LAN-to-LAN VPN and Remote Access VPN
Overview
As a company grows, a LAN-to-LAN VPN alone no longer meets the needs of mobile workers. A remote access VPN lets employees working outside the office reach internal company resources and adapts better to how the business develops. This lab covers the combination of a LAN-to-LAN VPN with a remote access VPN.
I. Lab Objectives
- Become familiar with LAN-to-LAN VPN;
- Understand and master the principles and configuration of remote access VPN;
- Master the combination of LAN-to-LAN VPN with remote access VPN;
II. Lab Topology
Note:
All routers in this lab run the c7200-adventerprisek9-mz[1].124-20.T image. Site1 simulates company headquarters and Site2 a branch office. The lab combines a LAN-to-LAN VPN with a remote access VPN. The ISP holds routes only for the subnets of its own three interfaces. Each site's loopback address simulates the network behind it (its internal network); a default route pointing at the ISP lets the sites reach each other. Until the configuration is complete, the internal networks of the two sites cannot communicate. For the remote access VPN, the topology is bridged to a Windows XP client (C1, running in a virtual machine) so that XP can dial in with the VPN client software to company headquarters (Site1) and also reach the branch office network (Site2), while the XP client's Internet traffic is not affected by the VPN.
III. Lab Requirements
- The internal networks of the two sites can communicate through the VPN;
- The client can reach the internal networks of both sites through the VPN;
- The client's Internet traffic is kept separate from the VPN traffic and is not affected by the VPN;
IV. Lab Steps
1. Basic network configuration
Before starting, set up the basic network environment according to the topology diagram.
R1 (Site1) configuration
Site1(config)#inter loo0
Site1(config-if)#ip add 192.168.1.1 255.255.255.0
Site1(config-if)#inter fa0/0
Site1(config-if)#ip add 100.1.1.1 255.255.255.0
Site1(config-if)#no shut
Site1(config-if)#exit
Site1(config)#ip route 0.0.0.0 0.0.0.0 100.1.1.254 //default route toward the Internet, which gives the sites reachability to each other
ISP configuration
ISP(config)#inter fa0/1
ISP(config-if)#ip add 100.1.1.254 255.255.255.0
ISP(config-if)#no shut
ISP(config-if)#inter fa1/0
ISP(config-if)#ip add 200.1.1.254 255.255.255.0
ISP(config-if)#no shut
ISP(config-if)#inter fa0/0
ISP(config-if)#ip add 11.11.11.254 255.255.255.0
ISP(config-if)#no shut
ISP(config-if)#exit
Site2 configuration
Site2(config)#inter fa0/0
Site2(config-if)#ip add 200.1.1.1 255.255.255.0
Site2(config-if)#no shut
Site2(config-if)#inter loo0
Site2(config-if)#ip add 172.16.1.1 255.255.255.0
Site2(config-if)#no shut
Site2(config-if)#exit
Site2(config)#ip route 0.0.0.0 0.0.0.0 200.1.1.254
PC configuration
C:\>ipconfig

Windows IP Configuration

Ethernet adapter 本地连接:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 11.11.11.11
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 11.11.11.254
Verify connectivity
Site1 to Site2 and the PC
Site1#ping 200.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/76/140 ms
Site1#
Site1#ping 11.11.11.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.11.11.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/52/92 ms
Site2 to Site1 and the PC
Site2#ping 100.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/67/136 ms
Site2#ping 11.11.11.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.11.11.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/50/84 ms
2. LAN-to-LAN VPN configuration
Site1 configuration
Phase 1 configuration:
Site1(config)#crypto isakmp policy 10
Site1(config-isakmp)#authentication pre-share //authenticate with a pre-shared key
Site1(config-isakmp)#encryption 3des
Site1(config-isakmp)#group 2
Site1(config-isakmp)#hash md5
Site1(config-isakmp)#exit //the lines above define the authentication method, the IKE encryption algorithm, the DH group and the IKE integrity algorithm
Site1(config)#crypto isakmp key freeit address 200.1.1.1 //pre-shared key freeit for the peer 200.1.1.1
Phase 2 configuration:
Site1(config)#crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
Site1(cfg-crypto-trans)#exit //define the IPsec transform set
Site1(config)#ip access-list extended VPN
Site1(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
Site1(config-ext-nacl)#exit //define the interesting traffic
Site1(config)#crypto map MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
Site1(config-crypto-map)#set peer 200.1.1.1
Site1(config-crypto-map)#set transform-set IPSEC
Site1(config-crypto-map)#match address VPN //create the crypto map, which ties the phase 2 policy together
Site1(config-crypto-map)#inter fa0/0
Site1(config-if)#crypto map MAP
Site1(config-if)#exit //apply the crypto map to the interface
Site2 configuration (same as Site1)
Site2(config)#crypto isakmp policy 10
Site2(config-isakmp)#encr 3des
Site2(config-isakmp)#hash md5
Site2(config-isakmp)#authentication pre-share
Site2(config-isakmp)#group 2
Site2(config-isakmp)#crypto isakmp key freeit address 100.1.1.1
Site2(config)#crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
Site2(cfg-crypto-trans)#exit
Site2(config)#ip access-list extended VPN
Site2(config-ext-nacl)#permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
Site2(config-ext-nacl)#exit
Site2(config)#crypto map MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
Site2(config-crypto-map)#set peer 100.1.1.1
Site2(config-crypto-map)#set transform-set IPSEC
Site2(config-crypto-map)#match address VPN
Site2(config-crypto-map)#exit
Site2(config)#inter fa0/0
Site2(config-if)#crypto map MAP
Site2(config-if)#exit
Verify VPN connectivity between the two sites
Before testing, first check whether any SA has been established.
Site1(config)#do sho crypto isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

IPv6 Crypto ISAKMP SA

Site1(config)#do sho crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: MAP, local addr 100.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   current_peer 200.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 //the encrypt/decrypt counters are 0: no SA has been established yet
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 100.1.1.1, remote crypto endpt.: 200.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
Send ICMP packets from Site1 to Site2
Site1#ping 172.16.1.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 184/205/236 ms //4 of the 5 packets succeeded
The first echo is lost while the IKE and IPsec SAs are still being negotiated, which is normal; the ISAKMP SA is now in QM_IDLE and packets are being encrypted and decrypted.
Check the SAs again
Site1#sho cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
200.1.1.1       100.1.1.1       QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

Site1#sho cry ip sa

interface: FastEthernet0/0
    Crypto map tag: MAP, local addr 100.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   current_peer 200.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4 //4 packets encrypted and decrypted, so the VPN between the two sites is working
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 100.1.1.1, remote crypto endpt.: 200.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x7EFD608F(2130534543)

     inbound esp sas:
      spi: 0x9B456C18(2605018136)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, crypto map: MAP
        sa timing: remaining key lifetime (k/sec): (4523978/3552)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x7EFD608F(2130534543)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, crypto map: MAP
        sa timing: remaining key lifetime (k/sec): (4523978/3552)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
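The counters in the output above are what tell you whether phase 2 actually came up: the SPIs show that SAs exist, and matching encaps/decaps counters show traffic flowing in both directions. The Python script below is an added example, not part of the original lab, that pulls those fields out of `show crypto ipsec sa` text and classifies the tunnel state. The two samples are abridged from Site1's output before and after the ping; the function names are my own.

```python
"""Parse the fields a troubleshooter looks at first in `show crypto ipsec sa`
(added example, not part of the lab). Samples are abridged from the Site1
output shown in the lab, before and after the ping."""
import re

BEFORE_PING = """\
interface: FastEthernet0/0
    Crypto map tag: MAP, local addr 100.1.1.1
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   current_peer 200.1.1.1 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     current outbound spi: 0x0(0)
     inbound esp sas:
     outbound esp sas:
"""

AFTER_PING = """\
interface: FastEthernet0/0
    Crypto map tag: MAP, local addr 100.1.1.1
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   current_peer 200.1.1.1 port 500
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #send errors 1, #recv errors 0
     current outbound spi: 0x7EFD608F(2130534543)
     inbound esp sas:
      spi: 0x9B456C18(2605018136)
        Status: ACTIVE
     outbound esp sas:
      spi: 0x7EFD608F(2130534543)
        Status: ACTIVE
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident .*?: \((\S+?)/(\S+?)/\d+/\d+\)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt|verify|digest): (\d+)")
ERR_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")
PEER_RE = re.compile(r"current_peer (\S+) port (\d+)")
# An SPI line directly under "inbound/outbound esp sas:" means that SA exists.
SPI_RE = re.compile(r"(inbound|outbound) esp sas:\s*\n\s*spi: (0x[0-9A-Fa-f]+)")


def parse_ipsec_sa(text: str) -> dict:
    """Extract peer, proxy identities, packet counters, error counters and SPIs."""
    sa = {"peer": None, "local": None, "remote": None,
          "counters": {}, "send_errors": 0, "recv_errors": 0, "spi": {}}
    m = PEER_RE.search(text)
    if m:
        sa["peer"] = m.group(1)
    for side, net, mask in IDENT_RE.findall(text):
        sa[side] = f"{net}/{mask}"
    for name, value in COUNTER_RE.findall(text):
        sa["counters"][name] = int(value)
    m = ERR_RE.search(text)
    if m:
        sa["send_errors"], sa["recv_errors"] = int(m.group(1)), int(m.group(2))
    for direction, spi in SPI_RE.findall(text):
        sa["spi"][direction] = spi
    return sa


def tunnel_state(sa: dict) -> str:
    """'no-sa': nothing negotiated yet; 'one-way': encrypting but nothing
    decrypted (or the reverse), typically a mirror-ACL or routing problem on
    the far side; 'bidirectional': traffic flows both ways."""
    if not sa["spi"]:
        return "no-sa"
    enc = sa["counters"].get("encaps", 0)
    dec = sa["counters"].get("decaps", 0)
    if enc > 0 and dec > 0:
        return "bidirectional"
    return "one-way"


if __name__ == "__main__":
    for label, text in (("before", BEFORE_PING), ("after", AFTER_PING)):
        sa = parse_ipsec_sa(text)
        print(label, tunnel_state(sa), sa["counters"], sa["spi"])
```

The `send errors 1` after the ping corresponds to the one echo dropped while IKE was negotiating; a counter that keeps growing without `decaps` moving is the signature of a one-way tunnel and is what `tunnel_state` flags.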
3. Remote access VPN
This lab combines a LAN-to-LAN VPN with a remote access VPN: the LAN-to-LAN VPN is configured first, then the remote access VPN, so that a remote client can reach the internal resources of both sites without affecting the client's Internet access.
In this lab everything for the remote access VPN is configured on the router; the client only needs a VPN client installed in order to log in.
3.1 Basic configuration
Configuration on Site1
Site1(config)#aaa new-model //enable AAA
Site1(config)#aaa authentication login noauthen none
Site1(config)#lin con 0
Site1(config-line)#login authentication noauthen
Site1(config-line)#exit //the lines above exempt the console line from AAA login authentication so that enabling AAA does not lock us out of the console
Site1(config)#username test password test //create a user account (the client logs in through a dial-up connection and must supply credentials)
Site1(config)#aaa authentication login ezvpn-authen local
Site1(config)#aaa authorization network ezvpn-author local //authentication and authorization lists for client logins
Site1(config)#ip local pool EZVPN-POOL 172.16.10.100 172.16.10.150 //address pool: after connecting to the VPN server, a client needs an internal address in order to talk to the internal network
Site1(config)#crypto isakmp client configuration group ezvpn //create a client group that connecting clients are placed in
Site1(config-isakmp-group)#key gyh //group authentication key, the counterpart of the pre-shared key in LAN-to-LAN
Site1(config-isakmp-group)#pool EZVPN-POOL //reference the address pool
Site1(config-isakmp-group)#exit
The authentication, authorization and group defined above still have to be referenced somewhere, and how to do so is the question. Referencing them directly in MAP would end up interfering with the LAN-to-LAN configuration, so in this lab we reference them through a profile, as follows:
Site1(config)#crypto isakmp profile ezvpn
% A profile is deemed incomplete until it has match identity statements
Site1(conf-isa-prof)#match identity group ezvpn //reference the client group
Site1(conf-isa-prof)#client authentication list ezvpn-authen //reference the authentication list
Site1(conf-isa-prof)#isakmp authorization list ezvpn-author //reference the authorization list
Site1(conf-isa-prof)#client configuration address respond //respond to the client's address request
Site1(conf-isa-prof)#exit
The profile is then referenced from the dynamic map, which follows….
Like the LAN-to-LAN VPN, the remote access VPN also needs a crypto map. But because the client obtains its address dynamically from the VPN server, a static map cannot be used; a dynamic map is required, as follows:
Site1(config)#crypto dynamic-map DYMAP 10
Site1(config-crypto-map)#set transform-set IPSEC //reference the transform set
Site1(config-crypto-map)#set isakmp-profile ezvpn //reference the profile
Site1(config-crypto-map)#reverse-route //reverse route injection: once a client connects, a route for the address it was assigned is injected into the VPN server's routing table so that the server can reply to the client
Site1(config-crypto-map)#exit
Next the crypto map has to be applied. A dynamic crypto map cannot be applied to an interface directly; it must be referenced from a static map. The LAN-to-LAN VPN has already applied a static map to the interface and a second map cannot be applied, but another sequence number of the same map can be used, as follows:
Site1(config)#crypto map MAP 20 ipsec-isakmp dynamic DYMAP
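The chain of references built above (client group, ISAKMP profile, dynamic map, and finally a sequence number in the static crypto map that is on the interface) breaks silently when one name is mistyped or when the dynamic entry gets a lower sequence number than the LAN-to-LAN entry, since crypto map entries are evaluated in sequence order and the dynamic entry is a catch-all that should be evaluated last. The Python script below is an added example, not part of the lab, that walks that chain over a running-config excerpt copied from the final Site1 configuration and reports anything unresolved. `check_ezvpn_chain` and the other function names are my own.

```python
"""Consistency check for the EZVPN reference chain on an IOS router
(added example, not the lab's own code). The excerpt below is copied from
the lab's final Site1 configuration, trimmed to the relevant lines."""

SITE1_RUNNING_CONFIG = """\
aaa new-model
aaa authentication login ezvpn-authen local
aaa authorization network ezvpn-author local
crypto isakmp client configuration group ezvpn
 key gyh
 pool EZVPN-POOL
 acl Split
crypto isakmp profile ezvpn
   match identity group ezvpn
   client authentication list ezvpn-authen
   isakmp authorization list ezvpn-author
   client configuration address respond
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
crypto dynamic-map DYMAP 10
 set transform-set IPSEC
 set isakmp-profile ezvpn
 reverse-route
crypto map MAP 10 ipsec-isakmp
 set peer 200.1.1.1
 set transform-set IPSEC
 match address VPN
crypto map MAP 20 ipsec-isakmp dynamic DYMAP
interface FastEthernet0/0
 ip address 100.1.1.1 255.255.255.0
 crypto map MAP
ip local pool EZVPN-POOL 172.16.10.100 172.16.10.150
ip access-list extended Split
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended VPN
 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
"""


def sections(config: str) -> dict:
    """Split an IOS config into {top-level line: [indented child lines]}."""
    result, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line[0] != " ":
            current = line.strip()
            result.setdefault(current, [])
        elif current is not None:
            result[current].append(line.strip())
    return result


def check_ezvpn_chain(config: str) -> list:
    """Follow interface -> crypto map -> dynamic map -> profile -> group and
    return a list of problems; an empty list means the chain is consistent."""
    cfg = sections(config)
    problems = []

    def defined(prefix):  # header equal to prefix, or prefix followed by more words
        return any(h == prefix or h.startswith(prefix + " ") for h in cfg)

    def children(prefix):
        return [c for h, cs in cfg.items()
                if h == prefix or h.startswith(prefix + " ") for c in cs]

    def check_group(name):
        header = f"crypto isakmp client configuration group {name}"
        if not defined(header):
            problems.append(f"client group {name} not defined")
            return
        kids = children(header)
        if not any(k.startswith("key ") for k in kids):
            problems.append(f"group {name} has no key")
        for k in kids:
            w = k.split()
            if w[0] == "pool" and not defined(f"ip local pool {w[1]}"):
                problems.append(f"pool {w[1]} not defined")
            if w[0] == "acl" and not defined(f"ip access-list extended {w[1]}"):
                problems.append(f"split-tunnel ACL {w[1]} not defined")

    def check_profile(name):
        if not defined(f"crypto isakmp profile {name}"):
            problems.append(f"isakmp profile {name} not defined")
            return
        for c in children(f"crypto isakmp profile {name}"):
            w = c.split()
            if w[:3] == ["match", "identity", "group"]:
                check_group(w[3])
            elif w[:3] == ["client", "authentication", "list"] and \
                    not defined(f"aaa authentication login {w[3]}"):
                problems.append(f"aaa login list {w[3]} not defined")
            elif w[:3] == ["isakmp", "authorization", "list"] and \
                    not defined(f"aaa authorization network {w[3]}"):
                problems.append(f"aaa network authorization list {w[3]} not defined")

    # Start from whichever crypto map is actually applied to an interface.
    for map_name in {c.split()[2] for c in children("interface") if c.startswith("crypto map ")}:
        entries = [h.split() for h in cfg if h.startswith(f"crypto map {map_name} ")]
        static = [int(e[3]) for e in entries if "dynamic" not in e]
        dynamic = [(int(e[3]), e[-1]) for e in entries if "dynamic" in e]
        if not dynamic:
            problems.append(f"crypto map {map_name} has no dynamic entry")
        if static and dynamic and min(s for s, _ in dynamic) < max(static):
            problems.append(f"crypto map {map_name}: dynamic entry is evaluated before a static one")
        for _, dymap in dynamic:
            if not defined(f"crypto dynamic-map {dymap}"):
                problems.append(f"dynamic map {dymap} referenced but not defined")
            for c in children(f"crypto dynamic-map {dymap}"):
                if c.startswith("set transform-set ") and \
                        not defined(f"crypto ipsec transform-set {c.split()[-1]}"):
                    problems.append(f"transform set {c.split()[-1]} not defined")
                if c.startswith("set isakmp-profile "):
                    check_profile(c.split()[-1])
    return problems


if __name__ == "__main__":
    print(check_ezvpn_chain(SITE1_RUNNING_CONFIG) or "chain is consistent")
```

Run it against `show running-config` output saved to a file and an empty result means every name in the chain resolves and the LAN-to-LAN entry keeps its priority over the dynamic one.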
3.2 Client setup
With the preparation done, what remains is how to connect from the client.
Install the VPN client on the client machine (installation steps omitted)… then open it:
Create a new connection
Click Save
After clicking OK the connection dialog closes; find the icon in the bottom-right corner of the desktop and open it:
After the connection succeeds we can send ICMP packets to test
Before sending, the encrypted packet count is 40 and the decrypted count is 0
After sending, both the encrypted and decrypted counts increase, showing that the connection is established and the client's traffic to the company is protected by the VPN.
Check Site1's routing table
Site1(config)#do sho ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 100.1.1.254 to network 0.0.0.0

     100.0.0.0/24 is subnetted, 1 subnets
C       100.1.1.0 is directly connected, FastEthernet0/0
     172.16.0.0/32 is subnetted, 1 subnets
S       172.16.10.100 [1/0] via 11.11.11.11
C    192.168.1.0/24 is directly connected, Loopback0
S*   0.0.0.0/0 [1/0] via 100.1.1.254
A route for the address assigned from the client pool now appears (injected by reverse-route).
3.3 Split tunneling
See the figure below:
The secure route is the default network, meaning that all of the client's traffic, including its Internet traffic, is now under the protection of the IPsec VPN. As a result the client can no longer reach the Internet, which is not what we want. Split tunneling is therefore needed to separate the client's other traffic from the VPN traffic so that the two do not affect each other.
Site1 configuration
Site1(config)#ip access-list extended Split
Site1(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 any //internal network to any address (from the client's point of view, any traffic destined for Site1's internal network)
Site1(config)#crypto isakmp client configuration group ezvpn
Site1(config-isakmp-group)#acl Split //reference the ACL in the client group
Next, disconnect the client, reconnect, and check again
As the figure shows, the secure route is now the 192.168.1.0/24 network, i.e. Site1's internal network.
3.4 Client connectivity to Site2 (combining LAN-to-LAN and remote access VPN)
This step demonstrates the combination of LAN-to-LAN VPN and remote access VPN; in practical terms, a remote worker can use the VPN to reach company headquarters and also the branch office. The steps are as follows:
On Site1, add the interesting traffic and the split-tunnel traffic:
Site1(config)#ip access-list extended VPN
Site1(config-ext-nacl)#permit ip 172.16.10.0 0.0.0.255 172.16.1.0 0.0.0.255
Site1(config-ext-nacl)#exit
Site1(config)#ip access-list extended Split
Site1(config-ext-nacl)#permit ip 172.16.1.0 0.0.0.255 any
Site1(config-ext-nacl)#exit
Site1(config)#do sho ip access
Extended IP access list Split
    10 permit ip 192.168.1.0 0.0.0.255 any
    20 permit ip 172.16.1.0 0.0.0.255 any
Extended IP access list VPN
    10 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255 (9 matches)
    20 permit ip 172.16.10.0 0.0.0.255 172.16.1.0 0.0.0.255
Note: the split-tunnel ACL entries are exactly the secure routes the client receives (i.e. where the client is able to reach), so to connect to Site2 the traffic toward Site2's internal network has to be added. The interesting traffic on Site1 is added because the client reaches Site2 only after connecting to Site1, using an address from the pool (which sits on Site1's internal side), so that traffic is effectively VPN traffic from Site1 to Site2, i.e. LAN-to-LAN VPN traffic.
Add the interesting traffic on Site2
Site2(config)#ip access-list extended VPN
Site2(config-ext-nacl)#permit ip 172.16.1.0 0.0.0.255 172.16.10.0 0.0.0.255
Site2(config-ext-nacl)#exit
Site2(config)#do sho ip access
Extended IP access list VPN
    10 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255 (8 matches)
    20 permit ip 172.16.1.0 0.0.0.255 172.16.10.0 0.0.0.255
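Both the split-tunnel ACL from 3.3 and the interesting-traffic ACLs just extended are ordinary extended ACLs, and two things commonly go wrong with them: after one peer is edited, the two crypto ACLs stop being exact mirrors of each other (phase 2 then fails for that pair of networks), and a destination the client should reach stays outside the split list and goes out unprotected. The Python script below is an added example, not part of the lab, that checks both. The ACL text is copied from the `show ip access-list` output above; the client destinations are constructed samples, and the function names are my own. The split-tunnel check also shows the full-tunnel case from 3.3 (no ACL at all) for comparison.

```python
"""Crypto ACL mirror check and split-tunnel routing check for the lab's ACLs
(added example, not the lab's own code)."""
from ipaddress import ip_address, ip_network

# ACLs as shown in the lab's `do sho ip access` output (sequence numbers dropped).
SITE1_VPN = """
permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
permit ip 172.16.10.0 0.0.0.255 172.16.1.0 0.0.0.255
"""
SITE2_VPN = """
permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 172.16.1.0 0.0.0.255 172.16.10.0 0.0.0.255
"""
SITE1_SPLIT = """
permit ip 192.168.1.0 0.0.0.255 any
permit ip 172.16.1.0 0.0.0.255 any
"""
# Constructed client destinations: Site1 LAN, Site2 LAN, and an Internet host.
SAMPLE_DESTINATIONS = ["192.168.1.1", "172.16.1.1", "203.0.113.10"]


def wildcard_to_network(addr: str, wildcard: str):
    """IOS wildcard mask (e.g. 0.0.0.255) -> ip_network; 'any' -> 0.0.0.0/0."""
    if addr == "any":
        return ip_network("0.0.0.0/0")
    mask = int(ip_address("255.255.255.255")) ^ int(ip_address(wildcard))
    return ip_network(f"{addr}/{bin(mask).count('1')}")


def parse_acl(text: str):
    """Return [(src_network, dst_network)] for each 'permit ip' line.
    Only the 'addr wildcard' and 'any' forms used in this lab are handled."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:2] != ["permit", "ip"]:
            continue
        tok, nets = tok[2:], []
        while tok:
            if tok[0] == "any":
                nets.append(wildcard_to_network("any", ""))
                tok = tok[1:]
            else:
                nets.append(wildcard_to_network(tok[0], tok[1]))
                tok = tok[2:]
        entries.append((nets[0], nets[1]))
    return entries


def unmirrored(local_acl: str, remote_acl: str):
    """Crypto ACL entries that the other peer does not mirror exactly.
    IOS needs the peer's entry to be the (dst, src) swap of ours; anything
    returned here will fail phase 2 negotiation for that pair of networks."""
    local = set(parse_acl(local_acl))
    remote = {(dst, src) for src, dst in parse_acl(remote_acl)}
    return sorted(f"{s}->{d}" for s, d in local ^ remote)


def tunneled(split_acl: str, destination: str) -> bool:
    """Does the client send `destination` through the IPsec tunnel?
    The split ACL is written from the gateway's side, so its *source*
    networks become the client's secure routes. No ACL means full tunnel."""
    if not split_acl.strip():
        return True
    dst = ip_address(destination)
    return any(dst in src for src, _ in parse_acl(split_acl))


def client_routing(split_acl: str, destinations):
    return {d: ("tunnel" if tunneled(split_acl, d) else "direct") for d in destinations}


if __name__ == "__main__":
    print("unmirrored entries:", unmirrored(SITE1_VPN, SITE2_VPN))
    print("full tunnel :", client_routing("", SAMPLE_DESTINATIONS))
    print("split tunnel:", client_routing(SITE1_SPLIT, SAMPLE_DESTINATIONS))
```

For the client to reach Site2, both checks have to pass at once: the Split ACL decides that 172.16.1.0/24 enters the tunnel at the client, and the mirrored pool entries in the VPN ACLs decide that Site1 forwards it on to Site2 encrypted rather than dropping it.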
Test: after the client connects to Site1, send ICMP traffic to Site2
Check the IPsec SA
Site2#sho crypto ipsec sa

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
   current_peer 100.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 200.1.1.1, remote crypto endpt.: 100.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xD6AD8A79(3601697401)

     inbound esp sas:
      spi: 0xFEB648D4(4273359060)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 5, flow_id: SW:5, crypto map: MAP
        sa timing: remaining key lifetime (k/sec): (4564354/3470)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xD6AD8A79(3601697401)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 6, flow_id: SW:6, crypto map: MAP
        sa timing: remaining key lifetime (k/sec): (4564354/3470)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
Final configuration of each router
Site1 configuration:
aaa new-model
!
!
aaa authentication login noauthen none
aaa authentication login ezvpn-authen local
aaa authorization network ezvpn-author local
!
!
aaa session-id common
ip source-route
!
username test password 0 test
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key freeit address 200.1.1.1
!
crypto isakmp client configuration group ezvpn
 key gyh
 pool EZVPN-POOL
 acl Split
crypto isakmp profile ezvpn
   match identity group ezvpn
   client authentication list ezvpn-authen
   isakmp authorization list ezvpn-author
   client configuration address respond
!
!
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
!
crypto dynamic-map DYMAP 10
 set transform-set IPSEC
 set isakmp-profile ezvpn
 reverse-route
!
!
crypto map MAP 10 ipsec-isakmp
 set peer 200.1.1.1
 set transform-set IPSEC
 match address VPN
crypto map MAP 20 ipsec-isakmp dynamic DYMAP
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 100.1.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map MAP
!
ip local pool EZVPN-POOL 172.16.10.100 172.16.10.150
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 100.1.1.254
!
ip access-list extended Split
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 172.16.1.0 0.0.0.255 any
ip access-list extended VPN
 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
 permit ip 172.16.10.0 0.0.0.255 172.16.1.0 0.0.0.255
!
!
end
ISP configuration:
interface FastEthernet0/0
 ip address 11.11.11.254 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 100.1.1.254 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 200.1.1.254 255.255.255.0
 duplex full
Site2 configuration:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key freeit address 100.1.1.1
!
!
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
!
crypto map MAP 10 ipsec-isakmp
 set peer 100.1.1.1
 set transform-set IPSEC
 match address VPN
!
!
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 200.1.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map MAP
!
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 200.1.1.254
no ip http server
no ip http secure-server
!
!
ip access-list extended VPN
 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 172.16.1.0 0.0.0.255 172.16.10.0 0.0.0.255
!