
Example: configuring secure interconnection between a branch office and headquarters with L2TP over IPSec

Author: 刘俊辉个人博客 (Liu Junhui's personal blog)

Preface:

Readers are currently quite interested in the topic of "l2tp tunnel" and want to learn more about it, so I have collected some material on "l2tp tunnel" from around the web. I hope you find it useful; let's take a look together.

Networking requirements

As shown in the figure below, AR1 is the enterprise branch gateway and AR3 is the enterprise headquarters gateway. The branch establishes an L2TP tunnel to headquarters by having AR1 auto-dial, so that the two sites can communicate.

The enterprise now wants the traffic carried over the L2TP tunnel protected against eavesdropping and tampering. This is achieved by configuring L2TP over IPSec, so that IPSec encrypts the business traffic exchanged between the branch and headquarters.

Configuration roadmap

1. Configure interface IP addresses and static routes to the peer so that the two ends are reachable.
2. Configure L2TP on AR1: the PPP user sends an access request to headquarters over the L2TP tunnel, and the tunnel is set up once headquarters authenticates the user.
3. Configure a route from AR1 to AR3 and enable AR1's auto-dial function.
4. Configure L2TP and the PPP user on AR3, together with a route to the public network.
5. Configure an ACL to define the data flows that IPSec must protect.
6. Configure an IPSec proposal to define how IPSec protects those flows.
7. Configure an IKE peer to define the attributes used during IKE negotiation between the peers.
8. Configure a security policy that references the ACL, the IPSec proposal and the IKE peer, thereby deciding which protection is applied to which flow.
9. Apply the security policy group on the interface so that the interface provides IPSec protection.

Procedure

Configure interface IP addresses and static routes to the peer

AR1

<Huawei>sys
[Huawei]sysname AR1
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]ip add 12.12.12.1 24
[AR1-GigabitEthernet0/0/0]q
[AR1]int g0/0/1
[AR1-GigabitEthernet0/0/1]ip add 10.1.1.1 24
[AR1-GigabitEthernet0/0/1]q
[AR1]ip route-static 23.23.23.0 24 12.12.12.2
AR2
<Huawei>sys
[Huawei]sysname AR2
[AR2]int g0/0/0
[AR2-GigabitEthernet0/0/0]ip add 12.12.12.2 24
[AR2-GigabitEthernet0/0/0]q
[AR2]int g0/0/1
[AR2-GigabitEthernet0/0/1]ip add 23.23.23.2 24
[AR2-GigabitEthernet0/0/1]q
[AR2]ip route-static 10.1.1.0 24 12.12.12.1
[AR2]ip route-static 10.1.3.0 24 23.23.23.3
AR3
<Huawei>sys
[Huawei]sysname AR3
# g0/0/1 is the public-facing interface toward AR2 (the prompts in the original had the interface names swapped)
[AR3]int g0/0/1
[AR3-GigabitEthernet0/0/1]ip add 23.23.23.3 24
[AR3-GigabitEthernet0/0/1]q
# g0/0/0 is the headquarters LAN interface
[AR3]int g0/0/0
[AR3-GigabitEthernet0/0/0]ip add 10.1.3.3 24
[AR3-GigabitEthernet0/0/0]q
[AR3]ip route-static 12.12.12.0 24 23.23.23.2
Configure L2TP

AR1
# Enable L2TP, create an L2TP group, and have it set up an L2TP connection to the LNS for the user named 20wl
[AR1]l2tp enable
[AR1]l2tp-group 1
# Specify the local tunnel name
[AR1-l2tp1]tunnel name ar1
[AR1-l2tp1]start l2tp ip 23.23.23.3 fullusername 20wl
# Enable tunnel authentication and set the tunnel authentication password
[AR1-l2tp1]tunnel authentication
[AR1-l2tp1]tunnel password cipher 20wl
[AR1-l2tp1]quit
# Configure the virtual PPP user's name and password, the PPP authentication mode and the IP address
[AR1]interface Virtual-Template1
[AR1-Virtual-Template1]ppp chap user 20wl
[AR1-Virtual-Template1]ppp chap password cipher 20wl
[AR1-Virtual-Template1]ip address ppp-negotiate
# Enable auto-dial so that the L2TP tunnel is established automatically
[AR1-Virtual-Template1]l2tp-auto-client enable
[AR1-Virtual-Template1]q
# Private route so that branch users can reach the headquarters private network (10.1.3.0/24 behind AR3 g0/0/0; the original wrote 10.1.2.0)
[AR1]ip route-static 10.1.3.0 255.255.255.0 virtual-template 1
AR3
# Configure AAA authentication: user name 20wl, password 20wl
[AR3]aaa
[AR3-aaa]local-user 20wl password cipher 20wl
# The service type must be set on the same user (the original wrote "huawei" here)
[AR3-aaa]local-user 20wl service-type ppp
[AR3-aaa]q
# Configure an IP address pool used to assign an address to the LAC's dial-up interface
[AR3]ip pool 1
[AR3-ip-pool-1]network 13.13.13.0 mask 24
[AR3-ip-pool-1]gateway-list 13.13.13.1
[AR3-ip-pool-1]quit
# Create the virtual interface template and configure PPP negotiation parameters
[AR3]int virtual-template 1
[AR3-Virtual-Template1]ppp authentication-mode chap
[AR3-Virtual-Template1]remote address pool 1
[AR3-Virtual-Template1]ip address 13.13.13.1 24
[AR3-Virtual-Template1]quit
# Enable the L2TP service and create an L2TP group
[AR3]l2tp enable
[AR3]l2tp-group 1
# Configure the local tunnel name and the tunnel name expected from AR1
[AR3-l2tp1]tunnel name ar3
[AR3-l2tp1]allow l2tp virtual-template 1 remote ar1
# Enable tunnel authentication and set the tunnel authentication password
[AR3-l2tp1]tunnel authentication
[AR3-l2tp1]tunnel password cipher 20wl
[AR3-l2tp1]quit
# Private route so that headquarters can reach the branch private network
[AR3]ip route-static 10.1.1.0 24 virtual-template 1
Configure ACLs to define the data flows each side protects

AR1
[AR1]acl number 3100
[AR1-acl-adv-3100]rule permit ip source 12.12.12.0 0.0.0.255 destination 23.23.23.0 0.0.0.255
[AR1-acl-adv-3100]q
AR3
[AR3]acl number 3100
[AR3-acl-adv-3100]rule permit ip source 23.23.23.0 0.0.0.255 destination 12.12.12.0 0.0.0.255
[AR3-acl-adv-3100]q
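To make the ACL step concrete, here is an added Python check (my example, not from the original post or from Huawei) that applies the two rules above to sample packets using Huawei wildcard-mask semantics and verifies that AR1's and AR3's rules are exact mirrors, which IKE needs in order to match the flows; the rule strings and sample addresses are taken from this configuration.

```python
import ipaddress
import re

# Advanced-ACL rules exactly as configured on AR1 and AR3 in this example
AR1_ACL = "rule permit ip source 12.12.12.0 0.0.0.255 destination 23.23.23.0 0.0.0.255"
AR3_ACL = "rule permit ip source 23.23.23.0 0.0.0.255 destination 12.12.12.0 0.0.0.255"

RULE_RE = re.compile(r"rule (permit|deny) ip source (\S+) (\S+) destination (\S+) (\S+)")


def parse_rule(text):
    """Split one 'rule <action> ip source A WC destination B WC' line into its parts."""
    m = RULE_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("unsupported ACL rule: %r" % text)
    action, src, swc, dst, dwc = m.groups()
    return {"action": action, "src": (src, swc), "dst": (dst, dwc)}


def wildcard_match(addr, base, wildcard):
    """Wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def acl_selects(rule, src, dst):
    """True if a packet src -> dst is selected for IPSec protection by this rule."""
    r = parse_rule(rule)
    return (r["action"] == "permit"
            and wildcard_match(src, *r["src"])
            and wildcard_match(dst, *r["dst"]))


def acls_mirrored(rule_a, rule_b):
    """The two peers' flows must mirror each other or IKE phase 2 will not match them."""
    a, b = parse_rule(rule_a), parse_rule(rule_b)
    return a["action"] == b["action"] and a["src"] == b["dst"] and a["dst"] == b["src"]


if __name__ == "__main__":
    # Outer L2TP/UDP header between the two tunnel endpoints: selected for protection
    print(acl_selects(AR1_ACL, "12.12.12.1", "23.23.23.3"))   # True
    # Private LAN addresses are not what the ACL sees: not selected
    print(acl_selects(AR1_ACL, "10.1.1.10", "10.1.3.10"))     # False
    print(acls_mirrored(AR1_ACL, AR3_ACL))                    # True
```

The second check illustrates why the ACL names the public addresses: by the time branch traffic reaches the IPSec policy on g0/0/0 it has already been wrapped in L2TP/UDP by Virtual-Template1, so the policy must select the 12.12.12.0/24 to 23.23.23.0/24 tunnel traffic, not the private subnets.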
Create IPSec proposals

AR1
[AR1]ipsec proposal 1
[AR1-ipsec-proposal-1]esp authentication-algorithm sha2-256
[AR1-ipsec-proposal-1]esp encryption-algorithm aes-128
[AR1-ipsec-proposal-1]q
AR3
[AR3]ipsec proposal 1
[AR3-ipsec-proposal-1]esp authentication-algorithm sha2-256
[AR3-ipsec-proposal-1]esp encryption-algorithm aes-128
[AR3-ipsec-proposal-1]q
Configure IKE peers

AR1
# Configure the IKE proposal
[AR1]ike proposal 1
[AR1-ike-proposal-1]encryption-algorithm aes-cbc-128
[AR1-ike-proposal-1]authentication-algorithm sha1
[AR1-ike-proposal-1]dh group14
[AR1-ike-proposal-1]q
# Configure the IKE peer; with the remaining settings at their defaults, set the pre-shared key and the peer address
[AR1]ike peer 1 v1
[AR1-ike-peer-1]ike-proposal 1
[AR1-ike-peer-1]pre-shared-key cipher 20wl
[AR1-ike-peer-1]remote-address 23.23.23.3
[AR1-ike-peer-1]q
AR3
# Configure the IKE proposal
[AR3]ike proposal 1
[AR3-ike-proposal-1]encryption-algorithm aes-cbc-128
[AR3-ike-proposal-1]authentication-algorithm sha1
[AR3-ike-proposal-1]dh group14
[AR3-ike-proposal-1]q
# Configure the IKE peer; with the remaining settings at their defaults, set the pre-shared key and the peer address
[AR3]ike peer 1 v1
[AR3-ike-peer-1]ike-proposal 1
[AR3-ike-peer-1]pre-shared-key cipher 20wl
[AR3-ike-peer-1]remote-address 12.12.12.1
[AR3-ike-peer-1]q
Create security policies

AR1
# Configure a security policy that uses IKE dynamic negotiation
[AR1]ipsec policy 1 1 isakmp
[AR1-ipsec-policy-isakmp-1-1]ike-peer 1
[AR1-ipsec-policy-isakmp-1-1]proposal 1
[AR1-ipsec-policy-isakmp-1-1]security acl 3100
[AR1-ipsec-policy-isakmp-1-1]q
AR3
# Configure a security policy that uses IKE dynamic negotiation
[AR3]ipsec policy 1 1 isakmp
[AR3-ipsec-policy-isakmp-1-1]ike-peer 1
[AR3-ipsec-policy-isakmp-1-1]proposal 1
[AR3-ipsec-policy-isakmp-1-1]security acl 3100
[AR3-ipsec-policy-isakmp-1-1]q
Apply the security policy group on the interfaces so that they provide IPSec protection

AR1
[AR1]interface g0/0/0
[AR1-GigabitEthernet0/0/0]ipsec policy 1
[AR1-GigabitEthernet0/0/0]q
AR3
[AR3]interface g0/0/1
[AR3-GigabitEthernet0/0/1]ipsec policy 1
[AR3-GigabitEthernet0/0/1]q
Verification

After the configuration succeeds, a ping from host PC1 to host PC2 goes through.

AR1

[AR1]display ipsec statistics esp
 Inpacket count            : 581
 Inpacket auth count       : 0
 Inpacket decap count      : 0
 Outpacket count           : 626
 Outpacket auth count      : 0
 Outpacket encap count     : 0
 Inpacket drop count       : 0
 Outpacket drop count      : 0
 BadAuthLen count          : 0
 AuthFail count            : 0
 InSAAclCheckFail count    : 0
 PktDuplicateDrop count    : 0
 PktSeqNoTooSmallDrop count: 0
 PktInSAMissDrop count     : 0
[AR1]display ike sa
    Conn-ID  Peer            VPN   Flag(s)                Phase
  ---------------------------------------------------------------
    2        23.23.23.3      0     RD|ST                  2
    1        23.23.23.3      0     RD|ST                  1

  Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
[AR1]display l2tp tunnel
 Total tunnel = 1
 LocalTID RemoteTID RemoteAddress    Port   Sessions RemoteName
 1        1         23.23.23.3       42246  1        1
# Total tunnel: number of L2TP tunnels established at the local end
# LocalTID: local ID of the L2TP tunnel
# RemoteTID: remote ID of the L2TP tunnel
# RemoteAddress: remote IP address of the L2TP tunnel
# Port: port number used by the remote end of the L2TP tunnel
# Sessions: number of sessions carried on the L2TP tunnel
# RemoteName: tunnel name of the remote end of the L2TP tunnel
AR3
[AR3]display ike sa
    Conn-ID  Peer            VPN   Flag(s)                Phase
  ---------------------------------------------------------------
    4        12.12.12.1      0     RD                     2
    2        12.12.12.1      0     RD                     1

  Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
[AR3]display l2tp tunnel
 Total tunnel = 1
 LocalTID RemoteTID RemoteAddress    Port   Sessions RemoteName
 1        1         12.12.12.1       42246  1        1
[AR3]

Tags: #l2tp tunnel