L2TP-OVER-IPSEC(LNS地址在內(nèi)網(wǎng)-通過公網(wǎng)映射)

1、L2TP OVER IPSEC(LNS地址在內(nèi)網(wǎng)，通過公網(wǎng)映射)組網(wǎng)LAC公網(wǎng)地址為63，LNS在用戶內(nèi)網(wǎng)地址為0，通過映射為公網(wǎng)地址03。用戶需求：PC用戶通過PPPOE撥號到LAC出發(fā)L2TP隧道建立，同時要求做IPSEC加密。配置：LAC：<lac>dis cu# version 5.20, Release 2512P04# sysname lac# l2tp enable# domain default enable system# ipv6# telnet server enable# port-s

2、ecurity enable# password-recovery enable#acl number 3500 rule 5 permit ip source 63 0 destination 0 0 rule 10 permit ip source 0 0 destination 63 0#推薦精選vlan 1#Ddomain authentication ppp local access-limit disable state active idle-cut disable self-se

3、rvice-url disabledomain system access-limit disable state active idle-cut disable self-service-url disable#ike peer lac exchange-mode aggressive pre-shared-key cipher $c$3$1x8s/6RGe2wayz2b/ilLMlHyJ86Kag= id-type name remote-name lns remote-address 03 local-address 63 local-n

4、ame lac nat traversal#ipsec transform-set lacencapsulation-mode tunnel transform esp esp authentication-algorithm sha1 esp encryption-algorithm 3des#ipsec policy lac 1 isakmp security acl 3500 ike-peer lac transform-set lac#user-group system group-attribute allow-guest#local-user admin password ciph

5、er $c$3$EiAlBrd/gVGFvSMRAmLoJwgze3wHlYa1BQ= authorization-attribute level 3 service-type telnet service-type weblocal-user test推薦精選 password cipher $c$3$SQ3SM2FRQoXeMijjRitI72ToSwbJ9f09xw= service-type ppp#l2tp-group 1 tunnel password cipher $c$3$TVsHV3HQRBs5eubLlDPrKCp8o8kwnA= tunnel name lac start

6、 l2tp ip 0 domain #interface Aux0 async mode flow link-protocol ppp#interface Cellular0/0 async mode protocol link-protocol ppp#interface Virtual-Template1 ppp authentication-mode pap chap domain #interface NULL0#interface Vlan-interface1 pppoe-server bind Virtual-Template 1 ip address 1

7、 #interface GigabitEthernet0/0 port link-mode route ip address 63 48 ipsec policy lac#interface GigabitEthernet0/1 port link-mode bridge#interface GigabitEthernet0/2 port link-mode bridge#interface GigabitEthernet0/3 port link-mode bridge#interface Gi

8、gabitEthernet0/4 port link-mode bridge# ip route-static 61 ip route-static 03推薦精選# dialer-rule 1 ip permit# load xml-configuration# load tr069-configuration#user-interface tty 12user-interface aux 0user-interface vty 0 4 authentication-mode sc

9、heme#returnLNS：# version 7.1.049, Release 0202# sysname lns# telnet server enable# ip pool 1 54 # password-recovery enable#vlan 1#interface Virtual-Template1 ppp authentication-mode pap chap remote address pool 1 ip address 54 #interface NULL0#int

10、erface LoopBack0 ip address 0 55# interface GigabitEthernet1/0#interface GigabitEthernet1/0.1498 description to-12/32推薦精選 ip address 0 28 vlan-type dot1q vid 1498#interface GigabitEthernet2/0#interface GigabitEthernet2/0.1499 description to-11/32 ip ad

11、dress 0 28 vlan-type dot1q vid 1499 ipsec apply policy lns# scheduler logfile size 16#line class aux user-role network-operator#line class console user-role network-admin# line class vty user-role network-operator#line aux 0 user-role network-operator#line con 0 user-role ne

12、twork-admin#line vty 0 63 authentication-mode scheme user-role network-operator# ip route-static 0 ip route-static 08 28 ip route-static 08 28 #domain authentication ppp local authorization ppp local accounting ppp local#domain sy

13、stem# aaa session-limit ftp 32推薦精選 aaa session-limit telnet 32 aaa session-limit http 32 aaa session-limit ssh 32 aaa session-limit https 32 domain default enable system#role name level-0 description Predefined level-0 role#role name level-1 description Predefined level-1 role#role name level-2 desc

