[CCIE那点事] Original, Episode 3: A hands-on guide to configuring ADSL + IPsec VPN

Source: original to this site. Category: VPN.

Episode 3 is here, and it's a good one.

Recap

Article title: [CCIE那点事] Original, Episode 1: A hands-on guide to configuring VPN, part 1: L2L site-to-site VPN

Link: http://www.jdccie.com/?p=1862 (when reposting, please credit CCIE那点事)

Article title: [CCIE那点事] Original, Episode 2: A hands-on guide to configuring VPN, part 2: L2L + EzVPN

Link: http://www.jdccie.com/?p=3020 (when reposting, please credit CCIE那点事)

Why write this one? Because someone asked: the branch office gets online over ADSL dial-up, so how do you configure a VPN from it back to headquarters? I'm sure plenty of network engineers run into exactly this.

Anyone who has done IT in a company knows that ADSL and LAN-style business lines are cheap: a 2 Mbit/s line runs roughly 2,000-odd yuan a month. EPON fibre is a different story, several times the price.

So most companies connect their branches over ADSL to a device with a fixed IP address at headquarters, in the HQ IDC or server room. Enough digression.

Test objective

The branch network behind r4, 4.4.4.0/24, must be able to reach the headquarters server network 10.1.1.0/24 (the server is 10.1.1.2, behind R8; 8.8.8.0/24 is the simulated Internet segment between the ISP and R8, not the server network).

Test environment

GNS3, c2691 router, image c2691-advsecurityk9-mz[1].124-11.T2.bin

Without further ado, the diagram:

[topology diagram, not reproduced here]

The diagram is a bit involved, so here is a walkthrough:

1. An ADSL SERVER that simulates the ISP (the PPPoE access concentrator)

2. An IPsec VPN server, R8 (the headquarters hub)

3. The ADSL + VPN client, vpnadsl (the branch router)

4. R4 and VPN REMOTE, simulating the branch's internal network and server

5. server, simulating the headquarters server

I originally wanted to build this in Cisco Packet Tracer, but after a long time testing found it doesn't support this, so GNS3 it is.

The configs are trimmed down; everything not relevant has been deleted.

ADSL server configuration

vpdn enable                          /* enable VPDN
!
vpdn-group 1                         /* VPDN group (legacy PPPoE-server syntax; the bba-group below is the current form, both kept as in the lab)
 ! Default L2TP VPDN group
 accept-dialin                       /* accept incoming sessions
  protocol pppoe                     /* encapsulation: PPPoE
  virtual-template 1                 /* use Virtual-Template 1
!
username cisco password 0 cisco      /* dial-in user name and password (lab values; a real access concentrator would use a RADIUS backend and a strong secret)
!
bba-group pppoe global               /* global BBA (broadband aggregation) group
 virtual-template 1                  /* bind Virtual-Template 1
!
interface Loopback1                  /* its address is borrowed by the virtual template
 ip address 223.1.1.1 255.255.255.0
!
interface FastEthernet0/0            /* towards R8 (the simulated Internet side)
 ip address 8.8.8.1 255.255.255.0
 speed auto
 full-duplex
!
interface FastEthernet0/1            /* towards vpnadsl (the DSL line)
 pppoe enable group global           /* enable PPPoE on this port
!
interface Virtual-Template1          /* the virtual template
 ip unnumbered Loopback1             /* borrow Loopback1's address
 peer default ip address pool cisco  /* hand out client addresses from pool "cisco"
 ppp authentication chap             /* authenticate clients with CHAP
!
ip local pool cisco 223.1.1.2 223.1.1.100   /* address pool for PPPoE clients; vpnadsl receives 223.1.1.2 in this lab
!
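To make `ppp authentication chap` concrete, here is an added Python example (mine, not from the original post and not Cisco code) of the three-way CHAP exchange that Virtual-Template1 runs against the branch's Dialer: the server issues a challenge, the client answers with MD5(ID || secret || challenge) plus its hostname (`cisco`), and the server recomputes the hash with the stored password and compares. The user table and the fixed challenge used in the test are constructed lab values. The last function shows why the lab secret is a problem: whoever captures one challenge/response pair on the DSL segment can test candidate secrets offline, with no lockout to stop them.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed lab user table, matching "username cisco password 0 cisco" on the ADSL server.
PPPOE_USERS = {"cisco": b"cisco"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 with the MD5 algorithm: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_exchange(identifier: int, name: str, client_secret: bytes,
                  challenge: Optional[bytes] = None) -> dict:
    """One CHAP round between the PPPoE server (Virtual-Template1) and the client (Dialer0).

    Server -> client : Challenge (ID, random value, server name)
    Client -> server : Response (same ID, MD5 over ID|secret|challenge, client Name)
    Server           : looks the Name up, recomputes with the stored secret, compares
    """
    if challenge is None:
        challenge = os.urandom(16)                                   # server side: fresh challenge
    response = chap_response(identifier, client_secret, challenge)   # client side
    stored = PPPOE_USERS.get(name)                                   # server side: lookup by Name
    success = stored is not None and hmac.compare_digest(
        response, chap_response(identifier, stored, challenge))
    return {"id": identifier, "challenge": challenge, "name": name,
            "response": response, "success": success}


def guess_chap_secret(identifier: int, challenge: bytes, response: bytes,
                      candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline attack on a captured Challenge/Response pair. Nothing is sent to the
    server, so no rate limit or lockout ever triggers. Returns the candidate secret
    that reproduces the captured response, or None if none of them does."""
    for cand in candidates:
        if chap_response(identifier, cand, challenge) == response:
            return cand
    return None


if __name__ == "__main__":
    result = chap_exchange(1, "cisco", b"cisco")
    print("CHAP success:", result["success"])
    print("recovered secret:", guess_chap_secret(result["id"], result["challenge"],
                                                  result["response"],
                                                  [b"password", b"admin", b"cisco"]))
```

CHAP never sends the password itself, which is why it is preferred over PAP on the line, but the MD5 construction gives no protection against offline guessing once a pair is captured; the strength of the PPPoE credential is the only thing that matters there.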

Headquarters VPN configuration, R8

I won't explain this config again; see the first two episodes. What is different this time: the branch's public address is handed out by the ISP and changes, so R8 cannot name its peer. It uses a dynamic crypto map and a wildcard pre-shared key (`address 0.0.0.0 0.0.0.0`). Two consequences follow. R8 can only respond, never initiate, so the spoke must bring the tunnel up and keep it up. And any host on the Internet that knows `cisco123` can complete phase 1 with R8, and because mymap1 has no `match address`, R8 will also accept whatever proxy IDs that peer proposes. In production, use a long random key at minimum, better per-peer identities via ISAKMP profiles or certificate authentication, and put `match address VPN_B01` in the dynamic map.

hostname R8
!
crypto isakmp policy 10
 encr 3des                           /* no "hash" line, so the default SHA-1 applies (the debug shows "hash SHA")
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0   /* wildcard PSK: accepted from any peer address
!
crypto ipsec transform-set newset esp-3des esp-md5-hmac
!
crypto dynamic-map map1 10           /* leftover: never referenced (only mymap1 is) and confusingly named like the crypto map below
 set transform-set newset
!
crypto dynamic-map mymap1 10         /* no "match address": the hub accepts the proxy IDs the spoke proposes
 set transform-set newset
!
crypto map map1 100 ipsec-isakmp dynamic mymap1 discover   /* "discover" enables Tunnel Endpoint Discovery; not needed here, harmless
!
interface FastEthernet0/0            /* towards the ADSL server / Internet
 ip address 8.8.8.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map map1
!
interface FastEthernet0/1            /* headquarters LAN
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 8.8.8.1
!
no ip http server
no ip http secure-server
ip nat inside source list nonat interface FastEthernet0/0 overload
!
ip access-list extended VPN_B01      /* defined but not applied: the dynamic map above has no "match address"
 permit ip 10.1.1.0 0.0.0.255 4.4.4.0 0.0.0.255
ip access-list extended nonat        /* NAT exemption: VPN traffic must not be translated; the deny has to precede the permit
 deny   ip 10.1.1.0 0.0.0.255 4.4.4.0 0.0.0.255
 permit ip any any

Now the main part: the VPN + ADSL router configuration

hostname vpnadsl
!
vpdn enable                          /* legacy PPPoE-client syntax; on 12.4 "pppoe-client dial-pool-number" alone is enough, kept as in the lab
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 8.8.8.2      /* the hub has a fixed address, so the key is bound to it
!
crypto ipsec transform-set newset esp-3des esp-md5-hmac
!
crypto map map1 5 ipsec-isakmp       /* static map: the spoke is the only side that can initiate
 set peer 8.8.8.2
 set transform-set newset
 match address VPN_HUB
!
bba-group pppoe global               /* leftover from the server config; not needed on a client
!
interface FastEthernet0/0            /* branch LAN side, towards R4 (1.1.1.2)
 ip address 1.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed auto
 full-duplex
!
interface FastEthernet0/1            /* the DSL line: no IP address, only PPPoE
 no ip address
 speed auto
 full-duplex
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer0                    /* every feature goes on the Dialer, not on the physical port; note this
 ip address negotiated               /* address comes from the ISP's pool (223.1.1.2 in this lab)
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin  /* for PAP the client-side commands are "ppp pap sent-username xxx password xxx"
 ppp chap hostname cisco
 ppp chap password 0 cisco
 crypto map map1                     /* apply IPsec here
!
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 4.4.4.0 255.255.255.0 1.1.1.2
!
ip nat inside source list nonat interface Dialer0 overload
!
ip access-list extended VPN_HUB      /* crypto ACL, the mirror image of the hub's VPN_B01
 permit ip 4.4.4.0 0.0.0.255 10.1.1.0 0.0.0.255
ip access-list extended nonat        /* NAT exemption: must deny the same flow, before the permit
 deny   ip 4.4.4.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip any any
!
dialer-list 1 protocol ip permit

Two things a real DSL line needs that GNS3 does not force on you. First, MTU: PPPoE takes 8 bytes off the Ethernet MTU, so set `ip mtu 1492` on Dialer0 and `ip tcp adjust-mss 1452` on the LAN interface, and since ESP in tunnel mode adds more overhead again, a lower MSS (Cisco's IPsec design guides use 1360) avoids fragmenting encrypted packets; without this, ping works but large transfers over the tunnel hang. Second, `ppp authentication chap pap callin` with `callin` only requires the peer to authenticate when the peer calls in; since the spoke dials out, it never authenticates the ISP, which is the normal client setting.
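The `deny` line in `nonat` is the piece people most often leave out, and it is worth seeing why it has to be there. For a packet going inside-to-outside, IOS applies NAT before it consults the crypto map on the egress interface; a packet that has already been PATed to the Dialer address no longer matches VPN_HUB and leaves in the clear. The following Python is an added example (mine, not from the original post): it parses the spoke's and the hub's ACLs as they appear above, walks a packet through the NAT-then-crypto decision, and checks that the spoke's crypto ACL, its NAT exemption and the hub's two ACLs are mirror images of each other. `SPOKE_ACLS_NO_EXEMPTION` is a constructed broken variant with the deny removed. The parser handles only the `permit|deny ip` forms used on this page.

```python
import ipaddress
import re

# Constructed copies of the ACLs from the vpnadsl (spoke) and R8 (hub) configs above.
SPOKE_ACLS = """
ip access-list extended VPN_HUB
 permit ip 4.4.4.0 0.0.0.255 10.1.1.0 0.0.0.255
ip access-list extended nonat
 deny   ip 4.4.4.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip any any
"""
HUB_ACLS = """
ip access-list extended VPN_B01
 permit ip 10.1.1.0 0.0.0.255 4.4.4.0 0.0.0.255
ip access-list extended nonat
 deny   ip 10.1.1.0 0.0.0.255 4.4.4.0 0.0.0.255
 permit ip any any
"""
# Constructed broken variant: the NAT exemption for the VPN flow is missing.
SPOKE_ACLS_NO_EXEMPTION = """
ip access-list extended VPN_HUB
 permit ip 4.4.4.0 0.0.0.255 10.1.1.0 0.0.0.255
ip access-list extended nonat
 permit ip any any
"""


def _addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    if wildcard == "0.0.0.0":               # ipaddress reads an all-zero mask as /0, IOS means /32
        return ipaddress.ip_network(t + "/32")
    return ipaddress.ip_network(f"{t}/{wildcard}", strict=False)   # ipaddress accepts a host (wildcard) mask


def parse_acls(text):
    """Return {acl_name: [(action, src_net, dst_net), ...]} in configured order."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"ip access-list extended (\S+)$", line)
        if m:
            current = acls.setdefault(m.group(1), [])
            continue
        m = re.match(r"(permit|deny)\s+ip\s+(.+)$", line)
        if m and current is not None:
            tokens = m.group(2).split()
            src = _addr(tokens)
            dst = _addr(tokens)
            current.append((m.group(1), src, dst))
    return acls


def match_acl(entries, src_ip, dst_ip):
    """First-match semantics, with the implicit deny at the end of every IOS ACL."""
    for action, src_net, dst_net in entries:
        if src_ip in src_net and dst_ip in dst_net:
            return action
    return "deny"


def inside_to_outside(acls, src, dst, dialer_ip, nat_acl="nonat", crypto_acl="VPN_HUB"):
    """IOS order of operations for inside-to-outside traffic: NAT first, then the
    crypto map on the egress interface. Returns what happens to the packet."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    translated = match_acl(acls[nat_acl], src_ip, dst_ip) == "permit"   # "permit" in a NAT ACL means: translate
    if translated:
        src_ip = ipaddress.ip_address(dialer_ip)                        # PAT to the Dialer's negotiated address
    encrypted = match_acl(acls[crypto_acl], src_ip, dst_ip) == "permit"
    return {"src_on_wire": str(src_ip), "translated": translated, "encrypted": encrypted}


def check_mirror(spoke, hub, spoke_crypto="VPN_HUB", hub_crypto="VPN_B01", nat="nonat"):
    """Every flow the spoke encrypts must be NAT-exempt on the spoke and appear
    reversed in the hub's crypto ACL and in the hub's NAT exemption."""
    problems = []
    for action, s, d in spoke[spoke_crypto]:
        if action != "permit":
            continue
        if ("deny", s, d) not in spoke[nat]:
            problems.append(f"spoke {nat} lacks 'deny ip {s} {d}'")
        if ("permit", d, s) not in hub[hub_crypto]:
            problems.append(f"hub {hub_crypto} lacks mirror 'permit ip {d} {s}'")
        if ("deny", d, s) not in hub[nat]:
            problems.append(f"hub {nat} lacks 'deny ip {d} {s}'")
    return problems


if __name__ == "__main__":
    spoke, hub = parse_acls(SPOKE_ACLS), parse_acls(HUB_ACLS)
    print("with exemption   :", inside_to_outside(spoke, "4.4.4.2", "10.1.1.2", "223.1.1.2"))
    print("without exemption:", inside_to_outside(parse_acls(SPOKE_ACLS_NO_EXEMPTION),
                                                  "4.4.4.2", "10.1.1.2", "223.1.1.2"))
    print("mirror problems  :", check_mirror(spoke, hub))
```

The same walk explains why the ping in the test section has to be sourced from 4.4.4.0/24: a probe from r4's 1.1.1.2 link address is not in VPN_HUB, so it is PATed and sent unencrypted.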

Test result: OK, lab objective achieved. Below is the `debug crypto isakmp` output on vpnadsl (the initiator; its Dialer address 223.1.1.2 appears as the local ID). The two state-transition lines marked at the end of phase 1 and phase 2 are the ones to look at first when a tunnel does not come up.

*Mar  1 01:36:02.007: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Mar  1 01:36:10.779: ISAKMP:(0): SA request profile is (NULL)
*Mar  1 01:36:10.779: ISAKMP: Created a peer struct for 8.8.8.2, peer port 500
*Mar  1 01:36:10.783: ISAKMP: New peer created peer = 0x648CE15C peer_handle = 0x80000005
*Mar  1 01:36:10.783: ISAKMP: Locking peer struct 0x648CE15C, refcount 1 for isakmp_initiator
*Mar  1 01:36:10.783: ISAKMP: local port 500, remote port 500
*Mar  1 01:36:10.783: ISAKMP: set new node 0 to QM_IDLE
*Mar  1 01:36:10.787: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 64186BF4
*Mar  1 01:36:10.787: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Mar  1 01:36:10.787: ISAKMP:(0):found peer pre-shared key matching 8.8.8.2
*Mar  1 01:36:10.791: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Mar  1 01:36:10.791: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Mar  1 01:36:10.791: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Mar  1 01:36:10.795: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar  1 01:36:10.795: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Mar  1 01:36:10.795: ISAKMP:(0): beginning Main Mode exchange
*Mar  1 01:36:10.799: ISAKMP:(0): sending packet to 8.8.8.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 01:36:10.799: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar  1 01:36:11.283: ISAKMP (0:0): received packet from 8.8.8.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar  1 01:36:11.287: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 01:36:11.287: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Mar  1 01:36:11.291: ISAKMP:(0): processing SA payload. message ID = 0
*Mar  1 01:36:11.295: ISAKMP:(0): processing vendor id payload
*Mar  1 01:36:11.295: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Mar  1 01:36:11.295: ISAKMP (0:0): vendor ID is NAT-T v7
*Mar  1 01:36:11.295: ISAKMP:(0):found peer pre-shared key matching 8.8.8.2
*Mar  1 01:36:11.299: ISAKMP:(0): local preshared key found
*Mar  1 01:36:11.299: ISAKMP : Scanning profiles for xauth …
*Mar  1 01:36:11.299: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Mar  1 01:36:11.299: ISAKMP:      encryption 3DES-CBC
*Mar  1 01:36:11.303: ISAKMP:      hash SHA
*Mar  1 01:36:11.303: ISAKMP:      default group 2
*Mar  1 01:36:11.303: ISAKMP:      auth pre-share
*Mar  1 01:36:11.303: ISAKMP:      life type in seconds
*Mar  1 01:36:11.303: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Mar  1 01:36:11.307: ISAKMP:(0):atts are acceptable. Next payload is 0
*Mar  1 01:36:11.307: ISAKMP:(0): processing vendor id payload
*Mar  1 01:36:11.307: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Mar  1 01:36:11.311: ISAKMP (0:0): vendor ID is NAT-T v7
*Mar  1 01:36:11.311: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 01:36:11.311: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
*Mar  1 01:36:11.323: ISAKMP:(0): sending packet to 8.8.8.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Mar  1 01:36:11.323: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar  1 01:36:11.327: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 01:36:11.327: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
*Mar  1 01:36:11.967: ISAKMP (0:0): received packet from 8.8.8.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*Mar  1 01:36:11.971: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 01:36:11.971: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
*Mar  1 01:36:11.979: ISAKMP:(0): processing KE payload. message ID = 0
*Mar  1 01:36:12.087: ISAKMP:(0): processing NONCE payload. message ID = 0
*Mar  1 01:36:12.087: ISAKMP:(0):found peer pre-shared key matching 8.8.8.2
*Mar  1 01:36:12.095: ISAKMP:(1005): processing vendor id payload
*Mar  1 01:36:12.095: ISAKMP:(1005): vendor ID is Unity
*Mar  1 01:36:12.099: ISAKMP:(1005): processing vendor id payload
*Mar  1 01:36:12.099: ISAKMP:(1005): vendor ID is DPD
*Mar  1 01:36:12.099: ISAKMP:(1005): processing vendor id payload
*Mar  1 01:36:12.103: ISAKMP:(1005): speaking to another IOS box!
*Mar  1 01:36:12.103: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 01:36:12.103: ISAKMP:(1005):Old State = IKE_I_MM4  New State = IKE_I_MM4
*Mar  1 01:36:12.111: ISAKMP:(1005):Send initial contact
*Mar  1 01:36:12.111: ISAKMP:(1005):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar  1 01:36:12.115: ISAKMP (0:1005): ID payload
        next-payload : 8
        type         : 1
        address      : 223.1.1.2
        protocol     : 17
        port         : 500
        length       : 12
*Mar  1 01:36:12.115: ISAKMP:(1005):Total payload length: 12
*Mar  1 01:36:12.119: ISAKMP:(1005): sending packet to 8.8.8.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar  1 01:36:12.123: ISAKMP:(1005):Sending an IKE IPv4 Packet.
*Mar  1 01:36:12.123: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 01:36:12.127: ISAKMP:(1005):Old State = IKE_I_MM4  New State = IKE_I_MM5
*Mar  1 01:36:12.579: ISAKMP (0:1005): received packet from 8.8.8.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar  1 01:36:12.583: ISAKMP:(1005): processing ID payload. message ID = 0
*Mar  1 01:36:12.583: ISAKMP (0:1005): ID payload
        next-payload : 8
        type         : 1
        address      : 8.8.8.2
        protocol     : 17
        port         : 500
        length       : 12
*Mar  1 01:36:12.587: ISAKMP:(0):: peer matches *none* of the profiles
*Mar  1 01:36:12.587: ISAKMP:(1005): processing HASH payload. message ID = 0
*Mar  1 01:36:12.591: ISAKMP:(1005):SA authentication status:
        authenticated
*Mar  1 01:36:12.591: ISAKMP:(1005):SA has been authenticated with 8.8.8.2
*Mar  1 01:36:12.591: ISAKMP: Trying to insert a peer 223.1.1.2/8.8.8.2/500/,  and inserted successfully 648CE15C.
*Mar  1 01:36:12.595: ISAKMP:(1005):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 01:36:12.595: ISAKMP:(1005):Old State = IKE_I_MM5  New State = IKE_I_MM6
*Mar  1 01:36:12.603: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 01:36:12.603: ISAKMP:(1005):Old State = IKE_I_MM6  New State = IKE_I_MM6
*Mar  1 01:36:12.611: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 01:36:12.611: ISAKMP:(1005):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Mar  1 01:36:12.619: ISAKMP:(1005):beginning Quick Mode exchange, M-ID of 1720065028
*Mar  1 01:36:12.619: ISAKMP:(1005):QM Initiator gets spi
*Mar  1 01:36:12.627: ISAKMP:(1005): sending packet to 8.8.8.2 my_port 500 peer_port 500 (I) QM_IDLE
*Mar  1 01:36:12.627: ISAKMP:(1005):Sending an IKE IPv4 Packet.
*Mar  1 01:36:12.631: ISAKMP:(1005):Node 1720065028, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar  1 01:36:12.631: ISAKMP:(1005):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Mar  1 01:36:12.631: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar  1 01:36:12.635: ISAKMP:(1005):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE       /* phase 1 checkpoint: if the tunnel fails before this line, the problem is ISAKMP policy, pre-shared key or reachability
*Mar  1 01:36:13.487: ISAKMP (0:1005): received packet from 8.8.8.2 dport 500 sport 500 Global (I) QM_IDLE
*Mar  1 01:36:13.491: ISAKMP:(1005): processing HASH payload. message ID = 1720065028
*Mar  1 01:36:13.495: ISAKMP:(1005): processing SA payload. message ID = 1720065028
*Mar  1 01:36:13.495: ISAKMP:(1005):Checking IPSec proposal 1
*Mar  1 01:36:13.495: ISAKMP: transform 1, ESP_3DES
*Mar  1 01:36:13.495: ISAKMP:   attributes in transform:
*Mar  1 01:36:13.495: ISAKMP:      encaps is 1 (Tunnel)
*Mar  1 01:36:13.499: ISAKMP:      SA life type in seconds
*Mar  1 01:36:13.499: ISAKMP:      SA life duration (basic) of 3600
*Mar  1 01:36:13.499: ISAKMP:      SA life type in kilobytes
*Mar  1 01:36:13.499: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
*Mar  1 01:36:13.503: ISAKMP:      authenticator is HMAC-MD5
*Mar  1 01:36:13.503: ISAKMP:(1005):atts are acceptable.
*Mar  1 01:36:13.507: ISAKMP:(1005): processing NONCE payload. message ID = 1720065028
*Mar  1 01:36:13.507: ISAKMP:(1005): processing ID payload. message ID = 1720065028
*Mar  1 01:36:13.507: ISAKMP:(1005): processing ID payload. message ID = 1720065028
*Mar  1 01:36:13.515: ISAKMP:(1005): Creating IPSec SAs
*Mar  1 01:36:13.519:         inbound SA from 8.8.8.2 to 223.1.1.2 (f/i)  0/ 0
        (proxy 10.1.1.0 to 4.4.4.0)
*Mar  1 01:36:13.519:         has spi 0x34C7B52D and conn_id 0
*Mar  1 01:36:13.519:         lifetime of 3600 seconds
*Mar  1 01:36:13.519:         lifetime of 4608000 kilobytes
*Mar  1 01:36:13.519:         outbound SA from 223.1.1.2 to 8.8.8.2 (f/i) 0/0
        (proxy 4.4.4.0 to 10.1.1.0)
*Mar  1 01:36:13.523:         has spi  0xBE4D8EE6 and conn_id 0
*Mar  1 01:36:13.523:         lifetime of 3600 seconds
*Mar  1 01:36:13.523:         lifetime of 4608000 kilobytes
*Mar  1 01:36:13.527: ISAKMP:(1005): sending packet to 8.8.8.2 my_port 500 peer_port 500 (I) QM_IDLE
*Mar  1 01:36:13.527: ISAKMP:(1005):Sending an IKE IPv4 Packet.
*Mar  1 01:36:13.531: ISAKMP:(1005):deleting node 1720065028 error FALSE reason "No Error"
*Mar  1 01:36:13.531: ISAKMP:(1005):Node 1720065028, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar  1 01:36:13.531: ISAKMP:(1005):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE   /* phase 2 checkpoint: if phase 1 completes but this line never appears, check transform sets, lifetimes and the crypto ACLs (proxy IDs)
*Mar  1 01:36:21.867: %SYS-5-CONFIG_I: Configured from console by console
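The two marked state transitions are the point of keeping this debug: when a tunnel does not come up, the last state the initiator reached tells you which side to look at. The following Python is an added example (mine, not from the original post): it reads `debug crypto isakmp` output, reconstructs the state sequence, pulls out the negotiated phase 1 and phase 2 proposals, the SPIs and the proxy IDs, and maps a stalled final state to the usual cause. `GOOD_RUN` is an abridged copy of the run above; `PSK_MISMATCH_RUN` is a constructed failing run (not from the page) showing what a pre-shared key mismatch looks like from the spoke: stuck at MM5, retransmitting MM_KEY_EXCH. The `HINTS` mapping is the standard Cisco troubleshooting rule of thumb, not something the page states.

```python
import re

# Constructed sample 1: lines copied (abridged) from the successful run above.
GOOD_RUN = """\
*Mar  1 01:36:10.779: ISAKMP: Created a peer struct for 8.8.8.2, peer port 500
*Mar  1 01:36:10.795: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Mar  1 01:36:11.287: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Mar  1 01:36:11.299: ISAKMP:      encryption 3DES-CBC
*Mar  1 01:36:11.303: ISAKMP:      hash SHA
*Mar  1 01:36:11.303: ISAKMP:      default group 2
*Mar  1 01:36:11.303: ISAKMP:      auth pre-share
*Mar  1 01:36:11.307: ISAKMP:(0):atts are acceptable. Next payload is 0
*Mar  1 01:36:11.327: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
*Mar  1 01:36:11.971: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
*Mar  1 01:36:12.127: ISAKMP:(1005):Old State = IKE_I_MM4  New State = IKE_I_MM5
*Mar  1 01:36:12.591: ISAKMP:(1005):SA has been authenticated with 8.8.8.2
*Mar  1 01:36:12.595: ISAKMP:(1005):Old State = IKE_I_MM5  New State = IKE_I_MM6
*Mar  1 01:36:12.611: ISAKMP:(1005):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Mar  1 01:36:12.631: ISAKMP:(1005):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Mar  1 01:36:13.495: ISAKMP: transform 1, ESP_3DES
*Mar  1 01:36:13.503: ISAKMP:      authenticator is HMAC-MD5
*Mar  1 01:36:13.519:         inbound SA from 8.8.8.2 to 223.1.1.2 (f/i)  0/ 0
        (proxy 10.1.1.0 to 4.4.4.0)
*Mar  1 01:36:13.519:         has spi 0x34C7B52D and conn_id 0
*Mar  1 01:36:13.523:         has spi  0xBE4D8EE6 and conn_id 0
*Mar  1 01:36:13.531: ISAKMP:(1005):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
"""

# Constructed sample 2 (hypothetical, not from the page): the spoke's pre-shared key
# does not match the hub's, so the hub never answers MM5 and the spoke retransmits.
PSK_MISMATCH_RUN = """\
*Mar  1 01:40:00.100: ISAKMP: Created a peer struct for 8.8.8.2, peer port 500
*Mar  1 01:40:00.110: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Mar  1 01:40:00.600: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Mar  1 01:40:00.650: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
*Mar  1 01:40:01.200: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
*Mar  1 01:40:01.400: ISAKMP:(1006):Old State = IKE_I_MM4  New State = IKE_I_MM5
*Mar  1 01:40:11.400: ISAKMP:(1006): retransmitting phase 1 MM_KEY_EXCH...
*Mar  1 01:40:11.400: ISAKMP (1006): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar  1 01:40:21.400: ISAKMP:(1006): retransmitting phase 1 MM_KEY_EXCH...
"""

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
PEER_RE = re.compile(r"Created a peer struct for (\d+(?:\.\d+){3})")
P1_ATTR_RE = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth)\s+(\S+)")
P2_ATTR_RE = re.compile(r"transform \d+, (\S+)|authenticator is (\S+)")
SPI_RE = re.compile(r"has spi\s+(0x[0-9A-Fa-f]+)")
PROXY_RE = re.compile(r"\(proxy (\S+) to (\S+)\)")
RETRANS_RE = re.compile(r"retransmitting phase [12]")

# Rule-of-thumb causes for the state an initiator is stuck in (added here, not from the page).
HINTS = {
    "IKE_I_MM1": "MM1 sent, no answer: peer unreachable, UDP/500 filtered, or the peer has "
                 "no crypto map on that interface / no acceptable ISAKMP policy",
    "IKE_I_MM5": "MM5 (our ID and HASH) sent, no answer: the peer could not authenticate us, "
                 "most often a pre-shared key mismatch",
    "IKE_QM_I_QM1": "phase 1 is up but quick mode stalled: transform-set, lifetime or "
                    "crypto ACL (proxy ID) mismatch",
}


def analyze_isakmp_debug(text: str) -> dict:
    """Summarise one initiator-side 'debug crypto isakmp' capture."""
    states = [new for _old, new in STATE_RE.findall(text)]
    phase1 = "IKE_P1_COMPLETE" in states
    phase2 = "IKE_QM_PHASE2_COMPLETE" in states
    stalled = None if phase2 else (states[-1] if states else "no ISAKMP state change seen")
    peer = PEER_RE.search(text)
    return {
        "peer": peer.group(1) if peer else None,
        "phase1_complete": phase1,
        "phase2_complete": phase2,
        "stalled_at": stalled,
        "hint": "tunnel up" if phase2 else HINTS.get(stalled, "see the last state reached"),
        "retransmits": len(RETRANS_RE.findall(text)),
        "ike_proposal": dict(P1_ATTR_RE.findall(text)),          # phase 1 attributes accepted
        "ipsec_proposal": [a or b for a, b in P2_ATTR_RE.findall(text)],
        "spis": SPI_RE.findall(text),
        "proxy_ids": PROXY_RE.findall(text),
    }


if __name__ == "__main__":
    for name, run in (("good run", GOOD_RUN), ("psk mismatch", PSK_MISMATCH_RUN)):
        print(name, "->", analyze_isakmp_debug(run))
```

Feed it `debug crypto isakmp` output saved from the spoke's console; the `proxy_ids` it returns should match the crypto ACL on the spoke and, reversed, the ACL the hub expects, which is the quickest way to confirm the two sides agree on what to protect.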

Ping test

r4#ping 10.1.1.2 repeat 10000

On server, `debug ip icmp` shows the replies going back to the branch:

server#
*Mar  1 02:22:38.047: ICMP: echo reply sent, src 10.1.1.2, dst 4.4.4.2
*Mar  1 02:22:38.423: ICMP: echo reply sent, src 10.1.1.2, dst 4.4.4.2
*Mar  1 02:22:38.551: ICMP: echo reply sent, src 10.1.1.2, dst 4.4.4.2
*Mar  1 02:22:38.799: ICMP: echo reply sent, src 10.1.1.2, dst 4.4.4.2

The replies go to 4.4.4.2, so the probe was sourced from the 4.4.4.0/24 side, which is what VPN_HUB matches; a ping sourced from r4's 1.1.1.0/24 link address would miss the crypto ACL, be PATed to the Dialer address and leave in the clear. To confirm the traffic really went through the tunnel rather than just arriving, `show crypto ipsec sa` on vpnadsl should show the #pkts encaps and #pkts decaps counters climbing in step with the pings.

Attached, the original full configs: http://pan.baidu.com/share/link?shareid=2163115506&uk=4144237329

Article from: CCIE那点事 http://www.jdccie.com/. All rights reserved. Except where a source is noted, articles on this site are the author's original work; they may be freely quoted with attribution. Reposting in full is prohibited.
Link to this article: http://www.jdccie.com/?p=3026 (when reposting, please credit CCIE那点事)