拓扑如下:
要求:C1使用L2TP VPN加密访问Server
配置:
Gateway:
hostname Gateway interface FastEthernet0/0 ip address 10.1.1.1 255.255.255.0 ip nat inside interface FastEthernet0/1 ip address 202.100.1.1 255.255.255.0 ip nat outside ip access-list extended PAT permit ip 10.1.1.0 0.0.0.255 any ip nat inside source list PAT interface FastEthernet0/1 overload ip route 0.0.0.0 0.0.0.0 202.100.1.10 vpdn enable //启用VPDN(Virtual Private Dial-up Networks)功能 vpdn-group 1 Default L2TP VPDN group accept-dialin //服务器为接受拨入 protocol l2tp virtual-template 1 //关联到虚拟模板用于克隆产生Virtual-Access接口 l2tp security crypto-profile L2TP-CRY-PROFILE no l2tp tunnel authentication //禁用L2TP的L2L认证 username cisco password 0 cisco123 ip local pool L2TP-Pool 123.1.1.100 123.1.1.200 interface Virtual-Template1 ip unnumbered FastEthernet0/0 //unnumbered任意一个有IP地址的接口,也可以任意配置IP地址 peer default ip address pool L2TP-Pool ppp authentication ms-chap-v2 //Windows默认算法 crypto isakmp policy 10 //策略只能如下,因为Windows默认会使用如下的策略 encr 3des authentication pre-share group 2 crypto isakmp key [email protected] address 0.0.0.0 0.0.0.0 crypto ipsec transform-set myset esp-3des esp-sha-hmac //策略只能如下,因为Windows默认会使用如下的策略 mode transport crypto map mymap 10 ipsec-isakmp profile L2TP-CRY-PROFILE set transform-set myset interface FastEthernet0/1 crypto map mymap
Server:
hostname Server no ip domain lookup interface FastEthernet0/0 ip address 10.1.1.10 255.255.255.0 no ip routing ip default-gateway 10.1.1.1 ip http server line vty 0 4 no login enable password cisco
ISP:
hostname ISP interface FastEthernet0/0 ip address 61.128.1.10 255.255.255.0 duplex auto speed auto ! interface FastEthernet0/1 ip address 202.100.1.10 255.255.255.0 duplex auto speed auto
HomeGW:
hostname HomeGW interface Ethernet0/0 ip address 61.128.1.1 255.255.255.0 ip nat outside ip virtual-reassembly full-duplex interface Ethernet0/1 ip address 192.168.1.1 255.255.255.0 ip nat inside ip virtual-reassembly half-duplex ip dhcp pool 192 network 192.168.1.0 255.255.255.0 default-router 192.168.1.1 ip dhcp excluded-address 192.168.1.1 ip route 0.0.0.0 0.0.0.0 Ethernet0/0 ip access-list standard PAT permit any ip nat inside source list PAT interface Ethernet0/0 overload
验证:
拨号成功后在客户机上查看接口信息:
查看客户端路由:
从客户端Telnet到Server:
查看ISAKMP SA:
查看IKE和SA:
查看拨号上来的用户、接口和路由:
在ISP上抓包结果:
从路由器Gateway断开l2tpVPN的方法:
首先查看一个远端用户是从哪个接口连上来的,再使用clear清楚端口:
时间: 2024-11-06 09:31:45