L2TP over IPsec (LNS address on the intranet, mapped through a public address)

Source file: l2tpoveripseclns地址在内网通过公网映射.docx, uploaded 2023-01-05 (DOCX, 16 pages)

Network setup

The LAC sits on a public address; the LNS sits on a private address inside the user's network and is reached through a public address mapped to it (the specific addresses are not preserved in this copy).

Requirement:

PC users dial in to the LAC over PPPoE, which triggers L2TP tunnel establishment; the tunnel must also be encrypted with IPsec.

Configuration (addresses, pool ranges and domain names were stripped from this copy; the blanks are left where they were):

LAC:

display current-configuration
#
 version , Release 2512P04
#
 sysname lac
#
 l2tp enable
#
 domain default enable system
#
 ipv6
#
 telnet server enable
#
 port-security enable
#
 password-recovery enable
#
acl number 3500
 rule 5 permit ip source 0 destination 0
 rule 10 permit ip source 0 destination 0
#
vlan 1
#
Ddomain
 authentication ppp local
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
ike peer lac
 exchange-mode aggressive
 pre-shared-key cipher $c$3$1x8s/6RGe2wayz2b/ilLMlHyJ86Kag==
 id-type name
 remote-name lns
 remote-address
 local-address
 local-name lac
 nat traversal
#
ipsec transform-set lac
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ipsec policy lac 1 isakmp
 security acl 3500
 ike-peer lac
 transform-set lac
#
user-group system
 group-attribute allow-guest
#
local-user admin
 password cipher $c$3$EiAlBrd/gVGFvSMRAmLoJwgze3wHlYa1BQ==
 authorization-attribute level 3
 service-type telnet
 service-type web
local-user test
 password cipher $c$3$SQ3SM2FRQoXeMijjRitI72ToSwbJ9f09xw==
 service-type ppp
#
l2tp-group 1
 tunnel password cipher $c$3$TVsHV3HQRBs5eubLlDPrKCp8o8kwnA==
 tunnel name lac
 start l2tp ip domain
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface Cellular0/0
 async mode protocol
 link-protocol ppp
#
interface Virtual-Template1
 ppp authentication-mode pap chap domain
#
interface NULL0
#
interface Vlan-interface1
 pppoe-server bind Virtual-Template 1
 ip address
#
interface GigabitEthernet0/0
 port link-mode route
 ip address
 ipsec policy lac
#
interface GigabitEthernet0/1
 port link-mode bridge
#
interface GigabitEthernet0/2
 port link-mode bridge
#
interface GigabitEthernet0/3
 port link-mode bridge
#
interface GigabitEthernet0/4
 port link-mode bridge
#
 ip route-static
 ip route-static
#
 dialer-rule 1 ip permit
#
 load xml-configuration
#
 load tr069-configuration
#
user-interface tty 12
user-interface aux 0
user-interface vty 0 4
 authentication-mode scheme
#
return

LNS:

#
 version Release 0202
#
 sysname lns
#
 telnet server enable
#
ip pool 1
#
 password-recovery enable
#
vlan 1
#
interface Virtual-Template1
 ppp authentication-mode pap chap
 remote address pool 1
 ip address
#
interface NULL0
#
interface LoopBack0
 ip address
#
interface GigabitEthernet1/0
#
interface GigabitEthernet1/
 description to-12/32
 ip address
 vlan-type dot1q vid 1498
#
interface GigabitEthernet2/0
#
interface GigabitEthernet2/
 description to-11/32
 ip address
 vlan-type dot1q vid 1499
 ipsec apply policy lns
#
 scheduler logfile size 16
#
line class aux
 user-role network-operator
#
line class console
 user-role network-admin
#
line class vty
 user-role network-operator
#
line aux 0
 user-role network-operator
#
line con 0
 user-role network-admin
#
line vty 0 63
 authentication-mode scheme
 user-role network-operator
#
 ip route-static 0
 ip route-static 28
 ip route-static 28
#
domain
 authentication ppp local
 authorization ppp local
 accounting ppp local
#
domain system
#
 aaa session-limit ftp 32
 aaa session-limit telnet 32
 aaa session-limit http 32
 aaa session-limit ssh 32
 aaa session-limit https 32
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
local-user admin class manage
 password hash $h$6$rhjYlaMxTE8Yrgy/$pL4ngHJErR5IS6mIM2TVTpxVJoXAz3Z7twS5WUoHnTBAVcnQ6zRTt3l/IV25NzoxYG4+xduBzNhiM+NovY5gUQ==
 service-type telnet
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
#
local-user test class manage
 password hash $h$6$aeSFBsuE4NLmKV/p$Bmfz5WpYqTIdkrJhRl8v9xOkz2sxaxZ4Y0ZtkKglmyw3gvtamdEAxf0CItYelhqBRz/xZmmQF5DcZ3Y15oa5YA==
 service-type ftp
 service-type telnet
 authorization-attribute user-role network-operator
#
local-user test class network
 password cipher $c$3$dxUAzslPK2voJ3xxO+kdUpqKQK52oAsuNQ==
 service-type ppp
 authorization-attribute user-role network-operator
#
ipsec transform-set lns
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm sha1
#
ipsec policy-template lns 1
 transform-set lns
 ike-profile lns
#
ipsec policy lns 1 isakmp template lns
#
l2tp-group 1 mode lns
 allow l2tp virtual-template 1 remote lac
 tunnel name lns
 tunnel password cipher $c$3$TbJ0N3WspYQUVRSjjmPBxkFjo3Xhyg==
#
 l2tp enable
#
 ike identity fqdn lns
#
ike profile lns
 keychain lac
 exchange-mode aggressive
 local-identity fqdn lns
 match remote identity fqdn lac
 match local address GigabitEthernet2/
#
ike keychain lac
 pre-shared-key hostname lac key cipher $c$3$QGKCezjZ+NqQIHxyMuZsfR/weMCQAw==
#
return
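The LAC and LNS configurations above have to agree on several values before the tunnel can come up: the LAC's remote-name must equal the LNS's ike identity fqdn, the LAC's local-name must match both the LNS profile's match remote identity fqdn clause and the keychain's pre-shared-key hostname, the tunnel name the LAC announces must be the one the LNS's allow l2tp ... remote clause accepts, both transform sets must select the same algorithms, and, because the LNS is reached through a mapped public address, the LAC needs nat traversal. The Python script below is an added example, not part of the original document and not a vendor tool: it parses Comware-style configuration text into blocks and checks those cross-references, and it also flags the legacy choices in the page's configuration (3DES with SHA-1, aggressive mode with a pre-shared key) as warnings. The embedded configs are constructed excerpts modelled on the page's, with placeholder secrets.

```python
# Added example: LAC/LNS consistency checker for L2TP over IPsec.
# The two configs are constructed excerpts modelled on the page's; the
# "PSK-PLACEHOLDER" values stand in for the page's cipher-text secrets.
LAC_CONFIG = """\
 l2tp enable
#
ike peer lac
 exchange-mode aggressive
 pre-shared-key cipher PSK-PLACEHOLDER
 remote-name lns
 local-name lac
 nat traversal
#
ipsec transform-set lac
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
l2tp-group 1
 tunnel name lac
#
"""

LNS_CONFIG = """\
ipsec transform-set lns
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm sha1
#
l2tp-group 1 mode lns
 allow l2tp virtual-template 1 remote lac
#
 l2tp enable
#
 ike identity fqdn lns
#
ike profile lns
 keychain lac
 exchange-mode aggressive
 match remote identity fqdn lac
#
ike keychain lac
 pre-shared-key hostname lac key cipher PSK-PLACEHOLDER
#
"""


def parse_blocks(text):
    """Split Comware-style config into (header, [children]) blocks at '#' lines.
    Indented lines that follow '#' directly are global commands (header None)."""
    blocks, header, children = [], None, []
    for raw in text.splitlines():
        if raw.strip() == "#":
            if header is not None or children:
                blocks.append((header, children))
            header, children = None, []
        elif raw.startswith(" "):
            children.append(raw.strip())
        elif raw.strip():
            header = raw.strip()
    if header is not None or children:
        blocks.append((header, children))
    return blocks


def section(blocks, prefix):
    """Children of the first block whose header starts with prefix (else [])."""
    return next((c for h, c in blocks if h and h.startswith(prefix)), [])


def global_cmds(blocks):
    return [line for h, c in blocks if h is None for line in c]


def value(lines, prefix):
    """Text after prefix on the first line that starts with it, or None."""
    return next((line[len(prefix):].strip() for line in lines if line.startswith(prefix)), None)


def check_pair(lac_text, lns_text):
    """Return (errors, warnings) for a LAC/LNS configuration pair."""
    lac, lns = parse_blocks(lac_text), parse_blocks(lns_text)
    errors, warnings = [], []
    peer, profile = section(lac, "ike peer "), section(lns, "ike profile ")
    lac_name, lns_name = value(peer, "local-name "), value(peer, "remote-name ")
    # IKE identities: LAC remote-name <-> LNS fqdn; LAC local-name <-> LNS match clause and keychain.
    if lns_name != value(global_cmds(lns), "ike identity fqdn "):
        errors.append("LAC remote-name does not match the LNS 'ike identity fqdn'")
    if lac_name != value(profile, "match remote identity fqdn "):
        errors.append("LAC local-name does not match the LNS profile's remote identity")
    psk_host = value(section(lns, "ike keychain "), "pre-shared-key hostname ")
    if not psk_host or psk_host.split()[0] != lac_name:
        errors.append("LNS keychain has no pre-shared key for the LAC's hostname")
    # Same exchange mode on both sides; the LNS is behind a mapped address, so the
    # LAC must be able to switch to UDP/4500 encapsulation.
    mode = value(peer, "exchange-mode ")
    if mode != value(profile, "exchange-mode "):
        errors.append("IKE exchange-mode differs between LAC and LNS")
    if "nat traversal" not in peer:
        errors.append("LAC ike peer lacks 'nat traversal' although the LNS is behind NAT")
    # Transform sets: Comware 5 prints '3des', Comware 7 '3des-cbc'; compare the family.
    lac_ts, lns_ts = section(lac, "ipsec transform-set "), section(lns, "ipsec transform-set ")
    enc = (value(lac_ts, "esp encryption-algorithm ") or "").replace("-cbc", "")
    if enc != (value(lns_ts, "esp encryption-algorithm ") or "").replace("-cbc", ""):
        errors.append("ESP encryption algorithm differs")
    if value(lac_ts, "esp authentication-algorithm ") != value(lns_ts, "esp authentication-algorithm "):
        errors.append("ESP authentication algorithm differs")
    # L2TP: the tunnel name the LAC announces must be the one the LNS accepts.
    allow = value(section(lns, "l2tp-group "), "allow l2tp virtual-template ") or ""
    accepted = allow.split(" remote ")[-1].strip() if " remote " in allow else None
    if value(section(lac, "l2tp-group "), "tunnel name ") != accepted:
        errors.append("LAC tunnel name is not accepted by the LNS 'allow l2tp ... remote'")
    for name, cfg in (("LAC", lac), ("LNS", lns)):
        if "l2tp enable" not in global_cmds(cfg):
            errors.append(f"{name} is missing 'l2tp enable'")
    # Legacy choices worth reviewing even when the pair is consistent.
    if enc in ("des", "3des"):
        warnings.append(f"ESP uses {enc}; prefer AES")
    if mode == "aggressive":
        warnings.append("aggressive mode with a pre-shared key; prefer main mode or certificates")
    return errors, warnings
```

Run check_pair(LAC_CONFIG, LNS_CONFIG) to get an empty error list and the two warnings; editing a single value in either config (for example the LAC's remote-name, or dropping nat traversal) produces the corresponding error. The parser only understands the flat block layout the page's display output uses, which is enough for this pairing check.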

Part 1: Overview

First, let us set the two concepts straight.

IPsec over GRE means IPsec is inside and GRE is outside. The packets that need encryption are first encapsulated as IPsec packets, then placed into the GRE tunnel and sent to the peer device.

This is done by applying the IPsec policy to the Tunnel interface: the Tunnel interface watches for flows that match the access control list to decide whether the data needs encryption. Matching data is first encrypted and encapsulated as IPsec, then encapsulated as GRE and enters the tunnel; flows that are not in the access control list travel the GRE tunnel unencrypted, so some data crosses the network in an unprotected state.

GRE over IPsec is the reverse: GRE is inside and IPsec outside. The data is first encapsulated as GRE, then encapsulated as IPsec and sent to the peer device.

This is done by applying the IPsec policy to the physical interface and using the access control list to match the GRE flows that need encryption; matching GRE flows are encrypted and encapsulated as IPsec before being forwarded. This guarantees that every packet is encrypted, including tunnel establishment and the creation and exchange of routes.

Part 2: Configuration approach for IPsec over GRE and GRE over IPsec

First the configuration approach. The difference between the two configurations is that IPsec over GRE applies the IPsec encryption and encapsulation on the Tunnel interface and uses an ACL to match the data flows that need encryption, whereas GRE over IPsec applies it on the physical interface and uses an ACL to match the tunnel traffic that needs encryption.

Seen this way the latter is somewhat more secure, because IPsec then encrypts all data, including the tunnel packets themselves.

I therefore split the configuration into three steps so that it stays tidy: step 1, configure the public IP addresses and routes so the two devices' public addresses can ping each other; step 2, configure the GRE tunnel and verify that it comes up normally; step 3, create the IPsec encryption and apply it.

The topology is as follows (the diagram itself and all addresses are not preserved in this copy):

A: GRE over IPsec

R2 (acts as the Internet; it only needs to provide routing reachability):
interface Serial0/2/0
 ip address 24
interface Serial0/2/1
 ip address 24
interface 0/2/2
 ip address 24

R1:
Step 1: configure the public interface
interface Serial0/2/0
 ip address 24
ip route-static
Step 2: configure GRE
interface Tunnel0
 ip address 24
 source
 destination
ip route-static 0 Tunnel0
Step 3: configure IPsec
IKE configuration:
ike peer r1-r3
 pre-shared-key 12345
 remote-address
IPsec proposal:
ipsec proposal r1-r3
 encapsulation-mode tunnel/transport
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
ACL matching the flow:
acl number 3013
 rule 5 permit ip source 0 destination 0
IPsec policy:
ipsec policy r13 1 isakmp
 security acl 3013
 ike-peer r1-r3
 proposal r1-r3
Apply to the interface:
interface Serial0/2/0
 ipsec policy r13

R3:
Step 1: configure the public interface
interface Serial0/2/0
 ip address 24
ip route-static
Step 2: configure GRE
interface Tunnel0
 ip address 24
 source
 destination
ip route-static 0 Tunnel0
Step 3: configure IPsec
IKE configuration:
ike peer r3-r1
 pre-shared-key 12345
 remote-address
IPsec proposal:
ipsec proposal r3-r1
 encapsulation-mode tunnel/transport
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
ACL matching the flow:
acl number 3013
 rule 5 permit ip source 0 destination 0
IPsec policy:
ipsec policy r31 1 isakmp
 security acl 3013
 ike-peer r3-r1
 proposal r3-r1
Apply to the interface:
interface Serial0/2/0
 ipsec policy r31

B: IPsec over GRE

R2 (acts as the Internet; it only needs to provide routing reachability):
interface Serial0/2/0
 ip address 24
interface Serial0/2/1
 ip address 24
interface 0/2/2
 ip address 24

R1:
Step 1: configure the public interface
interface Serial0/2/0
 ip address 24
ip route-static
Step 2: configure GRE
interface Tunnel0
 ip address 24
 source
 destination
ip route-static 0 Tunnel0
Step 3: configure IPsec
IKE configuration:
ike peer r1-r3
 pre-shared-key 12345
 remote-address
IPsec proposal:
ipsec proposal r1-r3
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
ACL matching the flow:
acl number 3013
 rule 5 permit ip source 0 destination 0
IPsec policy:
ipsec policy r13 1 isakmp
 security acl 3013
 ike-peer r1-r3
 proposal r1-r3
Apply to the Tunnel interface:
interface Tunnel0
 ipsec policy r13

R3:
Step 1: configure the public interface
interface Serial0/2/0
 ip address 24
ip route-static
Step 2: configure GRE
interface Tunnel0
 ip address 24
 source
 destination
ip route-static 0 Tunnel0
Step 3: configure IPsec
IKE configuration:
ike peer r3-r1
 pre-shared-key 12345
 remote-address
IPsec proposal:
ipsec proposal r3-r1
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
ACL matching the flow:
acl number 3013
 rule 5 permit ip source 0 destination 0
IPsec policy:
ipsec policy r31 1 isakmp
 security acl 3013
 ike-peer r3-r1
 proposal r3-r1
Apply to the Tunnel interface:
interface Tunnel0
 ipsec policy r31

Part 3: Packet routing, forwarding and encapsulation in IPsec over GRE and GRE over IPsec

First, the forwarding process for GRE over IPsec.

R1 routing table (destination prefixes and next hops are not preserved in this copy):

display ip routing-table
Routing Tables: Public
        Destinations : 13        Routes : 13

Destination/Mask    Proto   Pre  Cost   NextHop   Interface
/0                  Static  60   0                S0/2/0
/24                 Direct  0    0                S0/2/0
/32                 Direct  0    0                InLoop0
/32                 Direct  0    0                S0/2/0
/8                  Direct  0    0                InLoop0
/32                 Direct  0    0                InLoop0
/32                 Direct  0    0                InLoop0
/32                 Static  60   0                Tun0
/32                 Static  60   0                Tun1
/24                 Direct  0    0                Tun0
/32                 Direct  0    0                InLoop0
/24                 Direct  0    0                Tun1
/32                 Direct  0    0                InLoop0

The forwarding process is as follows. For a packet sent to the remote network (address not preserved):

original packet matches the routing table -> Tunnel0 -> after GRE encapsulation the source is the local public address and the destination the peer's public address -> routed to the physical interface -> matches the ACL -> IPsec encryption and encapsulation -> peer
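The encapsulation order from Part 1 and the forwarding chain from Part 3 can be modelled in a few lines. The Python below is an added example, not code from the original document: it implements R1's two pipelines (route lookup, GRE encapsulation, ACL evaluation, ESP) as functions that return the on-wire header stack, outermost first. The public and private addresses, the routing table and the two ACLs are constructed to mirror the page's designs A and B and are assumptions, not the page's values. It shows the point the overview makes: with GRE over IPsec the policy on the physical interface matches the GRE packet between the two public addresses, so even traffic between the tunnel endpoints themselves (routing-protocol hellos, pings between Tunnel0 addresses) is encrypted, whereas with IPsec over GRE a flow the ACL does not cover still leaves through the tunnel in the clear.

```python
import ipaddress

# Constructed topology (documentation ranges, not the page's addresses):
# R1 LAN - R1 (Serial0/2/0) - R2 "Internet" - R3 - R3 LAN, GRE Tunnel0 between R1 and R3.
R1_PUBLIC, R3_PUBLIC = "198.51.100.1", "203.0.113.3"
R1_LAN, R3_LAN = "192.168.1.0/24", "192.168.3.0/24"
R1_TUN, R3_TUN = "10.0.0.1", "10.0.0.3"          # Tunnel0 addresses

# R1 routing table, constructed like the page's: the remote LAN and the tunnel
# subnet go via Tunnel0, everything else via the public interface.
R1_ROUTES = {"192.168.3.0/24": "Tunnel0", "10.0.0.0/24": "Tunnel0", "0.0.0.0/0": "Serial0/2/0"}

# Design A (GRE over IPsec): the policy on Serial0/2/0 matches the GRE packets
# between the two public addresses, i.e. the tunnel itself.
GRE_OVER_IPSEC_ACL = [(R1_PUBLIC + "/32", R3_PUBLIC + "/32", "gre")]
# Design B (IPsec over GRE): the policy on Tunnel0 matches only LAN-to-LAN traffic.
IPSEC_OVER_GRE_ACL = [(R1_LAN, R3_LAN, "ip")]


def lookup(routes, dst):
    """Longest-prefix match returning the outgoing interface name."""
    ip = ipaddress.ip_address(dst)
    matches = [n for n in routes if ip in ipaddress.ip_network(n)]
    return routes[max(matches, key=lambda n: ipaddress.ip_network(n).prefixlen)]


def acl_permits(rules, src, dst, proto):
    """First-match ACL; rules are (src_net, dst_net, proto or 'ip'); default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, p in rules:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net) and p in ("ip", proto):
            return True
    return False


def gre_over_ipsec(src, dst, proto, acl=GRE_OVER_IPSEC_ACL):
    """R1 pipeline from Part 3: route -> Tunnel0 -> GRE (public addresses) ->
    physical interface -> ACL -> ESP. Returns the on-wire headers, outermost first."""
    stack = [f"{proto} {src}->{dst}"]
    if lookup(R1_ROUTES, dst) == "Tunnel0":
        stack.insert(0, f"GRE {R1_PUBLIC}->{R3_PUBLIC}")
        src, dst, proto = R1_PUBLIC, R3_PUBLIC, "gre"
    if acl_permits(acl, src, dst, proto):           # policy bound to Serial0/2/0
        stack.insert(0, f"ESP {R1_PUBLIC}->{R3_PUBLIC}")
    return stack


def ipsec_over_gre(src, dst, proto, acl=IPSEC_OVER_GRE_ACL):
    """Pipeline with the policy bound to Tunnel0: route -> Tunnel0 -> ACL on the
    original packet -> ESP only if matched -> GRE. Unmatched flows ride GRE in the clear."""
    stack = [f"{proto} {src}->{dst}"]
    if lookup(R1_ROUTES, dst) != "Tunnel0":
        return stack                                # not tunnel traffic at all
    if acl_permits(acl, src, dst, proto):
        stack.insert(0, f"ESP {R1_TUN}->{R3_TUN}")  # tunnel-mode ESP between Tunnel0 addresses
    stack.insert(0, f"GRE {R1_PUBLIC}->{R3_PUBLIC}")
    return stack


def is_protected(stack):
    """True if an ESP header wraps the payload anywhere in the on-wire stack."""
    return any(layer.startswith("ESP") for layer in stack)


def compare(src, dst, proto):
    """Protection outcome of the same flow under both designs."""
    return {"gre_over_ipsec": is_protected(gre_over_ipsec(src, dst, proto)),
            "ipsec_over_gre": is_protected(ipsec_over_gre(src, dst, proto))}


if __name__ == "__main__":
    # LAN-to-LAN data is protected under both designs.
    print("LAN->LAN        ", compare("192.168.1.10", "192.168.3.10", "tcp"))
    # Traffic between the tunnel endpoints themselves is only encrypted by design A.
    print("Tunnel0->Tunnel0", compare(R1_TUN, R3_TUN, "ospf"))
```

The second comparison is the case the overview warns about: under IPsec over GRE the routing-protocol exchange between the Tunnel0 addresses is not in the LAN-to-LAN ACL, so it is forwarded as plain GRE, while under GRE over IPsec it is inside the GRE packet that the ACL matches and therefore inside ESP.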

 

The forwarding process for IPsec over GRE:

R1 routing table (destination prefixes and next hops are not preserved in this copy):

[r1] display ip routing-table
Routing Tables: Public
        Destinations : 13        Routes : 13

Destination/Mask    Proto   Pre  Cost   NextHop   Interface
/0                  Static  60   0                S0/2/0
/24                 Direct  0    0                S0/2/0
/32                 Direct  0    0                InLoop0
/32                 Direct  0    0                S0/2/0
/8                  Direct  0    0                InLoop0
/32                 Direct  0    0                InLoop0
/32                 Direct  0    0                InLoop0
/32                 Static  60   0                Tun0
/32
