LTP OVER IPSECLNS地址在內(nèi)網(wǎng)通過公網(wǎng)映射

1、L2TP OVER IPSEC(LNS地址在內(nèi)網(wǎng)，通過公網(wǎng)映射)組網(wǎng)LAC公網(wǎng)地址為63，LNS在用戶內(nèi)網(wǎng)地址為0，通過映射為公網(wǎng)地址03。用戶需求：PC用戶通過PPPOE撥號(hào)到LAC出發(fā)L2TP隧道建立，同時(shí)要求做IPSEC加密。配置：LAC：<lac>dis cu# version 5.20, Release 2512P04# sysname lac# l2tp enable# domain default enable system# ipv6# telnet server enable# port-s

2、ecurity enable# password-recovery enable#acl number 3500 rule 5 permit ip source 63 0 destination 0 0 rule 10 permit ip source 0 0 destination 63 0#vlan 1#Ddomain authentication ppp local access-limit disable state active idle-cut disable self-servic

3、e-url disabledomain system access-limit disable state active idle-cut disable self-service-url disable#ike peer lac exchange-mode aggressive pre-shared-key cipher $c$3$1x8s/6RGe2wayz2b/ilLMlHyJ86Kag= id-type name remote-name lns local-name lac nat traversal#ipsec transform-set lacencapsulation-mode

4、tunnel transform esp esp authentication-algorithm sha1 esp encryption-algorithm 3des#ipsec policy lac 1 isakmp security acl 3500 ike-peer lac transform-set lac#user-group system group-attribute allow-guest#local-user admin password cipher $c$3$EiAlBrd/gVGFvSMRAmLoJwgze3wHlYa1BQ= authorization-attrib

5、ute level 3 service-type telnet service-type weblocal-user test password cipher $c$3$SQ3SM2FRQoXeMijjRitI72ToSwbJ9f09xw= service-type ppp#l2tp-group 1 tunnel password cipher $c$3$TVsHV3HQRBs5eubLlDPrKCp8o8kwnA= tunnel name lac start l2tp ip 0 domain #interface Aux0 async mode flow link-p

6、rotocol ppp#interface Cellular0/0 async mode protocol link-protocol ppp#interface Virtual-Template1 ppp authentication-mode pap chap domain #interface NULL0#interface Vlan-interface1 pppoe-server bind Virtual-Template 1#interface GigabitEthernet0/0 port link-mode route ipsec policy lac#interface Gig

7、abitEthernet0/1 port link-mode bridge#interface GigabitEthernet0/2 port link-mode bridge#interface GigabitEthernet0/3 port link-mode bridge#interface GigabitEthernet0/4 port link-mode bridge# ip route-static # dialer-rule 1 ip permit# load xml-configuration# load tr069-configuration#

8、user-interface tty 12user-interface aux 0user-interface vty 0 4 authentication-mode scheme#returnLNS：# version 7.1.049, Release 0202# sysname lns# telnet server enable# ip pool 1 54 # password-recovery enable#vlan 1#interface Virtual-Template1 ppp authentication-mode pap c

9、hap remote address pool 1 ip address #interface NULL0#interface LoopBack0# interface GigabitEthernet1/0#interface GigabitEthernet1/0.1498 description to-12/32 vlan-type dot1q vid 1498#interface GigabitEthernet2/0#interface GigabitEthernet2/0.1499 description to-11/32 vlan-type dot1q vid 1499 ipsec a

10、pply policy lns# scheduler logfile size 16#line class aux user-role network-operator#line class console user-role network-admin# line class vty user-role network-operator#line aux 0 user-role network-operator#line con 0 user-role network-admin#line vty 0 63 authentication-mode scheme user-role netwo

11、rk-operator#domain authentication ppp local authorization ppp local accounting ppp local#domain system# aaa session-limit ftp 32 aaa session-limit telnet 32 aaa session-limit http 32 aaa session-limit ssh 32 aaa session-limit https 32 domain default enable system#role name level-0 description Predef

