L2TP OVER IPSEC(LNS地址在内网,通过公网映射).doc_第1页
L2TP OVER IPSEC(LNS地址在内网,通过公网映射).doc_第2页
L2TP OVER IPSEC(LNS地址在内网,通过公网映射).doc_第3页
L2TP OVER IPSEC(LNS地址在内网,通过公网映射).doc_第4页
L2TP OVER IPSEC(LNS地址在内网,通过公网映射).doc_第5页
已阅读5页,还剩8页未读 继续免费阅读

下载本文档

版权说明:本文档由用户提供并上传,收益归属内容提供方,若内容存在侵权,请进行举报或认领

文档简介

L2TP OVER IPSEC(LNS地址在内网,通过公网映射)组网LAC公网地址为63,LNS在用户内网地址为0,通过映射为公网地址03。用户需求:PC用户通过PPPOE拨号到LAC出发L2TP隧道建立,同时要求做IPSEC加密。配置:LAC:dis cu# version 5.20, Release 2512P04# sysname lac# l2tp enable# domain default enable system# ipv6# telnet server enable# port-security enable# password-recovery enable#acl number 3500 rule 5 permit ip source 63 0 destination 0 0 rule 10 permit ip source 0 0 destination 63 0#vlan 1#Ddomain authentication ppp local access-limit disable state active idle-cut disable self-service-url disabledomain system access-limit disable state active idle-cut disable self-service-url disable#ike peer lac exchange-mode aggressive pre-shared-key cipher $c$3$1x8s/6RGe2wayz2b/ilLMlHyJ86Kag= id-type name remote-name lns remote-address 03 local-address 63 local-name lac nat traversal#ipsec transform-set lacencapsulation-mode tunnel transform esp esp authentication-algorithm sha1 esp encryption-algorithm 3des#ipsec policy lac 1 isakmp security acl 3500 ike-peer lac transform-set lac#user-group system group-attribute allow-guest#local-user admin password cipher $c$3$EiAlBrd/gVGFvSMRAmLoJwgze3wHlYa1BQ= authorization-attribute level 3 service-type telnet service-type weblocal-user test password cipher $c$3$SQ3SM2FRQoXeMijjRitI72ToSwbJ9f09xw= service-type ppp#l2tp-group 1 tunnel password cipher $c$3$TVsHV3HQRBs5eubLlDPrKCp8o8kwnA= tunnel name lac start l2tp ip 0 domain #interface Aux0 async mode flow link-protocol ppp#interface Cellular0/0 async mode protocol link-protocol ppp#interface Virtual-Template1 ppp authentication-mode pap chap domain #interface NULL0#interface Vlan-interface1 pppoe-server bind Virtual-Template 1 ip address #interface GigabitEthernet0/0 port link-mode route ip address 63 48 ipsec policy lac#interface GigabitEthernet0/1 port link-mode bridge#interface GigabitEthernet0/2 port link-mode bridge#interface GigabitEthernet0/3 port link-mode bridge#interface GigabitEthernet0/4 port link-mode bridge# ip route-static 61 ip route-static 03# dialer-rule 1 ip permit# load xml-configuration# load tr069-configuration#user-interface tty 12user-interface aux 0user-interface vty 0 4 authentication-mode scheme#returnLNS:# version 7.1.049, Release 0202# sysname lns# telnet server enable# ip pool 1 54 # password-recovery enable#vlan 1#interface Virtual-Template1 ppp authentication-mode pap chap remote address pool 1 ip address 54 #interface NULL0#interface LoopBack0 ip address 0 55# interface GigabitEthernet1/0#interface GigabitEthernet1/0.1498 description to-12/32 ip address 0 28 vlan-type dot1q vid 1498#interface GigabitEthernet2/0#interface GigabitEthernet2/0.1499 description to-11/32 ip address 0 28 vlan-type dot1q vid 1499 ipsec apply policy lns# scheduler logfile size 16#line class aux user-role network-operator#line class console user-role network-admin# line class vty user-role network-operator#line aux 0 user-role