【原创】L2TP Over IPSec实验

Rps-Cheers · ‎01-08-2020

1、实验拓扑：

2、实验配置：

User/R1：

!

interface Serial0/0

ip address negotiated

encapsulation ppp

serial restart-delay 0

ppp chap hostname User@cisco.com

ppp chap password 0 cisco

end

LAC/R2:

interface Serial0/0

no ip address

encapsulation ppp

serial restart-delay 0

ppp authentication chap pap

ppp multilink

end

interface Serial0/1

ip address 150.1.1.1 255.255.255.0

serial restart-delay 0

end

vpdn enable

vpdn search-order domain dnis

vpdn-group 1

request-dialin

protocol l2tp

domain cisco.com

initiate-to ip 160.1.1.1 priority 1

local name LAC

l2tp tunnel password 0 cisco

router ospf 1

router-id 2.2.2.2

log-adjacency-changes

network 150.1.1.0 0.0.0.255 area 0

Internet/R3:

interface Serial0/0

ip address 150.1.1.2 255.255.255.0

serial restart-delay 0

interface Serial0/1

ip address 160.1.1.2 255.255.255.0

serial restart-delay 0

end

router ospf 1

router-id 3.3.3.3

log-adjacency-changes

network 150.1.1.0 0.0.0.255 area 0

network 160.1.1.0 0.0.0.255 area 0

LNS/R4:

interface Serial0/0

ip address 160.1.1.1 255.255.255.0

serial restart-delay 0

end

interface Loopback0

ip address 4.4.4.4 255.255.255.255

end

router ospf 1

router-id 4.4.4.4

log-adjacency-changes

network 160.1.1.0 0.0.0.255 area 0

vpdn enable

vpdn-group 1

accept-dialin

protocol l2tp

virtual-template 1

terminate-from hostname LAC

source-ip 160.1.1.1

l2tp tunnel password 0 cisco

interface Virtual-Template1

ip unnumbered Loopback0

peer default ip address pool default

ppp authentication chap

end

ip local pool default 162.1.1.1 162.1.1.150

3、L2TP会话建立过程

User的PPP会话：

*Mar 1 00:35:34.323: %SYS-5-CONFIG_I: Configured from console by console

*Mar 1 00:35:35.631: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up

*Mar 1 00:35:35.635: Se0/0 PPP: Using default call direction

*Mar 1 00:35:35.635: Se0/0 PPP: Treating connection as a dedicated line

*Mar 1 00:35:35.639: Se0/0 PPP: Session handle[89000003] Session id[3]

*Mar 1 00:35:35.639: Se0/0 PPP: Phase is ESTABLISHING, Active Open

*Mar 1 00:35:35.639: Se0/0 PPP: Authorization required

*Mar 1 00:35:35.639: Se0/0 LCP: O CONFREQ [Closed] id 4 len 10

*Mar 1 00:35:35.639: Se0/0 LCP: MagicNumber 0x002C9BC5 (0x0506002C9BC5)

*Mar 1 00:35:37.643: Se0/0 LCP: Timeout: State REQsent

*Mar 1 00:35:37.643: Se0/0 LCP: O CONFREQ [REQsent] id 5 len 10

*Mar 1 00:35:37.643: Se0/0 LCP: MagicNumber 0x002C9BC5 (0x0506002C9BC5)

*Mar 1 00:35:37.747: Se0/0 LCP: I CONFREQ [REQsent] id 1 len 15

*Mar 1 00:35:37.747: Se0/0 LCP: AuthProto CHAP (0x0305C22305)

*Mar 1 00:35:37.751: Se0/0 LCP: MagicNumber 0x002D45B1 (0x0506002D45B1)

*Mar 1 00:35:37.751: Se0/0 LCP: O CONFACK [REQsent] id 1 len 15

*Mar 1 00:35:37.751: Se0/0 LCP: AuthProto CHAP (0x0305C22305)

*Mar 1 00:35:37.755: Se0/0 LCP: MagicNumber 0x002D45B1 (0x0506002D45B1)

*Mar 1 00:35:37.755: Se0/0 LCP: I CONFACK [ACKsent] id 5 len 10

*Mar 1 00:35:37.755: Se0/0 LCP: MagicNumber 0x002C9BC5 (0x0506002C9BC5)

