PPP over Ethernet with VPN
Author: Lê Anh Đức

PPP over Ethernet combined with VPN

Description:

[Figure: lab topology]

In the topology above, R3 acts as the PPPoE client and R1 as the PPPoE server, which connects to the networks on the Internet; the router named ISP emulates the ISP. Router R2 is the branch router and performs NAT so that the private network can reach the Internet.

Note: routers R3 and R1 are 2600-series routers running IOS version 12.2 or later.

In addition, we will build a private tunnel between R3 and R2 so that traffic between the internal LANs of the two branches uses it to communicate across the Internet.

Configuration:

R1

version 12.2
hostname R1
vpdn enable
vpdn-group 1
 accept-dialin
  protocol pppoe
  virtual-template 1
voice call carrier capacity active
mta receive maximum-recipients 0
interface Loopback1
 ip address 203.162.3.2 255.255.255.255
interface Ethernet0/0
 no ip address
 half-duplex
 pppoe enable
interface Serial0/0
 ip address 203.20.20.2 255.255.255.252
 no fair-queue
interface Virtual-Template1
 ip unnumbered Loopback1
ip classless
ip route 0.0.0.0 0.0.0.0 203.20.20.1
ip http server
call rsvp-sync
mgcp profile default
dial-peer cor custom
line con 0
line aux 0
line vty 0 4
end

R2

Building configuration
Current configuration : 1290 bytes
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R2
memory-size iomem 10
ip subnet-zero
crypto isakmp policy 10                        <- create the authentication policy for the VPN (must match on both sides)
 hash md5
 authentication pre-share
crypto isakmp key cisco address 203.162.3.1    <- create the key used for authentication
crypto ipsec transform-set vnpro esp-des       <- create the encryption policy for the traffic flow inside the tunnel
crypto map lee 10 ipsec-isakmp                 <- create the crypto map that matches the traffic
 set peer 203.162.3.1
 set transform-set vnpro
 match address 120
voice call carrier capacity active
mta receive maximum-recipients 0
interface Ethernet0/0
 ip address 10.10.2.1 255.255.255.0
 ip nat inside
 half-duplex
interface Serial0/0
 ip address 203.30.30.2 255.255.255.252
 ip nat outside
 no fair-queue
 crypto map lee                                <- apply the crypto map to interface S0/0
interface Serial0/1
 no ip address
 shutdown
ip nat inside source route-map nonat interface Serial0/0 overload    <- create the NAT
ip classless
ip route 0.0.0.0 0.0.0.0 203.30.30.1
ip http server
access-list 120 permit ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255    <- define the traffic to be encrypted
access-list 130 deny ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255      <- exempt the tunnel traffic from NAT
access-list 130 permit ip any any
route-map nonat permit 10
 match ip address 130
call rsvp-sync
mgcp profile default
dial-peer cor custom
line con 0
line aux 0
line vty 0 4
end

R3

Building configuration
*Mar 1 01:25:49.913: %SYS-5-CONFIG_I: Configured from console by console
Current configuration : 1523 bytes
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R3
memory-size iomem 10
ip subnet-zero
vpdn enable                                    <- enable PPPoE
vpdn-group 1                                   <- create the vpdn group used to talk to the server
 request-dialin                                <- identify this router as a PPPoE client
  protocol pppoe
crypto isakmp policy 10                        <- create the authentication policy
 hash md5
 authentication pre-share
crypto isakmp key cisco address 203.30.30.2    <- create the key used for authentication
crypto ipsec transform-set vnpro esp-des       <- define the encryption algorithm for the traffic inside the tunnel
crypto map lee 10 ipsec-isakmp                 <- create the crypto map that defines which traffic is encrypted
 set peer 203.30.30.2
 set transform-set vnpro
 match address 120
voice call carrier capacity active
mta receive maximum-recipients 0
interface Loopback0
 ip address 10.10.1.1 255.255.255.0
 ip nat inside
interface Ethernet0/0
 no ip address
 half-duplex
 pppoe enable                                  <- enable PPPoE on the interface facing the server
 pppoe-client dial-pool-number 1               <- use the Dialer to talk to the PPPoE server
interface Serial0/0
 no ip address
 shutdown
 no fair-queue
interface Dialer1                              <- build the Dialer interface
 mtu 1492
 ip address 203.162.3.1 255.255.255.0
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 crypto map lee                                <- apply the crypto map to this interface
ip nat inside source route-map nonat interface Dialer1 overload      <- use PAT
ip classless
ip route 0.0.0.0 0.0.0.0 203.162.3.2
ip http server
access-list 120 permit ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255    <- define the traffic to be protected
access-list 130 deny ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255      <- exempt the tunnel traffic from NAT
access-list 130 permit ip any any
dialer-list 1 protocol ip permit
route-map nonat permit 10
 match ip address 130
call rsvp-sync
mgcp profile default
dial-peer cor custom
line con 0
line aux 0
line vty 0 4
end

ISP

Building configuration
01:17:31: %SYS-5-CONFIG_I: Configured from console by console
Current configuration:
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname ISP
ip subnet-zero
interface Ethernet0
 no ip address
 no ip directed-broadcast
 shutdown
interface Serial0
 ip address 203.20.20.1 255.255.255.252
 no ip directed-broadcast
 no ip mroute-cache
 no fair-queue
 clockrate 64000
interface Serial1
 ip address 203.30.30.1 255.255.255.252
 no ip directed-broadcast
 clockrate 64000
ip classless
ip route 10.10.1.0 255.255.255.0 203.20.20.2   <- the ISP uses static routing
ip route 10.10.2.0 255.255.255.0 203.30.30.2
ip route 203.162.0.0 255.255.0.0 203.20.20.2
line con 0
 transport input none

Checking the PPPoE session on R1:

PPPoE Tunnel and Session Information Total tunnels 1 sessions 1
PPPoE Tunnel Information
VPDN group: 1
Session count: 1
PPPoE Session Information
SID  RemMAC          LocMAC          Intf  VASt  OIntf  VLAN/ VP/VC
1    0005.5e96.2cc0  0004.c052.7ce0  Vi1   UP    Et0/0

R1#debug vpdn pppoe-data
PPPoE data packets debugging is on
R1#

When the client pings out, the following debug output appears on the server:

*Mar 1 00:56:26.538: PPPoE 1: O L:0004.c052.7ce0 R:0005.5e96.2cc0 Et0/0 FF 03 C0 21 09 6C 00 0C 04 E2 EC A9 00 00 00 CD
*Mar 1 00:56:26.538: PPPoE 1: I L:0004.c052.7ce0 R:0005.5e96.2cc0 Et0/0 C0 21 0A 6C 00 0C 05 82 38 4E 00 00 00 CD
*Mar 1 00:56:27.027: PPPoE 1: I L:0004.c052.7ce0 R:0005.5e96.2cc0 Et0/0 C0 21 09 6C 00 0C 05 82 38 4E 00 00 00 00
*Mar 1 00:56:27.027: PPPoE 1: O L:0004.c052.7ce0 R:0005.5e96.2cc0 Et0/0 FF 03 C0 21 0A 6C 00 0C 04 E2 EC A9 00 00 00 00
*Mar 1 00:56:27.223: PPPoE 1: I L:0004.c052.7ce0 R:0005.5e96.2cc0 Et0/0 00 21 45 00 00 64 00 2C 00 00 FE 01 0E B3 CB A2 03 01 CB 14 14 02 08 00 A8 FA 10 25 0F D8 00 00 00 00 00 34 B5 1E AB CD AB CD AB CD AB CD AB
*Mar 1 00:56:27.223: PPPoE 1: O L:0004.c052.7ce0 R:0005.5e96.2cc0 Et0/0 00 05 5E 96 2C C0 00 04 C0 52 7C E0 88 64 11 00 00 01 00 66 00 21 45 00 00 64 00 2C 00 00 FF 01 0D B3 CB 14 14 02 CB A2 03 01 00 00 B0 FA 10
*Mar 1 00:56:27.231: PPPoE 1: I L:0004.c052.7ce0 R:0005.5e96.2cc0 Et0/0 00 21 45 00 00 64 00 2D 00 00 FE 01 0E B2 CB A2 03 01 CB 14 14 02 08 00 A8 F1 10 26 0F D8 00 00 00 00 00 34 B5 26 AB CD AB CD AB CD AB CD AB
*Mar 1 00:56:27.231: PPPoE 1: O L:0004.c052.7ce0 R:0005.5e96.2cc0 Et0/0 00 05 5E 96 2C C0 00 04 C0 52 7C E0 88 64 11 00 00 01 00 66 00 21 45 00 00 64 00 2D 00 00 FF 01 0D B2 CB 14 14 02 CB A2 03 01 00 00 B0 F1 10
*Mar 1 00:56:27.239: PPPoE 1: I L:0004.c052.7ce0 R:0005.5e96.2cc0 Et0/0 00 21 45 00 00 64 00 2E 00 00 FE 01 0E B1 CB A2 03 01 CB 14 14 02 08 00 A8 E8 10 27 0F D8 00 00 00 00 00 34 B5 2E AB CD AB CD AB CD AB CD AB
*Mar 1 00:56:27.239: PPPoE 1: O L:0004.c052.7ce0 R:0005.5e96.2cc0 Et0/0 00 05 5E 96 2C C0 00 04 C0 52 7C E0 88 64 11 00 00 01 00 66 00 21 45 00 00 64 00 2E 00 00 FF 01 0D B1 CB 14 14 02 CB A2 03 01 00 00 B0 E8 10
*Mar 1 00:56:27.247: PPPoE 1: I L:0004.c052.7ce0 R:0005.5e96.2cc0 Et0/0 00 21 45 00 00 64 00 2F 00 00 FE 01 0E B0 CB A2 03 01 CB 14 14 02 08 00 A8 DF 10 28 0F D8 00 00 00 00 00 34 B5 36 AB CD AB CD AB CD AB CD AB
*Mar 1 00:56:27.247: PPPoE 1: O L:0004.c052.7ce0 R:0005.5e96.2cc0 Et0/0 00 05 5E 96 2C C0 00 04 C0 52 7C E0 88 64 11 00 00 01 00 66 00 21 45 00 00 64 00 2F 00 00 FF 01 0D B0 CB 14 14 02 CB A2 03 01 00 00 B0 DF 10
*Mar 1 00:56:27.255: PPPoE 1: I L:0004.c052.7ce0 R:0005.5e96.2cc0 Et0/0 00 21 45 00 00 64 00 30 00 00 FE 01 0E AF CB A2 03 01 CB 14 14 02 08 00 A8 D6 10 29 0F D8 00 00 00 00 00 34 B5 3E AB CD AB CD AB CD AB CD AB
*Mar 1 00:56:27.255: PPPoE 1: O L:0004.c052.7ce0 R:0005.5e96.2cc0 Et0/0 00 05 5E 96 2C C0 00 04 C0 52 7C E0 88 64 11 00 00 01 00 66 00 21 45 00 00 64 00 30 00 00 FF 01 0D AF CB 14 14 02 CB A2 03 01 00 00 B0 D6 10

Note: remember to test the VPN beforehand (if you want to debug it), because otherwise the tunnel will already have been created and you will not be able to watch the events as they happen.
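The debug lines above are raw bytes. The following added example (not part of the original lab) decodes them to show what the server saw: LCP Echo-Request/Echo-Reply keepalives, then ICMP echo traffic between 203.162.3.1 (R3's Dialer1) and 203.20.20.2 (R1's Serial0/0). It assumes the layouts visible in the dump: inbound (I) lines begin at the PPP protocol field, outbound (O) control lines begin with the PPP address/control bytes FF 03, and outbound data lines carry the whole Ethernet frame with EtherType 0x8864.

```python
# Added example, not from the original lab. Assumed line layouts (read off the dump):
#   I lines  : PPP protocol field, then payload
#   O control: FF 03 (PPP address/control), PPP protocol, then LCP
#   O data   : dst MAC, src MAC, 0x8864, 6-byte PPPoE header, PPP protocol, payload
import re
import struct

LINE_RE = re.compile(r"PPPoE \d+: ([IO]) L:(\S+) R:(\S+) (\S+) ((?:[0-9A-F]{2}\s?)+)")
LCP_CODES = {9: "Echo-Request", 10: "Echo-Reply"}
ICMP_TYPES = {0: "Echo-Reply", 8: "Echo-Request"}


def decode(line):
    """Describe one 'debug vpdn pppoe-data' line; None if the line is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    direction, hexdump = m.group(1), m.group(5)
    raw = bytes.fromhex("".join(hexdump.split()))
    info = {"dir": direction, "session": None}
    if direction == "O" and len(raw) >= 20 and raw[12:14] == b"\x88\x64":
        # Whole frame: 14-byte Ethernet header, then the PPPoE header
        # (ver/type 0x11, code 0x00, 2-byte session id, 2-byte payload length)
        info["session"] = struct.unpack("!H", raw[16:18])[0]
        raw = raw[20:]
    elif raw[:2] == b"\xff\x03":
        raw = raw[2:]  # PPP address/control bytes precede LCP on the O control lines
    proto = struct.unpack("!H", raw[:2])[0]
    payload = raw[2:]
    if proto == 0xC021:  # LCP: code, identifier, length, magic number, data
        code, ident = payload[0], payload[1]
        info.update(proto="LCP", lcp=LCP_CODES.get(code, f"code {code}"), id=ident)
    elif proto == 0x0021 and len(payload) >= 20:  # IPv4 datagram inside PPP
        ihl = (payload[0] & 0x0F) * 4
        info.update(proto="IPv4", ttl=payload[8], ipproto=payload[9],
                    src=".".join(str(b) for b in payload[12:16]),
                    dst=".".join(str(b) for b in payload[16:20]))
        if payload[9] == 1 and len(payload) > ihl:  # ICMP type is the first byte after the IP header
            info["icmp"] = ICMP_TYPES.get(payload[ihl], f"type {payload[ihl]}")
    else:
        info["proto"] = f"0x{proto:04x}"
    return info


# Constructed input: three lines copied from the debug output above
SAMPLE = [
    "*Mar 1 00:56:26.538: PPPoE 1: O L:0004.c052.7ce0 R:0005.5e96.2cc0 Et0/0 FF 03 C0 21 09 6C 00 0C 04 E2 EC A9 00 00 00 CD",
    "*Mar 1 00:56:27.223: PPPoE 1: I L:0004.c052.7ce0 R:0005.5e96.2cc0 Et0/0 00 21 45 00 00 64 00 2C 00 00 FE 01 0E B3 CB A2 03 01 CB 14 14 02 08 00 A8 FA 10 25 0F D8 00 00 00 00 00 34 B5 1E AB CD AB CD AB CD AB CD AB",
    "*Mar 1 00:56:27.223: PPPoE 1: O L:0004.c052.7ce0 R:0005.5e96.2cc0 Et0/0 00 05 5E 96 2C C0 00 04 C0 52 7C E0 88 64 11 00 00 01 00 66 00 21 45 00 00 64 00 2C 00 00 FF 01 0D B3 CB 14 14 02 CB A2 03 01 00 00 B0 FA 10",
]
```

The decoded packets are plain ICMP (IP protocol 1), not ESP: this ping runs from the Dialer address to R1's serial interface, so it does not match ACL 120 and is correctly sent outside the tunnel.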
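The R2 and R3 configurations above depend on two ACL relationships: ACL 130 must deny the LAN-to-LAN flow before its permit any any, so that route-map nonat leaves that flow untranslated and it still matches ACL 120, and the two peers' ACL 120 entries must mirror each other. This added example (not from the original lab) checks both on the ACL lines taken from the page; the ACL numbers are the page's, and R2_BROKEN is a constructed variant with the NAT-exemption deny left out.

```python
# Added example, not from the original lab. Models only the ACL forms used on this
# page: "access-list N permit|deny ip SRC WILDCARD DST WILDCARD" with "any" allowed.
import re

ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) ip (any|\S+ \S+) (any|\S+ \S+)$")


def parse_acls(cfg):
    """Map ACL number -> ordered list of (action, src, dst); src/dst are 'net wildcard' or 'any'."""
    acls = {}
    for line in cfg.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.setdefault(int(m.group(1)), []).append(m.groups()[1:])
    return acls


def first_match(entries, src, dst):
    """Action of the first entry matching the flow; the implicit deny applies if none does."""
    for action, esrc, edst in entries:
        if esrc in (src, "any") and edst in (dst, "any"):
            return action
    return "deny"


def protected_flows(cfg, crypto_acl=120):
    """(src, dst) pairs the crypto ACL permits, i.e. what the crypto map should encrypt."""
    return {(s, d) for a, s, d in parse_acls(cfg).get(crypto_acl, []) if a == "permit"}


def unexempted(cfg, crypto_acl=120, nat_acl=130):
    """Protected flows the NAT route-map ACL still permits, so they get translated and leave in the clear."""
    nat = parse_acls(cfg).get(nat_acl, [])
    return sorted(f for f in protected_flows(cfg, crypto_acl) if first_match(nat, *f) == "permit")


def mirrored(cfg_a, cfg_b, crypto_acl=120):
    """True if every protected flow on A appears with src and dst swapped on B, and only those."""
    return {(d, s) for s, d in protected_flows(cfg_a, crypto_acl)} == protected_flows(cfg_b, crypto_acl)


# Constructed inputs: the ACL lines from R3 and R2 above, plus a broken R2 variant
R3 = """access-list 120 permit ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 130 deny ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 130 permit ip any any"""
R2 = """access-list 120 permit ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 130 deny ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 130 permit ip any any"""
R2_BROKEN = """access-list 120 permit ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 130 permit ip any any"""
```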