network-operator#line con 0 user-role network-admin#line vty 0 63 authentication-mode scheme user-role network-operator# ip route-static 0 ip route-static 08 28 ip route-static 08 28 #domain authentication ppp local authorization ppp local accounting ppp local#domain system# aaa session-limit ftp 32 aaa session-limit telnet 32 aaa session-limit http 32 aaa session-limit ssh 32 aaa session-limit https 32 domain default enable system#role name level-0 description Predefined level-0 role#role name level-1 description Predefined level-1 role#role name level-2 description Predefined level-2 role#role name level-3 description Predefined level-3 role#role name level-4 description Predefined level-4 role# role name level-5 description Predefined level-5 role#role name level-6 description Predefined level-6 role#role name level-7 description Predefined level-7 role#role name level-8 description Predefined level-8 role#role name level-9 description Predefined level-9 role#role name level-10 description Predefined level-10 role#role name level-11 description Predefined level-11 role#role name level-12 description Predefined level-12 role#role name level-13 description Predefined level-13 role#role name level-14 description Predefined level-14 role#user-group system#local-user admin class manage password hash $h$6$rhjYlaMxTE8Yrgy/$pL4ngHJErR5IS6mIM2TVTpxVJoXAz3Z7twS5WUoHnTBAVcnQ6zRTt3l/IV25NzoxYG4+xduBzNhiM+NovY5gUQ= service-type telnet authorization-attribute user-role network-admin authorization-attribute user-role network-operator#local-user test class manage password hash $h$6$aeSFBsuE4NLmKV/p$Bmfz5WpYqTIdkrJhRl8v9xOkz2sxaxZ4Y0ZtkKglmyw3gvtamdEAxf0CItYelhqBRz/xZmmQF5DcZ3Y15oa5YA= service-type ftp service-type telnet authorization-attribute user-role network-operator#local-user test class network password cipher $c$3$dxUAzslPK2voJ3xxO+kdUpqKQK52oAsuNQ= service-type ppp authorization-attribute user-role network-operator#ipsec transform-set lns esp encryption-algorithm 3des-cbc esp authentication-algorithm sha1 #ipsec policy-template lns 1 transform-set lns ike-profile lns#ipsec policy lns 1 isakmp template lns#l2tp-group 1 mode lns allow l2tp virtual-template 1 remote lac tunnel name lns tunnel password cipher $c$3$TbJ0N3WspYQUVRSjjmPBxkFjo3Xhyg=# l2tp enable# ike identity fqdn lns#ike profile lns keychain lac exchange-mode aggressive local-identity fqdn lns match remote identity fqdn lac match local address GigabitEthernet2/0.1499#ike keychain lac pre-shared-key hostname lac key cipher $c$3$QGKCezjZ+NqQIHxyMuZsfR/weMCQAw=#return一:概述首先,先将这两个概念理顺一下。IPSEC OVER GRE即IPSEC在里,GRE在外。首先先把需要加密的数据包封装成IPSEC包,然后在扔到GRE隧道里发到对端设备。做法是把IPSEC的加密策略作用在Tunnel口上,即在Tunnel口上监听匹配符合访问控制列表的数据流,来确认数据是否需要加密,需要则先加密封装为IPSEC包,然后封装成GRE包进入隧道;反之未在访问控制列表中的数据流将以未加密的状态直接走GRE隧道,这样就会存在有些数据处于不安全的传递状态。 而GRE OVER IPSEC 则是GRE在里,IPSEC在外,即先将数据封装成GRE包,然后在封装成IPSEC包后发到对端设备。做法是把IPSEC的加密测试作用在物理端口上,然后根据访问控制列表监控匹配是否有需要加密的GRE数据流,有则将GRE数据流加密封装成IPSEC包再进行传递,这样可以保证所有数据包都会被机密,包括隧道建立和路由的创建和传递。二:IPSEC OVER GRE 与GRE OVER IPSEC的配置思路介绍首先先介绍一下配置思路,有两种配置的区别在于ipsec over gre 是将ipsec加密封装应用在tunnel口上,使用acl匹配需要加密数据流来实现。而gre over ipsec是将ipsec加密封装应用在物理接口上,用acl来匹配需要加密的tunnel隧道。从这个来讲,后者会安全一点,ipsec会将所有数据包括隧道报文都进行加密。