ADSL + IPsec VPN configuration

Source: original article on this site, category VPN

Requirement: the headquarters has a static IP address; the branch office uses ADSL dial-up with a dynamic IP address, and its VPN device sits behind the ADSL dial-up device. The question is how to build an IPsec VPN between the two sides.

Two VPN topics are involved: dynamic crypto maps (configured on R4) and the two UDP ports IPsec depends on (UDP 500 for ISAKMP and UDP 4500 for NAT-T).

The topology diagram is as follows:

Configuration steps:
1. Configure the ISP. R3 acts as the PPPoE server; the main commands are:

vpdn enable
vpdn-group 1
 accept-dialin
  protocol pppoe
  virtual-template 1
username cisco password cisco
ip local pool cisco 218.2.2.2 218.2.2.10
interface Loopback0
 ip address 218.2.2.1 255.255.255.0
interface Virtual-Template1
 ip unnumbered Loopback0
 peer default ip address pool cisco
 ppp authentication chap
interface Ethernet0/0
 pppoe enable

2. Configure R2 as the PPPoE client; the main commands are:

vpdn enable
vpdn-group 1
 request-dialin
  protocol pppoe
interface Ethernet0/3
 pppoe enable
 pppoe-client dial-pool-number 1

interface Dialer0
 encapsulation ppp
 ip address negotiated
 ppp authentication chap pap callin
 dialer pool 1
 dialer-group 1
 ppp chap hostname cisco
 ppp chap password cisco
dialer-list 1 protocol ip permit
ip route 0.0.0.0 0.0.0.0 Dialer0

Once this is configured, R2 shows the address it obtained via IPCP:

R2#sh ip int bri
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 192.168.1.1 YES manual up up
Dialer0 218.2.2.2 YES IPCP up up

3. Configure the interfaces, NAT and related settings on the four routers R1 to R4 so that the network is fully reachable. For example, R1 can reach R4's public address:

R1#ping 218.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 218.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/52/108 ms

4. Configure the VPN.
R1 is configured as a normal static-peer IPsec endpoint. Note that R1 itself has no NAT configured; the translation happens on R2.

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 123456 address 218.1.1.2
!
!
crypto ipsec transform-set test esp-3des
!
crypto map mymap 1000 ipsec-isakmp
 set peer 218.1.1.2
 set transform-set test
 match address 101
!
interface Ethernet0/0
 ip address 192.168.1.2 255.255.255.0
 half-duplex
 crypto map mymap
!
access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.10.0 0.0.0.255

R2 needs two static port mappings so that ISAKMP (UDP 500) and NAT-T (UDP 4500) arriving on the dialer interface are forwarded to R1:

ip nat inside source static udp 192.168.1.2 4500 interface Dialer0 4500
ip nat inside source static udp 192.168.1.2 500 interface Dialer0 500

On R4, configure a dynamic crypto map, since the branch peer's address is not known in advance. Pay attention to R4's NAT configuration: the NAT ACL must deny (exempt) the site-to-site traffic before the permit any any, otherwise it is translated before encryption and never matches the crypto ACL.

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 123456 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set test esp-3des
!
crypto dynamic-map mymap1 1000
 set transform-set test
!
crypto map mymap 1000 ipsec-isakmp dynamic mymap1 discover
!
interface Ethernet0/0
 ip address 218.1.1.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 half-duplex
 crypto map mymap
!
ip nat inside source list 101 interface Ethernet0/0 overload
!
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 permit ip any any

After configuration, generate interesting traffic from the R1 side. Because R4 uses a dynamic crypto map, only R1 can initiate the tunnel:

R1#ping 192.168.10.1 so 192.168.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.100.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/69/144 ms

Finally, check the VPN state on R1 and R4:

R1#sh crypto isakmp sa
dst src state conn-id slot status
218.1.1.2 192.168.1.2 QM_IDLE 1 0 ACTIVE

R4#sh crypto isakmp sa

This completes the configuration.

Source: CCIE那點事, http://www.qdxgqk.live/?p=3018