Diagram:
Task: build an L2TP tunnel between an ESR router acting as the L2TP client and a Cisco-2811 router acting as the L2TP server.
ESR configuration example:
esr# show running-config
object-group service IKE
  port-range 500
  port-range 4500
exit
object-group service L2TP
  port-range 1701
exit
security zone trusted
exit
interface gigabitethernet 1/0/1
  security-zone trusted
  ip address 198.51.100.9/24
exit
tunnel l2tp 1
  security-zone trusted
  authentication method mschap-v2 username user password ascii-text encrypted 8CB5107EA7005AFF
  remote address 198.51.100.33
  ipsec authentication method pre-shared-key
  ipsec authentication pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
  ipsec ike proposal ike_prop
  ipsec proposal ipsec_prop
  enable
exit
security zone-pair trusted self
  rule 1
    action permit
    match protocol udp
    match destination-port L2TP
    enable
  exit
  rule 2
    action permit
    match protocol udp
    match destination-port IKE
    enable
  exit
  rule 3
    action permit
    match protocol esp
    enable
  exit
exit
security zone-pair trusted trusted
  rule 1
    action permit
    enable
  exit
exit
security ike proposal ike_prop
  authentication algorithm sha2-256
  encryption algorithm aes192
  dh-group 15
exit
security ipsec proposal ipsec_prop
  encryption algorithm aes128
exit
Cisco-2811 configuration example:
Router#show running-config
aaa new-model
!
aaa authentication ppp L2TP_SERVER_AUTH local
!
vpdn enable
!
vpdn-group L2TP
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
username user password 0 password
!
crypto isakmp policy 1
 encr aes 192
 hash sha256
 authentication pre-share
 group 15
crypto isakmp key password address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set L2TP_IPsec esp-aes esp-sha-hmac
 mode transport
!
crypto dynamic-map L2TP_dmap 10
 set nat demux
 set transform-set L2TP_IPsec
!
crypto map L2TP_map 10 ipsec-isakmp dynamic L2TP_dmap
!
!
!
interface Loopback1
 ip address 192.0.2.1 255.255.255.255
!
interface FastEthernet0/1
 ip address 198.51.100.33 255.255.255.0
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map L2TP_map
!
interface Virtual-Template1
 ip unnumbered Loopback1
 peer default ip address pool L2TP_pool
 ppp authentication ms-chap-v2 L2TP_SERVER_AUTH
!
ip local pool L2TP_pool 192.0.2.2 192.0.2.10
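The two configurations above only bring the tunnel up if both peers agree on the IKE phase-1 parameters (encryption, integrity, DH group, authentication method) and on the IPsec transform and mode, and the two vendors spell those parameters differently (aes192 versus encr aes 192, sha2-256 versus hash sha256, an implicit sha1 versus esp-sha-hmac). The script below is an added example, not part of the original page and not Eltex or Cisco tooling: it parses the crypto-relevant lines of both configurations as shown on this page and reports every mismatch. The keyword tables, the assumption that an ESR IPsec proposal without an explicit authentication algorithm uses sha1 (consistent with the status output shown later on this page), and the Cisco default of tunnel mode when no mode line is present are the script's own.

```python
"""Cross-check the ESR (L2TP client) and Cisco (L2TP server) configurations
from this page for IKE/IPsec parameter agreement. Added example, not Eltex or
Cisco tooling."""
import re

# Constructed input: the crypto-relevant lines of the two configurations on
# this page, indented the way the routers print them in show running-config.
ESR_CONFIG = """\
tunnel l2tp 1
  ipsec authentication method pre-shared-key
  ipsec ike proposal ike_prop
  ipsec proposal ipsec_prop
exit
security ike proposal ike_prop
  authentication algorithm sha2-256
  encryption algorithm aes192
  dh-group 15
exit
security ipsec proposal ipsec_prop
  encryption algorithm aes128
exit
"""
CISCO_CONFIG = """\
crypto isakmp policy 1
 encr aes 192
 hash sha256
 authentication pre-share
 group 15
crypto ipsec transform-set L2TP_IPsec esp-aes esp-sha-hmac
 mode transport
"""
# Cisco keywords mapped to the names ESR uses for the same algorithms (own table).
CISCO_ENC = {"aes": "aes128", "aes 192": "aes192", "aes 256": "aes256", "3des": "3des"}
CISCO_HASH = {"sha": "sha1", "sha256": "sha2-256", "sha384": "sha2-384", "md5": "md5"}
ESP_ENC = {"esp-aes": "aes128", "esp-aes 192": "aes192", "esp-aes 256": "aes256", "esp-3des": "3des"}
ESP_AUTH = {"esp-sha-hmac": "sha1", "esp-sha256-hmac": "sha2-256", "esp-md5-hmac": "md5"}


def esr_section(text, header):
    """Stripped body lines of the ESR block opened by `header`; the matching
    'exit' is the one at the header's own indentation (nested blocks keep theirs)."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == header:
            depth, body = len(line) - len(line.lstrip()), []
            for nxt in lines[i + 1:]:
                if nxt.strip() == "exit" and len(nxt) - len(nxt.lstrip()) == depth:
                    return body
                body.append(nxt.strip())
    return []


def value(lines, prefix, default=None):
    """The remainder of the first line starting with `prefix`, or `default`."""
    return next((l[len(prefix):].strip() for l in lines if l.startswith(prefix)), default)


def parse_esr(text):
    # The tunnel names its proposals; resolve them to the proposal blocks.
    tun = esr_section(text, "tunnel l2tp 1")
    ike = esr_section(text, "security ike proposal " + value(tun, "ipsec ike proposal"))
    ipsec = esr_section(text, "security ipsec proposal " + value(tun, "ipsec proposal"))
    return {"ike": {"enc": value(ike, "encryption algorithm"),
                    "auth": value(ike, "authentication algorithm"),
                    "dh": int(value(ike, "dh-group"))},
            # Assumption, consistent with the page's 'show security ipsec vpn status'
            # output: an ESR IPsec proposal with no authentication algorithm uses sha1.
            "ipsec": {"enc": value(ipsec, "encryption algorithm"),
                      "auth": value(ipsec, "authentication algorithm", "sha1")},
            "psk": "ipsec authentication method pre-shared-key" in tun}


def parse_cisco(text):
    pol = [l.strip() for l in re.search(r"^crypto isakmp policy \d+\n((?: .*\n)+)", text, re.M)
           .group(1).splitlines()]
    ts = re.search(r"^crypto ipsec transform-set \S+ (.*)\n((?: .*\n)*)", text, re.M)
    transforms = re.findall(r"esp-\S+(?: \d+)?", ts.group(1))  # "esp-aes 192" keeps its key size
    return {"ike": {"enc": CISCO_ENC[value(pol, "encr")], "auth": CISCO_HASH[value(pol, "hash")],
                    "dh": int(value(pol, "group"))},
            "ipsec": {"enc": next(ESP_ENC[t] for t in transforms if t in ESP_ENC),
                      "auth": next(ESP_AUTH[t] for t in transforms if t in ESP_AUTH),
                      # Cisco default when the transform-set has no mode line (assumption).
                      "mode": value([l.strip() for l in ts.group(2).splitlines()], "mode", "tunnel")},
            "psk": value(pol, "authentication") == "pre-share"}


def compare(esr, cisco):
    """List of mismatches; an empty list means the two peers agree."""
    problems = [f"{ph} {k}: ESR {esr[ph][k]} vs Cisco {cisco[ph].get(k)}"
                for ph in ("ike", "ipsec") for k in esr[ph] if esr[ph][k] != cisco[ph].get(k)]
    if cisco["ipsec"]["mode"] != "transport":
        problems.append("Cisco transform-set is not 'mode transport' (the page's tunnel uses transport mode)")
    if esr["psk"] != cisco["psk"]:
        problems.append("IKE authentication method differs (pre-shared key expected on both sides)")
    return problems


if __name__ == "__main__":
    for line in compare(parse_esr(ESR_CONFIG), parse_cisco(CISCO_CONFIG)) or ["OK: both sides agree"]:
        print(line)
```

Run it with python3: for the configuration on this page it prints OK; change hash sha256 to hash sha on the Cisco side, or drop the mode transport line, and it names the parameter that no longer matches, which is the first thing to look for when the status commands further down show the IKE SA stuck short of Established.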
Operational status output on the ESR side with the L2TP tunnel established:
esr# show tunnels status
Tunnel           Admin  Link   MTU     Local IP          Remote IP         Last change
                 state  state
---------------- ----- ----- ------ ---------------- ---------------- -------------------------
l2tp 1           Up     Up     1500    192.0.2.3         192.0.2.1         25 minutes and 48 seconds
esr# show security ipsec vpn status
Name                            Local host      Remote host     Initiator spi      Responder spi      State
------------------------------- --------------- --------------- ------------------ ------------------ -----------
l2tp_1(L2TP)                    198.51.100.9    198.51.100.33   0xe5f556c53c1ab8b4 0x7ad68586ac74208a Established
esr# show security ipsec vpn status l2tp_1
Currently active IKE SA:
    Name: l2tp_1(L2TP)
    State: Established
    Version: v1-only
    Unique ID: 2
    Local host: 198.51.100.9
    Remote host: 198.51.100.33
    Role: Initiator
    Initiator spi: 0xe5f556c53c1ab8b4
    Responder spi: 0x7ad68586ac74208a
    Encryption algorithm: aes192
    Authentication algorithm: sha2-256
    Diffie-Hellman group: 15
    Established: 28 minutes and 51 seconds ago
    Rekey time: 28 minutes and 51 seconds
    Reauthentication time: 28 minutes and 51 seconds
    Child IPsec SAs:
        Name: l2tp_1-2(L2TP)
        State: Installed
        Protocol: esp
        Mode: Transport
        Encryption algorithm: aes128
        Authentication algorithm: sha1
        Rekey time: 28 minutes and 51 seconds
        Life time: 28 minutes and 51 seconds
        Established: 28 minutes and 51 seconds ago
        Traffic statistics:
            Input bytes: 11619
            Output bytes: 11176
            Input packets: 387
            Output packets: 386
-------------------------------------------------------------
Operational status output on the Cisco-2811 side with the L2TP tunnel established:
Router#show vpdn tunnel l2tp
L2TP Tunnel Information Total tunnels 1 sessions 1

LocTunID   RemTunID   Remote Name   State  Remote Address  Sessn  L2TP Class/
                                                           Count  VPDN Group
23511      6041       esr-21        est    198.51.100.9    1      L2TP
Router#show crypto ipsec sa
interface: FastEthernet0/1
    Crypto map tag: L2TP_map, local addr 198.51.100.33

   protected vrf: (none)
   local ident (addr/mask/prot/port): (198.51.100.33/255.255.255.255/17/1701)
   remote ident (addr/mask/prot/port): (198.51.100.9/255.255.255.255/17/0)
   current_peer 198.51.100.9 port 500
     PERMIT, flags={}
    #pkts encaps: 316, #pkts encrypt: 316, #pkts digest: 316
    #pkts decaps: 315, #pkts decrypt: 315, #pkts verify: 315
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 198.51.100.33, remote crypto endpt.: 198.51.100.9
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0xC2AB5810(3266009104)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x4FBAC0CD(1337639117)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: FPGA:1, sibling_flags 80000006, crypto map: L2TP_map
        sa timing: remaining key lifetime (k/sec): (4420342/2204)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC2AB5810(3266009104)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: FPGA:2, sibling_flags 80000006, crypto map: L2TP_map
        sa timing: remaining key lifetime (k/sec): (4420340/2204)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas: