If you have started working you have most likely used a VPN (virtual private network) at some point. It is a genuinely useful thing: it lets you reach resources on the company intranet from outside. I am very fond of this technology at the moment, and its benefits go well beyond that one. The advantages of using a VPN are:

1. Lower enterprise costs. When a VPN is used for remote access only a local call charge is paid, saving expensive long-distance charges;

2. Leased-line fees, equipment purchases and network maintenance costs are greatly reduced, cutting the enterprise's operating expenses;

3. Internet access, the enterprise intranet, the extranet and remote access can all be consolidated onto one external link, instead of separately managing an Internet leased line, long-distance data circuits and other lines as before.

4. A VPN that encrypts its traffic protects data as it crosses the network. Note that this holds only for a VPN that actually encrypts, such as IPsec; plain GRE, the subject of this post, encapsulates but does not encrypt.

Protocols used to implement VPNs

1. Layer 2 protocols: PPTP, L2TP, L2F

2. Layer 3 protocols: GRE, IPsec

VPN classification

1. VPDN (dial-up VPN): PPTP, L2TP; host-to-network (user / remote-access VPN)

2. Leased-line (site-to-site) VPN: network-to-network (enterprise VPN)

In this post I first implement a VPN with the layer 3 protocol GRE; an IPsec VPN will follow in a later post.

Configuration tasks:

1. Create the tunnel interface

interface tunnel <number>

tunnel-protocol gre

source <tunnel source address>

destination <tunnel destination address>

ip address <address of this interface>

2. Routing

Dynamic (RIP runs over the tunnel and connects the tunnel subnet with the internal networks). The tunnel destination, i.e. the peer's public address, must be reachable over the physical path (here via the default route) and must never be learned through the tunnel itself, otherwise the tunnel routes into itself and flaps (recursive routing).

The lab topology is shown in Figure 1-1:

[Figure: GRE VPN lab topology]

Figure 1-1

Huawei implementation

Step 1: FW1 configuration

[fw1]dis cu

#

sysname fw1 //device name

#

firewall packet-filter enable

firewall packet-filter default permit //lab setting: traffic matching no rule is allowed; in production set the default to deny and permit explicitly

#

insulate

#

firewall statistic system enable

#

radius scheme system

server-type extended

#

domain system

#

local-user admin

password cipher .]@USE=B,53Q=^Q`MAF4<1!!

service-type telnet terminal

level 3

service-type ftp

#

interface Aux0

async mode flow

#

interface Ethernet0/0

ip address 192.168.101.254 255.255.255.0 //internal network gateway

#

interface Ethernet0/1

#

interface Ethernet0/2

#

interface Ethernet0/3

#

interface Ethernet0/4

ip address 61.130.130.1 255.255.255.252 //WAN interface address

#

interface Encrypt1/0

#

interface Tunnel10 //create tunnel 10; GRE is the default tunnel protocol, so tunnel-protocol gre is not shown in the running config

ip address 192.168.4.1 255.255.255.0

source 61.130.130.1 //tunnel source (this firewall's public address)

destination 61.130.132.1 //tunnel destination (the peer's public address)

#

interface NULL0

#

firewall zone local

set priority 100

#

firewall zone trust //internal interface joins the trust zone

add interface Ethernet0/0

set priority 85

#

firewall zone untrust //WAN interface joins the untrust zone

add interface Ethernet0/4

add interface Tunnel10 //the tunnel interface must belong to a zone as well; decapsulated traffic then crosses the untrust-trust interzone policy

set priority 5

#

firewall zone DMZ

set priority 50

#

firewall interzone local trust

#

firewall interzone local untrust

#

firewall interzone local DMZ

#

firewall interzone trust untrust

#

firewall interzone trust DMZ

#

firewall interzone DMZ untrust

#

rip //RIP advertises the internal subnet and the tunnel subnet; running over the tunnel, it lets each site learn the other's internal subnet

network 192.168.101.0

network 192.168.4.0

#

FTP server enable

#

ip route-static 0.0.0.0 0.0.0.0 61.130.130.2 preference 60 //default route to the Internet; this is what carries the outer GRE packets to the peer's public address

#

user-interface con 0

user-interface aux 0

user-interface vty 0 4

authentication-mode scheme

#

return

Step 2: FW2 configuration

The core configuration mirrors FW1's, with source and destination swapped.

[fw2]dis cu

#

sysname fw2

#

firewall packet-filter enable

firewall packet-filter default permit

#

insulate

#

firewall statistic system enable

#

radius scheme system

server-type extended

#

domain system

#

local-user admin

password cipher .]@USE=B,53Q=^Q`MAF4<1!!

service-type telnet terminal

level 3

service-type ftp

#

interface Aux0

async mode flow

#

interface Ethernet0/0

ip address 192.168.102.254 255.255.255.0

#

interface Ethernet0/1

#

interface Ethernet0/2

#

interface Ethernet0/3

#

interface Ethernet0/4

ip address 61.130.132.1 255.255.255.252

#

interface Encrypt1/0

#

interface Tunnel20

ip address 192.168.4.2 255.255.255.0

source 61.130.132.1

destination 61.130.130.1

#

interface NULL0

#

firewall zone local

set priority 100

#

firewall zone trust

add interface Ethernet0/0

set priority 85

#

firewall zone untrust

add interface Ethernet0/4

add interface Tunnel20

set priority 5

#

firewall zone DMZ

set priority 50

#

firewall interzone local trust

#

firewall interzone local untrust

#

firewall interzone local DMZ

#

firewall interzone trust untrust

#

firewall interzone trust DMZ

#

firewall interzone DMZ untrust

#

rip

network 192.168.4.0

network 192.168.102.0

#

FTP server enable

#

ip route-static 0.0.0.0 0.0.0.0 61.130.132.2 preference 60

#

user-interface con 0

user-interface aux 0

user-interface vty 0 4

authentication-mode scheme

#

return

Step 3: Layer 3 switch (ISP) configuration

<ISP>dis cu

#

sysname ISP

#

radius scheme system

server-type huawei

primary authentication 127.0.0.1 1645

primary accounting 127.0.0.1 1646

user-name-format without-domain

domain system

radius-scheme system

access-limit disable

state active

idle-cut disable

self-service-url disable

messenger time disable

domain default enable system

#

local-server nas-ip 127.0.0.1 key huawei

#

vlan 1

#

vlan 10

#

vlan 20

#

interface Vlan-interface10

ip address 61.130.130.2 255.255.255.252

#

interface Vlan-interface20

ip address 61.130.132.2 255.255.255.252

#

interface Aux0/0

#

interface Ethernet0/1

port access vlan 10

#

interface Ethernet0/2

port access vlan 20

#

interface NULL0

#

user-interface aux 0

user-interface vty 0 4

#

return

Step 4: Testing

Check the routing table on fw1, then on fw2. Each should list the other site's internal subnet (192.168.102.0/24 on fw1, 192.168.101.0/24 on fw2) as a RIP route whose outgoing interface is the Tunnel interface.

[screenshot: routing tables on fw1 and fw2]

From the headquarters side, ping the branch-side gateway:

[screenshot: ping result]

Next I also attach the configuration for Cisco devices. Here routers stand in for the firewalls, and the hosts are simulated with loopback interfaces.

The lab topology is shown in Figure 2-1:

[Figure: Cisco GRE lab topology]

Figure 2-1

Step 1: fw1 configuration

fw1#sho run

Building configuration...

Current configuration : 944 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname fw1

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 5

!

!

ip cef

no ip domain lookup

ip domain name lab.local

!

interface Loopback0

ip address 192.168.101.254 255.255.255.0

!

! tunnel mode gre ip is the default and is therefore not displayed
interface Tunnel10

ip address 192.168.4.1 255.255.255.0

tunnel source 61.130.130.1

tunnel destination 61.130.132.1

!

interface FastEthernet0/0

ip address 61.130.130.1 255.255.255.0

duplex auto

speed auto

!

router rip

network 192.168.4.0

network 192.168.101.0

!

no ip http server

no ip http secure-server

!

ip route 0.0.0.0 0.0.0.0 61.130.130.2

!

control-plane

!

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

line aux 0

exec-timeout 0 0

privilege level 15

logging synchronous

line vty 0 4

login
! no vty password is set: with 'login' and no 'password', IOS refuses telnet sessions ("Password required, but none set")

!

!

end

Step 2: fw2 configuration

fw2#sho run

Building configuration...

Current configuration : 944 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname fw2

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 5

!

!

ip cef

no ip domain lookup

ip domain name lab.local

!

interface Loopback0

ip address 192.168.102.254 255.255.255.0

!

interface Tunnel20

ip address 192.168.4.2 255.255.255.0

tunnel source 61.130.132.1

tunnel destination 61.130.130.1

!

interface FastEthernet0/0

ip address 61.130.132.1 255.255.255.0

duplex auto

speed auto

!

router rip

network 192.168.4.0

network 192.168.102.0

!

no ip http server

no ip http secure-server

!

ip route 0.0.0.0 0.0.0.0 61.130.132.2

!

!

!

!

control-plane

!

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

line aux 0

exec-timeout 0 0

privilege level 15

logging synchronous

line vty 0 4

login

!

!

end

Step 3: ISP configuration

The core configuration is just the IP addresses of the two interfaces:

interface FastEthernet0/0

ip address 61.130.130.2 255.255.255.0

duplex auto

speed auto

!

interface FastEthernet0/1

ip address 61.130.132.2 255.255.255.0

duplex auto

speed auto

Step 4: Testing

On fw1, ping fw2's loopback address 192.168.102.254:

[screenshot: ping from fw1]

Check fw1's routing table; 192.168.102.0/24 should appear as a RIP route via Tunnel10:

[screenshot: fw1 routing table]

On fw2, ping fw1's loopback address 192.168.101.254:

[screenshot: ping from fw2]

Check fw2's routing table; 192.168.101.0/24 should appear as a RIP route via Tunnel20:

[screenshot: fw2 routing table]
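Before the ping test it pays to cross-check the two ends mechanically. The following is an added example (my code, not from the original post or either vendor): a small Python checker that reads both ends' running configs, in either the Huawei/H3C syntax (`source`/`destination` under the Tunnel interface, `rip` + `network`) or the Cisco IOS syntax (`tunnel source`/`tunnel destination`, `router rip` + `network`), and reports the mistakes that most often leave a GRE tunnel showing "up" while passing no traffic: non-mirrored endpoints, tunnel addresses in different subnets, a tunnel subnet missing from RIP, and a peer advertising the tunnel destination over the tunnel (recursive routing). The embedded configs are excerpts of the post's Cisco fw1 and Huawei fw2; pairing one of each is only to exercise both parsers, GRE itself interoperates across vendors.

```python
import ipaddress
import re

# Excerpts of the post's running configs (Cisco fw1, Huawei fw2), trimmed to the lines
# the checker reads. Indentation and blank lines do not matter to the parser.
CISCO_FW1 = """
interface Tunnel10
 ip address 192.168.4.1 255.255.255.0
 tunnel source 61.130.130.1
 tunnel destination 61.130.132.1
!
router rip
 network 192.168.4.0
 network 192.168.101.0
!
"""
HUAWEI_FW2 = """
interface Tunnel20
ip address 192.168.4.2 255.255.255.0
source 61.130.132.1
destination 61.130.130.1
#
rip
network 192.168.4.0
network 192.168.102.0
#
"""

SECTION_START = re.compile(r"^(interface \S+|rip(?: \d+)?|router rip)$", re.IGNORECASE)


def classful(net: str) -> ipaddress.IPv4Network:
    """RIP 'network' statements are classful: 192.168.4.0 means 192.168.4.0/24."""
    first = int(net.split(".")[0])
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.IPv4Network(f"{net}/{prefix}", strict=False)


def parse_config(text: str) -> dict:
    """Return {'tunnels': {name: {ip, source, destination}}, 'rip_networks': [...]}."""
    tunnels, rip_nets, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("#", "!"):          # Huawei '#' and Cisco '!' both end a section
            section = None
            continue
        if SECTION_START.match(line):
            section = line.lower()
            if section.startswith("interface tunnel"):
                tunnels[section.split()[1]] = {"ip": None, "source": None, "destination": None}
            continue
        if section is None:
            continue
        w = line.split()
        if section.startswith("interface tunnel"):
            t = tunnels[section.split()[1]]
            if w[:2] == ["ip", "address"] and len(w) == 4:
                t["ip"] = ipaddress.IPv4Interface(f"{w[2]}/{w[3]}")
            elif w[0] == "tunnel" and len(w) == 3 and w[1] in ("source", "destination"):
                t[w[1]] = w[2]                       # Cisco IOS: "tunnel source X"
            elif w[0] in ("source", "destination") and len(w) == 2:
                t[w[0]] = w[1]                       # Huawei/H3C: "source X"
        elif section.split()[0] in ("rip", "router") and w[0] == "network" and len(w) == 2:
            rip_nets.append(classful(w[1]))
    return {"tunnels": tunnels, "rip_networks": rip_nets}


def check_pair(cfg_a: dict, cfg_b: dict) -> list:
    """Cross-check the first Tunnel interface of each side. Returns problem strings."""
    problems = [f"{lbl}: no Tunnel interface found" for lbl, c in (("A", cfg_a), ("B", cfg_b)) if not c["tunnels"]]
    if problems:
        return problems
    ta = next(iter(cfg_a["tunnels"].values()))
    tb = next(iter(cfg_b["tunnels"].values()))
    for lbl, t in (("A", ta), ("B", tb)):
        problems += [f"{lbl}: tunnel is missing '{f}'" for f in ("ip", "source", "destination") if t[f] is None]
    if problems:
        return problems
    # 1. endpoints must be mirrored: my destination is the peer's source and vice versa
    if ta["destination"] != tb["source"] or tb["destination"] != ta["source"]:
        problems.append("tunnel source/destination are not mirrored between the two ends")
    # 2. the two tunnel addresses must share one subnet, or RIP neighbours never form
    if ta["ip"].network != tb["ip"].network:
        problems.append(f"tunnel addresses {ta['ip']} and {tb['ip']} are in different subnets")
    sides = (("A", ta, cfg_a["rip_networks"], cfg_b["rip_networks"]),
             ("B", tb, cfg_b["rip_networks"], cfg_a["rip_networks"]))
    for lbl, t, own_nets, peer_nets in sides:
        # 3. the tunnel subnet must be in RIP, or the internal subnets are never exchanged
        if not any(t["ip"].network.subnet_of(n) for n in own_nets):
            problems.append(f"{lbl}: RIP does not cover tunnel subnet {t['ip'].network}")
        # 4. the peer must not advertise my tunnel destination over the tunnel, or the
        #    destination gets routed into the tunnel itself (recursive routing)
        dest = ipaddress.IPv4Address(t["destination"])
        if any(dest in n for n in peer_nets):
            problems.append(f"{lbl}: tunnel destination {dest} is advertised by the peer (recursive routing)")
    return problems


if __name__ == "__main__":
    issues = check_pair(parse_config(CISCO_FW1), parse_config(HUAWEI_FW2))
    print("OK" if not issues else "\n".join(issues))
```

Paste each end's `display current-configuration` / `show running-config` output into the two strings; an empty list means the tunnel pair is consistent and the remaining suspects are the physical path and the firewall policy.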

That completes all the tasks; the setup itself is simple. In practice, though, enterprises rarely use bare GRE as a VPN: GRE only encapsulates, it neither encrypts nor authenticates, so anyone on the path between the two public addresses can read the inner packets and can inject packets into the tunnel with a spoofed outer source address. This post was just a simple experiment; in a later post I will go through an IPsec VPN in detail, stay tuned.
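To make that point concrete, here is an added example (my code, not from the original post or any vendor): a minimal GRE-over-IPv4 encoder and decoder in Python. It builds the packet fw1 would put on the ISP link when a host behind it pings fw2's LAN gateway through Tunnel10, then parses it exactly as a passive observer on that link could, recovering every inner field, and shows that the only check a plain GRE endpoint makes is on the outer addresses. The public and LAN addresses are the ones from the post's lab; the host 192.168.101.10, the ICMP payload and the GRE key value are constructed for the example.

```python
import struct
import ipaddress

GRE_PROTO = 47            # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE "protocol type" for an IPv4 payload (RFC 2784)
ICMP_PROTO = 1


def ip_checksum(data: bytes) -> int:
    """One's-complement checksum over 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def icmp_echo(ident: int, seq: int, data: bytes) -> bytes:
    """ICMP echo request (type 8) with checksum."""
    msg = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    return msg[:2] + struct.pack("!H", ip_checksum(msg)) + msg[4:]


def gre_encapsulate(outer_src: str, outer_dst: str, inner_packet: bytes, key: int = None) -> bytes:
    """Wrap an inner IPv4 packet in GRE (RFC 2784, Key extension RFC 2890).
    The optional 32-bit Key is a cleartext tunnel identifier, not a secret."""
    flags = 0x2000 if key is not None else 0            # K bit
    gre = struct.pack("!HH", flags, ETHERTYPE_IPV4)
    if key is not None:
        gre += struct.pack("!I", key)
    gre += inner_packet
    return ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre)) + gre


def gre_decapsulate(wire: bytes) -> dict:
    """Parse outer IPv4 + GRE + inner IPv4 as any on-path observer can.
    Returns what an eavesdropper learns; raises ValueError on malformed input."""
    ihl = (wire[0] & 0x0F) * 4
    if wire[0] >> 4 != 4 or ihl < 20:
        raise ValueError("not IPv4")
    if wire[9] != GRE_PROTO:
        raise ValueError("outer protocol %d is not GRE" % wire[9])
    if ip_checksum(wire[:ihl]) != 0:
        raise ValueError("bad outer IP checksum")
    off = ihl
    flags, ptype = struct.unpack("!HH", wire[off:off + 4])
    off += 4
    if flags & 0x8000:                                  # C bit: Checksum + Reserved1
        off += 4
    key = None
    if flags & 0x2000:                                  # K bit: Key
        key = struct.unpack("!I", wire[off:off + 4])[0]
        off += 4
    if flags & 0x1000:                                  # S bit: Sequence Number
        off += 4
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE protocol type 0x%04x" % ptype)
    inner = wire[off:]
    inner_ihl = (inner[0] & 0x0F) * 4
    return {
        "outer_src": str(ipaddress.IPv4Address(wire[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(wire[16:20])),
        "key": key,
        "inner_src": str(ipaddress.IPv4Address(inner[12:16])),
        "inner_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "inner_proto": inner[9],
        "payload": inner[inner_ihl:],
    }


def accepted_by_tunnel(parsed: dict, local_source: str, remote_destination: str) -> bool:
    """The only check a plain GRE endpoint makes before handing the inner packet to
    the trusted side: the outer addresses match the configured tunnel source and
    destination. Nothing proves who sent it, so a spoofed outer source passes."""
    return parsed["outer_dst"] == local_source and parsed["outer_src"] == remote_destination


def lab_ping_packet() -> bytes:
    """Constructed: host 192.168.101.10 behind fw1 pings fw2's LAN gateway
    192.168.102.254; fw1 encapsulates with its Tunnel10 source/destination."""
    echo = icmp_echo(ident=0x1234, seq=1, data=b"hello from HQ")
    inner = ipv4_header("192.168.101.10", "192.168.102.254", ICMP_PROTO, len(echo)) + echo
    return gre_encapsulate("61.130.130.1", "61.130.132.1", inner, key=10)


if __name__ == "__main__":
    for field, value in gre_decapsulate(lab_ping_packet()).items():
        print(f"{field:12} {value!r}")
```

Everything `gre_decapsulate` returns, including the key and the ICMP payload, is read straight off the wire with no secret involved; that is the gap IPsec closes, by encrypting the inner packet (ESP) and authenticating its origin.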