Cisco VPN and Configuration Examples
Definition of a VPN
A virtual private network (VPN, Virtual Private Network) is a technique for building a private network on top of a public network.
It is called a virtual network because the connection between any two nodes of the VPN does not use the end-to-end physical link that a traditional private network requires. Instead, the VPN is a logical network built on the network platform offered by a public network service provider (such as the Internet, ATM or Frame Relay), and user data travels over these logical links.
Functions of a VPN
1. Interconnects networks through tunnels or virtual circuits
2. Supports user security management
3. Provides network monitoring and fault diagnosis
Advantages of a VPN solution
1. Cost savings:
It eliminates long-distance telephone charges and long-distance leased-line network charges, and can reduce a user's network application expenses by 30-25%.
2. Flexible choice and high speed:
Through the VPN gateway, users can choose among several Internet access technologies, and Internet capacity can be provisioned on demand;
3. Good security:
The VPN's authentication mechanism better protects user privacy and the integrity of the data sent and received;
4. Protection of existing investment:
VPN technology can be deployed on top of the user's existing firewall, and the application software already in use is unaffected.
How VPN technology works
1. A VPN system lets private networks located at different sites communicate securely across an untrusted public network.
2. According to rules set by the network administrator, the VPN device decides whether data must be encrypted or may pass through unchanged.
3. For data that must be encrypted, the VPN device encrypts the entire packet and attaches a digital signature.
4. The VPN device prepends a new packet header containing the security information and initialization parameters that the destination VPN device needs.
5. The VPN device re-encapsulates the encrypted data and the authentication data together with the source IP address and the destination VPN device's IP address; the re-encapsulated packet is then carried across the public network through the virtual tunnel.
6. When the packet reaches the destination VPN device, it is decapsulated, the digital signature is verified, and once the signature checks out the packet is decrypted.
VPN configuration examples
Intranet configuration:
Figure 3-8: Intranet VPN Scenario Physical Elements
Headquarters Router configuration
hq-sanjose# show running-config
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname hq-sanjose
!
boot system flash bootflash:
boot bootldr bootflash:c7100-boot-mz.120-1.1.T
boot config slot0:hq-sanjose-cfg-small
no logging buffered
!
crypto isakmp policy 1
 authentication pre-share
 lifetime 84600
crypto isakmp key test12345 address 172.24.2.5
!
crypto ipsec transform-set proposal1 ah-sha-hmac esp-des esp-sha-hmac
 mode transport
!
!
crypto map s1first local-address Serial1/0
crypto map s1first 1 ipsec-isakmp
 set peer 172.24.2.5
 set transform-set proposal1
 match address 101
!
interface Tunnel0
 bandwidth 180
 ip address 172.17.3.3 255.255.255.0
 no ip directed-broadcast
 tunnel source 172.17.2.4
 tunnel destination 172.24.2.5
 crypto map s1first
!
interface FastEthernet0/0
 ip address 10.1.3.3 255.255.255.0
 no ip directed-broadcast
 no keepalive
 full-duplex
 no cdp enable
!
interface FastEthernet0/1
 ip address 10.1.6.4 255.255.255.0
 no ip directed-broadcast
 no keepalive
 full-duplex
 no cdp enable
!
interface Serial1/0
 ip address 172.17.2.4 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 no keepalive
 fair-queue 64 256 0
 framing c-bit
 cablelength 10
 dsu bandwidth 44210
 clock source internal
 no cdp enable
 crypto map s1first
!
ip route 10.1.4.0 255.255.255.0 Tunnel0
!
access-list 101 permit gre host 172.17.2.4 host 172.24.2.5
!
line con 0
 transport input none
line aux 0
line vty 0 4
 login
!
end
Remote Office Router configuration:
ro-rtp# show running-config
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ro-rtp
!
boot system flash bootflash:
boot bootldr bootflash:c7100-boot-mz.120-1.1.T
boot config slot0:ro-rtp-cfg-small
no logging buffered
!
crypto isakmp policy 1
 authentication pre-share
 lifetime 84600
crypto isakmp key test12345 address 172.17.2.4
!
crypto ipsec transform-set proposal1 ah-sha-hmac esp-des esp-sha-hmac
 mode transport
!
!
crypto map s1first local-address Serial1/0
crypto map s1first 1 ipsec-isakmp
 set peer 172.17.2.4
 set transform-set proposal1
 match address 101
!
interface Tunnel1
 bandwidth 180
 ip address 172.24.3.6 255.255.255.0
 no ip directed-broadcast
 tunnel source 172.24.2.5
 tunnel destination 172.17.2.4
 crypto map s1first
!
interface FastEthernet0/0
 ip address 10.1.4.2 255.255.255.0
 no ip directed-broadcast
 no keepalive
 full-duplex
 no cdp enable
!
interface Serial1/0
 ip address 172.24.2.5 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 no keepalive
 fair-queue 64 256 0
 framing c-bit
 cablelength 10
 dsu bandwidth 44210
 clock source internal
 no cdp enable
 crypto map s1first
!
ip route 10.1.3.0 255.255.255.0 Tunnel1
ip route 10.1.6.0 255.255.255.0 Tunnel1
!
access-list 101 permit gre host 172.24.2.5 host 172.17.2.4
!
line con 0
 transport input none
line aux 0
line vty 0 4
 login
!
end
Extranet configuration:
Figure 3-9: Extranet VPN Scenario Physical Elements
Headquarters Router configuration:
hq-sanjose# show running-config
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname hq-sanjose
!
boot system flash bootflash:
boot bootldr bootflash:c7100-boot-mz.120-1.1.T
boot config slot0:hq-sanjose-cfg-small
no logging buffered
!
crypto isakmp policy 1
 authentication pre-share
 lifetime 84600
crypto isakmp key test12345 address 172.24.2.5
crypto isakmp key test67890 address 172.23.2.7
!
crypto ipsec transform-set proposal1 ah-sha-hmac esp-des esp-sha-hmac
 mode transport
!
crypto ipsec transform-set proposal4 ah-sha-hmac esp-des esp-sha-hmac
!
!
crypto map s1first local-address Serial1/0
crypto map s1first 1 ipsec-isakmp
 set peer 172.24.2.5
 set transform-set proposal1
 match address 101
!
crypto map s4second local-address Serial2/0
crypto map s4second 2 ipsec-isakmp
 set peer 172.23.2.7
 set transform-set proposal4
 match address 111
!
interface Tunnel0
 bandwidth 180
 ip address 172.17.3.3 255.255.255.0
 no ip directed-broadcast
 tunnel source 172.17.2.4
 tunnel destination 172.24.2.5
 crypto map s1first
!
interface FastEthernet0/0
 ip address 10.1.3.3 255.255.255.0
 no ip directed-broadcast
 no keepalive
 full-duplex
 no cdp enable
!
interface FastEthernet0/1
 ip address 10.1.6.4 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 no keepalive
 full-duplex
 no cdp enable
!
interface Serial1/0
 ip address 172.17.2.4 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 no keepalive
 fair-queue 64 256 0
 framing c-bit
 cablelength 10
 dsu bandwidth 44210
 clock source internal
 no cdp enable
 crypto map s1first
!
interface Serial2/0
 ip address 172.16.2.2 255.255.255.0
 no ip directed-broadcast
 ip nat outside
 no ip mroute-cache
 no keepalive
 fair-queue 64 256 0
 framing c-bit
 cablelength 10
 dsu bandwidth 44210
 clock source internal
 no cdp enable
 crypto map s4second
!
router bgp 10
 network 10.2.2.2 mask 255.255.255.0
 network 172.16.2.0 mask 255.255.255.0
!
ip route 10.1.4.0 255.255.255.0 Tunnel0
!
ip nat inside source static 10.1.6.5 10.2.2.2
!
access-list 101 permit gre host 172.17.2.4 host 172.24.2.5
access-list 111 permit ip host 10.2.2.2 host 10.1.5.3
!
line con 0
 transport input none
line aux 0
line vty 0 4
 login
!
end
Business Partner Router configuration:
bus-ptnr# show running-config
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname bus-ptnr
!
boot system flash bootflash:
boot bootldr bootflash:c7100-boot-mz.120-1.1.T
boot config slot0:bus-ptnr-cfg-small
no logging buffered
!
crypto isakmp policy 1
 authentication pre-share
 lifetime 84600
crypto isakmp key test67890 address 172.16.2.2
!
crypto ipsec transform-set proposal4 ah-sha-hmac esp-des esp-sha-hmac
!
!
crypto map s4second local-address Serial1/0
crypto map s4second 2 ipsec-isakmp
 set peer 172.16.2.2
 set transform-set proposal4
 match address 111
!
interface FastEthernet0/0
 ip address 10.1.5.2 255.255.255.0
 no ip directed-broadcast
 no keepalive
 full-duplex
 no cdp enable
!
interface Serial1/0
 ip address 172.23.2.7 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 no keepalive
 fair-queue 64 256 0
 framing c-bit
 cablelength 10
 dsu bandwidth 44210
 clock source internal
 no cdp enable
 crypto map s4second
!
router bgp 10
 network 10.1.5.0 mask 255.255.255.0
 network 172.16.2.0 mask 255.255.255.0
!
access-list 111 permit ip host 10.1.5.3 host 10.2.2.2
!
line con 0
 transport input none
line aux 0
line vty 0 4
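Each pair of peers above (hq-sanjose with ro-rtp for the Intranet, hq-sanjose with bus-ptnr for the Extranet) must agree on the pre-shared key, the transform set and a mirrored crypto ACL, or the IPsec SA never comes up. The following Python audit is an added example, not part of the original document or of Cisco's own material: it parses constructed excerpts of the Intranet pair and reports any mismatch, and it flags esp-des, which every transform set on this page proposes. The names parse and audit_pair are assumptions of this example; the Extranet pair can be checked by feeding it the hq-sanjose and bus-ptnr lines with 172.16.2.2 and 172.23.2.7 as the WAN addresses.

```python
import re

# Constructed excerpts of the two Intranet peer configs shown on this page
# (hq-sanjose and ro-rtp), trimmed to the lines the audit needs.
HQ_CFG = """
crypto isakmp key test12345 address 172.24.2.5
crypto ipsec transform-set proposal1 ah-sha-hmac esp-des esp-sha-hmac
access-list 101 permit gre host 172.17.2.4 host 172.24.2.5
"""
RO_CFG = """
crypto isakmp key test12345 address 172.17.2.4
crypto ipsec transform-set proposal1 ah-sha-hmac esp-des esp-sha-hmac
access-list 101 permit gre host 172.24.2.5 host 172.17.2.4
"""

def parse(cfg):
    """Pull pre-shared keys, transform sets and crypto ACL entries out of IOS config text."""
    keys, tsets, acls = {}, {}, set()
    for line in cfg.splitlines():
        if m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
            keys[m[2]] = m[1]                   # peer address -> key
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            tsets[m[1]] = tuple(m[2].split())   # set name -> algorithms
        elif m := re.match(r"access-list \d+ permit (\S+) host (\S+) host (\S+)", line):
            acls.add((m[1], m[2], m[3]))        # (protocol, src, dst)
    return keys, tsets, acls

def audit_pair(local_cfg, local_wan, peer_cfg, peer_wan):
    """Return findings for one IPsec peering; empty means consistent with no weak ciphers."""
    findings = []
    lk, lt, la = parse(local_cfg)
    pk, pt, pa = parse(peer_cfg)
    # Each side stores the secret under the *other* side's address; both values must match.
    if lk.get(peer_wan) is None or lk.get(peer_wan) != pk.get(local_wan):
        findings.append("pre-shared key missing or mismatched")
    # The crypto ACL on one side must be the exact mirror (src/dst swapped) of the other's.
    if la != {(proto, dst, src) for proto, src, dst in pa}:
        findings.append("crypto ACL is not mirrored")
    # A transform set both peers define must propose the same algorithms.
    for name in lt.keys() & pt.keys():
        if lt[name] != pt[name]:
            findings.append(f"transform-set {name} differs between peers")
    # esp-des is single DES (56-bit key); flag it so it can be replaced.
    for name, algs in lt.items():
        if "esp-des" in algs:
            findings.append(f"transform-set {name} uses esp-des")
    return findings

if __name__ == "__main__":
    print(audit_pair(HQ_CFG, "172.17.2.4", RO_CFG, "172.24.2.5"))
```

For the page's Intranet pair the only finding is the esp-des one; change the key, ACL or transform set on either side and the corresponding mismatch is reported.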