L2TP over IPsec VPN configuration
Network topology diagram:
Before configuring the VPN, make sure that Winserver15 can ping the IP address on the ASA's eth0 interface.
ASA configuration:
Configure the IKE policy:
crypto ikev1 policy 10 //configure the IKEv1 policy
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
Configure the address pool (pool name: l2tp):
ip local pool l2tp 172.16.10.113-172.16.10.127 (address range) //configure the address pool named l2tp
Configure the tunnel group (L2TP uses the default tunnel group DefaultRAGroup):
tunnel-group DefaultRAGroup general-attributes
address-pool l2tp //bind the address pool
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key cisco //pre-shared key
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2 //Windows supports MS-CHAP-v2
Configure the transform-set:
crypto ipsec ikev1 transform-set trans esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set trans mode transport (the default is tunnel mode; L2TP must use transport mode)
Configure the dynamic-map (binds the transform-set above):
crypto dynamic-map dy 1001 set ikev1 transform-set trans
Configure the crypto map (binds the dynamic-map above):
crypto map map 1001 ipsec-isakmp dynamic dy
Apply the crypto map on the interface:
crypto ikev1 enable outside
crypto map map interface outside
Create the VPN user:
username chen password chen mschap
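As an added example (not part of the original page), a small Python lint that reads the ASA lines above as one running-config text, verifies the L2TP/IPsec reference chain (transport-mode transform-set, dynamic-map, crypto map, interface, `crypto ikev1 enable`) and flags legacy IKEv1 choices; the "legacy" value list and the 16-character pre-shared-key threshold are the example's own assumptions.

```python
import re
# Constructed sample: the crypto-related ASA lines from this page, joined into one running-config text.
PAGE_CONFIG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key cisco
crypto ipsec ikev1 transform-set trans esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set trans mode transport
crypto dynamic-map dy 1001 set ikev1 transform-set trans
crypto map map 1001 ipsec-isakmp dynamic dy
crypto ikev1 enable outside
crypto map map interface outside
"""
# Legacy IKEv1 values this lint flags (assumed policy; hash is not scored because ASA IKEv1 offers only md5/sha).
WEAK = {"encryption": {"des", "3des"}, "group": {"1", "2", "5"}}

def lint_asa_l2tp(config: str) -> list[str]:
    """Return findings: gaps in the L2TP/IPsec reference chain and legacy IKEv1 settings."""
    text = "\n".join(l.strip() for l in config.splitlines() if l.strip())
    find = lambda pat: re.findall(pat, text, re.M)
    out = []
    # Reference chain: transport-mode transform-set -> dynamic-map -> crypto map -> interface.
    transport = set(find(r"^crypto ipsec ikev1 transform-set (\S+) mode transport$"))
    dyn = dict(find(r"^crypto dynamic-map (\S+) \d+ set ikev1 transform-set (\S+)$"))
    cmap = dict(find(r"^crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)$"))
    enabled = set(find(r"^crypto ikev1 enable (\S+)$"))
    for dmap, ts in dyn.items():
        if ts not in transport:
            out.append(f"dynamic-map {dmap}: transform-set {ts} is not in transport mode (L2TP needs it)")
    for name, dmap in cmap.items():
        if dmap not in dyn:
            out.append(f"crypto map {name}: dynamic-map {dmap} is not defined")
    for name, intf in find(r"^crypto map (\S+) interface (\S+)$"):
        if name not in cmap:
            out.append(f"interface {intf}: crypto map {name} has no dynamic entry")
        if intf not in enabled:
            out.append(f"interface {intf}: 'crypto ikev1 enable {intf}' is missing")
    # Legacy algorithm choices and a short pre-shared key (16 characters is an assumed threshold).
    for attr, value in find(r"^(encryption|group) (\S+)$"):
        if value in WEAK[attr]:
            out.append(f"ikev1 policy: legacy {attr} {value}")
    for key in find(r"^ikev1 pre-shared-key (\S+)$"):
        if len(key) < 16:
            out.append("tunnel-group: pre-shared key is shorter than 16 characters")
    return out
```

Running `lint_asa_l2tp(PAGE_CONFIG)` reports the 3DES encryption, DH group 2 and the short pre-shared key, while the reference chain itself checks out.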