PPPoE AND VPN CONFIGURATION

Interface addresses:

Device   Interface   IP address
Client   Lo0         10.10.10.10/24
         Dialer1     203.106.10.2/24
Remote   E0/0        20.20.20.20/24
         S0/0        203.162.11.2/24
Server   Lo1         203.106.10.1/24
         S0/0        203.162.11.1/24

Full configuration:

remote#sh run
Building configuration
Current configuration : 1273 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname remote
!
logging rate-limit console 10 except errors
!
memory-size iomem 10
ip subnet-zero
!
no ip finger
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 203.106.10.2 255.255.255.0
!
crypto ipsec transform-set vnpro ah-md5-hmac esp-des
!
crypto map tam 10 ipsec-isakmp
 set peer 203.106.10.2
 set transform-set vnpro
 match address 110
!
call rsvp-sync
!
interface Ethernet0/0
 ip address 20.20.20.20 255.255.255.0
 ip nat inside
 no keepalive
 half-duplex
!
interface Serial0/0
 ip address 203.162.11.2 255.255.255.0
 ip nat outside
 crypto map tam
!
interface Serial0/1
 no ip address
 shutdown
!
ip nat inside source list 100 interface Serial0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 203.162.11.1
no ip http server
!
access-list 100 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 100 permit ip 20.20.20.0 0.0.0.255 any
access-list 110 permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
!
dial-peer cor custom
!
line con 0
 transport input none
line aux 0
line vty 0 4
!
no scheduler allocate
end

Client#sh run
Building configuration
Current configuration : 1596 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Client
!
ip subnet-zero
!
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 203.162.11.2 255.255.255.0
!
crypto ipsec transform-set vnpro ah-md5-hmac esp-des
!
crypto map tam 10 ipsec-isakmp
 set peer 203.162.11.2
 set transform-set vnpro
 match address 110
!
voice call carrier capacity active
!
mta receive maximum-recipients 0
!
interface Loopback0
 ip address 10.10.10.10 255.255.255.0
 ip nat inside
!
interface Loopback1
 no ip address
!
interface Ethernet0/0
 no ip address
 half-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface Serial0/0
 no ip address
 shutdown
 no fair-queue
!
interface Serial0/1
 no ip address
 shutdown
!
interface Dialer1
 mtu 1492
 ip address 203.106.10.2 255.255.255.0
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 crypto map tam
!
ip nat inside source list 100 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 203.106.10.1
ip http server
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 110 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
dialer-list 1 protocol ip permit
!
call rsvp-sync
!
mgcp profile default
!
dial-peer cor custom
!
line con 0
line aux 0
line vty 0 4
!
end

Server#sh run
Building configuration
Current configuration : 858 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Server
!
logging queue-limit 100
!
ip subnet-zero
!
vpdn enable
!
vpdn-group 1
 accept-dialin
  protocol pppoe
  virtual-template 1
!
mpls ldp logging neighbor-changes
!
no voice hpi capture buffer
no voice hpi capture destination
!
mta receive maximum-recipients 0
!
interface Loopback1
 ip address 203.106.10.1 255.255.255.0
!
interface Ethernet0/0
 no ip address
 half-duplex
 pppoe enable
!
interface Serial0/0
 ip address 203.162.11.1 255.255.255.0
 clockrate 64000
 no fair-queue
!
interface Virtual-Template1
 ip unnumbered Loopback1
!
ip http server
ip classless
!
call rsvp-sync
!
mgcp profile default
!
dial-peer cor custom
!
line con 0
line aux 0
line vty 0 4
!
end

Step-by-step configuration:

This lab only configures the PPPoE and VPN parts; the rest of the configuration is assumed to be known.

• PPPoE configuration:

Server:

Create the VPDN group:
Server(config)#vpdn enable
Server(config)#vpdn-group 1
Server(config-vpdn)#accept-dialin
Server(config-vpdn-acc-in)#protocol pppoe
Enable the VPDN feature so that PPPoE sessions can be established.
Server(config-vpdn-acc-in)#virtual-template 1   <- use a virtual-template to talk to the client
Server(config-vpdn-acc-in)#exit
Server(config)#int lo1
Server(config-if)#ip add 203.106.10.1 255.255.255.0
Server(config-if)#int e0/0
Server(config-if)#pppoe enable   <- enable PPPoE on the interface facing the client

Create the virtual-template interface:
Server(config)#int virtual-template 1
Server(config-if)#ip unnumbered lo1

Client:

Create the VPDN group:
Client(config)#vpdn enable
Client(config)#vpdn-group 1
Client(config-vpdn)#request-dialin
Client(config-vpdn-req-in)#protocol pppoe

Enable PPPoE on the interface facing the server:
Client(config)#int e0/0
Client(config-if)#pppoe enable

Bind interface e0/0 to the dialer interface, which carries the encapsulation for the PPPoE client:
Client(config-if)#pppoe-client dial-pool-number 1
Client(config-if)#exit

Configure the dialer interface:
Client(config)#int dialer 1
Client(config-if)#mtu 1492
Client(config-if)#ip add 203.106.10.2 255.255.255.0
Client(config-if)#ip nat outside
Client(config-if)#encapsulation ppp
Client(config-if)#dialer pool 1
Client(config-if)#dialer-group 1
Client(config-if)#exit
Client(config)#access-list 1 permit 10.10.10.0 0.0.0.255
Client(config)#dialer-list 1 protocol ip permit

Create PAT:
Client(config)#ip nat inside source list 100 interface Dialer1 overload
Client(config)#access-list 100 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
Client(config)#access-list 100 permit ip 10.10.10.0 0.0.0.255 any

Turn on debug and use show commands to verify the connection between Server and Client:
Client(config)#debug ip nat
Client#ping
Protocol [ip]:
Target IP address: 203.106.10.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.10.10.10
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.106.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/12/44 ms
*Mar 1 01:28:19.438: NAT: s=10.10.10.10->203.106.10.2, d=203.106.10.1 [50]
*Mar 1 01:28:19.438: NAT*: s=203.106.10.1, d=203.106.10.2->10.10.10.10 [50]
*Mar 1 01:28:19.442: NAT: s=10.10.10.10->203.106.10.2, d=203.106.10.1 [51]
*Mar 1 01:28:19.446: NAT*: s=203.106.10.1, d=203.106.10.2->10.10.10.10 [51]

Client#SH INT
Ethernet0/0 is up, line protocol is up
  Hardware is AmdP2, address is 000b.5f9a.d0e0 (bia 000b.5f9a.d0e0)
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:32, output 00:00:03, output hang never
  Last clearing of "show interface" counters never
<omitted>
Virtual-Access1 is up, line protocol is up
  Hardware is Virtual Access interface
  MTU 1492 bytes, BW 56 Kbit, DLY 100000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set
  Interface is bound to Di1 (Encapsulation PPP)
  LCP Open
  Listen: CDPCP
  Open: IPCP
  Last input 00:00:01, output never, output hang never
  Last clearing of "show interface" counters 00:06:35
Dialer1 is up, line protocol is up (spoofing)
  Hardware is Unknown
  Internet address is 203.106.10.2/24
  MTU 1492 bytes, BW 56 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set
  DTR is pulsed for 1 seconds on reset
  Interface is bound to Vi1
  Bound to:
Virtual-Access1 is up, line protocol is up
  Hardware is Virtual Access interface
  MTU 1492 bytes, BW 56 Kbit, DLY 100000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set
  Interface is bound to Di1 (Encapsulation PPP)
  LCP Open
  Listen: CDPCP
  Open: IPCP

Server#SH INTER
Ethernet0/0 is up, line protocol is up
  Hardware is AmdP2, address is 0009.e8d8.f840 (bia 0009.e8d8.f840)
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00
Virtual-Access1 is up, line protocol is up
  Hardware is Virtual Access interface
  MTU 1492 bytes, BW 100000 Kbit, DLY 100000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Base PPPoE vaccess, loopback not set
  DTR is pulsed for 5 seconds on reset
Virtual-Access1.1 is up, line protocol is up
  Hardware is Virtual Access interface
  Interface is unnumbered. Using address of Loopback1 (203.106.10.1)
[...]
  ... usec, reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Open: IPCP
  PPPoE vaccess, cloned from Virtual-Template1
  85 packets input, 3414 bytes
  87 packets output, 3499 bytes
  Last clearing of "show interface" counters never

• VPN configuration for Client and remote:

To configure the VPN we configure two phases:
- Phase 1 (IKE phase 1, also called ISAKMP): the phase used to generate keys, encrypt keys and exchange keys. If phase 1 succeeds, it moves on to phase 2.
- Phase 2: the phase that uses the IPsec policy to secure the data.

Configured as follows:

Phase 1:
Client(config)#crypto isakmp enable
Client(config)#crypto isakmp key cisco address 203.162.11.2 255.255.255.0
Client(config)#crypto isakmp policy 10
Client(config-isakmp)#authentication...

... debugging is on
remote#debug crypto ipsec
Crypto IPSEC debugging is on
remote#ping
Protocol [ip]:
Target IP address: 10.10.10.10
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 20.20.20.20
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
...
  src= 203.162.11.2, dest= 203.106.10.2,
  src_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
  dest_proxy= 20.20.20.0/255.255.255.0/0/0 (type=4),
  protocol= ESP, transform= esp-des esp-md5-hmac,
  lifedur= 3600s and 4608000Kb,
  spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
! Interesting traffic from remote to client triggers ISAKMP Main Mode
! ISAKMP negotiation starts in IKE Phase 1 main mode
...
... port 500
00:36:59: ISAKMP (0:1): beginning Main Mode exchange
In this mode ISAKMP negotiates the ISAKMP policy. Whichever side starts the process sends all the policies it has to its peer; in this configuration that is remote (203.162.11.2). Its peer, router Client, searches through its own policies until it finds one that matches remote's.
00:36:59: ISAKMP (0:1): sending packet to 203.106.10.2...
  src= 203.162.11.2, dest= 203.106.10.2,
  src_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
  dest_proxy= 20.20.20.0/255.255.255.0/0/0 (type=4),
  protocol= ESP, transform= esp-des esp-md5-hmac,
  lifedur= 3600s and 4608000Kb,
  spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
00:37:01: ISAKMP (0:1): processing NONCE payload message ID = -391346015
00:37:01: ISAKMP (0:1): processing ID payload message ID = -391346015
...
... 203.106.10.2 to 203.162.11.2 (proxy 10.10.10.0 to 20.20.20.0)
00:37:01: has spi 0x75B29B72 and conn_id 2000 and flags 4
00:37:01: lifetime of 3600 seconds
00:37:01: lifetime of 4608000 kilobytes
00:37:01: outbound SA from 203.162.11.2 to 203.106.10.2 (proxy 20.20.20.0 to 10.10.10.0 )
00:37:01: has spi 721289306 and conn_id 2001 and flags 4
00:37:01: lifetime of 3600 seconds
00:37:01: lifetime of 4608000 kilobytes
...
... 203.106.10.2 to 203.162.11.2 (proxy 10.10.10.0 to 20.20.20.0)
00:37:01: has spi 0x609CD1A8 and conn_id 2002 and flags 4
00:37:01: lifetime of 3600 seconds
00:37:01: lifetime of 4608000 kilobytes
00:37:01: outbound SA from 203.162.11.2 to 203.106.10.2 (proxy 20.20.20.0 to 10.10.10.0 )
00:37:01: has spi 199818953 and conn_id 2003 and flags 4
00:37:01: lifetime of 3600 seconds
00:37:01: lifetime of 4608000 kilobytes
...
  src= 203.162.11.2, dest= 203.106.10.2,
  src_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
  dest_proxy= 20.20.20.0/255.255.255.0/0/0 (type=4),
  protocol= ESP, transform= esp-des esp-md5-hmac,
  lifedur= 3600s and 4608000Kb,
  spi= 0x609CD1A8 (199818953), conn_id= 2002, keysize= 0, flags= 0x4
! The IPsec SAs are established and data can now be exchanged securely.
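Two things a reviewer would check in a configuration like the one above: the algorithms the lab uses (MD5 hash, DES encryption, DH group 2, the pre-shared key "cisco") are below current guidance, and the NAT list must deny the crypto-ACL traffic before its "permit any" line, otherwise the inside subnet gets translated to the Dialer address and never matches the crypto map. The following Python script is an added example, not part of the original lab: it parses an IOS running-config and reports both problems. The config text is a constructed sample reduced from the Client configuration above; the finding codes, the second variant without the deny line and the thresholds (16-character key, group 14) are assumptions of this example.

```python
import re

# Constructed sample: the Client router's running-config from the lab, reduced to the
# crypto, NAT and access-list statements the audit inspects.
CLIENT_CONFIG = """\
hostname Client
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 203.162.11.2 255.255.255.0
!
crypto ipsec transform-set vnpro ah-md5-hmac esp-des
!
crypto map tam 10 ipsec-isakmp
 set peer 203.162.11.2
 set transform-set vnpro
 match address 110
!
ip nat inside source list 100 interface Dialer1 overload
!
access-list 100 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 110 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
"""

# Constructed variant (assumption of this example): the same config with the NAT
# exemption "deny" line removed, the classic mistake that keeps the tunnel from coming up.
CLIENT_CONFIG_NO_EXEMPT = CLIENT_CONFIG.replace(
    "access-list 100 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255\n", "")

WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac", "esp-null"}
ACL_RE = re.compile(r"access-list (\d+) (permit|deny) ip (any|\S+ \S+) (any|\S+ \S+)$")


def parse_config(text):
    """Collect ISAKMP policies, pre-shared keys, transform-sets, crypto maps, NAT lists
    and extended ACLs. Indented lines are sub-commands of the block above them."""
    cfg = {"isakmp": {}, "psk": [], "transform_sets": {}, "crypto_maps": {},
           "nat_lists": [], "acls": {}}
    block = None  # (section, key) of the block whose sub-commands we are reading
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        line = raw.strip()
        if raw.startswith(" ") and block:
            section, key = block
            words = line.split()
            if section == "isakmp":
                cfg["isakmp"][key][words[0]] = " ".join(words[1:])          # hash -> md5
            else:
                cfg["crypto_maps"][key][" ".join(words[:2])] = " ".join(words[2:])
            continue
        block = None
        if m := re.match(r"crypto isakmp policy (\d+)", line):
            block = ("isakmp", m.group(1))
            cfg["isakmp"][m.group(1)] = {}
        elif m := re.match(r"crypto isakmp key (\S+) address", line):
            cfg["psk"].append(m.group(1))
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            cfg["transform_sets"][m.group(1)] = m.group(2).split()
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
            block = ("crypto_maps", f"{m.group(1)} {m.group(2)}")
            cfg["crypto_maps"][block[1]] = {}
        elif m := re.match(r"ip nat inside source list (\d+) ", line):
            cfg["nat_lists"].append(m.group(1))
        elif m := ACL_RE.match(line):
            cfg["acls"].setdefault(m.group(1), []).append(m.group(2, 3, 4))
    return cfg


def audit(cfg):
    """Return (code, message) findings: weak IKE/IPsec settings and a NAT list that
    translates crypto-ACL traffic before the crypto map can match it."""
    findings = []
    for num, pol in cfg["isakmp"].items():
        # IOS 12.x defaults when a sub-command is absent: encryption des, hash sha,
        # authentication rsa-sig, group 1. The lab leaves encryption unset.
        if pol.get("encryption", "des") in ("des", "3des"):
            findings.append(("WEAK_ENC", f"isakmp policy {num}: encryption "
                             f"{pol.get('encryption', 'des (default)')}; use aes"))
        if pol.get("hash", "sha") == "md5":
            findings.append(("WEAK_HASH", f"isakmp policy {num}: hash md5; use sha256"))
        if pol.get("group", "1") in ("1", "2", "5"):
            findings.append(("WEAK_DH", f"isakmp policy {num}: DH group "
                             f"{pol.get('group', '1')}; use group 14 or higher"))
    for key in cfg["psk"]:
        if len(key) < 16:
            findings.append(("WEAK_PSK", f"pre-shared key is only {len(key)} characters; "
                             "use a long random key"))
    for name, transforms in cfg["transform_sets"].items():
        for t in transforms:
            if t in WEAK_TRANSFORMS:
                findings.append(("WEAK_TRANSFORM", f"transform-set {name}: {t}; "
                                 "use esp-aes with esp-sha256-hmac"))
    for name, cmap in cfg["crypto_maps"].items():
        crypto_acl = cfg["acls"].get(cmap.get("match address", ""), [])
        for nat_num in cfg["nat_lists"]:
            nat_acl = cfg["acls"].get(nat_num, [])
            for action, src, dst in crypto_acl:
                if action != "permit":
                    continue
                # ACLs are ordered: the first NAT-list entry covering the flow decides.
                hit = next((a for a, s, d in nat_acl
                            if s in (src, "any") and d in (dst, "any")), None)
                if hit == "permit":
                    findings.append(("NAT_BEFORE_CRYPTO",
                                     f"access-list {nat_num} translates {src} -> {dst} "
                                     f"before crypto map {name} matches it; insert "
                                     f"'access-list {nat_num} deny ip {src} {dst}' first"))
    return findings


def audit_text(text):
    return audit(parse_config(text))


def finding_codes(text):
    """Distinct finding codes for a config; convenient for a CI gate."""
    return {code for code, _ in audit_text(text)}


if __name__ == "__main__":
    for label, text in (("lab config", CLIENT_CONFIG),
                        ("without NAT exemption", CLIENT_CONFIG_NO_EXEMPT)):
        print(f"== {label}")
        for code, msg in audit_text(text):
            print(f"{code:18} {msg}")
```

Run against the lab config it reports the weak ISAKMP policy (default DES, MD5, group 2), the 5-character key and both transforms of "vnpro", and stays silent on NAT because access-list 100 denies 10.10.10.0/24 to 20.20.20.0/24 before permitting the rest; against the variant without that deny line it adds a NAT_BEFORE_CRYPTO finding. The same check applies to the remote router, where access-list 100 plays the same role for 20.20.20.0/24.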