l2tpoveripsec(lns地址在內網(wǎng),通過公網(wǎng)映射)

pre-shared-keycipher$c$3$1x8s/6RGe2wayz2b/ilLMlHyJ86Kag==pre-shared-keycipher$c$3$1x8s/6RGe2wayz2b/ilLMlHyJ86Kag==pre-shared-keycipher$c$3$1x8s/6RGe2wayz2b/ilLMlHyJ86Kag==pre-shared-keycipher$c$3$1x8s/6RGe2wayz2b/ilLMlHyJ86Kag==##L2TPOVERIPSEC（LNS地址在內網(wǎng)，通過公網(wǎng)映射）組網(wǎng)強網(wǎng)撥號用戶202.109.207,163L2tctunnel01T2.20128.210云主機強網(wǎng)撥號用戶202.109.207,163L2tctunnel01T2.20128.210云主機LAC公網(wǎng)地址為，LNS在用戶內網(wǎng)地址為，通過映射為公網(wǎng)地址。用戶需求：PC用戶通過PPPOE撥號至ijLAC出發(fā)L2TP隧道建立，同時要求做IPSECW密。配置：LAC:<lac>discu#version,Release2512P04#sysnamelac#12tpenable#domaindefaultenablesystem#ipv6telnetserverenable#port-securityenable#password-recoveryenable#aclnumber3500rule5permitipsource0destination0rule10permitipsource0destination0#vlan1#Ddomainauthenticationppplocalaccess-limitdisablestateactiveidle-cutdisableself-service-urldisabledomainsystemaccess-limitdisablestateactiveidle-cutdisableself-service-urldisable#ikepeerlacexchange-modeaggressiveid-typenameremote-namelnsremote-addresslocal-addresslocal-namelacnattraversal#ipsectransform-setlacencapsulation-modetunneltransformespespauthentication-algorithmsha1espencryption-algorithm3des#ipsecpolicylac1isakmpsecurityacl3500ike-peerlactransform-setlac#user-groupsystemgroup-attributeallow-guest#local-useradminpasswordcipher$c$3$EiAlBrd/gVGFvSMRAmLoJwgze3wHlYa1BQ==authorization-attributelevel3service-typetelnetservice-typeweblocal-usertestpasswordcipher$c$3$SQ3SM2FRQoXeMijjRitI72ToSwbJ9f09xw==service-typepppl2tp-group1tunnelpasswordcipher$c$3$TVsHV3HQRBs5eubLlDPrKCp8o8kwnA==tunnelnamelacstartl2tpipdomain#interfaceAux0asyncmodeflowlink-protocolppp#interfaceCellular0/0asyncmodeprotocollink-protocolppp#interfaceVirtual-Template1pppauthentication-modepapchapdomain#interfaceNULL0#interfaceVlan-interface1pppoe-serverbindVirtual-Template1ipaddressGigabitEthernet0/0portlink-moderouteipaddressipsecpolicylac#interfaceGigabitEthernet0/1portlink-modebridge####interfaceGigabitEthernet0/2portlink-modebridge#interfaceGigabitEthernet0/3portlink-modebridge#interfaceGigabitEthernet0/4portlink-modebridge#iproute-staticiproute-staticdialer-rule1ippermit#loadxml-configuration#loadtr069-configuration#user-interfacetty12user-interfaceaux0user-interfacevty04authentication-modescheme#returnLNS：versionRelease0202#sysnamelns#telnetserverenable#ippool1#password-recoveryenable#vlan1#interfaceVirtual-Template1pppauthentication-modepapchapremoteaddresspool1ipaddressNULL0#interfaceLoopBack0ipaddressinterfaceGigabitEthernet1/0#interfaceGigabitEthernet1/descriptionto-12/32ipaddressvlan-typedot1qvid1498#interfaceGigabitEthernet2/0interfaceGigabitEthernet2/descriptionto-11/32ipaddressvlan-typedot1qvid1499ipsecapplypolicylns#schedulerlogfilesize16#lineclassauxuser-rolenetwork-operator#lineclassconsoleuser-rolenetwork-admin#lineclassvtyuser-rolenetwork-operator#lineaux0user-rolenetwork-operator#linecon0user-rolenetwork-admin#linevty063authentication-modeschemeuser-rolenetwork-operatoriproute-static0iproute-static28iproute-static28descriptionPredefinedlevel-descriptionPredefinedlevel-#rolerolenamelevel-5descriptionPredefinedlevel-5role#rolenamelevel-6descriptionPredefinedlevel-6role#rolenamelevel-7descriptionPredefinedlevel-7role#rolenamelevel-8descriptionPredefinedlevel-8role#rolenamelevel-9descriptionPredefinedlevel-9role#rolenamelevel-10descriptionPredefinedlevel-10role#rolenamelevel-11descriptionPredefinedlevel-11role#rolenamelevel-12descriptionPredefinedlevel-12role#rolenamelevel-13####rolenamelevel-14descriptionPredefinedlevel-14role#user-groupsystem#local-useradminclassmanagepassword hash$h$6$rhjYlaMxTE8Yrgy/$pL4ngHJErR5IS6mIM2TVTpxVJoXAz3Z7twS5WUoHnTBAVcnQ6zRTt3l/IV25NzoxYG4+xduBzNhiM+NovY5gUQ==service-typetelnetauthorization-attributeuser-rolenetwork-adminauthorization-attributeuser-rolenetwork-operator#local-usertestclassmanagepassword hash$h$6$aeSFBsuE4NLmKV/p$Bmfz5WpYqTIdkrJhRl8v9xOkz2sxaxZ4Y0ZtkKglmyw3gvtamdEAxf0CItYelhqBRz/xZmmQF5DcZ3Y15oa5YA==service-typeftpservice-typetelnetauthorization-attributeuser-rolenetwork-operator#local-usertestclassnetworkpasswordcipher$c$3$dxUAzslPK2voJ3xxO+kdUpqKQK52oAsuNQ==service-typepppauthorization-attributeuser-rolenetwork-operator##ipsectransform-setlnsespencryption-algorithm3des-cbcespauthentication-algorithmsha1#ipsecpolicy-templatelns1transform-setlnsike-profilelns#ipsecpolicylns1isakmptemplatelns#l2tp-group1modelnsallowl2tpvirtual-template1remotelactunnelnamelnstunnelpasswordcipher$c$3$TbJ0N3WspYQUVRSjjmPBxkFjo3Xhyg==#l2tpenable#ikeidentityfqdnlns#ikeprofilelnskeychainlacexchange-modeaggressivelocal-identityfqdnlnsmatchremoteidentityfqdnlacmatchlocaladdressGigabitEthernet2/ikekeychainlacpre-shared-keyhostnamelackeycipher$c$3$QGKCezjZ+NqQIHxyMuZsfR/weMCQAw==#return一：概述首先，先將這兩個概念理順一下。 IPSECOVERGREIPSEC^里，GRE在外。首先先把需要加密的數(shù)據(jù)包封裝成 IPSEC包，然后在扔到GRE隧道里發(fā)到對端設備。做法是把 IPSEC的加密策略作用在 Tunnel口上，即在Tunnel口上監(jiān)聽匹配符合訪問控制列表的數(shù)據(jù)流，來確認數(shù)據(jù)是否需要加密，需要則先加密封裝為IPSECK然后封裝成GRE包進入隧道；反之未在訪問控制列表中的數(shù)據(jù)流將以未加密的狀態(tài)直接走 GRE隧道，這樣就會存在有些數(shù)據(jù)處于不安全的傳遞狀態(tài)。而GREOVERIPSECU是GRE在里，IPSE%外，即先將數(shù)據(jù)封裝成 GRE包，然后在封裝成IPSEC&后發(fā)到對端設備。