L2TP VPN over IPSec on Router笔记
浏览数:21 /
时间:2015年06月20日
拓扑如下:
要求:C1使用L2TP VPN加密访问Server
配置:
Gateway:
hostname Gateway interface FastEthernet0/0 ip address 10.1.1.1 255.255.255.0 ip nat inside interface FastEthernet0/1 ip address 202.100.1.1 255.255.255.0 ip nat outside ip access-list extended PAT permit ip 10.1.1.0 0.0.0.255 any ip nat inside source list PAT interface FastEthernet0/1 overload ip route 0.0.0.0 0.0.0.0 202.100.1.10 vpdn enable //启用VPDN(Virtual Private Dial-up Networks)功能 vpdn-group 1 Default L2TP VPDN group accept-dialin //服务器为接受拨入 protocol l2tp virtual-template 1 //关联到虚拟模板用于克隆产生Virtual-Access接口 l2tp security crypto-profile L2TP-CRY-PROFILE no l2tp tunnel authentication //禁用L2TP的L2L认证 username cisco password 0 cisco123 ip local pool L2TP-Pool 123.1.1.100 123.1.1.200 interface Virtual-Template1 ip unnumbered FastEthernet0/0 //unnumbered任意一个有IP地址的接口,也可以任意配置IP地址 peer default ip address pool L2TP-Pool ppp authentication ms-chap-v2 //Windows默认算法 crypto isakmp policy 10 //策略只能如下,因为Windows默认会使用如下的策略 encr 3des authentication pre-share group 2 crypto isakmp key cisco@123 address 0.0.0.0 0.0.0.0 crypto ipsec transform-set myset esp-3des esp-sha-hmac //策略只能如下,因为Windows默认会使用如下的策略 mode transport crypto map mymap 10 ipsec-isakmp profile L2TP-CRY-PROFILE set transform-set myset interface FastEthernet0/1 crypto map mymap
Server:
hostname Server no ip domain lookup interface FastEthernet0/0 ip address 10.1.1.10 255.255.255.0 no ip routing ip default-gateway 10.1.1.1 ip http server line vty 0 4 no login enable password cisco
ISP:
hostname ISP interface FastEthernet0/0 ip address 61.128.1.10 255.255.255.0 duplex auto speed auto ! interface FastEthernet0/1 ip address 202.100.1.10 255.255.255.0 duplex auto speed auto
HomeGW:
hostname HomeGW interface Ethernet0/0 ip address 61.128.1.1 255.255.255.0 ip nat outside ip virtual-reassembly full-duplex interface Ethernet0/1 ip address 192.168.1.1 255.255.255.0 ip nat inside ip virtual-reassembly half-duplex ip dhcp pool 192 network 192.168.1.0 255.255.255.0 default-router 192.168.1.1 ip dhcp excluded-address 192.168.1.1 ip route 0.0.0.0 0.0.0.0 Ethernet0/0 ip access-list standard PAT permit any ip nat inside source list PAT interface Ethernet0/0 overload
验证:
拨号成功后在客户机上查看接口信息:
查看客户端路由:
从客户端Telnet到Server:
查看ISAKMP SA:
查看IKE和SA:
查看拨号上来的用户、接口和路由:
在ISP上抓包结果:
从路由器Gateway断开l2tpVPN的方法:
首先查看一个远端用户是从哪个接口连上来的,再使用clear清楚端口:
本文出自 “银凯的博客” 博客,请务必保留此出处http://yinkai.blog.51cto.com/3813923/1579190
郑重声明:本站内容如果来自互联网及其他传播媒体,其版权均属原媒体及文章作者所有。转载目的在于传递更多信息及用于网络分享,并不代表本站赞同其观点和对其真实性负责,也不构成任何其他建议。
