1. Configure AAA authentication
aaa new-model
aaa authentication login default local
aaa authentication login sdm_***_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_***_group_ml_1 local

username cisco privilege 15 secret 5 $ldsjflkjsldkfj/sdlfjsl/dslfkjsl

2. Configure the VPN policy
crypto isakmp policy 1
 ! Encryption algorithm
 encr 3des
 ! Authentication method (pre-shared key)
 authentication pre-share
 ! Diffie-Hellman group
 group 2

3. Configure the transform set
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

4. Configure the dynamic crypto map
crypto dynamic-map SDM_DYNMAP_1 1
 set security-association idle-time 60
 set transform-set ESP-3DES-SHA

5. SDM crypto map (CM)
crypto map SDM_CMAP_1 client authentication list sdm_***_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_***_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

6. Configure the address pool
ip local pool SDM_POOL_1 172.16.1.1 172.16.1.10

7. Configure the VPN group
crypto isakmp client configuration group test
 ! Group password
 key cisco
 ! DNS server
 dns 202.106.0.20
 ! Address pool to use
 pool SDM_POOL_1
 ! Maximum number of connections
 max-users 10
 ! Subnet mask
 netmask 255.255.255.0

8. Apply the crypto map to the physical interface
interface fa 0/0
 crypto map SDM_CMAP_1
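
Steps 2, 3 and 7 select 3DES, Diffie-Hellman group 2 and a five-character group key. The following added example (not part of the original walkthrough) is a small Python audit that flags those settings in an IOS configuration. The policy thresholds and the function names `stanzas` and `audit` are assumptions made for this illustration.

```python
# Constructed sample input: the crypto stanzas from the walkthrough, comments removed.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto isakmp client configuration group test
 key cisco
"""
# Assumed local policy (not from the page): AES only, DH group 14+, long group keys.
WEAK_CIPHERS, WEAK_DH_GROUPS = {"des", "3des"}, {"1", "2", "5"}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac"}
MIN_KEY_LEN = 16

def stanzas(config):
    """Yield (header, sub-commands) for each top-level command and its indented body."""
    header, body = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and IOS comment lines
        if not raw[0].isspace():
            if header is not None:
                yield header, body
            header, body = raw.strip(), []
        elif header is not None:
            body.append(raw.split())
    if header is not None:
        yield header, body

def audit(config):
    """Return (stanza header, finding) tuples; key material is never echoed."""
    findings = []
    for header, body in stanzas(config):
        if header.startswith("crypto isakmp policy "):
            for w in body:
                if w[0] in ("encr", "encryption") and w[1:] and w[1] in WEAK_CIPHERS:
                    findings.append((header, "weak IKE cipher " + w[1]))
                if w[0] == "group" and w[1:] and w[1] in WEAK_DH_GROUPS:
                    findings.append((header, "weak DH group " + w[1]))
        elif header.startswith("crypto ipsec transform-set "):
            findings += [(header, "weak transform " + t)
                         for t in header.split()[4:] if t in WEAK_TRANSFORMS]
        elif header.startswith("crypto isakmp client configuration group "):
            for w in body:  # only the cleartext form "key <string>" is measured
                if w[0] == "key" and len(w) == 2 and len(w[1]) < MIN_KEY_LEN:
                    findings.append((header, "group key under %d characters" % MIN_KEY_LEN))
    return findings
```

`audit(SAMPLE_CONFIG)` returns four findings, one each for the IKE cipher, the DH group, the ESP transform and the group key length.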