Share the Voluntary tunnel mode of L2tpexample.
分享一个关于l2tp 自主模式的案例
- In voluntary tunnel mode, on the other hand, remote access clients run L2TP software natively and function as the LAC in the L2TP connection model. The remote access client/LAC (referred to as the "LAC Client" in RFC 2661) connects to the LNS, and PPP frames are tunneled through the L2TP tunnel directly between the client and the LNS
自主模式,即用户通过本地客户端软件形式,即作为LAC 功能又行驶用户功能,通过ppp tunnel l2tp 模式,逻辑上直连LNS 的一种拨号模式。
区分于非自主模式:client--lac---lns 用户必须通过lac 来汇总用户拨号流量,此类模式更加简洁,但缺点在于对于lns 的流量压力即处理压力会增大。
如:非自主模式下lac 会进行ppp 的简短认证,认证成功后只发送一个short 的ppp 报文提供给LNS,LNS再做相关认证。
自主模式会处理全部的PPP报文认证。
The test environment ::
测试环境如下
1. PC : Windows 7
2. Router :isr4451
Router configuration:
路由器配置,即LNS配置案例:
The basic of the L2tp configuration :
vpdn enable
!
vpdn-group 1
! Default L2TPVPDN group
accept-dialin
protocoll2tp
virtual-template 1
no l2tp tunnelauthentication
l2tp tunneltimeout no-session 15
!
interfaceVirtual-Template1
ip unnumberedFastEthernet0/0
peer default ipaddress pool test
pppauthentication chap ms-chap ms-chap-v2
!
ip local pooltest 192.168.1.1
!
username jimi password 0 jimi
the IPsec configuration :
vpdn-group 1
l2tp security crypto-profilel2tp
crypto isakmp policy 1
encr 3des
authentication pre-share
group 14
crypto isakmp key markaddress 0.0.0.0
!
!
crypto ipsec transform-set l2tptrasformesp-3des esp-sha-hmac
mode transport
!
!
!
!
crypto map l2tpcryptomap 10 ipsec-isakmpprofile l2tp
set transform-set l2tptrasform
!
interface FastEthernet0/0
ip address 100.1.1.1 255.255.255.0
speed auto
duplex auto
cryptomap l2tpcryptomap
!
关于windows pc 作为客户端的拨号配置即设置:
Windows PCconfiguration:
这里的密钥指在IPsec 配置中所设置的key 即 关键字"mark".
The key is theisakmp key, which comes from the commands: “crypto isakmp key mark address 0.0.0.0 “
为什么需要在Windows L2tp 拨号中加入ipsec 加密的配置呢?因为Windows 拨号选项中只有l2tp/ipsec 配置。如其他用户拨号软件可以酌情对ipsec 进行调整。
Why we need to configuration the ipsec whenuse the window pc to act the LAC role?
When we start connection of the L2tp, thewindows PC will send the isakmp first. So we have to configuration the ipsec.
