组网需求
如下图所示,AR1为企业分支网关,AR3为企业总部网关,分支通过AR1自拨号的方式与总部建立L2TP隧道实现互通。
现企业希望通过L2TP隧道传输的业务进行安全保护,防止被窃取或篡改等。此时,可以配置L2TP over IPSec的方式来加密保护企业分支和总部的业务。
配置思路
- 配置接口的IP地址和到对端的静态路由,保证两端路由可达。
- 在AR1上配置L2TP功能,PPP用户通过L2TP隧道向总部发出接入请求,总部认证成功后建立隧道。
- 在AR1上配置到达AR3的路由,使能AR1的自拨号功能。
- 在AR3上配置L2TP功能及PPP用户,并配置访问公网的路由。
- 配置ACL,以定义需要IPSec保护的数据流。
- 配置IPSec安全提议,定义IPSec的保护方法。
- 配置IKE对等体,定义对等体间IKE协商时的属性。
- 配置安全策略,并引用ACL、IPSec安全提议和IKE对等体,确定对何种数据流采取何种保护方法。
- 在接口上应用安全策略组,使接口具有IPSec的保护功能。
操作步骤
配置接口的IP地址和到对端的静态路由
AR1
<Huawei>sys [Huawei]sys AR1 [AR1]int g0/0/0 [AR1-GigabitEthernet0/0/0]ip add 12.12.12.1 24 [AR1-GigabitEthernet0/0/0]q [AR1]int g0/0/1 [AR1-GigabitEthernet0/0/1]ip add 10.1.1.1 24 [AR1-GigabitEthernet0/0/1]q [AR1]ip route-static 23.23.23.0 24 12.12.12.2
AR2
<Huawei>sys [Huawei]sys AR2 [AR2]int g0/0/0 [AR2-GigabitEthernet0/0/0]ip add 12.12.12.2 24 [AR2-GigabitEthernet0/0/0]q [AR2]int g0/0/1 [AR2-GigabitEthernet0/0/1]ip add 23.23.23.2 24 [AR2-GigabitEthernet0/0/1]q [AR2]ip route-static 10.1.1.0 24 12.12.12.1 [AR2]ip route-static 10.1.3.0 24 23.23.23.3
AR3
<Huawei>sys [Huawei]sys AR3 [AR3]int g0/0/0 [AR3-GigabitEthernet0/0/1]ip add 23.23.23.3 24 [AR3-GigabitEthernet0/0/1]q [AR3]int g0/0/1 [AR3-GigabitEthernet0/0/0]ip add 10.1.3.3 24 [AR3-GigabitEthernet0/0/0]q [AR3]ip route-static 12.12.12.0 24 23.23.23.2
配置L2TP(AR1)
AR1
#配置使能L2TP,并创建一个L2TP组并配置为用户名称为20wl的用户建立到达LNS的L2TP连接 [AR1]l2tp enable [AR1]l2tp-group 1 [AR1-l2tp1]tunnel name ar1 #指定隧道本端的名称 [AR1-l2tp1]start l2tp ip 23.23.23.3 fullusername 20wl #fullusername user-name:指定触发L2TP连接请求的用户全名。 #启用通道验证并设置通道验证密码。 [LAC-l2tp1] tunnel authentication [LAC-l2tp1] tunnel password cipher 20wl [LAC-l2tp1] quit #配置虚拟PPP用户的用户名和密码,PPP认证方式以及IP地址。 [AR1]interface Virtual-Template1 [AR1-Virtual-Template1]ppp chap user 20wl [AR1-Virtual-Template1]ppp chap password cipher 20wl [AR1-Virtual-Template1]ip address ppp-negotiate #配置自拨号建立L2TP隧道。 [AR1-Virtual-Template1]l2tp-auto-client enable [AR1-Virtual-Template1]q #配置私网路由,使得企业分支用户与总部私网互通。 [AR1]ip route-static 10.1.3.0 255.255.255.0 virtual-template 1
AR3
#配置AAA认证,用户名为20wl,密码为20wl [AR3]aaa [AR3-aaa]local-user 20wl password cipher 20wl [AR3-aaa]local-user huawei service-type ppp [AR3-aaa]q #配置IP地址池,为LAC的拨号接口分配IP地址 [AR3]ip pool 1 [AR3-ip-pool-1]network 13.13.13.0 mask 24 [AR3-ip-pool-1]gateway-list 13.13.13.1 [AR3-ip-pool-1]quit #创建虚拟接口模板并配置PPP协商等参数 [AR3]int virtual-template 1 [AR3-Virtual-Template1]ppp authentication-mode chap [AR3-Virtual-Template1]remote address pool 1 [AR3-Virtual-Template1]ip address 13.13.13.1 24 [AR3-Virtual-Template1]quit #使能L2TP服务,创建一个L2TP组 [AR3]l2tp enable [AR3]l2tp-group 1 #配置本端隧道名称及指定AR1的隧道名称 [AR3-l2tp1]tunnel name ar3 [AR3-l2tp1]allow l2tp virtual-template 1 remote ar1 #启用隧道认证功能并设置隧道认证字 [AR3-l2tp1]tunnel authentication [AR3-l2tp1]tunnel password cipher 20wl [AR3-l2tp1]quit #配置私网路由,使得企业总部与企业分支用户私网互通。 [AR3]ip route-static 10.1.1.0 24 virtual-template 1
配置ACL,定义各自要保护的数据流
AR1
[AR1]acl number 3100 [LAC-acl-adv-3100]rule permit ip source 12.12.12.0 0.0.0.255 destination 23.23.23.0 0.0.0.255 [AR1-acl-adv-3100]q
AR3
[AR3]acl number 3100 [LNS-acl-adv-3100]rule permit ip source 23.23.23.0 0.0.0.255 destination 12.12.12.0 0.0.0.255 [AR3-acl-adv-3100]q
