R2(config-isakmp)#hash md5
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#exit
R2(config)#crypto isakmp key cisco address 203.162.3.1
R2(config)#crypto ipsec transform-set vnpro esp-des
R2(cfg-crypto-trans)#exit
R2(config)#crypto map lee 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R2(config-crypto-map)#set peer 203.162.3.1
R2(config-crypto-map)#set transform-set vnpro
R2(config-crypto-map)#match address 120
R2(config-crypto-map)#exit
R2(config)#int s0/0
R2(config-if)#crypto map lee
R2(config)#ip nat inside source route-map nonat interface s0/0 overload
R2(config)#access-list 120 permit ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255
R2(config)#access-list 130 deny ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255
R2(config)#access-list 130 permit ip any any
R2(config)#route-map nonat
R2(config-route-map)#match ip address 130

R3:
R3(config)#crypto isakmp policy 10
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#hash md5
R3(config-isakmp)#exit
R3(config)#crypto isakmp key cisco address 203.30.30.2
R3(config)#crypto ipsec transform-set vnpro esp-des
R3(cfg-crypto-trans)#exit
R3(config)#crypto map lee 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R3(config-crypto-map)#set peer 203.30.30.2
R3(config-crypto-map)#set transform-set vnpro
R3(config-crypto-map)#match address 120
R3(config-crypto-map)#exit
R3(config)#int dialer 1
R3(config-if)#crypto map lee
R3(config)#ip nat inside source route-map nonat interface dialer 1 overload
R3(config)#access-list 120 permit ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
R3(config)#access-list 130 deny ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
R3(config)#access-list 130 permit ip any any
R3(config)#route-map nonat
R3(config-route-map)#match ip address 130

Verification:

1. Verify the VPN: use the show commands to view the VPN information:

R3:
R3#sh crypto map
Crypto Map "lee" 10 ipsec-isakmp
        Peer = 203.30.30.2
        Extended IP access list 120
            access-list 120 permit ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
        Current peer: 203.30.30.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ vnpro, }
        Interfaces using crypto map lee:
                Virtual-Access1
                Dialer1

R3#sh crypto isakmp policy
Protection suite of priority 10
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

R3#sh crypto ipsec transform-set
Transform set vnpro: { esp-des }
   will negotiate = { Tunnel, },

R2:
R2#sh crypto isakmp policy
Protection suite of priority 10
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

R2#sh crypto ipsec transform-set
Transform set vnpro: { esp-des }
   will negotiate = { Tunnel, },

R2#sh crypto map
Crypto Map "lee" 10 ipsec-isakmp
        Peer = 203.162.3.1
        Extended IP access list 120
            access-list 120 permit ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255
        Current peer: 203.162.3.1
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ vnpro, }
        Interfaces using crypto map lee:
                Serial0/0
                Tunnel0

2. Verify PPPoE: use the show and debug commands to see how the connection is established and how data is exchanged between the client and the server:

R3#sh int
Ethernet0/0 is up, line protocol is up
  Hardware is AmdP2, address is 0005.5e96.2cc0 (bia 0005.5e96.2cc0)
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 192/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:41, output 00:00:05, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue :0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     47 packets input, 4752 bytes, 0 no buffer
     Received 6 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     317 packets output, 21918 bytes, 0 underruns
     251 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     251 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
Virtual-Access1 is up, line protocol is up
  Hardware is Virtual Access interface
  MTU 1492 bytes, BW 56 Kbit, DLY 100000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set
  DTR is pulsed for 5 seconds on reset
  Interface is bound to Di1 (Encapsulation PPP)
  LCP Open
  Listen: CDPCP
  Open: IPCP
  Last input 00:00:09, output never, output hang never
  Last clearing of "show interface" counters 00:02:56
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue :0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     39 packets input, 544 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     39 packets output, 616 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
Dialer1 is up, line protocol is up (spoofing)
  Hardware is Unknown
  Internet address is 203.162.3.1/24
  MTU 1492 bytes, BW 56 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set
  DTR is pulsed for 1 seconds on reset
  Interface is bound to Vi1
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 00:34:56
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations 0/0/16 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 42 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     36 packets input, 504 bytes
     36 packets output, 576 bytes
Bound to:
Virtual-Access1 is up, line protocol is up
  Hardware is Virtual Access interface
  MTU 1492 bytes, BW 56 Kbit, DLY 100000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set
  DTR is pulsed for 5 seconds on reset
  Interface is bound to Di1 (Encapsulation PPP)
  LCP Open
  Listen: CDPCP
  Open: IPCP
  Last input 00:00:04, output never, output hang never
  Last clearing of "show interface" counters 00:03:01
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
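
Added example (not part of the original lab): a small Python audit that parses "show crypto isakmp policy" output like that in the VPN check above and flags the negotiated parameters against an assumed baseline that treats single DES, MD5 and Diffie-Hellman groups 1, 2 and 5 as deprecated. The sample text is constructed to mirror R3's output; parse_suites, audit and RULES are hypothetical names.

```python
import re

# Constructed sample mirroring the "sh crypto isakmp policy" output on R3.
SAMPLE = """\
Protection suite of priority 10
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
"""

# Assumed audit baseline (not from the page): (field, pattern, finding).
RULES = [
    ("encryption algorithm", re.compile(r"^DES\b"), "single DES, 56-bit key"),
    ("hash algorithm", re.compile(r"Message Digest 5"), "MD5"),
    ("Diffie-Hellman group", re.compile(r"#(1|2|5)\b"), "DH group below 2048 bits"),
]

def parse_suites(text):
    """Return {suite header: {field: value}} for each protection suite."""
    suites, current = {}, None
    for line in text.splitlines():
        if "protection suite" in line.lower() and ":" not in line:
            current = suites.setdefault(line.strip(), {})  # suite header line
        elif current is not None and ":" in line:
            field, value = line.split(":", 1)              # "field: value" line
            current[field.strip()] = value.strip()
    return suites

def audit(text):
    """Return (suite, field, finding) for every parameter matching RULES."""
    findings = []
    for suite, fields in parse_suites(text).items():
        for field, pattern, finding in RULES:
            if pattern.search(fields.get(field, "")):
                findings.append((suite, field, finding))
    return findings

if __name__ == "__main__":
    for suite, field, finding in audit(SAMPLE):
        print(f"{suite}: {field} -> {finding}")
```

The show output does not reveal the pre-shared key or the IPsec transform set, so those need to be reviewed separately in the running configuration.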