[Original] L2TP over IPSec Lab

255 views | 2020-1-9 12:37 | Personal category: security | System category: Sharing | L2TP, IPSec

1. Lab topology:

2. Lab configuration:

User/R1:
!
interface Serial0/0
 ip address negotiated
 encapsulation ppp
 serial restart-delay 0
 ppp chap hostname User@cisco.com
 ppp chap password 0 cisco
end

LAC/R2:
interface Serial0/0
 no ip address
 encapsulation ppp
 serial restart-delay 0
 ppp authentication chap pap
 ppp multilink
end
interface Serial0/1
 ip address 150.1.1.1 255.255.255.0
 serial restart-delay 0
end
vpdn enable
vpdn search-order domain dnis
vpdn-group 1
 request-dialin
  protocol l2tp
  domain cisco.com
 initiate-to ip 160.1.1.1 priority 1
 local name LAC
 l2tp tunnel password 0 cisco
router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 network 150.1.1.0 0.0.0.255 area 0


Internet/R3:
interface Serial0/0
 ip address 150.1.1.2 255.255.255.0
 serial restart-delay 0
interface Serial0/1
 ip address 160.1.1.2 255.255.255.0
 serial restart-delay 0
end
router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 network 150.1.1.0 0.0.0.255 area 0
 network 160.1.1.0 0.0.0.255 area 0


LNS/R4:
interface Serial0/0
 ip address 160.1.1.1 255.255.255.0
 serial restart-delay 0
end
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
end
router ospf 1
 router-id 4.4.4.4
 log-adjacency-changes
 network 160.1.1.0 0.0.0.255 area 0
vpdn enable
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname LAC
 source-ip 160.1.1.1
 l2tp tunnel password 0 cisco
interface Virtual-Template1
 ip unnumbered Loopback0
 peer default ip address pool default
 ppp authentication chap
end
ip local pool default 162.1.1.1 162.1.1.150


3. L2TP session establishment process

PPP session on the User side:

*Mar  1 00:35:34.323: %SYS-5-CONFIG_I: Configured from console by console

*Mar  1 00:35:35.631: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up

*Mar  1 00:35:35.635: Se0/0 PPP: Using default call direction

*Mar  1 00:35:35.635: Se0/0 PPP: Treating connection as a dedicated line

*Mar  1 00:35:35.639: Se0/0 PPP: Session handle[89000003] Session id[3]

*Mar  1 00:35:35.639: Se0/0 PPP: Phase is ESTABLISHING, Active Open

*Mar  1 00:35:35.639: Se0/0 PPP: Authorization required

*Mar  1 00:35:35.639: Se0/0 LCP: O CONFREQ [Closed] id 4 len 10

*Mar  1 00:35:35.639: Se0/0 LCP:    MagicNumber 0x002C9BC5 (0x0506002C9BC5)

*Mar  1 00:35:37.643: Se0/0 LCP: Timeout: State REQsent

*Mar  1 00:35:37.643: Se0/0 LCP: O CONFREQ [REQsent] id 5 len 10

*Mar  1 00:35:37.643: Se0/0 LCP:    MagicNumber 0x002C9BC5 (0x0506002C9BC5)

*Mar  1 00:35:37.747: Se0/0 LCP: I CONFREQ [REQsent] id 1 len 15

*Mar  1 00:35:37.747: Se0/0 LCP:    AuthProto CHAP (0x0305C22305)

*Mar  1 00:35:37.751: Se0/0 LCP:    MagicNumber 0x002D45B1 (0x0506002D45B1)

*Mar  1 00:35:37.751: Se0/0 LCP: O CONFACK [REQsent] id 1 len 15

*Mar  1 00:35:37.751: Se0/0 LCP:    AuthProto CHAP (0x0305C22305)

*Mar  1 00:35:37.755: Se0/0 LCP:    MagicNumber 0x002D45B1 (0x0506002D45B1)

*Mar  1 00:35:37.755: Se0/0 LCP: I CONFACK [ACKsent] id 5 len 10

*Mar  1 00:35:37.755: Se0/0 LCP:    MagicNumber 0x002C9BC5 (0x0506002C9BC5)

*Mar  1 00:35:37.759: Se0/0 LCP: State is Open

*Mar  1 00:35:37.759: Se0/0 PPP: No authorization without authentication

*Mar  1 00:35:37.759: Se0/0 PPP: Phase is AUTHENTICATING, by the peer

*Mar  1 00:35:37.919: Se0/0 CHAP: I CHALLENGE id 1 len 24 from "LNS"

*Mar  1 00:35:37.927: Se0/0 CHAP: Using hostname from interface CHAP

*Mar  1 00:35:37.927: Se0/0 CHAP: Using password from interface CHAP

*Mar  1 00:35:37.927: Se0/0 CHAP: O RESPONSE id 1 len 35 from "User@cisco.com"

*Mar  1 00:35:38.323: Se0/0 CHAP: I SUCCESS id 1 len 4

*Mar  1 00:35:38.323: Se0/0 PPP: Phase is FORWARDING, Attempting Forward

*Mar  1 00:35:38.327: Se0/0 PPP: Queue IPCP code[1] id[1]

*Mar  1 00:35:38.327: Se0/0 PPP: Phase is ESTABLISHING, Finish LCP

*Mar  1 00:35:38.331: Se0/0 PPP: Phase is UP

*Mar  1 00:35:38.331: Se0/0 IPCP: O CONFREQ [Closed] id 1 len 10

*Mar  1 00:35:38.331: Se0/0 IPCP:    Address 0.0.0.0 (0x030600000000)

*Mar  1 00:35:38.335: Se0/0 CDPCP: O CONFREQ [Closed] id 1 len 4

*Mar  1 00:35:38.335: Se0/0 PPP: Process pending ncp packets

*Mar  1 00:35:38.335: Se0/0 IPCP: Redirect packet to Se0/0

*Mar  1 00:35:38.335: Se0/0 IPCP: I CONFREQ [REQsent] id 1 len 10

*Mar  1 00:35:38.339: Se0/0 IPCP:    Address 4.4.4.4 (0x030604040404)

*Mar  1 00:35:38.339: Se0/0 IPCP: O CONFACK [REQsent] id 1 len 10

*Mar  1 00:35:38.339: Se0/0 IPCP:    Address 4.4.4.4 (0x030604040404)

*Mar  1 00:35:38.499: Se0/0 IPCP: I CONFNAK [ACKsent] id 1 len 10

*Mar  1 00:35:38.499: Se0/0 IPCP:    Address 162.1.1.1 (0x0306A2010101)

*Mar  1 00:35:38.499: Se0/0 IPCP: O CONFREQ [ACKsent] id 2 len 10

*Mar  1 00:35:38.503: Se0/0 IPCP:    Address 162.1.1.1 (0x0306A2010101)

*Mar  1 00:35:38.503: Se0/0 LCP: I PROTREJ [Open] id 2 len 10 protocol CDPCP (0x820701010004)

*Mar  1 00:35:38.503: Se0/0 CDPCP: State is Closed

*Mar  1 00:35:38.503: Se0/0 CDPCP: State is Listen

*Mar  1 00:35:38.615: Se0/0 IPCP: I CONFACK [ACKsent] id 2 len 10

*Mar  1 00:35:38.615: Se0/0 IPCP:    Address 162.1.1.1 (0x0306A2010101)

*Mar  1 00:35:38.615: Se0/0 IPCP: State is Open

*Mar  1 00:35:38.619: Se0/0 IPCP: Install negotiated IP interface address 162.1.1.1

*Mar  1 00:35:38.627: Se0/0 IPCP: Install route to 4.4.4.4

*Mar  1 00:35:39.327: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up


PPP and subsequent negotiation session on the LNS:

*Mar  1 00:36:17.071: Vi2.1 LCP: I CONFREQ [Open] id 4 len 10

*Mar  1 00:36:17.071: Vi2.1 LCP:    MagicNumber 0x002C9BC5 (0x0506002C9BC5)

*Mar  1 00:36:17.071: Vi2.1 PPP: Terminating bound session

*Mar  1 00:36:17.071: Vi2.1 PPP: Sending Acct Event[Reneg] id[5]

*Mar  1 00:36:17.075: Vi2.1 IPCP: State is Closed

*Mar  1 00:36:17.079: Vi2.1 PPP: Send Message[Renegotiate]

*Mar  1 00:36:17.083: Vi2.1 PPP: Phase is TERMINATING

*Mar  1 00:36:17.083: Vi2.1 LCP: State is Closed

*Mar  1 00:36:17.083: Vi2.1 PPP: Phase is DOWN

*Mar  1 00:36:17.087: Vi2.1 IPCP: Remove route to 162.1.1.1

*Mar  1 00:36:17.087: Vi2.1 Tnl/Sn 31878/2 L2TP: Unbinding session from idb

*Mar  1 00:36:17.091: Vi2.1 VPDN: Resetting interface

*Mar  1 00:36:17.095: uid:2 Tnl/Sn 31878/2 L2TP: Session state change from established to wait-for-service-selection-iccn

*Mar  1 00:36:17.131: ppp3 PPP: Send Message[Dynamic Bind Response]

*Mar  1 00:36:17.131: ppp3 PPP: Using vpn set call direction

*Mar  1 00:36:17.131: ppp3 PPP: Treating connection as a callin

*Mar  1 00:36:17.131: ppp3 PPP: Session handle[3A000005] Session id[3]

*Mar  1 00:36:17.135: ppp3 PPP: Phase is ESTABLISHING, Passive Open

*Mar  1 00:36:17.135: ppp3 LCP: State is Listen

*Mar  1 00:36:19.055: ppp3 LCP: I CONFREQ [Listen] id 5 len 10

*Mar  1 00:36:19.055: ppp3 LCP:    MagicNumber 0x002C9BC5 (0x0506002C9BC5)

*Mar  1 00:36:19.055: ppp3 PPP: Authorization required

*Mar  1 00:36:19.059: ppp3 LCP: O CONFREQ [Listen] id 1 len 15

*Mar  1 00:36:19.059: ppp3 LCP:    AuthProto CHAP (0x0305C22305)

*Mar  1 00:36:19.059: ppp3 LCP:    MagicNumber 0x002D45B1 (0x0506002D45B1)

*Mar  1 00:36:19.063: ppp3 LCP: O CONFACK [Listen] id 5 len 10

*Mar  1 00:36:19.063: ppp3 LCP:    MagicNumber 0x002C9BC5 (0x0506002C9BC5)

*Mar  1 00:36:19.223: ppp3 LCP: I CONFACK [ACKsent] id 1 len 15

*Mar  1 00:36:19.223: ppp3 LCP:    AuthProto CHAP (0x0305C22305)

*Mar  1 00:36:19.223: ppp3 LCP:    MagicNumber 0x002D45B1 (0x0506002D45B1)

*Mar  1 00:36:19.223: ppp3 LCP: State is Open

*Mar  1 00:36:19.223: ppp3 PPP: Phase is AUTHENTICATING, by this end

*Mar  1 00:36:19.223: ppp3 CHAP: O CHALLENGE id 1 len 24 from "LNS"

*Mar  1 00:36:19.351: ppp3 CHAP: I RESPONSE id 1 len 35 from "User@cisco.com"

*Mar  1 00:36:19.351: ppp3 PPP: Phase is FORWARDING, Attempting Forward

*Mar  1 00:36:19.355: ppp3 PPP: Phase is AUTHENTICATING, Unauthenticated User

*Mar  1 00:36:19.359: ppp3 PPP: Sent CHAP LOGIN Request

*Mar  1 00:36:19.363: ppp3 PPP: Received LOGIN Response PASS

*Mar  1 00:36:19.367: ppp3 PPP: Phase is FORWARDING, Attempting Forward

*Mar  1 00:36:19.367: ppp3 PPP: Send Message[Connect Local]

*Mar  1 00:36:19.379: uid:3 Tnl/Sn 31878/2 L2TP: Virtual interface created for User@cisco.com bandwidth 1544 Kbps

*Mar  1 00:36:19.379: Vi2.1 Tnl/Sn 31878/2 L2TP: Virtual interface created for User@cisco.com, bandwidth 1544 Kbps

*Mar  1 00:36:19.383: ppp3 PPP: Bind to [Virtual-Access2.1]

*Mar  1 00:36:19.383: Vi2.1 PPP: Send Message[Static Bind Response]

*Mar  1 00:36:19.391: Vi2.1 Tnl/Sn 31878/2 L2TP: Session state change from wait-for-service-selection-iccn to established

*Mar  1 00:36:19.391: Vi2.1 Tnl/Sn 31878/2 L2TP: VPDN session up

*Mar  1 00:36:19.399: Vi2.1 PPP: Phase is AUTHENTICATING, Authenticated User

*Mar  1 00:36:19.399: Vi2.1 PPP: Sent LCP AUTHOR Request

*Mar  1 00:36:19.403: Vi2.1 PPP: Sent IPCP AUTHOR Request

*Mar  1 00:36:19.407: Vi2.1 LCP: Received AAA AUTHOR Response PASS

*Mar  1 00:36:19.411: Vi2.1 IPCP: Received AAA AUTHOR Response PASS

*Mar  1 00:36:19.411: Vi2.1 CHAP: O SUCCESS id 1 len 4

*Mar  1 00:36:19.415: Vi2.1 PPP: Phase is UP

*Mar  1 00:36:19.415: Vi2.1 IPCP: O CONFREQ [Closed] id 1 len 10

*Mar  1 00:36:19.419: Vi2.1 IPCP:    Address 4.4.4.4 (0x030604040404)

*Mar  1 00:36:19.419: Vi2.1 PPP: Process pending ncp packets

*Mar  1 00:36:19.771: Vi2.1 IPCP: I CONFREQ [REQsent] id 1 len 10

*Mar  1 00:36:19.771: Vi2.1 IPCP:    Address 0.0.0.0 (0x030600000000)

*Mar  1 00:36:19.771: Vi2.1 AAA/AUTHOR/IPCP: Start.  Her address 0.0.0.0, we want 0.0.0.0

*Mar  1 00:36:19.775: Vi2.1 AAA/AUTHOR/IPCP: Done.  Her address 0.0.0.0, we want 0.0.0.0

*Mar  1 00:36:19.775: Vi2.1 IPCP: Pool returned 162.1.1.1

*Mar  1 00:36:19.775: Vi2.1 IPCP: O CONFNAK [REQsent] id 1 len 10

*Mar  1 00:36:19.779: Vi2.1 IPCP:    Address 162.1.1.1 (0x0306A2010101)

*Mar  1 00:36:19.779: Vi2.1 IPCP: I CONFACK [REQsent] id 1 len 10

*Mar  1 00:36:19.779: Vi2.1 IPCP:    Address 4.4.4.4 (0x030604040404)

*Mar  1 00:36:19.783: Vi2.1 CDPCP: I CONFREQ [Not negotiated] id 1 len 4

*Mar  1 00:36:19.783: Vi2.1 LCP: O PROTREJ [Open] id 2 len 10 protocol CDPCP (0x820701010004)

*Mar  1 00:36:19.911: Vi2.1 IPCP: I CONFREQ [ACKrcvd] id 2 len 10

*Mar  1 00:36:19.911: Vi2.1 IPCP:    Address 162.1.1.1 (0x0306A2010101)

*Mar  1 00:36:19.911: Vi2.1 IPCP: O CONFACK [ACKrcvd] id 2 len 10

*Mar  1 00:36:19.915: Vi2.1 IPCP:    Address 162.1.1.1 (0x0306A2010101)

*Mar  1 00:36:19.915: Vi2.1 IPCP: State is Open

*Mar  1 00:36:19.923: Vi2.1 IPCP: Install route to 162.1.1.1
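The CHAP exchange visible in both traces above (CHALLENGE len 24 from "LNS", RESPONSE len 35 from "User@cisco.com") rebuilt per RFC 1994, as an added example that is not code from the original post. It assumes a 16-byte challenge value, which is exactly what makes the packet lengths come out to 24 and 35 for these names, and uses the shared secret cisco from the configuration; it shows that only an MD5 digest, never the password, crosses the link, and that the LNS can only verify it because it holds the same secret.

```python
# Added example (not from the original post): CHAP per RFC 1994 with the names,
# identifier and secret used in this lab. Assumption: a 16-byte challenge value.
import hashlib
import hmac
import os
import struct

CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2


def chap_packet(code: int, ident: int, value: bytes, name: str) -> bytes:
    """Code | Identifier | Length | Value-Size | Value | Name (RFC 1994 section 4)."""
    body = bytes([len(value)]) + value + name.encode()
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_chap(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 5:
        raise ValueError("bad CHAP length")
    size = pkt[4]
    return code, ident, pkt[5:5 + size], pkt[5 + size:].decode()


def chap_hash(ident: int, secret: str, challenge: bytes) -> bytes:
    """Response value = MD5(Identifier || secret || Challenge value)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def peer_response(challenge_pkt: bytes, secret: str, name: str) -> bytes:
    """User side: answer with the digest; the secret itself never leaves the router."""
    _, ident, chal, _ = parse_chap(challenge_pkt)
    return chap_packet(CHAP_RESPONSE, ident, chap_hash(ident, secret, chal), name)


def authenticator_verify(challenge_pkt: bytes, response_pkt: bytes, secrets: dict) -> bool:
    """LNS side: recompute with the secret stored for the claimed name, constant-time compare."""
    _, cid, chal, _ = parse_chap(challenge_pkt)
    code, rid, value, name = parse_chap(response_pkt)
    if code != CHAP_RESPONSE or rid != cid or name not in secrets:
        return False
    return hmac.compare_digest(value, chap_hash(cid, secrets[name], chal))


def run_exchange(user_secret: str, lns_secret: str = "cisco", ident: int = 1):
    """One exchange: returns (challenge length, response length, authenticated?)."""
    challenge = chap_packet(CHAP_CHALLENGE, ident, os.urandom(16), "LNS")
    response = peer_response(challenge, user_secret, "User@cisco.com")
    ok = authenticator_verify(challenge, response, {"User@cisco.com": lns_secret})
    return len(challenge), len(response), ok
```

With the lab's secret on both ends `run_exchange("cisco")` yields (24, 35, True), the same lengths the debug prints; a mismatched secret gives the same lengths but False, which on the router would surface as a CHAP FAILURE instead of the SUCCESS seen above.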


LNS#debug vpdn event

VPDN events debugging is on

LNS#

*Mar  1 00:52:12.215: Vi2.1 VPDN: Resetting interface

LNS#

*Mar  1 00:52:14.371: uid:4 Tnl/Sn 31878/2 L2TP: Virtual interface created for User@cisco.com bandwidth 1544 Kbps

*Mar  1 00:52:14.371: Vi2.1 Tnl/Sn 31878/2 L2TP: Virtual interface created for User@cisco.com, bandwidth 1544 Kbps

*Mar  1 00:52:14.379: Vi2.1 Tnl/Sn 31878/2 L2TP: VPDN session up

With this, the User obtains an IP address:

User#sho ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
Serial0/0                  162.1.1.1       YES IPCP   up                    up
Serial0/1                  unassigned      YES unset  administratively down down
Serial0/2                  unassigned      YES unset  administratively down down
Serial0/3                  unassigned      YES unset  administratively down down

The established L2TP session can also be seen on the LAC and the LNS:

LAC#sho vpdn session

L2TP Session Information Total tunnels 1 sessions 1

LocID      RemID      TunID      Username, Intf/      State  Last Chg Uniq ID
                                 Vcid, Circuit
2          2          39819      User@cisco.co, Se0/0 est    00:24:29 1

LNS#sho vpdn session

%No active L2F tunnels

L2TP Session Information Total tunnels 1 sessions 1

LocID      RemID      TunID      Username, Intf/      State  Last Chg Uniq ID
                                 Vcid, Circuit
2          2          31878      User@cisco.co, Vi2.1 est    00:01:35 4


4. Adding IPSec on top of this

LAC:
LAC#sho run | s crypto
crypto isakmp policy 10
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco address 160.1.1.1
crypto ipsec transform-set Trans esp-des esp-md5-hmac
 mode transport
crypto map L2TP 10 ipsec-isakmp
 set peer 160.1.1.1
 set transform-set Trans
 match address 101
LAC#sho run int s0/1
Building configuration...

Current configuration : 104 bytes
!
interface Serial0/1
 ip address 150.1.1.1 255.255.255.0
 serial restart-delay 0
 crypto map L2TP
end
access-list 101 permit udp  host 150.1.1.1 eq 1701  host 160.1.1.1 eq 1701

LNS:
crypto isakmp policy 10
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco address 150.1.1.1
crypto ipsec transform-set Trans esp-des esp-md5-hmac
 mode transport
crypto map L2TP 10 ipsec-isakmp
 set peer 150.1.1.1
 set transform-set Trans
 match address 101
LNS#sho run int s0/0
Building configuration...

Current configuration : 104 bytes
!
interface Serial0/0
 ip address 160.1.1.1 255.255.255.0
 serial restart-delay 0
 crypto map L2TP
end
access-list 101 permit udp  host 160.1.1.1 eq 1701 host 150.1.1.1 eq 1701

This establishes an IPSec tunnel between the LAC and the LNS that encrypts the L2TP traffic and so protects its contents:

LAC#sho crypto engine connections active

  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt
   1 Serial0/1            150.1.1.1       set    HMAC_SHA+DES_56_CB        0        0
2001 Serial0/1            150.1.1.1       set    DES+MD5                   0       38
2002 Serial0/1            150.1.1.1       set    DES+MD5                  55        0

There is still a problem here: possibly because of the ACL, the User cannot reach the LNS!
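When the crypto ACLs are the suspect, the first thing to confirm is that the two peers' crypto ACLs are exact mirror images, which IOS requires for the proxy identities to agree. The checker below is an added example, not code from the post: it parses the four ACEs shown on this page (the LAC/LNS pair and the later User/LNS pair), confirms both pairs mirror, shows how dropping `eq 1701` on one side breaks that, and tests whether the L2TP flow between 150.1.1.1 and 160.1.1.1 is selected by the LAC's ACE. It understands only the single-line `permit <proto> host A [eq P] host B [eq P]` form used on the page (assumption).

```python
# Added example (not from the original post): sanity checks on the crypto ACLs
# shown above. Assumption: only the single-line 'permit <proto> host A [eq P]
# host B [eq P]' form that appears on this page is parsed.
import re
from typing import NamedTuple, Optional

ACE_RE = re.compile(
    r"access-list\s+(\d+)\s+permit\s+(\w+)\s+host\s+(\S+)(?:\s+eq\s+(\d+))?"
    r"\s+host\s+(\S+)(?:\s+eq\s+(\d+))?\s*$")

Ace = NamedTuple("Ace", [("acl", str), ("proto", str), ("src", str),
                         ("sport", Optional[int]), ("dst", str), ("dport", Optional[int])])

def parse_ace(line: str) -> Ace:
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line!r}")
    acl, proto, src, sp, dst, dp = m.groups()
    return Ace(acl, proto, src, int(sp) if sp else None, dst, int(dp) if dp else None)

def is_mirror(local: Ace, remote: Ace) -> bool:
    """IOS needs the peer's crypto ACE to be the exact mirror image (proxy IDs swapped)."""
    return (local.proto == remote.proto and local.src == remote.dst
            and local.dst == remote.src and local.sport == remote.dport
            and local.dport == remote.sport)

def selects(ace: Ace, proto: str, src: str, sport: int, dst: str, dport: int) -> bool:
    """Would this outbound flow be handed to IPSec by the crypto map's ACE?"""
    return (ace.proto in (proto, "ip") and ace.src == src and ace.dst == dst
            and ace.sport in (None, sport) and ace.dport in (None, dport))

# The four ACEs exactly as they appear on the page: LAC/LNS pair, then User/LNS pair
LAC_ACE = parse_ace("access-list 101 permit udp  host 150.1.1.1 eq 1701  host 160.1.1.1 eq 1701")
LNS_ACE = parse_ace("access-list 101 permit udp  host 160.1.1.1 eq 1701 host 150.1.1.1 eq 1701")
USER_ACE = parse_ace("access-list 101 permit ip host 162.1.1.1 host 4.4.4.4")
LNS2_ACE = parse_ace("access-list 101 permit ip host 4.4.4.4 host 162.1.1.1")
# Constructed slip for comparison: 'eq 1701' left off the source side on the LNS
BROKEN_LNS_ACE = parse_ace("access-list 101 permit udp host 160.1.1.1 host 150.1.1.1 eq 1701")

def report() -> dict:
    return {
        "lac_lns_mirror": is_mirror(LAC_ACE, LNS_ACE),
        "user_lns_mirror": is_mirror(USER_ACE, LNS2_ACE),
        "broken_pair_mirror": is_mirror(LAC_ACE, BROKEN_LNS_ACE),
        # L2TP control and data run over UDP 1701 between the tunnel endpoints
        "l2tp_selected_on_lac": selects(LAC_ACE, "udp", "150.1.1.1", 1701, "160.1.1.1", 1701),
    }
```

Both pairs on the page report as mirrored and the L2TP flow is selected, so a mirror error is not what this check finds in the configuration as shown.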

 

Remove the IPSec configuration from the LAC and LNS, and configure IPSec tunnel encryption between the User and the LNS instead:

User#sho run | s crypto
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 4.4.4.4
crypto ipsec transform-set Trans esp-des esp-md5-hmac
 mode transport
crypto map MAP 10 ipsec-isakmp
 set peer 4.4.4.4
 set transform-set Trans
 match address 101
 crypto map MAP
User#sho run |  s access
access-list 101 permit ip host 162.1.1.1 host 4.4.4.4
User#sho run int s0/0
Building configuration...

Current configuration : 170 bytes
!
interface Serial0/0
 ip address negotiated
 encapsulation ppp
 serial restart-delay 0
 ppp chap hostname User@cisco.com
 ppp chap password 0 cisco
 crypto map MAP

 

LNS#sho run |  s crypto
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 150.1.1.1
crypto isakmp key cisco address 162.1.1.1
crypto ipsec transform-set Trans esp-des esp-md5-hmac
 mode transport
crypto map L2TP 10 ipsec-isakmp
 set peer 150.1.1.1
 set transform-set Trans
 match address 101
crypto map MAP 10 ipsec-isakmp
 set peer 162.1.1.1
 set transform-set Trans
 match address 101
 crypto map MAP
LNS#sho run | s access
access-list 101 permit ip host 4.4.4.4 host 162.1.1.1
LNS#sho run int virtual-te1
Building configuration...

Current configuration : 139 bytes
!
interface Virtual-Template1
 ip unnumbered Loopback0
 peer default ip address pool default
 ppp authentication chap
 crypto map MAP
end

 

User#sho crypto engine  connections  active

  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt
   1 Serial0/0            162.1.1.1       set    HMAC_SHA+DES_56_CB        0        0
2001 Serial0/0            162.1.1.1       set    DES+MD5                   0        9
2002 Serial0/0            162.1.1.1       set    DES+MD5                   9        0
User#ping 4.4.4.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/127/180 ms
User#sho crypto engine  connections  active

  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt
   1 Serial0/0            162.1.1.1       set    HMAC_SHA+DES_56_CB        0        0
2001 Serial0/0            162.1.1.1       set    DES+MD5                   0       14
2002 Serial0/0            162.1.1.1       set    DES+MD5                  14        0