因此我将配置过程分成三步,这样比较不会乱。第一步先配置公网ip及路由,让两端设备的公网ip先能互相ping通;第二步在配置GRE隧道,然后测试GRE隧道是否建立正常;第三步再创建ipsec加密并引用。拓扑图如下:A:GRE over IPSEC R2:作为互联网,保证路由可达即可 Int s0/2/0 Ip ad 24 Int s0/2/1 24 Int 0/2/2 Ip ad 24 R1: 第一步先配置公网接口 | R3:第一步配置公网接口 int s0/2/0 | int s0/2/0 Ip ad 24 | ip ad 24 Ip rou | ip rou 第二步配置GRE | 配置GRE Int tunnel 0 | int tunnel 0 Ip ad 24 | ip ad 24 Source | source Destination | destination Ip rou 0 tunnel0 | ip rou 0 tunnel0 第三步配置IPSEC 第三步配置IPSEC IKE配置 Ike peer r1-r3 ike peer r3-r1 Pre-shared-key 12345 pre-shared-key 12345 Remote-address remote-address Ipsec类型 Ipsec proposal r1-r3 ipsec proposal r3-r1 Encapsulation tunnel/transport Encapsulation tunnel/transport Transform esp Transform esp Esp authentication-algorithm sha1 Esp authentication-algorithm sha1 Esp encryption-algorithm 3des Esp encryption-algorithm 3des ACL匹配策略 Acl number 3013 acl number 3013 Rule 5 permit ip source 0 rule 5 permit ip source 0 Destination 0 destination 0 Ipsec 策略 Ipsec policy r13 1 isakmp ipsec policy r31 1 isakmp Security acl 3013 security acl 3031 Ike-peer r1-r3 ike-peer r3-r1 Proposal r1-r3 proposal r3-r1 应用到接口 Int s0/2/0 int s0/2/0 Ipsec policy r13 ipsec policy r31 B:IPSEC over GRE R2:作为互联网,保证路由可达即可 Int s0/2/0 Ip ad 24 Int s0/2/1 24 Int 0/2/2 Ip ad 24 R1: 第一步先配置公网接口 | R3:第一步配置公网接口 int s0/2/0 | int s0/2/0 Ip ad 24 | ip ad 24 Ip rou | ip rou 第二步配置GRE | 配置GRE Int tunnel 0 | int tunnel 0 Ip ad 24 | ip ad 24 Source | source Destination | destination Ip rou 0 tunnel0 | ip rou 0 tunnel0 第三步配置IPSEC 第三步配置IPSEC IKE配置 Ike peer r1-r3 ike peer r3-r1 Pre-shared-key 12345 pre-shared-key 12345 Remote-address remote-address Ipsec类型 Ipsec proposal r1-r3 ipsec proposal r3-r1 Encapsulation tunnel Encapsulation tunnel Transform esp Transform esp Esp authentication-algorithm sha1 Esp authentication-algorithm sha1 Esp encryption-algorithm 3des Esp encryption-algorithm 3des ACL匹配策略 Acl number 3013 acl number 3013 Rule 5 permit ip source 0 rule 5 permit ip source 0 Destination 0 destination 0 Ipsec 策略 Ipsec policy r13 1 isakmp ipsec policy r31 1 isakmp Security acl 3013 security acl 3031 Ike-peer r1-r3 ike-peer r3-r1 Proposal r1-r3 proposal r3-r1 应用到TUNNEL口 Int tunnel 0 int tunnle 0 Ipsec policy r13 ipsec policy r31三:ipsec over gre 与gre over ipsec 报文路由转发和封装过程 首先是gre over ipsec的路由转发过程:R1路由表:dis ip rouRouting Tables: Public Destinations : 13 Routes : 13Destination/Mask Proto Pre Cost NextHop Interface/0 Static 60 0 S0/2/0/24 Direct 0 0 S0/2/0/32 Direct 0 0 InLoop0/32 Direct 0 0 S0/2/0/8 Direct 0 0 InLoop0/32 Direct 0 0 InLoop0/32 Direct 0 0 InLoop0/32 Static 60 0 Tun0/32 Static 60 0 Tun1/24 Direct 0 0
人人文库> 全部分类> 教育资料 > 课件下载

温馨提示

  • 1. 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。图纸软件为CAD,CAXA,PROE,UG,SolidWorks等.压缩文件请下载最新的WinRAR软件解压。
  • 2. 本站的文档不包含任何第三方提供的附件图纸等,如果需要附件,请联系上传者。文件的所有权益归上传用户所有。
  • 3. 本站RAR压缩包中若带图纸,网页内容里面会有图纸预览,若没有图纸预览就没有图纸。
  • 4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
  • 5. 人人文库网仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对用户上传分享的文档内容本身不做任何修改或编辑,并不能对任何下载内容负责。
  • 6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
  • 7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

最新文档

评论

0/150

提交评论