创建IPSec安全提议
AR1
[AR1] ipsec proposal1 [AR1-ipsec-proposal-1]esp authentication-algorithm sha2-256 [AR1-ipsec-proposal-1]esp encryption-algorithm aes-128 [AR1-ipsec-proposal-1]q
AR3
[AR3]ipsec proposal1 [AR3-ipsec-proposal-1]esp authentication-algorithm sha2-256 [AR3-ipsec-proposal-1]esp encryption-algorithm aes-128 [AR3-ipsec-proposal-1]q
配置IKE对等体
AR1
#配置IKE安全提议 [AR1]ike proposal 1 [AR1-ike-proposal-1]encryption-algorithm aes-cbc-128 [AR1-ike-proposal-1]authentication-algorithm sha1 [AR1-ike-proposal-1]dh group14 [AR1-ike-proposal-1]q #配置ike对等体,并根据默认配置,配置预共享密钥和对端ID [AR1]ike peer 1 v1 [AR1-ike-peer-1]ike-proposal 1 [AR1-ike-peer-1]pre-shared-key cipher 20wl [AR1-ike-peer-1]remote-address 23.23.23.3 [AR1-ike-peer-1]q
AR3
#配置IKE安全提议 [AR3]ike proposal 1 [AR3-ike-proposal-1]encryption-algorithm aes-cbc-128 [AR3-ike-proposal-1]authentication-algorithm sha1 [AR3-ike-proposal-1]dh group14 [AR3-ike-proposal-1]q #配置ike对等体,并根据默认配置,配置预共享密钥和对端ID [AR3]ike peer 1 v1 [AR3-ike-peer-1]ike-proposal 1 [AR3-ike-peer-1]pre-shared-key cipher 20wl [AR3-ike-peer-1]remote-address 12.12.12.1 [AR3-ike-peer-1]q
创建安全策略
AR1
#配置IKE动态协商方式安全策略 [AR1]ipsec policy 1 1 isakmp [AR1-ipsec-policy-isakmp-1-1]ike-peer 1 [AR1-ipsec-policy-isakmp-1-1]proposal 1 [AR1-ipsec-policy-isakmp-1-1]security acl 3100 [AR1-ipsec-policy-isakmp-1-1]q
AR3
#配置IKE动态协商方式安全策略 [AR3]ipsec policy 1 1 isakmp [AR3-ipsec-policy-isakmp-1-1]ike-peer 1 [AR3-ipsec-policy-isakmp-1-1]proposal 1 [AR3-ipsec-policy-isakmp-1-1]security acl 3100 [AR3-ipsec-policy-isakmp-1-1]q
接口应用安全策略组,使接口具有IPSec的保护功能
AR1
[AR1]interface g0/0/0 [AR1-GigabitEthernet0/0/0]ipsec policy 1 [AR1-GigabitEthernet0/0/0]q
AR3
[AR3]interface g0/0/1 [AR3-GigabitEthernet0/0/1]ipsec policy 1 [AR3-GigabitEthernet0/0/1]q
验证
配置成功后,在主机PC1执行ping操作可以ping通主机PC2
AR1
[AR1]display ipsec statistics esp Inpacket count : 581 Inpacket auth count : 0 Inpacket decap count : 0 Outpacket count : 626 Outpacket auth count : 0 Outpacket encap count : 0 Inpacket drop count : 0 Outpacket drop count : 0 BadAuthLen count : 0 AuthFail count : 0 InSAAclCheckFail count : 0 PktDuplicateDrop count : 0 PktSeqNoTooSmallDrop count: 0 PktInSAMissDrop count : 0 [AR1]display ike sa Conn-ID Peer VPN Flag(s) Phase --------------------------------------------------------------- 2 23.23.23.3 0 RD|ST 2 1 23.23.23.3 0 RD|ST 1 Flag Description: RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP [AR1]display l2tp tunnel Total tunnel = 1 LocalTID RemoteTID RemoteAddress Port Sessions RemoteName 1 1 23.23.23.3 42246 1 1 #Total tunnel:本端建立的L2TP隧道的数目 #LocalTID:L2TP隧道的本端ID #RemoteTID:L2TP隧道的远端ID #RemoteAddress:L2TP隧道的远端IP地址 #Port:L2TP隧道远端使用的端口号 #Sessions:L2TP隧道上承载的会话数目 #Remote Name:L2TP隧道远端的隧道名称
AR3
[AR3]display ike sa Conn-ID Peer VPN Flag(s) Phase --------------------------------------------------------------- 4 12.12.12.1 0 RD 2 2 12.12.12.1 0 RD 1 Flag Description: RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP [AR3]display l2tp tunnel Total tunnel = 1 LocalTID RemoteTID RemoteAddress Port Sessions RemoteName 1 1 12.12.12.1 42246 1 1 [AR3]
