Lab objective:

Use L2TP combined with IPsec to build a VPN: a remote client connects across the network to the head-office border router, authenticates, brings up the VPN tunnel, and communicates securely over it.

Lab topology:

[Topology figure: L2TP over IPsec (protected by IPsec transport mode)]

Configuration key points:

R1 and R2 are configured with IP addresses and OSPF, and R1 hands out addresses to the PC via DHCP. R3 is the head-office border router: it terminates L2TP (VPDN) on a virtual template, protects the L2TP traffic with an IPsec transport-mode crypto map that is bound to the tunnel through `l2tp security crypto-profile`, and also performs NAT for the internal host R4. Note that R3 authenticates IPsec peers with a wildcard pre-shared key (`address 0.0.0.0 0.0.0.0`), turns off L2TP tunnel authentication (so the IPsec SA is the only thing that authenticates the tunnel endpoint), and negotiates 3DES with MD5; these are lab settings, not choices for a production gateway.

R3 configuration:

! Enable VPDN so the router can accept L2TP tunnels (LNS role)
vpdn enable
!
vpdn-group l2tp
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 10
 ! Bind the L2TP tunnel to the IPsec crypto profile "pro" defined in the crypto map below
 l2tp security crypto-profile pro
 ! L2TP tunnel authentication is off: the IPsec SA is what authenticates the peer
 no l2tp tunnel authentication
!
! PPP/CHAP user for the client (plain-text password: lab only)
username cisco password 0 cisco
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
! Wildcard pre-shared key: any peer that knows "cisco" can bring up IKE
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
! Transport mode: IPsec protects the L2TP (UDP 1701) packets between the client and R3 directly
crypto ipsec transform-set l2tp esp-3des esp-md5-hmac
 mode transport
!
! "profile pro" ties this crypto map entry to the l2tp security crypto-profile above
crypto map l2tpmap 10 ipsec-isakmp profile pro
 set transform-set l2tp
!
interface FastEthernet0/0
 ip address 192.168.34.3 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 192.168.23.3 255.255.255.0
 ip nat outside
 crypto map l2tpmap
!
! Cloned for each L2TP session; clients get an address from the pool and a DNS server via IPCP
interface Virtual-Template10
 ip unnumbered FastEthernet0/1
 peer default ip address pool v2tppool
 ppp authentication chap
 ppp ipcp dns 8.8.8.8
!
ip local pool v2tppool 172.16.0.100 172.16.0.110
ip route 0.0.0.0 0.0.0.0 192.168.23.2
! PAT for the internal LAN (R4) out of Fa0/1
ip nat inside source list 10 interface FastEthernet0/1 overload
access-list 10 permit 192.168.34.0 0.0.0.255
R4 configuration:
! R4 acts as a plain host: routing is disabled and its default gateway is R3
no ip routing

interface FastEthernet0/0
 ip address 192.168.34.4 255.255.255.0

ip default-gateway 192.168.34.3
R2 configuration:
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0

interface FastEthernet0/1
 ip address 192.168.23.2 255.255.255.0

router ospf 100
 router-id 2.2.2.2
 log-adjacency-changes
 network 192.168.12.0 0.0.0.255 area 0
 network 192.168.23.0 0.0.0.255 area 0
 default-information originate always

ip route 0.0.0.0 0.0.0.0 192.168.23.3
R1 configuration:
ip dhcp excluded-address 192.168.20.1
ip dhcp excluded-address 192.168.20.254
!
ip dhcp pool vpnpool
   network 192.168.20.0 255.255.255.0
   default-router 192.168.20.1
   dns-server 192.168.20.254
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0

interface FastEthernet0/1
 ip address 192.168.20.1 255.255.255.0

router ospf 100
 router-id 1.1.1.1
 log-adjacency-changes
 network 192.168.12.0 0.0.0.255 area 0
 network 192.168.20.0 0.0.0.255 area 0

Client configuration (shown in the screenshots below):

[Screenshot 02: L2TP over IPsec client configuration]

[Screenshot 03: L2TP over IPsec client configuration]

[Screenshot 04: L2TP over IPsec client configuration]

[Screenshot 05: L2TP over IPsec client configuration]

[Screenshot 06: L2TP over IPsec client configuration]

After the connection has been created, a few more settings have to be changed on it:

[Screenshot 07: L2TP over IPsec client connection settings]

[Screenshot 08: L2TP over IPsec client connection settings]

[Screenshot 09: L2TP over IPsec client connection settings]

[Screenshot 10: L2TP over IPsec client connection settings]

[Screenshot 11: L2TP over IPsec client connection settings]

Split tunneling:

Before split tunneling (all of the client's traffic, Internet traffic included, is forced through the tunnel):

[Screenshot 12: client connectivity before split tunneling]

Fix:

[Screenshot 13: client setting that enables split tunneling]

After split tunneling:

[Screenshot 14: client connectivity after split tunneling]

With that change the client can reach the Internet directly while the tunnel stays up.
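The same client-side procedure as a script, added here as an example; it is not part of the original lab, whose client side exists only as screenshots. It assumes the client is a Windows PC on R1's 192.168.20.0/24 LAN using the built-in VPN client through the VpnClient PowerShell module (Windows 8.1 or later), that the connection is named HQ-L2TP, and that the head-office LAN behind R3 is R4's 192.168.34.0/24. The server address, pre-shared key and CHAP credentials are the ones in R3's configuration above. It first creates the connection the way the screenshots do, then applies the split-tunneling fix and adds the route that split tunneling removes.

```powershell
# Added example (not from the original lab page): build the L2TP/IPsec
# connection with the VpnClient cmdlets, then enable split tunneling.
# Assumed values: connection name "HQ-L2TP" and the head-office LAN
# 192.168.34.0/24 (R4's subnet). Server, PSK and CHAP user come from R3.

$ConnName = 'HQ-L2TP'
$Server   = '192.168.23.3'      # R3 Fa0/1, where "crypto map l2tpmap" is applied
$Psk      = 'cisco'             # "crypto isakmp key cisco address 0.0.0.0 0.0.0.0" on R3
$HqLan    = '192.168.34.0/24'   # assumed: R4's LAN behind R3

# Step 1: the connection itself. TunnelType L2tp plus L2tpPsk selects
# L2TP/IPsec with pre-shared-key authentication; CHAP matches
# "ppp authentication chap" on Virtual-Template10. Start from a clean slate.
if (Get-VpnConnection -Name $ConnName -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $ConnName -Force
}
Add-VpnConnection -Name $ConnName `
                  -ServerAddress $Server `
                  -TunnelType L2tp `
                  -L2tpPsk $Psk `
                  -AuthenticationMethod Chap `
                  -EncryptionLevel Required `
                  -RememberCredential `
                  -Force

# Step 2: split tunneling. As created above, Windows installs a default
# route over the PPP link once connected ("Use default gateway on remote
# network"), which is why the "before" screenshot has no Internet access.
# With SplitTunneling on, only routes declared for the connection use it.
Set-VpnConnection -Name $ConnName -SplitTunneling $true

# Step 3: once the tunnel only carries declared routes, tell Windows which
# prefix lives behind R3; otherwise only the class-based route for the
# assigned 172.16.0.x address would be installed and R4 would be unreachable.
Add-VpnConnectionRoute -ConnectionName $ConnName -DestinationPrefix $HqLan

# Step 4: dial with the lab CHAP credentials (username cisco / password
# cisco from R3) and verify the result: tunnel up, split tunneling on,
# a route to the HQ LAN on the PPP interface, and R4 answering.
rasdial $ConnName cisco cisco
Get-VpnConnection -Name $ConnName |
    Select-Object Name, ConnectionStatus, TunnelType, SplitTunneling
Get-NetRoute -InterfaceAlias $ConnName -AddressFamily IPv4 |
    Select-Object DestinationPrefix, NextHop, RouteMetric
Test-NetConnection -ComputerName 192.168.34.4 -InformationLevel Quiet
```

Run it in an elevated PowerShell session. The route table printed after dialing should show 192.168.34.0/24 on the HQ-L2TP interface and no 0.0.0.0/0 entry on it, which is the state the "after split tunneling" screenshot illustrates: head-office traffic through the tunnel, everything else via the PC's normal gateway on R1.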