L2TP OVER IPSEC(LNS地址在内网,通过公网映射).doc

1、L2TP OVER IPSEC(LNS 地址在内网，通过公网映射)组网LAC 公网地址为 202.109.207.163，LNS 在用户内网地址为 172.20.210.10，通过映射为公网地址 117.27.234.103。用户需求：PC 用户通过 PPPOE 拨号到 LAC 出发 L2TP 隧道建立，同时要求做 IPSEC 加密。配置：LAC：dis cu#version 5.20, Release 2512P04#sysname lac#l2tp enable#domain default enable system#ipv6#telnet server enable#port-secu

2、rity enable#password-recovery enable#acl number 3500rule 5 permit ip source 202.109.207.163 0 destination 172.20.210.10 0rule 10 permit ip source 172.20.210.10 0 destination 202.109.207.163 0#vlan 1#Ddomain authentication ppp localaccess-limit disablestate activeidle-cut disableself-service-url disa

3、bledomain systemaccess-limit disablestate activeidle-cut disableself-service-url disable#ike peer lacexchange-mode aggressivepre-shared-key cipher $c$3$1x8s/6RGe2wayz2b/ilLMlHyJ86Kag=id-type nameremote-name lnsremote-address 117.27.234.103local-address 202.109.207.163local-name lacnat traversal#ipse

4、c transform-set lacencapsulation-mode tunneltransform espesp authentication-algorithm sha1esp encryption-algorithm 3des#ipsec policy lac 1 isakmpsecurity acl 3500ike-peer lactransform-set lac#user-group systemgroup-attribute allow-guest#local-user adminpassword cipher $c$3$EiAlBrd/gVGFvSMRAmLoJwgze3

5、wHlYa1BQ=authorization-attribute level 3service-type telnetservice-type weblocal-user testpassword cipher $c$3$SQ3SM2FRQoXeMijjRitI72ToSwbJ9f09xw=service-type ppp#l2tp-group 1tunnel password cipher $c$3$TVsHV3HQRBs5eubLlDPrKCp8o8kwnA=tunnel name lacstart l2tp ip 172.20.210.10 domain #interface Aux0a

6、sync mode flowlink-protocol ppp#interface Cellular0/0async mode protocollink-protocol ppp#interface Virtual-Template1ppp authentication-mode pap chap domain #interface NULL0#interface Vlan-interface1pppoe-server bind Virtual-Template 1ip address 192.168.1.1 255.255.255.0#interface GigabitEthernet0/0

7、port link-mode routeip address 202.109.207.163 255.255.255.248ipsec policy lac#interface GigabitEthernet0/1port link-mode bridge#interface GigabitEthernet0/2port link-mode bridge#interface GigabitEthernet0/3port link-mode bridge#interface GigabitEthernet0/4port link-mode bridge#ip route-static 0.0.0

8、.0 0.0.0.0 202.109.207.161ip route-static 0.0.0.0 0.0.0.0 117.27.234.103#dialer-rule 1 ip permit#load xml-configuration#load tr069-configuration#user-interface tty 12user-interface aux 0user-interface vty 0 4authentication-mode scheme#returnLNS：#version 7.1.049, Release 0202#sysname lns#telnet serve

9、r enable#ip pool 1 192.168.101.1 192.168.101.254 #password-recovery enable#vlan 1#interface Virtual-Template1ppp authentication-mode pap chap remote address pool 1 ip address 192.168.200.254 255.255.255.0#interface NULL0#interface LoopBack0ip address 10.10.10.10 255.255.255.255# interface GigabitEth

10、ernet1/0#interface GigabitEthernet1/0.1498description to-12/32ip address 172.20.209.10 255.255.255.128vlan-type dot1q vid 1498#interface GigabitEthernet2/0#interface GigabitEthernet2/0.1499description to-11/32ip address 172.20.210.10 255.255.255.128vlan-type dot1q vid 1499ipsec apply policy lns#sche

