VPN祥解及其配置示例

2007-03-25 16:46:52

VPN及其配置示例

VPN的定义

虚拟专网（VPN-VIRTUAL PRIVATE NETWORK）指的是在公用网络上建立专用网络的技术。之所以称为虚拟网主要是因为整个VPN网络的任意两个节点之间的连接并没有传统专网所需的端到端的物理链路，而是架构在公用网络服务商所提供的网络平台（如INTERNET，ATM，FRAME RELAY等）之上的逻辑网络，用户数据在逻辑链路中传输。

VPN的功能

1、通过隧道（TUNNEL）或虚电路（VIRTUAL CIRCUIT）实现网络互联
2、支持用户安全管理
3、能够进行网络监控、故障诊断

VPN解决方案的优点

1、省钱：它可以节省长途电话费和长途专线电话费和长途专线网络费可以为用户节省30-25%的网络应用的开销。
2、选择灵活、速度快：通过vpn网关，用户可以选择多种internet连通技术，而且对于 INTERNET的容量可以实现按需定制；
3、安全性好：VPN的认证机制将更好地保证用户的隐私权和收发数据的完整性；
4、实现投资的保护：VPN技术的应用可以建立在用户现有的防火墙的基础上，用户正在使用的应用软件也不受影响。

VPN技术原理

1、 VPN系统使分布在不同地方的专用网络在不可信任的公共网络上安全的通信。
2、 VPN设备根据网管设置的规则，确定是否需要对数据进行加密或让数据直接通过。
3、对需要加密的数据，VPN设备对整个数据包进行加密和附上数字签名。
4、 VPN设备加上新的收据包头，其中包括目的地VPN设备需要的安全信息和一些初始化参数。
5、 VPN设备对加密后的数据、鉴别包以及源IP地址、目标VPN设备IP地址进行重新封装，重新封装后的数据包通过虚拟通道在公网上传输。
6、当数据包到达目标VPN设备时，数据包被解封装，数据包被解封装，数字签名，数字签名被核对无误后，收据包被解密。

VPN配置实例

Intranet 内联网配置:

Figure 3-8: Intranet VPN Scenario Physical Elements

Headquarters Router 配置

hq-sanjose# show running-config

Building configuration...

Current configuration:

version 12.0

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

hostname hq-sanjose

boot system flash bootflash:

boot bootldr bootflash:c7100-boot-mz.120-1.1.T

boot config slot0:hq-sanjose-cfg-small

no logging buffered

crypto isakmp policy 1

authentication pre-share

lifetime 84600

crypto isakmp key test12345 address 172.24.2.5

crypto ipsec transform-set proposal1 ah-sha-hmac esp-des esp-sha-hmac

mode transport

crypto map s1first local-address Serial1/0

crypto map s1first 1 ipsec-isakmp

/pre>

set peer 172.24.2.5

set transform-set proposal1

match address 101

interface Tunnel0

bandwidth 180

ip address 172.17.3.3 255.255.255.0

no ip directed-broadcast

tunnel source 172.17.2.4

tunnel destination 172.24.2.5

crypto map s1first

interface FastEthernet0/0

ip address 10.1.3.3 255.255.255.0

no ip directed-broadcast

no keepalive

full-duplex

no cdp enable

interface FastEthernet0/1

ip address 10.1.6.4 255.255.255.0

no ip directed-broadcast

no keepalive

full-duplex

no cdp enable

interface Serial1/0

ip address 172.17.2.4 255.255.255.0

no ip directed-broadcast

no ip mroute-cache

no keepalive

/pre>

fair-queue 64 256 0

framing c-bit

cablelength 10

dsu bandwidth 44210

clock source internal

no cdp enable

crypto map s1first

ip route 10.1.4.0 255.255.255.0 Tunnel0

access-list 101 permit gre host 172.17.2.4 host 172.24.2.5

line con 0

transport input none

line aux 0

line vty 0 4

login

end

/pre>

Remote Office Router 配置:

ro-rtp# show running-config

Building configuration...

Current configuration:

version 12.0

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

hostname ro-rtp

boot system flash bootflash:

boot bootldr bootflash:c7100-boot-mz.120-1.1.T

boot config slot0:ro-rtp-cfg-small

no logging buffered

crypto isakmp policy 1

authentication pre-share

lifetime 84600

crypto isakmp key test12345 address 172.17.2.4

crypto ipsec transform-set proposal1 ah-sha-hmac esp-des esp-sha-hmac

mode transport

crypto map s1first local-address Serial1/0

crypto map s1first 1 ipsec-isakmp

set peer 172.17.2.4

set transform-set proposal1

match address 101

interface Tunnel1

bandwidth 180

ip address 172.24.3.6 255.255.255.0

no ip directed-broadcast

tunnel source 172.24.2.5

tunnel destination 172.17.2.4

crypto map s1first

interface FastEthernet0/0

ip address 10.1.4.2 255.255.255.0

no ip directed-broadcast

no keepalive

full-duplex

no cdp enable

interface Serial1/0

ip address 172.24.2.5 255.255.255.0

no ip directed-broadcast

no ip mroute-cache

no keepalive

fair-queue 64 256 0

framing c-bit

cablelength 10

dsu bandwidth 44210

clock source internal

no cdp enable

crypto map s1first

ip route 10.1.3.0 255.255.255.0 Tunnel1

ip route 10.1.6.0 255.255.255.0 Tunnel1

access-list 101 permit gre host 172.24.2.5 host 172.17.2.4

line con 0

transport input none

line aux 0

line vty 0 4

login

end

Extranet外联网配置:

Figure 3-9: Extranet VPN Scenario Physical Elements

Headquarters Router配置:

hq-sanjose# show running-config

Building configuration...