12、ined level-0 role#role name level-1 description Predefined level-1 role#role name level-2 description Predefined level-2 role#role name level-3 description Predefined level-3 role#role name level-4 description Predefined level-4 role# role name level-5 description Predefined level-5 role#role name l

13、evel-6 description Predefined level-6 role#role name level-7 description Predefined level-7 role#role name level-8 description Predefined level-8 role#role name level-9 description Predefined level-9 role#role name level-10 description Predefined level-10 role#role name level-11 description Predefin

14、ed level-11 role#role name level-12 description Predefined level-12 role#role name level-13 description Predefined level-13 role#role name level-14 description Predefined level-14 role#user-group system#local-user admin class manage password hash $h$6$rhjYlaMxTE8Yrgy/$pL4ngHJErR5IS6mIM2TVTpxVJoXAz3Z

15、7twS5WUoHnTBAVcnQ6zRTt3l/IV25NzoxYG4+xduBzNhiM+NovY5gUQ= service-type telnet authorization-attribute user-role network-admin authorization-attribute user-role network-operator#local-user test class manage password hash $h$6$aeSFBsuE4NLmKV/p$Bmfz5WpYqTIdkrJhRl8v9xOkz2sxaxZ4Y0ZtkKglmyw3gvtamdEAxf0CItY

16、elhqBRz/xZmmQF5DcZ3Y15oa5YA= service-type ftp service-type telnet authorization-attribute user-role network-operator#local-user test class network password cipher $c$3$dxUAzslPK2voJ3xxO+kdUpqKQK52oAsuNQ= service-type ppp authorization-attribute user-role network-operator#ipsec transform-set lns esp

17、encryption-algorithm 3des-cbc esp authentication-algorithm sha1 #ipsec policy-template lns 1 transform-set lns ike-profile lns#ipsec policy lns 1 isakmp template lns#l2tp-group 1 mode lns allow l2tp virtual-template 1 remote lac tunnel name lns tunnel password cipher $c$3$TbJ0N3WspYQUVRSjjmPBxkFjo3X

18、hyg=# l2tp enable# ike identity fqdn lns#ike profile lns keychain lac exchange-mode aggressive local-identity fqdn lns match remote identity fqdn lac match local address GigabitEthernet2/0.1499#ike keychain lac pre-shared-key hostname lac key cipher $c$3$QGKCezjZ+NqQIHxyMuZsfR/weMCQAw=#return一：概述首先，

19、先將這兩個(gè)概念理順一下。IPSEC OVER GRE即IPSEC在里，GRE在外。首先先把需要加密的數(shù)據(jù)包封裝成IPSEC包，然后在扔到GRE隧道里發(fā)到對(duì)端設(shè)備。做法是把IPSEC的加密策略作用在Tunnel口上，即在Tunnel口上監(jiān)聽匹配符合訪問控制列表的數(shù)據(jù)流，來確認(rèn)數(shù)據(jù)是否需要加密，需要?jiǎng)t先加密封裝為IPSEC包，然后封裝成GRE包進(jìn)入隧道；反之未在訪問控制列表中的數(shù)據(jù)流將以未加密的狀態(tài)直接走GRE隧道，這樣就會(huì)存在有些數(shù)據(jù)處于不安全的傳遞狀態(tài)。 而GRE OVER IPSEC 則是GRE在里，IPSEC在外，即先將數(shù)據(jù)封裝成GRE包，然后在封裝成IPSEC包后發(fā)到對(duì)端設(shè)備。做法是把I

