Original: Configuring VPN on Cisco Routers: Adding a New L2L VPN to the L2L VPN Hub

Source: original to this site. Category: VPN

This document walks you step by step through adding a new L2L (LAN-to-LAN, site-to-site) VPN tunnel to a hub that already terminates one.

Prerequisites:

Confirm that an L2L VPN is already configured on the hub and is working normally.

Device versions

· Router IOS versions 12.4 and 12.2 (the BO2 running-config captured below reports version 12.1)

· ASA version 8.0(2)

This configuration was built in a lab; every device started from a cleared configuration when this document was written.

If your devices are in production, make sure you understand the configuration before applying it. Lab conveniences such as ip http server, no service password-encryption and the shared pre-shared key cisco123 do not belong on production devices.

 

Topology

[Figure: lab topology (clip_image001)]

The configurations below were exported from the hub and the spoke device of the existing L2L VPN.

This is the configuration of the existing L2L tunnel between HQ and BO1.

Current HQ (HUB) Router Configuration

HQ_HUB#show running-config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname HQ_HUB
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
ip cef
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 192.168.11.2
!
crypto ipsec transform-set newset esp-3des esp-md5-hmac
!
crypto map map1 5 ipsec-isakmp
 set peer 192.168.11.2
 set transform-set newset
 match address VPN_BO1
!
interface Ethernet0/0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
interface Serial2/0
 ip address 192.168.10.10 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 clock rate 64000
 crypto map map1
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.10.1
!
ip nat inside source route-map nonat interface Serial2/0 overload
!
ip access-list extended NAT_Exempt
 deny ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
ip access-list extended VPN_BO1
 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
!
route-map nonat permit 10
 match ip address NAT_Exempt
BO1 ASA Configuration

CiscoASA#show running-config
ASA Version 8.0(2)
!
hostname CiscoASA
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
interface Ethernet1
 nameif outside
 security-level 0
 ip address 192.168.11.2 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list 100 extended permit ip 172.16.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 172.16.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list ICMP extended permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
! corrected: the BO1 inside network is 172.16.1.0/24; the captured line read 10.10.10.0,
! which never matches traffic arriving on inside, so Internet-bound traffic was not PATed
nat (inside) 1 172.16.1.0 255.255.255.0
access-group ICMP in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.11.1 1
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set newset esp-3des esp-md5-hmac
crypto map map1 5 match address 100
crypto map map1 5 set peer 192.168.10.10
crypto map map1 5 set transform-set newset
crypto map map1 interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
service-policy global_policy global
tunnel-group 192.168.10.10 type ipsec-l2l
tunnel-group 192.168.10.10 ipsec-attributes
 pre-shared-key *
! show running-config masks the key; it must equal the key HQ_HUB holds for
! 192.168.11.2 (cisco123 in this lab), or Phase 1 fails
Scenario

HQ and BO1 already have an L2L VPN between them.

Your company is opening a new branch office, BO2, which must also connect to headquarters.

There is one further requirement: all employees must be able to work from home. This page covers only the BO2 site-to-site tunnel; the remote-access part is not configured here.

[Figure: target topology with BO2 added (clip_image002)]

Before you start, confirm that HQ's existing L2L VPN is configured and working.

 

Complete the following steps on HQ_HUB:

1. Create a new ACL (the interesting traffic) for the crypto map:

HQ_HUB(config)#ip access-list extended VPN_BO2
HQ_HUB(config-ext-nacl)#permit ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
HQ_HUB(config-ext-nacl)#exit

2. Exempt the interesting traffic from NAT (the IOS route-map equivalent of the ASA's nat 0). NAT_Exempt already ends with "permit ip 10.10.10.0 0.0.0.255 any", and an entry typed without a sequence number is appended after that permit, where it is never reached: BO2 traffic would then be translated before encryption and never match VPN_BO2. Give the new deny a sequence number that places it ahead of the permit (IOS numbered the existing entries 10 and 20):

HQ_HUB(config)#ip access-list extended NAT_Exempt
HQ_HUB(config-ext-nacl)#15 deny ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
HQ_HUB(config-ext-nacl)#exit

Check with "show access-lists NAT_Exempt" that both deny lines are listed before the permit. The route map and the NAT statement that use this ACL already exist from the BO1 tunnel; they are repeated here for completeness, and re-entering them is harmless:

HQ_HUB(config)#route-map nonat permit 10
HQ_HUB(config-route-map)#match ip address NAT_Exempt
HQ_HUB(config)#ip nat inside source route-map nonat interface Serial2/0 overload

3. Phase 1: define the pre-shared key for the new peer:

HQ_HUB(config)#crypto isakmp key cisco123 address 192.168.12.2

The key must be identical on both ends. The lab reuses cisco123 for both spokes; in production give each peer its own strong key.

4. Add a crypto map entry for the new tunnel. It goes into the existing map1 (already applied to Serial2/0) under a new sequence number, because an interface can carry only one crypto map. It reuses the transform set of the BO1 tunnel, so BO2 must be configured with the same Phase 2 settings:

HQ_HUB(config)#crypto map map1 10 ipsec-isakmp
HQ_HUB(config-crypto-map)#set peer 192.168.12.2
HQ_HUB(config-crypto-map)#set transform-set newset
HQ_HUB(config-crypto-map)#match address VPN_BO2

5. The tunnel is now configured, but it only comes up once interesting traffic is sent. Use an extended ping sourced from a local LAN address to a remote LAN address; in this example, a ping sourced from 10.20.20.16 toward a host in 10.10.10.0/24 brings up the tunnel between HQ and BO2. Verify with "show crypto isakmp sa" (the peer should be in state QM_IDLE) and "show crypto ipsec sa" (the encaps and decaps counters should increase). HQ now has two tunnels.
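As an added example (not code from the original article), the following Python script performs the checks that steps 1 to 4 depend on, against the text of a saved show running-config: that every crypto map peer has an ISAKMP key, that the interesting traffic is not translated by the NAT route-map before encryption (exactly what happens when the NAT_Exempt deny lands after "permit ip ... any"), and that a spoke's crypto ACL mirrors the hub's. It assumes the conventions used on this page: IOS syntax (not ASA), wildcard masks, ip-only ACEs, and NAT driven by ip nat inside source route-map, where a deny in the matched ACL means "do not translate". The HUB and BO2 snippets are constructed, not captured from a device; HUB deliberately contains the shadowed deny and lacks the BO2 key.

```python
"""IOS hub-and-spoke L2L VPN config sanity checks. Added example, not code from the
original article. It parses crypto ACLs, crypto map entries, ISAKMP keys and the NAT
route-map, then reports (1) a crypto map peer with no pre-shared key, (2) interesting
traffic the NAT route-map would still translate, e.g. a NAT_Exempt deny typed after
"permit ip ... any", and (3) a spoke crypto ACL that does not mirror the hub's."""
import ipaddress
from typing import NamedTuple

class Ace(NamedTuple):
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def _endpoint(tok):
    """Consume one ACL endpoint from tok: 'any' or 'ADDR WILDCARD'."""
    t = tok.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    wc = tok.pop(0)  # wildcard 0.0.0.0 = one host; ipaddress reads 0.x.x.x as a host mask
    return ipaddress.ip_network(t + "/32" if wc == "0.0.0.0" else f"{t}/{wc}", strict=False)

def _add(acl, tok):
    tok = tok[1:] if tok and tok[0].isdigit() else tok        # optional sequence number
    if len(tok) >= 4 and tok[0] in ("permit", "deny") and tok[1] == "ip":  # skips remarks
        rest = tok[2:]
        acl.append(Ace(tok[0], _endpoint(rest), _endpoint(rest)))

def parse_config(text):
    """-> {'acls': name -> [Ace], 'peers': peer -> crypto ACL name, 'keys', 'nat_acl'}"""
    acls, maps, keys, rmaps = {}, {}, set(), {}
    nat_rm = cur_acl = cur_map = cur_rm = None
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "!":
            continue
        if not line.startswith(" "):              # a top-level command ends any sub-mode
            cur_acl = cur_map = cur_rm = None
        if tok[:3] == ["ip", "access-list", "extended"]:
            cur_acl = acls.setdefault(tok[3], [])
        elif tok[0] == "access-list":             # numbered ACL: one ACE per line
            _add(acls.setdefault(tok[1], []), tok[2:])
        elif cur_acl is not None:
            _add(cur_acl, tok)
        elif tok[:2] == ["crypto", "map"] and len(tok) > 4 and tok[3].isdigit():
            cur_map = maps.setdefault((tok[2], tok[3]), {})
        elif cur_map is not None and tok[:2] in (["set", "peer"], ["match", "address"]):
            cur_map[tok[1]] = tok[2]
        elif tok[:3] == ["crypto", "isakmp", "key"] and "address" in tok:
            keys.add(tok[tok.index("address") + 1])
        elif tok[0] == "route-map":
            cur_rm = tok[1]
        elif cur_rm and tok[:3] == ["match", "ip", "address"]:
            rmaps[cur_rm] = tok[3]
        elif tok[:5] == ["ip", "nat", "inside", "source", "route-map"]:
            nat_rm = tok[5]
    peers = {m["peer"]: m["address"] for m in maps.values() if "peer" in m and "address" in m}
    return {"acls": acls, "peers": peers, "keys": keys, "nat_acl": rmaps.get(nat_rm)}

def lint(cfg):
    """Checks 1 and 2 for every crypto map entry; an empty list means the plumbing is sane."""
    out, nat_acl = [], cfg["acls"].get(cfg["nat_acl"], [])
    for peer, name in cfg["peers"].items():
        if peer not in cfg["keys"]:
            out.append(f"{peer}: no crypto isakmp key configured for this peer")
        for a in cfg["acls"].get(name, []):
            # route-map NAT: permit = translate, so the flow must hit a deny (or nothing) first
            hit = next((n.action for n in nat_acl
                        if a.src.subnet_of(n.src) and a.dst.subnet_of(n.dst)), None)
            if a.action == "permit" and hit == "permit":
                out.append(f"{peer}: {a.src} -> {a.dst} is translated by NAT before encryption")
    return out

def mirror_findings(hub_acl, spoke_acl):
    """Check 3: every hub permit must appear on the spoke with src and dst swapped."""
    spoke = {(a.src, a.dst) for a in spoke_acl if a.action == "permit"}
    return [f"spoke lacks permit ip {a.dst} -> {a.src}"
            for a in hub_acl if a.action == "permit" and (a.dst, a.src) not in spoke]

# Constructed hub config: the BO2 entry has no ISAKMP key and its NAT_Exempt deny was
# typed after "permit ip ... any", so the deny is shadowed and BO2 traffic gets NATed.
HUB = """\
crypto map map1 10 ipsec-isakmp
 set peer 192.168.12.2
 match address VPN_BO2
ip nat inside source route-map nonat interface Serial2/0 overload
ip access-list extended NAT_Exempt
 permit ip 10.10.10.0 0.0.0.255 any
 deny ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
ip access-list extended VPN_BO2
 permit ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
route-map nonat permit 10
 match ip address NAT_Exempt
"""
# Constructed BO2 spoke ACLs (numbered, as on the article's BO2 router).
BO2 = """\
access-list 100 permit ip 10.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 150 deny ip 10.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 150 permit ip 10.20.20.0 0.0.0.255 any
"""
```

lint(parse_config(HUB)) returns two findings for 192.168.12.2: no key, and 10.10.10.0/24 -> 10.20.20.0/24 translated before encryption. Swapping the two NAT_Exempt lines and adding the key line yields an empty list. mirror_findings on the hub's VPN_BO2 and the spoke's ACL 100 returns nothing, while against ACL 150 (the NAT ACL, whose only permit is to any) it reports the missing mirror entry.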

 

Example Configuration

HQ_HUB: configuration after adding the new L2L VPN tunnel

HQ_HUB#show running-config
Building configuration...

Current configuration : 2230 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HQ_HUB
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
ip cef
!
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 group 2
crypto isakmp key cisco123 address 192.168.11.2
crypto isakmp key cisco123 address 192.168.12.2
!
crypto ipsec transform-set newset esp-3des esp-md5-hmac
!
crypto map map1 5 ipsec-isakmp
 set peer 192.168.11.2
 set transform-set newset
 match address VPN_BO1
crypto map map1 10 ipsec-isakmp
 set peer 192.168.12.2
 set transform-set newset
 match address VPN_BO2
!
interface Ethernet0/0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Serial2/0
 ip address 192.168.10.10 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 clock rate 64000
 crypto map map1
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.10.1
!
ip nat inside source route-map nonat interface Serial2/0 overload
!
ip access-list extended NAT_Exempt
 deny ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
 deny ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
ip access-list extended VPN_BO1
 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
ip access-list extended VPN_BO2
 permit ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
!
route-map nonat permit 10
 match ip address NAT_Exempt
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
end

HQ_HUB#
BO2 L2L VPN Tunnel Configuration

BO2#show running-config
Building configuration...

Current configuration : 1212 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname BO2
!
ip subnet-zero
!
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 group 2
crypto isakmp key cisco123 address 192.168.10.10
!
crypto ipsec transform-set newset esp-3des esp-md5-hmac
!
crypto map map1 5 ipsec-isakmp
 set peer 192.168.10.10
 set transform-set newset
 match address 100
!
interface Ethernet0
 ip address 10.20.20.10 255.255.255.0
 ip nat inside
!
interface Ethernet1
 ip address 192.168.12.2 255.255.255.0
 ip nat outside
 crypto map map1
!
interface Serial0
 no ip address
 no fair-queue
!
interface Serial1
 no ip address
 shutdown
!
ip nat inside source route-map nonat interface Ethernet1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.12.1
ip http server
!
access-list 100 permit ip 10.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 150 deny ip 10.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 150 permit ip 10.20.20.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 150
!
line con 0
line aux 0
line vty 0 4
 login
!
end

BO2#
Article from: CCIE那点事 http://www.jdccie.com/. All rights reserved. Unless a source is noted, articles on this site are the author's original work; they may be freely quoted with attribution, but reposting in full is prohibited.
Link to this article: http://www.jdccie.com/?p=1842. Please credit CCIE那点事 when reposting.