*Mar 1 00:35:37.759: Se0/0 LCP: State is Open

*Mar 1 00:35:37.759: Se0/0 PPP: No authorization without authentication

*Mar 1 00:35:37.759: Se0/0 PPP: Phase is AUTHENTICATING, by the peer

*Mar 1 00:35:37.919: Se0/0 CHAP: I CHALLENGE id 1 len 24 from "LNS"

*Mar 1 00:35:37.927: Se0/0 CHAP: Using hostname from interface CHAP

*Mar 1 00:35:37.927: Se0/0 CHAP: Using password from interface CHAP

*Mar 1 00:35:37.927: Se0/0 CHAP: O RESPONSE id 1 len 35 from "User@cisco.com"

*Mar 1 00:35:38.323: Se0/0 CHAP: I SUCCESS id 1 len 4

*Mar 1 00:35:38.323: Se0/0 PPP: Phase is FORWARDING, Attempting Forward

*Mar 1 00:35:38.327: Se0/0 PPP: Queue IPCP code[1] id[1]

*Mar 1 00:35:38.327: Se0/0 PPP: Phase is ESTABLISHING, Finish LCP

*Mar 1 00:35:38.331: Se0/0 PPP: Phase is UP

*Mar 1 00:35:38.331: Se0/0 IPCP: O CONFREQ [Closed] id 1 len 10

*Mar 1 00:35:38.331: Se0/0 IPCP: Address 0.0.0.0 (0x030600000000)

*Mar 1 00:35:38.335: Se0/0 CDPCP: O CONFREQ [Closed] id 1 len 4

*Mar 1 00:35:38.335: Se0/0 PPP: Process pending ncp packets

*Mar 1 00:35:38.335: Se0/0 IPCP: Redirect packet to Se0/0

*Mar 1 00:35:38.335: Se0/0 IPCP: I CONFREQ [REQsent] id 1 len 10

*Mar 1 00:35:38.339: Se0/0 IPCP: Address 4.4.4.4 (0x030604040404)

*Mar 1 00:35:38.339: Se0/0 IPCP: O CONFACK [REQsent] id 1 len 10

*Mar 1 00:35:38.339: Se0/0 IPCP: Address 4.4.4.4 (0x030604040404)

*Mar 1 00:35:38.499: Se0/0 IPCP: I CONFNAK [ACKsent] id 1 len 10

*Mar 1 00:35:38.499: Se0/0 IPCP: Address 162.1.1.1 (0x0306A2010101)

*Mar 1 00:35:38.499: Se0/0 IPCP: O CONFREQ [ACKsent] id 2 len 10

*Mar 1 00:35:38.503: Se0/0 IPCP: Address 162.1.1.1 (0x0306A2010101)

*Mar 1 00:35:38.503: Se0/0 LCP: I PROTREJ [Open] id 2 len 10 protocol CDPCP (0x820701010004)

*Mar 1 00:35:38.503: Se0/0 CDPCP: State is Closed

*Mar 1 00:35:38.503: Se0/0 CDPCP: State is Listen

*Mar 1 00:35:38.615: Se0/0 IPCP: I CONFACK [ACKsent] id 2 len 10

*Mar 1 00:35:38.615: Se0/0 IPCP: Address 162.1.1.1 (0x0306A2010101)

*Mar 1 00:35:38.615: Se0/0 IPCP: State is Open

*Mar 1 00:35:38.619: Se0/0 IPCP: Install negotiated IP interface address 162.1.1.1

*Mar 1 00:35:38.627: Se0/0 IPCP: Install route to 4.4.4.4

*Mar 1 00:35:39.327: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up

LNS的PPP和后续协商会话：

*Mar 1 00:36:17.071: Vi2.1 LCP: I CONFREQ [Open] id 4 len 10

*Mar 1 00:36:17.071: Vi2.1 LCP: MagicNumber 0x002C9BC5 (0x0506002C9BC5)

*Mar 1 00:36:17.071: Vi2.1 PPP: Terminating bound session

*Mar 1 00:36:17.071: Vi2.1 PPP: Sending Acct Event[Reneg] id[5]

*Mar 1 00:36:17.075: Vi2.1 IPCP: State is Closed

*Mar 1 00:36:17.079: Vi2.1 PPP: Send Message[Renegotiate]

