Original: Configuring a VPN on a Cisco router: adding a remote-access VPN to an existing L2L VPN server

Source: original article on this site. Category: VPN.

The topology is as follows:

[topology diagram: clip_image001]

This example uses a technique called split tunneling. It lets specific traffic from the IPsec remote-access client, selected by an ACL, go through the encrypted tunnel while everything else bypasses it. With split tunneling enabled, traffic that is not destined for the VPN peer is not encrypted. It is disabled by default, in which case all client traffic is encrypted: you can reach the company's internal applications, but not the Internet.

The configuration steps follow.

The configuration below lets a remote VPN user reach all sites, including the branch offices.

Full steps:

1. Create a separate IP address pool for VPN clients to use on the VPN tunnel, and create the corresponding username and password.

HQ_HUB(config)#ip local pool ippool 10.10.120.10 10.10.120.50
HQ_HUB(config)#username vpnuser password 0 vpnuser123

2. Keep the specified traffic out of NAT (traffic that goes over the VPN must not be translated).

HQ_HUB(config)#ip access-list extended NAT_Exempt
HQ_HUB(config-ext-nacl)#deny ip 10.10.10.0 0.0.0.255 10.10.120.0 0.0.0.255
HQ_HUB(config-ext-nacl)#deny ip 10.10.120.0 0.0.0.255 10.20.20.0 0.0.0.255
HQ_HUB(config-ext-nacl)#deny ip 10.10.120.0 0.0.0.255 172.16.1.0 0.0.0.255
HQ_HUB(config-ext-nacl)#permit ip 10.10.10.0 0.0.0.255 any
HQ_HUB(config-ext-nacl)#exit

The deny entries come first because the first matching entry wins. Use the wildcard form on the final permit rather than host 10.10.10.0: the host keyword matches only the single address 10.10.10.0, so no LAN host would ever be translated and the LAN would lose Internet access.

Use a route-map to reference the ACL and attach it to NAT:

HQ_HUB(config)#route-map nonat permit 10
HQ_HUB(config-route-map)#match ip address NAT_Exempt
HQ_HUB(config-route-map)#exit
HQ_HUB(config)#ip nat inside source route-map nonat interface Serial2/0 overload

 

3. Allow the L2L sites and the VPN users to communicate. The 10.10.120.0/24 pool is added to the interesting-traffic ACLs of the two existing L2L tunnels:

HQ_HUB(config)#ip access-list extended VPN_BO1
HQ_HUB(config-ext-nacl)#permit ip 10.10.120.0 0.0.0.255 172.16.1.0 0.0.0.255
HQ_HUB(config-ext-nacl)#exit
HQ_HUB(config)#ip access-list extended VPN_BO2
HQ_HUB(config-ext-nacl)#permit ip 10.10.120.0 0.0.0.255 10.20.20.0 0.0.0.255
HQ_HUB(config-ext-nacl)#exit

Note: these ACLs use wildcard (inverse) masks, so 0.0.0.255 means a /24.

4. Configure split tunneling.

The ACL must exist on the router before you reference it in the client group; otherwise the router reports an error.

In this example the access-list split_tunnel sends the 10.10.10.0/24, 10.20.20.0/24 and 172.16.1.0/24 networks through the tunnel; traffic to any destination other than these three networks is not encrypted. The entries are written from the router's side: source = protected network, destination = client pool.

HQ_HUB(config)#ip access-list extended split_tunnel
HQ_HUB(config-ext-nacl)#permit ip 10.10.10.0 0.0.0.255 10.10.120.0 0.0.0.255
HQ_HUB(config-ext-nacl)#permit ip 10.20.20.0 0.0.0.255 10.10.120.0 0.0.0.255
HQ_HUB(config-ext-nacl)#permit ip 172.16.1.0 0.0.0.255 10.10.120.0 0.0.0.255
HQ_HUB(config-ext-nacl)#exit

5. Configure local authentication and authorization, and the client attributes: the VPN clients' WINS and DNS servers, the address pool, and the split-tunnel ACL.

HQ_HUB(config)#aaa new-model
HQ_HUB(config)#aaa authentication login userauthen local
HQ_HUB(config)#aaa authorization network groupauthor local
HQ_HUB(config)#crypto isakmp client configuration group vpngroup
HQ_HUB(config-isakmp-group)#key cisco123
HQ_HUB(config-isakmp-group)#dns 10.10.10.10
HQ_HUB(config-isakmp-group)#wins 10.10.10.20
HQ_HUB(config-isakmp-group)#domain cisco.com
HQ_HUB(config-isakmp-group)#pool ippool
HQ_HUB(config-isakmp-group)#acl split_tunnel
HQ_HUB(config-isakmp-group)#exit

6. Creating the VPN tunnel requires the dynamic map and crypto map configuration: an ISAKMP profile that ties the client group to the AAA lists, a dynamic map that references the profile, and a dynamic entry in crypto map map1, which is then applied to the outside interface.

HQ_HUB(config)#crypto isakmp profile vpnclient
HQ_HUB(conf-isa-prof)#match identity group vpngroup
HQ_HUB(conf-isa-prof)#client authentication list userauthen
HQ_HUB(conf-isa-prof)#isakmp authorization list groupauthor
HQ_HUB(conf-isa-prof)#client configuration address respond
HQ_HUB(conf-isa-prof)#exit
HQ_HUB(config)#crypto dynamic-map dynmap 10
HQ_HUB(config-crypto-map)#set transform-set newset
HQ_HUB(config-crypto-map)#set isakmp-profile vpnclient
HQ_HUB(config-crypto-map)#reverse-route
HQ_HUB(config-crypto-map)#exit
HQ_HUB(config)#crypto map map1 65535 ipsec-isakmp dynamic dynmap
HQ_HUB(config)#interface serial 2/0
HQ_HUB(config-if)#crypto map map1

The dynamic entry takes sequence number 65535 so that the static L2L entries (5 and 10) are checked first; reverse-route installs a route for each connected client's pool address so that branch traffic can be returned through the hub.
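The checks behind steps 2 to 6 (wildcard masks, NAT exemption, the split_tunnel ACL and the order in which the crypto map entries are evaluated) can be exercised offline. The following Python script is an added example for this article, not code from the original post or from the router: it works from a constructed copy of the ACLs in this configuration and from the crypto map sequence numbers 5, 10 and 65535, and every function name in it is a hypothetical helper. It walks a packet the way the hub does on the outbound interface (NAT first, then the crypto map) and reports any network in split_tunnel whose pool traffic would be translated or is not covered by a static crypto ACL.

```python
"""Offline check of the HQ_HUB split-tunnel design: wildcard-mask ACLs, NAT
exemption through route-map nonat, and crypto map map1 walked in sequence order.
Added example for this article, not the router's code and not from the original
post.  ACLS_TEXT is a constructed copy of the page's ACLs; all functions are hypothetical helpers."""
import ipaddress

ACLS_TEXT = """
ip access-list extended NAT_Exempt
 deny ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
 deny ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
 deny ip 10.10.10.0 0.0.0.255 10.10.120.0 0.0.0.255
 deny ip 10.10.120.0 0.0.0.255 10.20.20.0 0.0.0.255
 deny ip 10.10.120.0 0.0.0.255 172.16.1.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
ip access-list extended VPN_BO1
 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
 permit ip 10.10.120.0 0.0.0.255 172.16.1.0 0.0.0.255
ip access-list extended VPN_BO2
 permit ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
 permit ip 10.10.120.0 0.0.0.255 10.20.20.0 0.0.0.255
ip access-list extended split_tunnel
 permit ip 10.10.10.0 0.0.0.255 10.10.120.0 0.0.0.255
 permit ip 10.20.20.0 0.0.0.255 10.10.120.0 0.0.0.255
 permit ip 172.16.1.0 0.0.0.255 10.10.120.0 0.0.0.255
"""
ANY = ipaddress.ip_network("0.0.0.0/0")
POOL = ipaddress.ip_network("10.10.120.0/24")
CRYPTO_MAP = [(5, "VPN_BO1"), (10, "VPN_BO2")]  # static entries; 65535 is the dynamic one


def parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; a wildcard is the inverse mask (0 = must match)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tokens[1])))
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]


def parse_acls(text):
    """Map each 'ip access-list extended NAME' block to [(action, src_net, dst_net)]."""
    acls, name = {}, None
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:3] == ["ip", "access-list", "extended"]:
            name = tokens[3]
            acls[name] = []
        elif tokens:                                  # tokens[1] is the protocol ('ip')
            src, rest = parse_addr(tokens[2:])
            dst, _ = parse_addr(rest)
            acls[name].append((tokens[0], src, dst))
    return acls


def acl_action(acl, src, dst):
    """First matching entry wins; no match is the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action
    return "deny"


def is_translated(acls, src, dst):
    """route-map nonat permits only what NAT_Exempt permits; a deny there keeps the real source."""
    return acl_action(acls["NAT_Exempt"], src, dst) == "permit"


def crypto_entry_for(acls, src, dst):
    """Sequence number of the first static map1 entry whose ACL matches, else None."""
    for seq, acl_name in CRYPTO_MAP:
        if acl_action(acls[acl_name], src, dst) == "permit":
            return seq
    return None


def outbound_fate(acls, src, dst):
    """Inside-to-outside IOS applies NAT before the crypto map: a translated packet leaves in the clear."""
    if is_translated(acls, src, dst):
        return "nat+clear"
    seq = crypto_entry_for(acls, src, dst)
    return f"encrypt:{seq}" if seq else "clear"


def check_pool_coverage(acls):
    """Each network split_tunnel sends through the tunnel must be NAT-exempt for pool traffic in
    both directions, and remote sites need a static L2L crypto ACL.  Empty result = consistent."""
    gaps, client = [], POOL[10]                       # 10.10.120.10
    for action, protected, pool in acls["split_tunnel"]:
        if action != "permit" or pool != POOL:
            continue
        host = protected[1]
        if is_translated(acls, client, host) or is_translated(acls, host, client):
            gaps.append(f"{protected}: pool traffic would be NATed")
        if protected != ipaddress.ip_network("10.10.10.0/24") and crypto_entry_for(acls, client, host) is None:
            gaps.append(f"{protected}: no static crypto ACL covers pool -> site")
    return gaps


if __name__ == "__main__":
    acls = parse_acls(ACLS_TEXT)
    # Constructed "before step 2" state: only the two old L2L denies, then a blanket permit.
    before = dict(acls, NAT_Exempt=acls["NAT_Exempt"][:2] + [("permit", ANY, ANY)])
    print(outbound_fate(acls, "10.10.10.5", "172.16.1.2"), outbound_fate(acls, "10.10.10.5", "8.8.8.8"))
    print(check_pool_coverage(acls), check_pool_coverage(before))
```

Run as a script, the constructed "before step 2" NAT ACL reports three gaps, one for each deny line that step 2 adds, and the finished configuration reports none; LAN-to-branch traffic is assigned to entry 5 or 10, while LAN-to-Internet traffic is translated and sent in the clear, which is exactly the split the article wants.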
Example configuration (HQ_HUB running-config):
HQ_HUB#show running-config
Building configuration...

Current configuration : 3524 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HQ_HUB
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
!
!
ip cef
!
!
!--- Output is suppressed
!
username vpnuser password 0 vpnuser123
!
!
!
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 group 2
crypto isakmp key cisco123 address 192.168.11.2
crypto isakmp key cisco123 address 192.168.12.2
!
crypto isakmp client configuration group vpngroup
 key cisco123
 dns 10.10.10.10
 wins 10.10.10.20
 domain cisco.com
 pool ippool
 acl split_tunnel
crypto isakmp profile vpnclient
   match identity group vpngroup
   client authentication list userauthen
   isakmp authorization list groupauthor
   client configuration address respond
!
!
crypto ipsec transform-set newset esp-3des esp-md5-hmac
crypto ipsec transform-set remote-set esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set remote-set
 set isakmp-profile vpnclient
 reverse-route
!
!
crypto map map1 5 ipsec-isakmp
 set peer 192.168.11.2
 set transform-set newset
 match address VPN_BO1
crypto map map1 10 ipsec-isakmp
 set peer 192.168.12.2
 set transform-set newset
 match address VPN_BO2
crypto map map1 65535 ipsec-isakmp dynamic dynmap
!
!
interface Ethernet0/0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!

interface Serial2/0
 ip address 192.168.10.10 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 clock rate 64000
 crypto map map1
!
!
ip local pool ippool 10.10.120.10 10.10.120.50
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.10.1
!
ip nat inside source route-map nonat interface Serial2/0 overload
!
ip access-list extended NAT_Exempt
 deny ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
 deny ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
 deny ip 10.10.10.0 0.0.0.255 10.10.120.0 0.0.0.255
 deny ip 10.10.120.0 0.0.0.255 10.20.20.0 0.0.0.255
 deny ip 10.10.120.0 0.0.0.255 172.16.1.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
ip access-list extended VPN_BO1
 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
 permit ip 10.10.120.0 0.0.0.255 172.16.1.0 0.0.0.255
ip access-list extended VPN_BO2
 permit ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
 permit ip 10.10.120.0 0.0.0.255 10.20.20.0 0.0.0.255
ip access-list extended split_tunnel
 permit ip 10.10.10.0 0.0.0.255 10.10.120.0 0.0.0.255
 permit ip 10.20.20.0 0.0.0.255 10.10.120.0 0.0.0.255
 permit ip 172.16.1.0 0.0.0.255 10.10.120.0 0.0.0.255
!
route-map nonat permit 10
 match ip address NAT_Exempt
!
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
!
end
HQ_HUB#

 

Verification

Use the following commands to verify that the VPN is working.

· ping

Extended Ping
HQ_HUB#ping

!--- Sent so that the L2L VPN tunnel with BO1
!--- is established.
Protocol [ip]:
Target IP address: 172.16.1.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.10.10.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 132/160/172 ms

HQ_HUB#ping

!--- Sent so that the L2L VPN tunnel with BO2
!--- is established.
Protocol [ip]:
Target IP address: 10.20.20.10
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.10.10.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.20.10, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
....!
Success rate is 20 percent (1/5), round-trip min/avg/max = 64/64/64 ms
show crypto isakmp sa
HQ_HUB#show crypto isakmp sa
dst             src             state          conn-id slot status
192.168.12.2    192.168.10.10   QM_IDLE              2    0 ACTIVE
192.168.11.2    192.168.10.10   QM_IDLE              1    0 ACTIVE
show crypto ipsec sa
HQ_HUB#show crypto ipsec sa

interface: Serial2/0
    Crypto map tag: map1, local addr 192.168.10.10

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.120.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   current_peer 192.168.11.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.10.10, remote crypto endpt.: 192.168.11.22
     path mtu 1500, ip mtu 1500, ip mtu idb Serial2/0
     current outbound spi: 0x0(0)


     local crypto endpt.: 192.168.10.10, remote crypto endpt.: 192.168.12.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial2/0
     current outbound spi: 0x0(0)


   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.20.20.0/255.255.255.0/0/0)
   current_peer 192.168.12.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
    #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 4, #recv errors 0

     local crypto endpt.: 192.168.10.10, remote crypto endpt.: 192.168.12.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial2/0
     current outbound spi: 0xF1328(987944)

     inbound esp sas:
      spi: 0xAD07C262(2902966882)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: SW:4, crypto map: map1
        sa timing: remaining key lifetime (k/sec): (4601612/3292)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xF1328(987944)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: SW:3, crypto map: map1
        sa timing: remaining key lifetime (k/sec): (4601612/3291)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.120.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.20.20.0/255.255.255.0/0/0)
   current_peer 192.168.12.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.10.10, remote crypto endpt.: 192.168.12.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial2/0
     current outbound spi: 0x0(0)


   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   current_peer 192.168.11.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 11, #recv errors 0

     local crypto endpt.: 192.168.10.10, remote crypto endpt.: 192.168.11.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial2/0
     current outbound spi: 0x978B3F93(2542485395)

     inbound esp sas:
      spi: 0x2884F32(42487602)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: map1
        sa timing: remaining key lifetime (k/sec): (4421529/3261)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x978B3F93(2542485395)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: map1
        sa timing: remaining key lifetime (k/sec): (4421529/3261)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE



     local crypto endpt.: 192.168.10.10, remote crypto endpt.: 192.168.12.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial2/0
     current outbound spi: 0x0(0)

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.20.20.0/255.255.255.0/0/0)
   current_peer 192.168.12.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.10.10, remote crypto endpt.: 192.168.12.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial2/0
     current outbound spi: 0x0(0)
    protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.20.20.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   current_peer 192.168.11.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.10.10, remote crypto endpt.: 192.168.11.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial2/0
     current outbound spi: 0x0(0)
      local crypto endpt.: 192.168.10.10, remote crypto endpt.: 192.168.12.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial2/0
     current outbound spi: 0x0(0)
 HQ_HUB#
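Reading the show crypto ipsec sa output above by eye gets error-prone once each peer has several flows. The following Python script is an added example for this article's verification section, not from the original post: SAMPLE is a constructed excerpt in the same layout as the HQ_HUB output above (two of its flows with their counters), and parse_ipsec_sa() and flag_flows() are hypothetical helper names. It turns each protected-vrf block into a record and flags flows that have never negotiated an SA (outbound SPI 0x0) or that count send errors on a live SA.

```python
"""Turn 'show crypto ipsec sa' output into per-flow records and flag the flows a
practitioner should look at.  Added example for this article's verification
section, not from the original post; SAMPLE is a constructed excerpt in the
layout of the page's HQ_HUB output, and the functions are hypothetical helpers."""
import ipaddress
import re

SAMPLE = """\
interface: Serial2/0
    Crypto map tag: map1, local addr 192.168.10.10

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.120.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   current_peer 192.168.11.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     current outbound spi: 0x0(0)

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   current_peer 192.168.11.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #send errors 11, #recv errors 0
     current outbound spi: 0x978B3F93(2542485395)
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident .*: \(([\d.]+)/([\d.]+)/")
COUNTER_RE = re.compile(r"#(pkts encaps|pkts decaps|send errors):? (\d+)")


def parse_ipsec_sa(text):
    """One dict per 'protected vrf' block; idents are normalised to prefix form."""
    flows, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("protected vrf"):
            cur = {"local": None, "remote": None, "peer": None,
                   "encaps": 0, "decaps": 0, "send_errors": 0, "outbound_spi": 0}
            flows.append(cur)
        elif cur is None:                      # interface / crypto map header lines
            continue
        elif (m := IDENT_RE.match(s)):
            cur[m.group(1)] = str(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}"))
        elif s.startswith("current_peer"):
            cur["peer"] = s.split()[1]
        elif (m := COUNTER_RE.match(s)):       # 'pkts encaps' -> encaps, 'send errors' -> send_errors
            cur[m.group(1).replace("pkts ", "").replace(" ", "_")] = int(m.group(2))
        elif s.startswith("current outbound spi:"):
            cur["outbound_spi"] = int(s.split()[3].split("(")[0], 16)
    return flows


def flag_flows(flows):
    """Return (local, remote, reason) triples for flows that deserve a look."""
    findings = []
    for f in flows:
        if f["outbound_spi"] == 0:
            reason = ("no SA yet: outbound SPI is 0x0, so no interesting traffic "
                      "has matched this crypto ACL entry")
        elif f["send_errors"]:
            reason = (f"{f['send_errors']} send errors on a live SA: packets the crypto "
                      "engine could not send, e.g. while the SA was still negotiating")
        else:
            continue
        findings.append((f["local"], f["remote"], reason))
    return findings


if __name__ == "__main__":
    for local, remote, reason in flag_flows(parse_ipsec_sa(SAMPLE)):
        print(f"{local} -> {remote}: {reason}")
```

In the page's own output every 10.10.120.0/24 flow shows SPI 0x0 because no remote client has connected yet, while the 10.10.10.0/24 to 172.16.1.0/24 flow carries the four successful pings; compare its send-error count with the first lost packet of each extended ping, which is dropped while ISAKMP is still negotiating.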
Source: CCIE那点事, http://www.jdccie.com/. All rights reserved. Unless a source is noted, articles on this site are the author's original work and may be freely cited with attribution; reproducing the full text is prohibited.
Article link: http://www.jdccie.com/?p=1843. When reposting, please credit CCIE那点事.