Current configuration:

version 12.0

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

hostname hq-sanjose

boot system flash bootflash:

boot bootldr bootflash:c7100-boot-mz.120-1.1.T

boot config slot0:hq-sanjose-cfg-small

no logging buffered

crypto isakmp policy 1

authentication pre-share

lifetime 84600

crypto isakmp key test12345 address 172.24.2.5

crypto isakmp key test67890 address 172.23.2.7

crypto ipsec transform-set proposal1 ah-sha-hmac esp-des esp-sha-hmac

ode transport

crypto ipsec transform-set proposal4 ah-sha-hmac esp-des esp-sha-hmac

crypto map s1first local-address Serial1/0

crypto map s1first 1 ipsec-isakmp

set peer 172.24.2.5

set transform-set proposal1

match address 101

crypto map s4second local-address Serial2/0

crypto map s4second 2 ipsec-isakmp

set peer 172.23.2.7

set transform-set proposal4

match address 111

interface Tunnel0

bandwidth 180

ip address 172.17.3.3 255.255.255.0

no ip directed-broadcast

tunnel source 172.17.2.4

tunnel destination 172.24.2.5

crypto map s1first

interface FastEthernet0/0

ip address 10.1.3.3 255.255.255.0

no ip directed-broadcast

no keepalive

full-duplex

no cdp enable

interface FastEthernet0/1

ip address 10.1.6.4 255.255.255.0

no ip directed-broadcast

ip nat inside

no keepalive

full-duplex

no cdp enable

interface Serial1/0

ip address 172.17.2.4 255.255.255.0

no ip directed-broadcast

no ip mroute-cache

no keepalive

fair-queue 64 256 0

framing c-bit

cablelength 10

dsu bandwidth 44210

clock source internal

no cdp enable

crypto map s1first

interface Serial2/0

ip address 172.16.2.2 255.255.255.0

no ip directed-broadcast

ip nat outside

no ip mroute-cache

no keepalive

fair-queue 64 256 0

framing c-bit

cablelength 10

dsu bandwidth 44210

clock source internal

no cdp enable

crypto map s4second

router bgp 10

network 10.2.2.2 mask 255.255.255.0

network 172.16.2.0 mask 255.255.255.0

ip route 10.1.4.0 255.255.255.0 Tunnel0

ip nat inside source static 10.1.6.5 10.2.2.2

access-list 101 permit gre host 172.17.2.4 host 172.24.2.5

access-list 111 permit ip host 10.2.2.2 host 10.1.5.3

line con 0

transport input none

line aux 0

line vty 0 4

login

end

Business Partner Router 配置:

bus-ptnr# show running-config

Building configuration...

Current configuration:

version 12.0

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

hostname bus-ptnr

boot system flash bootflash:

boot bootldr bootflash:c7100-boot-mz.120-1.1.T

boot config slot0:bus-ptnr-cfg-small

no logging buffered

crypto isakmp policy 1

authentication pre-share

lifetime 84600

crypto isakmp key test67890 address 172.16.2.2

crypto ipsec transform-set proposal4 ah-sha-hmac esp-des esp-sha-hmac

crypto map s4second local-address Serial1/0

crypto map s4second 2 ipsec-isakmp

set peer 172.16.2.2

set transform-set proposal4

match address 111

interface FastEthernet0/0

ip address 10.1.5.2 255.255.255.0

no ip directed-broadcast

no keepalive

full-duplex

no cdp enable

interface Serial1/0

ip address 172.23.2.7 255.255.255.0

no ip directed-broadcast

no ip mroute-cache

no keepalive

fair-queue 64 256 0

framing c-bit

cablelength 10

dsu bandwidth 44210

clock source internal

no cdp enable

crypto map s4second

router bgp 10

network 10.1.5.0 mask 255.255.255.0

network 172.16.2.0 mask 255.255.255.0

access-list 111 permit ip host 10.1.5.3 host 10.2.2.2

line con 0

transport input none

line aux 0

line vty 0 4

上一篇 RAID技术祥解 raid0/raid1/raid3/raid5/raid6　　下一篇 Windows XP/2003 CD-KEY序列号修改器

类别：网络NETWORK ┆ 技术圈() ┆ 阅读() ┆ 评论() ┆推送到技术圈 ┆返回首页

相关文章

文章评论

昵称：
验证码：		点击图片可刷新验证码　　博客过2级，无需填写验证码
内容：

随意的风

VPN祥解及其配置示例