
(The LNS address is on the internal network and is reached through a public-address mapping)

Topology

The LAC's public address is 202.109.207.163. The LNS sits on the customer's internal network at 172.20.210.10 and is statically mapped to the public address 117.27.234.103.

Requirement: a PC user dials in to the LAC with PPPoE, which triggers L2TP tunnel establishment towards the LNS; the L2TP tunnel must also be protected with IPsec.

How the two addresses fit together: the LAC starts L2TP towards the LNS's private address (start l2tp ip 172.20.210.10), while its IKE peer is the public mapping 117.27.234.103. ACL 3500 selects the L2TP packets addressed to 172.20.210.10, and tunnel-mode ESP wraps them in an outer header addressed to 117.27.234.103, so the NAT device in front of the LNS only ever sees IKE and ESP (UDP-encapsulated on port 4500 once NAT traversal detects the NAT). Because the LNS has no fixed public identity of its own, both ends use aggressive mode with name-based identities (LAC local-name lac / remote-name lns, LNS ike identity fqdn lns) instead of address-based identities.

Configuration:

LAC:
#
 version 5.20, Release 2512P04
#
 sysname lac
#
 l2tp enable
#
 domain default enable system
#
 ipv6
#
 telnet server enable
#
 port-security enable
#
 password-recovery enable
#
acl number 3500
 rule 5 permit ip source 202.109.207.163 0 destination 172.20.210.10 0
 rule 10 permit ip source 172.20.210.10 0 destination 202.109.207.163 0
#
vlan 1
#
domain h3c.com
 authentication ppp local
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
ike peer lac
 exchange-mode aggressive
 pre-shared-key cipher $c$3$1x8s/6RGe2wayz2b/ilLMlHyJ86Kag==
 id-type name
 remote-name lns
 remote-address 117.27.234.103
 local-address 202.109.207.163
 local-name lac
 nat traversal
#
ipsec transform-set lac
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ipsec policy lac 1 isakmp
 security acl 3500
 ike-peer lac
 transform-set lac
#
user-group system
 group-attribute allow-guest
#
local-user admin
 password cipher $c$3$EiAlBrd/gVGFvSMRAmLoJwgze3wHlYa1BQ==
 authorization-attribute level 3
 service-type telnet
 service-type web
local-user test
 password cipher $c$3$SQ3SM2FRQoXeMijjRitI72ToSwbJ9f09xw==
 service-type ppp
#
l2tp-group 1
 tunnel password cipher $c$3$TVsHV3HQRBs5eubLlDPrKCp8o8kwnA==
 tunnel name lac
 start l2tp ip 172.20.210.10 domain h3c.com
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface Cellular0/0
 async mode protocol
 link-protocol ppp
#
interface Virtual-Template1
 ppp authentication-mode pap chap domain h3c.com
#
interface NULL0
#
interface Vlan-interface1
 pppoe-server bind Virtual-Template 1
 ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0
 port link-mode route
 ip address 202.109.207.163 255.255.255.248
 ipsec policy lac
#
interface GigabitEthernet0/1
 port link-mode bridge
#
interface GigabitEthernet0/2
 port link-mode bridge
#
interface GigabitEthernet0/3
 port link-mode bridge
#
interface GigabitEthernet0/4
 port link-mode bridge
#
 ip route-static 0.0.0.0 0.0.0.0 202.109.207.161
 ip route-static 0.0.0.0 0.0.0.0 117.27.234.103
#
 dialer-rule 1 ip permit
#
 load xml-configuration
#
 load tr069-configuration
#
user-interface tty 12
user-interface aux 0
user-interface vty 0 4
 authentication-mode scheme
#
return

LNS:

#
 version 7.1.049, Release 0202
#
 sysname lns
#
 telnet server enable
#
ip pool 1 192.168.101.1 192.168.101.254
#
 password-recovery enable
#
vlan 1
#
interface Virtual-Template1
 ppp authentication-mode pap chap
 remote address pool 1
 ip address 192.168.200.254 255.255.255.0
#
interface NULL0
#
interface LoopBack0
 ip address 10.10.10.10 255.255.255.255
#
interface GigabitEthernet1/0
#
interface GigabitEthernet1/0.1498
 description to-12/32
 ip address 172.20.209.10 255.255.255.128
 vlan-type dot1q vid 1498
#
interface GigabitEthernet2/0
#
interface GigabitEthernet2/0.1499
 description to-11/32
 ip address 172.20.210.10 255.255.255.128
 vlan-type dot1q vid 1499
 ipsec apply policy lns
#
 scheduler logfile size 16
#
line class aux
 user-role network-operator
#
line class console
 user-role network-admin
#
line class vty
 user-role network-operator
#
line aux 0
 user-role network-operator
#
line con 0
 user-role network-admin
#
line vty 0 63
 authentication-mode scheme
 user-role network-operator
#
 ip route-static 0.0.0.0 0 172.20.210.1
 ip route-static 172.20.128.208 28 172.20.109.1
 ip route-static 172.20.128.208 28 172.20.209.1
#
domain h3c.com
 authentication ppp local
 authorization ppp local
 accounting ppp local
#
domain system
#
 aaa session-limit ftp 32
 aaa session-limit telnet 32
 aaa session-limit http 32
 aaa session-limit ssh 32
 aaa session-limit https 32
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
local-user admin class manage
 password hash $h$6$rhjYlaMxTE8Yrgy/$pL4ngHJErR5IS6mIM2TVTpxVJoXAz3Z7twS5WUoHnTBAVcnQ6zRTt3l/IV25NzoxYG4+xduBzNhiM+NovY5gUQ==
 service-type telnet
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
#
local-user test class manage
 password hash $h$6$aeSFBsuE4NLmKV/p$Bmfz5WpYqTIdkrJhRl8v9xOkz2sxaxZ4Y0ZtkKglmyw3gvtamdEAxf0CItYelhqBRz/xZmmQF5DcZ3Y15oa5YA==
 service-type ftp
 service-type telnet
 authorization-attribute user-role network-operator
#
local-user test class network
 service-type ppp
 authorization-attribute user-role network-operator
#
ipsec transform-set lns
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm sha1
#
ipsec policy-template lns 1
 transform-set lns
 ike-profile lns
#
ipsec policy lns 1 isakmp template lns
#
l2tp-group 1 mode lns
 allow l2tp virtual-template 1 remote lac
 tunnel name lns
 tunnel password cipher $c$3$TbJ0N3WspYQUVRSjjmPBxkFjo3Xhyg==
#
 l2tp enable
#
 ike identity fqdn lns
#
ike profile lns
 keychain lac
 exchange-mode aggressive
 local-identity fqdn lns
 match remote identity fqdn lac
 match local address GigabitEthernet2/0.1499
#
ike keychain lac
 pre-shared-key hostname lac key cipher $c$3$QGKCezjZ+NqQIHxyMuZsfR/weMCQAw==
#
return

Points to verify when reproducing this pair: the LAC's remote-name must equal the LNS's ike identity fqdn, the LAC's local-name must equal the hostname in the LNS keychain and in match remote identity fqdn, the tunnel name the LAC announces (tunnel name lac) must be the one the LNS accepts (allow l2tp virtual-template 1 remote lac), the ESP algorithms must agree (Comware 7 writes 3des-cbc where Comware 5 writes 3des), and the LNS side uses a policy template because it only responds. Both ends negotiate IKEv1 aggressive mode with a pre-shared key and 3DES/SHA-1: aggressive mode sends the identities in the clear and gives an eavesdropper material for offline guessing of the PSK, and 3DES is a legacy cipher, so where both platforms support it prefer main mode and AES.

1: Overview

First, let's straighten out the two concepts.

IPsec over GRE means IPsec on the inside and GRE on the outside. Packets that need protection are first encapsulated as IPsec packets and then dropped into the GRE tunnel towards the peer. This is done by applying the IPsec policy on the Tunnel interface: the Tunnel interface watches for traffic matching the ACL to decide whether a packet needs encryption; if so, it is first encrypted into an IPsec packet and then wrapped in GRE and sent into the tunnel. Traffic that does not match the ACL goes through the GRE tunnel unencrypted, so some data crosses the network unprotected.

GRE over IPsec means GRE on the inside and IPsec on the outside. Data is first encapsulated in GRE and then encapsulated in IPsec before being sent to the peer. This is done by applying the IPsec policy on the physical interface and using the ACL to match the GRE traffic that needs encryption; the GRE stream is encrypted into IPsec packets before transmission, so every packet is protected, including tunnel establishment and the routing exchanges that run over the tunnel.

2: Configuration approach for IPsec over GRE and GRE over IPsec

The difference between the two configurations is where the IPsec encapsulation is applied: IPsec over GRE applies it on the tunnel interface and uses an ACL to match the data flows to encrypt, while GRE over IPsec applies it on the physical interface and uses an ACL to match the tunnel traffic to encrypt. In that respect the latter is more secure, because IPsec then encrypts everything, tunnel packets included.

I therefore split the configuration into three steps so it doesn't get confusing. Step 1: configure the public IP addresses and routes so the two devices' public addresses can ping each other. Step 2: configure the GRE tunnel and test that it comes up. Step 3: create the IPsec configuration and apply it.

Topology (figure not reproduced): R1 (12.1.1.1) -- R2 -- R3 (23.1.1.3). R2 stands in for the Internet and only needs to provide reachability between the two public addresses. 192.168.1.1 and 192.168.3.1 are the local test addresses on R1 and R3 (the routing table below shows 192.168.1.1/32 as directly connected on R1).

A: GRE over IPsec

Step 1, public interfaces

R1:
interface Serial0/2/0
 ip address 12.1.1.1 24
ip route-static 0.0.0.0 0.0.0.0 12.1.1.2

R3:
interface Serial0/2/0
 ip address 23.1.1.3 24
ip route-static 0.0.0.0 0.0.0.0 23.1.1.2

Step 2, GRE tunnel

R1:
interface Tunnel0
 ip address 192.168.13.1 24
 source 12.1.1.1
 destination 23.1.1.3
ip route-static 192.168.3.1 32 Tunnel0

R3:
interface Tunnel0
 ip address 192.168.13.2 24
 source 23.1.1.3
 destination 12.1.1.1
ip route-static 192.168.1.1 32 Tunnel0

Step 3, IPsec

R1:
ike peer r1-r3
 pre-shared-key 12345
 remote-address 23.1.1.3
ipsec proposal r1-r3
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
acl number 3013
 rule 5 permit ip source 12.1.1.1 0 destination 23.1.1.3 0
ipsec policy r13 1 isakmp
 security acl 3013
 ike-peer r1-r3
 proposal r1-r3
interface Serial0/2/0
 ipsec policy r13

R3:
ike peer r3-r1
 pre-shared-key 12345
 remote-address 12.1.1.1
ipsec proposal r3-r1
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
acl number 3031
 rule 5 permit ip source 23.1.1.3 0 destination 12.1.1.1 0
ipsec policy r31 1 isakmp
 security acl 3031
 ike-peer r3-r1
 proposal r3-r1
interface Serial0/2/0
 ipsec policy r31

Here the IPsec endpoints are the same addresses as the GRE endpoints, so transport mode works as well as tunnel mode and saves the extra IP header. With permit ip between the two public addresses the ACL also covers any other traffic the routers exchange with each other; to select only the tunnel, use rule 5 permit gre source 12.1.1.1 0 destination 23.1.1.3 0 (and the mirror on R3).

B: IPsec over GRE

Steps 1 and 2 are identical to the GRE over IPsec case above (public interfaces, tunnel and the static routes through Tunnel0).

Step 3, IPsec

R1:
ike peer r1-r3
 pre-shared-key 12345
 remote-address 192.168.13.2
ipsec proposal r1-r3
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
acl number 3013
 rule 5 permit ip source 192.168.1.1 0 destination 192.168.3.1 0
ipsec policy r13 1 isakmp
 security acl 3013
 ike-peer r1-r3
 proposal r1-r3
interface Tunnel0
 ipsec policy r13

R3:
ike peer r3-r1
 pre-shared-key 12345
 remote-address 192.168.13.1
ipsec proposal r3-r1
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
acl number 3031
 rule 5 permit ip source 192.168.3.1 0 destination 192.168.1.1 0
ipsec policy r31 1 isakmp
 security acl 3031
 ike-peer r3-r1
 proposal r3-r1
interface Tunnel0
 ipsec policy r31

In this design the IKE peers are the tunnel addresses, so IKE itself runs inside GRE: the GRE tunnel must be up before the SA can be negotiated, and anything sent over the tunnel that the ACL does not select (routing protocol packets between 192.168.13.1 and 192.168.13.2, for instance) crosses the Internet in clear GRE.

3: Forwarding and encapsulation in IPsec over GRE and GRE over IPsec

R1's routing table is the same in both designs (the Tunnel1 and 192.168.110.0/24 entries come from a second tunnel in the lab that is not part of this walkthrough):

[r1] display ip routing-table
Routing Tables: Public
        Destinations : 13        Routes : 13

Destination/Mask    Proto   Pre  Cost   NextHop         Interface
0.0.0.0/0           Static  60   0      12.1.1.2        S0/2/0
12.1.1.0/24         Direct  0    0      12.1.1.1        S0/2/0
12.1.1.1/32         Direct  0    0      127.0.0.1       InLoop0
12.1.1.2/32         Direct  0    0      12.1.1.2        S0/2/0
127.0.0.0/8         Direct  0    0      127.0.0.1       InLoop0
127.0.0.1/32        Direct  0    0      127.0.0.1       InLoop0
192.168.1.1/32      Direct  0    0      127.0.0.1       InLoop0
192.168.3.1/32      Static  60   0      192.168.13.1    Tun0
192.168.10.1/32     Static  60   0      192.168.110.1   Tun1
192.168.13.0/24     Direct  0    0      192.168.13.1    Tun0
192.168.13.1/32     Direct  0    0      127.0.0.1       InLoop0
192.168.110.0/24    Direct  0    0      192.168.110.1   Tun1
192.168.110.1/32    Direct  0    0      127.0.0.1       InLoop0

Forwarding with GRE over IPsec, for a packet from 192.168.1.1 to 192.168.3.1:
original packet -> route lookup -> Tunnel0 -> GRE encapsulation, outer source = own public address, destination = peer's public address -> routed to the physical interface -> matches the ACL -> IPsec encryption and encapsulation -> peer

Forwarding with IPsec over GRE, for the same packet:
original packet -> route lookup -> Tunnel0 -> matches the ACL -> IPsec tunnel-mode encapsulation, source = local tunnel address, destination = peer's tunnel address -> GRE encapsulation, outer source = own public address, destination = peer's public address -> routed to the physical interface -> peer
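The encapsulation orders in section 3, and the point in section 1 that IPsec over GRE leaves ACL-unmatched tunnel traffic in the clear, are easier to see when modelled. The following is an added example written for this page, not code from the original post: it models R1 with plain Python objects (no real crypto) using the addresses above, and passes a user packet and a constructed routing-protocol packet through each design to show which headers an observer on the R1-R2 link can read. The 224.0.0.0/4 route and the OSPF hello are assumptions standing in for a routing protocol running over the tunnel, and the GRE over IPsec ACL uses the tighter permit gre form.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

R1_PUBLIC, R3_PUBLIC = "12.1.1.1", "23.1.1.3"
R1_TUNNEL, R3_TUNNEL = "192.168.13.1", "192.168.13.2"


@dataclass
class Packet:
    proto: str                        # "ip", "ospf", "gre" (outer IP + GRE), "esp" (outer IP + ESP)
    src: str
    dst: str
    inner: Optional["Packet"] = None  # the packet this one encapsulates, if any


# R1 routing table reduced to the entries that matter here; 224.0.0.0/4 -> Tunnel0 is an
# assumption representing a routing protocol (OSPF) enabled on the tunnel interface.
ROUTES = [
    (ip_network("192.168.3.1/32"), "Tunnel0"),
    (ip_network("192.168.13.0/24"), "Tunnel0"),
    (ip_network("224.0.0.0/4"), "Tunnel0"),
    (ip_network("0.0.0.0/0"), "Serial0/2/0"),
]


def lookup(dst: str) -> str:
    """Longest-prefix match, as the FIB does."""
    matches = [(net, ifc) for net, ifc in ROUTES if ip_address(dst) in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def acl_permits(rules, pkt: Packet) -> bool:
    """Advanced ACL rules as (proto, src, dst); proto 'ip' matches any protocol."""
    return any((p == "ip" or p == pkt.proto) and s == pkt.src and d == pkt.dst
               for p, s, d in rules)


def gre_over_ipsec(pkt: Packet) -> Packet:
    """Policy on Serial0/2/0; the ACL selects the GRE flow between the public addresses."""
    acl = [("gre", R1_PUBLIC, R3_PUBLIC)]
    if lookup(pkt.dst) == "Tunnel0":
        pkt = Packet("gre", R1_PUBLIC, R3_PUBLIC, pkt)      # GRE first, towards the peer's public address
    if acl_permits(acl, pkt):                               # then the physical interface's IPsec policy
        pkt = Packet("esp", R1_PUBLIC, R3_PUBLIC, pkt)      # tunnel-mode ESP around the whole GRE packet
    return pkt


def ipsec_over_gre(pkt: Packet) -> Packet:
    """Policy on Tunnel0; the ACL selects the host flow, the IPsec peers are the tunnel addresses."""
    acl = [("ip", "192.168.1.1", "192.168.3.1")]
    if lookup(pkt.dst) == "Tunnel0":
        if acl_permits(acl, pkt):
            pkt = Packet("esp", R1_TUNNEL, R3_TUNNEL, pkt)  # ESP between 192.168.13.1 and 192.168.13.2
        pkt = Packet("gre", R1_PUBLIC, R3_PUBLIC, pkt)      # GRE is applied to everything leaving Tunnel0
    return pkt


def wire_view(pkt: Packet) -> list:
    """Headers readable on the R1-R2 link; everything inside ESP is opaque."""
    visible = []
    while pkt is not None:
        visible.append(f"{pkt.proto} {pkt.src}->{pkt.dst}")
        if pkt.proto == "esp":
            break
        pkt = pkt.inner
    return visible


def exposed_in_clear(pkt: Packet) -> bool:
    """True when the original packet crosses the link without any ESP around it."""
    return not any(h.startswith("esp ") for h in wire_view(pkt))


USER = Packet("ip", "192.168.1.1", "192.168.3.1")   # host traffic from the page's test
HELLO = Packet("ospf", R1_TUNNEL, "224.0.0.5")      # constructed routing-protocol packet on the tunnel

if __name__ == "__main__":
    for name, design in (("GRE over IPsec", gre_over_ipsec), ("IPsec over GRE", ipsec_over_gre)):
        for p in (USER, HELLO):
            out = design(p)
            print(f"{name:15} {p.proto:5} {wire_view(out)} "
                  f"{'CLEARTEXT' if exposed_in_clear(out) else 'protected'}")
```

Run as a script it prints one line per design and packet: under GRE over IPsec both packets appear on the wire only as ESP between 12.1.1.1 and 23.1.1.3, while under IPsec over GRE the user packet is ESP inside GRE but the OSPF hello, which the ACL does not select, is readable inside the GRE header.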
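Looking back at the LAC/LNS pair in the first part of the page, most L2TP over IPsec failures in this setup come from a single mismatched name or algorithm between a Comware 5 LAC and a Comware 7 LNS. The following is an added example written for this page, not code from the original post or from H3C: it parses trimmed excerpts of the page's two configurations (stanza names such as ike peer lac and ike profile lns are taken from the page) and cross-checks the identities, keychain, ESP proposal, L2TP destination, ACL, tunnel name and NAT traversal, and flags legacy choices. The WEAK list and the check wording are the editor's own.

```python
LAC_CFG = """\
acl number 3500
 rule 5 permit ip source 202.109.207.163 0 destination 172.20.210.10 0
#
ike peer lac
 exchange-mode aggressive
 remote-name lns
 remote-address 117.27.234.103
 local-name lac
 nat traversal
#
ipsec transform-set lac
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ipsec policy lac 1 isakmp
 security acl 3500
 ike-peer lac
 transform-set lac
#
l2tp-group 1
 tunnel name lac
 start l2tp ip 172.20.210.10 domain h3c.com
"""

LNS_CFG = """\
interface GigabitEthernet2/0.1499
 ip address 172.20.210.10 255.255.255.128
 ipsec apply policy lns
#
ipsec transform-set lns
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm sha1
#
ipsec policy-template lns 1
 transform-set lns
 ike-profile lns
#
l2tp-group 1 mode lns
 allow l2tp virtual-template 1 remote lac
 tunnel name lns
#
 ike identity fqdn lns
#
ike profile lns
 keychain lac
 exchange-mode aggressive
 match remote identity fqdn lac
#
ike keychain lac
 pre-shared-key hostname lac key cipher $c$3$QGKCezjZ+NqQIHxyMuZsfR/weMCQAw==
"""

WEAK = {"des", "3des", "md5", "sha1"}   # editor's list of legacy algorithms worth a warning


def stanzas(cfg):
    """Map each top-level command to its indented sub-commands; a '#' line ends a stanza."""
    out, cur = {}, None
    for line in cfg.splitlines():
        if line.strip() in ("", "#"):
            cur = None
        elif line.startswith(" ") and cur is not None:
            out[cur].append(line.strip())
        else:
            cur = line.strip()
            out.setdefault(cur, [])
    return out


def sub(st, header, prefix):
    """Text after `prefix` inside stanza `header`, or '' if absent."""
    return next((l[len(prefix) + 1:] for l in st.get(header, []) if l.startswith(prefix + " ")), "")


def check(lac_cfg, lns_cfg):
    """Return (errors, warnings) for a LAC/LNS pair; names of stanzas are those used on the page."""
    lac, lns = stanzas(lac_cfg), stanzas(lns_cfg)
    errors, warnings = [], []
    need = lambda ok, msg: ok or errors.append(msg)
    peer, prof = "ike peer lac", "ike profile lns"
    # IKE identities must cross-match, and the LNS keychain must be keyed on the LAC's name.
    lns_id = next((h.split()[-1] for h in lns if h.startswith("ike identity fqdn ")), "")
    need(sub(lac, peer, "remote-name") == lns_id, "LAC remote-name != LNS ike identity")
    need(sub(lac, peer, "local-name") == sub(lns, prof, "match remote identity fqdn"),
         "LAC local-name != LNS match remote identity")
    keychain = "ike keychain " + sub(lns, prof, "keychain")
    need(sub(lns, keychain, "pre-shared-key hostname").split()[:1] == [sub(lac, peer, "local-name")],
         "LNS keychain not keyed on the LAC hostname")
    need(sub(lac, peer, "exchange-mode") == sub(lns, prof, "exchange-mode"), "IKE exchange-mode mismatch")
    # ESP proposal: follow policy -> transform-set on each side (Comware 7 writes 3des-cbc, Comware 5 3des).
    lac_ts = "ipsec transform-set " + sub(lac, "ipsec policy lac 1 isakmp", "transform-set")
    lns_ts = "ipsec transform-set " + sub(lns, "ipsec policy-template lns 1", "transform-set")
    for kind in ("encryption", "authentication"):
        a = sub(lac, lac_ts, f"esp {kind}-algorithm").replace("-cbc", "")
        b = sub(lns, lns_ts, f"esp {kind}-algorithm").replace("-cbc", "")
        need(a == b, f"ESP {kind} mismatch: {a} vs {b}")
        if a in WEAK:
            warnings.append(f"legacy ESP {kind} algorithm: {a}")
    # L2TP: the LAC must dial the LNS interface carrying the IPsec policy, the LAC ACL must
    # select that flow, and the LNS must accept the LAC's tunnel name.
    l2tp_dst = sub(lac, "l2tp-group 1", "start l2tp ip").split()[:1]
    lns_if = next((h for h, ls in lns.items() if h.startswith("interface") and "ipsec apply policy lns" in ls), "")
    lns_ip = sub(lns, lns_if, "ip address").split()[:1]
    need(l2tp_dst == lns_ip, f"LAC dials {l2tp_dst} but the LNS IPsec interface has {lns_ip}")
    acl = "acl number " + sub(lac, "ipsec policy lac 1 isakmp", "security acl")
    need(any(f"destination {l2tp_dst[0]} " in r for r in lac.get(acl, []) if l2tp_dst),
         "LAC ACL does not select the L2TP traffic to the LNS")
    need(sub(lns, "l2tp-group 1 mode lns", "allow l2tp virtual-template").split()[-1:]
         == [sub(lac, "l2tp-group 1", "tunnel name")], "LNS does not accept the LAC tunnel name")
    # The IKE peer address differs from the LNS interface address, so a NAT sits in the path.
    if [sub(lac, peer, "remote-address")] != lns_ip:
        need("nat traversal" in lac.get(peer, []), "LNS is behind NAT but the LAC lacks 'nat traversal'")
    if sub(lac, peer, "exchange-mode") == "aggressive":
        warnings.append("aggressive mode: identities travel in the clear and the PSK hash is exposed to offline guessing")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check(LAC_CFG, LNS_CFG)
    print("errors:", errs)
    print("warnings:", warns)
```

On the page's pair the checker reports no errors and three warnings (3DES, SHA-1, aggressive mode); changing one identity on the LNS, or dropping nat traversal on the LAC, produces exactly one error naming the mismatch, which is the kind of one-line discrepancy that otherwise only shows up as a silent IKE failure.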