11、duler logfile size 16#line class auxuser-role network-operator#line class consoleuser-role network-admin# line class vtyuser-role network-operator#line aux 0user-role network-operator#line con 0user-role network-admin#line vty 0 63authentication-mode schemeuser-role network-operator#ip route-static

12、0.0.0.0 0 172.20.210.1ip route-static 172.20.128.208 28 172.20.109.1ip route-static 172.20.128.208 28 172.20.209.1#domain authentication ppp localauthorization ppp localaccounting ppp local#domain system#aaa session-limit ftp 32aaa session-limit telnet 32aaa session-limit http 32aaa session-limit ss

13、h 32aaa session-limit https 32domain default enable system#role name level-0description Predefined level-0 role#role name level-1description Predefined level-1 role#role name level-2description Predefined level-2 role#role name level-3description Predefined level-3 role#role name level-4description

14、Predefined level-4 role# role name level-5description Predefined level-5 role#role name level-6description Predefined level-6 role#role name level-7description Predefined level-7 role#role name level-8description Predefined level-8 role#role name level-9description Predefined level-9 role#role name

15、level-10description Predefined level-10 role#role name level-11description Predefined level-11 role#role name level-12description Predefined level-12 role#role name level-13description Predefined level-13 role#role name level-14description Predefined level-14 role#user-group system#local-user admin

16、class managepassword hash $h$6$rhjYlaMxTE8Yrgy/$pL4ngHJErR5IS6mIM2TVTpxVJoXAz3Z7twS5WUoHnTBAVcnQ6zRTt3l/IV25NzoxYG4+xduBzNhiM+NovY5gUQ=service-type telnetauthorization-attribute user-role network-adminauthorization-attribute user-role network-operator#local-user test class managepassword hash $h$6$a

17、eSFBsuE4NLmKV/p$Bmfz5WpYqTIdkrJhRl8v9xOkz2sxaxZ4Y0ZtkKglmyw3gvtamdEAxf0CItYelhqBRz/xZmmQF5DcZ3Y15oa5YA=service-type ftpservice-type telnetauthorization-attribute user-role network-operator#local-user test class networkpassword cipher $c$3$dxUAzslPK2voJ3xxO+kdUpqKQK52oAsuNQ= service-type pppauthoriza

18、tion-attribute user-role network-operator#ipsec transform-set lnsesp encryption-algorithm 3des-cbc esp authentication-algorithm sha1 #ipsec policy-template lns 1transform-set lns ike-profile lns#ipsec policy lns 1 isakmp template lns#l2tp-group 1 mode lnsallow l2tp virtual-template 1 remote lactunne

19、l name lnstunnel password cipher $c$3$TbJ0N3WspYQUVRSjjmPBxkFjo3Xhyg=#l2tp enable#ike identity fqdn lns#ike profile lnskeychain lacexchange-mode aggressivelocal-identity fqdn lnsmatch remote identity fqdn lacmatch local address GigabitEthernet2/0.1499#ike keychain lacpre-shared-key hostname lac key

20、cipher $c$3$QGKCezjZ+NqQIHxyMuZsfR/weMCQAw=#return一：概述首先，先将这两个概念理顺一下。IPSEC OVER GRE 即 IPSEC 在里，GRE 在外。首先先把需要加密的数据包封装成 IPSEC 包，然后在扔到 GRE 隧道里发到对端设备。做法是把 IPSEC 的加密策略作用在 Tunnel 口上，即在 Tunnel 口上监听匹配符合访问控制列表的数据流，来确认数据是否需要加密，需要则先加密封装为 IPSEC 包，然后封装成 GRE包进入隧道；反之未在访问控制列表中的数据流将以未加密的状态直接走 GRE 隧道，这样就会存在有些数据处于不安全的

