
!
crypto isakmp policy 1
authentication pre-share
lifetime 84600
crypto isakmp key test12345 address 172.24.2.5
cr

yangyu844512

要设置

dingyichao

要配置的吧

别说朋

关注高人

tceui

......踩过

上官

非常感谢分享

tceui

站个位在说

安踏：我顶帖，我喜欢

茶丸星

谢谢分享