User/R1:
!
interface Serial0/0
ip address negotiated
encapsulation ppp
serial restart-delay 0
ppp chap hostname User@cisco.com
ppp chap password 0 cisco
end
LAC/R2:
interface Serial0/0
no ip address
encapsulation ppp
serial restart-delay 0
ppp authentication chap pap
ppp multilink
end
interface Serial0/1
ip address 150.1.1.1 255.255.255.0
serial restart-delay 0
end
vpdn enable
vpdn search-order domain dnis
vpdn-group 1
request-dialin
protocol l2tp
domain cisco.com
initiate-to ip 160.1.1.1 priority 1
local name LAC
l2tp tunnel password 0 cisco
router ospf 1
router-id 2.2.2.2
log-adjacency-changes
network 150.1.1.0 0.0.0.255 area 0
Internet/R3:
interface Serial0/0
ip address 150.1.1.2 255.255.255.0
serial restart-delay 0
interface Serial0/1
ip address 160.1.1.2 255.255.255.0
serial restart-delay 0
end
router ospf 1
router-id 3.3.3.3
log-adjacency-changes
network 150.1.1.0 0.0.0.255 area 0
network 160.1.1.0 0.0.0.255 area 0
LNS/R4:
interface Serial0/0
ip address 160.1.1.1 255.255.255.0
serial restart-delay 0
end
interface Loopback0
ip address 4.4.4.4 255.255.255.255
end
router ospf 1
router-id 4.4.4.4
log-adjacency-changes
network 160.1.1.0 0.0.0.255 area 0
vpdn enable
vpdn-group 1
accept-dialin
protocol l2tp
virtual-template 1
terminate-from hostname LAC
source-ip 160.1.1.1
l2tp tunnel password 0 cisco
interface Virtual-Template1
ip unnumbered Loopback0
peer default ip address pool default
ppp authentication chap
end
ip local pool default 162.1.1.1 162.1.1.150
PPP session on User:
*Mar 1 00:35:34.323: %SYS-5-CONFIG_I: Configured from console by console
*Mar 1 00:35:35.631: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
*Mar 1 00:35:35.635: Se0/0 PPP: Using default call direction
*Mar 1 00:35:35.635: Se0/0 PPP: Treating connection as a dedicated line
*Mar 1 00:35:35.639: Se0/0 PPP: Session handle[89000003] Session id[3]
*Mar 1 00:35:35.639: Se0/0 PPP: Phase is ESTABLISHING, Active Open
*Mar 1 00:35:35.639: Se0/0 PPP: Authorization required
*Mar 1 00:35:35.639: Se0/0 LCP: O CONFREQ [Closed] id 4 len 10
*Mar 1 00:35:35.639: Se0/0 LCP: MagicNumber 0x002C9BC5 (0x0506002C9BC5)
*Mar 1 00:35:37.643: Se0/0 LCP: Timeout: State REQsent
*Mar 1 00:35:37.643: Se0/0 LCP: O CONFREQ [REQsent] id 5 len 10
*Mar 1 00:35:37.643: Se0/0 LCP: MagicNumber 0x002C9BC5 (0x0506002C9BC5)
*Mar 1 00:35:37.747: Se0/0 LCP: I CONFREQ [REQsent] id 1 len 15
*Mar 1 00:35:37.747: Se0/0 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 00:35:37.751: Se0/0 LCP: MagicNumber 0x002D45B1 (0x0506002D45B1)
*Mar 1 00:35:37.751: Se0/0 LCP: O CONFACK [REQsent] id 1 len 15
*Mar 1 00:35:37.751: Se0/0 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 00:35:37.755: Se0/0 LCP: MagicNumber 0x002D45B1 (0x0506002D45B1)
*Mar 1 00:35:37.755: Se0/0 LCP: I CONFACK [ACKsent] id 5 len 10
*Mar 1 00:35:37.755: Se0/0 LCP: MagicNumber 0x002C9BC5 (0x0506002C9BC5)
*Mar 1 00:35:37.759: Se0/0 LCP: State is Open
*Mar 1 00:35:37.759: Se0/0 PPP: No authorization without authentication
*Mar 1 00:35:37.759: Se0/0 PPP: Phase is AUTHENTICATING, by the peer
*Mar 1 00:35:37.919: Se0/0 CHAP: I CHALLENGE id 1 len 24 from "LNS"
*Mar 1 00:35:37.927: Se0/0 CHAP: Using hostname from interface CHAP
*Mar 1 00:35:37.927: Se0/0 CHAP: Using password from interface CHAP
*Mar 1 00:35:37.927: Se0/0 CHAP: O RESPONSE id 1 len 35 from "User@cisco.com"
*Mar 1 00:35:38.323: Se0/0 CHAP: I SUCCESS id 1 len 4
*Mar 1 00:35:38.323: Se0/0 PPP: Phase is FORWARDING, Attempting Forward
*Mar 1 00:35:38.327: Se0/0 PPP: Queue IPCP code[1] id[1]
*Mar 1 00:35:38.327: Se0/0 PPP: Phase is ESTABLISHING, Finish LCP
*Mar 1 00:35:38.331: Se0/0 PPP: Phase is UP
*Mar 1 00:35:38.331: Se0/0 IPCP: O CONFREQ [Closed] id 1 len 10
*Mar 1 00:35:38.331: Se0/0 IPCP: Address 0.0.0.0 (0x030600000000)
*Mar 1 00:35:38.335: Se0/0 CDPCP: O CONFREQ [Closed] id 1 len 4
*Mar 1 00:35:38.335: Se0/0 PPP: Process pending ncp packets
*Mar 1 00:35:38.335: Se0/0 IPCP: Redirect packet to Se0/0
*Mar 1 00:35:38.335: Se0/0 IPCP: I CONFREQ [REQsent] id 1 len 10
*Mar 1 00:35:38.339: Se0/0 IPCP: Address 4.4.4.4 (0x030604040404)
*Mar 1 00:35:38.339: Se0/0 IPCP: O CONFACK [REQsent] id 1 len 10
*Mar 1 00:35:38.339: Se0/0 IPCP: Address 4.4.4.4 (0x030604040404)
*Mar 1 00:35:38.499: Se0/0 IPCP: I CONFNAK [ACKsent] id 1 len 10
*Mar 1 00:35:38.499: Se0/0 IPCP: Address 162.1.1.1 (0x0306A2010101)
*Mar 1 00:35:38.499: Se0/0 IPCP: O CONFREQ [ACKsent] id 2 len 10
*Mar 1 00:35:38.503: Se0/0 IPCP: Address 162.1.1.1 (0x0306A2010101)
*Mar 1 00:35:38.503: Se0/0 LCP: I PROTREJ [Open] id 2 len 10 protocol CDPCP (0x820701010004)
*Mar 1 00:35:38.503: Se0/0 CDPCP: State is Closed
*Mar 1 00:35:38.503: Se0/0 CDPCP: State is Listen
*Mar 1 00:35:38.615: Se0/0 IPCP: I CONFACK [ACKsent] id 2 len 10
*Mar 1 00:35:38.615: Se0/0 IPCP: Address 162.1.1.1 (0x0306A2010101)
*Mar 1 00:35:38.615: Se0/0 IPCP: State is Open
*Mar 1 00:35:38.619: Se0/0 IPCP: Install negotiated IP interface address 162.1.1.1
*Mar 1 00:35:38.627: Se0/0 IPCP: Install route to 4.4.4.4
*Mar 1 00:35:39.327: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
PPP session and subsequent negotiation on the LNS:
*Mar 1 00:36:17.071: Vi2.1 LCP: I CONFREQ [Open] id 4 len 10
*Mar 1 00:36:17.071: Vi2.1 LCP: MagicNumber 0x002C9BC5 (0x0506002C9BC5)
*Mar 1 00:36:17.071: Vi2.1 PPP: Terminating bound session
*Mar 1 00:36:17.071: Vi2.1 PPP: Sending Acct Event[Reneg] id[5]
*Mar 1 00:36:17.075: Vi2.1 IPCP: State is Closed
*Mar 1 00:36:17.079: Vi2.1 PPP: Send Message[Renegotiate]
*Mar 1 00:36:17.083: Vi2.1 PPP: Phase is TERMINATING
*Mar 1 00:36:17.083: Vi2.1 LCP: State is Closed
*Mar 1 00:36:17.083: Vi2.1 PPP: Phase is DOWN
*Mar 1 00:36:17.087: Vi2.1 IPCP: Remove route to 162.1.1.1
*Mar 1 00:36:17.087: Vi2.1 Tnl/Sn 31878/2 L2TP: Unbinding session from idb
*Mar 1 00:36:17.091: Vi2.1 VPDN: Resetting interface
*Mar 1 00:36:17.095: uid:2 Tnl/Sn 31878/2 L2TP: Session state change from established to wait-for-service-selection-iccn
*Mar 1 00:36:17.131: ppp3 PPP: Send Message[Dynamic Bind Response]
*Mar 1 00:36:17.131: ppp3 PPP: Using vpn set call direction
*Mar 1 00:36:17.131: ppp3 PPP: Treating connection as a callin
*Mar 1 00:36:17.131: ppp3 PPP: Session handle[3A000005] Session id[3]
*Mar 1 00:36:17.135: ppp3 PPP: Phase is ESTABLISHING, Passive Open
*Mar 1 00:36:17.135: ppp3 LCP: State is Listen
*Mar 1 00:36:19.055: ppp3 LCP: I CONFREQ
*Mar 1 00:36:19.055: ppp3 LCP: MagicNumber 0x002C9BC5 (0x0506002C9BC5)
*Mar 1 00:36:19.055: ppp3 PPP: Authorization required
*Mar 1 00:36:19.059: ppp3 LCP: O CONFREQ
*Mar 1 00:36:19.059: ppp3 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 00:36:19.059: ppp3 LCP: MagicNumber 0x002D45B1 (0x0506002D45B1)
*Mar 1 00:36:19.063: ppp3 LCP: O CONFACK
*Mar 1 00:36:19.063: ppp3 LCP: MagicNumber 0x002C9BC5 (0x0506002C9BC5)
*Mar 1 00:36:19.223: ppp3 LCP: I CONFACK [ACKsent] id 1 len 15
*Mar 1 00:36:19.223: ppp3 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 00:36:19.223: ppp3 LCP: MagicNumber 0x002D45B1 (0x0506002D45B1)
*Mar 1 00:36:19.223: ppp3 LCP: State is Open
*Mar 1 00:36:19.223: ppp3 PPP: Phase is AUTHENTICATING, by this end
*Mar 1 00:36:19.223: ppp3 CHAP: O CHALLENGE id 1 len 24 from "LNS"
*Mar 1 00:36:19.351: ppp3 CHAP: I RESPONSE id 1 len 35 from "User@cisco.com"
*Mar 1 00:36:19.351: ppp3 PPP: Phase is FORWARDING, Attempting Forward
*Mar 1 00:36:19.355: ppp3 PPP: Phase is AUTHENTICATING, Unauthenticated User
*Mar 1 00:36:19.359: ppp3 PPP: Sent CHAP LOGIN Request
*Mar 1 00:36:19.363: ppp3 PPP: Received LOGIN Response PASS
*Mar 1 00:36:19.367: ppp3 PPP: Phase is FORWARDING, Attempting Forward
*Mar 1 00:36:19.367: ppp3 PPP: Send Message[Connect Local]
*Mar 1 00:36:19.379: uid:3 Tnl/Sn 31878/2 L2TP: Virtual interface created for User@cisco.com bandwidth 1544 Kbps
*Mar 1 00:36:19.379: Vi2.1 Tnl/Sn 31878/2 L2TP: Virtual interface created for User@cisco.com, bandwidth 1544 Kbps
*Mar 1 00:36:19.383: ppp3 PPP: Bind to [Virtual-Access2.1]
*Mar 1 00:36:19.383: Vi2.1 PPP: Send Message[Static Bind Response]
*Mar 1 00:36:19.391: Vi2.1 Tnl/Sn 31878/2 L2TP: Session state change from wait-for-service-selection-iccn to established
*Mar 1 00:36:19.391: Vi2.1 Tnl/Sn 31878/2 L2TP: VPDN session up
*Mar 1 00:36:19.399: Vi2.1 PPP: Phase is AUTHENTICATING, Authenticated User
*Mar 1 00:36:19.399: Vi2.1 PPP: Sent LCP AUTHOR Request
*Mar 1 00:36:19.403: Vi2.1 PPP: Sent IPCP AUTHOR Request
*Mar 1 00:36:19.407: Vi2.1 LCP: Received AAA AUTHOR Response PASS
*Mar 1 00:36:19.411: Vi2.1 IPCP: Received AAA AUTHOR Response PASS
*Mar 1 00:36:19.411: Vi2.1 CHAP: O SUCCESS id 1 len 4
*Mar 1 00:36:19.415: Vi2.1 PPP: Phase is UP
*Mar 1 00:36:19.415: Vi2.1 IPCP: O CONFREQ [Closed] id 1 len 10
*Mar 1 00:36:19.419: Vi2.1 IPCP: Address 4.4.4.4 (0x030604040404)
*Mar 1 00:36:19.419: Vi2.1 PPP: Process pending ncp packets
*Mar 1 00:36:19.771: Vi2.1 IPCP: I CONFREQ [REQsent] id 1 len 10
*Mar 1 00:36:19.771: Vi2.1 IPCP: Address 0.0.0.0 (0x030600000000)
*Mar 1 00:36:19.771: Vi2.1 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.0, we want 0.0.0.0
*Mar 1 00:36:19.775: Vi2.1 AAA/AUTHOR/IPCP: Done. Her address 0.0.0.0, we want 0.0.0.0
*Mar 1 00:36:19.775: Vi2.1 IPCP: Pool returned 162.1.1.1
*Mar 1 00:36:19.775: Vi2.1 IPCP: O CONFNAK [REQsent] id 1 len 10
*Mar 1 00:36:19.779: Vi2.1 IPCP: Address 162.1.1.1 (0x0306A2010101)
*Mar 1 00:36:19.779: Vi2.1 IPCP: I CONFACK [REQsent] id 1 len 10
*Mar 1 00:36:19.779: Vi2.1 IPCP: Address 4.4.4.4 (0x030604040404)
*Mar 1 00:36:19.783: Vi2.1 CDPCP: I CONFREQ [Not negotiated] id 1 len 4
*Mar 1 00:36:19.783: Vi2.1 LCP: O PROTREJ [Open] id 2 len 10 protocol CDPCP (0x820701010004)
*Mar 1 00:36:19.911: Vi2.1 IPCP: I CONFREQ [ACKrcvd] id 2 len 10
*Mar 1 00:36:19.911: Vi2.1 IPCP: Address 162.1.1.1 (0x0306A2010101)
*Mar 1 00:36:19.911: Vi2.1 IPCP: O CONFACK [ACKrcvd] id 2 len 10
*Mar 1 00:36:19.915: Vi2.1 IPCP: Address 162.1.1.1 (0x0306A2010101)
*Mar 1 00:36:19.915: Vi2.1 IPCP: State is Open
*Mar 1 00:36:19.923: Vi2.1 IPCP: Install route to 162.1.1.1
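The CHAP exchange in the two traces above (LCP negotiates Auth-Protocol 0xC223 with algorithm 5, i.e. CHAP with MD5; then "CHALLENGE id 1 len 24 from LNS", "RESPONSE id 1 len 35 from User@cisco.com", "SUCCESS id 1 len 4") follows RFC 1994: the response value is MD5 over the identifier, the shared secret and the challenge value, and the authenticator recomputes that digest from its own copy of the secret. The Python below is an added example, not code from the original page or from Cisco IOS. It builds the three packets, verifies a response the way the LNS does, and checks that the packet lengths come out exactly as in the debug output (4-byte header + 1-byte Value-Size + 16-byte value + the Name). The 16-byte challenge value and the secret database are constructed; the names and the lab secret "cisco" are the ones on the page.

```python
"""Added example: the RFC 1994 CHAP exchange seen in the PPP debug traces."""
import hashlib
import hmac
import os
import struct

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length (network byte order)


def _packet(code, identifier, body=b""):
    return HEADER.pack(code, identifier, HEADER.size + len(body)) + body


def build_challenge(identifier, challenge, name):
    """Authenticator -> peer: Value-Size, random Value, authenticator's Name."""
    return _packet(CHALLENGE, identifier, bytes([len(challenge)]) + challenge + name.encode())


def chap_digest(identifier, secret, challenge):
    """RFC 1994 section 4.1: MD5 over Identifier || secret || Challenge Value."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def build_response(identifier, challenge, secret, name):
    """Peer -> authenticator: Value-Size 16, the digest, and the peer's Name."""
    digest = chap_digest(identifier, secret, challenge)
    return _packet(RESPONSE, identifier, bytes([len(digest)]) + digest + name.encode())


def parse_chap(packet):
    """Split a CHAP packet into its fields; rejects a Length that disagrees with the size."""
    code, identifier, length = HEADER.unpack_from(packet)
    if length != len(packet):
        raise ValueError("CHAP length field does not match packet size")
    fields = {"code": code, "identifier": identifier, "length": length}
    if code in (CHALLENGE, RESPONSE):
        size = packet[4]
        fields["value"] = packet[5:5 + size]
        fields["name"] = packet[5 + size:].decode()
    else:
        fields["message"] = packet[4:].decode(errors="replace")
    return fields


def verify_response(challenge_pkt, response_pkt, secrets):
    """Authenticator side: look up the peer's secret by Name, recompute the digest,
    compare in constant time, answer SUCCESS or FAILURE (len 4, no message)."""
    ch, rs = parse_chap(challenge_pkt), parse_chap(response_pkt)
    secret = secrets.get(rs.get("name"))
    ok = (
        rs["code"] == RESPONSE
        and rs["identifier"] == ch["identifier"]
        and secret is not None
        and hmac.compare_digest(chap_digest(rs["identifier"], secret, ch["value"]), rs["value"])
    )
    return _packet(SUCCESS if ok else FAILURE, rs["identifier"])


def run_exchange(secrets, peer_name, peer_secret, identifier=1, challenge=None):
    """Drive one exchange; returns (challenge length, response length, result code)."""
    challenge = os.urandom(16) if challenge is None else challenge  # constructed value
    ch = build_challenge(identifier, challenge, "LNS")
    rs = build_response(identifier, challenge, peer_secret, peer_name)
    result = verify_response(ch, rs, secrets)
    return len(ch), len(rs), parse_chap(result)["code"]


if __name__ == "__main__":
    db = {"User@cisco.com": "cisco"}  # constructed secret store holding the page's lab secret
    print(run_exchange(db, "User@cisco.com", "cisco"))  # (24, 35, 3): the lengths in the debug
    print(run_exchange(db, "User@cisco.com", "wrong"))  # (24, 35, 4): FAILURE
```

Because the authenticator has to recompute the digest, the CHAP secret must be stored in recoverable form on the router (which is why `ppp chap password 0 cisco` sits in the configuration as cleartext), and the challenge and response both cross the access link in the clear. The secret's strength and protection of the link are therefore what guard it, which is the job the IPsec configuration later on this page takes on.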
LNS#debug vpdn event
VPDN events debugging is on
LNS#
*Mar 1 00:52:12.215: Vi2.1 VPDN: Resetting interface
LNS#
*Mar 1 00:52:14.371: uid:4 Tnl/Sn 31878/2 L2TP: Virtual interface created for User@cisco.com bandwidth 1544 Kbps
*Mar 1 00:52:14.371: Vi2.1 Tnl/Sn 31878/2 L2TP: Virtual interface created for User@cisco.com, bandwidth 1544 Kbps
*Mar 1 00:52:14.379: Vi2.1 Tnl/Sn 31878/2 L2TP: VPDN session up
User thus obtains an IP address:
User#sho ip int brief
Interface IP-Address OK? Method Status Protocol
Serial0/0 162.1.1.1 YES IPCP up up
Serial0/1 unassigned YES unset administratively down down
Serial0/2 unassigned YES unset administratively down down
Serial0/3 unassigned YES unset administratively down down
The established L2TP session can also be seen on the LAC and the LNS:
LAC#sho vpdn session
L2TP Session Information Total tunnels 1 sessions 1
LocID RemID TunID Username, Intf/ State Last Chg Uniq ID
Vcid, Circuit
2 2 39819 User@cisco.co, Se0/0 est 00:24:29 1
LNS#sho vpdn session
%No active L2F tunnels
L2TP Session Information Total tunnels 1 sessions 1
LocID RemID TunID Username, Intf/ State Last Chg Uniq ID
Vcid, Circuit
2 2 31878 User@cisco.co, Vi2.1 est 00:01:35 4
LAC:
LAC#sho run | s crypto
crypto isakmp policy 10
authentication pre-share
group 2
lifetime 3600
crypto isakmp key cisco address 160.1.1.1
crypto ipsec transform-set Trans esp-des esp-md5-hmac
mode transport
crypto map L2TP 10 ipsec-isakmp
set peer 160.1.1.1
set transform-set Trans
match address 101
LAC#sho run int s0/1
Building configuration...
Current configuration : 104 bytes
!
interface Serial0/1
ip address 150.1.1.1 255.255.255.0
serial restart-delay 0
crypto map L2TP
end
access-list 101 permit udp host 150.1.1.1 eq 1701 host 160.1.1.1 eq 1701
LNS:
crypto isakmp policy 10
authentication pre-share
group 2
lifetime 3600
crypto isakmp key cisco address 150.1.1.1
crypto ipsec transform-set Trans esp-des esp-md5-hmac
mode transport
crypto map L2TP 10 ipsec-isakmp
set peer 150.1.1.1
set transform-set Trans
match address 101
LNS#sho run int s0/0
Building configuration...
Current configuration : 104 bytes
!
interface Serial0/0
ip address 160.1.1.1 255.255.255.0
serial restart-delay 0
crypto map L2TP
end
access-list 101 permit udp host 160.1.1.1 eq 1701 host 150.1.1.1 eq 1701
This establishes IPsec encryption between the LAC and the LNS to protect the L2TP traffic:
LAC#sho crypto engine connections active
ID Interface IP-Address State Algorithm Encrypt Decrypt
1 Serial0/1 150.1.1.1 set HMAC_SHA+DES_56_CB 0 0
2001 Serial0/1 150.1.1.1 set DES+MD5 0 38
2002 Serial0/1 150.1.1.1 set DES+MD5 55 0
There is still a problem here: possibly because of the ACL, User cannot reach the LNS!
Remove the IPsec configuration from the LAC and the LNS, and configure IPsec encryption between User and the LNS instead:
User#sho run | s crypto
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 4.4.4.4
crypto ipsec transform-set Trans esp-des esp-md5-hmac
mode transport
crypto map MAP 10 ipsec-isakmp
set peer 4.4.4.4
set transform-set Trans
match address 101
crypto map MAP
User#sho run | s access
access-list 101 permit ip host 162.1.1.1 host 4.4.4.4
User#sho run int s0/0
Building configuration...
Current configuration : 170 bytes
!
interface Serial0/0
ip address negotiated
encapsulation ppp
serial restart-delay 0
ppp chap hostname User@cisco.com
ppp chap password 0 cisco
crypto map MAP
LNS#sho run | s crypto
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 150.1.1.1
crypto isakmp key cisco address 162.1.1.1
crypto ipsec transform-set Trans esp-des esp-md5-hmac
mode transport
crypto map L2TP 10 ipsec-isakmp
set peer 150.1.1.1
set transform-set Trans
match address 101
crypto map MAP 10 ipsec-isakmp
set peer 162.1.1.1
set transform-set Trans
match address 101
crypto map MAP
LNS#sho run | s access
access-list 101 permit ip host 4.4.4.4 host 162.1.1.1
LNS#sho run int virtual-te1
Building configuration...
Current configuration : 139 bytes
!
interface Virtual-Template1
ip unnumbered Loopback0
peer default ip address pool default
ppp authentication chap
crypto map MAP
end
User#sho crypto engine connections active
ID Interface IP-Address State Algorithm Encrypt Decrypt
1 Serial0/0 162.1.1.1 set HMAC_SHA+DES_56_CB 0 0
2001 Serial0/0 162.1.1.1 set DES+MD5 0 9
2002 Serial0/0 162.1.1.1 set DES+MD5 9 0
User#ping 4.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/127/180 ms
User#sho crypto engine connections active
ID Interface IP-Address State Algorithm Encrypt Decrypt
1 Serial0/0 162.1.1.1 set HMAC_SHA+DES_56_CB 0 0
2001 Serial0/0 162.1.1.1 set DES+MD5 0 14
2002 Serial0/0 162.1.1.1 set DES+MD5 14 0
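Both IPsec scenarios on this page depend on the two peers' crypto ACLs being exact mirror images (LAC 150.1.1.1/1701 to 160.1.1.1/1701 against LNS 160.1.1.1/1701 to 150.1.1.1/1701, then User 162.1.1.1 to 4.4.4.4 against LNS 4.4.4.4 to 162.1.1.1) and on matching transform sets; the LNS output in the second scenario also shows two crypto maps, L2TP and MAP, both with `match address 101`. The Python below is an added example, not part of the original page or of Cisco IOS: it parses trimmed copies of the page's snippets (constructed inputs, values as on the page), reports whether each peer pair's crypto ACLs mirror each other and their transform sets agree, and flags an ACL referenced by more than one crypto map on the same router, since that ACL then selects the same traffic for two different peers.

```python
# Added example: consistency checks for a pair of IOS crypto-map peers.
# Constructed inputs, trimmed to the lines the checker reads; values follow the page.
LAC_CFG = """crypto ipsec transform-set Trans esp-des esp-md5-hmac
mode transport
crypto map L2TP 10 ipsec-isakmp
set transform-set Trans
match address 101
access-list 101 permit udp host 150.1.1.1 eq 1701 host 160.1.1.1 eq 1701"""

LNS_CFG_1 = """crypto ipsec transform-set Trans esp-des esp-md5-hmac
mode transport
crypto map L2TP 10 ipsec-isakmp
set transform-set Trans
match address 101
access-list 101 permit udp host 160.1.1.1 eq 1701 host 150.1.1.1 eq 1701"""

USER_CFG = """crypto ipsec transform-set Trans esp-des esp-md5-hmac
mode transport
crypto map MAP 10 ipsec-isakmp
set transform-set Trans
match address 101
access-list 101 permit ip host 162.1.1.1 host 4.4.4.4"""

# LNS after the second scenario: two crypto maps both matching access-list 101
LNS_CFG_2 = """crypto ipsec transform-set Trans esp-des esp-md5-hmac
mode transport
crypto map L2TP 10 ipsec-isakmp
set transform-set Trans
match address 101
crypto map MAP 10 ipsec-isakmp
set transform-set Trans
match address 101
access-list 101 permit ip host 4.4.4.4 host 162.1.1.1"""


def parse_ace(line):
    """Parse 'access-list N permit PROTO <ep> [eq P] <ep> [eq P]' (ep = 'host A' or 'any')."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "permit":
        raise ValueError("unsupported ACE: %r" % line)
    rest, ends = tok[4:], []
    for _ in range(2):  # source endpoint, then destination endpoint
        if rest[0] == "host":
            addr, rest = rest[1], rest[2:]
        elif rest[0] == "any":
            addr, rest = "any", rest[1:]
        else:
            raise ValueError("only host/any endpoints are handled: %r" % line)
        port = None
        if rest[:1] == ["eq"]:
            port, rest = rest[1], rest[2:]
        ends += [addr, port]
    if rest:
        raise ValueError("trailing tokens in ACE: %r" % rest)
    return (tok[3], *ends)  # (proto, src, sport, dst, dport)

def mirror(ace):
    """The ACE the remote peer must carry for this one: endpoints and ports swapped."""
    proto, src, sport, dst, dport = ace
    return (proto, dst, dport, src, sport)

def acl_entries(cfg, acl_id):
    prefix = "access-list %s " % acl_id
    return sorted((parse_ace(l.strip()) for l in cfg.splitlines() if l.strip().startswith(prefix)), key=repr)

def map_acls(cfg):
    """Map each 'crypto map NAME seq ipsec-isakmp' block to the ACL it matches."""
    acls, current = {}, None
    for s in (l.strip() for l in cfg.splitlines()):
        if s.startswith("crypto map ") and s.endswith("ipsec-isakmp"):
            current = s.split()[2]
        elif current and s.startswith("match address "):
            acls[current] = s.split()[2]
    return acls

def transform_sets(cfg):
    """Return {name: (sorted transforms, mode)}; IOS defaults the mode to tunnel."""
    sets, current = {}, None
    for s in (l.strip() for l in cfg.splitlines()):
        if s.startswith("crypto ipsec transform-set "):
            tok = s.split()
            current = tok[3]
            sets[current] = [tuple(sorted(tok[4:])), "tunnel"]
        elif current and s.startswith("mode "):
            sets[current][1] = s.split()[1]
            current = None
    return {k: tuple(v) for k, v in sets.items()}

def shared_acls(cfg):
    """ACL ids referenced by more than one crypto map on the same router."""
    acls = list(map_acls(cfg).values())
    return sorted({a for a in acls if acls.count(a) > 1})

def check_peer_pair(local_cfg, remote_cfg, map_name):
    """True/False for mirrored crypto ACLs and identical transform sets."""
    local = acl_entries(local_cfg, map_acls(local_cfg)[map_name])
    remote = acl_entries(remote_cfg, map_acls(remote_cfg)[map_name])
    return {
        "acl_mirrored": local == sorted((mirror(a) for a in remote), key=repr),
        "transforms_match": sorted(transform_sets(local_cfg).values()) == sorted(transform_sets(remote_cfg).values()),
    }
```

Run against the page's snippets, `check_peer_pair(LAC_CFG, LNS_CFG_1, "L2TP")` and `check_peer_pair(USER_CFG, LNS_CFG_2, "MAP")` both report mirrored ACLs and matching transform sets, while `shared_acls(LNS_CFG_2)` returns `["101"]`: once the second scenario is applied, the leftover L2TP crypto map on the LNS selects the User/LNS host pair rather than the UDP 1701 traffic it was written for, which is the kind of thing to clean up before trusting the counters in `show crypto engine connections active`.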