Kagamigawa
Spotlight

This post was last edited by zylccna2015 on 2020-1-24 13:19

  • Before starting, set up DDNS and L2TP/IPsec so phones can connect from outside
    aaa new-model
    aaa authentication ppp default local
    !
    username root privilege 15 password 7 097D5FD4C434C47525FD507B
    !
    ! <s> is the update server, <h> the DDNS hostname and <a> the new address (IOS placeholders)
    ip ddns update method 3322
    HTTP
    add http://kagamigawa:************@<s>/nic/update?system=dyndns&hostname=<h>&myip=<a>
    interval maximum 0 0 1 0
    interval minimum 0 0 1 0
    !
    ! Address pool handed to L2TP clients on the virtual-template
    ip dhcp pool l2tp-pool
    network 192.168.1.0 255.255.255.0
    default-router 192.168.1.1
    dns-server 192.168.1.1
    !
    vpdn enable
    vpdn-group l2tpv2
    ! Default L2TP VPDN group
    accept-dialin
    protocol l2tp
    virtual-template 1
    no l2tp tunnel authentication
    !
    crypto isakmp policy 1
    encr aes 256
    hash md5
    authentication pre-share
    group 14
    crypto isakmp key ***** address 0.0.0.0
    crypto ipsec transform-set l2tp esp-3des esp-sha-hmac
    mode transport
    crypto dynamic-map l2tp 1
    set transform-set l2tp
    crypto map l2tp 1 ipsec-isakmp dynamic l2tp
    !
    interface dialer 1
    ip nbar protocol-discovery
    crypto map l2tp
    service-policy input WEBUI-MARKING-IN
    service-policy output WEBUI-QUEUING-OUT
    ip ddns update hostname kagamigawa.f3322.net
    ip ddns update 3322 host members.3322.net
    !
    interface Virtual-Template1
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    peer default ip address dhcp-pool l2tp-pool
    ppp authentication chap eap ms-chap ms-chap-v2 pap
    end
  • Enable Guestshell and traffic monitoring
    ip nbar http-services
    !
    class-map match-all WEBUI-MULTIMEDIA_CONFERENCING-DSCP
    match dscp af41
    class-map match-all WEBUI-BROADCAST_VIDEO-NBAR
    match protocol attribute traffic-class broadcast-video
    match protocol attribute business-relevance business-relevant
    class-map match-all WEBUI-VOICE-NBAR
    match protocol attribute traffic-class voip-telephony
    match protocol attribute business-relevance business-relevant
    class-map match-all WEBUI-BULK_DATA-NBAR
    match protocol attribute traffic-class bulk-data
    match protocol attribute business-relevance business-relevant
    class-map match-all WEBUI-SIGNALING-NBAR
    match protocol attribute traffic-class signaling
    match protocol attribute business-relevance business-relevant
    class-map match-all WEBUI-NETWORK_CONTROL-DSCP
    match dscp cs6
    class-map match-all WEBUI-SCAVENGER-NBAR
    match protocol attribute business-relevance business-irrelevant
    class-map match-all WEBUI-SCAVENGER-DSCP
    match dscp cs1
    class-map match-all WEBUI-NETWORK_CONTROL-NBAR
    match protocol attribute traffic-class network-control
    match protocol attribute business-relevance business-relevant
    class-map match-all WEBUI-SIGNALING-DSCP
    match dscp cs3
    class-map match-all WEBUI-BULK_DATA-DSCP
    match dscp af11
    class-map match-all WEBUI-BROADCAST_VIDEO-DSCP
    match dscp cs5
    class-map match-all WEBUI-MULTIMEDIA_CONFERENCING-NBAR
    match protocol attribute traffic-class multimedia-conferencing
    match protocol attribute business-relevance business-relevant
    class-map match-all WEBUI-VOICE-DSCP
    match dscp ef
    class-map match-all WEBUI-NETWORK_MANAGEMENT-NBAR
    match protocol attribute traffic-class ops-admin-mgmt
    match protocol attribute business-relevance business-relevant
    class-map match-all WEBUI-MULTIMEDIA_STREAMING-DSCP
    match dscp af31
    class-map match-all WEBUI-REALTIME_INTERACTIVE-NBAR
    match protocol attribute traffic-class real-time-interactive
    match protocol attribute business-relevance business-relevant
    class-map match-all WEBUI-TRANSACTIONAL_DATA-DSCP
    match dscp af21
    class-map match-all WEBUI-REALTIME_INTERACTIVE-DSCP
    match dscp cs4
    class-map match-all WEBUI-TRANSACTIONAL_DATA-NBAR
    match protocol attribute traffic-class transactional-data
    match protocol attribute business-relevance business-relevant
    class-map match-all WEBUI-NETWORK_MANAGEMENT-DSCP
    match dscp cs2
    class-map match-all WEBUI-MULTIMEDIA_STREAMING-NBAR
    match protocol attribute traffic-class multimedia-streaming
    match protocol attribute business-relevance business-relevant
    !
    ip name-server 8.8.8.8 8.8.4.4
    ip domain name home.lab
    ip domain lookup
    ip dns server
    !
    interface VirtualPortGroup0
    ip address 192.168.2.1 255.255.255.0
    ip nbar protocol-discovery
    ip nat inside
    no mop enabled
    no mop sysid
    service-policy input WEBUI-MARKING-IN
    service-policy output WEBUI-QUEUING-OUT
    !
    ip nat inside source list 1 interface Dialer1 overload
    access-list 1 permit 192.168.0.0 0.0.255.255
    !
    app-hosting appid guestshell
    app-vnic gateway0 virtualportgroup 0 guest-interface 0
    ! guest netmask matches the /24 on VirtualPortGroup0
    guest-ipaddress 192.168.2.100 netmask 255.255.255.0
    app-default-gateway 192.168.2.1 guest-interface 0
    name-server0 192.168.2.1
  • Enter Guestshell and prepare the dependencies and packages
    Gateway#guestshell
    [guestshell@guestshell ~]$ sudo su
    [root@guestshell guestshell]#cd /tmp
    yum install -y nano
    yum install -y epel-release
    yum install -y systemd-sysv
    pip install --upgrade pip
    pip install http://192.168.0.64/shadowsocks-master.zip -U # get the package from GitHub yourself or contact me
    rpm -i http://192.168.0.64/privoxy-3.0.26-1.el7.x86_64.rpm
    wget http://192.168.0.64/gfwlist.action
  • Configure SS, Privoxy and PAC
    #================== Configure SS ====================
    mkdir /etc/shadowsocks
    nano /etc/shadowsocks/shadowsocks.json
    {
    "server": "64.64.239.111",
    "server_port": 53160,
    "local_address": "192.168.2.100",
    "local_port": 1080,
    "password": "*********",
    "method": "**********",
    "fast_open": true,
    "workers": 1
    }
    #============== Configure the SS service unit ===============
    nano /etc/systemd/system/shadowsocks.service
    [Unit]
    Description=Shadowsocks
    [Service]
    TimeoutStartSec=0
    ExecStart=/usr/bin/sslocal -c /etc/shadowsocks/shadowsocks.json
    [Install]
    WantedBy=multi-user.target
    #
    systemctl enable shadowsocks.service
    #================ Check the SS service status =============
    [root@guestshell tmp]#systemctl start shadowsocks.service
    [root@guestshell tmp]#systemctl status -l shadowsocks.service
    #
    ● shadowsocks.service - Shadowsocks
    Loaded: loaded (/etc/systemd/system/shadowsocks.service; enabled; vendor preset: disabled)
    Active: active (running) since Thu 2020-01-23 19:26:31 UTC; 7h ago
    Main PID: 33 (sslocal)
    CGroup: /system.slice/libvirtd.service/system.slice/shadowsocks.service
    └─33 /usr/bin/python /usr/bin/sslocal -c /etc/shadowsocks/shadowsocks.json
    #
    [root@guestshell tmp]# curl --socks5 192.168.2.100:1080 http://httpbin.org/ip # test: returns the egress IP
    {
    "origin": "64.XX.2XX.11X"
    }
    #=============== Configure the Privoxy service unit ================
    nano /etc/systemd/system/privoxy.service
    [Unit]
    Description=Privoxy Web Proxy With Advanced Filtering Capabilities
    Wants=network-online.target
    After=network-online.target
    [Service]
    Type=simple
    PIDFile=/run/privoxy.pid
    ExecStart=/usr/sbin/privoxy --no-daemon --pidfile /run/privoxy.pid --user privoxy /etc/privoxy/config
    [Install]
    WantedBy=multi-user.target
    #
    systemctl enable privoxy.service
    #================ Check the Privoxy service status =============
    [root@guestshell tmp]# systemctl start privoxy
    [root@guestshell tmp]# systemctl status privoxy
    ● privoxy.service - Privoxy Web Proxy With Advanced Filtering Capabilities
    Loaded: loaded (/etc/systemd/system/privoxy.service; enabled; vendor preset: disabled)
    Active: active (running) since Thu 2020-01-23 19:44:51 UTC; 7h ago
    Main PID: 1967 (privoxy)
    CGroup: /system.slice/libvirtd.service/system.slice/privoxy.service
    └─1967 /usr/sbin/privoxy --no-daemon --pidfile /run/privoxy.pid --user privoxy /etc/privoxy/config
    #================ Configure PAC and the HTTP proxy =============
    [root@guestshell tmp]# ll
    total 76
    -rw-r--r-- 1 root root 74726 Jan 23 19:44 gfwlist.action
    cp gfwlist.action /etc/privoxy/
    echo 'actionsfile gfwlist.action' >> /etc/privoxy/config
    echo 'listen-address 192.168.2.100:8118' >> /etc/privoxy/config
    #================ Configure PROFILE =================
    nano /etc/profile
    export http_proxy=http://192.168.2.100:8118
    export https_proxy=http://192.168.2.100:8118
    #================ Restart the service ====================
    systemctl restart privoxy.service
    #================ Verify that NAT takes effect ====================
    Gateway#sh ip nat translations | inc 192.168.2.100
    tcp 49.113.73.239:5696 192.168.2.100:60516 64.64.239.111:53160 64.64.239.111:53160
    tcp 49.113.73.239:5674 192.168.2.100:60526 64.64.239.111:53160 64.64.239.111:53160
    tcp 49.113.73.239:5689 192.168.2.100:60554 64.64.239.111:53160 64.64.239.111:53160
    tcp 49.113.73.239:5688 192.168.2.100:60550 64.64.239.111:53160 64.64.239.111:53160
    tcp 49.113.73.239:5665 192.168.2.100:60562 64.64.239.111:53160 64.64.239.111:53160
  • Configure the clients (win/mac/ios)
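The L2TP/IPsec step above uses `hash md5` and `esp-3des`, and binds the pre-shared key to `address 0.0.0.0`. The script below is an added example, not part of the original post and not a Cisco tool: it parses an IOS config excerpt in the format pasted in this thread and reports those weak IKEv1/IPsec choices so they are caught before the config goes onto the router. SAMPLE_CONFIG and HARDENED_CONFIG are constructed from the post's crypto lines, with a placeholder PSK.

```python
"""Audit IKEv1 (ISAKMP) and IPsec settings in an IOS config for weak choices.

Added example, not part of the original post and not a Cisco tool. It walks
an IOS config excerpt in the format pasted in the thread and reports:
  - MD5 hashing or DES/3DES encryption in a 'crypto isakmp policy'
  - a Diffie-Hellman group below 14 in that policy
  - a pre-shared key bound to the wildcard peer 0.0.0.0
  - esp-des / esp-3des / esp-md5-hmac in a transform set
SAMPLE_CONFIG is constructed from the post; the PSK is a placeholder.
"""
import re

WEAK_HASHES = {"md5"}
WEAK_CIPHERS = {"des", "3des"}
MIN_DH_GROUP = 14

SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 0.0.0.0
crypto ipsec transform-set l2tp esp-3des esp-sha-hmac
 mode transport
"""

# Same settings with the weak algorithms replaced. The wildcard PSK is still
# reported: remote-access L2TP clients have no fixed address, so it is a
# known trade-off rather than something a config change removes.
HARDENED_CONFIG = """\
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 0.0.0.0
crypto ipsec transform-set l2tp esp-aes 256 esp-sha256-hmac
 mode transport
"""


def audit_ios_crypto(config: str) -> list:
    """Return a list of finding strings; an empty list means nothing weak was found."""
    findings = []
    policy = None  # number of the 'crypto isakmp policy' block being parsed
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            policy = m.group(1)
            continue
        # Any top-level statement ends the policy block (works on flattened
        # config too, where the leading space has been lost).
        if line.startswith(("crypto ", "interface ", "ip ", "access-list", "!")):
            policy = None
        if policy is not None:
            parts = line.split()
            if len(parts) >= 2:
                kw, arg = parts[0], parts[1]
                if kw == "hash" and arg in WEAK_HASHES:
                    findings.append(f"isakmp policy {policy}: hash {arg} is weak, use sha256 or stronger")
                elif kw in ("encr", "encryption") and arg in WEAK_CIPHERS:
                    findings.append(f"isakmp policy {policy}: encryption {arg} is weak, use aes 256")
                elif kw == "group" and arg.isdigit() and int(arg) < MIN_DH_GROUP:
                    findings.append(f"isakmp policy {policy}: DH group {arg} is below group {MIN_DH_GROUP}")
            continue
        # 'crypto isakmp key [0|6] <secret> address <peer>'
        m = re.match(r"crypto isakmp key .+ address (\S+)", line)
        if m and m.group(1) == "0.0.0.0":
            findings.append("isakmp key: wildcard peer 0.0.0.0, any host that knows the PSK can start IKE")
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            name = m.group(1)
            for token in m.group(2).split():
                alg = token.replace("esp-", "").replace("-hmac", "")
                if alg in WEAK_CIPHERS or alg in WEAK_HASHES:
                    findings.append(f"transform-set {name}: {token} is weak")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for f in audit_ios_crypto(cfg) or ["no findings"]:
            print("  " + f)
```

Run it over the output of `show running-config | section crypto` before committing a change; the posted config yields three findings and the hardened variant only the wildcard-peer note.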

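For the "verify that NAT takes effect" step, reading the translation table by eye only confirms that the guest reaches the proxy server; it does not tell you whether the container is also talking to anything else. The following added example (not from the original post) parses `show ip nat translations` lines in the format shown above, keeps only the Guestshell host's flows, and reports any flow whose outside peer is not the configured Shadowsocks server. SAMPLE_OUTPUT is constructed from the post's lines plus two extra rows (one guest flow to the documentation address 198.51.100.7, one flow from an L2TP client) so the filtering and detection paths are both exercised.

```python
"""Parse 'show ip nat translations' output and check a Guestshell host's egress.

Added example, not part of the original post. Column layout follows the IOS
output shown in the thread: protocol, inside global, inside local, outside
local, outside global. SAMPLE_OUTPUT is constructed; the flow to
198.51.100.7 (a documentation address) is deliberately not the proxy server
so that the check has something to report.
"""
from collections import namedtuple

Translation = namedtuple(
    "Translation", "proto inside_global inside_local outside_local outside_global"
)

SAMPLE_OUTPUT = """\
Pro Inside global      Inside local        Outside local       Outside global
tcp 49.113.73.239:5696 192.168.2.100:60516 64.64.239.111:53160 64.64.239.111:53160
tcp 49.113.73.239:5674 192.168.2.100:60526 64.64.239.111:53160 64.64.239.111:53160
tcp 49.113.73.239:5689 192.168.2.100:60554 64.64.239.111:53160 64.64.239.111:53160
tcp 49.113.73.239:5688 192.168.2.100:60550 64.64.239.111:53160 64.64.239.111:53160
tcp 49.113.73.239:5701 192.168.2.100:60570 198.51.100.7:443    198.51.100.7:443
tcp 49.113.73.239:5702 192.168.1.20:51000  203.0.113.5:443     203.0.113.5:443
"""


def parse_nat_translations(output: str) -> list:
    """Return one Translation per data row; the header and blank lines are skipped."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] in ("tcp", "udp", "icmp"):
            rows.append(Translation(*parts))
    return rows


def host_of(endpoint: str) -> str:
    """Strip the ':port' suffix from an 'ip:port' endpoint."""
    return endpoint.rsplit(":", 1)[0]


def check_guest_egress(output: str, guest_ip: str, allowed_peers: set) -> dict:
    """Split the guest's flows into expected (to allowed_peers) and unexpected ones.

    Flows from other inside hosts (for example L2TP clients) are ignored; they
    are expected to leave through the proxy rather than NAT directly.
    """
    expected, unexpected = [], []
    for t in parse_nat_translations(output):
        if host_of(t.inside_local) != guest_ip:
            continue
        (expected if t.outside_global in allowed_peers else unexpected).append(t)
    return {"expected": expected, "unexpected": unexpected}


if __name__ == "__main__":
    result = check_guest_egress(SAMPLE_OUTPUT, "192.168.2.100", {"64.64.239.111:53160"})
    print(f"{len(result['expected'])} guest flows to the proxy server")
    for t in result["unexpected"]:
        print(f"unexpected egress: {t.inside_local} -> {t.outside_global} ({t.proto})")
```

Feed it the real output of `sh ip nat translations | inc 192.168.2.100` (or the full table; the inside-local filter does the narrowing) and treat any entry in `unexpected` as something to explain: the guest container should only be reaching the proxy server and, through `name-server0`, the router itself.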

Comments
wuhao0015
Spotlight
What device is this, and what IOS...
Kagamigawa
Spotlight
wuhao0015 posted on 2020-1-24 21:39
What device is this, and what IOS...

A home-use CSR1000v
Kagamigawa
Spotlight
wuhao0015 posted on 2020-1-24 21:39
What device is this, and what IOS...

The version is 16.9.4
one-time
Level 13
Thanks for sharing, OP!
Tiandao
Level 1
A virtual software router, impressive. Looks like Cisco has been embracing Linux for quite a while!
Kagamigawa
Spotlight
boy6585948 posted on 2020-2-6 12:57
A virtual software router, impressive. Looks like Cisco has been embracing Linux for quite a while!

I'm planning to rewrite the post; lately I've found AnyConnect together with SSR to be more stable
sufee
Level 1
Can this be installed and configured on other Cisco routers? Please explain in detail.
Kagamigawa
Spotlight
sufee posted on 2020-2-11 15:14
Can this be installed and configured on other Cisco routers? Please explain in detail.

Yes, both the ISR 4000 series and the ASR 1000 series work
gongsunyu
Level 1
Learned something; so this is possible :lol
raoshine
Level 1
Learned something; this works too, impressive
qinshiling87534
Community Member
:D:D Nice, thanks for sharing
sampsonlor
Level 1
I'm planning to add a bypass router and found this post. OP, I'm currently running an ISR C1111-4P on IOS 16.9.5 with 2 GB of RAM; should this work the same way? I'd like to ask a bit more.
sampsonlor
Level 1
Looked up Cisco Guest Shell; only the ISR 4000 supports it....
Kagamigawa
Spotlight
sampsonlor posted on 2020-8-11 20:20
I'm planning to add a bypass router and found this post. OP, I'm currently running an ISR C1111-4P on IOS 16.9.5 with 2 GB of RAM; should this ...

2 GB of RAM really won't do. At least 4 GB, and the CPU needs more cores: 3 threads run the forwarding plane and 1 runs the control plane
sampsonlor
Level 1
zylccna2015 posted on 2020-8-12 14:34
2 GB of RAM really won't do. At least 4 GB, and the CPU needs more cores: 3 threads run the forwarding plane and 1 runs the control plane

Thanks, OP. Whether for hardware performance or software setup, it looks like I'll have to add another gateway server.