cisco路由器L2TP VPN实验

来源：互联网发布：淘宝的vr眼镜有效果吗编辑：程序博客网时间：2024/05/16 10:45

文章写得很好，先在这里谢谢了。

网络拓朴：

VPN_Server路由器配置：

VPN_Server#shrun
Building configuration...

Currentconfiguration : 1513 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN_Server
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
aaa new-model
!
aaa authentication ppp defaultlocal
!
aaa session-id common
ip cef
!
vpdn enable
!
vpdn-group 1
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
username l2tp password 0 cisco
username cisco password 0 cisco
!
interface Loopback0
ip address 192.168.2.254255.255.255.0
!
interface Serial1/2
ip address 1.1.1.1 255.255.255.252
serialrestart-delay 0
!
interfaceVirtual-Template1
ip address 192.168.68.254 255.255.255.0
peer default ip address pool default
ppp authentication chap
!
ip local pool default 192.168.67.8192.168.67.100
ip route 0.0.0.0 0.0.0.0 1.1.1.2
no ip http server
no ip http secure-server
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password cisco
!
end

InterNet路由器配置：

InterNet#shrun
Building configuration...

Currentconfiguration : 620 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname InterNet
!
ip subnet-zero
!
interface FastEthernet0/0
ip address 3.3.3.1 255.255.255.252
duplex auto
speed auto
!
interface Serial1/0
ip address 1.1.1.2 255.255.255.252
serial restart-delay 0
!
ip classless
no ip http server
!
line con 0
line aux 0
line vty 0 4
!
end

为了防止成功拨上L2TPVPN后PC无法同时访问Internet可以通过以下方法避免：

把“在远程网络上使用默认网关”前面的勾去掉。

拨上后L2TPVPN接口的状态：

查看l2tp vpn状态：

VPN_Server#shl2tp

L2TP Tunnel andSession Information Total tunnels 1 sessions 1

LocID RemID RemoteName   State Remote Address Port SessionsL2TP Class/
                                                               VPDN Group
36200 23   revenco-f173fest   3.3.3.2        1701 1       1

LocID     RemID     TunID     Username,Intf/     State Last Chg UniqID
                                Vcid,Circuit
24        1         36200     l2tp,Vi2.1         est    00:14:5823

测试如下：

VPN成功拨上后接口信息：

PPP adapterl2tp:

       Connection-specific DNS Suffix . :
       Description . . . . . . . . . . . : WAN (PPP/SLIP)Interface
       Physical Address. . . . . . . . . : 00-53-45-00-00-00
       Dhcp Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : 192.168.67.9
       Subnet Mask . . . . . . . . . . . : 255.255.255.255
       Default Gateway . . . . . . . . . :

要访问VPN_ServerLoopback 0接口IP（192.168.2.254）需要增加路由：

route add 192.168.2.0 mask 255.255.255.0 192.168.67.9-p

注：如果ippool与远程LAN在同一网段，则不需要手工增加路由，可以直接访问。

C:\>ping 192.168.2.254

Pinging192.168.2.254 with 32 bytes of data:

Reply from192.168.2.254: bytes=32 time=168ms TTL=255
Reply from 192.168.2.254: bytes=32 time=35ms TTL=255
Reply from 192.168.2.254: bytes=32 time=22ms TTL=255
Reply from 192.168.2.254: bytes=32 time=24ms TTL=255

Ping statistics for192.168.2.254:
Packets:Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum =22ms, Maximum = 168ms, Average = 62ms

C:\>tracert 192.168.2.254

Tracing route to192.168.2.254 over a maximum of 30 hops

1 65ms 63ms 57ms 192.168.2.254

Trace complete.

