PPPoE AND VPN CONFIGURATION
Interface addresses:
Device   Interface   IP address
Client   Lo0         10.10.10.10/24
         Dialer1     203.106.10.2/24
Remote   E0/0        20.20.20.20/24
         S0/0        203.162.11.2/24
Server   Lo1         203.106.10.1/24
         S0/0        203.162.11.1/24
Full configurations:
remote#sh run
Building configuration...
Current configuration : 1273 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname remote
!
logging rate-limit console 10 except errors
!
memory-size iomem 10
ip subnet-zero
!
!
no ip finger
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 203.106.10.2 255.255.255.0
!
!
crypto ipsec transform-set vnpro ah-md5-hmac esp-des
!
crypto map tam 10 ipsec-isakmp
set peer 203.106.10.2
set transform-set vnpro
match address 110
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface Ethernet0/0
ip address 20.20.20.20 255.255.255.0
ip nat inside
no keepalive
half-duplex
!
interface Serial0/0
ip address 203.162.11.2 255.255.255.0
ip nat outside
crypto map tam
!
interface Serial0/1
no ip address
shutdown
!
ip nat inside source list 100 interface Serial0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 203.162.11.1
no ip http server
!
access-list 100 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 100 permit ip 20.20.20.0 0.0.0.255 any
access-list 110 permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
!
dial-peer cor custom
!
!
!
!
!
line con 0
transport input none
line aux 0
line vty 0 4
!
no scheduler allocate
end
Client#sh run
Building configuration...
Current configuration : 1596 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Client
!
!
ip subnet-zero
!
!
!
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 203.162.11.2 255.255.255.0
!
!
crypto ipsec transform-set vnpro ah-md5-hmac esp-des
!
crypto map tam 10 ipsec-isakmp
set peer 203.162.11.2
set transform-set vnpro
match address 110
!
!
!
voice call carrier capacity active
!
!
!
!
!
!
!
!
mta receive maximum-recipients 0
!
!
!
!
interface Loopback0
ip address 10.10.10.10 255.255.255.0
ip nat inside
!
interface Loopback1
no ip address
!
interface Ethernet0/0
no ip address
half-duplex
pppoe enable
pppoe-client dial-pool-number 1
!
interface Serial0/0
no ip address
shutdown
no fair-queue
!
interface Serial0/1
no ip address
shutdown
!
interface Dialer1
mtu 1492
ip address 203.106.10.2 255.255.255.0
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
crypto map tam
!
ip nat inside source list 100 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 203.106.10.1
ip http server
!
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 110 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
dialer-list 1 protocol ip permit
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
Server#sh run
Building configuration...
Current configuration : 858 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Server
!
logging queue-limit 100
!
ip subnet-zero
!
!
!
vpdn enable
!
vpdn-group 1
accept-dialin
protocol pppoe
virtual-template 1
!
mpls ldp logging neighbor-changes
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
!
!
interface Loopback1
ip address 203.106.10.1 255.255.255.0
!
interface Ethernet0/0
no ip address
half-duplex
pppoe enable
!
interface Serial0/0
ip address 203.162.11.1 255.255.255.0
clockrate 64000
no fair-queue
!
interface Virtual-Template1
ip unnumbered Loopback1
!
ip http server
ip classless
!
!
!
!
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
Step-by-step configuration: this lab only configures the PPPoE and VPN parts; the rest of the configuration is assumed to be already known.
• PPPoE configuration:
Server:
Create the vpdn group:
Server(config)#vpdn enable
Server(config)#vpdn-group 1
Server(config-vpdn)#accept-dialin
Server(config-vpdn-acc-in)#protocol pppoe
Enable vpdn so that PPPoE sessions can be established
Server(config-vpdn-acc-in)#virtual-template 1 <- use a virtual-template to talk to the client
Server(config-vpdn-acc-in)#exit
Server(config)#int lo1
Server(config-if)#ip add 203.106.10.1 255.255.255.0
Server(config-if)#int e0/0
Server(config-if)#pppoe enable <- enable PPPoE on the interface connected to the client
Create the virtual-template interface:
Server(config)#int virtual-template 1
Server(config-if)#ip unnumbered lo1
Client:
Create the vpdn group:
Client(config)#vpdn enable
Client(config)#vpdn-group 1
Client(config-vpdn)#request-dialin
Client(config-vpdn-req-in)#protocol pppoe
Enable PPPoE on the interface connected to the server
Client(config)#int e0/0
Client(config-if)#pppoe enable
Bind interface e0/0 to the dialer interface, which sets up the encapsulation for the PPPoE client
Client(config-if)#pppoe-client dial-pool-number 1
Client(config-if)#exit
Configure the dialer interface:
Client(config)#int dialer 1
Client(config-if)#mtu 1492
Client(config-if)#ip add 203.106.10.2 255.255.255.0
Client(config-if)#ip nat outside
Client(config-if)#encapsulation ppp
Client(config-if)#dialer pool 1
Client(config-if)#dialer-group 1
Client(config-if)#exit
Client(config)#access-list 1 permit 10.10.10.0 0.0.0.255
Client(config)#dialer-list 1 protocol ip permit
Configure PAT:
Client(config)#ip nat inside source list 100 interface Dialer1 overload
Client(config)#access-list 100 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
Client(config)#access-list 100 permit ip 10.10.10.0 0.0.0.255 any
Turn on debug and use show commands to verify the connection between Server and Client:
Client(config)#debug ip nat
Client#ping
Protocol [ip]:
Target IP address: 203.106.10.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.10.10.10
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.106.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/12/44 ms
*Mar 1 01:28:19.438: NAT: s=10.10.10.10->203.106.10.2, d=203.106.10.1 [50]
*Mar 1 01:28:19.438: NAT*: s=203.106.10.1, d=203.106.10.2->10.10.10.10 [50]
*Mar 1 01:28:19.442: NAT: s=10.10.10.10->203.106.10.2, d=203.106.10.1 [51]
*Mar 1 01:28:19.446: NAT*: s=203.106.10.1, d=203.106.10.2->10.10.10.10 [51]
Client#SH INT
Ethernet0/0 is up, line protocol is up
Hardware is AmdP2, address is 000b.5f9a.d0e0 (bia 000b.5f9a.d0e0)
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:32, output 00:00:03, output hang never
Last clearing of "show interface" counters never
<omitted>
Virtual-Access1 is up, line protocol is up
Hardware is Virtual Access interface
MTU 1492 bytes, BW 56 Kbit, DLY 100000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, loopback not set
Interface is bound to Di1 (Encapsulation PPP)
LCP Open
Listen: CDPCP
Open: IPCP
Last input 00:00:01, output never, output hang never
Last clearing of "show interface" counters 00:06:35
Dialer1 is up, line protocol is up (spoofing)
Hardware is Unknown
Internet address is 203.106.10.2/24
MTU 1492 bytes, BW 56 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, loopback not set
DTR is pulsed for 1 seconds on reset
Interface is bound to Vi1
Bound to:
Virtual-Access1 is up, line protocol is up
Hardware is Virtual Access interface
MTU 1492 bytes, BW 56 Kbit, DLY 100000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, loopback not set
Interface is bound to Di1 (Encapsulation PPP)
LCP Open
Listen: CDPCP
Open: IPCP
Server#SH INTER
Ethernet0/0 is up, line protocol is up
Hardware is AmdP2, address is 0009.e8d8.f840 (bia 0009.e8d8.f840)
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
ARP type: ARPA, ARP Timeout 04:00:00
Virtual-Access1 is up, line protocol is up
Hardware is Virtual Access interface
MTU 1492 bytes, BW 100000 Kbit, DLY 100000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Base PPPoE vaccess, loopback not set
DTR is pulsed for 5 seconds on reset
Virtual-Access1.1 is up, line protocol is up
Hardware is Virtual Access interface
Interface is unnumbered. Using address of Loopback1 (203.106.10.1)
MTU 1492 bytes, BW 100000 Kbit, DLY 100000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, LCP Open
Open: IPCP
PPPoE vaccess, cloned from Virtual-Template1
85 packets input, 3414 bytes
87 packets output, 3499 bytes
Last clearing of "show interface" counters never
• VPN configuration for Client and remote:
Configuring the VPN means configuring two phases:
- Phase 1 (IKE phase 1, also called ISAKMP): the phase that generates keys, protects them and exchanges them.
If phase 1 succeeds, negotiation moves on to phase 2.
- Phase 2: the phase that applies the IPSEC policy to protect the data.
The configuration is as follows:
Phase 1:
Client(config)#crypto isakmp enable
Client(config)#crypto isakmp key cisco address 203.162.11.2 255.255.255.0
Client(config)#crypto isakmp policy 10
Client(config-isakmp)#authentication pre-share
Client(config-isakmp)#encryption des
Client(config-isakmp)#hash md5
Client(config-isakmp)#group 2
Client(config-isakmp)#exit
Client(config)#crypto isakmp identity address
remote(config)#crypto isakmp enable
remote(config)#crypto isakmp key cisco address 203.106.10.2 255.255.255.0
remote(config)#crypto isakmp policy 10
remote(config-isakmp)#authentication pre
remote(config-isakmp)#encryption des
remote(config-isakmp)#hash md5
remote(config-isakmp)#group 2
remote(config-isakmp)#exit
remote(config)#crypto isakmp identity address
Phase 2:
Client(config)#access-list 110 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
Client(config)#crypto ipsec transform-set vnpro esp-des ah-md5-hmac
Client(cfg-crypto-trans)#exit
Client(config)#crypto map tam 10 ipsec-isakmp
Client(config-crypto-map)#set peer 203.162.11.2
Client(config-crypto-map)#set transform-set vnpro
Client(config-crypto-map)#match add 110
Client(config-crypto-map)#exit
Client(config)#int dialer 1
Client(config-if)#crypto map tam
remote(config)#access-list 110 permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
remote(config)#crypto ipsec transform-set vnpro esp-des ah-md5-hmac
remote(cfg-crypto-trans)#exit
remote(config)#crypto map tam 10 ipsec-isakmp
remote(config-crypto-map)#set peer 203.106.10.2
remote(config-crypto-map)#set tran
remote(config-crypto-map)#set transform-set vnpro
remote(config-crypto-map)#match add 110
remote(config-crypto-map)#exit
remote(config)#int s0/0
remote(config-if)#crypto map tam
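Before turning on debugging, it is worth checking the two sides against each other mechanically. The script below is an added example, not part of the lab write-up: it parses the crypto, NAT and interface statements from the Client and remote running-configs shown above (re-indented with the one-space subcommand indentation IOS uses, which the page lost), checks that the crypto ACLs mirror each other, that the PAT ACL (list 100 from the PPPoE section) exempts the VPN flow before the crypto map sees it, that each side's `set peer` is the address on which the other side applies its crypto map, and that the ISAKMP policy and transform set agree. It also flags the weak choices this lab makes (single DES, MD5, DH group 2, and a pre-shared key bound to a /24 rather than to one peer address). The function names `parse_ios`, `audit` and `run` are my own.

```python
"""Cross-check a Cisco IOS site-to-site IPsec pair and flag weak settings.
Added example (not from the lab). The fragments below are the crypto, NAT and
interface statements of the lab's Client and remote configs, IOS-indented."""
from collections import defaultdict

CLIENT_CFG = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 203.162.11.2 255.255.255.0
crypto ipsec transform-set vnpro ah-md5-hmac esp-des
crypto map tam 10 ipsec-isakmp
 set peer 203.162.11.2
 set transform-set vnpro
 match address 110
interface Dialer1
 ip address 203.106.10.2 255.255.255.0
 crypto map tam
ip nat inside source list 100 interface Dialer1 overload
access-list 100 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 110 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
"""
REMOTE_CFG = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 203.106.10.2 255.255.255.0
crypto ipsec transform-set vnpro ah-md5-hmac esp-des
crypto map tam 10 ipsec-isakmp
 set peer 203.106.10.2
 set transform-set vnpro
 match address 110
interface Serial0/0
 ip address 203.162.11.2 255.255.255.0
 crypto map tam
ip nat inside source list 100 interface Serial0/0 overload
access-list 100 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 100 permit ip 20.20.20.0 0.0.0.255 any
access-list 110 permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
"""

def parse_ios(cfg):
    """Group indented subcommands under their parent line and pull out what the audit needs."""
    blocks, p = [], {"keys": [], "tsets": {}, "acl": defaultdict(list)}
    for line in cfg.splitlines():
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.split())
        elif line.split():
            blocks.append((line.split(), []))
    for head, body in blocks:
        if head[:3] == ["crypto", "isakmp", "policy"]:
            p["policy"] = {"encryption": "des", **{b[0]: b[1] for b in body}}  # des = IOS default
        elif head[:3] == ["crypto", "isakmp", "key"]:
            p["keys"].append((head[5], head[6]))                     # (peer address, mask)
        elif head[:3] == ["crypto", "ipsec", "transform-set"]:
            p["tsets"][head[3]] = frozenset(head[4:])
        elif head[:2] == ["crypto", "map"]:
            p["cmap"] = {"name": head[2], **{" ".join(b[:-1]): b[-1] for b in body}}
        elif head[0] == "interface" and ["crypto", "map", p.get("cmap", {}).get("name")] in body:
            p["map_if_addr"] = next(b[2] for b in body if b[:2] == ["ip", "address"])
        elif head[0] == "access-list":
            p["acl"][head[1]].append(head[2:])
        elif head[:4] == ["ip", "nat", "inside", "source"]:
            p["nat_acl"] = head[5]
    return p

def audit(a_name, a, b_name, b):
    """Return (mismatches, weak): cross-side consistency problems, then weak algorithms/keys."""
    mism, weak, flows, sides = [], [], {}, ((a_name, a), (b_name, b))
    for name, p in sides:
        # flows this side encrypts, as (src, src-wildcard, dst, dst-wildcard)
        flows[name] = {tuple(e[2:6]) for e in p["acl"][p["cmap"]["match address"]] if e[0] == "permit"}
        # NAT exemption: each VPN flow needs a deny before the first permit of the PAT ACL,
        # otherwise the packet is translated first and never matches the crypto ACL
        nat = p["acl"][p["nat_acl"]]
        first_permit = next((i for i, e in enumerate(nat) if e[0] == "permit"), len(nat))
        exempt = {tuple(e[2:6]) for e in nat[:first_permit] if e[0] == "deny"}
        for f in flows[name] - exempt:
            mism.append(f"{name}: VPN flow {f[0]}->{f[2]} is not exempted from PAT (list {p['nat_acl']})")
        pol, ts = p["policy"], p["tsets"][p["cmap"]["set transform-set"]]
        if pol["encryption"] == "des" or "esp-des" in ts:
            weak.append(f"{name}: single DES")
        if pol["hash"] == "md5" or ts & {"ah-md5-hmac", "esp-md5-hmac"}:
            weak.append(f"{name}: MD5 integrity")
        if pol["group"] in ("1", "2", "5"):
            weak.append(f"{name}: DH group {pol['group']}")
        for addr, mask in p["keys"]:
            if mask != "255.255.255.255":
                weak.append(f"{name}: pre-shared key for {addr} {mask} is valid for a whole subnet, not one peer")
    if {(d, dw, s, sw) for s, sw, d, dw in flows[a_name]} != flows[b_name]:
        mism.append("crypto ACLs are not mirror images of each other")
    for (x_name, x), (y_name, y) in (sides, sides[::-1]):
        if x["cmap"]["set peer"] != y["map_if_addr"]:
            mism.append(f"{x_name} peers with {x['cmap']['set peer']} but {y_name} applies its map on {y['map_if_addr']}")
    if a["policy"] != b["policy"] or a["tsets"] != b["tsets"]:
        mism.append("ISAKMP policy or transform set differ between the two sides")
    return mism, weak

def run():
    return audit("Client", parse_ios(CLIENT_CFG), "remote", parse_ios(REMOTE_CFG))

if __name__ == "__main__":
    for kind, items in zip(("MISMATCH", "WEAK"), run()):
        print(*(f"{kind}: {i}" for i in items), sep="\n")
```

On the lab's configs `run()` reports no mismatches and eight weak-setting findings (four per side). Deleting the `deny` line from one PAT ACL, or changing one `set peer`, produces exactly the mismatch a reviewer would otherwise have to find by reading both configs side by side.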
remote#debug crypto isakmp
Crypto ISAKMP debugging is on
remote#debug crypto ipsec
Crypto IPSEC debugging is on
remote#ping
Protocol [ip]:
Target IP address: 10.10.10.10
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 20.20.20.20
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/53/56 ms
Debugging is enabled to observe the ISAKMP negotiation between the peers before the SA is allowed to be used by IPSEC.
00:36:59: IPSEC(sa_request):
(key eng.msg.) src= 203.162.11.2, dest= 203.106.10.2,
src_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
dest_proxy= 20.20.20.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac,
lifedur= 3600s and 4608000Kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
! Interesting traffic from remote to Client triggers ISAKMP Main Mode.
! The ISAKMP negotiation begins with IKE Phase 1 Main Mode:
00:36:59: ISAKMP: received ke message (1/2)
00:36:59: ISAKMP: local port 500, remote port 500
00:36:59: ISAKMP (0:1): beginning Main Mode exchange
In this mode ISAKMP negotiates the ISAKMP policy. The side that initiates sends all the policies it has to its peer; in this configuration that is remote (203.162.11.2). Its peer, router Client, searches its own policies until it finds one that matches remote's.
00:36:59: ISAKMP (0:1): sending packet to 203.106.10.2 (I) MM_NO_STATE
00:37:00: ISAKMP (0:1): received packet from 203.106.10.2 (I) MM_NO_STATE
00:37:00: ISAKMP (0:1): processing SA payload. message ID = 0
00:37:00: ISAKMP (0:1): found peer pre-shared key matching 203.106.10.2
00:37:00: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
00:37:00: ISAKMP: encryption DES-CBC
00:37:00: ISAKMP: hash MD5
00:37:00: ISAKMP: default group 2
00:37:00: ISAKMP: auth pre-share
00:37:00: ISAKMP: life type in seconds
00:37:00: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
00:37:00: ISAKMP (0:1): atts are acceptable. Next payload is 0
At this point the two peers have found a matching ISAKMP policy.
00:37:00: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
The pre-shared key used for authentication has been confirmed.
00:37:00: ISAKMP (0:1): sending packet to 203.106.10.2 (I) MM_SA_SETUP
00:37:00: ISAKMP (0:1): received packet from 203.106.10.2 (I) MM_SA_SETUP
00:37:00: ISAKMP (0:1): processing KE payload. message ID = 0
00:37:01: ISAKMP (0:1): processing NONCE payload. message ID = 0
00:37:01: ISAKMP (0:1): found peer pre-shared key matching 203.106.10.2
00:37:01: ISAKMP (0:1): SKEYID state generated
00:37:01: ISAKMP (0:1): processing vendor id payload
00:37:01: ISAKMP (0:1): processing vendor id payload
00:37:01: ISAKMP (0:1): processing vendor id payload
00:37:01: ISAKMP (0:1): speaking to another IOS box!
00:37:01: ISAKMP (0:1): processing vendor id payload
00:37:01: ISAKMP (1): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
00:37:01: ISAKMP (1): Total payload length: 12
00:37:01: ISAKMP (0:1): sending packet to 203.106.10.2 (I) MM_KEY_EXCH
00:37:01: ISAKMP (0:1): received packet from 203.106.10.2 (I) MM_KEY_EXCH
00:37:01: ISAKMP (0:1): processing ID payload. message ID = 0
00:37:01: ISAKMP (0:1): processing HASH payload. message ID = 0
00:37:01: ISAKMP (0:1): SA has been authenticated with 203.106.10.2
! Main Mode is complete. The peers are now authenticated and the secret keys have been generated. Phase 2 Quick Mode begins.
00:37:01: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -391346015
00:37:01:IPSEC(key_engine): got a queue event…
00:37:01:IPSEC(spi_response): getting spi 199818953 for SA from 203.106.10.2 to 203.162.11.2
00:37:01: ISAKMP (0:1): processing HASH payload. message ID = -391346015
00:37:01: ISAKMP (0:1): processing SA payload. message ID = -391346015
00:37:01: ISAKMP (0:1): Checking IPSec proposal 1
00:37:01: ISAKMP: transform 1, AH_MD5
00:37:01: ISAKMP: attributes in transform:
00:37:01: ISAKMP: encaps is 1
00:37:01: ISAKMP: SA life type in seconds
00:37:01: ISAKMP: SA life duration (basic) of 3600
00:37:01: ISAKMP: SA life type in kilobytes
00:37:01: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
00:37:01: ISAKMP: authenticator is HMAC-MD5
00:37:01: ISAKMP (0:1): atts are acceptable.
00:37:01: ISAKMP (0:1): Checking IPSec proposal 1
00:37:01: ISAKMP: transform 1, ESP_DES
00:37:01: ISAKMP: attributes in transform
00:37:01: ISAKMP: encaps is 1
00:37:01: ISAKMP: SA life type in seconds
00:37:01: ISAKMP: SA life duration (basic) of 3600
00:37:01: ISAKMP: SA life type in kilobytes
00:37:01: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
00:37:01: ISAKMP (0:1): atts are acceptable.
00:37:01: IPSEC(validate_proposal_request): proposal part #1,
(key eng.msg.) src= 203.162.11.2, dest= 203.106.10.2,
src_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
dest_proxy= 20.20.20.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac,
lifedur= 3600s and 4608000Kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
00:37:01: ISAKMP (0:1): processing NONCE payload. message ID = -391346015
00:37:01: ISAKMP (0:1): processing ID payload. message ID = -391346015
00:37:01: ISAKMP (0:1): processing ID payload. message ID = -391346015
! The IPSEC policy has been negotiated and verified.
! Next the SAs are established.
00:37:01: ISAKMP (0:1): Creating IPSec SAs
00:37:01: inbound SA from 203.106.10.2 to 203.162.11.2
(proxy 10.10.10.0 to 20.20.20.0)
00:37:01: has spi 0x75B29B72 and conn_id 2000 and flags 4
00:37:01: lifetime of 3600 seconds
00:37:01: lifetime of 4608000 kilobytes
00:37:01: outbound SA from 203.162.11.2 to 203.106.10.2 (proxy 20.20.20.0 to 10.10.10.0 )
00:37:01: has spi 721289306 and conn_id 2001 and flags 4
00:37:01: lifetime of 3600 seconds
00:37:01: lifetime of 4608000 kilobytes
00:37:01: ISAKMP (0:1): Creating IPSec SAs
00:37:01: inbound SA from 203.106.10.2 to 203.162.11.2
(proxy 10.10.10.0 to 20.20.20.0)
00:37:01: has spi 0x609CD1A8 and conn_id 2002 and flags 4
00:37:01: lifetime of 3600 seconds
00:37:01: lifetime of 4608000 kilobytes
00:37:01: outbound SA from 203.162.11.2 to 203.106.10.2 (proxy 20.20.20.0 to 10.10.10.0 )
00:37:01: has spi 199818953 and conn_id 2003 and flags 4
00:37:01: lifetime of 3600 seconds
00:37:01: lifetime of 4608000 kilobytes
00:37:01: IPSEC(key_engine) : got a queue event…
00:37:01: IPSEC(initialize_sas):,
(key eng.msg.) src= 203.162.11.2, dest= 203.106.10.2,
src_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
dest_proxy= 20.20.20.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac,
lifedur= 3600s and 4608000Kb,
spi= 0x609CD1A8 (199818953), conn_id= 2002, keysize= 0, flags= 0x4
! The IPSEC SAs are established and data can now be exchanged securely.
Địa chỉ của các interface :
Device Interface Ip address
Client Lo0
Dialer1 10.10.10.10/24
203.106.10.2/24
Remote E0/0
S0/0 20.20.20.20/24
203.162.11.2/24
Server Lo1
S0/0 203.106.10.1/24
203.162.11.1/24
Cấu hình toàn bộ :
remote#sh run
Building configuration...
Current configuration : 1273 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname remote
!
logging rate-limit console 10 except errors
!
memory-size iomem 10
ip subnet-zero
!
!
no ip finger
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 203.106.10.2 255.255.255.0
!
!
crypto ipsec transform-set vnpro ah-md5-hmac esp-des
!
crypto map tam 10 ipsec-isakmp
set peer 203.106.10.2
set transform-set vnpro
match address 110
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface Ethernet0/0
ip address 20.20.20.20 255.255.255.0
ip nat inside
no keepalive
half-duplex
!
interface Serial0/0
ip address 203.162.11.2 255.255.255.0
ip nat outside
crypto map tam
!
interface Serial0/1
no ip address
shutdown
!
ip nat inside source list 100 interface Serial0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 203.162.11.1
no ip http server
!
access-list 100 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 100 permit ip 20.20.20.0 0.0.0.255 any
access-list 110 permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
!
dial-peer cor custom
!
!
!
!
!
line con 0
transport input none
line aux 0
line vty 0 4
!
no scheduler allocate
end
Client#sh run
Building configuration...
Current configuration : 1596 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Client
!
!
ip subnet-zero
!
!
!
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 203.162.11.2 255.255.255.0
!
!
crypto ipsec transform-set vnpro ah-md5-hmac esp-des
!
crypto map tam 10 ipsec-isakmp
set peer 203.162.11.2
set transform-set vnpro
match address 110
!
!
!
voice call carrier capacity active
!
!
!
!
!
!
!
!
mta receive maximum-recipients 0
!
!
!
!
interface Loopback0
ip address 10.10.10.10 255.255.255.0
ip nat inside
!
interface Loopback1
no ip address
!
interface Ethernet0/0
no ip address
half-duplex
pppoe enable
pppoe-client dial-pool-number 1
!
interface Serial0/0
no ip address
shutdown
no fair-queue
!
interface Serial0/1
no ip address
shutdown
!
interface Dialer1
mtu 1492
ip address 203.106.10.2 255.255.255.0
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
crypto map tam
!
ip nat inside source list 100 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 203.106.10.1
ip http server
!
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 110 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
dialer-list 1 protocol ip permit
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
Server#sh run
Building configuration...
Current configuration : 858 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Server
!
logging queue-limit 100
!
ip subnet-zero
!
!
!
vpdn enable
!
vpdn-group 1
accept-dialin
protocol pppoe
virtual-template 1
!
mpls ldp logging neighbor-changes
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
!
!
interface Loopback1
ip address 203.106.10.1 255.255.255.0
!
interface Ethernet0/0
no ip address
half-duplex
pppoe enable
!
interface Serial0/0
ip address 203.162.11.1 255.255.255.0
clockrate 64000
no fair-queue
!
interface Virtual-Template1
ip unnumbered Loopback1
!
ip http server
ip classless
!
!
!
!
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
Cấu hình từng bước : Trong bài này chỉ cấu hình phần PPPoE và VPN. Các cấu hình còn lại coi như đã biết.
• Cấu hình PPPoE :
Server :
Tạo vpdn group :
Server(config)#vpdn enable
Server(config)#vpdn-group 1
Server(config-vpdn)#accept-dialin
Server(config-vpdn-acc-in)#protocol pppoe
Bật tính năng vpdn để thiết lập các PPPoE session
Server(config-vpdn-acc-in)#virtual-template 1 <- sử dụng virtual để giao tiếp với client
Server(config-vpdn-acc-in)#exit
Server(config)#int lo1
Server(config-if)#ip add 203.106.10.1 255.255.255.0
Server(config-if)#int e0/0
Server(config-if)#pppoe enable <- bật PPPoE trên interface kết nối với client
Tạo interface virtual-template :
Server(config)#int virtual-template 1
Server(config-if)#ip unnumbered lo1
Client :
Tạo vpdn group :
Client(config)#vpdn enable
Client(config)#vpdn-group 1
Client(config-vpdn)#request-dialin
Client(config-vpdn-req-in)#protocol pppoe
Bật PPPoE trên interface nối với server
Client(config)#int e0/0
Client(config-if)#pppoe enable
Kết hợp interface e0/0 với interface dialer để thiết lập encapsulation cho PPPoE client
Client(config-if)#pppoe-client dial-pool-number 1
Client(config-if)#exit
Cấu hình interface dialer :
Client(config)#int dialer 1
Client(config-if)#mtu 1492
Client(config-if)#ip add 203.106.10.2 255.255.255.0
Client(config-if)#ip nat outside
Client(config-if)#encapsulation ppp
Client(config-if)#dialer pool 1
Client(config-if)#dialer-group 1
Client(config-if)#exit
Client(config)#access-list 1 permit 10.10.10.0 0.0.0.255
Client(config)#dialer-list 1 protocol ip permit
Tạo PAT :
Client(config)#ip nat inside source list 100 interface Dialer1 overload
Client(config)#access-list 100 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
Client(config)#access-list 100 permit ip 10.10.10.0 0.0.0.255 any
Bật các lệnh debug và lệnh show để kiểm tra kết nối giữa Server và Client :
Client(config)#debug ip nat
Client#ping
Protocol [ip]:
Target IP address: 203.106.10.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.10.10.10
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.106.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/12/44 ms
*Mar 1 01:28:19.438: NAT: s=10.10.10.10->203.106.10.2, d=203.106.10.1 [50]
*Mar 1 01:28:19.438: NAT*: s=203.106.10.1, d=203.106.10.2->10.10.10.10 [50]
*Mar 1 01:28:19.442: NAT: s=10.10.10.10->203.106.10.2, d=203.106.10.1 [51]
*Mar 1 01:28:19.446: NAT*: s=203.106.10.1, d=203.106.10.2->10.10.10.10 [51]
Client#SH INT
Ethernet0/0 is up, line protocol is up
Hardware is AmdP2, address is 000b.5f9a.d0e0 (bia 000b.5f9a.d0e0)
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:32, output 00:00:03, output hang never
Last clearing of "show interface" counters never
<omitted>
Virtual-Access1 is up, line protocol is up
Hardware is Virtual Access interface
MTU 1492 bytes, BW 56 Kbit, DLY 100000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, loopback not set
Interface is bound to Di1 (Encapsulation PPP)
LCP Open
Listen: CDPCP
Open: IPCP
Last input 00:00:01, output never, output hang never
Last clearing of "show interface" counters 00:06:35
Dialer1 is up, line protocol is up (spoofing)
Hardware is Unknown
Internet address is 203.106.10.2/24
MTU 1492 bytes, BW 56 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, loopback not set
DTR is pulsed for 1 seconds on reset
Interface is bound to Vi1
Bound to:
Virtual-Access1 is up, line protocol is up
Hardware is Virtual Access interface
MTU 1492 bytes, BW 56 Kbit, DLY 100000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, loopback not set
Interface is bound to Di1 (Encapsulation PPP)
LCP Open
Listen: CDPCP
Open: IPCP
Server#SH INTER
Ethernet0/0 is up, line protocol is up
Hardware is AmdP2, address is 0009.e8d8.f840 (bia 0009.e8d8.f840)
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
ARP type: ARPA, ARP Timeout 04:00:00
Virtual-Access1 is up, line protocol is up
Hardware is Virtual Access interface
MTU 1492 bytes, BW 100000 Kbit, DLY 100000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Base PPPoE vaccess, loopback not set
DTR is pulsed for 5 seconds on reset
Virtual-Access1.1 is up, line protocol is up
Hardware is Virtual Access interface
Interface is unnumbered. Using address of Loopback1 (203.106.10.1)
MTU 1492 bytes, BW 100000 Kbit, DLY 100000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, LCP Open
Open: IPCP
PPPoE vaccess, cloned from Virtual-Template1
85 packets input, 3414 bytes
87 packets output, 3499 bytes
Last clearing of "show interface" counters never
• Cấu hình VPN cho Client và remote :
Để cấu hình VPN ta cấu hình 2 phase :
- Phase 1 (IKE phase 1 hay còn gọi là ISAKMP ) : là phase dùng để tạo key, mã hoá key, và trao đổi key.
Nếu phase 1 thành công sẽ chuyển sang phase 2
- Phase 2 : là phase sử dụng IPSEC policy để bảo mật data.
Cấu hình như sau :
Phase 1 :
Client(config)#crypto isakmp enable
Client(config)#crypto isakmp key cisco address 203.162.11.2 255.255.255.0
Client(config)#crypto isakmp policy 10
Client(config-isakmp)#authentication pre-share
Client(config-isakmp)#encryption des
Client(config-isakmp)#hash md5
Client(config-isakmp)#group 2
Client(config-isakmp)#exit
Client(config)#crypto isakmp identity address
remote(config)#crypto isakmp enable
remote(config)#crypto isakmp key cisco address 203.106.10.2 255.255.255.0
remote(config)#crypto isakmp policy 10
remote(config-isakmp)#authentication pre
remote(config-isakmp)#encryption des
remote(config-isakmp)#hash md5
remote(config-isakmp)#group 2
remote(config-isakmp)#exit
remote(config)#crypto isakmp identity address
Phase 2 :
Client(config)#access-list 110 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
Client(config)#crypto ipsec transform-set vnpro esp-des ah-md5-hmac
Client(cfg-crypto-trans)#exit
Client(config)#crypto map tam 10 ipsec-isakmp
Client(config-crypto-map)#set peer 203.162.11.2
Client(config-crypto-map)#set transform-set vnpro
Client(config-crypto-map)#match add 110
Client(config-crypto-map)#exit
Client(config)#int dialer 1
Client(config-if)#crypto map tam
remote(config)#access-list 110 permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
remote(config)#crypto ipsec transform-set vnpro esp-des ah-md5-hmac
remote(cfg-crypto-trans)#exit
remote(config)#crypto map tam 10 ipsec-isakmp
remote(config-crypto-map)#set peer 203.106.10.2
remote(config-crypto-map)#set tran
remote(config-crypto-map)#set transform-set vnpro
remote(config-crypto-map)#match add 110
remote(config-crypto-map)#exit
remote(config)#int s0/0
remote(config-if)#crypto map tam
remote#debug crypto isakmp
Crypto ISAKMP debugging is on
remote#debug crypto ipsec
Crypto IPSEC debugging is on
remote#ping
Protocol [ip]:
Target IP address: 10.10.10.10
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 20.20.20.20
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/53/56 ms
Bật debug để quan sát quá trình ISAKMP negotiate giữa các peer trước khi cho phép SA được sử dụng cho IPSEC .
00:36:59: IPSEC(sa_request):
(key eng.msg.) src= 203.162.11.2, dest= 203.106.10.2,
src_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
dest_proxy= 20.20.20.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac,
lifedur= 3600s and 4608000Kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
!Interesting traffic từ remote đến client kích thích ISAKMP Main Mode.
! Quá trình ISAKMP negotiate bắt đầu trong IKE Phase 1 main mode :
00:36:59: ISAKMP: received ke message (1/2)
00:36:59: ISAKMP: local port 500, remote port 500
00:36:59: ISAKMP (0:1): beginning Main Mode exchange
Tại mode này, ISAKMP sẽ negotiate ISAKMP policy. Bên nào bắt đầu quá trình này trước sẽ gửi tất cả các policy mà nó có đến peer của nó. Trong cấu hình này là remote (203.162.11.2).Peer của router remote là router Client sẽ tìm trong các policy của nó cho đến khi có policy mactch với remote.
00:36:59: ISAKMP (0:1): sending packet to 203.106.10.2 (I) MM_NO_STATE
00:37:00: ISAKMP (0:1): received packet from 203.106.10.2 (I) MM_NO_STATE
00:37:00: ISAKMP (0:1): processing SA payload. message ID = 0
00:37:00: ISAKMP (0:1): found peer pre-shared key matching 203.106.10.2
00:37:00: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
00:37:00: ISAKMP: encryption DES-CBC
00:37:00: ISAKMP: hash MD5
00:37:00: ISAKMP: default group 2
00:37:00: ISAKMP: auth pre-share
00:37:00: ISAKMP: life type in seconds
00:37:00: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
00:37:00: ISAKMP (0:1): atts are acceptable. Next payload is 0
Tại đây 2 peer đã tìm thấy matching ISAKMP policy.
00:37:00: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Pre-share key dành cho xác thực đã được xác nhận.
00:37:00: ISAKMP (0:1): sending packet to 203.106.10.2 (I) MM_SA_SETUP
00:37:00: ISAKMP (0:1): received packet from 203.106.10.2 (I) MM_SA_SETUP
00:37:00: ISAKMP (0:1): processing KE payload. message ID = 0
00:37:01: ISAKMP (0:1): processing NONCE payload. message ID = 0
00:37:01: ISAKMP (0:1): found peer pre-shared key matching 203.106.10.2
00:37:01: ISAKMP (0:1): SKEYID state generated
00:37:01: ISAKMP (0:1): processing vendor id payload
00:37:01: ISAKMP (0:1): processing vendor id payload
00:37:01: ISAKMP (0:1): processing vendor id payload
00:37:01: ISAKMP (0:1): speaking to another IOS box!
00:37:01: ISAKMP (0:1): processing vendor id payload
00:37:01: ISAKMP (1): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
00:37:01: ISAKMP (1): Total payload length: 12
00:37:01: ISAKMP (0:1): sending packet to 203.106.10.2 (I) MM_KEY_EXCH
00:37:01: ISAKMP (0:1): received packet from 203.106.10.2 (I) MM_KEY_EXCH
00:37:01: ISAKMP (0:1): processing ID payload. message ID = 0
00:37:01: ISAKMP (0:1): processing HASH payload. message ID = 0
00:37:01: ISAKMP (0:1): SA has been authenticated with 203.106.10.2
! Main Mode is complete. The peers have now been authenticated and the shared secret key has been generated. Phase 2 Quick Mode begins.
00:37:01: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -391346015
00:37:01:IPSEC(key_engine): got a queue event…
00:37:01:IPSEC(spi_response): getting spi 199818953 for SA from 203.106.10.2 to 203.162.11.2
00:37:01: ISAKMP (0:1): processing HASH payload. message ID = -391346015
00:37:01: ISAKMP (0:1): processing SA payload. message ID = -391346015
00:37:01: ISAKMP (0:1): Checking IPSec proposal 1
00:37:01: ISAKMP: transform 1, AH_MD5
00:37:01: ISAKMP: attributes in transform:
00:37:01: ISAKMP: encaps is 1
00:37:01: ISAKMP: SA life type in seconds
00:37:01: ISAKMP: SA life duration (basic) of 3600
00:37:01: ISAKMP: SA life type in kilobytes
00:37:01: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
00:37:01: ISAKMP: authenticator is HMAC-MD5
00:37:01: ISAKMP (0:1): atts are acceptable.
00:37:01: ISAKMP (0:1): Checking IPSec proposal 1
00:37:01: ISAKMP: transform 1, ESP_DES
00:37:01: ISAKMP: attributes in transform
00:37:01: ISAKMP: encaps is 1
00:37:01: ISAKMP: SA life type in seconds
00:37:01: ISAKMP: SA life duration (basic) of 3600
00:37:01: ISAKMP: SA life type in kilobytes
00:37:01: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
00:37:01: ISAKMP (0:1): atts are acceptable.
00:37:01: IPSEC(validate_proposal_request): proposal part #1,
(key eng.msg.) src= 203.162.11.2, dest= 203.106.10.2,
src_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
dest_proxy= 20.20.20.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac,
lifedur= 3600s and 4608000Kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
00:37:01: ISAKMP (0:1): processing NONCE payload. message ID = -391346015
00:37:01: ISAKMP (0:1): processing ID payload. message ID = -391346015
00:37:01: ISAKMP (0:1): processing ID payload. message ID = -391346015
! The IPSEC policy has been negotiated and authenticated.
! Next comes the SA establishment.
00:37:01: ISAKMP (0:1): Creating IPSec SAs
00:37:01: inbound SA from 203.106.10.2 to 203.162.11.2
(proxy 10.10.10.0 to 20.20.20.0)
00:37:01: has spi 0x75B29B72 and conn_id 2000 and flags 4
00:37:01: lifetime of 3600 seconds
00:37:01: lifetime of 4608000 kilobytes
00:37:01: outbound SA from 203.162.11.2 to 203.106.10.2 (proxy 20.20.20.0 to 10.10.10.0 )
00:37:01: has spi 721289306 and conn_id 2001 and flags 4
00:37:01: lifetime of 3600 seconds
00:37:01: lifetime of 4608000 kilobytes
00:37:01: ISAKMP (0:1): Creating IPSec SAs
00:37:01: inbound SA from 203.106.10.2 to 203.162.11.2
(proxy 10.10.10.0 to 20.20.20.0)
00:37:01: has spi 0x609CD1A8 and conn_id 2002 and flags 4
00:37:01: lifetime of 3600 seconds
00:37:01: lifetime of 4608000 kilobytes
00:37:01: outbound SA from 203.162.11.2 to 203.106.10.2 (proxy 20.20.20.0 to 10.10.10.0 )
00:37:01: has spi 199818953 and conn_id 2003 and flags 4
00:37:01: lifetime of 3600 seconds
00:37:01: lifetime of 4608000 kilobytes
00:37:01: IPSEC(key_engine) : got a queue event…
00:37:01: IPSEC(initialize_sas):,
(key eng.msg.) src= 203.162.11.2, dest= 203.106.10.2,
src_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
dest_proxy= 20.20.20.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac,
lifedur= 3600s and 4608000Kb,
spi= 0x609CD1A8 (199818953), conn_id= 2002, keysize= 0, flags= 0x4
! The IPSEC SAs have been established and data can now be exchanged securely.
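Reading this debug output by hand works for one tunnel, but the same walk-through can be automated. The following Python script is an added example, not code from the original lab write-up: it replays debug lines of the shape shown above, records the Main Mode state machine (MM_NO_STATE, MM_SA_SETUP, MM_KEY_EXCH), the ISAKMP policy that was accepted, the Phase 2 transforms and each IPsec SA with its SPI and conn_id, and then reports whether both phases actually completed. The embedded sample is a constructed, abridged copy of the lines above. The weak-algorithm lists are an addition that the lab does not discuss: the DES-CBC, MD5 and group 2 policy negotiated here is rated MUST NOT / SHOULD NOT in current IKE guidance (RFC 8247), so the script flags it.

```python
"""Summarise Cisco 'debug crypto isakmp' / 'debug crypto ipsec' output.
Added example (not from the original lab write-up): replays the debug lines in
order, records the Main Mode states, the accepted ISAKMP policy, the Phase 2
transforms and each IPsec SA, then flags algorithms RFC 8247 deprecates."""
import re
from dataclasses import dataclass, field

# Constructed sample: an abridged copy of the debug lines discussed above.
SAMPLE_DEBUG = """\
00:36:59: ISAKMP (0:1): sending packet to 203.106.10.2 (I) MM_NO_STATE
00:37:00: ISAKMP: encryption DES-CBC
00:37:00: ISAKMP: hash MD5
00:37:00: ISAKMP: default group 2
00:37:00: ISAKMP: auth pre-share
00:37:00: ISAKMP (0:1): sending packet to 203.106.10.2 (I) MM_SA_SETUP
00:37:01: ISAKMP (0:1): sending packet to 203.106.10.2 (I) MM_KEY_EXCH
00:37:01: ISAKMP (0:1): SA has been authenticated with 203.106.10.2
00:37:01: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -391346015
00:37:01: ISAKMP: transform 1, AH_MD5
00:37:01: ISAKMP: transform 1, ESP_DES
00:37:01: inbound SA from 203.106.10.2 to 203.162.11.2
(proxy 10.10.10.0 to 20.20.20.0)
00:37:01: has spi 0x75B29B72 and conn_id 2000 and flags 4
00:37:01: outbound SA from 203.162.11.2 to 203.106.10.2 (proxy 20.20.20.0 to 10.10.10.0 )
00:37:01: has spi 721289306 and conn_id 2001 and flags 4
"""

# Rated MUST NOT / SHOULD NOT for IKE and IPsec by RFC 8247.
WEAK_ENCRYPTION = {"DES-CBC", "3DES-CBC", "ESP_DES", "ESP_3DES"}
WEAK_INTEGRITY = {"MD5", "AH_MD5", "ESP_MD5"}
WEAK_DH_GROUPS = {"1", "2", "5"}          # 768-, 1024- and 1536-bit MODP

_RE = {
    "state": re.compile(r"\((?:I|R)\) (MM_\w+|QM_\w+)$"),
    "attr": re.compile(r"ISAKMP: (encryption|hash|auth) (\S+)$"),
    "group": re.compile(r"ISAKMP: default group (\d+)$"),
    "authed": re.compile(r"SA has been authenticated with (\S+)$"),
    "xform": re.compile(r"ISAKMP: transform \d+, (\w+)$"),
    "sa": re.compile(r"(inbound|outbound) SA from (\S+) to (\S+)"),
    "spi": re.compile(r"has spi (\S+) and conn_id (\d+)"),
}

@dataclass
class IkeSummary:
    phase1_states: list = field(default_factory=list)  # MM_* states, in the order first seen
    isakmp_attrs: dict = field(default_factory=dict)   # accepted Phase 1 policy attributes
    phase2_transforms: list = field(default_factory=list)
    peer: str = ""
    authenticated: bool = False
    quick_mode: bool = False
    sas: list = field(default_factory=list)            # dicts: direction, src, dst, spi, conn_id

def parse_isakmp_debug(text: str) -> IkeSummary:
    """Walk the debug lines once, keeping a handle on the SA currently being printed."""
    s, cur = IkeSummary(), None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := _RE["state"].search(line):
            if m[1] not in s.phase1_states:
                s.phase1_states.append(m[1])
        elif m := _RE["attr"].search(line):
            s.isakmp_attrs[m[1]] = m[2]
        elif m := _RE["group"].search(line):
            s.isakmp_attrs["group"] = m[1]
        elif m := _RE["authed"].search(line):
            s.authenticated, s.peer = True, m[1]
        elif "beginning Quick Mode exchange" in line:
            s.quick_mode = True
        elif m := _RE["xform"].search(line):
            s.phase2_transforms.append(m[1])
        elif m := _RE["sa"].search(line):
            cur = {"direction": m[1], "src": m[2], "dst": m[3], "spi": None, "conn_id": None}
            s.sas.append(cur)
        elif (m := _RE["spi"].search(line)) and cur is not None:
            # IOS prints one direction's SPI in hex and the other in decimal; base 0 accepts both.
            cur["spi"], cur["conn_id"] = int(m[1], 0), int(m[2])
    return s

def weak_algorithm_warnings(s: IkeSummary) -> list:
    """Name every negotiated algorithm that current guidance says not to use."""
    a = s.isakmp_attrs
    checks = [(a.get("encryption") in WEAK_ENCRYPTION, f"Phase 1 encryption {a.get('encryption')}"),
              (a.get("hash") in WEAK_INTEGRITY, f"Phase 1 hash {a.get('hash')}"),
              (a.get("group") in WEAK_DH_GROUPS, f"Phase 1 DH group {a.get('group')}")]
    checks += [(t in WEAK_ENCRYPTION | WEAK_INTEGRITY, f"Phase 2 transform {t}") for t in s.phase2_transforms]
    return [f"{what} is deprecated" for weak, what in checks if weak]

def negotiation_complete(s: IkeSummary) -> bool:
    """Main Mode ran MM_NO_STATE -> MM_SA_SETUP -> MM_KEY_EXCH, the peer was
    authenticated, Quick Mode ran, and a keyed SA exists in each direction."""
    keyed = {sa["direction"] for sa in s.sas if sa["spi"] is not None}
    return (s.phase1_states[:3] == ["MM_NO_STATE", "MM_SA_SETUP", "MM_KEY_EXCH"]
            and s.authenticated and s.quick_mode and keyed == {"inbound", "outbound"})

if __name__ == "__main__":
    summary = parse_isakmp_debug(SAMPLE_DEBUG)
    print(" -> ".join(summary.phase1_states), "| complete:", negotiation_complete(summary))
    for sa in summary.sas:
        print(f"{sa['direction']:8} {sa['src']} -> {sa['dst']} spi=0x{sa['spi']:08X} conn_id={sa['conn_id']}")
    print(*weak_algorithm_warnings(summary), sep="\n")
```

Feed it a real capture instead of SAMPLE_DEBUG (for example `parse_isakmp_debug(open("isakmp.log").read())`) and `negotiation_complete` tells you at a glance whether a failed tunnel stopped in Phase 1 (no MM_KEY_EXCH or no "SA has been authenticated" line, typically a policy or pre-shared-key mismatch) or in Phase 2 (authenticated but no inbound/outbound SA pair, typically a transform-set or crypto ACL mismatch).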