1) EZVPN components

(1) VPN gateway (Easy VPN server): router, ASA/PIX, VPN 3000 concentrator

(2) VPN client (Easy VPN remote): software client, PIX, VPN 3002 hardware client

2) Workflow

(1) The client initiates the IKE phase 1 connection

(2) The server finds a policy (group) that matches the client

(3) The IKE phase 1 SA is established

(4) Extended authentication (XAUTH) of the user

(5) Mode configuration (policy is pushed down to the client, e.g. an IP address is assigned from the pool)

(6) RRI, reverse route injection: the server installs a route to the client's assigned address

(7) The IKE phase 2 (IPsec) SA is established

3) Configuration (Easy VPN server on an IOS router)

aaa new-model
!
! "authen" is used for XAUTH (step 4), "author" for group authorization (step 5)
aaa authentication login authen local
aaa authorization network author local
username cisco password 0 cisco
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
! Group "ccnp": pre-shared key and the address pool pushed by mode configuration
crypto isakmp client configuration group ccnp
 key cisco
 pool p
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
! Dynamic crypto map: clients have unknown addresses; reverse-route enables RRI (step 6)
crypto dynamic-map dyn 1
 set transform-set myset
 reverse-route
!
crypto map mymap client authentication list authen
crypto map mymap isakmp authorization list author
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap 1 ipsec-isakmp dynamic dyn
!
interface Serial1/0
 crypto map mymap
!
ip local pool p 10.1.1.1 10.1.1.10

4) Split tunnel

An ACL specifies which traffic should be protected by IPsec (sent through the tunnel); traffic not matched by the ACL leaves the client directly through its local interface.
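Added example (not part of the original notes) of how the split-tunnel ACL is attached to the group "ccnp" from the configuration above; the internal subnet 192.168.10.0/24 and the ACL name split-tunnel-acl are constructed values.

```cisco
! Split tunneling for EZVPN group "ccnp" (added example, not from the original notes).
! Only traffic between the client and the internal subnet 192.168.10.0/24 (constructed
! value) is encrypted; the source is the protected network behind the server.
ip access-list extended split-tunnel-acl
 permit ip 192.168.10.0 0.0.0.255 any
!
! The "acl" line is pushed to the client during mode configuration (step 5).
crypto isakmp client configuration group ccnp
 key cisco
 pool p
 acl split-tunnel-acl
!
! Checks after a client connects:
!   show crypto isakmp sa      -> phase 1 SA with the client's public address
!   show crypto ipsec sa       -> phase 2 SA whose proxy identities match the ACL
!   show ip route              -> RRI host route (/32) for the address taken from pool p
```

Without the acl line the group is a full tunnel and all client traffic crosses the VPN; a split tunnel leaves the client reachable from its local network while it is connected to the internal network, so the ACL should cover only the subnets the client really needs.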