DEBUG信息：

VPN_Server#debug l2tp event
L2TP events debugging is on
VPN_Server#
*Oct 16 15:55:55.850: L2X tnl   102424:_____: Createlogical tunnel
*Oct 16 15:55:55.850: L2TP tnl  102424:_____: Create tunnel
*Oct 16 15:55:55.854: L2TP tnl  102424:_____:    version set to V2
*Oct 16 15:55:55.858: L2TP tnl  102424:_____:    remote ip set to 3.3.3.2
*Oct 16 15:55:55.858: L2TP tnl  102424:_____:    local ip set to 1.1.1.1
*Oct 16 15:55:55.866: L2TP tnl  102424:16555: FSM-CC ev Rx-SCCRQ
*Oct 16 15:55:55.870: L2TP tnl  102424:16555:FSM-CC   Idle->Proc-SCCRQ
*Oct 16 15:55:55.874: L2TP tnl  102424:16555: FSM-CC do Rx-SCCRQ
*Oct 16 15:55:55.878:L2X       _____:_____: Tunnel author started for revenco-f173f1d
*Oct 16 15:55:55.918:L2X       _____:_____: Tunnel author found
*Oct 16 15:55:55.922: L2TP tnl  102424:16555: Author reply, data source: "1"
*Oct 16 15:55:55.926:L2X       _____:_____: class [AAA author, group "1"]
*Oct 16 15:55:55.926:L2X       _____:_____:   created
*Oct 16 15:55:55.930:L2X       _____:_____: class [AAA author, group "1"]
*Oct 16 15:55:55.934:L2X       _____:_____:   App locked0->1
*Oct 16 15:55:55.934:L2X       _____:_____: class [AAA author, group "1"]
*Oct 16 15:55:55.938:L2X       _____:_____:   Protocol locked0->1
*Oct 16 15:55:55.942: L2TP tnl  102424:16555:    class name AAA author, group "1"
*Oct 16 15:55:55.946:L2X       _____:_____: class [AAA author, group "1"]
*Oct 16 15:55:55.946:L2X       _____:_____:   App unlocked1->0
*Oct 16 15:55:55.950: L2TP tnl  102424:16555:    peer cap sync set
*Oct 16 15:55:55.954: L2TP tnl  102424:16555: FSM-CC ev SCCRQ-OK
*Oct 16 15:55:55.958: L2TP tnl  102424:16555:FSM-CC   Proc-SCCRQ->Wt-SCCCN
*Oct 16 15:55:55.958: L2TP tnl  102424:16555: FSM-CC do Tx-SCCRP
*Oct 16 15:55:55.966: L2TP tnl  102424:16555: Open sock1.1.1.1:1701->3.3.3.2:1701
*Oct 16 15:55:55.966: L2TP tnl  102424:16555: FSM-CC ev Sock-Ready
*Oct 16 15:55:55.970: L2TP tnl  102424:16555:FSM-CC    inWt-SCCCN
*Oct 16 15:55:55.970: L2TP tnl  102424:16555: FSM-CC do Ignore-Sock-Up
*Oct 16 15:55:56.082: L2TP tnl  102424:16555: FSM-CC ev Rx-SCCCN
*Oct 16 15:55:56.082: L2TP tnl  102424:16555:FSM-CC   Wt-SCCCN->Proc-SCCCN
*Oct 16 15:55:56.082: L2TP tnl  102424:16555: FSM-CC do Rx-SCCCN
*Oct 16 15:55:56.082: L2TP tnl  102424:16555: FSM-CC ev SCCCN-OK
*Oct 16 15:55:56.082: L2TP tnl  102424:16555:FSM-CC   Proc-SCCCN->established
*Oct 16 15:55:56.082: L2TP tnl  102424:16555: FSM-CC do Established
*Oct 16 15:55:56.082: L2TP tnl  102424:16555: Control channel up
*Oct 16 15:55:56.082: L2TP tnl  102424:16555:  1.1.1.1<->3.3.3.2
