用CISCO路由器實(shí)現(xiàn)L2TPVPDN

1、術(shù)語：l2tp ：第二層隧道協(xié)議 layer 2 tunneling protocol l2tp ：訪問集中器l2tp access concentrator l2tp ：網(wǎng)絡(luò)服務(wù)器l2tp network server nas：網(wǎng)絡(luò)訪問服務(wù)器network access server 二層隧道協(xié)議l2tp 是一種基于點(diǎn)對點(diǎn)協(xié)議 ppp 的二層隧道協(xié)議。在由l2tp 構(gòu)建的vpn 中，有兩種類型的服務(wù)器，一種是l2tp 訪問集中器lac，它是附屬在網(wǎng)絡(luò)上的具有ppp 端系統(tǒng)和l2tp 協(xié)議 處理能力的設(shè)備，lac 一般就是一個網(wǎng)絡(luò)接入服務(wù)器，用于為用戶提供網(wǎng)絡(luò)接入服務(wù)；另一種是l2tp 網(wǎng)絡(luò)服

2、務(wù)器lns，一般就是路由 器，是ppp 端系統(tǒng)上用于處理l2tp 協(xié)議服務(wù)器端部分的設(shè)備。在lns 和lac 之間存在著兩種類型的連接，一種是隧道（tunnel ）連接，它定義了一個lns 和lac 對；另一種是會話（session ）連接，它復(fù)用在隧道連接之上，用于表示承載在隧道連接中的每個ppp 會話過程。l2tp 連接的維護(hù)以及ppp 數(shù)據(jù)的傳送都是通過l2tp 消息的交換來完成的，l2tp 消息可以分為兩種類型，一種是控制消息，另一種是數(shù)據(jù)消息。控制消息用于隧道連接和會話連接的建立與維護(hù)，數(shù)據(jù)消息用于承載用戶的ppp 會話數(shù)據(jù)包。這些消息都通過udp 的1701 端口承載于tcp/ip

3、 之上。l2tp 訪問集中器（lac）作為l2tp 隧道的一個端點(diǎn)，是l2tp 網(wǎng)絡(luò)服務(wù)器（lns ）的對端。lac 放在lns 和遠(yuǎn)端系統(tǒng)之間，并在兩者之間傳送數(shù)據(jù)包。從lac 向lns 發(fā)送數(shù)據(jù)包需要l2tp 隧道。lac 與遠(yuǎn)端系統(tǒng)的連接是通過本地或ppp 鏈路。lns 是l2tp 隧道的一個端點(diǎn)，是lac 的對端。lns 是lac 從遠(yuǎn)端系統(tǒng)傳輸?shù)膒pp 會話的邏輯終結(jié)點(diǎn)。nas 為遠(yuǎn)程訪問網(wǎng)絡(luò)上的用戶提供本地網(wǎng)絡(luò)訪問，如pstn 網(wǎng)絡(luò)。nas 通?？勺鳛閘ac 。l2tp 只要求隧道媒介提供面向數(shù)據(jù)包的點(diǎn)對點(diǎn)的連接。l2tp 可以在ip（使用udp），楨中繼永久虛擬電路（pvcs),

4、x.25 虛擬電路（vcs）或atm vcs 網(wǎng)絡(luò)上使用。 lns 路由 器配置：building configuration. current configuration: ! version 12.1 service timestamps debug uptime service timestamps log uptime service password-encryption ! /配置主機(jī)名hostname vpdn ! /配置aaa /aaa 訪問控制aaa new-model aaa authentication login default local group radius /

