[CCIE那點事] Original, Episode 3: A hands-on guide to configuring ADSL + IPsec VPN

Source: original to this site. Category: VPN.

Episode 3 is here. Pretty hot, right?

Recap

Article: [CCIE那點事] Original, Episode 1: A hands-on guide to configuring VPN, part 1: L2L site-to-site VPN

Link: http://www.qdxgqk.live/?p=1862 (please credit CCIE那點事 when reposting)

Article: [CCIE那點事] Original, Episode 2: A hands-on guide to configuring VPN, part 2: L2L + EzVPN

Link: http://www.qdxgqk.live/?p=3020 (please credit CCIE那點事 when reposting)

Why write this one? Because someone asked: the branch office connects through ADSL dial-up, so how do you configure a VPN to the headquarters? I believe plenty of network engineers run into this problem.

Anyone who has done corporate IT knows that ADSL and LAN access are cheap for a company: a 2M line probably runs a little over 2000 yuan a month. EPON fibre is another matter; the price is several times higher.

So most companies use ADSL to connect to the headquarters, where the HQ IDC or server room has equipment with a fixed IP. But I digress, haha.

Test objective

The branch-office segment 4.4.4.0 behind r4 should be able to reach the headquarters server on 8.8.8.0.

Test environment

GNS3, 2691 routers running c2691-advsecurityk9-mz[1].124-11.T2.bin

Enough talk, here is the diagram.

[Topology diagram: the clipboard image is not included in this page]

The diagram is a bit complex, so let me walk through it.

1. An ADSL SERVER that simulates the ISP
2. An IPsec VPN server, R8
3. The ADSL + VPN client, vpnadsl
4. R4, simulating the internal-network server, and VPN REMOTE
5. server, simulating the headquarters server

I originally wanted to build this in Cisco Packet Tracer, but after testing for a long time I found it isn't supported, so GNS3 it had to be.

Trimmed configurations; everything else has been deleted.

ADSL server configuration

vpdn enable    /* enable VPDN
!
vpdn-group 1   /* VPDN group
 ! Default L2TP VPDN group
 accept-dialin       /* accept incoming PPPoE sessions
  protocol pppoe /* encapsulation protocol is PPPoE
  virtual-template 1    /* apply virtual template 1
username cisco password 0 cisco   /* dial-up username and password
!
bba-group pppoe global       /* enable the global BBA group
 virtual-template 1                 /* bind virtual template 1
!
interface Loopback1             /* address borrowed by the virtual template
 ip address 223.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 8.8.8.1 255.255.255.0
 speed auto
 full-duplex
!
interface FastEthernet0/1
 pppoe enable group global    /* enable PPPoE on this port
!
interface Virtual-Template1     /* the virtual template
 ip unnumbered Loopback1    /* borrow the Lo1 address
 peer default ip address pool cisco     /* IP address pool handed to clients
 ppp authentication chap                   /* authenticate clients with CHAP
!
ip local pool cisco 223.1.1.2 223.1.1.100  /* the address pool
!

Headquarters VPN configuration, R8

I won't explain this config; see the previous two episodes.

hostname R8
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisakmp123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set newset esp-3des esp-md5-hmac
!
crypto dynamic-map map1 10      /* defined but never referenced; only mymap1 is used below
 set transform-set newset
!
crypto dynamic-map mymap1 10    /* no match address: the proxy IDs proposed by the peer are accepted
 set transform-set newset
!
crypto map map1 100 ipsec-isakmp dynamic mymap1 discover    /* dynamic entry, since the branch address is not known in advance
!
interface FastEthernet0/0
 ip address 8.8.8.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map map1
!
interface FastEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 8.8.8.1
!
no ip http server
no ip http secure-server
ip nat inside source list nonat interface FastEthernet0/0 overload
!
ip access-list extended VPN_B01     /* defined but never referenced
 permit ip 10.1.1.0 0.0.0.255 4.4.4.0 0.0.0.255
ip access-list extended nonat       /* exempt the VPN traffic from PAT
 deny   ip 10.1.1.0 0.0.0.255 4.4.4.0 0.0.0.255
 permit ip any any

Now the key part: the VPN + ADSL router configuration

hostname vpnadsl
vpdn enable
!
vpdn-group 1
 request-dialin           /* client side: this router initiates the PPPoE session
  protocol pppoe
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 8.8.8.2
!
crypto ipsec transform-set newset esp-3des esp-md5-hmac
!
crypto map map1 5 ipsec-isakmp
 set peer 8.8.8.2
 set transform-set newset
 match address VPN_HUB
!
bba-group pppoe global     /* server-side leftover; not needed on the client
!
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed auto
 full-duplex
!
interface FastEthernet0/1
 no ip address
 speed auto
 full-duplex
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer0
 ip address negotiated
 ip nat outside                       /* note: every feature goes on the Dialer, not on the physical port
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin   /* for PAP the equivalent is: ppp pap sent-username xxx password xxx
 ppp chap hostname cisco
 ppp chap password 0 cisco
 crypto map map1                     /* apply IPsec
!
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 4.4.4.0 255.255.255.0 1.1.1.2
!
ip nat inside source list nonat interface Dialer0 overload
!
ip access-list extended VPN_HUB
 permit ip 4.4.4.0 0.0.0.255 10.1.1.0 0.0.0.255
ip access-list extended nonat
 deny   ip 4.4.4.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip any any
!
dialer-list 1 protocol ip permit

Test result: all good, the objective is met, test complete.

*Mar  1 01:36:02.007: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Mar  1 01:36:10.779: ISAKMP:(0): SA request profile is (NULL)
*Mar  1 01:36:10.779: ISAKMP: Created a peer struct for 8.8.8.2, peer port 500
*Mar  1 01:36:10.783: ISAKMP: New peer created peer = 0x648CE15C peer_handle = 0x80000005
*Mar  1 01:36:10.783: ISAKMP: Locking peer struct 0x648CE15C, refcount 1 for isakmp_initiator
*Mar  1 01:36:10.783: ISAKMP: local port 500, remote port 500
*Mar  1 01:36:10.783: ISAKMP: set new node 0 to QM_IDLE
*Mar  1 01:36:10.787: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 64186BF4
*Mar  1 01:36:10.787: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Mar  1 01:36:10.787: ISAKMP:(0):found peer pre-shared key matching 8.8.8.2
*Mar  1 01:36:10.791: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Mar  1 01:36:10.791: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Mar  1 01:36:10.791: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Mar  1 01:36:10.795: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar  1 01:36:10.795: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Mar  1 01:36:10.795: ISAKMP:(0): beginning Main Mode exchange
*Mar  1 01:36:10.799: ISAKMP:(0): sending packet to 8.8.8.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 01:36:10.799: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar  1 01:36:11.283: ISAKMP (0:0): received packet from 8.8.8.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar  1 01:36:11.287: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 01:36:11.287: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Mar  1 01:36:11.291: ISAKMP:(0): processing SA payload. message ID = 0
*Mar  1 01:36:11.295: ISAKMP:(0): processing vendor id payload
*Mar  1 01:36:11.295: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Mar  1 01:36:11.295: ISAKMP (0:0): vendor ID is NAT-T v7
*Mar  1 01:36:11.295: ISAKMP:(0):found peer pre-shared key matching 8.8.8.2
*Mar  1 01:36:11.299: ISAKMP:(0): local preshared key found
*Mar  1 01:36:11.299: ISAKMP : Scanning profiles for xauth …
*Mar  1 01:36:11.299: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Mar  1 01:36:11.299: ISAKMP:      encryption 3DES-CBC
*Mar  1 01:36:11.303: ISAKMP:      hash SHA
*Mar  1 01:36:11.303: ISAKMP:      default group 2
*Mar  1 01:36:11.303: ISAKMP:      auth pre-share
*Mar  1 01:36:11.303: ISAKMP:      life type in seconds
*Mar  1 01:36:11.303: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Mar  1 01:36:11.307: ISAKMP:(0):atts are acceptable. Next payload is 0
*Mar  1 01:36:11.307: ISAKMP:(0): processing vendor id payload
*Mar  1 01:36:11.307: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Mar  1 01:36:11.311: ISAKMP (0:0): vendor ID is NAT-T v7
*Mar  1 01:36:11.311: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 01:36:11.311: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
*Mar  1 01:36:11.323: ISAKMP:(0): sending packet to 8.8.8.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Mar  1 01:36:11.323: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar  1 01:36:11.327: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 01:36:11.327: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
*Mar  1 01:36:11.967: ISAKMP (0:0): received packet from 8.8.8.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*Mar  1 01:36:11.971: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 01:36:11.971: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
*Mar  1 01:36:11.979: ISAKMP:(0): processing KE payload. message ID = 0
*Mar  1 01:36:12.087: ISAKMP:(0): processing NONCE payload. message ID = 0
*Mar  1 01:36:12.087: ISAKMP:(0):found peer pre-shared key matching 8.8.8.2
*Mar  1 01:36:12.095: ISAKMP:(1005): processing vendor id payload
*Mar  1 01:36:12.095: ISAKMP:(1005): vendor ID is Unity
*Mar  1 01:36:12.099: ISAKMP:(1005): processing vendor id payload
*Mar  1 01:36:12.099: ISAKMP:(1005): vendor ID is DPD
*Mar  1 01:36:12.099: ISAKMP:(1005): processing vendor id payload
*Mar  1 01:36:12.103: ISAKMP:(1005): speaking to another IOS box!
*Mar  1 01:36:12.103: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 01:36:12.103: ISAKMP:(1005):Old State = IKE_I_MM4  New State = IKE_I_MM4
*Mar  1 01:36:12.111: ISAKMP:(1005):Send initial contact
*Mar  1 01:36:12.111: ISAKMP:(1005):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar  1 01:36:12.115: ISAKMP (0:1005): ID payload
        next-payload : 8
        type         : 1
        address      : 223.1.1.2
        protocol     : 17
        port         : 500
        length       : 12
*Mar  1 01:36:12.115: ISAKMP:(1005):Total payload length: 12
*Mar  1 01:36:12.119: ISAKMP:(1005): sending packet to 8.8.8.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar  1 01:36:12.123: ISAKMP:(1005):Sending an IKE IPv4 Packet.
*Mar  1 01:36:12.123: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 01:36:12.127: ISAKMP:(1005):Old State = IKE_I_MM4  New State = IKE_I_MM5
*Mar  1 01:36:12.579: ISAKMP (0:1005): received packet from 8.8.8.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar  1 01:36:12.583: ISAKMP:(1005): processing ID payload. message ID = 0
*Mar  1 01:36:12.583: ISAKMP (0:1005): ID payload
        next-payload : 8
        type         : 1
        address      : 8.8.8.2
        protocol     : 17
        port         : 500
        length       : 12
*Mar  1 01:36:12.587: ISAKMP:(0):: peer matches *none* of the profiles
*Mar  1 01:36:12.587: ISAKMP:(1005): processing HASH payload. message ID = 0
*Mar  1 01:36:12.591: ISAKMP:(1005):SA authentication status:
        authenticated
*Mar  1 01:36:12.591: ISAKMP:(1005):SA has been authenticated with 8.8.8.2
*Mar  1 01:36:12.591: ISAKMP: Trying to insert a peer 223.1.1.2/8.8.8.2/500/,  and inserted successfully 648CE15C.
*Mar  1 01:36:12.595: ISAKMP:(1005):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 01:36:12.595: ISAKMP:(1005):Old State = IKE_I_MM5  New State = IKE_I_MM6
*Mar  1 01:36:12.603: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 01:36:12.603: ISAKMP:(1005):Old State = IKE_I_MM6  New State = IKE_I_MM6
*Mar  1 01:36:12.611: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 01:36:12.611: ISAKMP:(1005):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Mar  1 01:36:12.619: ISAKMP:(1005):beginning Quick Mode exchange, M-ID of 1720065028
*Mar  1 01:36:12.619: ISAKMP:(1005):QM Initiator gets spi
*Mar  1 01:36:12.627: ISAKMP:(1005): sending packet to 8.8.8.2 my_port 500 peer_port 500 (I) QM_IDLE
*Mar  1 01:36:12.627: ISAKMP:(1005):Sending an IKE IPv4 Packet.
*Mar  1 01:36:12.631: ISAKMP:(1005):Node 1720065028, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar  1 01:36:12.631: ISAKMP:(1005):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Mar  1 01:36:12.631: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar  1 01:36:12.635: ISAKMP:(1005):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE       /* if the tunnel fails, check here
*Mar  1 01:36:13.487: ISAKMP (0:1005): received packet from 8.8.8.2 dport 500 sport 500 Global (I) QM_IDLE
*Mar  1 01:36:13.491: ISAKMP:(1005): processing HASH payload. message ID = 1720065028
*Mar  1 01:36:13.495: ISAKMP:(1005): processing SA payload. message ID = 1720065028
*Mar  1 01:36:13.495: ISAKMP:(1005):Checking IPSec proposal 1
*Mar  1 01:36:13.495: ISAKMP: transform 1, ESP_3DES
*Mar  1 01:36:13.495: ISAKMP:   attributes in transform:
*Mar  1 01:36:13.495: ISAKMP:      encaps is 1 (Tunnel)
*Mar  1 01:36:13.499: ISAKMP:      SA life type in seconds
*Mar  1 01:36:13.499: ISAKMP:      SA life duration (basic) of 3600
*Mar  1 01:36:13.499: ISAKMP:      SA life type in kilobytes
*Mar  1 01:36:13.499: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
*Mar  1 01:36:13.503: ISAKMP:      authenticator is HMAC-MD5
*Mar  1 01:36:13.503: ISAKMP:(1005):atts are acceptable.
*Mar  1 01:36:13.507: ISAKMP:(1005): processing NONCE payload. message ID = 1720065028
*Mar  1 01:36:13.507: ISAKMP:(1005): processing ID payload. message ID = 1720065028
*Mar  1 01:36:13.507: ISAKMP:(1005): processing ID payload. message ID = 1720065028
*Mar  1 01:36:13.515: ISAKMP:(1005): Creating IPSec SAs
*Mar  1 01:36:13.519:         inbound SA from 8.8.8.2 to 223.1.1.2 (f/i)  0/ 0
        (proxy 10.1.1.0 to 4.4.4.0)
*Mar  1 01:36:13.519:         has spi 0x34C7B52D and conn_id 0
*Mar  1 01:36:13.519:         lifetime of 3600 seconds
*Mar  1 01:36:13.519:         lifetime of 4608000 kilobytes
*Mar  1 01:36:13.519:         outbound SA from 223.1.1.2 to 8.8.8.2 (f/i) 0/0
        (proxy 4.4.4.0 to 10.1.1.0)
*Mar  1 01:36:13.523:         has spi  0xBE4D8EE6 and conn_id 0
*Mar  1 01:36:13.523:         lifetime of 3600 seconds
*Mar  1 01:36:13.523:         lifetime of 4608000 kilobytes
*Mar  1 01:36:13.527: ISAKMP:(1005): sending packet to 8.8.8.2 my_port 500 peer_port 500 (I) QM_IDLE
*Mar  1 01:36:13.527: ISAKMP:(1005):Sending an IKE IPv4 Packet.
*Mar  1 01:36:13.531: ISAKMP:(1005):deleting node 1720065028 error FALSE reason "No Error"
*Mar  1 01:36:13.531: ISAKMP:(1005):Node 1720065028, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar  1 01:36:13.531: ISAKMP:(1005):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE   /* if the tunnel fails, check here
*Mar  1 01:36:21.867: %SYS-5-CONFIG_I: Configured from console by console
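The two "check here" markers above sit on state-transition lines. As an added example (not from the post), this Python helper pulls those transitions out of a debug crypto isakmp capture and reports how far the negotiation got, which is the first thing to establish when the tunnel does not come up. The sample log is constructed from lines in the shape of the output above, with the final phase-2 transition left out so a stalled case is reported.

```python
import re

# Constructed sample in the shape of the post's debug output; the final
# IKE_QM_PHASE2_COMPLETE transition is deliberately missing.
SAMPLE = """\
*Mar  1 01:36:10.795: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Mar  1 01:36:11.287: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Mar  1 01:36:12.611: ISAKMP:(1005):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Mar  1 01:36:12.631: ISAKMP:(1005):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
"""
STATE_RE = re.compile(r"ISAKMP:\((\d+)\):Old State = (\S+)\s+New State = (\S+)")

def transitions(log):
    # Return (sa_id, old_state, new_state) for every state-machine line in the log.
    return [m.groups() for m in map(STATE_RE.search, log.splitlines()) if m]

def summarize(log):
    # Say how far IKE got; the last state reached is where to start reading the debug.
    steps = transitions(log)
    p1 = any(new == "IKE_P1_COMPLETE" for _, _, new in steps)
    p2 = any(new == "IKE_QM_PHASE2_COMPLETE" for _, _, new in steps)
    last = steps[-1][2] if steps else None
    if p2:
        hint = "tunnel up: phase 1 and phase 2 completed, IPsec SAs installed"
    elif p1:
        hint = ("phase 1 ok, phase 2 stalled: compare transform-sets and check that the "
                "crypto ACL is mirrored on the peer and exempted from NAT")
    elif last == "IKE_I_MM1":
        hint = "no reply at IKE_I_MM1: peer unreachable, UDP/500 blocked, or no matching ISAKMP policy"
    elif last == "IKE_I_MM5":
        hint = "no reply at IKE_I_MM5: a pre-shared key or identity mismatch is the usual cause"
    elif last:
        hint = f"stopped at {last}: read the debug lines just before this transition"
    else:
        hint = "no ISAKMP activity: is the crypto map on the Dialer and is traffic hitting the crypto ACL?"
    return {"phase1": p1, "phase2": p2, "last_state": last, "hint": hint}
```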

Ping test

r4#ping 10.1.1.2 repeat 10000

server#
*Mar  1 02:22:38.047: ICMP: echo reply sent, src 10.1.1.2, dst 4.4.4.2
*Mar  1 02:22:38.423: ICMP: echo reply sent, src 10.1.1.2, dst 4.4.4.2
*Mar  1 02:22:38.551: ICMP: echo reply sent, src 10.1.1.2, dst 4.4.4.2
*Mar  1 02:22:38.799: ICMP: echo reply sent, src 10.1.1.2, dst 4.4.4.2

The original configurations are attached: http://pan.baidu.com/share/link?shareid=2163115506&uk=4144237329

This article comes from CCIE那點事 (http://www.qdxgqk.live/), all rights reserved. Unless another source is noted, articles on this site are the author's original work; they may be freely quoted with attribution, but reposting the full text is prohibited.
Article link: http://www.qdxgqk.live/?p=3026 (please credit CCIE那點事 when reposting)