做法是把 IPSEC勺加密測試作用在物理端口上，然后根據(jù)訪問控制列表監(jiān)控匹配是否有需要加密的 GRE數(shù)據(jù)流，有則將GRE數(shù)據(jù)流加密封裝成IPSEC包再進行傳遞，這樣可以保證所有數(shù)據(jù)包都會被機密，包括隧道建立和路由的創(chuàng)建和傳遞。二：IPSECOVERGREGREOVERIPSEC己置思路介紹首先先介紹一下配置思路，有兩種配置的區(qū)別在于 ipsecovergre是將ipsec加密封裝應用在tunnel口上，使用acl匹配需要加密數(shù)據(jù)流來實現(xiàn)。而 greove門psec是將ipsec力口密封裝應用在物理接口上，用acl來匹配需要加密的tunnel隧道。從這個來講，后者會安全一點，ipsec會將所有數(shù)據(jù)包括隧道報文都進行加密。因此我將配置過程分成三步，這樣比較不會亂。第一步先配置公網(wǎng)ip及路由，讓兩端設備的公網(wǎng)ip先能互相ping通；第二步在配置 GRE隧道， 然后測試 GRE隧道是否建立正常；第三步再創(chuàng)建 ipsec加密并引用。拓撲圖如下：

)92.IS8J3,21股，1胡.3.)92.IS8J3,21股，1胡.3.1W2.16B.1O11立。1S2.If%,HO.1192.168.UO.2A:GREoverIPSECR2:作為互聯(lián)網(wǎng)，保證路由可達即可Ints0/20Ipad24Ints0/2124Int0/2/2Ipad24| R3:| R3:第一步配置公網(wǎng)接口|intS0/2/0ipad24第二步配置GRE |配置|inttunnel0ipad24R1:第一步先配置公網(wǎng)接口ints0⑵0Ipad24 |Iprou |iprouGREInttunnel0Ipad24 |sourcesourceSourcedestinationdestinationDestinationIprou0tunnel0|iprou0tunnel0第三步配置IPSECIKE配置Ikepeerr1-r3Pre-shared-key12345Remote-addressIpsecproposalr1-r3Encapsulationtunnel/transportTransformespEspauthentication-algorithmsha1Espencryption-algorithm3desACL匹配策略Aclnumber3013Rule5permitipsource0Destination0Ipsec策略Ipsecpolicyr131isakmpSecurityacl3013Ike-peerr1-r3Proposalr1-r3應用到接口Ints0/2/0Ipsecpolicyr13第三步配置IPSECikepeerr3-r1pre-shared-key12345remote-address Ipsec類型ipsecproposalr3-r1Encapsulationtunnel/transportTransformespEspauthentication-algorithmsha1Espencryption-algorithm3desaclnumber3013rule5permitipsource0destination0ipsecpolicyr311isakmpsecurityacl3031ike-peerr3-r1proposalr3-r1ints0/2/0ipsecpolicyr31B：IPSECoverGRER2:作為互聯(lián)網(wǎng)，保證路由可達即可配置配置Ints0/2/0Ipad24Ints0/2/124Int0/2/2Ipad24R1：第一步先配置公網(wǎng)接口ints0/2/0TOC\o"1-5"\h\zIpad24 |Iprou |iprouGREInttunnel0Ipad24 |Source |Destination |Iprou0tunnel0|第三步配置IPSECIKE配置Ikepeerr1-r3Pre-shared-key12345Remote-addressIpsecproposalr1-r3EncapsulationtunnelTransformesp| R3:第一步配置公網(wǎng)接口|ints0/2/0ipad24第二步配置 GRE ||inttunnel0ipad24sourcedestinationiprou0tunnel0第三步配置IPSECikepeerr3-r1pre-shared-key12345remote-address Ipsec類型ipsecproposalr3-r1EncapsulationtunnelTransformespEspauthentication-algorithmsha1Espauthentication-algorithmsha1Espencryption-algorithm3desACL匹配策略Aclnumber3013Rule5permitipsource0Destination0Ipsec策略Ipsecpolicyr131isakmpSecurityacl3013Ike-peerr1-r3Proposalr1-r3應用到TUNNEL口Inttunnel0Ipsecpolicyr13Espencryption-algorithm3desaclnumber3013rule5permitipsource0destination0ipsecpolicyr311isakmpsecurityacl3031ike-peerr3-r1proposalr3-r1inttunnle0ipsecpolicyr31ipsecovergre與greoveripsec報文路由轉發(fā)和封裝過程首先是greoveripsec的路由轉發(fā)過程：R1路由表：<H3C>disiprouRoutingTables:PublicDestinations:13 Routes