*Mar 1 00:36:17.083: Vi2.1 PPP: Phase is TERMINATING

*Mar 1 00:36:17.083: Vi2.1 LCP: State is Closed

*Mar 1 00:36:17.083: Vi2.1 PPP: Phase is DOWN

*Mar 1 00:36:17.087: Vi2.1 IPCP: Remove route to 162.1.1.1

*Mar 1 00:36:17.087: Vi2.1 Tnl/Sn 31878/2 L2TP: Unbinding session from idb

*Mar 1 00:36:17.091: Vi2.1 VPDN: Resetting interface

*Mar 1 00:36:17.095: uid:2 Tnl/Sn 31878/2 L2TP: Session state change from established to wait-for-service-selection-iccn

*Mar 1 00:36:17.131: ppp3 PPP: Send Message[Dynamic Bind Response]

*Mar 1 00:36:17.131: ppp3 PPP: Using vpn set call direction

*Mar 1 00:36:17.131: ppp3 PPP: Treating connection as a callin

*Mar 1 00:36:17.131: ppp3 PPP: Session handle[3A000005] Session id[3]

*Mar 1 00:36:17.135: ppp3 PPP: Phase is ESTABLISHING, Passive Open

*Mar 1 00:36:17.135: ppp3 LCP: State is Listen

*Mar 1 00:36:19.055: ppp3 LCP: I CONFREQ

id 5 len 10

*Mar 1 00:36:19.055: ppp3 LCP: MagicNumber 0x002C9BC5 (0x0506002C9BC5)

*Mar 1 00:36:19.055: ppp3 PPP: Authorization required

*Mar 1 00:36:19.059: ppp3 LCP: O CONFREQ

id 1 len 15

*Mar 1 00:36:19.059: ppp3 LCP: AuthProto CHAP (0x0305C22305)

*Mar 1 00:36:19.059: ppp3 LCP: MagicNumber 0x002D45B1 (0x0506002D45B1)

*Mar 1 00:36:19.063: ppp3 LCP: O CONFACK

id 5 len 10

*Mar 1 00:36:19.063: ppp3 LCP: MagicNumber 0x002C9BC5 (0x0506002C9BC5)

*Mar 1 00:36:19.223: ppp3 LCP: I CONFACK [ACKsent] id 1 len 15

*Mar 1 00:36:19.223: ppp3 LCP: AuthProto CHAP (0x0305C22305)

*Mar 1 00:36:19.223: ppp3 LCP: MagicNumber 0x002D45B1 (0x0506002D45B1)

*Mar 1 00:36:19.223: ppp3 LCP: State is Open

*Mar 1 00:36:19.223: ppp3 PPP: Phase is AUTHENTICATING, by this end

*Mar 1 00:36:19.223: ppp3 CHAP: O CHALLENGE id 1 len 24 from "LNS"

*Mar 1 00:36:19.351: ppp3 CHAP: I RESPONSE id 1 len 35 from "User@cisco.com"

*Mar 1 00:36:19.351: ppp3 PPP: Phase is FORWARDING, Attempting Forward

*Mar 1 00:36:19.355: ppp3 PPP: Phase is AUTHENTICATING, Unauthenticated User

*Mar 1 00:36:19.359: ppp3 PPP: Sent CHAP LOGIN Request

*Mar 1 00:36:19.363: ppp3 PPP: Received LOGIN Response PASS

*Mar 1 00:36:19.367: ppp3 PPP: Phase is FORWARDING, Attempting Forward

*Mar 1 00:36:19.367: ppp3 PPP: Send Message[Connect Local]

*Mar 1 00:36:19.379: uid:3 Tnl/Sn 31878/2 L2TP: Virtual interface created for User@cisco.com bandwidth 1544 Kbps

*Mar 1 00:36:19.379: Vi2.1 Tnl/Sn 31878/2 L2TP: Virtual interface created for User@cisco.com, bandwidth 1544 Kbps

*Mar 1 00:36:19.383: ppp3 PPP: Bind to [Virtual-Access2.1]

*Mar 1 00:36:19.383: Vi2.1 PPP: Send Message[Static Bind Response]

*Mar 1 00:36:19.391: Vi2.1 Tnl/Sn 31878/2 L2TP: Session state change from wait-for-service-selection-iccn to established

