Cisco Easy VPN without a crypto map

We needed to give remote users access to the office network over PPTP and the Cisco VPN Client. To that end we deployed a RADIUS server (FreeRadius + Abills) and configured the Cisco router. The point of the setup is that Easy VPN clients terminate on a dynamic virtual tunnel interface (Virtual-Template2 with tunnel mode ipsec ipv4, tied to the ISAKMP profile through the IPsec profile) rather than on a crypto map entry; the only crypto map left, "temp" on Vlan60, serves the site-to-site tunnel to Archangelsk. PPTP users land on Virtual-Template1 through the VPDN group. Access list 101 and the From-INTERNET ACL are referenced by the config but not shown here.
Config:

!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login user_auth group radius local
aaa authentication ppp default group radius
aaa authorization exec default local none
aaa authorization network default group radius local
aaa authorization network group_author local
aaa accounting delay-start
aaa accounting update periodic 1
aaa accounting network default start-stop group radius
!
aaa server radius dynamic-author
 client 192.168.100.242 server-key TESTKEY
 auth-type any
!
aaa session-id unique
clock timezone MSK 3
clock summer-time MSD recurring last Sun Mar 2:00 last Sun Oct 2:00
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 local name Cisco_VPN_PPTP_server
 l2tp tunnel receive-window 1024
 ip mtu adjust
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ******** address *.*.*.26 no-xauth
crypto isakmp key ******** address *.*.*.137 no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto isakmp xauth timeout 90
!
crypto isakmp client configuration group mobile
 key *******
 dns 192.168.100.254 *.*.*.18
 max-users 250
 netmask 255.255.255.0
crypto isakmp profile mobile_users
   match identity group mobile
   client authentication list user_auth
   isakmp authorization list group_author
   client configuration address respond
   client configuration group mobile
   accounting default
   virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA0 esp-3des esp-sha-hmac
crypto ipsec transform-set T2 esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile P2
 set transform-set T2
!
crypto ipsec profile mobile_users_ipsec
 set transform-set ESP-3DES-SHA0
 set isakmp-profile mobile_users
!
!
crypto map temp local-address Vlan60
crypto map temp client configuration address respond
crypto map temp 1 ipsec-isakmp
 description to_Archangelsk
 set peer *.*.*.137
 set transform-set ESP-3DES-SHA0
 match address 101
!
!
interface Loopback10
 ip address 192.168.111.1 255.255.255.255
!
interface Tunnel0
 ip address 192.168.7.1 255.255.255.0
 ip mtu 1250
 ip tcp adjust-mss 1100
 tunnel source *.*.*.190
 tunnel destination *.*.*.26
 tunnel protection ipsec profile P2
!
interface GigabitEthernet0/0
 description LAN
 no ip address
 duplex auto
 speed auto
!
!
interface GigabitEthernet0/0.40
 description Data_LAN
 encapsulation dot1Q 40
 ip address 192.168.40.1 255.255.255.0
 ip helper-address 192.168.100.254
 ip wccp web-cache redirect in
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/0.100
 description Servers
 encapsulation dot1Q 100
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
!
interface Virtual-Template1
 ip unnumbered Loopback10
 ip verify unicast reverse-path
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 autodetect encapsulation ppp
 no snmp trap link-status
 no peer default ip address
 compress mppc
 ppp mtu adaptive
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2
 ppp ipcp dns 192.168.100.254 *.*.*.18
 ppp ipcp wins 192.168.100.254
!
interface Virtual-Template2 type tunnel
 ip unnumbered Loopback10
 ip nat inside
 ip virtual-reassembly
 load-interval 30
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile mobile_users_ipsec
!
interface Vlan1
 no ip address
!
interface Vlan50
 description ISP2
 ip address *.*.*.190 255.255.255.252
 ip access-group From-INTERNET in
 ip mtu 1490
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
!
interface Vlan60
 description ISP1
 ip address *.*.*.13 255.255.255.248
 ip access-group From-INTERNET in
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 crypto map temp
!
!
ip local pool PPTP_VPN 192.168.111.100 192.168.111.254
!
ip radius source-interface GigabitEthernet0/0.100
!
!
radius-server attribute 44 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server configure-nas
radius-server host 192.168.100.242 auth-port 1812 acct-port 1813
radius-server timeout 30
radius-server key *********
!
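Before relying on a config like this, it is worth checking what the crypto choices actually are: the IKE policy uses 3DES with 1024-bit DH group 2, both transform sets are 3DES, and the PPTP side relies on MS-CHAPv2 with MPPE, which is widely regarded as broken. The script below is an added example, not code from the original post or from Cisco: it walks the top-level blocks of an IOS running-config and reports such settings, including the IOS defaults that apply when an isakmp policy omits a line (DES, SHA-1, DH group 1). The sample config is a constructed excerpt of the crypto- and PPTP-related lines from the config above.

```python
"""Flag weak VPN crypto choices in a Cisco IOS running-config.

Added example; not code from the original post. The sample config is a
constructed excerpt reproducing the relevant lines of the config above.
"""

# Constructed sample: the crypto- and PPTP-relevant lines of the config above.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto ipsec transform-set ESP-3DES-SHA0 esp-3des esp-sha-hmac
crypto ipsec transform-set T2 esp-3des esp-sha-hmac
 mode transport
interface Virtual-Template1
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2
vpdn-group 1
 accept-dialin
  protocol pptp
  virtual-template 1
"""

WEAK_IKE_ENCR = {"des": "single DES", "3des": "3DES (64-bit block, deprecated)"}
WEAK_IKE_HASH = {"md5": "MD5"}
WEAK_DH_GROUP = {"1": "DH group 1 (768-bit)", "2": "DH group 2 (1024-bit)",
                 "5": "DH group 5 (1536-bit)"}
WEAK_ESP = {"esp-des": "single DES", "esp-3des": "3DES (64-bit block, deprecated)",
            "esp-md5-hmac": "HMAC-MD5", "esp-null": "no encryption"}


def parse_blocks(config):
    """Yield (header, [subcommands]) for each top-level block of an IOS config.

    Sub-commands are the indented lines that follow a flush-left line; comment
    lines ("!") and blank lines are skipped.
    """
    header, body = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] == " ":
            body.append(raw.strip())
        else:
            if header is not None:
                yield header, body
            header, body = raw.strip(), []
    if header is not None:
        yield header, body


def audit(config):
    """Return a list of findings, one string per weak setting found."""
    findings = []
    for header, body in parse_blocks(config):
        words = header.split()
        if header.startswith("crypto isakmp policy"):
            # IOS defaults when a line is omitted: DES, SHA-1, DH group 1.
            policy = {"encr": "des", "hash": "sha", "group": "1"}
            for line in body:
                key, _, value = line.partition(" ")
                key = "encr" if key == "encryption" else key
                if key in policy:
                    policy[key] = value.strip()
            if policy["encr"] in WEAK_IKE_ENCR:
                findings.append(f"{header}: encr {policy['encr']} -> {WEAK_IKE_ENCR[policy['encr']]}")
            if policy["hash"] in WEAK_IKE_HASH:
                findings.append(f"{header}: hash {policy['hash']} -> {WEAK_IKE_HASH[policy['hash']]}")
            if policy["group"] in WEAK_DH_GROUP:
                findings.append(f"{header}: group {policy['group']} -> {WEAK_DH_GROUP[policy['group']]}")
        elif header.startswith("crypto ipsec transform-set"):
            name, transforms = words[3], words[4:]
            for t in transforms:
                if t in WEAK_ESP:
                    findings.append(f"transform-set {name}: {t} -> {WEAK_ESP[t]}")
        elif header.startswith("interface"):
            for line in body:
                if line.startswith("ppp authentication") and "ms-chap" in line:
                    findings.append(f"{header}: {line} -> MS-CHAP/MS-CHAPv2 is considered "
                                    "broken; prefer certificate- or EAP-based authentication")
        elif header.startswith("vpdn-group"):
            if "protocol pptp" in body:
                findings.append(f"{header}: protocol pptp -> PPTP/MPPE gives no modern "
                                "confidentiality or integrity guarantees")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the real device, feed it the output of "show running-config" instead of SAMPLE_CONFIG; the policy-defaults check is the one that usually surprises people, since a policy that only sets "authentication pre-share" silently negotiates DES with DH group 1.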


P.S. There is one small problem: POD on the Cisco VPN clients doesn't work... No idea why... Otherwise everything works great.
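A quick way to tell whether the router side of POD works at all, independently of Abills, is to send a RADIUS Disconnect-Request by hand from the RADIUS host (192.168.100.242, the client configured under aaa server radius dynamic-author) to the router's RADIUS source address 192.168.100.1. The script below is an added example and not code from the original post, FreeRADIUS or Abills. It builds the packet as RFC 5176 specifies (code 40; Request Authenticator = MD5 over the header, sixteen zero octets, the attributes and the shared secret), sends it to port 1700 (the IOS default for dynamic-author) and verifies the Response Authenticator of the Disconnect-ACK or Disconnect-NAK. The TESTKEY secret and addresses come from the config above; the username "vpnuser" and client address 192.168.111.100 are an assumed session, and the auth-type any in the config should let any of User-Name, Framed-IP-Address or Acct-Session-Id identify it. The Message-Authenticator attribute is left out, as RFC 5176 makes it optional for requests without EAP. A NAK with no session found points at the attribute values; a timeout points at reachability or the key.

```python
"""Send a RADIUS Disconnect-Request (Packet of Disconnect) and verify the reply.

Added example, not from the original post, FreeRADIUS or Abills. Packet
format per RFC 5176; port 1700 is the IOS default for dynamic-author.
"""
import hashlib
import socket
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_TYPE = {"User-Name": 1, "NAS-IP-Address": 4, "Framed-IP-Address": 8, "Acct-Session-Id": 44}
IPV4_ATTRS = {"NAS-IP-Address", "Framed-IP-Address"}


def encode_attrs(attrs):
    """TLV-encode a list of (name, value) RADIUS attributes (type, length, value)."""
    out = b""
    for name, value in attrs:
        payload = socket.inet_aton(value) if name in IPV4_ATTRS else value.encode()
        if not 1 <= len(payload) <= 253:
            raise ValueError(f"{name}: bad attribute length {len(payload)}")
        out += struct.pack("!BB", ATTR_TYPE[name], len(payload) + 2) + payload
    return out


def build_disconnect_request(identifier, secret, attrs):
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier & 0xFF, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def build_disconnect_response(code, request, secret, attrs=()):
    """What the NAS sends back; used here to exercise verify_response offline.

    Response Authenticator = MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret).
    """
    body = encode_attrs(list(attrs))
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    authenticator = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + authenticator + body


def verify_response(request, response, secret):
    """Return the reply code (41 ACK / 42 NAK) if it is authentic for this request, else None."""
    if len(response) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if identifier != request[1] or length != len(response):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if expected != response[4:20]:
        return None
    return code


def send_pod(nas_ip, secret, attrs, port=1700, timeout=5.0):
    """Send the Disconnect-Request over UDP and return the verified reply code (None on failure)."""
    request = build_disconnect_request(1, secret, attrs)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (nas_ip, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return verify_response(request, reply, secret)


if __name__ == "__main__":
    # Router's RADIUS source address and dynamic-author key from the config above;
    # "vpnuser" / 192.168.111.100 are an assumed active session to disconnect.
    result = send_pod("192.168.100.1", b"TESTKEY",
                      [("User-Name", "vpnuser"), ("Framed-IP-Address", "192.168.111.100")])
    names = {DISCONNECT_ACK: "Disconnect-ACK", DISCONNECT_NAK: "Disconnect-NAK", None: "no valid reply"}
    print(names.get(result, f"unexpected reply code {result}"))
```

Run it from the RADIUS host while a client is connected and watch "debug radius" and "debug aaa coa" on the router at the same time; if the router never logs the request, the problem is before the VPN code path (source address, port, or key), and if it NAKs, the session identification attributes are the place to look.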