20、PSEC的加密測(cè)試作用在物理端口上，然后根據(jù)訪問控制列表監(jiān)控匹配是否有需要加密的GRE數(shù)據(jù)流，有則將GRE數(shù)據(jù)流加密封裝成IPSEC包再進(jìn)行傳遞，這樣可以保證所有數(shù)據(jù)包都會(huì)被機(jī)密，包括隧道建立和路由的創(chuàng)建和傳遞。二：IPSEC OVER GRE 與GRE OVER IPSEC的配置思路介紹首先先介紹一下配置思路，有兩種配置的區(qū)別在于ipsec over gre 是將ipsec加密封裝應(yīng)用在tunnel口上，使用acl匹配需要加密數(shù)據(jù)流來實(shí)現(xiàn)。而gre over ipsec是將ipsec加密封裝應(yīng)用在物理接口上，用acl來匹配需要加密的tunnel隧道。從這個(gè)來講，后者會(huì)安全一點(diǎn)，ipsec會(huì)將

21、所有數(shù)據(jù)包括隧道報(bào)文都進(jìn)行加密。因此我將配置過程分成三步，這樣比較不會(huì)亂。第一步先配置公網(wǎng)ip及路由，讓兩端設(shè)備的公網(wǎng)ip先能互相ping通；第二步在配置GRE隧道，然后測(cè)試GRE隧道是否建立正常；第三步再創(chuàng)建ipsec加密并引用。拓?fù)鋱D如下：A：GRE over IPSEC R2：作為互聯(lián)網(wǎng)，保證路由可達(dá)即可 Int s0/2/0 Ip ad 24 Int s0/2/1 24 Int 0/2/2 Ip ad 24 R1： 第一步先配置公網(wǎng)接口 | R3:第一步配置公網(wǎng)接口 int s0/2/0 | int s0/2/0 Ip ad 12.

22、1.1.1 24 | ip ad 24 第二步配置GRE | 配置GRE Int tunnel 0 | int tunnel 0 Ip ad 24 | ip ad 24 Source | source Destination | destination Ip rou 0 tunnel0 | ip rou 0 tunnel0 第三步配置IPSEC 第三步配置IPSEC IKE配置 Ike peer r1-r3

23、 ike peer r3-r1 Pre-shared-key 12345 pre-shared-key 12345 Remote-address Ipsec類型 Ipsec proposal r1-r3 ipsec proposal r3-r1 Encapsulation tunnel/transport Encapsulation tunnel/transport Transform esp Transform esp Esp authentication-algorithm sha1 Esp authentication-algorithm sha1 Esp encryp

24、tion-algorithm 3des Esp encryption-algorithm 3des ACL匹配策略 Acl number 3013 acl number 3013 Rule 5 permit ip source 0 rule 5 permit ip source 0 Destination 0 destination 0 Ipsec 策略 Ipsec policy r13 1 isakmp ipsec policy r31 1 isakmp Security acl 3013 security acl 30

25、31 Ike-peer r1-r3 ike-peer r3-r1 Proposal r1-r3 proposal r3-r1 應(yīng)用到接口 Int s0/2/0 int s0/2/0 Ipsec policy r13 ipsec policy r31 B：IPSEC over GRE R2：作為互聯(lián)網(wǎng)，保證路由可達(dá)即可 Int s0/2/0 Ip ad 24 Int s0/2/1 24 Int 0/2/2 Ip ad 24 R1： 第一步先配置公網(wǎng)接口 | R3:第一步配置公網(wǎng)接口 int s0/2/0 | int s0/2/0 Ip ad

26、 24 | ip ad 24 第二步配置GRE | 配置GRE Int tunnel 0 | int tunnel 0 Ip ad 24 | ip ad 24 Source | source Destination | destination Ip rou 0 tunnel0 | ip rou 0 tunnel0 第三步配置IPSEC 第三步配置IPSEC IKE配置 Ike peer r1

27、-r3 ike peer r3-r1 Pre-shared-key 12345 pre-shared-key 12345 Ipsec類型 Ipsec proposal r1-r3 ipsec proposal r3-r1 Encapsulation tunnel Encapsulation tunnel Transform esp Transform esp Esp authentication-algorithm sha1 Esp authentication-algorithm sha1 Esp encryption-algorithm 3des Esp encryption-algorithm 3des ACL匹配策略 Acl number 3013 acl number 3013 Rule 5 permit ip source 0 rule 5 permit ip source 0 Destination 0 de