*Mar 1 00:36:19.391: Vi2.1 Tnl/Sn 31878/2 L2TP: VPDN session up

*Mar 1 00:36:19.399: Vi2.1 PPP: Phase is AUTHENTICATING, Authenticated User

*Mar 1 00:36:19.399: Vi2.1 PPP: Sent LCP AUTHOR Request

*Mar 1 00:36:19.403: Vi2.1 PPP: Sent IPCP AUTHOR Request

*Mar 1 00:36:19.407: Vi2.1 LCP: Received AAA AUTHOR Response PASS

*Mar 1 00:36:19.411: Vi2.1 IPCP: Received AAA AUTHOR Response PASS

*Mar 1 00:36:19.411: Vi2.1 CHAP: O SUCCESS id 1 len 4

*Mar 1 00:36:19.415: Vi2.1 PPP: Phase is UP

*Mar 1 00:36:19.415: Vi2.1 IPCP: O CONFREQ [Closed] id 1 len 10

*Mar 1 00:36:19.419: Vi2.1 IPCP: Address 4.4.4.4 (0x030604040404)

*Mar 1 00:36:19.419: Vi2.1 PPP: Process pending ncp packets

*Mar 1 00:36:19.771: Vi2.1 IPCP: I CONFREQ [REQsent] id 1 len 10

*Mar 1 00:36:19.771: Vi2.1 IPCP: Address 0.0.0.0 (0x030600000000)

*Mar 1 00:36:19.771: Vi2.1 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.0, we want 0.0.0.0

*Mar 1 00:36:19.775: Vi2.1 AAA/AUTHOR/IPCP: Done. Her address 0.0.0.0, we want 0.0.0.0

*Mar 1 00:36:19.775: Vi2.1 IPCP: Pool returned 162.1.1.1

*Mar 1 00:36:19.775: Vi2.1 IPCP: O CONFNAK [REQsent] id 1 len 10

*Mar 1 00:36:19.779: Vi2.1 IPCP: Address 162.1.1.1 (0x0306A2010101)

*Mar 1 00:36:19.779: Vi2.1 IPCP: I CONFACK [REQsent] id 1 len 10

*Mar 1 00:36:19.779: Vi2.1 IPCP: Address 4.4.4.4 (0x030604040404)

*Mar 1 00:36:19.783: Vi2.1 CDPCP: I CONFREQ [Not negotiated] id 1 len 4

*Mar 1 00:36:19.783: Vi2.1 LCP: O PROTREJ [Open] id 2 len 10 protocol CDPCP (0x820701010004)

*Mar 1 00:36:19.911: Vi2.1 IPCP: I CONFREQ [ACKrcvd] id 2 len 10

*Mar 1 00:36:19.911: Vi2.1 IPCP: Address 162.1.1.1 (0x0306A2010101)

*Mar 1 00:36:19.911: Vi2.1 IPCP: O CONFACK [ACKrcvd] id 2 len 10

*Mar 1 00:36:19.915: Vi2.1 IPCP: Address 162.1.1.1 (0x0306A2010101)

*Mar 1 00:36:19.915: Vi2.1 IPCP: State is Open

*Mar 1 00:36:19.923: Vi2.1 IPCP: Install route to 162.1.1.1

LNS#debug vpdn event

VPDN events debugging is on

LNS#

*Mar 1 00:52:12.215: Vi2.1 VPDN: Resetting interface

LNS#

*Mar 1 00:52:14.371: uid:4 Tnl/Sn 31878/2 L2TP: Virtual interface created for User@cisco.com bandwidth 1544 Kbps

*Mar 1 00:52:14.371: Vi2.1 Tnl/Sn 31878/2 L2TP: Virtual interface created for User@cisco.com, bandwidth 1544 Kbps

*Mar 1 00:52:14.379: Vi2.1 Tnl/Sn 31878/2 L2TP: VPDN session up

如此在User上即可获取到IP地址：

User#sho ip int brief

Interface IP-Address OK? Method Status Protocol

Serial0/0 162.1.1.1 YES IPCP up up

Serial0/1 unassigned YES unset administratively down down

Serial0/2 unassigned YES unset administratively down down

Serial0/3 unassigned YES unset administratively down down

在LAC和LNS上也可以看见L2TP的建立：

LAC#sho vpdn session

L2TP Session Information Total tunnels 1 sessions 1

LocID RemID TunID Username, Intf/ State Last Chg Uniq ID

Vcid, Circuit

2 2 39819 User@cisco.co, Se0/0 est 00:24:29 1

LNS#sho vpdn session

%No active L2F tunnels

L2TP Session Information Total tunnels 1 sessions 1

LocID RemID TunID Username, Intf/ State Last Chg Uniq ID

Vcid, Circuit

2 2 31878 User@cisco.co, Vi2.1 est 00:01:35 4

4、在此基础上实现IPSec

LAC：

LAC#sho run | s crypto

crypto isakmp policy 10

authentication pre-share

group 2

lifetime 3600

crypto isakmp key cisco address 160.1.1.1

crypto ipsec transform-set Trans esp-des esp-md5-hmac

mode transport

crypto map L2TP 10 ipsec-isakmp

set peer 160.1.1.1

set transform-set Trans

match address 101

LAC#sho run int s0/1

Building configuration...