14、ription Predefined level-2 role#role name level-3 description Predefined level-3 role#role name level-4 description Predefined level-4 role# role name level-5 description Predefined level-5 role#role name level-6 description Predefined level-6 role#role name level-7 description Predefined level-7 ro

15、le#role name level-8 description Predefined level-8 role#role name level-9 description Predefined level-9 role#role name level-10 description Predefined level-10 role#role name level-11 description Predefined level-11 role#role name level-12 description Predefined level-12 role推薦精選#role name level-1

16、3 description Predefined level-13 role#role name level-14 description Predefined level-14 role#user-group system#local-user admin class manage password hash $h$6$rhjYlaMxTE8Yrgy/$pL4ngHJErR5IS6mIM2TVTpxVJoXAz3Z7twS5WUoHnTBAVcnQ6zRTt3l/IV25NzoxYG4+xduBzNhiM+NovY5gUQ= service-type telnet authorization

17、-attribute user-role network-admin authorization-attribute user-role network-operator#local-user test class manage password hash $h$6$aeSFBsuE4NLmKV/p$Bmfz5WpYqTIdkrJhRl8v9xOkz2sxaxZ4Y0ZtkKglmyw3gvtamdEAxf0CItYelhqBRz/xZmmQF5DcZ3Y15oa5YA= service-type ftp service-type telnet authorization-attribute

18、user-role network-operator#local-user test class network password cipher $c$3$dxUAzslPK2voJ3xxO+kdUpqKQK52oAsuNQ= service-type ppp authorization-attribute user-role network-operator#ipsec transform-set lns esp encryption-algorithm 3des-cbc esp authentication-algorithm sha1 #ipsec policy-template lns

19、 1 transform-set lns ike-profile lns#ipsec policy lns 1 isakmp template lns#l2tp-group 1 mode lns allow l2tp virtual-template 1 remote lac tunnel name lns tunnel password cipher $c$3$TbJ0N3WspYQUVRSjjmPBxkFjo3Xhyg=推薦精選# l2tp enable# ike identity fqdn lns#ike profile lns keychain lac exchange-mode ag

20、gressive local-identity fqdn lns match remote identity fqdn lac match local address GigabitEthernet2/0.1499#ike keychain lac pre-shared-key hostname lac key cipher $c$3$QGKCezjZ+NqQIHxyMuZsfR/weMCQAw=#return推薦精選一：概述首先，先將這兩個概念理順一下。IPSEC OVER GRE即IPSEC在里，GRE在外。首先先把需要加密的數(shù)據(jù)包封裝成IPSEC包，然后在扔到GRE隧道里發(fā)到對端設(shè)備。做

21、法是把IPSEC的加密策略作用在Tunnel口上，即在Tunnel口上監(jiān)聽匹配符合訪問控制列表的數(shù)據(jù)流，來確認(rèn)數(shù)據(jù)是否需要加密，需要則先加密封裝為IPSEC包，然后封裝成GRE包進(jìn)入隧道；反之未在訪問控制列表中的數(shù)據(jù)流將以未加密的狀態(tài)直接走GRE隧道，這樣就會存在有些數(shù)據(jù)處于不安全的傳遞狀態(tài)。 而GRE OVER IPSEC 則是GRE在里，IPSEC在外，即先將數(shù)據(jù)封裝成GRE包，然后在封裝成IPSEC包后發(fā)到對端設(shè)備。做法是把IPSEC的加密測試作用在物理端口上，然后根據(jù)訪問控制列表監(jiān)控匹配是否有需要加密的GRE數(shù)據(jù)流，有則將GRE數(shù)據(jù)流加密封裝成IPSEC包再進(jìn)行傳遞，這樣可以保證所有數(shù)

22、據(jù)包都會被機(jī)密，包括隧道建立和路由的創(chuàng)建和傳遞。二：IPSEC OVER GRE 與GRE OVER IPSEC的配置思路介紹首先先介紹一下配置思路，有兩種配置的區(qū)別在于ipsec over gre 是將ipsec加密封裝應(yīng)用在tunnel口上，使用acl匹配需要加密數(shù)據(jù)流來實(shí)現(xiàn)。而gre over ipsec是將ipsec加密封裝應(yīng)用在物理接口上，用acl來匹配需要加密的tunnel隧道。從這個來講，后者會安全一點(diǎn)，ipsec會將所有數(shù)據(jù)包括隧道報文都進(jìn)行加密。因此我將配置過程分成三步，這樣比較不會亂。第一步先配置公網(wǎng)ip及路由，讓兩端設(shè)備的公網(wǎng)ip先能互相ping通；第二步在配置GRE隧道