21、传递状态。而 GRE OVER IPSEC 则是 GRE 在里，IPSEC 在外，即先将数据封装成 GRE 包，然后在封装成 IPSEC 包后发到对端设备。做法是把 IPSEC 的加密测试作用在物理端口上，然后根据访问控制列表监控匹配是否有需要加密的 GRE 数据流，有则将 GRE 数据流加密封装成 IPSEC 包再进行传递，这样可以保证所有数据包都会被机密，包括隧道建立和路由的创建和传递。二：IPSEC OVER GRE 与 GRE OVER IPSEC 的配置思路介绍首先先介绍一下配置思路，有两种配置的区别在于 ipsec over gre 是将 ipsec 加密封装应用在 tunnel

22、口上，使用 acl 匹配需要加密数据流来实现。而 gre over ipsec 是将 ipsec 加密封装应用在物理接口上，用 acl 来匹配需要加密的 tunnel 隧道。从这个来讲，后者会安全一点，ipsec 会将所有数据包括隧道报文都进行加密。因此我将配置过程分成三步，这样比较不会乱。第一步先配置公网 ip 及路由，让两端设备的公网 ip 先能互相 ping 通；第二步在配置 GRE 隧道，然后测试 GRE 隧道是否建立正常；第三步再创建 ipsec 加密并引用。拓扑图如下：A：GRE over IPSECR2：作为互联网，保证路由可达即可Int s0/2/0Ip ad 12.1.1.2

23、 24Int s0/2/124.1.1.2 24Int 0/2/2Ip ad 23.1.1.2 24R1： 第一步先配置公网接口 | R3:第一步配置公网接口int s0/2/0 | int s0/2/0Ip ad 12.1.1.1 24 | ip ad 23.1.1.3 24Ip rou 0.0.0.0 0.0.0.0 12.1.1.2 | ip rou 0.0.0.0 0.0.0.0 23.1.1.2第二步配置 GRE | 配置 GREInt tunnel 0 | int tunnel 0Ip ad 192.168.13.1 24 | ip ad 192.168.13.2 24 Sourc

24、e 12.1.1.1 | source 23.1.1.3 Destination 23.1.1.3 | destination 12.1.1.1 Ip rou 192.168.3.1 0 tunnel0 | ip rou 192.168.1.1 0 tunnel0 第三步配置 IPSEC 第三步配置 IPSECIKE 配置 Ike peer r1-r3 ike peer r3-r1 Pre-shared-key 12345 pre-shared-key 12345Remote-address 23.1.1.3 remote-address 12.1.1.1Ipsec 类型Ipsec propo

25、sal r1-r3 ipsec proposal r3-r1Encapsulation tunnel/transport Encapsulation tunnel/transportTransform esp Transform espEsp authentication-algorithm sha1 Esp authentication-algorithm sha1 Esp encryption-algorithm 3des Esp encryption-algorithm 3desACL 匹配策略Acl number 3013 acl number 3013Rule 5 permit ip

26、 source 12.1.1.1 0 rule 5 permit ip source 23.1.1.3 0Destination 23.1.1.1 0 destination 12.1.1.1 0Ipsec 策略Ipsec policy r13 1 isakmp ipsec policy r31 1 isakmpSecurity acl 3013 security acl 3031Ike-peer r1-r3 ike-peer r3-r1Proposal r1-r3 proposal r3-r1应用到接口Int s0/2/0 int s0/2/0Ipsec policy r13 ipsec p

27、olicy r31B：IPSEC over GRER2：作为互联网，保证路由可达即可Int s0/2/0Ip ad 12.1.1.2 24Int s0/2/124.1.1.2 24Int 0/2/2Ip ad 23.1.1.2 24R1： 第一步先配置公网接口 | R3:第一步配置公网接口int s0/2/0 | int s0/2/0Ip ad 12.1.1.1 24 | ip ad 23.1.1.3 24Ip rou 0.0.0.0 0.0.0.0 12.1.1.2 | ip rou 0.0.0.0 0.0.0.0 23.1.1.2第二步配置 GRE | 配置 GREInt tunnel 0

28、 | int tunnel 0Ip ad 192.168.13.1 24 | ip ad 192.168.13.2 24 Source 12.1.1.1 | source 23.1.1.3 Destination 23.1.1.3 | destination 12.1.1.1 Ip rou 192.168.3.1 0 tunnel0 | ip rou 192.168.1.1 0 tunnel0 第三步配置 IPSEC 第三步配置 IPSECIKE 配置 Ike peer r1-r3 ike peer r3-r1 Pre-shared-key 12345 pre-shared-key 12345