*Oct 16 15:55:56.094: L2X _____:_____:_____:Create logical session
*Oct 16 15:55:56.094: L2TP _____:_____:_____: Createsession
*Oct 16 15:55:56.094: L2TP_____:_____:_____:   Using ICRQFSM
*Oct 16 15:55:56.094: L2TP_____:_____:_____:    remote ip set to 3.3.3.2
*Oct 16 15:55:56.094: L2TP_____:_____:_____:    local ip set to 1.1.1.1
*Oct 16 15:55:56.094: L2TP tnl  102424:16555: FSM-CC ev Session-Conn
*Oct 16 15:55:56.094: L2TP tnl  102424:16555:FSM-CC    inestablished
*Oct 16 15:55:56.094: L2TP tnl  102424:16555: FSM-CC do Session-Conn-Est
*Oct 16 15:55:56.094: L2TP tnl  102424:16555:   Session count now1
*Oct 16 15:55:56.094: L2TP_____:102424:26   : FSM-Sn evCC-Up
*Oct 16 15:55:56.094: L2TP_____:102424:26   :FSM-Sn    inIdle
*Oct 16 15:55:56.094: L2TP_____:102424:26   : FSM-Sn doCC-Up-Ignore0-1
*Oct 16 15:55:56.094: L2TP_____:102424:26   : Sessionattached
*Oct 16 15:55:56.094: L2TP_____:102424:26   : no cookiesenabled
*Oct 16 15:55:56.094: L2TP_____:102424:26   : FSM-Sn evRx-ICRQ
*Oct 16 15:55:56.094: L2TP_____:102424:26   :FSM-Sn   Idle->Proc-ICRQ
*Oct 16 15:55:56.094: L2TP_____:102424:26   : FSM-Sn doRx-ICRQ
*Oct 16 15:55:56.094: L2TP_____:102424:26  :   Chose applicationVPDN
*Oct 16 15:55:56.094: L2TP_____:102424:26  :   App type set toVPDN
*Oct 16 15:55:56.094: L2TP tnl  102424:16555:   VPDN Sessioncount now 1
*Oct 16 15:55:56.094: L2TP_____:102424:26   : VPDN: processAVPs
*Oct 16 15:55:56.094: L2TP_____:102424:26   : Local AC isnow UP
*Oct 16 15:55:56.094: L2TP_____:102424:26   : Remote AC isnow UP
*Oct 16 15:55:56.094: L2TP_____:102424:26  :
*Oct 16 15:55:56.110: L2TP_____:102424:26  :   App type set toVPDN
*Oct 16 15:55:56.110: L2TP_____:102424:26  :   Session classname VPDN group1 ip addr 0.0.0.0
*Oct 16 15:55:56.114: L2TP_____:102424:26  :   UDP checksum ignore isenabled
*Oct 16 15:55:56.118: L2TP_____:102424:26  :   Framing set to sync
*Oct 16 15:55:56.118: L2TP_____:102424:26  :   Bearer set to none
*Oct 16 15:55:56.118: L2TP_____:102424:26  :   group set to "VPDN group 1 ipaddr 0.0.0.0"
*Oct 16 15:55:56.118: L2TP_____:102424:26   : FSM-Sn evICRQ-OK
*Oct 16 15:55:56.118: L2TP_____:102424:26   :FSM-Sn   Proc-ICRQ->Wt-Tx-ICRP
*Oct 16 15:55:56.118: L2TP_____:102424:26   : FSM-Sn doTx-ICRP-Local-Check
*Oct 16 15:55:56.118: L2TP_____:102424:26   : FSM-Sn evLocal-Cont
*Oct 16 15:55:56.118: L2TP_____:102424:26   :FSM-Sn   Wt-Tx-ICRP->Wt-Rx-ICCN
*Oct 16 15:55:56.118: L2TP_____:102424:26   : FSM-Sn doTx-ICRP
*Oct 16 15:55:56.118: L2TP_____:102424:26   : Open sock1.1.1.1:1701->3.3.3.2:1701
