ADSL + IPsec VPN configuration

Source: original to this site. Category: VPN

Requirement: the headquarters has a static IP address, while the branch is on ADSL with a dynamically assigned IP, and the branch VPN device sits behind the ADSL dial-up device. The question is how to build an IPsec VPN between the two sites.

This mainly involves two VPN topics: the dynamic crypto map (configured on R4) and the two UDP ports IKE/IPsec uses through NAT (UDP 500 for ISAKMP and UDP 4500 for NAT-T).

The topology is as follows:

Configuration steps:
1. Configure the ISP: R3 acts as the PPPoE server. The main commands are as follows.

vpdn enable
vpdn-group 1
accept-dialin
protocol pppoe
virtual-template 1
username cisco password cisco
ip local pool cisco 218.2.2.2 218.2.2.10
int lo0
ip add 218.2.2.1 255.255.255.0
int virtual-template 1
ip unnumbered lo0
peer default ip address pool cisco
ppp authentication chap
int e0/0
pppoe enable

2. Configure R2 as the PPPoE client. The main commands are as follows.

vpdn enable
vpdn-group 1
request-dialin
protocol pppoe
int e0/3
pppoe enable
pppoe-client dial-pool-number 1

int dialer0
encapsulation ppp
ip address negotiated
ppp authentication chap pap callin
dialer pool 1
dialer-group 1
ppp chap hostname cisco
ppp chap password cisco
dialer-list 1 protocol ip permit
ip route 0.0.0.0 0.0.0.0 dialer 0

Once this is configured, R2 shows the address it obtained:

R2#sh ip int bri
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 192.168.1.1 YES manual up up
Dialer0 218.2.2.2 YES IPCP up up

3. Configure the interfaces, NAT and so on for the four routers R1-R4 so that the network is reachable end to end.

R1#ping 218.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 218.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/52/108 ms

4. Configure the VPN
R1 is configured normally; note that R1 has no NAT configuration.

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 123456 address 218.1.1.2
!
!
crypto ipsec transform-set test esp-3des
!
crypto map mymap 1000 ipsec-isakmp
set peer 218.1.1.2
set transform-set test
match address 101
!
interface Ethernet0/0
ip address 192.168.1.2 255.255.255.0
half-duplex
crypto map mymap
!
access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.10.0 0.0.0.255

On R2, configure two static port mappings to the VPN device (UDP 500 for ISAKMP and UDP 4500 for NAT-T):

ip nat inside source static udp 192.168.1.2 4500 interface Dialer0 4500
ip nat inside source static udp 192.168.1.2 500 interface Dialer0 500

On the R4 side, configure a dynamic map. Note R4's NAT configuration: the deny entry at the top of access-list 101 exempts the VPN traffic from NAT, so only non-tunnel traffic is translated.

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 123456 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set test esp-3des
!
crypto dynamic-map mymap1 1000
set transform-set test
!
crypto map mymap 1000 ipsec-isakmp dynamic mymap1 discover
!
interface Ethernet0/0
ip address 218.1.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly
half-duplex
crypto map mymap
!
ip nat inside source list 101 interface Ethernet0/0 overload
!
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 permit ip any any
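Two things in the configuration above are easy to get wrong: R2 must forward both IKE ports (500 and 4500) unchanged to the VPN device, and R4's NAT ACL must deny the tunnel traffic before its catch-all permit. The following script is an added example, not part of the original post, that checks both conditions against the config lines quoted on this page (it assumes the exact IOS syntax shown here, single-line ACL entries, and the IP/wildcard pairs as written):

```python
import re

# Constructed samples: the R1, R2 and R4 lines from this page that the checks need.
R1_CRYPTO_ACL = "access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.10.0 0.0.0.255"
R2_NAT = """ip nat inside source static udp 192.168.1.2 4500 interface Dialer0 4500
ip nat inside source static udp 192.168.1.2 500 interface Dialer0 500"""
R4_NAT_ACL = """access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 permit ip any any"""

# inside host, inside port, outside port of a static UDP port mapping
STATIC_RE = re.compile(r"ip nat inside source static udp (\S+) (\d+) interface \S+ (\d+)")
# action, source spec, destination spec; a spec is "any" or "network wildcard"
ACL_RE = re.compile(r"access-list \d+ (permit|deny) ip (any|\S+ \S+) (any|\S+ \S+)")


def missing_ike_ports(nat_cfg, vpn_host):
    """Return which of UDP 500 (ISAKMP) and 4500 (NAT-T) are not forwarded
    unchanged to vpn_host. An empty set means the R2 mappings are complete."""
    forwarded = {int(oport) for inside, iport, oport in STATIC_RE.findall(nat_cfg)
                 if inside == vpn_host and iport == oport}
    return {500, 4500} - forwarded


def nat_exempts_vpn_traffic(nat_acl, crypto_acl):
    """True if the NAT ACL denies (exempts) the mirror image of every interesting
    traffic entry from the peer's crypto ACL before any permit that would match it.
    Order matters: a 'permit ip any any' reached first would translate the VPN
    traffic and the tunnel would never carry it."""
    for _, src, dst in ACL_RE.findall(crypto_acl):
        mirror = (dst, src)  # R4 sees the same flow with source and destination swapped
        exempted = False
        for action, nsrc, ndst in ACL_RE.findall(nat_acl):
            if (nsrc, ndst) == mirror:
                exempted = action == "deny"
                break
            if action == "permit" and nsrc == "any" and ndst == "any":
                break  # catch-all permit comes first: traffic would be NATed
        if not exempted:
            return False
    return True


if __name__ == "__main__":
    print("R2 IKE ports not forwarded:", missing_ike_ports(R2_NAT, "192.168.1.2") or "none")
    print("R4 NAT exempts VPN traffic:", nat_exempts_vpn_traffic(R4_NAT_ACL, R1_CRYPTO_ACL))
```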

After the configuration is complete, generate interesting traffic from the R1 side (R4 uses a dynamic map, so the tunnel can only be initiated by R1):

R1#ping 192.168.10.1 so 192.168.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.100.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/69/144 ms

Finally, check the VPN status on R1 and R4:

R1#sh crypto isakmp sa
dst src state conn-id slot status
218.1.1.2 192.168.1.2 QM_IDLE 1 0 ACTIVE

R4#sh crypto isakmp sa

End of configuration.

Article from: CCIE那点事 http://www.jdccie.com/ All rights reserved. Unless a source is noted, the articles on this site are the author's original work; they may be cited freely with attribution, but reproduction in full is prohibited.
Article link: http://www.jdccie.com/?p=3018 Please credit CCIE那点事 when reposting.