29、Remote-address 192.168.13.2 remote-address 192.168.13.1Ipsec 类型Ipsec proposal r1-r3 ipsec proposal r3-r1Encapsulation tunnel Encapsulation tunnelTransform esp Transform espEsp authentication-algorithm sha1 Esp authentication-algorithm sha1 Esp encryption-algorithm 3des Esp encryption-algorithm 3desA

30、CL 匹配策略Acl number 3013 acl number 3013Rule 5 permit ip source 192.168.1.1 0 rule 5 permit ip source 192.168.3.1 0Destination 192.168.3.1 0 destination 192.168.1.1 0Ipsec 策略Ipsec policy r13 1 isakmp ipsec policy r31 1 isakmpSecurity acl 3013 security acl 3031Ike-peer r1-r3 ike-peer r3-r1Proposal r1-r

31、3 proposal r3-r1应用到 TUNNEL 口Int tunnel 0 int tunnle 0Ipsec policy r13 ipsec policy r31三：ipsec over gre 与 gre over ipsec 报文路由转发和封装过程首先是 gre over ipsec 的路由转发过程：R1 路由表：dis ip rouRouting Tables: PublicDestinations : 13 Routes : 13Destination/Mask Proto Pre Cost NextHop Interface0.0.0.0/0 Static 60 0 12.

32、1.1.2 S0/2/012.1.1.0/24 Direct 0 0 12.1.1.1 S0/2/012.1.1.1/32 Direct 0 0 127.0.0.1 InLoop012.1.1.2/32 Direct 0 0 12.1.1.2 S0/2/0127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0192.168.1.1/32 Direct 0 0 127.0.0.1 InLoop0192.168.3.1/32 Static 60 0 192.168.13.1 Tun0192.

33、168.10.1/32 Static 60 0 192.168.110.1 Tun1192.168.13.0/24 Direct 0 0 192.168.13.1 Tun0192.168.13.1/32 Direct 0 0 127.0.0.1 InLoop0192.168.110.0/24 Direct 0 0 192.168.110.1 Tun1192.168.110.1/32 Direct 0 0 127.0.0.1 InLoop0路由转发过程如下:192.168.1.1 发往 192.168.3.1：原始报文 匹配路由表 -tunnel0 GRE 封装后源地址为自己公网，目的为对方公网

34、 -路由到物理接口 -匹配到 acl -ipsec 加密封装 -对端ipsec over gre 的路由转发过程：R1 路由表：r1 dis ip rouRouting Tables: PublicDestinations : 13 Routes : 13Destination/Mask Proto Pre Cost NextHop Interface0.0.0.0/0 Static 60 0 12.1.1.2 S0/2/012.1.1.0/24 Direct 0 0 12.1.1.1 S0/2/012.1.1.1/32 Direct 0 0 127.0.0.1 InLoop012.1.1.2

35、/32 Direct 0 0 12.1.1.2 S0/2/0127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0192.168.1.1/32 Direct 0 0 127.0.0.1 InLoop0192.168.3.1/32 Static 60 0 192.168.13.1 Tun0192.168.10.1/32 Static 60 0 192.168.110.1 Tun1192.168.13.0/24 Direct 0 0 192.168.13.1 Tun0192.168.13.1/32 Direct 0 0 127.0.0.1 InLoop0192.168.110.0/24 Direct 0 0 192.168.110.1 Tun1192.168.110.1/32 Direct 0 0 127.0.0.1 InLoop0路由转发过程如下:192.168.1.1 发往 192.168.3.1：原始报文 匹配路由表 -tunnel0 匹配到 acl -ipsec 加密隧道封装 源地址本端 tunnel 口地址，目的为对端 tunnel 口地址 - GRE 封装后源地址为自己公网，目的为对方公网 -路由到物理接口 -对端