*Oct 16 15:55:56.118: L2TP_____:102424:26   : FSM-Sn evSock-Ready
*Oct 16 15:55:56.118: L2TP_____:102424:26   :FSM-Sn    inWt-Rx-ICCN
*Oct 16 15:55:56.118: L2TP_____:102424:26   : FSM-Sn doIgnore-Sock-Up
*Oct 16 15:55:56.122: L2TP_____:102424:26  :
*Oct 16 15:55:56.126: L2TP_____:102424:26   : FSM-Sn evDP-Setup
*Oct 16 15:55:56.126: L2TP_____:102424:26   :FSM-Sn    inWt-Rx-ICCN
*Oct 16 15:55:56.130: L2TP_____:102424:26   : FSM-Sn doIgnore-DP-Setup
*Oct 16 15:55:56.218: L2TP_____:102424:26   : FSM-Sn evRx-ICCN
*Oct 16 15:55:56.218: L2TP_____:102424:26   :FSM-Sn   Wt-Rx-ICCN->Proc-ICCN
*Oct 16 15:55:56.218: L2TP_____:102424:26   : FSM-Sn doRx-ICCN
*Oct 16 15:55:56.218: L2TP_____:102424:26  :   MTU is 65535
*Oct 16 15:55:56.218: L2TP_____:102424:26   : Session dataplane UP
*Oct 16 15:55:56.222: L2TP_____:102424:26   : VPDN: processAVPs
*Oct 16 15:55:56.226: L2TP_____:102424:26  :
*Oct 16 15:55:56.230: L2TP_____:102424:26   : FSM-Sn evICCN-OK
*Oct 16 15:55:56.234: L2TP_____:102424:26   :FSM-Sn   Proc-ICCN->established
*Oct 16 15:55:56.234: L2TP_____:102424:26   : FSM-Sn doEstablished
*Oct 16 15:55:56.242: L2TP_____:102424:26   : Sessionup
*Oct 16 15:55:56.246: L2TP_____:102424:26  :  1.1.1.1<->3.3.3.2
*Oct 16 15:55:56.654: L2TP_____:102424:26  :
*Oct 16 15:55:56.658:L2TP   25:102424:26   : FSM-Sn evDP-Setup
*Oct 16 15:55:56.666:L2TP   25:102424:26   :FSM-Sn    inestablished
*Oct 16 15:55:56.666:L2TP   25:102424:26   : FSM-Sn doDP-Set
*Oct 16 15:55:56.678:L2TP   25:102424:26  :
*Oct 16 15:55:56.778:L2TP   25:102424:26  :   App type set toVPDN
*Oct 16 15:55:56.782:L2TP   25:102424:26  :   Session classname VPDN group1 ip addr 0.0.0.0
*Oct 16 15:55:56.786:L2TP   25:102424:26  :   Framing set to sync
*Oct 16 15:55:56.786:L2TP   25:102424:26  :   Bearer set to none
*Oct 16 15:55:56.790:L2TP   25:102424:26  :   group set to "VPDN group 1 ipaddr 3.3.3.2"

如果要在InterNet路由器f0/0接口上启用ACL，要使L2TPVPN能成功拨通，则需要有一条下面的ACL：
InterNet#sh access-lists l2tp
Extended IP access list l2tp
permit udp any eq 1701 host 1.1.1.1 eq 1701 (249matches)

PPTP VPN和L2TPVPN配置一样，只是把Protocol改为PPTP，同时在InterNet路由器ACL中需要有下列条目：
InterNet#sh access-lists l2tp
Extended IP access list l2tp
permit tcp any host 1.1.1.1 eq 1723 (61 matches)
permit gre host 3.3.3.2 host 1.1.1.1 (105 matches)
InterNet#sh run interface f0/0
Building configuration...
Current configuration : 119 bytes
!
interface FastEthernet0/0
ip address 3.3.3.1 255.255.255.252
ip access-group l2tp in
duplex auto
speed auto
end

阅读全文

0 0

cisco路由器L2TP&nbsp;VPN实验

cisco路由器L2TP VPN实验