5、用戶登錄的認(rèn)證順序?yàn)橄仍诮尤敕?wù)器本機(jī)認(rèn)證，如未找到該用戶，則通過radius 服務(wù)器認(rèn)證，仍未通過，則認(rèn)證失敗。aaa authentication login radius enable aaa authentication ppp default local group radius /ppp 連接的認(rèn)證方式，過程同上。用戶登錄的認(rèn)證順序?yàn)橄仍诮尤敕?wù)器本機(jī)認(rèn)證，如未找到該用戶，則通過radius 服務(wù)器認(rèn)證，仍未通過，則認(rèn)證失敗。aaa authorization network default group radius local /所有認(rèn)證通過的用戶都有訪問網(wǎng)絡(luò)的權(quán)限。aaa ac

6、counting network default start-stop group radius /網(wǎng)絡(luò)訪問的記賬方式為在radius 服務(wù)器上記錄網(wǎng)絡(luò)訪問的開始和結(jié)束時間。aaa nas port extended enable password 7 ! /設(shè)置本地認(rèn)證用戶名和密碼username cisco password 7 cisco username testtest.l2tp.vpdn password 7 test ! memory-size iomem 25 ip subnet-zero no ip finger no ip domain-lookup ! /指定地址池的工作

7、方式ip address-pool dhcp-proxy-client | local ip address-pool local virtual-profile virtual-template 1 /配置vpdn 功能/打開vpdn 功能vpdn enable no vpdn logging ! /建立一個vpdn-group vpdn-group 1 ! default l2tp vpdn group accept-dialin /使用的vpdn 協(xié)議為l2tp protocol l2tpvirtual-template 1 lcp renegotiation on-mismatch /

8、l2tp tunnel 的密碼設(shè)置，需雙方約定l2tp tunnel password 7 001c0710145f05 ! /配置virtual-template1 interface virtual-template1 /根據(jù)具體可選設(shè)置ip 地址與serial0.1 相同，即配置借用地址ip unnumbered serial0.1 ip mroute-cache /設(shè)置用戶的ip 地址從地址池中分配/peer default ip address ip-address | dhcp | pool pool-name peer default ip address pool defaul

9、t /設(shè)置認(rèn)證方式ppp authentication pap ! interface serial0 no ip address encapsulation frame-relay ietf no fair-queue frame-relay lmi-type ansi ! interface serial0.1 point-to-point ip address 93 52 no arp frame-relay frame-relay interface-dlci 100 ! interface fastethernet0 ip addres

10、s speed auto ! /設(shè)置用戶的ip 地址池/ local pool default | pool-name low-ip-address high-ip-addressip local pool default 54 ip classless ip route serial0.1 no ip http server ! /設(shè)置認(rèn)證服務(wù)器地址、端口、關(guān)鍵字和重傳次數(shù)radius-server host 97 auth-port 1645 acct-port

11、 1646 key vpdn radius-server retransmit 3 ! line con 0 transport input none line aux 0 line vty 0 4 password 7 cisco ! endacknowledgements my deepest gratitude goes first and foremost to professor aaa , my supervisor, for her constant encouragement and guidance. she has walked me through all the sta

12、ges of the writing of this thesis. without her consistent and illuminating instruction, this thesis could not havereached its present form. second, i would like to express my heartfelt gratitude to professor aaa, who led me into the world of translation. i am also greatly indebted to the professors

13、and teachers at the department of english: professor dddd, professor ssss, who have instructed and helped me a lot in the past two years. last my thanks would go to my beloved family for their loving considerations and great confidence in me all through these years. i also owe my sincere gratitude t

14、o my friends and my fellow classmates who gave me their help and time in listening to me and helping me work out my problems during the difficult course of the thesis. my deepest gratitude goes first and foremost to professor aaa , my supervisor, for her constant encouragement and guidance. she has

15、walked me through all the stages of the writing of this thesis. without her consistent and illuminating instruction, this thesis could not havereached its present form. second, i would like to express my heartfelt gratitude to professor aaa, who led me into the world of translation. i am also greatly indebted to the professors and teachers at the department of english: professor dddd, professor ssss, who have instructed and helped me a lot in the past two years. last my thanks would go to my beloved family for their loving considerations and