23、，然后測試GRE隧道是否建立正常；第三步再創(chuàng)建ipsec加密并引用。拓?fù)鋱D如下：推薦精選A：GRE over IPSEC R2：作為互聯(lián)網(wǎng)，保證路由可達(dá)即可 Int s0/2/0 Ip ad 24 Int s0/2/1 24 Int 0/2/2 Ip ad 24 R1： 第一步先配置公網(wǎng)接口 | R3:第一步配置公網(wǎng)接口 int s0/2/0 | int s0/2/0 Ip ad 24 | ip ad 24 Ip rou | ip rou

24、 第二步配置GRE | 配置GRE Int tunnel 0 | int tunnel 0 Ip ad 24 | ip ad 24 Source | source Destination | destination Ip rou 0 tunnel0 | ip rou 0 tunnel0 第三步配置IPSEC 第三步配置IPSEC IKE配置 Ike peer r1-r3 ike peer r3

25、-r1 Pre-shared-key 12345 pre-shared-key 12345 Remote-address remote-address Ipsec類型 Ipsec proposal r1-r3 ipsec proposal r3-r1推薦精選 Encapsulation tunnel/transport Encapsulation tunnel/transport Transform esp Transform esp Esp authentication-algorithm sha1 Esp authentication-algorithm

26、 sha1 Esp encryption-algorithm 3des Esp encryption-algorithm 3des ACL匹配策略 Acl number 3013 acl number 3013 Rule 5 permit ip source 0 rule 5 permit ip source 0 Destination 0 destination 0 Ipsec 策略 Ipsec policy r13 1 isakmp ipsec policy r31 1 isakmp Security acl 3013

27、 security acl 3031 Ike-peer r1-r3 ike-peer r3-r1 Proposal r1-r3 proposal r3-r1 應(yīng)用到接口 Int s0/2/0 int s0/2/0 Ipsec policy r13 ipsec policy r31 B：IPSEC over GRE R2：作為互聯(lián)網(wǎng)，保證路由可達(dá)即可 Int s0/2/0 Ip ad 24 Int s0/2/1 24 Int 0/2/2 Ip ad 24 R1： 第一步先配置公網(wǎng)接口 | R3:第一步配置公網(wǎng)接口 int s0/2/0 | i

28、nt s0/2/0 Ip ad 24 | ip ad 24 Ip rou | ip rou 第二步配置GRE | 配置GRE Int tunnel 0 | int tunnel 0 Ip ad 24 | ip ad 24 Source | source Destination | destination Ip rou 192.168.3.

29、1 0 tunnel0 | ip rou 0 tunnel0 第三步配置IPSEC 第三步配置IPSEC IKE配置 Ike peer r1-r3 ike peer r3-r1 推薦精選 Pre-shared-key 12345 pre-shared-key 12345 Remote-address remote-address Ipsec類型 Ipsec proposal r1-r3 ipsec proposal r3-r1 Encapsulation tunnel Encapsulation tunnel Tran

30、sform esp Transform esp Esp authentication-algorithm sha1 Esp authentication-algorithm sha1 Esp encryption-algorithm 3des Esp encryption-algorithm 3des ACL匹配策略 Acl number 3013 acl number 3013 Rule 5 permit ip source 0 rule 5 permit ip source 0 Destination 0 destin

31、ation 0 Ipsec 策略 Ipsec policy r13 1 isakmp ipsec policy r31 1 isakmp Security acl 3013 security acl 3031 Ike-peer r1-r3 ike-peer r3-r1 Proposal r1-r3 proposal r3-r1 應(yīng)用到TUNNEL口 Int tunnel 0 int tunnle 0 Ipsec policy r13 ipsec policy r31三：ipsec over gre 與gre over ipsec 報文路由轉(zhuǎn)發(fā)和封裝過程 首先是gre o

32、ver ipsec的路由轉(zhuǎn)發(fā)過程：R1路由表：<H3C>dis ip rouRouting Tables: Public Destinations : 13 Routes : 13Destination/Mask Proto Pre Cost NextHop Interface/0 Static 60 0 S0/2/0/24 Direct 0 0 S0/2/0/32 Direct 0 0 InLoop0/32 Direct 0 0 S0/2/012

33、/8 Direct 0 0 InLoop0/32 Direct 0 0 InLoop0/32 Direct 0 0 InLoop0/32 Static 60 0 Tun0/32 Static 60 0 Tun1推薦精選/24 Direct 0 0 Tun0/32 Direct 0 0 InLoop0192.168.11