2008-7-6 15:59:55
Configuring Cisco IOS Easy VPN with SDM

Topology (the diagram is not preserved; interfaces and addresses are taken from the configurations below): R1 and R2 share 192.168.0.0/24 on Ethernet0/0, which carries the IPsec endpoints, and 172.16.0.0/16 on Ethernet1/0; R2 also has a loopback Lo0 with 2.2.2.2/24.

R1(config)#inter e1/0
R1(config-if)#ip add 172.16.18.1 255.255.0.0
R1(config-if)#no sh
R1(config)#inter e0/0
R1(config-if)#ip add 192.168.0.1 255.255.255.0
R1(config-if)#no sh
R1(config)#ip http server
R1(config)#ip http authentication enable
R1(config)#line vty 0 4
R1(config-line)#transport input ssh telnet
R1(config-line)#login local
R2(config)#inter e1/0
R2(config-if)#ip add 172.16.18.2 255.255.0.0
R2(config-if)#no sh
R2(config-if)#inter e0/0
R2(config-if)#ip add 192.168.0.2 255.255.255.0
R2(config-if)#no sh
R2(config)#inter lo0
R2(config-if)#ip add 2.2.2.2 255.255.255.0
R2(config)#ip http server
R2(config)#ip http authentication enable
R2(config)#line vty 0 4
R2(config-line)#transport input ssh telnet
R2(config-line)#login local
! Easy VPN server configuration generated by SDM and delivered to the router.
! The crypto map is bound to Ethernet0/0; the verification output below, taken
! on R2, shows 192.168.0.1 as its peer, so this map sits on R1.
!
! AAA lists: group authorization (pushes the pool and key attributes) and Xauth user login
aaa authorization network sdm_vpn_group_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_1 local
! Addresses handed to clients through IKE mode config
ip local pool SDM_POOL_1 2.2.2.5 2.2.2.10
! Phase 2 proposal
crypto ipsec transform-set ESP-3DES-SHA esp-sha-hmac esp-3des
 mode tunnel
 exit
! Dynamic map: clients have no fixed address, so the peer is learned at negotiation
! time; reverse-route injects a host route for each assigned client address
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
 exit
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
interface Ethernet0/0
 no crypto map
 crypto map SDM_CMAP_1
 exit
! Bind the AAA lists to the map and let the router answer mode-config address requests
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 client configuration address respond
! Client group "ezvpn": group pre-shared key (masked on the page) and its address pool
crypto isakmp client configuration group ezvpn
 key ******
 pool SDM_POOL_1
 exit
! Phase 1 policy
crypto isakmp policy 1
 authentication pre-share
 encr 3des
 hash sha
 group 2
 lifetime 86400
 exit
! Seconds the server waits for the Xauth username/password before giving up
crypto isakmp xauth timeout 15
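The SDM-generated configuration above, together with the `ip http server` and `transport input ssh telnet` lines from the R1/R2 setup, is what a reviewer would look at before trusting this VPN: SDM is driven over HTTP unless `ip http secure-server` is enabled, telnet on the vty lines carries the local credentials in cleartext, and 3DES, SHA-1 and DH group 2 were routine in 2008 but are deprecated today. The following Python script is an added example, not part of the original page or of SDM: it splits a running-config fragment into top-level commands and their indented sub-commands, flags cleartext management, weak phase 1 and ESP algorithms, crypto-map references to AAA lists that do not exist (a mistake that breaks IKE after phase 1), and reports the pool size. The config text is pasted in from the page as a constructed sample with the pre-shared key left masked; the weak-algorithm sets and finding wording are this example's own.

```python
import re
from ipaddress import ip_address

# Constructed sample for this added example: the Easy VPN server lines SDM
# delivered on this page plus the management lines from the R1/R2 setup, pasted in
# as one running-config fragment and trimmed to what the audit reads. The group
# pre-shared key stays masked, as it is on the page.
IOS_CONFIG = """\
ip http server
ip http authentication enable
line vty 0 4
 transport input ssh telnet
 login local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_1 local
ip local pool SDM_POOL_1 2.2.2.5 2.2.2.10
crypto ipsec transform-set ESP-3DES-SHA esp-sha-hmac esp-3des
 mode tunnel
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto isakmp client configuration group ezvpn
 key ******
 pool SDM_POOL_1
crypto isakmp policy 1
 authentication pre-share
 encr 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp xauth timeout 15
"""

# Algorithm sets are this example's own, reflecting current (not 2008) guidance.
WEAK_ENCR = {"des", "3des"}     # 56-bit DES; 64-bit-block 3DES (Sweet32)
WEAK_HASH = {"md5", "sha"}      # IOS "sha" means SHA-1
WEAK_DH = {"1", "2", "5"}       # 768/1024/1536-bit MODP groups


def parse_blocks(text):
    """Group IOS config into (top-level command, [indented sub-commands]) pairs."""
    blocks = []
    for line in text.splitlines():
        cmd = line.strip()
        if not cmd or cmd == "exit" or cmd.startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(cmd)
        else:
            blocks.append((cmd, []))
    return blocks


def audit_easyvpn_server(text):
    """Return a list of findings for an SDM-style IOS Easy VPN server configuration."""
    blocks = parse_blocks(text)
    top = [head for head, _ in blocks]
    findings = []

    # Management plane: SDM talks HTTP(S) to the router; telnet on the vtys is cleartext.
    if "ip http server" in top and "ip http secure-server" not in top:
        findings.append("ip http server without ip http secure-server: SDM sessions in cleartext")
    for head, body in blocks:
        if head.startswith("line vty") and any(
                s.startswith("transport input") and "telnet" in s.split() for s in body):
            findings.append(f"{head}: telnet permitted by transport input")

    # IKE phase 1: when a line is omitted IOS defaults to DES, SHA-1 and group 1.
    for head, body in blocks:
        if head.startswith("crypto isakmp policy"):
            p = dict(s.split(None, 1) for s in body)
            if p.get("encr", "des") in WEAK_ENCR:
                findings.append(f"{head}: weak encryption {p.get('encr', 'des')}")
            if p.get("hash", "sha") in WEAK_HASH:
                findings.append(f"{head}: weak hash {p.get('hash', 'sha')}")
            if p.get("group", "1") in WEAK_DH:
                findings.append(f"{head}: weak DH group {p.get('group', '1')}")

    # IKE phase 2: flag DES/3DES in the ESP transform set.
    for head in top:
        parts = head.split()
        if head.startswith("crypto ipsec transform-set") and (
                {"esp-des", "esp-3des"} & set(parts[4:])):
            findings.append(f"transform-set {parts[3]}: weak ESP cipher")

    # Crypto-map bindings must name AAA lists that exist, or IKE fails after phase 1.
    aaa_lists = {h.split()[3] for h in top if h.startswith("aaa auth")}
    for head in top:
        m = re.match(r"crypto map \S+ (isakmp authorization|client authentication) list (\S+)", head)
        if m and m.group(2) not in aaa_lists:
            findings.append(f"{m.group(1)} list {m.group(2)} is not defined")

    # Address pool size caps the number of simultaneous clients.
    for head in top:
        m = re.match(r"ip local pool (\S+) (\S+) (\S+)$", head)
        if m:
            size = int(ip_address(m.group(3))) - int(ip_address(m.group(2))) + 1
            findings.append(f"pool {m.group(1)} holds {size} addresses")
    return findings


if __name__ == "__main__":
    for finding in audit_easyvpn_server(IOS_CONFIG):
        print("-", finding)
```

Run against the page's configuration the audit reports seven findings: cleartext SDM, telnet on the vtys, the three weak phase 1 parameters, the 3DES ESP transform, and a six-address pool; deleting the `aaa authentication login` line adds a finding that the Xauth list bound to the crypto map is undefined.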

Verification on R2, which has been assigned 2.2.2.5 from SDM_POOL_1:

R2#show crypto ipsec sa

interface: Ethernet0/0
    Crypto map tag: Ethernet0/0-head-0, local addr. 192.168.0.2

   protected vrf:
   local  ident (addr/mask/prot/port): (2.2.2.5/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer: 192.168.0.1:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.0.2, remote crypto endpt.: 192.168.0.1
     path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
     current outbound spi: EF32E2FA

     inbound esp sas:
      spi: 0xBE1AC98B(3189426571)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: Ethernet0/0-head-0
        sa timing: remaining key lifetime (k/sec): (4482796/3316)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xEF32E2FA(4013089530)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: Ethernet0/0-head-0
        sa timing: remaining key lifetime (k/sec): (4482796/3315)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

 

 

R2#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption

C-id  Local           Remote          I-VRF    Encr Hash Auth DH Lifetime Cap.
3     192.168.0.2     192.168.0.1              3des sha       2  23:53:00 CX
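The two show commands above are the page's evidence that the tunnel is up, but they do not by themselves say whether the state is what an Easy VPN session should look like. The following Python script is an added example (not from the page, SDM or Cisco): it parses both outputs and cross-checks them, confirming that the ISAKMP SA to the IPsec peer carries the C (IKE config mode) and X (Xauth) capability flags an Easy VPN session must have, that inbound and outbound ESP SAs exist with distinct SPIs and anti-replay enabled, noting that every packet counter is still zero (SAs negotiated, no traffic yet), and pointing out that a remote identity of 0.0.0.0/0 means all of R2's traffic from 2.2.2.5 is tunnelled, i.e. no split tunnelling. The sample output is the page's, trimmed to the lines the parsers read and embedded as a constructed string; the ISAKMP row pattern assumes the column layout shown above (blank I-VRF and Auth columns allowed), and the finding wording is the example's own.

```python
import re
from ipaddress import ip_network

# Constructed sample for this added example: the "show crypto ipsec sa" and "show crypto
# isakmp sa detail" output captured on R2 on this page, trimmed to the lines parsed below.
IPSEC_SA_OUTPUT = """\
   local  ident (addr/mask/prot/port): (2.2.2.5/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer: 192.168.0.1:500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
     current outbound spi: EF32E2FA
     inbound esp sas:
      spi: 0xBE1AC98B(3189426571)
        transform: esp-3des esp-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (4482796/3316)
        replay detection support: Y
     outbound esp sas:
      spi: 0xEF32E2FA(4013089530)
        transform: esp-3des esp-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (4482796/3315)
        replay detection support: Y
"""
ISAKMP_SA_OUTPUT = """\
C-id  Local           Remote          I-VRF    Encr Hash Auth DH Lifetime Cap.
3     192.168.0.2     192.168.0.1              3des sha       2  23:53:00 CX
"""

# One table row; the I-VRF and Auth columns may be blank, as they are on the page (assumption).
ISAKMP_ROW = re.compile(
    r"^(\d+)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(des|3des|aes\S*)\s+(\w+)"
    r"(?:\s+(psk|rsig|renc))?\s+(\d+)\s+(\d\d):(\d\d):(\d\d)\s+(\S+)\s*$")


def parse_ipsec_sa(text):
    """Pull peer, traffic selectors, counters and ESP SAs out of 'show crypto ipsec sa'."""
    sa, direction = {"counters": {}, "esp": {}}, None
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"current_peer: (\S+):\d+", s):
            sa["peer"] = m.group(1)
        elif m := re.match(r"(local|remote)\s+ident .*: \(([\d.]+)/([\d.]+)/\d+/\d+\)", s):
            sa[m.group(1) + "_ident"] = ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
        elif m := re.match(r"current outbound spi: ([0-9A-Fa-f]+)", s):
            sa["current_outbound_spi"] = int(m.group(1), 16)
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", s):
            direction = m.group(1) if m.group(2) == "esp" else None  # only ESP is tracked
            if direction:
                sa["esp"][direction] = {}
        elif s.startswith("#pkts"):
            for name, val in re.findall(r"#pkts (\w+):? (\d+)", s):
                sa["counters"][name] = int(val)
        elif direction:
            cur = sa["esp"][direction]
            if m := re.match(r"spi: 0x([0-9A-Fa-f]+)", s):
                cur["spi"] = int(m.group(1), 16)
            elif m := re.match(r"transform: (.+)", s):
                cur["transform"] = tuple(m.group(1).rstrip(" ,").split())
            elif m := re.match(r"sa timing: .*\((\d+)/(\d+)\)", s):
                cur["remaining_kb"], cur["remaining_sec"] = int(m.group(1)), int(m.group(2))
            elif m := re.match(r"replay detection support: (\w)", s):
                cur["replay"] = m.group(1) == "Y"
    return sa


def parse_isakmp_sa(text):
    """Parse the table rows of 'show crypto isakmp sa detail' into dicts."""
    rows = []
    for line in text.splitlines():
        if m := ISAKMP_ROW.match(line):
            cid, local, remote, vrf, encr, hsh, auth, dh, hh, mm, ss, cap = m.groups()
            rows.append({"cid": int(cid), "local": local, "remote": remote, "vrf": vrf,
                         "encr": encr, "hash": hsh, "auth": auth, "dh": int(dh),
                         "lifetime_sec": int(hh) * 3600 + int(mm) * 60 + int(ss), "cap": cap})
    return rows


def check_easyvpn(ipsec_text, isakmp_text):
    """Cross-check phase 1 and phase 2 state the way an operator would after the two show commands."""
    sa, ike = parse_ipsec_sa(ipsec_text), parse_isakmp_sa(isakmp_text)
    findings = []
    peer_rows = [r for r in ike if r["remote"] == sa.get("peer")]
    if not peer_rows:
        findings.append(f"no ISAKMP SA to IPsec peer {sa.get('peer')}")
    for r in peer_rows:  # Easy VPN needs mode config (C) and Xauth (X) on the phase 1 SA
        for flag, meaning in (("C", "IKE config mode"), ("X", "Xauth")):
            if flag not in r["cap"]:
                findings.append(f"ISAKMP SA {r['cid']}: {meaning} not negotiated")
    esp = sa["esp"]
    if all("spi" in esp.get(d, {}) for d in ("inbound", "outbound")):
        if esp["inbound"]["spi"] == esp["outbound"]["spi"]:
            findings.append("inbound and outbound SPIs are identical")
        if esp["outbound"]["spi"] != sa.get("current_outbound_spi"):
            findings.append("current outbound SPI does not match the outbound ESP SA")
        for d in ("inbound", "outbound"):
            if not esp[d].get("replay"):
                findings.append(f"{d} ESP SA: anti-replay disabled")
    if sa["counters"].get("encaps", 0) == 0 and sa["counters"].get("decaps", 0) == 0:
        findings.append("SAs are up but no packets have crossed the tunnel yet")
    if sa.get("remote_ident") == ip_network("0.0.0.0/0"):
        findings.append(f"full tunnel: all traffic from {sa['local_ident']} goes to the peer")
    return findings
```

On the page's output the checker reports only two informational findings: the zero packet counters and the full-tunnel selector. Removing the X flag from the ISAKMP row produces an "Xauth not negotiated" finding, which is what a plain site-to-site IKE SA to the same peer would look like.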