Current configuration : 104 bytes

!

interface Serial0/1

ip address 150.1.1.1 255.255.255.0

serial restart-delay 0

crypto map L2TP

end

access-list 101 permit udp host 150.1.1.1 eq 1701 host 160.1.1.1 eq 1701

LNS：

crypto isakmp policy 10

authentication pre-share

group 2

lifetime 3600

crypto isakmp key cisco address 150.1.1.1

crypto ipsec transform-set Trans esp-des esp-md5-hmac

mode transport

crypto map L2TP 10 ipsec-isakmp

set peer 150.1.1.1

set transform-set Trans

match address 101

LNS#sho run int s0/0

Building configuration...

Current configuration : 104 bytes

!

interface Serial0/0

ip address 160.1.1.1 255.255.255.0

serial restart-delay 0

crypto map L2TP

end

access-list 101 permit udp host 160.1.1.1 eq 1701 host 150.1.1.1 eq 1701

如此即可建立LAC和LNS之间的IPSec隧道加密，保护L2TP的信息：

LAC#sho crypto engine connections active

ID Interface IP-Address State Algorithm Encrypt Decrypt

1 Serial0/1 150.1.1.1 set HMAC_SHA+DES_56_CB 0 0

2001 Serial0/1 150.1.1.1 set DES+MD5 0 38

2002 Serial0/1 150.1.1.1 set DES+MD5 55 0

此处还存问题，可能由于ACL的原因，这里的User不能到LNS上！

删除LAC和LNS上的IPSec配置，在User端和LNS之间配置IPSec隧道加密：

User#sho run | s crypto

crypto isakmp policy 10

authentication pre-share

crypto isakmp key cisco address 4.4.4.4

crypto ipsec transform-set Trans esp-des esp-md5-hmac

mode transport

crypto map MAP 10 ipsec-isakmp

set peer 4.4.4.4

set transform-set Trans

match address 101

crypto map MAP

User#sho run | s access

access-list 101 permit ip host 162.1.1.1 host 4.4.4.4

User#sho run int s0/0

Building configuration...

Current configuration : 170 bytes

!

interface Serial0/0

ip address negotiated

encapsulation ppp

serial restart-delay 0

ppp chap hostname User@cisco.com

ppp chap password 0 cisco

crypto map MAP

LNS#sho run | s crypto

crypto isakmp policy 10

authentication pre-share

crypto isakmp key cisco address 150.1.1.1

crypto isakmp key cisco address 162.1.1.1

crypto ipsec transform-set Trans esp-des esp-md5-hmac

mode transport

crypto map L2TP 10 ipsec-isakmp

set peer 150.1.1.1

set transform-set Trans

match address 101

crypto map MAP 10 ipsec-isakmp

set peer 162.1.1.1

set transform-set Trans

match address 101

crypto map MAP

LNS#sho run | s access

access-list 101 permit ip host 4.4.4.4 host 162.1.1.1

LNS#sho run int virtual-te1

Building configuration...

Current configuration : 139 bytes

!

interface Virtual-Template1

ip unnumbered Loopback0

peer default ip address pool default

ppp authentication chap

crypto map MAP

end

User#sho crypto engine connections active

ID Interface IP-Address State Algorithm Encrypt Decrypt

1 Serial0/0 162.1.1.1 set HMAC_SHA+DES_56_CB 0 0

2001 Serial0/0 162.1.1.1 set DES+MD5 0 9

2002 Serial0/0 162.1.1.1 set DES+MD5 9 0

User#ping 4.4.4.4

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 92/127/180 ms

User#sho crypto engine connections active

ID Interface IP-Address State Algorithm Encrypt Decrypt

1 Serial0/0 162.1.1.1 set HMAC_SHA+DES_56_CB 0 0

2001 Serial0/0 162.1.1.1 set DES+MD5 0 14

2002 Serial0/0 162.1.1.1 set DES+MD5 14 0

【原创】L2TP Over IPSec实验

【原创翻译】保护用户，揭开最后1％的威胁

【原创翻译】网络安全不是儿戏

【原创翻译】MWC系列：为5G时代准备FastWeb网络