在思科路由器上部署EZ×××(PC Client)

1. 拓扑 1.1 逻辑拓扑 1.2 实验拓扑（GNS3+VMwareworkstation（Win7））2. 路由器配置R3：hostname Internetinterface FastEth

.

1. 拓扑

.    1.1 逻辑拓扑....    1.2 实验拓扑（GNS3+VMwareworkstation（Win7））....2. 路由器配置..R3：...hostname Internet..interface FastEthernet0/0.. ip address 192.168.100.3 255.255.255.0.. no shutdown..interface FastEthernet0/1.. ip address 100.1.1.1 255.255.255.0.. no shutdown...
..R1:...hostname GW..aaa new-model  // EZ××× Phase 1.5 阶段，引入认证，采用本地认证..aaa authentication login noacs line none //aaa建议配置的策略..aaa authentication login remote local //认证的名字为remote，方式为local.aaa authorization network remote local //授权的名字为remote，方式为local.username user password 0 cisco //local的用户名和密码..crypto isakmp policy 10  //Phase 1阶段.. hash md5.. authentication pre-share.. group 2 //EZ×××必须为group2..!..crypto isakmp client configuration group ipsecgroup  //中心的组策略，名称ipsecgroup，用于向Clinet推送.. key cisco  .. pool ippool //分配的IP地址 .. acl Split-Tunnel //启用隧道分割，去往特定网段的路由才会被加密.. save-password //保存密码，在EZ×××连接时候会出现save password的可选项... backup-gateway www.ez***.org  //备份网关，支持域名和IP.. backup-gateway 100.1.1.4...crypto isakmp profile ipsecprofile //Phase2 阶段，建议是用profile方式..   match identity group ipsecgroup  //匹配组..   client authentication list remote //认证的策略..   isakmp authorization list remote //授权的策略..   client configuration address respond //启用mode configuration，须配..!..!..crypto ipsec transform-set cisco esp-des esp-md5-hmac  //transfrom set..!..crypto dynamic-map dymap 10.. set transform-set cisco .. set isakmp-profile ipsecprofile.. reverse-route //反向路由注入 ..crypto map cisco 1000 ipsec-isakmp dynamic dymap ..interface FastEthernet0/0.. ip address 192.168.200.1 255.255.255.0..no shut ..interface FastEthernet0/1.. ip address 100.1.1.2 255.255.255.0.. duplex auto.. speed auto.. crypto map cisco.. no shut..ip local pool ippool 123.1.1.100 123.1.1.200..ip route 0.0.0.0 0.0.0.0 100.1.1.1...ip access-list extended Split-Tunnel //定义隧道分割的流量，其中源地址是要访问的内网的网段.. permit ip 192.168.200.0 0.0.0.255 any...line con 0.. exec-timeout 0 0.. privilege level 15.. logging synchronous.. login authentication noacs..!...R2:..hostname Server...interface FastEthernet0/0.. ip address 192.168.200.2 255.255.255.0.. no sh.. exit.

ip route 0.0.0.0 0.0.0.0 192.168.200.1

...WIN7..需要安装Cisco ***客户端..1.1 IP 配置....1.2 ××× Client 配置..    安装完成后，会在网络连接里面多出一个Cisco ×××虚拟网卡。打开client ，选择“NEW”,如图配置，其中password为GW上定义的cisco。选择Save..

..选择新建的Beijing，然后选择Connect，......连接成功后，查看客户端的IP（未配置隧道分离时的客户端IP信息）....连接成功后，查看客户端的IP（配置隧道分离后的客户端IP）....单击系统右下角的×××图标，查看×××的流量信息....启用隧道分离后的路由信息（只是到特定网段）....现在客户端的已经可以连接到内网了，在R3上开启telnet服务,并测试....备份网关截图.....
....××× 客户端软件下载：http://down.51cto.com/data/1228494.

.