PPPoE AND VPN CONFIGURATION

(pptx, 16 pages, 47.5 KB)

Interface addresses:

Device   Interface   IP address
Client   Lo0         10.10.10.10/24
Client   Dialer1     203.106.10.2/24
Remote   E0/0        20.20.20.20/24
Remote   S0/0        203.162.11.2/24
Server   Lo1         203.106.10.1/24
Server   S0/0        203.162.11.1/24

Full configurations:

remote#sh run
Building configuration

Current configuration : 1273 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname remote
!
logging rate-limit console 10 except errors
!
memory-size iomem 10
ip subnet-zero
!
no ip finger
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 203.106.10.2 255.255.255.0
!
crypto ipsec transform-set vnpro ah-md5-hmac esp-des
!
crypto map tam 10 ipsec-isakmp
 set peer 203.106.10.2
 set transform-set vnpro
 match address 110
!
call rsvp-sync
!
interface Ethernet0/0
 ip address 20.20.20.20 255.255.255.0
 ip nat inside
 no keepalive
 half-duplex
!
interface Serial0/0
 ip address 203.162.11.2 255.255.255.0
 ip nat outside
 crypto map tam
!
interface Serial0/1
 no ip address
 shutdown
!
ip nat inside source list 100 interface Serial0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 203.162.11.1
no ip http server
!
access-list 100 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 100 permit ip 20.20.20.0 0.0.0.255 any
access-list 110 permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
!
dial-peer cor custom
!
line con 0
 transport input none
line aux 0
line vty 0 4
!
no scheduler allocate
end

Client#sh run
Building configuration

Current configuration : 1596 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Client
!
ip subnet-zero
!
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 203.162.11.2 255.255.255.0
!
crypto ipsec transform-set vnpro ah-md5-hmac esp-des
!
crypto map tam 10 ipsec-isakmp
 set peer 203.162.11.2
 set transform-set vnpro
 match address 110
!
voice call carrier capacity active
!
mta receive maximum-recipients 0
!
interface Loopback0
 ip address 10.10.10.10 255.255.255.0
 ip nat inside
!
interface Loopback1
 no ip address
!
interface Ethernet0/0
 no ip address
 half-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface Serial0/0
 no ip address
 shutdown
 no fair-queue
!
interface Serial0/1
 no ip address
 shutdown
!
interface Dialer1
 mtu 1492
 ip address 203.106.10.2 255.255.255.0
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 crypto map tam
!
ip nat inside source list 100 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 203.106.10.1
ip http server
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 110 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
dialer-list 1 protocol ip permit
!
call rsvp-sync
!
mgcp profile default
!
dial-peer cor custom
!
line con 0
line aux 0
line vty 0 4
!
end

Server#sh run
Building configuration

Current configuration : 858 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Server
!
logging queue-limit 100
!
ip subnet-zero
!
vpdn enable
!
vpdn-group 1
 accept-dialin
  protocol pppoe
  virtual-template 1
!
mpls ldp logging neighbor-changes
!
no voice hpi capture buffer
no voice hpi capture destination
!
mta receive maximum-recipients 0
!
interface Loopback1
 ip address 203.106.10.1 255.255.255.0
!
interface Ethernet0/0
 no ip address
 half-duplex
 pppoe enable
!
interface Serial0/0
 ip address 203.162.11.1 255.255.255.0
 clockrate 64000
 no fair-queue
!
interface Virtual-Template1
 ip unnumbered Loopback1
!
ip http server
ip classless
!
call rsvp-sync
!
mgcp profile default
!
dial-peer cor custom
!
line con 0
line aux 0
line vty 0 4
!
end

Step-by-step configuration: this document configures only the PPPoE and VPN parts; the remaining configuration is assumed to be known.

• PPPoE configuration:

Server:

Create the vpdn group:

Server(config)#vpdn enable
Server(config)#vpdn-group 1
Server(config-vpdn)#accept-dialin
Server(config-vpdn-acc-in)#protocol pppoe

Enable the vpdn feature to establish the PPPoE sessions.

Server(config-vpdn-acc-in)#virtual-template 1 <- use a virtual template to communicate with the client
Server(config-vpdn-acc-in)#exit
Server(config)#int lo1
Server(config-if)#ip add 203.106.10.1 255.255.255.0
Server(config-if)#int e0/0
Server(config-if)#pppoe enable <- enable PPPoE on the interface connected to the client

Create the virtual-template interface:

Server(config)#int virtual-template 1
Server(config-if)#ip unnumbered lo1

Client:

Create the vpdn group:

Client(config)#vpdn enable
Client(config)#vpdn-group 1
Client(config-vpdn)#request-dialin
Client(config-vpdn-req-in)#protocol pppoe

Enable PPPoE on the interface connected to the server:

Client(config)#int e0/0
Client(config-if)#pppoe enable

Bind interface e0/0 to the dialer interface to set up the encapsulation for the PPPoE client:

Client(config-if)#pppoe-client dial-pool-number 1
Client(config-if)#exit

Configure the dialer interface:

Client(config)#int dialer 1
Client(config-if)#mtu 1492
Client(config-if)#ip add 203.106.10.2 255.255.255.0
Client(config-if)#ip nat outside
Client(config-if)#encapsulation ppp
Client(config-if)#dialer pool 1
Client(config-if)#dialer-group 1
Client(config-if)#exit
Client(config)#access-list 1 permit 10.10.10.0 0.0.0.255
Client(config)#dialer-list 1 protocol ip permit

Create PAT:

Client(config)#ip nat inside source list 100 interface Dialer1 overload
Client(config)#access-list 100 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
Client(config)#access-list 100 permit ip 10.10.10.0 0.0.0.255 any

Enable debug and show commands to check the connection between Server and Client:

Client(config)#debug ip nat

Client#ping
Protocol [ip]:
Target IP address: 203.106.10.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.10.10.10
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 203.106.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/12/44 ms
*Mar 1 01:28:19.438: NAT: s=10.10.10.10->203.106.10.2, d=203.106.10.1 [50]
*Mar 1 01:28:19.438: NAT*: s=203.106.10.1, d=203.106.10.2->10.10.10.10 [50]
*Mar 1 01:28:19.442: NAT: s=10.10.10.10->203.106.10.2, d=203.106.10.1 [51]
*Mar 1 01:28:19.446: NAT*: s=203.106.10.1, d=203.106.10.2->10.10.10.10 [51]

Client#SH INT
Ethernet0/0 is up, line protocol is up
  Hardware is AmdP2, address is 000b.5f9a.d0e0 (bia 000b.5f9a.d0e0)
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:32, output 00:00:03, output hang never
  Last clearing of "show interface" counters never
<omitted>
Virtual-Access1 is up, line protocol is up
  Hardware is Virtual Access interface
  MTU 1492 bytes, BW 56 Kbit, DLY 100000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set
  Interface is bound to Di1 (Encapsulation PPP)
  LCP Open
  Listen: CDPCP
  Open: IPCP
  Last input 00:00:01, output never, output hang never
  Last clearing of "show interface" counters 00:06:35
Dialer1 is up, line protocol is up (spoofing)
  Hardware is Unknown
  Internet address is 203.106.10.2/24
  MTU 1492 bytes, BW 56 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set
  DTR is pulsed for 1 seconds on reset
  Interface is bound to Vi1
  Bound to:
    Virtual-Access1 is up, line protocol is up
      Hardware is Virtual Access interface
      MTU 1492 bytes, BW 56 Kbit, DLY 100000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation PPP, loopback not set
      Interface is bound to Di1 (Encapsulation PPP)
      LCP Open
      Listen: CDPCP
      Open: IPCP

Server#SH INTER
Ethernet0/0 is up, line protocol is up
  Hardware is AmdP2, address is 0009.e8d8.f840 (bia 0009.e8d8.f840)
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00
Virtual-Access1 is up, line protocol is up
  Hardware is Virtual Access interface
  MTU 1492 bytes, BW 100000 Kbit, DLY 100000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Base PPPoE vaccess, loopback not set
  DTR is pulsed for 5 seconds on reset
Virtual-Access1.1 is up, line protocol is up
  Hardware is Virtual Access interface
  Interface is unnumbered Using address of Loopback1 (203.106.10.1)
  MTU 1492 bytes, BW 100000 Kbit, DLY 100000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Open: IPCP
  PPPoE vaccess, cloned from Virtual-Template1
     85 packets input, 3414 bytes
     87 packets output, 3499 bytes
  Last clearing of "show interface" counters never

• VPN configuration for Client and remote:

To configure the VPN we configure 2 phases:

- Phase 1 (IKE phase 1, also called ISAKMP): the phase used to generate keys, encrypt keys and exchange keys. If phase 1 succeeds, it moves on to phase 2.
- Phase 2: the phase that uses the IPsec policy to secure the data.

Configure as follows:

Phase 1:

Client(config)#crypto isakmp enable
Client(config)#crypto isakmp key cisco address 203.162.11.2 255.255.255.0
Client(config)#crypto isakmp policy 10
Client(config-isakmp)#authentication pre-share
Client(config-isakmp)#encryption des
Client(config-isakmp)#hash md5
Client(config-isakmp)#group 2
Client(config-isakmp)#exit
Client(config)#crypto isakmp identity address

remote(config)#crypto isakmp enable
remote(config)#crypto isakmp key cisco address 203.106.10.2 255.255.255.0
remote(config)#crypto isakmp policy 10
remote(config-isakmp)#authentication pre
remote(config-isakmp)#encryption des
remote(config-isakmp)#hash md5
remote(config-isakmp)#group 2
remote(config-isakmp)#exit
remote(config)#crypto isakmp identity address

Phase 2:

Client(config)#access-list 110 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
Client(config)#crypto ipsec transform-set vnpro esp-des ah-md5-hmac
Client(config)#crypto map tam 10 ipsec-isakmp
Client(config-crypto-map)#set peer 203.162.11.2
Client(config-crypto-map)#set transform-set vnpro
Client(config-crypto-map)#match add 110
Client(config-crypto-map)#exit
Client(config)#int dialer 1
Client(config-if)#crypto map tam

remote(config)#access-list 110 permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
remote(config)#crypto ipsec transform-set vnpro esp-des ah-md5-hmac
remote(cfg-crypto-trans)#exit
remote(config)#crypto map tam 10 ipsec-isakmp
remote(config-crypto-map)#set peer 203.106.10.2
remote(config-crypto-map)#set tran
remote(config-crypto-map)#set transform-set vnpro
remote(config-crypto-map)#match add 110
remote(config-crypto-map)#exit
remote(config)#int s0/0
remote(config-if)#crypto map tam
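As an added example (not part of the original document), a small Python audit of the crypto and NAT lines configured above: it parses an IOS running-config excerpt, flags the weak Phase 1 and Phase 2 settings used in this lab (DES, MD5, DH group 2, a short pre-shared key) and checks that every flow selected by the crypto ACL (110) is denied in the NAT ACL (100), which is why the PAT ACL above starts with a deny. The sample config is a constructed excerpt of the remote router's configuration.

```python
import re

# Constructed sample: the crypto and NAT lines of the "remote" router in this lab.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 203.106.10.2 255.255.255.0
crypto ipsec transform-set vnpro ah-md5-hmac esp-des
crypto map tam 10 ipsec-isakmp
 match address 110
ip nat inside source list 100 interface Serial0/0 overload
access-list 100 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 110 permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
"""
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "ah-md5-hmac", "esp-md5-hmac"}

def parse_acl(lines, number):  # extended ACL entries as (action, src, wc, dst, wc)
    pat = re.compile(r"^access-list %d (permit|deny) ip (\S+) (\S+) (\S+) (\S+)$" % number)
    return [m.groups() for m in map(pat.match, lines) if m]

def audit(config):
    lines = [l.strip() for l in config.splitlines()]
    findings, policy, in_policy = [], [], False
    for l in lines:  # collect the body of the 'crypto isakmp policy' block
        if l.startswith("crypto isakmp policy"):
            in_policy = True
        elif in_policy and l.split(" ")[0] in ("encryption", "hash", "authentication", "group", "lifetime"):
            policy.append(l)
        else:
            in_policy = False
    if not any(p.startswith("encryption") for p in policy):
        findings.append("phase1: no 'encryption' line, IOS default is DES")
    findings += ["phase1: weak setting '%s'" % p for p in policy if p in ("hash md5", "group 2")]
    key = re.search(r"^crypto isakmp key (\S+) address", config, re.M)
    if key and len(key.group(1)) < 16:
        findings.append("phase1: short pre-shared key %r" % key.group(1))
    for ts in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M):
        weak = [t for t in ts.group(2).split() if t in WEAK_TRANSFORMS]
        findings += ["phase2: transform-set %s uses %s" % (ts.group(1), t) for t in weak]
    # Crypto-ACL flows must be denied in the NAT ACL, else PAT rewrites them before the crypto map
    nat = re.search(r"^ip nat inside source list (\d+)", config, re.M)
    cmap = re.search(r"^\s*match address (\d+)", config, re.M)
    if nat and cmap:
        exempt = {e[1:] for e in parse_acl(lines, int(nat.group(1))) if e[0] == "deny"}
        for e in parse_acl(lines, int(cmap.group(1))):
            if e[0] == "permit" and e[1:] not in exempt:
                findings.append("nat: flow '%s' is not exempted from NAT" % " ".join(e[1:]))
    return findings
```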

remote#debug crypto isakmp
Crypto ISAKMP debugging is on
remote#debug crypto ipsec
Crypto IPSEC debugging is on
remote#ping
Protocol [ip]:
Target IP address: 10.10.10.10
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 20.20.20.20
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/53/56 ms

Enable debug to observe the ISAKMP negotiation between the peers before the SA is allowed to be used for IPsec.

00:36:59: IPSEC(sa_request):
  (key eng.msg.) src= 203.162.11.2, dest= 203.106.10.2,
    src_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
    dest_proxy= 20.20.20.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac,
    lifedur= 3600s and 4608000Kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004

! Interesting traffic from remote to the client triggers ISAKMP Main Mode.
! The ISAKMP negotiation begins in IKE Phase 1 main mode:

00:36:59: ISAKMP: received ke message (1/2)
00:36:59: ISAKMP: local port 500, remote port 500
00:36:59: ISAKMP (0:1): beginning Main Mode exchange

In this mode, ISAKMP negotiates the ISAKMP policy. The side that starts the process sends all the policies it has to its peer; in this configuration that is remote (203.162.11.2). The remote router's peer, the Client router, searches its own policies until it finds one that matches remote's.

00:36:59: ISAKMP (0:1): sending packet to 203.106.10.2 (I) MM_NO_STATE
00:37:00: ISAKMP (0:1): received packet from 203.106.10.2 (I) MM_NO_STATE
00:37:00: ISAKMP (0:1): processing SA payload message ID = 0
00:37:00: ISAKMP (0:1): found peer pre-shared key matching 203.106.10.2
00:37:00: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
00:37:00: ISAKMP:      encryption DES-CBC
00:37:00: ISAKMP:      hash MD5
00:37:00: ISAKMP:      default group 2
00:37:00: ISAKMP:      auth pre-share
00:37:00: ISAKMP:      life type in seconds
00:37:00: ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
00:37:00: ISAKMP (0:1): atts are acceptable Next payload is 0

At this point the two peers have found a matching ISAKMP policy.

00:37:00: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

The pre-shared key used for authentication has been confirmed.

00:37:00: ISAKMP (0:1): sending packet to 203.106.10.2 (I) MM_SA_SETUP
00:37:00: ISAKMP (0:1): received packet from 203.106.10.2 (I) MM_SA_SETUP
00:37:00: ISAKMP (0:1): processing KE payload message ID = 0
00:37:01: ISAKMP (0:1): processing NONCE payload message ID = 0
00:37:01: ISAKMP (0:1): found peer pre-shared key matching 203.106.10.2
00:37:01: ISAKMP (0:1): SKEYID state generated
00:37:01: ISAKMP (0:1): processing vendor id payload
00:37:01: ISAKMP (0:1): processing vendor id payload
00:37:01: ISAKMP (0:1): processing vendor id payload
00:37:01: ISAKMP (0:1): speaking to another IOS box!
00:37:01: ISAKMP (0:1): processing vendor id payload
00:37:01: ISAKMP (1): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
00:37:01: ISAKMP (1): Total payload length: 12
00:37:01: ISAKMP (0:1): sending packet to 203.106.10.2 (I) MM_KEY_EXCH
00:37:01: ISAKMP (0:1): received packet from 203.106.10.2 (I) MM_KEY_EXCH
00:37:01: ISAKMP (0:1): processing ID payload message ID = 0
00:37:01: ISAKMP (0:1): processing HASH payload message ID = 0
00:37:01: ISAKMP (0:1): SA has been authenticated with 203.106.10.2

! Main mode is complete. The peers are now authenticated and the secret key has been generated. Phase 2 Quick Mode begins.

00:37:01: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -391346015
00:37:01: IPSEC(key_engine): got a queue event…
00:37:01: IPSEC(spi_response): getting spi 199818953 for SA from 203.106.10.2 to 203.162.11.2
00:37:01: ISAKMP (0:1): processing HASH payload message ID = -391346015
00:37:01: ISAKMP (0:1): processing SA payload message ID = -391346015
00:37:01: ISAKMP (0:1): Checking IPSec proposal 1
00:37:01: ISAKMP: transform 1, AH_MD5
00:37:01: ISAKMP:   attributes in transform:
00:37:01: ISAKMP:      encaps is 1
00:37:01: ISAKMP:      SA life type in seconds
00:37:01: ISAKMP:      SA life duration (basic) of 3600
00:37:01: ISAKMP:      SA life type in kilobytes
00:37:01: ISAKMP:      SA life duration (VPI) of 0x0 0x46 0x50 0x0
00:37:01: ISAKMP:      authenticator is HMAC-MD5
00:37:01: ISAKMP (0:1): atts are acceptable
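An added example, not part of the original document: a Python parser for the debug crypto isakmp output walked through above. It reconstructs the Main Mode progression (MM_NO_STATE, MM_SA_SETUP, MM_KEY_EXCH), records the Phase 1 attributes the initiator accepted, and flags the weak ones, so an operator can confirm from the log what was actually negotiated rather than what was configured. The sample lines are a constructed excerpt of the log above.

```python
import re

# Constructed excerpt of the 'debug crypto isakmp' output shown above (remote side, initiator).
SAMPLE_DEBUG = """\
00:36:59: ISAKMP (0:1): beginning Main Mode exchange
00:36:59: ISAKMP (0:1): sending packet to 203.106.10.2 (I) MM_NO_STATE
00:37:00: ISAKMP (0:1): received packet from 203.106.10.2 (I) MM_NO_STATE
00:37:00: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
00:37:00: ISAKMP:      encryption DES-CBC
00:37:00: ISAKMP:      hash MD5
00:37:00: ISAKMP:      default group 2
00:37:00: ISAKMP:      auth pre-share
00:37:00: ISAKMP (0:1): atts are acceptable Next payload is 0
00:37:00: ISAKMP (0:1): sending packet to 203.106.10.2 (I) MM_SA_SETUP
00:37:01: ISAKMP (0:1): sending packet to 203.106.10.2 (I) MM_KEY_EXCH
00:37:01: ISAKMP (0:1): SA has been authenticated with 203.106.10.2
00:37:01: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -391346015
"""
MAIN_MODE_ORDER = ["MM_NO_STATE", "MM_SA_SETUP", "MM_KEY_EXCH"]
WEAK = {"encryption": {"DES-CBC", "3DES-CBC"}, "hash": {"MD5"}, "group": {"1", "2"}}

def summarize(debug):
    """Reconstruct the Phase 1 outcome from IOS 'debug crypto isakmp' lines."""
    sa = {"peer": None, "role": None, "states": [], "attrs": {},
          "authenticated": False, "quick_mode": False}
    pending = {}  # attributes of the proposal currently being checked
    for line in debug.splitlines():
        body = line.split(": ", 1)[1] if ": " in line else line  # drop the timestamp
        m = re.match(r"ISAKMP \(\d+:\d+\): (sending packet to|received packet from) (\S+) \((I|R)\) (MM_\w+)", body)
        if m:
            sa["peer"], sa["role"] = m.group(2), m.group(3)
            if m.group(4) not in sa["states"]:
                sa["states"].append(m.group(4))
            continue
        m = re.match(r"ISAKMP:\s+(?:default )?(encryption|hash|group|auth) (\S+)", body)
        if m:
            pending[m.group(1)] = m.group(2)
        elif "atts are acceptable" in body:      # this proposal matched a local policy
            sa["attrs"], pending = dict(pending), {}
        elif "atts are not acceptable" in body:
            pending = {}
        elif "SA has been authenticated" in body:
            sa["authenticated"] = True
        elif "beginning Quick Mode" in body:
            sa["quick_mode"] = True
    sa["complete"] = sa["states"] == MAIN_MODE_ORDER and sa["authenticated"]
    sa["weak"] = [k for k, v in sa["attrs"].items() if v in WEAK.get(k, set())]
    return sa
```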

Posted: 25/07/2014, 08:20