
H3C Network Academy Routing and Switching Volume 4 Lab Guide

Source: 九壹网
Lab 1 Configuring GRE VPN

Lab Task 1: Basic GRE VPN configuration

Step 1: Set up the lab environment

On SWA, configure VLAN 2 and add interface E1/0/2 to VLAN 2:

[SWA]vlan 2

[SWA-vlan2]port Ethernet 1/0/2

Step 2: Check public network connectivity

Check the routing table and port status on SWA to confirm that it is working correctly.

[SWA]display ip interface brief
*down: administratively down
(s): spoofing
Interface        Physical Protocol IP Address Description
Vlan-interface1  up       up       1.1.1.2    Vlan-inte...
Vlan-interface2  up       up       2.2.2.2    Vlan-inte...
[SWA]display ip routing-table
Routing Tables: Public
Destinations : 6        Routes : 6
Destination/Mask    Proto   Pre  Cost  NextHop      Interface
1.1.1.0/24          Direct  0    0     1.1.1.2      Vlan1
1.1.1.2/32          Direct  0    0     127.0.0.1    InLoop0
2.2.2.0/24          Direct  0    0     2.2.2.2      Vlan2
2.2.2.2/32          Direct  0    0     127.0.0.1    InLoop0
127.0.0.0/8         Direct  0    0     127.0.0.1    InLoop0
127.0.0.1/32        Direct  0    0     127.0.0.1    InLoop0

The display interface command can also be used.

Configure the static routes that RTA and RTB need to reach each other's public network interfaces.

[RTA]interface GigabitEthernet0/0
[RTA-GigabitEthernet0/0]ip address 192.168.1.1 255.255.255.0
[RTA-GigabitEthernet0/0]interface GigabitEthernet0/1
[RTA-GigabitEthernet0/1]ip address 1.1.1.1 255.255.255.0
[RTA-GigabitEthernet0/1]ip route-static 2.2.2.0 255.255.255.0 1.1.1.2

[RTB]interface GigabitEthernet0/0
[RTB-GigabitEthernet0/0]ip address 192.168.2.1 255.255.255.0
[RTB-GigabitEthernet0/0]interface GigabitEthernet0/1
[RTB-GigabitEthernet0/1]ip address 2.2.2.1 255.255.255.0
[RTB-GigabitEthernet0/1]ip route-static 1.1.1.0 255.255.255.0 2.2.2.2

Step 3: Configure the GRE tunnel interfaces

[RTA] interface Tunnel0
[RTA-Tunnel0] ip address 192.168.3.1 255.255.255.252
[RTA-Tunnel0] source 1.1.1.1
[RTA-Tunnel0] destination 2.2.2.1

[RTB] interface Tunnel0
[RTB-Tunnel0] ip address 192.168.3.2 255.255.255.252
[RTB-Tunnel0] source 2.2.2.1
[RTB-Tunnel0] destination 1.1.1.1

Step 4: Configure static routes for the private networks

[RTA] ip route-static 192.168.2.0 255.255.255.0 Tunnel0
[RTB] ip route-static 192.168.1.0 255.255.255.0 Tunnel0

A next-hop address can also be used instead of the outgoing interface.

Step 5: Verify tunnel operation

Check the routing tables on RTA and RTB; both the public and the private network routes are present:

[RTB]display ip routing-table
Routing Tables: Public
Destinations : 10       Routes : 10
Destination/Mask    Proto   Pre  Cost  NextHop      Interface
1.1.1.0/24          Static  60   0     2.2.2.2      GE0/1
2.2.2.0/24          Direct  0    0     2.2.2.1      GE0/1
2.2.2.1/32          Direct  0    0     127.0.0.1    InLoop0
127.0.0.0/8         Direct  0    0     127.0.0.1    InLoop0
127.0.0.1/32        Direct  0    0     127.0.0.1    InLoop0
192.168.1.0/24      Static  60   0     192.168.3.2  Tun0
192.168.2.0/24      Direct  0    0     192.168.2.1  GE0/0
192.168.2.1/32      Direct  0    0     127.0.0.1    InLoop0
192.168.3.0/30      Direct  0    0     192.168.3.2  Tun0
192.168.3.2/32      Direct  0    0     127.0.0.1    InLoop0

Check the tunnel interface status on RTA and RTB; the interface uses GRE encapsulation and its state is UP:

[RTB]display interface Tunnel 0
Tunnel0 current state: UP
Line protocol current state: UP
Description: Tunnel0 Interface
The Maximum Transmit Unit is 1476
Internet Address is 192.168.3.2/30 Primary
Encapsulation is TUNNEL, service-loopback-group ID not set.
Tunnel source 2.2.2.1, destination 1.1.1.1
Tunnel keepalive disable
Tunnel protocol/transport GRE/IP
GRE key disabled
Checksumming of GRE packets disabled
Output queue : (Urgent queuing : Size/Length/Discards) 0/100/0
Output queue : (Protocol queuing : Size/Length/Discards) 0/500/0
Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0
Last 300 seconds input: 15 bytes/sec, 0 packets/sec
Last 300 seconds output: 21 bytes/sec, 0 packets/sec
133 packets input, 5701 bytes
0 input error
124 packets output, 7469 bytes
0 output error

On RTA, enable GRE debugging and use the debugging output to examine the packets the router actually sends and receives; this shows that their addresses have been changed.

terminal monitor

terminal debugging
debugging gre packet

On PCA, ping RTB, sending only one ICMP packet:

C:\Documents and Settings\User>ping -n 1 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 192.168.2.1: bytes=32 time<1ms TTL=254
Ping statistics for 192.168.2.1:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Observe the output on RTA:

*Jun 26 16:15:30:443 2009 RTA GRE/7/debug: Tunnel0 packet:After encapsulation,
Outgoing packet header 1.1.1.1->2.2.2.1(length = 84)
*Jun 26 16:15:30:443 2009 RTA GRE/7/debug:Output: Gre packet has been fast-switched successfully, interface index is 0x2f0000.

RTA sent a packet out of Tunnel0 with source address 1.1.1.1 and destination address 2.2.2.1: the packet was GRE-encapsulated and then sent over the public network.

Step 6: Delete the static routes

Use the undo ip route-static command.

Step 7: Configure dynamic routing for the public network

[RTA]ospf 1
[RTA-ospf-1]area 0.0.0.0
[RTA-ospf-1-area-0.0.0.0]network 1.0.0.0 0.255.255.255

[RTB]ospf 1
[RTB-ospf-1]area 0.0.0.0
[RTB-ospf-1-area-0.0.0.0]network 2.0.0.0 0.255.255.255

[SWA]ospf 1
[SWA-ospf-1]area 0.0.0.0
[SWA-ospf-1-area-0.0.0.0]network 1.0.0.0 0.255.255.255
[SWA-ospf-1-area-0.0.0.0]network 2.0.0.0 0.255.255.255

Step 8: Configure dynamic routing for the private networks

[RTA]rip 1
[RTA-rip-1]version 2
[RTA-rip-1]network 192.168.1.0
[RTA-rip-1]network 192.168.3.0

[RTB]rip
[RTB-rip-1]version 2
[RTB-rip-1]network 192.168.2.0
[RTB-rip-1]network 192.168.3.0

Step 9: Verify tunnel operation again

Check the routing tables on RTA and RTB:

display ip routing-table
Routing Tables: Public
Destinations : 10       Routes : 10
Destination/Mask    Proto   Pre  Cost  NextHop      Interface
1.1.1.0/24          OSPF    10   2     2.2.2.2      GE0/1
2.2.2.0/24          Direct  0    0     2.2.2.1      GE0/1
2.2.2.1/32          Direct  0    0     127.0.0.1    InLoop0
127.0.0.0/8         Direct  0    0     127.0.0.1    InLoop0
127.0.0.1/32        Direct  0    0     127.0.0.1    InLoop0
192.168.1.0/24      RIP     100  1     192.168.3.1  Tun0
192.168.2.0/24      Direct  0    0     192.168.2.1  GE0/0
192.168.2.1/32      Direct  0    0     127.0.0.1    InLoop0
192.168.3.0/30      Direct  0    0     192.168.3.2  Tun0
192.168.3.2/32      Direct  0    0     127.0.0.1    InLoop0

Proceed to the next lab task.

Lab Task 2: GRE tunnel authentication

Step 1: Configure tunnel authentication on one side only

First enable tunnel authentication on RTA only:

[RTA-Tunnel0]gre key 1234

Step 2: Check tunnel connectivity

Use ping to check connectivity between PCA and PCB. Because tunnel authentication is configured on only one side, the ping should fail.

C:\Documents and Settings\User>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.2.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Step 3: Configure mismatched tunnel authentication

Enable tunnel authentication on RTB as well, but with a key value different from RTA's:

[RTB-Tunnel0]gre key 12345

Step 4: Check tunnel connectivity

Use ping to check connectivity between PCA and PCB. Because the configured key values do not match, the ping should fail.

C:\Documents and Settings\User>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.2.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Step 5: Configure tunnel authentication correctly

On RTB, configure the same key value as on RTA:

[RTB-Tunnel0]gre key 1234

Step 6: Check tunnel connectivity

Use ping to check connectivity between PCA and PCB. Because tunnel authentication is now configured correctly, the ping should succeed.

C:\Documents and Settings\User>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 192.168.2.1: bytes=32 time=1ms TTL=254
Reply from 192.168.2.1: bytes=32 time<1ms TTL=254
Reply from 192.168.2.1: bytes=32 time<1ms TTL=254
Reply from 192.168.2.1: bytes=32 time<1ms TTL=254
Ping statistics for 192.168.2.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms

Note:

Because RIP is running on RTA and RTB, if the key values stay mismatched for a long time, RIP removes the private network routes learned from the peer. In that case, after the correct key value is configured you have to wait for RIP to relearn the routes.
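The following Python model is added here as an example (it is not H3C code) and ties Lab Task 1 and Lab Task 2 together: it reproduces the 84-byte outer packet seen in the GRE debugging output, the tunnel MTU of 1476 without a key and 1472 with one, and the drop a receiver performs when the GRE Key field is absent or differs from its configured value. PCA's address 192.168.1.2 and the inner ping packet are constructed assumptions.

```python
"""GRE over IPv4 encapsulation model (RFC 2784 / RFC 2890).  Added example for
this lab, not H3C's implementation.  Shows the outer packet length, the tunnel
MTU with and without 'gre key', and key checking on the receiving side."""
import struct
from ipaddress import IPv4Address
from typing import Optional

IPV4_HDR_LEN = 20        # outer IPv4 header, no options
GRE_BASE_LEN = 4         # flags/version + protocol type
GRE_KEY_LEN = 4
GRE_CSUM_LEN = 4         # checksum + reserved1
ETHERTYPE_IPV4 = 0x0800
FLAG_CSUM = 0x8000
FLAG_KEY = 0x2000
IPPROTO_GRE = 47


def gre_mtu(link_mtu: int = 1500, key: bool = False, checksum: bool = False) -> int:
    """Tunnel interface MTU = link MTU minus outer IPv4 and GRE overhead.
    1476 for a plain tunnel, 1472 once a key is configured (as the lab shows)."""
    overhead = IPV4_HDR_LEN + GRE_BASE_LEN
    overhead += GRE_KEY_LEN if key else 0
    overhead += GRE_CSUM_LEN if checksum else 0
    return link_mtu - overhead


def gre_header(key: Optional[int] = None) -> bytes:
    flags = FLAG_KEY if key is not None else 0
    hdr = struct.pack("!HH", flags, ETHERTYPE_IPV4)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr


def ipv4_header(src: str, dst: str, total_len: int, proto: int = IPPROTO_GRE,
                ttl: int = 255) -> bytes:
    # ver/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum (0), src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def encapsulate(inner: bytes, src: str, dst: str, key: Optional[int] = None) -> bytes:
    """What RTA does on Tunnel0: outer IPv4 (protocol 47) + GRE + inner packet."""
    gre = gre_header(key)
    outer = ipv4_header(src, dst, IPV4_HDR_LEN + len(gre) + len(inner))
    return outer + gre + inner


def decapsulate(packet: bytes, expected_key: Optional[int]) -> Optional[bytes]:
    """Receiver side.  Returns the inner packet, or None when the packet is
    dropped: wrong protocol, or a Key field that is missing or does not match
    the locally configured key (RFC 2890 requires such packets to be discarded).
    Note the key travels in cleartext: it separates tunnels, it is not
    cryptographic authentication, which is why GRE is usually paired with IPsec."""
    if len(packet) < IPV4_HDR_LEN + GRE_BASE_LEN or packet[9] != IPPROTO_GRE:
        return None
    ihl = (packet[0] & 0x0F) * 4
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + GRE_BASE_LEN])
    pos = ihl + GRE_BASE_LEN
    if flags & FLAG_CSUM:
        pos += GRE_CSUM_LEN          # checksum not validated in this model
    key = None
    if flags & FLAG_KEY:
        key = struct.unpack("!I", packet[pos:pos + GRE_KEY_LEN])[0]
        pos += GRE_KEY_LEN
    if key != expected_key or proto != ETHERTYPE_IPV4:
        return None
    return packet[pos:]


# Constructed inner packet: 20-byte IPv4 + 8-byte ICMP echo + 32 data bytes,
# i.e. the "ping -n 1" from PCA (PCA's address 192.168.1.2 is assumed).
INNER_PING = (ipv4_header("192.168.1.2", "192.168.2.1", 60, proto=1, ttl=127)
              + struct.pack("!BBHHH", 8, 0, 0, 1, 1) + bytes(32))

if __name__ == "__main__":
    plain = encapsulate(INNER_PING, "1.1.1.1", "2.2.2.1")
    print(f"Outgoing packet header 1.1.1.1->2.2.2.1 (length = {len(plain)})")
    print("MTU without key:", gre_mtu(), " MTU with key:", gre_mtu(key=True))
    keyed = encapsulate(INNER_PING, "1.1.1.1", "2.2.2.1", key=1234)
    print("RTB key 1234  accepts:", decapsulate(keyed, 1234) is not None)
    print("RTB key 12345 accepts:", decapsulate(keyed, 12345) is not None)
    print("RTB no key    accepts:", decapsulate(keyed, None) is not None)
```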

Lab Task 3: GRE tunnel keepalive

Step 1: Restore the static route configuration

[RTA]undo rip
Warning : Undo RIP process? [Y/N]:y
[RTA]undo ospf
Warning : Undo OSPF process? [Y/N]:y
[RTA]ip route-static 192.168.2.0 255.255.255.0 Tunnel0
[RTA]ip route-static 2.2.2.0 255.255.255.0 1.1.1.2

[RTB]undo rip
Warning : Undo RIP process? [Y/N]:y
[RTB]undo ospf
Warning : Undo OSPF process? [Y/N]:y
[RTB]ip route-static 192.168.1.0 255.255.255.0 Tunnel0
[RTB]ip route-static 1.1.1.0 255.255.255.0 2.2.2.2

Step 2: Simulate a network failure

[SWA-Vlan-interface2]shutdown

Step 3: Check the tunnel interface status on RTA

Check the tunnel interface status on RTA; the tunnel interface still appears to be up:

[RTA]display interface Tunnel 0
Tunnel0 current state: UP
Line protocol current state: UP
Description: Tunnel0 Interface
The Maximum Transmit Unit is 1472
Internet Address is 192.168.3.1/30 Primary
Encapsulation is TUNNEL, service-loopback-group ID not set.
Tunnel source 1.1.1.1, destination 2.2.2.1
Tunnel keepalive disable
Tunnel protocol/transport GRE/IP
GRE key value is 1234
Checksumming of GRE packets disabled
Output queue : (Urgent queuing : Size/Length/Discards) 0/100/0
Output queue : (Protocol queuing : Size/Length/Discards) 0/500/0
Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0
Last 300 seconds input: 0 bytes/sec, 0 packets/sec
Last 300 seconds output: 0 bytes/sec, 0 packets/sec
1016 packets input, 100223 bytes
10 input error
981 packets output, 41128 bytes
0 output error

This shows that RTA cannot detect the change at the far end: on RTA, the interface that owns the tunnel source address is still up, and the route to the tunnel destination address still exists.

Step 4: Restore the network

[SWA-Vlan-interface2]undo shutdown

Step 5: Configure tunnel keepalive

[RTA]interface Tunnel 0
[RTA-Tunnel0]keepalive

[RTB]interface Tunnel 0
[RTB-Tunnel0]keepalive

Step 6: Simulate a network failure

Enable debugging on RTA:

terminal monitor
terminal debugging
debugging gre all
debugging tunnel all

Shut down the VLAN 2 interface on SWA to simulate a sudden failure of the public network route.

[SWA-Vlan-interface2]shutdown

Step 7: Observe the effect and check tunnel connectivity

Observe the debugging output on RTA. It looks like this:

*Jun 26 17:31:54:794 2009 RTA TUNNEL/7/debug: Tunnel0 link state is UP, no change.
*Jun 26 17:31:55:508 2009 RTA TUNNEL/7/debug:
Before encapsulation, the packet's ulLoopTimes is 0.
......
......
*Jun 26 17:32:55:968 2009 RTA TUNNEL/7/debug:
Before encapsulation, the packet's ulLoopTimes is 0.
*Jun 26 17:33:00:293 2009 RTA TUNNEL/7/debug: Tunnel0 link state is UP, no change.
*Jun 26 17:33:05:332 2009 RTA TUNNEL/7/debug: Tunnel0 link state is UP, no change.
*Jun 26 17:33:06:45 2009 RTA TUNNEL/7/debug:
Before encapsulation, the packet's ulLoopTimes is 0.
*Jun 26 17:33:10:369 2009 RTA TUNNEL/7/debug: Tunnel0 link state is UP, no change.
*Jun 26 17:33:15:408 2009 RTA TUNNEL/7/debug: Tunnel0 link state is UP, no change.
%Jun 26 17:33:16:168 2009 RTA TUNNEL/4/LINK UPDOWN: Tunnel0: link status is DOWN
%Jun 26 17:33:16:168 2009 RTA IFNET/4/UPDOWN: Line protocol on the interface Tunnel0 is DOWN
*Jun 26 17:33:16:168 2009 RTA TUNNEL/7/debug: Tunnel0 down, because keepalive is not reached.
*Jun 26 17:33:16:169 2009 RTA TUNNEL/7/debug:
Can not get tunnel ID when tunnel(index = 0x2f0000) state is down.
*Jun 26 17:33:16:169 2009 RTA TUNNEL/7/debug:
Tunnel_DelTunnInUpTunnTbl: The tunnel(0x2f0000) state is down.
*Jun 26 17:33:16:169 2009 RTA TUNNEL/7/debug:
Before encapsulation, the packet's ulLoopTimes is 0.
*Jun 26 17:33:20:451 2009 RTA TUNNEL/7/debug: Tunnel0 down, because keepalive is not reached.
*Jun 26 17:33:20:451 2009 RTA TUNNEL/7/debug: Tunnel0 link state is DOWN, no change.
*Jun 26 17:33:25:490 2009 RTA TUNNEL/7/debug: Tunnel0 down, because keepalive is not reached.
*Jun 26 17:33:25:490 2009 RTA TUNNEL/7/debug: Tunnel0 link state is DOWN, no change.
*Jun 26 17:33:26:203 2009 RTA TUNNEL/7/debug:

After a while the Tunnel0 interface state changes to DOWN; according to the debugging output, the cause is lost keepalive messages.

Disable debugging and view the Tunnel0 interface information:

undo debugging all
All possible debugging has been turned off
display interface tunnel 0
Tunnel0 current state: DOWN
Line protocol current state: DOWN
Description: Tunnel0 Interface
The Maximum Transmit Unit is 1472
Internet Address is 192.168.3.1/30 Primary
Encapsulation is TUNNEL, service-loopback-group ID not set.
Tunnel source 1.1.1.1, destination 2.2.2.1
Tunnel keepalive enable, Period(10 s), Retries(3)
Tunnel protocol/transport GRE/IP
GRE key value is 1234
Checksumming of GRE packets disabled
Output queue : (Urgent queuing : Size/Length/Discards) 0/100/0
Output queue : (Protocol queuing : Size/Length/Discards) 0/500/0
Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0
Last 300 seconds input: 2 bytes/sec, 0 packets/sec
Last 300 seconds output: 2 bytes/sec, 0 packets/sec
1115 packets input, 101679 bytes
10 input error
1084 packets output, 44012 bytes
0 output error

The Tunnel0 interface state has indeed changed to DOWN.

Re-enable the VLAN 2 interface on SWA; after a while the Tunnel0 interface state and the connectivity between PCA and PCB return to normal.
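To make the keepalive behaviour of this lab task concrete, here is an added simulation (not H3C's implementation) of the tunnel keepalive at its defaults, Period(10 s) and Retries(3): the public path is cut at one point in time and restored at another, and the model records when the tunnel goes DOWN and when it comes back UP. The event schedule and log wording are constructed, not taken from the device.

```python
"""Model of GRE tunnel keepalive (Period 10 s, Retries 3) for Lab Task 3.
Added example, not H3C code.  A keepalive probe is sent every period; the
tunnel goes DOWN once 'retries' consecutive probes get no reply, and comes
back UP as soon as a reply is seen again."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class GreKeepalive:
    name: str = "Tunnel0"
    period: int = 10           # seconds between keepalive probes
    retries: int = 3           # unanswered probes tolerated before DOWN
    state: str = "UP"
    missed: int = 0
    log: List[str] = field(default_factory=list)

    def probe(self, t: int, reply_seen: bool) -> str:
        """One keepalive period has elapsed at time t (seconds).  reply_seen
        says whether the peer's response came back over the public network."""
        if reply_seen:
            self.missed = 0
            if self.state == "DOWN":
                self.state = "UP"
                self.log.append(f"{t:>4}s {self.name}: link status is UP")
            else:
                self.log.append(f"{t:>4}s {self.name} link state is UP, no change.")
        else:
            self.missed += 1
            if self.missed >= self.retries and self.state == "UP":
                self.state = "DOWN"
                self.log.append(f"{t:>4}s {self.name} down, because keepalive is not reached.")
            else:
                self.log.append(f"{t:>4}s {self.name} link state is {self.state}, no change.")
        return self.state


def simulate(reachable_until: int, restored_at: int, total: int,
             period: int = 10, retries: int = 3) -> Tuple[List[Tuple[int, str]], List[str]]:
    """Run the keepalive clock from 0 to total seconds.  The public path works
    up to reachable_until (SWA 'shutdown') and again from restored_at
    ('undo shutdown').  Returns the (time, new_state) transitions and the log."""
    ka = GreKeepalive(period=period, retries=retries)
    transitions: List[Tuple[int, str]] = []
    prev = ka.state
    for t in range(period, total + 1, period):
        path_ok = t <= reachable_until or t >= restored_at
        state = ka.probe(t, path_ok)
        if state != prev:
            transitions.append((t, state))
            prev = state
    return transitions, ka.log


def time_to_detect(period: int = 10, retries: int = 3) -> int:
    """Detection delay after a failure: 'retries' probes, one period apart
    (about 30 s at the defaults; without keepalive the tunnel never goes down)."""
    return period * retries


if __name__ == "__main__":
    transitions, log = simulate(reachable_until=25, restored_at=120, total=150)
    print("\n".join(log))
    print("transitions:", transitions)
```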


Lab 2 Configuring L2TP VPN

Lab Task 1: Configure standalone LAC mode

Step 1: Set up the lab environment

Connect the devices. On SWA, configure VLAN 2 and add interface E1/0/2 to VLAN 2.


[SWA]vlan 2

[SWA-vlan2]port Ethernet 1/0/2

Step 2: Check public network connectivity

Check the routing table and port status on SWA to confirm that it is working correctly.

[SWA]display ip interface brief
*down: administratively down
(s): spoofing
Interface        Physical Protocol IP Address Description
Vlan-interface1  up       up       1.1.1.2    Vlan-inte...
Vlan-interface2  up       up       2.2.2.2    Vlan-inte...
[SWA]display ip routing-table
Routing Tables: Public
Destinations : 6        Routes : 6
Destination/Mask    Proto   Pre  Cost  NextHop      Interface
1.1.1.0/24          Direct  0    0     1.1.1.2      Vlan1
1.1.1.2/32          Direct  0    0     127.0.0.1    InLoop0
2.2.2.0/24          Direct  0    0     2.2.2.2      Vlan2
2.2.2.2/32          Direct  0    0     127.0.0.1    InLoop0
127.0.0.0/8         Direct  0    0     127.0.0.1    InLoop0
127.0.0.1/32        Direct  0    0     127.0.0.1    InLoop0

Configure the static routes that RTA and RTB need to reach each other's public network interfaces.

[RTA]interface GigabitEthernet0/0
[RTA-GigabitEthernet0/0]ip address 192.168.1.1 255.255.255.0
[RTA-GigabitEthernet0/0]interface GigabitEthernet0/1
[RTA-GigabitEthernet0/1]ip address 1.1.1.1 255.255.255.0
[RTA-GigabitEthernet0/1]ip route-static 2.2.2.0 255.255.255.0 1.1.1.2

[RTB]interface GigabitEthernet0/0
[RTB-GigabitEthernet0/0]ip address 192.168.2.1 255.255.255.0
[RTB-GigabitEthernet0/0]interface GigabitEthernet0/1
[RTB-GigabitEthernet0/1]ip address 2.2.2.1 255.255.255.0
[RTB-GigabitEthernet0/1]ip route-static 1.1.1.0 255.255.255.0 2.2.2.2

On RTA, test connectivity to RTB; the ping should succeed. At this point the public network simulated by SWA is working normally.

Step 3: Configure PPPoE

First configure the authentication domain abc.com:

[RTA]domain abc.com

[RTA-isp-abc.com]authentication ppp local

Then configure the PPPoE user and password:

[RTA]local-user vpdnuser
[RTA-luser-vpdnuser]password simple Hello
[RTA-luser-vpdnuser]service-type ppp

Configure a virtual template interface and enable the PPPoE server on the physical interface, so that it accepts PPPoE dial-up connections and authenticates them:

[RTA-isp-abc.com]interface Virtual-Template0
[RTA-Virtual-Template0]ppp authentication-mode chap domain abc.com
[RTA-Virtual-Template0]interface GigabitEthernet0/0
[RTA-GigabitEthernet0/0]pppoe-server bind Virtual-Template 0

Step 4: Configure the LAC

[RTA] l2tp enable
[RTA]l2tp-group 1
[RTA-l2tp1] tunnel password simple aabbcc


[RTA-l2tp1] tunnel name LAC

[RTA-l2tp1] start l2tp ip 2.2.2.1 domain abc.com

Step 5: Configure the LNS

Configure RTB. First enable L2TP:

[RTB]l2tp enable

Then configure the abc.com domain and an IP address pool. The domain supplies the parameters used to authenticate L2TP VPN users, and the address pool is used to assign IP addresses to L2TP VPN clients:

[RTB]domain abc.com

[RTB-isp-abc.com]authentication ppp local

[RTB-isp-abc.com]ip pool 1 192.168.1.2 192.168.1.100

Next add a local user and configure its password and service type; it is used to authenticate the L2TP VPN user:

[RTB-isp-abc.com]local-user vpdnuser
[RTB-luser-vpdnuser]password simple Hello
[RTB-luser-vpdnuser]service-type ppp

Then configure the L2TP group, specifying that it accepts control connections initiated by the peer named LAC in domain abc.com, and configure the local tunnel name and the tunnel authentication password:

[RTB-luser-vpdnuser]l2tp-group 1
[RTB-l2tp1]allow l2tp virtual-template 1 remote LAC domain abc.com
[RTB-l2tp1]tunnel password simple aabbcc
[RTB-l2tp1]tunnel name LNS

Finally, a virtual template interface is needed to authenticate dial-in L2TP VPN users, assign them addresses and exchange IP traffic with them:

[RTB-l2tp1]interface Virtual-Template1
[RTB-Virtual-Template1]ppp authentication-mode chap domain abc.com
[RTB-Virtual-Template1]remote address pool 1
[RTB-Virtual-Template1]ip address 192.168.1.1 255.255.255.0

Step 6: Configure the PPPoE client and place the L2TP call

Create a PPPoE connection on PCA. In Windows XP, click Start -> All Programs -> Accessories -> Communications -> New Connection Wizard on the taskbar to open the New Connection Wizard window shown in Figure 2-1.

Figure 2-1 New Connection Wizard window

Click Next to go to the window shown in Figure 2-2 and select Connect to the Internet.

Figure 2-2 Select the network connection type

Click Next to go to the window shown in Figure 2-3 and select Set up my connection manually.

Click Next to go to the window shown in Figure 2-4 and select Connect using a broadband connection that requires a user name and password.

Figure 2-3 Choose how to set up the connection

Figure 2-4 Select the connection type

Click Next to go to the window shown in Figure 2-5 and enter a connection name in the ISP Name box, for example "My PPPoE connection". Click Next, specify which users may use the connection, then click Next again to go to the window shown in Figure 2-6. Enter the user name vpdnuser@abc.com in the User name box and the password Hello in the Password and Confirm password boxes. If necessary, clear the Make this the default Internet connection check box.


Click Next, then Finish, to complete the connection setup.

Figure 2-5 Set the connection name

Figure 2-6 Set the Internet account information

On the taskbar click Start -> Settings -> Control Panel and open the Network Connections window, where the newly configured "My PPPoE connection" appears. Double-click it to open the window shown in Figure 2-7 and click Connect to place the call. Once the dial-up succeeds, the connection's status in the Network Connections window shows Connected.

Figure 2-7 Place the connection

Step 7: Check private network connectivity

Ping PCB from PCA to check connectivity; the ping should succeed.

Step 8: Observe the tunnel establishment process

Use display commands on RTA and RTB to view the relevant information. An L2TP tunnel has been established between RTA and RTB, carrying one L2TP session:

[RTA]display l2tp tunnel
Total tunnel = 1
LocalTID RemoteTID RemoteAddress Port Sessions RemoteName
1        1         2.2.2.1       1701 1        LNS
[RTA]display l2tp session
Total session = 1
LocalSID RemoteSID LocalTID
11984    3303      1

display l2tp tunnel
Total tunnel = 1
LocalTID RemoteTID RemoteAddress Port Sessions RemoteName
1        1         1.1.1.1       1701 1        LAC
display l2tp session
Total session = 1
LocalSID RemoteSID LocalTID
3303     11984     1

Use the reset command to tear down the tunnel:

reset l2tp tunnel name LAC

Clear L2TP tunnel remote name = LAC

Run the display commands again; the tunnel and the session have disappeared.

Enable debugging on RTA and RTB:

debugging l2tp event
debugging l2tp control
debugging l2tp event
debugging l2tp control

Place the call again and observe the tunnel establishment process in the debugging output:

%Jun 29 16:10:23:450 2009 RTA IFNET/4/UPDOWN:

Line protocol on the interface Virtual-Template0:0 is UP

*Jun 29 16:10:23:453 2009 RTA L2TP/7/L2TDBG: L2TP_EVENT: LAC is establishing a call on interface: Virtual-Template0:0

*Jun 29 16:10:23:454 2009 RTA L2TP/7/L2TDBG: L2TP_EVENT: Handle call UP, IfIndex =3145728

*Jun 29 16:10:23:454 2009 RTA L2TP/7/L2TDBG: L2TP_EVENT: LNS address in RADIUS = 2.2.2.1
*Jun 29 16:10:23:454 2009 RTA L2TP/7/L2TDBG: L2TP_EVENT: VPDN group number in RADIUS = 1
*Jun 29 16:10:23:454 2009 RTA L2TP/7/L2TDBG: L2TP_EVENT: LNS address = 2.2.2.1
*Jun 29 16:10:23:454 2009 RTA L2TP/7/L2TDBG: L2TP_EVENT: Add new call 11564 to tunnel 1 call list (total 1)

*Jun 29 16:10:23:454 2009 RTA L2TP/7/L2TDBG: L2TP_EVENT: Get UDP port number successfully: port 1701

*Jun 29 16:10:23:454 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Message Type: START_CONTROL_CONNECTION_REQUEST
*Jun 29 16:10:23:598 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Protocol version: 100
*Jun 29 16:10:23:699 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Host name: LAC
*Jun 29 16:10:23:799 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Vendor name: H3C
*Jun 29 16:10:23:910 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Framing capability :3
*Jun 29 16:10:24:11 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Assigned Tunnel ID: 1

*Jun 29 16:10:24:61 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Receive window size: 128

*Jun 29 16:10:24:212 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Challenge :59 1A BB 52 70 E2 15 CD 82 C2 CC 3F 49 2F AB D4

*Jun 29 16:10:24:313 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Tunnel 1 started the Hello timer (60 seconds)

*Jun 29 16:10:24:414 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Tunnel 1 sent a SCCRQ message

*Jun 29 16:10:24:515 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Tunnel 1 recv ctrl message and restarted Hello timer

*Jun 29 16:10:24:615 2009 RTA L2TP/7/L2TDBG: L2TP_EVENT: Received message type: 2

*Jun 29 16:10:24:666 2009 RTA L2TP/7/L2TDBG: L2TP_EVENT: Board 0 recv from SOCK call ID=0 tunnel ID=1 MsgType = 2 Length = 117
*Jun 29 16:10:24:767 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Proc a control message from the peer: type=2, len = 117

*Jun 29 16:10:24:878 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Tunnel 1 recv SCCRP when in state 2

*Jun 29 16:10:24:978 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Tunnel 1 started the Hello timer (60 seconds)

*Jun 29 16:10:25:79 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Checked SCCRP MSG TYPE = 2

*Jun 29 16:10:25:230 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Parse AVP Protocol version, value: 100

*Jun 29 16:10:25:281 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Parse AVP Framing capability, value: 3

*Jun 29 16:10:25:432 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Parse AVP Host name, value: LNS
*Jun 29 16:10:25:532 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Parse AVP Remote tunnel ID: 1
*Jun 29 16:10:25:633 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Parse AVP Bearer capability, value: 3
*Jun 29 16:10:25:784 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Parse AVP Receive window size: 128

*Jun 29 16:10:25:885 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Parse AVP Challenge, Value: 81 14 35 54 9E DC AA 1D 55 3F 1D CA 6D 7F 51 AE

*Jun 29 16:10:25:996 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Parse AVP Challenge response: 9F 97 EC A2 E6 84 68 56 77 FD EC 56 74 9A 6B 5D

*Jun 29 16:10:26:46 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Message Type: START_CONTROL_CONNECTION_CONNECTED

*Jun 29 16:10:26:147 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Challenge response:1D B5 3C B0 3C 23 C7 16 BC 70 76 22 2F F2 D3 2F

*Jun 29 16:10:26:248 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Tunnel 1 sent SCCCN to tunnel 1

*Jun 29 16:10:26:349 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Tunnel 1: waiting for calls

*Jun 29 16:10:26:449 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Message Type: INCOMING_CALL_REQUEST

- 15 -

实验2配置L2TP VPN

*Jun 29 16:10:26:550 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Assigned call ID: 11564

*Jun 29 16:10:26:651 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Call serial number: 11564

*Jun 29 16:10:26:802 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Bearer type : 3
*Jun 29 16:10:26:953 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Physical channel number: 0

*Jun 29 16:10:27:64 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Dialed number: 8888

*Jun 29 16:10:27:215 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Call 11564 sent a ICRQ message

*Jun 29 16:10:27:316 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Tunnel 1 recv ctrl message and restarted Hello timer

*Jun 29 16:10:27:417 2009 RTA L2TP/7/L2TDBG: L2TP_EVENT: Received message type: 11

*Jun 29 16:10:27:517 2009 RTA L2TP/7/L2TDBG: L2TP_EVENT: Board 0 recv from SOCK call ID=11564 tunnel ID=1 MsgType = 11 Length = 28
*Jun 29 16:10:27:618 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Proc a control message from the peer: type=11, len = 28
*Jun 29 16:10:27:719 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Call 11564 recv ICRP in state 4 from Call 0
*Jun 29 16:10:27:769 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Tunnel 1 restarted the Hello timer (60 seconds)

*Jun 29 16:10:27:870 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Checked ICRP MSG TYPE = 11

*Jun 29 16:10:27:971 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Parse AVP remote call ID: 13787

*Jun 29 16:10:28:82 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Message Type: INCOMING_CALL_CONNECTED
*Jun 29 16:10:28:182 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Tx connect speed: 0
*Jun 29 16:10:28:283 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Framing type : 3
*Jun 29 16:10:28:434 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Initial received LCP options

*Jun 29 16:10:28:535 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Last sent LCP options

*Jun 29 16:10:28:636 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Last received LCP options

*Jun 29 16:10:28:737 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Proxy authentication type : 2

*Jun 29 16:10:28:837 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Proxy authentication name : vpdnuser@abc.com

*Jun 29 16:10:28:938 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Proxy authentication challenge

*Jun 29 16:10:29:39 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Proxy authentication ID : 1

*Jun 29 16:10:29:150 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Parse AVP Proxy authenticate response:95 01 9b 56 4e 1b 7b 26 2a ee 75 3a 34 24 d7 a9

*Jun 29 16:10:29:251 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Proxy private group number : 0
*Jun 29 16:10:29:351 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Rx connect speed: 0

*Jun 29 16:10:29:452 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Call 11564 sent a ICCN message to remote Call 13787

*Jun 29 16:10:29:503 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Tunnel 1 recv ctrl message and restarted Hello timer

*Jun 29 16:10:29:603 2009 RTA L2TP/7/L2TDBG: L2TP_EVENT: Received message type: 16

*Jun 29 16:10:29:754 2009 RTA L2TP/7/L2TDBG: L2TP_EVENT: Board 0 recv from SOCK call ID=11564 tunnel ID=1 MsgType = 16 Length = 36
*Jun 29 16:10:29:855 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Proc a control message from the peer: type=16, len = 36

*Jun 29 16:10:29:956 2009 RTA L2TP/7/L2TDBG: L2TP_EVENT: Proc peer data. Result 0
*Jun 29 16:10:30:107 2009 RTA L2TP/7/L2TDBG: L2TP_EVENT: Proc peer data. Result 0

*Jun 29 16:10:30:218 2009 RTA L2TP/7/L2TDBG: L2TP_EVENT: Proc peer data. Result 0

*Jun 29 16:10:30:319 2009 RTA L2TP/7/L2TDBG: L2TP_EVENT: Proc peer data. Result 0

*Jun 29 16:10:30:420 2009 RTA L2TP/7/L2TDBG: L2TP_EVENT: Proc peer data. Result 0

*Jun 29 16:10:30:520 2009 RTA L2TP/7/L2TDBG: L2TP_EVENT: Proc peer data. Result 0

*Jun 29 16:10:30:621 2009 RTA L2TP/7/L2TDBG: L2TP_EVENT: Proc peer data. Result 0

*Jun 29 16:10:33:528 2009 RTA L2TP/7/L2TDBG: L2TP_EVENT: Proc peer data. Result 0

*Jun 29 16:10:43:604 2009 RTA L2TP/7/L2TDBG: L2TP_EVENT: Proc peer data. Result 0

*Jun 29 16:10:53:681 2009 RTA L2TP/7/L2TDBG: L2TP_EVENT: Proc peer data. Result 0

Disconnect the connection and observe the debugging output:

*Jun 29 16:10:56:752 2009 RTA L2TP/7/L2TDBG: L2TP_EVENT: Proc peer data. Result 0

%Jun 29 16:10:56:781 2009 RTA IFNET/4/UPDOWN:

Line protocol on the interface Virtual-Template0:0 is DOWN

*Jun 29 16:10:56:782 2009 RTA L2TP/7/L2TDBG: L2TP_EVENT: CALL 11564 DOWN on interface: Virtual-Template0:0

*Jun 29 16:10:56:783 2009 RTA L2TP/7/L2TDBG: L2TP_EVENT: Proc l2tp down msg, call in the state 9

*Jun 29 16:10:56:783 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Message Type: CALL_DISCONNECT_NOTIFY

*Jun 29 16:10:56:784 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Result code: LOSS_OF_CARRIER

*Jun 29 16:10:56:784 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Assigned call ID: 11564

*Jun 29 16:10:56:784 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Call 11564 sent a CDN message

*Jun 29 16:10:56:784 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Cleared the data structure of call 11564
*Jun 29 16:10:56:881 2009 RTA L2TP/7/L2TDBG: L2TP_EVENT: Proc call ID = 11564 Down
*Jun 29 16:10:56:982 2009 RTA L2TP/7/L2TDBG: L2TP_EVENT: Disabled L2TP successfully on interface 3145728
*Jun 29 16:10:57:82 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Tunnel 1 recv ctrl message and restarted Hello timer

*Jun 29 16:10:57:183 2009 RTA L2TP/7/L2TDBG: L2TP_EVENT: Received message type: 39856

*Jun 29 16:10:57:294 2009 RTA L2TP/7/L2TDBG: L2TP_EVENT: Board 0 recv from SOCK call ID=0 tunnel ID=1 Length = 12

*Jun 29 16:10:57:395 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Proc peer control len = 12

*Jun 29 16:11:23:524 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Hello timer of tunnel 1 expired in 60 seconds

*Jun 29 16:11:23:524 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Tunnel 1 sent StopCCN to Tunnel 1

*Jun 29 16:11:23:525 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Message Type: STOP_CONTROL_CONNECTION_NOTIFICATION
*Jun 29 16:11:23:525 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Assigned Tunnel ID: 1

*Jun 29 16:11:23:525 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Put AVP Result code: LOSS_OF_CARRIER

*Jun 29 16:11:23:525 2009 RTA L2TP/7/L2TDBG: L2TP_EVENT: Cleared Tunnel remote ID:1, local ID:1

*Jun 29 16:11:23:770 2009 RTA L2TP/7/L2TDBG: L2TP_CONTROL: Received ctrl message is ZLB, discard it

This shows the main L2TP message exchange during a call. For reasons of space the debugging output of RTB is not listed here; observe it yourself.
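The tunnel password configured in Step 5 and the Challenge / Challenge response AVPs in the SCCRQ, SCCRP and SCCCN messages above are tied together by L2TP tunnel authentication (RFC 2661). The Python below is an added example, not H3C code: it runs the three-way exchange with a shared secret, shows a mismatched password failing, and parses the hex value out of a debug line of the kind shown above. The challenge bytes it uses are constructed; the helper names and the CHAP-style hash with the message type as identifier follow the RFC, and the same function serves PPP CHAP on the Virtual-Template with the CHAP identifier in place of the message type.

```python
"""L2TP tunnel authentication (RFC 2661, Challenge / Challenge Response AVPs).
Added example for this lab, not H3C's implementation.  Both ends share the
'tunnel password' (aabbcc in the lab) and answer the peer's 16-byte challenge
with MD5(message_type || secret || challenge), exactly like PPP CHAP with the
message type used as the CHAP identifier (2 for SCCRP, 3 for SCCCN)."""
import hashlib
import hmac
import os
from typing import Dict

SCCRQ, SCCRP, SCCCN = 1, 2, 3        # L2TP control message types


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP (RFC 1994) / L2TP tunnel-auth response: MD5(ID || secret || challenge).
    MD5 here is a keyed hash, not encryption: a captured challenge/response pair
    lets anyone test password guesses offline, so the tunnel password must be
    strong and L2TP is normally carried inside IPsec."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


def verify(ident: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)


def tunnel_auth_exchange(lac_secret: bytes, lns_secret: bytes,
                         lac_challenge: bytes, lns_challenge: bytes) -> Dict[str, object]:
    """Three-way control connection setup with tunnel authentication.
    Returns each side's decision; with different 'tunnel password' values the
    LAC rejects the SCCRP (or the LNS rejects the SCCCN) and no tunnel forms."""
    # SCCRQ (LAC -> LNS) carries lac_challenge: "Put AVP Challenge" on RTA.
    # SCCRP (LNS -> LAC) answers it and carries lns_challenge.
    sccrp_response = chap_response(SCCRP, lns_secret, lac_challenge)
    lac_accepts = verify(SCCRP, lac_secret, lac_challenge, sccrp_response)
    # SCCCN (LAC -> LNS) answers the LNS challenge: "Put AVP Challenge response".
    scccn_response = chap_response(SCCCN, lac_secret, lns_challenge)
    lns_accepts = verify(SCCCN, lns_secret, lns_challenge, scccn_response)
    return {
        "sccrp_response": sccrp_response.hex(),
        "scccn_response": scccn_response.hex(),
        "lac_accepts_sccrp": lac_accepts,
        "lns_accepts_scccn": lns_accepts,
        "tunnel_established": lac_accepts and lns_accepts,
    }


def parse_debug_hex(line: str) -> bytes:
    """Extract the hex value from a 'Put AVP Challenge :59 1A BB ...' or
    'Parse AVP Challenge response: 9F 97 ...' debug line, so that a captured
    pair can be checked against a known secret with verify()."""
    _, _, value = line.rpartition(":")
    return bytes.fromhex(value.replace(" ", ""))


if __name__ == "__main__":
    c_lac, c_lns = os.urandom(16), os.urandom(16)          # constructed challenges
    ok = tunnel_auth_exchange(b"aabbcc", b"aabbcc", c_lac, c_lns)
    bad = tunnel_auth_exchange(b"aabbcc", b"wrongpw", c_lac, c_lns)
    print("same tunnel password   ->", ok["tunnel_established"])
    print("different password     ->", bad["tunnel_established"])
```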

Lab Task 2: Configure client LAC mode

Step 1: Perform the basic configuration

Step 2: Configure public network routes

Delete all static routes. On RTA, delete all PPPoE and L2TP configuration.

[RTA-GigabitEthernet0/0]undo pppoe-server bind
All PPPoE Sessions on GigabitEthernet0/0 will be deleted, continue?[Y/N]:y
[RTA]undo domain abc.com
[RTA]undo l2tp enable
[RTA]undo l2tp-group 1
[RTA]undo interface Virtual-Template 0
[RTA]undo local-user vpdnuser
[RTA]undo domain abc.com

Configure OSPF on RTA, RTB and SWA:

[RTA]ospf
[RTA-ospf-1]area 0
[RTA-ospf-1-area-0.0.0.0]network 1.0.0.0 0.255.255.255
[RTA-ospf-1-area-0.0.0.0]network 3.0.0.0 0.255.255.255

[SWA]ospf
[SWA-ospf-1]area 0
[SWA-ospf-1-area-0.0.0.0]network 1.0.0.0 0.255.255.255
[SWA-ospf-1-area-0.0.0.0]network 2.0.0.0 0.255.255.255

[RTB]ospf
[RTB-ospf-1]area 0
[RTB-ospf-1-area-0.0.0.0]network 2.0.0.0 0.255.255.255

Step 3: Install the iNode client

Install the iNode client on PCA. Start the installer and follow the installation wizard.

Note:

For the iNode client to support L2TP, you must confirm installation of the virtual network adapter (Virtual NIC) during setup.

Step 4: Configure the iNode client

Start the iNode client. In its main window click File | New Connection to start the New Connection Wizard, shown in Figure 2-8.

Click Next to go to the window shown in Figure 2-9 and select L2TP IPSec VPN protocol.

Figure 2-8 Start the New Connection Wizard

Figure 2-9 Select the authentication protocol


Click Next to go to the window shown in Figure 2-10 and select Normal connection. Click Next to go to the window shown in Figure 2-11; enter a connection name in the Connection name box, for example "My VPN connection", the user name in the Login user name box and the password in the Login password box.

Figure 2-10 Select the connection type

Figure 2-11 Set the user name and password

Click Next to go to the window shown in Figure 2-12 and enter the LNS server address.

Click Advanced to open the window shown in Figure 2-13, go to the L2TP settings tab, enter the tunnel name LAC, select CHAP as the authentication mode, select Use tunnel authentication password and enter the tunnel password aabbcc. Click OK to return to the window shown in Figure 2-12.

Figure 2-12 Basic VPN connection settings

Figure 2-13 Advanced VPN connection properties

Click Next to go to the window shown in Figure 2-14 and click Create to create the new connection.

Figure 2-14 Complete the New Connection Wizard

Step 5: Configure the LNS

Keep the LNS configuration from the previous lab task on RTB. For convenience, the relevant configuration is listed here for reference:

[RTB]l2tp enable
[RTB]domain abc.com
[RTB-isp-abc.com]authentication ppp local
[RTB-isp-abc.com]ip pool 1 192.168.1.2 192.168.1.100
[RTB-isp-abc.com]local-user vpdnuser
[RTB-luser-vpdnuser]password simple Hello
[RTB-luser-vpdnuser]service-type ppp
[RTB-luser-vpdnuser]l2tp-group 1
[RTB-l2tp1]allow l2tp virtual-template 1 remote LAC domain abc.com
[RTB-l2tp1]tunnel password simple aabbcc
[RTB-l2tp1]tunnel name LNS
[RTB-l2tp1]interface Virtual-Template1
[RTB-Virtual-Template1]ppp authentication-mode chap domain abc.com
[RTB-Virtual-Template1]remote address pool 1

Step 6: Initiate an L2TP call and establish the L2TP tunnel

On PCA, view the connections with ipconfig. Besides the physical Ethernet connection, a new connection appears whose address lies in the 192.168.1.0/24 segment; it was obtained dynamically from interface Virtual-Template 1 on RTB.

C:\Documents and Settings\User>ipconfig

Windows IP Configuration

Ethernet adapter {7E6CC322-8F6E-490A-AD0D-A86FBDF2D2B6}:

        Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter 本地连接 3:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.3
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 192.168.1.3

Ethernet adapter 本地连接:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 3.3.3.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 3.3.3.1

On RTB, use display commands to view the L2TP tunnel and session information. The tunnel has been established and contains one session:

display l2tp tunnel
 Total tunnel = 1
 LocalTID RemoteTID RemoteAddress   Port  Sessions RemoteName
 1        1         3.3.3.2         1082  1        LAC
display l2tp session
 Total session = 1
 LocalSID RemoteSID LocalTID
 30512    41        1


Lab 3: Basic IPSec VPN Configuration

Lab task 1: Configuring IPSec with IKE main mode

This lab task requires building a tunnel between RTA and RTB, using IKE pre-shared-key authentication.

Step 1: Set up the lab environment

Connect the devices. On SWA, configure VLAN 2 and add interface E1/0/2 to it:

[SWA]vlan 2
[SWA-vlan2]port Ethernet 1/0/2

Step 2: Configure the routing protocol

Configure OSPF between RTA, SWA and RTB:

[RTA] ospf 1
[RTA-ospf-1] area 0.0.0.0
[RTA-ospf-1-area-0.0.0.0] network 1.0.0.0 0.255.255.255
[SWA] ospf 1
[SWA-ospf-1] area 0.0.0.0
[SWA-ospf-1-area-0.0.0.0] network 1.0.0.0 0.255.255.255
[SWA-ospf-1-area-0.0.0.0] network 2.0.0.0 0.255.255.255
[RTB]ospf 1
[RTB-ospf-1] area 0.0.0.0
[RTB-ospf-1-area-0.0.0.0] network 2.0.0.0 0.255.255.255

The OSPF domain does not include the interfaces that connect RTA and RTB to PCA and PCB, so SWA, which simulates the public network, has no routes to 192.168.1.0 or 192.168.2.0, only public-network routes.

Configure static routes for the private networks on RTA and RTB:

[RTA-ospf-1-area-0.0.0.0] ip route-static 192.168.2.0 255.255.255.0 1.1.1.2
[RTB-ospf-1-area-0.0.0.0] ip route-static 192.168.1.0 255.255.255.0 2.2.2.2

Afterwards, view the routing tables of RTA, RTB and SWA; SWA has no private-network routes:

display ip routing-table
Routing Tables: Public
        Destinations : 8        Routes : 8

Destination/Mask    Proto  Pre  Cost  NextHop         Interface
1.1.1.0/24          Direct 0    0     1.1.1.1         GE0/1
1.1.1.1/32          Direct 0    0     127.0.0.1       InLoop0
2.2.2.0/24          OSPF   10   2     1.1.1.2         GE0/1
127.0.0.0/8         Direct 0    0     127.0.0.1       InLoop0
127.0.0.1/32        Direct 0    0     127.0.0.1       InLoop0
192.168.1.0/24      Direct 0    0     192.168.1.1     GE0/0
192.168.1.1/32      Direct 0    0     127.0.0.1       InLoop0
192.168.2.0/24      Static 60   0     1.1.1.2         GE0/1

display ip routing-table
Routing Tables: Public
        Destinations : 6        Routes : 6

Destination/Mask    Proto  Pre  Cost  NextHop         Interface
1.1.1.0/24          Direct 0    0     1.1.1.2         Vlan1
1.1.1.2/32          Direct 0    0     127.0.0.1       InLoop0
2.2.2.0/24          Direct 0    0     2.2.2.2         Vlan2
2.2.2.2/32          Direct 0    0     127.0.0.1       InLoop0
127.0.0.0/8         Direct 0    0     127.0.0.1       InLoop0
127.0.0.1/32        Direct 0    0     127.0.0.1       InLoop0

Verify connectivity between PCA and PCB:

C:\Documents and Settings\User>ping 192.168.2.2

Pinging 192.168.2.2 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.2.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Because SWA has no private-network routes at this point, PCA cannot ping PCB.

Step 3: Configure the security ACL

Because the IPSec tunnel must protect private-network data, the security ACL should match the traffic between 192.168.1.0/24 and 192.168.2.0/24.

[RTA]acl number 3000
[RTA-acl-adv-3000] rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[RTB]acl number 3000
[RTB-acl-adv-3000] rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255


Step 4: Configure the IPSec proposal

[RTA]ipsec proposal prop1
[RTA-ipsec-proposal-prop1] esp authentication-algorithm sha1
[RTA-ipsec-proposal-prop1] esp encryption-algorithm aes 128
[RTB]ipsec proposal prop1
[RTB-ipsec-proposal-prop1] esp authentication-algorithm sha1
[RTB-ipsec-proposal-prop1] esp encryption-algorithm aes 128

Step 5: Configure the IKE peers

Use the default pre-shared-key method:

[RTA]ike peer rtb
[RTA-ike-peer-rtb] pre-shared-key aabbcc
[RTA-ike-peer-rtb] remote-address 2.2.2.1
[RTB]ike peer rta
[RTB-ike-peer-rta] pre-shared-key aabbcc
[RTB-ike-peer-rta] remote-address 1.1.1.1

Step 6: Configure the IPSec policy

[RTA]ipsec policy policy1 10 isakmp
[RTA-ipsec-policy-isakmp-policy1-10] security acl 3000
[RTA-ipsec-policy-isakmp-policy1-10] ike-peer rtb
[RTA-ipsec-policy-isakmp-policy1-10] proposal prop1
[RTB]ipsec policy policy1 10 isakmp
[RTB-ipsec-policy-isakmp-policy1-10] security acl 3000
[RTB-ipsec-policy-isakmp-policy1-10] ike-peer rta
[RTB-ipsec-policy-isakmp-policy1-10] proposal prop1

Step 7: Apply the IPSec policy

[RTA-ipsec-policy-isakmp-policy1-10]interface GigabitEthernet0/1
[RTA-GigabitEthernet0/1] ipsec policy policy1
[RTB-ipsec-policy-isakmp-policy1-10]interface GigabitEthernet0/1
[RTB-GigabitEthernet0/1] ipsec policy policy1

Step 8: Verify the configuration

On RTA and RTB, check the configured parameters with display commands:

[RTA]display ike proposal
 priority authentication authentication encryption Diffie-Hellman duration
          method         algorithm      algorithm  group          (seconds)
---------------------------------------------------------------------------
 default  PRE_SHARED     SHA            DES_CBC    MODP_768       86400
[RTA]display ipsec proposal
 IPsec proposal name: prop1
   encapsulation mode: tunnel
   transform: esp-new
   ESP protocol: authentication sha1-hmac-96, encryption 128-bits aes
[RTA]display ike peer
---------------------------
 IKE Peer: rtb
   exchange mode: main on phase 1
   pre-shared-key cipher vu+xq9XR8U0=
   peer id type: ip
   peer ip address: 2.2.2.1
   local ip address:
   peer name:
   nat traversal: disable
   dpd:
---------------------------
[RTA]display ipsec policy
===========================================
IPsec Policy Group: "policy1"
Using interface: {GigabitEthernet0/1}
===========================================
  -----------------------------
  IPsec policy name: "policy1"
  sequence number: 10
  mode: isakmp
  -----------------------------
    security data flow : 3000
    selector mode: standard
    ike-peer name: rtb
    perfect forward secrecy: None
    proposal name: prop1
    IPsec sa local duration(time based): 3600 seconds
    IPsec sa local duration(traffic based): 1843200 kilobytes

These command outputs show the IPSec/IKE parameters set by the current configuration.

Step 9: Verify tunnel operation

Testing connectivity from PCA to PCB shows that, apart from the first ICMP Echo Request, which is reported as timed out, all the other requests receive Echo Replies. This is because the first packet triggers the IKE negotiation; until the IPSec SA has been established, that packet cannot be given IPSec service and is dropped. The IPSec SA is established quickly, so the subsequent packets reach their destination.

View the IPSec/IKE information on RTA and RTB. On RTB:

display ike sa
    total phase-1 SAs:  1
    connection-id  peer            flag        phase   doi
  ----------------------------------------------------------
      9            1.1.1.1         RD          2       IPSEC
      8            1.1.1.1         RD          1       IPSEC
  flag meaning
  RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT

display ike sa verbose
  ---------------------------------------------
  connection id: 8
  transmitting entity: responder
  ---------------------------------------------
  local ip: 2.2.2.1
  local id type: IPV4_ADDR
  local id: 2.2.2.1
  remote ip: 1.1.1.1
  remote id type: IPV4_ADDR
  remote id: 1.1.1.1
  authentication-method: PRE-SHARED-KEY
  authentication-algorithm: HASH-SHA1
  encryption-algorithm: DES-CBC
  life duration(sec): 86400
  remaining key duration(sec): 86233
  exchange-mode: MAIN
  diffie-hellman group: GROUP1
  nat traversal: NO

display ipsec sa
===============================
Interface: GigabitEthernet0/1
  path MTU: 1500
===============================
  -----------------------------
  IPsec policy name: "policy1"
  sequence number: 10
  mode: isakmp
  -----------------------------
    connection id: 6
    encapsulation mode: tunnel
    perfect forward secrecy: None
    tunnel:
        local address: 2.2.2.1
        remote address: 1.1.1.1
    Flow :
        sour addr: 192.168.2.0/255.255.255.0  port: 0  protocol: IP
        dest addr: 192.168.1.0/255.255.255.0  port: 0  protocol: IP
    [inbound ESP SAs]
      spi: 2214754656 (0x84027960)
      proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
      sa remaining key duration (bytes/sec): 1887436620/3404
      max received sequence-number: 3
      anti-replay check enable: Y
      anti-replay window size: 32
      udp encapsulation used for nat traversal: N
    [outbound ESP SAs]
      spi: 2662000603 (0x9eaae7db)
      proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
      sa remaining key duration (bytes/sec): 1887436620/3404
      max sent sequence-number: 4
      udp encapsulation used for nat traversal: N

On RTA:

display ike sa
    total phase-1 SAs:  1
    connection-id  peer            flag        phase   doi
  ----------------------------------------------------------
     13            2.2.2.1         RD|ST       2       IPSEC
     12            2.2.2.1         RD|ST       1       IPSEC
  flag meaning
  RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT

display ike sa verbose
  ---------------------------------------------
  connection id: 12
  transmitting entity: initiator
  ---------------------------------------------
  local ip: 1.1.1.1
  local id type: IPV4_ADDR
  local id: 1.1.1.1
  remote ip: 2.2.2.1
  remote id type: IPV4_ADDR
  remote id: 2.2.2.1
  authentication-method: PRE-SHARED-KEY
  authentication-algorithm: HASH-SHA1
  encryption-algorithm: DES-CBC
  life duration(sec): 86400
  remaining key duration(sec): 86388
  exchange-mode: MAIN
  diffie-hellman group: GROUP1
  nat traversal: NO

display ipsec sa
===============================
Interface: GigabitEthernet0/1
  path MTU: 1500
===============================
  -----------------------------
  IPsec policy name: "policy1"
  sequence number: 10
  mode: isakmp
  -----------------------------
    connection id: 7
    encapsulation mode: tunnel
    perfect forward secrecy: None
    tunnel:
        local address: 1.1.1.1
        remote address: 2.2.2.1
    Flow :
        sour addr: 192.168.1.0/255.255.255.0  port: 0  protocol: IP
        dest addr: 192.168.2.0/255.255.255.0  port: 0  protocol: IP
    [inbound ESP SAs]
      spi: 2662000603 (0x9eaae7db)
      proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
      sa remaining key duration (bytes/sec): 1887436620/3294
      max received sequence-number: 3
      anti-replay check enable: Y
      anti-replay window size: 32
      udp encapsulation used for nat traversal: N
    [outbound ESP SAs]
      spi: 2214754656 (0x84027960)
      proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
      sa remaining key duration (bytes/sec): 1887436620/3294
      max sent sequence-number: 4
      udp encapsulation used for nat traversal: N

Both the ISAKMP SA and the IPSec SAs have been generated normally. Observe how the IP addresses, SPIs and other parameters in the IPSec SAs correspond: the SPI values of corresponding directions on RTA and RTB are identical (RTA's inbound SPI is RTB's outbound SPI, and vice versa), and the authentication and encryption algorithms in use are also the same.
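As an added cross-check (example code written for this guide, not H3C's own tooling), the script below parses constructed excerpts of the two `display ipsec sa` outputs above and verifies the SPI pairing, the mirrored endpoints and selectors, and the matching transforms that the text asks you to observe; it also flags weak algorithm names such as the DES-CBC and GROUP1 seen in the `display ike sa verbose` output.

```python
"""Cross-check the ESP SAs reported by `display ipsec sa` on both tunnel ends.

Added example, not part of the lab guide or of H3C's software: the two strings
below are constructed excerpts of the RTB and RTA output shown in this lab, so
the checks run offline against the values the text asks you to compare.
"""
import re

# Constructed excerpt of `display ipsec sa` on RTB (values copied from the lab).
RTB_SA = """\
    tunnel:
        local address: 2.2.2.1
        remote address: 1.1.1.1
    Flow :
        sour addr: 192.168.2.0/255.255.255.0  port: 0  protocol: IP
        dest addr: 192.168.1.0/255.255.255.0  port: 0  protocol: IP
    [inbound ESP SAs]
      spi: 2214754656 (0x84027960)
      proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
    [outbound ESP SAs]
      spi: 2662000603 (0x9eaae7db)
      proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
"""

# Constructed excerpt of `display ipsec sa` on RTA (values copied from the lab).
RTA_SA = """\
    tunnel:
        local address: 1.1.1.1
        remote address: 2.2.2.1
    Flow :
        sour addr: 192.168.1.0/255.255.255.0  port: 0  protocol: IP
        dest addr: 192.168.2.0/255.255.255.0  port: 0  protocol: IP
    [inbound ESP SAs]
      spi: 2662000603 (0x9eaae7db)
      proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
    [outbound ESP SAs]
      spi: 2214754656 (0x84027960)
      proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
"""

# Algorithm names a reviewer would flag in IKE/IPsec output (Comware spelling).
WEAK_TOKENS = {"DES", "3DES", "MD5", "GROUP1", "MODP_768"}


def parse_ipsec_sa(text):
    """Extract tunnel endpoints, flow selectors and per-direction SPI/proposal."""
    sa = {"inbound": {}, "outbound": {}}
    direction = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[inbound"):
            direction = "inbound"
            continue
        if line.startswith("[outbound"):
            direction = "outbound"
            continue
        if ": " not in line:
            continue
        key, value = line.split(": ", 1)
        if key == "spi" and direction:
            sa[direction]["spi"] = int(value.split()[0])  # decimal form
        elif key == "proposal" and direction:
            sa[direction]["proposal"] = value.strip()
        elif key in ("local address", "remote address"):
            sa[key.split()[0]] = value.strip()
        elif key in ("sour addr", "dest addr"):
            sa[key.split()[0]] = value.split()[0]  # network/mask only
    return sa


def check_tunnel(side_a, side_b):
    """Return the mismatches between the two ends (empty list = consistent):
    A's inbound SPI must be B's outbound SPI and vice versa, the endpoints and
    selectors must be mirrored, and each paired SA must use the same transform."""
    a, b = parse_ipsec_sa(side_a), parse_ipsec_sa(side_b)
    problems = []
    for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
        if a[mine]["spi"] != b[theirs]["spi"]:
            problems.append("A %s SPI %#x != B %s SPI %#x" % (
                mine, a[mine]["spi"], theirs, b[theirs]["spi"]))
        if a[mine]["proposal"] != b[theirs]["proposal"]:
            problems.append("A %s transform differs from B %s" % (mine, theirs))
    if a["local"] != b["remote"] or a["remote"] != b["local"]:
        problems.append("tunnel endpoints are not mirrored")
    if a["sour"] != b["dest"] or a["dest"] != b["sour"]:
        problems.append("flow selectors are not mirrored")
    return problems


def weak_algorithms(text):
    """Return the weak algorithm tokens present in a display line, in order seen."""
    found = []
    for token in re.findall(r"[A-Za-z0-9_]+", text):
        if token in WEAK_TOKENS and token not in found:
            found.append(token)
    return found


if __name__ == "__main__":
    print("mismatches:", check_tunnel(RTB_SA, RTA_SA) or "none")
    print("weak IKE algorithms:", weak_algorithms(
        "authentication-algorithm: HASH-SHA1 encryption-algorithm: DES-CBC "
        "diffie-hellman group: GROUP1"))
```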

Step 10: Observe the IPSec process

To understand the IKE and IPSec negotiation and encryption process, first clear the IPSec SAs and ISAKMP SAs to tear down the IPSec tunnel, so that the whole process can be observed afresh. On both RTA and RTB:

reset ike sa
reset ipsec sa

Enable debugging:

terminal monitor
% Current terminal monitor is on
terminal debugging
% Current terminal debugging is on
debugging ike exchange
debugging ipsec packet

Ping PCB from PCA to trigger IPSec tunnel establishment again:

C:\Documents and Settings\User>ping 192.168.2.2

Pinging 192.168.2.2 with 32 bytes of data:

Request timed out.
Reply from 192.168.2.2: bytes=32 time=1ms TTL=254
Reply from 192.168.2.2: bytes=32 time=1ms TTL=254
Reply from 192.168.2.2: bytes=32 time=1ms TTL=254

Ping statistics for 192.168.2.2:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms

Observe the debugging output and analyze the process:

*Jun 30 19:05:54:456 2009 RTA IPSEC/7/DBG:IPSec drop packet! Notify IKE to negotiate SA for IPsec policy: policy1-10

*Jun 30 19:05:54:457 2009 RTA IKE/7/DEBUG:Connection name is 2.2.2.1,1.1.1.1,,policy1,10-9C77264,0


*Jun 30 19:05:54:457 2009 RTA IKE/7/DEBUG:exchange lookup by name: name 2.2.2.1,1.1.1.1 phase 1

*Jun 30 19:05:54:458 2009 RTA IKE/7/DEBUG:exchange lookup by name: name 2.2.2.1,1.1.1.1 phase 1

*Jun 30 19:05:54:458 2009 RTA IKE/7/DEBUG:exchange create(i): 9deb004 at 37349s

*Jun 30 19:05:54:458 2009 RTA IKE/7/DEBUG:exchange validate: checking for required SA

*Jun 30 19:05:54:459 2009 RTA IKE/7/DEBUG:exchange run(i): finished step 0, advancing...

*Jun 30 19:05:54:532 2009 RTA IKE/7/DEBUG:exchange lookup from cookie: icookie 1b425f2e661042b0

*Jun 30 19:05:54:532 2009 RTA IKE/7/DEBUG: checking 2.2.2.1,1.1.1.1 && 1...

*Jun 30 19:05:54:533 2009 RTA IKE/7/DEBUG: found exchange 2.2.2.1,1.1.1.1 && 1...

*Jun 30 19:05:54:533 2009 RTA IKE/7/DEBUG:exchange validate: checking for required SA

*Jun 30 19:05:54:533 2009 RTA IKE/7/DEBUG:exchange run(i): finished step 1, advancing...

*Jun 30 19:05:54:534 2009 RTA IKE/7/DEBUG:exchange validate: checking for required KEY_EXCH

*Jun 30 19:05:54:534 2009 RTA IKE/7/DEBUG:exchange validate: checking for required NONCE

*Jun 30 19:05:54:534 2009 RTA IKE/7/DEBUG:exchange run(i): finished step 2, advancing...

*Jun 30 19:05:54:706 2009 RTA IKE/7/DEBUG:exchange validate: checking for required KEY_EXCH

*Jun 30 19:05:54:706 2009 RTA IKE/7/DEBUG:exchange validate: checking for required NONCE

*Jun 30 19:05:54:707 2009 RTA IKE/7/DEBUG:exchange run(i): finished step 3, advancing...

*Jun 30 19:05:54:707 2009 RTA IKE/7/DEBUG:exchange validate: checking for required ID

*Jun 30 19:05:54:707 2009 RTA IKE/7/DEBUG:exchange validate: checking for required AUTH

*Jun 30 19:05:54:707 2009 RTA IKE/7/DEBUG:exchange run(i): finished step 4, advancing...

*Jun 30 19:05:54:710 2009 RTA IKE/7/DEBUG:exchange validate: checking for required ID

*Jun 30 19:05:54:711 2009 RTA IKE/7/DEBUG:exchange validate: checking for required AUTH

*Jun 30 19:05:54:711 2009 RTA IKE/7/DEBUG:exchange lookup by name: name 2.2.2.1,1.1.1.1 phase 1

*Jun 30 19:05:54:712 2009 RTA IKE/7/DEBUG: checking 2.2.2.1,1.1.1.1 && 1...

*Jun 30 19:05:54:712 2009 RTA IKE/7/DEBUG:exchange lookup by name: name 2.2.2.1,1.1.1.1,,policy1,10-9C77264,0 phase 2

*Jun 30 19:05:54:712 2009 RTA IKE/7/DEBUG: checking 2.2.2.1,1.1.1.1 && 1...

*Jun 30 19:05:54:713 2009 RTA IKE/7/DEBUG:exchange create(i): 9e76504 at 37339s

*Jun 30 19:05:54:715 2009 RTA IKE/7/DEBUG:exchange validate: checking for required HASH

*Jun 30 19:05:54:715 2009 RTA IKE/7/DEBUG:exchange validate: checking for required SA

*Jun 30 19:05:54:715 2009 RTA IKE/7/DEBUG:exchange validate: checking for required NONCE

*Jun 30 19:05:54:716 2009 RTA IKE/7/DEBUG:exchange run(i): finished step 0, advancing...

*Jun 30 19:05:54:716 2009 RTA IKE/7/DEBUG:exchange release: freeing exchange 9deb004

*Jun 30 19:05:54:719 2009 RTA IKE/7/DEBUG:exchange validate: checking for required HASH

*Jun 30 19:05:54:719 2009 RTA IKE/7/DEBUG:exchange validate: checking for required SA

*Jun 30 19:05:54:720 2009 RTA IKE/7/DEBUG:exchange validate: checking for required NONCE

*Jun 30 19:05:54:721 2009 RTA IKE/7/DEBUG:exchange run(i): finished step 1, advancing...

*Jun 30 19:05:54:723 2009 RTA IKE/7/DEBUG:exchange validate: checking for required HASH

*Jun 30 19:05:54:724 2009 RTA IKE/7/DEBUG:exchange run(i): finished step 2, advancing...

*Jun 30 19:05:54:725 2009 RTA IKE/7/DEBUG:finalize exchange: c0a80100/ffffff00 -> c0a80200/ffffff00

*Jun 30 19:05:54:726 2009 RTA IKE/7/DEBUG:exchange release: freeing exchange 9e76504

*Jun 30 19:05:59:481 2009 RTA IPSEC/7/DBG:--- Send IPSec packet ---

*Jun 30 19:05:59:481 2009 RTA IPSEC/7/DBG:Tunnel mode. Adding outer IP header succeed!

*Jun 30 19:05:59:482 2009 RTA IPSEC/7/DBG:Src:1.1.1.1 Dst:2.2.2.1 SPI:2373309221(0x8d75d325)

*Jun 30 19:05:59:482 2009 RTA IPSEC/7/DBG:New ESP(RFC2406) Enc Alg:Rijndael/AES Auth Alg:HMAC-SHA1-96

*Jun 30 19:05:59:482 2009 RTA IPSEC/7/DBG:Encryption finished! New ESP(RFC2406) SN:1

*Jun 30 19:05:59:483 2009 RTA IPSEC/7/DBG:Now send it to IP output process...

*Jun 30 19:05:59:484 2009 RTA IPSEC/7/DBG:--- Receive IPSec(ESP) packet ---

*Jun 30 19:05:59:484 2009 RTA IPSEC/7/DBG:Src:2.2.2.1 Dst:1.1.1.1 SPI:2774282573(0xa55c314d)

*Jun 30 19:05:59:484 2009 RTA IPSEC/7/DBG:New ESP(RFC2406) Enc Alg:Rijndael/AES Auth Alg:HMAC-SHA1-96

*Jun 30 19:05:59:485 2009 RTA IPSEC/7/DBG:Replay Checking Enabled! SN:1

*Jun 30 19:05:59:485 2009 RTA IPSEC/7/DBG:ESP new input: Authentication succeed!

*Jun 30 19:05:59:486 2009 RTA IPSEC/7/DBG:IPSEC Task: Decryption succeed!

*Jun 30 19:05:59:486 2009 RTA IPSEC/7/DBG:Tunnel mode. Org Src:192.168.2.2 Org Dst:192.168.1.2

*Jun 30 19:05:59:486 2009 RTA IPSEC/7/DBG:Now send it to IP input process...

*Jun 30 19:06:00:482 2009 RTA IPSEC/7/DBG:--- Send IPSec packet ---

*Jun 30 19:06:00:482 2009 RTA IPSEC/7/DBG:Tunnel mode. Adding outer IP header succeed!

*Jun 30 19:06:00:483 2009 RTA IPSEC/7/DBG:Src:1.1.1.1 Dst:2.2.2.1 SPI:2373309221(0x8d75d325)

*Jun 30 19:06:00:483 2009 RTA IPSEC/7/DBG:New ESP(RFC2406) Enc Alg:Rijndael/AES Auth Alg:HMAC-SHA1-96

*Jun 30 19:06:00:483 2009 RTA IPSEC/7/DBG:Encryption finished! New ESP(RFC2406) SN:2

*Jun 30 19:06:00:484 2009 RTA IPSEC/7/DBG:Now send it to IP output process...

*Jun 30 19:06:00:484 2009 RTA IPSEC/7/DBG:--- Receive IPSec(ESP) packet ---

*Jun 30 19:06:00:485 2009 RTA IPSEC/7/DBG:Src:2.2.2.1 Dst:1.1.1.1 SPI:2774282573(0xa55c314d)

*Jun 30 19:06:00:485 2009 RTA IPSEC/7/DBG:New ESP(RFC2406) Enc Alg:Rijndael/AES Auth Alg:HMAC-SHA1-96

*Jun 30 19:06:00:486 2009 RTA IPSEC/7/DBG:Replay Checking Enabled! SN:2

*Jun 30 19:06:00:486 2009 RTA IPSEC/7/DBG:ESP new input: Authentication succeed!

*Jun 30 19:06:00:487 2009 RTA IPSEC/7/DBG:IPSEC Task: Decryption succeed!

*Jun 30 19:06:00:487 2009 RTA IPSEC/7/DBG:Tunnel mode. Org Src:192.168.2.2 Org Dst:192.168.1.2

*Jun 30 19:06:00:487 2009 RTA IPSEC/7/DBG:Now send it to IP input process...

*Jun 30 19:06:01:484 2009 RTA IPSEC/7/DBG:--- Send IPSec packet ---

*Jun 30 19:06:01:484 2009 RTA IPSEC/7/DBG:Tunnel mode. Adding outer IP header succeed!

*Jun 30 19:06:01:485 2009 RTA IPSEC/7/DBG:Src:1.1.1.1 Dst:2.2.2.1 SPI:2373309221(0x8d75d325)

*Jun 30 19:06:01:485 2009 RTA IPSEC/7/DBG:New ESP(RFC2406) Enc Alg:Rijndael/AES Auth Alg:HMAC-SHA1-96

*Jun 30 19:06:01:485 2009 RTA IPSEC/7/DBG:Encryption finished! New ESP(RFC2406) SN:3

*Jun 30 19:06:01:486 2009 RTA IPSEC/7/DBG:Now send it to IP output process...

*Jun 30 19:06:01:486 2009 RTA IPSEC/7/DBG:--- Receive IPSec(ESP) packet ---

*Jun 30 19:06:01:487 2009 RTA IPSEC/7/DBG:Src:2.2.2.1 Dst:1.1.1.1 SPI:2774282573(0xa55c314d)

*Jun 30 19:06:01:487 2009 RTA IPSEC/7/DBG:New ESP(RFC2406) Enc Alg:Rijndael/AES Auth Alg:HMAC-SHA1-96

*Jun 30 19:06:01:487 2009 RTA IPSEC/7/DBG:Replay Checking Enabled! SN:3

*Jun 30 19:06:01:488 2009 RTA IPSEC/7/DBG:ESP new input: Authentication succeed!

*Jun 30 19:06:01:488 2009 RTA IPSEC/7/DBG:IPSEC Task: Decryption succeed!

*Jun 30 19:06:01:489 2009 RTA IPSEC/7/DBG:Tunnel mode. Org Src:192.168.2.2 Org Dst:192.168.1.2

*Jun 30 19:06:01:489 2009 RTA IPSEC/7/DBG:Now send it to IP input process...

This shows the IKE exchange process and how IPSec encrypts and decrypts the data packets.

Lab task 2: Configuring IPSec with IKE aggressive mode

This lab task requires building a tunnel between RTA and RTB. SWA acts as the NAS and assigns an address to RTA.

Step 1: Configure IP addresses

Configure the interface addresses according to Table 3-1. The default gateways of PCA and PCB are RTA and RTB respectively.

Table 3-1 Interface IP addresses of each device

Device   Interface   Address
RTA      GE0/1       obtained automatically
RTA      GE0/0       192.168.1.1/24
RTB      GE0/1       2.2.2.1/24
RTB      GE0/0       192.168.2.1/24
SWA      VLAN1       1.1.1.2/24
SWA      VLAN2       2.2.2.2/24
PCA      Ethernet    192.168.1.2/24
PCB      Ethernet    192.168.2.2/24

Step 2: Clear all IPSec and IKE configuration

On RTA and RTB, clear all IPSec and IKE configuration with commands such as:

[RTA]interface GigabitEthernet 0/1
[RTA-GigabitEthernet0/1]undo ipsec policy
[RTA]undo ipsec policy policy1
[RTA]undo ipsec proposal prop1
[RTA]undo ike peer rtb
[RTA]undo ike proposal 10
[RTA]undo acl number 3000

Step 3: Configure the public-network connection

Configure a DHCP server on SWA, and set RTA to obtain its IP address and default route dynamically from SWA.

[SWA]dhcp server ip-pool 1
[SWA-dhcp-pool-1] network 1.1.1.0 mask 255.255.255.0
[SWA-dhcp-pool-1] gateway-list 1.1.1.2
[SWA-dhcp-pool-1]dhcp enable
[RTA]undo ospf 1
Warning : Undo OSPF process? [Y/N]:y
[RTA]undo ip route-static 192.168.2.0 255.255.255.0
[RTA]interface GigabitEthernet0/1
[RTA-GigabitEthernet0/1] ip address dhcp-alloc

View the routes on RTA: it has obtained an address and a default route from SWA.

On PCA, verify connectivity between PCA and PCB. Because SWA has no private-network routes, they should not be reachable:

C:\Documents and Settings\User>PING 192.168.2.2

Pinging 192.168.2.2 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.2.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Step 4: Configure the security ACL

The security ACL should match the traffic between 192.168.1.0/24 and 192.168.2.0/24.

[RTA]acl number 3000
[RTA-acl-adv-3000] rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[RTB]acl number 3000
[RTB-acl-adv-3000] rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

Step 5: Configure the IPSec proposal

[RTA]ipsec proposal prop1
[RTA-ipsec-proposal-prop1] esp authentication-algorithm sha1
[RTA-ipsec-proposal-prop1] esp encryption-algorithm aes 128
[RTB]ipsec proposal prop1
[RTB-ipsec-proposal-prop1] esp authentication-algorithm sha1
[RTB-ipsec-proposal-prop1] esp encryption-algorithm aes 128

Step 6: Configure the IKE peers

[RTA]ike local-name rta
[RTA]ike peer rtb
[RTA-ike-peer-rtb] exchange-mode aggressive
[RTA-ike-peer-rtb] pre-shared-key aabbcc
[RTA-ike-peer-rtb] id-type name
[RTA-ike-peer-rtb] remote-name rtb
[RTA-ike-peer-rtb] remote-address 2.2.2.1
[RTB]ike local-name rtb
[RTB]ike peer rta
[RTB-ike-peer-rta] exchange-mode aggressive
[RTB-ike-peer-rta] pre-shared-key aabbcc
[RTB-ike-peer-rta] id-type name
[RTB-ike-peer-rta] remote-name rta

Step 7: Configure and apply the IPSec policy

[RTA]ipsec policy policy1 10 isakmp
[RTA-ipsec-policy-isakmp-policy1-10] security acl 3000
[RTA-ipsec-policy-isakmp-policy1-10] ike-peer rtb
[RTA-ipsec-policy-isakmp-policy1-10] proposal prop1
[RTA-ipsec-policy-isakmp-policy1-10]interface GigabitEthernet0/1
[RTA-GigabitEthernet0/1] ipsec policy policy1
[RTB]ipsec policy policy1 10 isakmp
[RTB-ipsec-policy-isakmp-policy1-10] security acl 3000
[RTB-ipsec-policy-isakmp-policy1-10] ike-peer rta
[RTB-ipsec-policy-isakmp-policy1-10] proposal prop1
[RTB-ipsec-policy-isakmp-policy1-10]interface GigabitEthernet0/1
[RTB-GigabitEthernet0/1] ipsec policy policy1

Step 8: Verify the configuration

[RTA]display ike proposal


display ike peer
---------------------------
 IKE Peer: rtb
   exchange mode: aggressive on phase 1
   pre-shared-key cipher vu+xq9XR8U0=
   peer id type: name
   peer ip address: 2.2.2.1
   local ip address:
   peer name: rtb
   nat traversal: disable
   dpd:
---------------------------
display ike peer
---------------------------
 IKE Peer: rta
   exchange mode: aggressive on phase 1
   pre-shared-key cipher vu+xq9XR8U0=
   peer id type: name
   peer ip address: 0.0.0.0 ~ 255.255.255.255
   local ip address:
   peer name: rta
   nat traversal: disable
   dpd:
---------------------------

Aggressive mode is now enabled.

Step 9: Verify tunnel operation

Testing connectivity from PCA to PCB shows that, apart from the first ICMP Echo Request, which is reported as timed out, all the other requests receive Echo Replies. This is because the first packet triggers the IKE negotiation; until the IPSec SA has been established, that packet cannot be given IPSec service and is dropped. The IPSec SA is established quickly, so the subsequent packets reach their destination.

View the IPSec/IKE information on RTA and RTB:

[RTB]display ike sa
    total phase-1 SAs:  1
    connection-id  peer            flag        phase   doi
  ----------------------------------------------------------
     15            1.1.1.1         RD          2       IPSEC
     14            1.1.1.1         RD          1       IPSEC
  flag meaning
  RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
[RTB]display ipsec sa
===============================
Interface: GigabitEthernet0/1
  path MTU: 1500
===============================
  -----------------------------
  IPsec policy name: "policy1"
  sequence number: 10
  mode: isakmp
  -----------------------------
    connection id: 7
    encapsulation mode: tunnel
    perfect forward secrecy: None
    tunnel:
        local address: 2.2.2.1
        remote address: 1.1.1.1
    Flow :
        sour addr: 192.168.2.0/255.255.255.0  port: 0  protocol: IP
        dest addr: 192.168.1.0/255.255.255.0  port: 0  protocol: IP
    [inbound ESP SAs]
      spi: 1778280456 (0x69fe6808)
      proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
      sa remaining key duration (bytes/sec): 1887436620/3398
      max received sequence-number: 3
      anti-replay check enable: Y
      anti-replay window size: 32
      udp encapsulation used for nat traversal: N
    [outbound ESP SAs]
      spi: 1538659040 (0x5bb612e0)
      proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
      sa remaining key duration (bytes/sec): 1887436620/3398
      max sent sequence-number: 4
      udp encapsulation used for nat traversal: N
[RTB]

On RTA:

display ike sa verbose
  ---------------------------------------------
  connection id: 21
  transmitting entity: initiator
  ---------------------------------------------
  local ip: 1.1.1.1
  local id type: FQDN
  local id: rta
  remote ip: 2.2.2.1
  remote id type: FQDN
  remote id: rtb
  authentication-method: PRE-SHARED-KEY
  authentication-algorithm: HASH-SHA1
  encryption-algorithm: DES-CBC
  life duration(sec): 86400
  remaining key duration(sec): 86134
  exchange-mode: AGGRESSIVE
  diffie-hellman group: GROUP1
  nat traversal: NO

The ISAKMP SA was negotiated with IKE aggressive mode.

Step 10: Observe the IPSec process

To understand the IKE and IPSec negotiation and encryption process, first clear the IPSec SAs and ISAKMP SAs to tear down the IPSec tunnel. On both RTA and RTB:

reset ike sa
reset ipsec sa

Enable debugging:

terminal monitor
% Current terminal monitor is on
terminal debugging
% Current terminal debugging is on
debugging ike exchange
debugging ipsec packet

Ping PCB from PCA to trigger IPSec tunnel establishment again:

C:\Documents and Settings\User>ping 192.168.2.2

Pinging 192.168.2.2 with 32 bytes of data:

Request timed out.
Reply from 192.168.2.2: bytes=32 time=1ms TTL=254
Reply from 192.168.2.2: bytes=32 time=1ms TTL=254
Reply from 192.168.2.2: bytes=32 time=1ms TTL=254

Ping statistics for 192.168.2.2:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms

Observe the debugging output and analyze the process:

*Jul 1 11:09:10:328 2009 RTA IPSEC/7/DBG:IPSec drop packet! Notify IKE to negotiate SA for IPsec policy: policy1-10

*Jul 1 11:09:10:400 2009 RTA IKE/7/DEBUG:Connection name is 2.2.2.1,1.1.1.1,,policy1,10-9C9F5E4,0

*Jul 1 11:09:10:401 2009 RTA IKE/7/DEBUG:exchange lookup by name: name 2.2.2.1,1.1.1.1 phase 1

*Jul 1 11:09:10:401 2009 RTA IKE/7/DEBUG:exchange lookup by name: name 2.2.2.1,1.1.1.1 phase 1

*Jul 1 11:09:10:401 2009 RTA IKE/7/DEBUG:exchange create(i): 9d77ec4 at 8819s

*Jul 1 11:09:10:401 2009 RTA IKE/7/DEBUG:exchange validate: checking for required SA

*Jul 1 11:09:10:401 2009 RTA IKE/7/DEBUG:exchange validate: checking for required KEY_EXCH

*Jul 1 11:09:10:401 2009 RTA IKE/7/DEBUG:exchange validate: checking for required NONCE

*Jul 1 11:09:10:401 2009 RTA IKE/7/DEBUG:exchange validate: checking for required ID

*Jul 1 11:09:10:494 2009 RTA IKE/7/DEBUG:exchange run(i): finished step 0, advancing...

*Jul 1 11:09:10:684 2009 RTA IKE/7/DEBUG:exchange lookup from cookie: icookie 959fd8ff29aca69b

*Jul 1 11:09:10:686 2009 RTA IKE/7/DEBUG: checking 2.2.2.1,1.1.1.1 && 1...

*Jul 1 11:09:10:787 2009 RTA IKE/7/DEBUG: found exchange 2.2.2.1,1.1.1.1 && 1...

*Jul 1 11:09:10:887 2009 RTA IKE/7/DEBUG:exchange validate: checking for required SA

*Jul 1 11:09:10:938 2009 RTA IKE/7/DEBUG:exchange validate: checking for required KEY_EXCH

*Jul 1 11:09:11:39 2009 RTA IKE/7/DEBUG:exchange validate: checking for required NONCE

*Jul 1 11:09:11:139 2009 RTA IKE/7/DEBUG:exchange validate: checking for required ID

*Jul 1 11:09:11:240 2009 RTA IKE/7/DEBUG:exchange validate: checking for required AUTH

*Jul 1 11:09:11:341 2009 RTA IKE/7/DEBUG:exchange run(i): finished step 1, advancing...

*Jul 1 11:09:11:442 2009 RTA IKE/7/DEBUG:exchange validate: checking for required AUTH

*Jul 1 11:09:11:492 2009 RTA IKE/7/DEBUG:exchange run(i): finished step 2, advancing...

*Jul 1 11:09:11:603 2009 RTA IKE/7/DEBUG:exchange lookup by name: name 2.2.2.1,1.1.1.1 phase 1

*Jul 1 11:09:11:704 2009 RTA IKE/7/DEBUG: checking 2.2.2.1,1.1.1.1 && 1...

*Jul 1 11:09:11:804 2009 RTA IKE/7/DEBUG:exchange lookup by name: name 2.2.2.1,1.1.1.1,,policy1,10-9C9F5E4,0 phase 2

*Jul 1 11:09:11:905 2009 RTA IKE/7/DEBUG: checking 2.2.2.1,1.1.1.1 && 1...

*Jul 1 11:09:11:955 2009 RTA IKE/7/DEBUG:exchange create(i): 9e202e4 at 8810s

*Jul 1 11:09:12:56 2009 RTA IKE/7/DEBUG:exchange validate: checking for required HASH

*Jul 1 11:09:12:157 2009 RTA IKE/7/DEBUG:exchange validate: checking for required SA

*Jul 1 11:09:12:258 2009 RTA IKE/7/DEBUG:exchange validate: checking for required NONCE

*Jul 1 11:09:12:358 2009 RTA IKE/7/DEBUG:exchange run(i): finished step 0, advancing...

*Jul 1 11:09:12:459 2009 RTA IKE/7/DEBUG:exchange validate: checking for required HASH

*Jul 1 11:09:12:520 2009 RTA IKE/7/DEBUG:exchange validate: checking for required SA

*Jul 1 11:09:12:671 2009 RTA IKE/7/DEBUG:exchange validate: checking for required NONCE

*Jul 1 11:09:12:721 2009 RTA IKE/7/DEBUG:exchange run(i): finished step 1, advancing...

*Jul 1 11:09:12:822 2009 RTA IKE/7/DEBUG:exchange validate: checking for required HASH

*Jul 1 11:09:12:923 2009 RTA IKE/7/DEBUG:exchange run(i): finished step 2, advancing...

*Jul 1 11:09:13:24 2009 RTA IKE/7/DEBUG:finalize exchange: c0a80100/ffffff00 -> c0a80200/ffffff00

*Jul 1 11:09:13:74 2009 RTA IKE/7/DEBUG:exchange release: freeing exchange 9e202e4

*Jul 1 11:09:15:800 2009 RTA IPSEC/7/DBG:--- Send IPSec packet ---

*Jul 1 11:09:15:800 2009 RTA IPSEC/7/DBG:Tunnel mode. Adding outer IP header succeed!

*Jul 1 11:09:15:800 2009 RTA IPSEC/7/DBG:Src:1.1.1.1 Dst:2.2.2.1 SPI:3369930988(0xc8dd10ec)

*Jul 1 11:09:15:800 2009 RTA IPSEC/7/DBG:New ESP(RFC2406) Enc Alg:Rijndael/AES Auth Alg:HMAC-SHA1-96

*Jul 1 11:09:15:801 2009 RTA IPSEC/7/DBG:Encryption finished! New ESP(RFC2406) SN:1

*Jul 1 11:09:15:801 2009 RTA IPSEC/7/DBG:Now send it to IP output process... *Jul 1 11:09:15:801 2009 RTA IPSEC/7/DBG:--- Receive IPSec(ESP) packet --- *Jul 1 11:09:15:801 2009 RTA IPSEC/7/DBG:Src:2.2.2.1 Dst:1.1.1.1 SPI:3935267720(0xea8f6b88)

*Jul 1 11:09:15:801 2009 RTA IPSEC/7/DBG:New ESP(RFC2406) Enc Alg:Rijndael/AES Auth Alg:HMAC-SHA1-96

*Jul 1 11:09:15:895 2009 RTA IPSEC/7/DBG:Replay Checking Enabled! SN:1

*Jul 1 11:09:15:996 2009 RTA IPSEC/7/DBG:ESP new input: Authentication succeed! *Jul 1 11:09:16:97 2009 RTA IPSEC/7/DBG:IPSEC Task: Decryption succeed!

*Jul 1 11:09:16:198 2009 RTA IPSEC/7/DBG:Tunnel mode. Org Src:192.168.2.2 Org Dst:192.168.1.2

*Jul 1 11:09:16:298 2009 RTA IPSEC/7/DBG:Now send it to IP input process... *Jul 1 11:09:16:800 2009 RTA IPSEC/7/DBG:--- Send IPSec packet ---

*Jul 1 11:09:16:800 2009 RTA IPSEC/7/DBG:Tunnel mode. Adding outer IP header succeed!

*Jul 1 11:09:16:800 2009 RTA IPSEC/7/DBG:Src:1.1.1.1 Dst:2.2.2.1 SPI:3369930988(0xc8dd10ec)

*Jul 1 11:09:16:800 2009 RTA IPSEC/7/DBG:New ESP(RFC2406) Enc Alg:Rijndael/AES Auth Alg:HMAC-SHA1-96

*Jul 1 11:09:16:801 2009 RTA IPSEC/7/DBG:Encryption finished! New ESP(RFC2406) SN:2

*Jul 1 11:09:16:801 2009 RTA IPSEC/7/DBG:Now send it to IP output process... *Jul 1 11:09:16:893 2009 RTA IPSEC/7/DBG:--- Receive IPSec(ESP) packet --- *Jul 1 11:09:16:994 2009 RTA IPSEC/7/DBG:Src:2.2.2.1 Dst:1.1.1.1 SPI:3935267720(0xea8f6b88)

*Jul 1 11:09:17:94 2009 RTA IPSEC/7/DBG:New ESP(RFC2406) Enc Alg:Rijndael/AES Auth Alg:HMAC-SHA1-96

*Jul 1 11:09:17:145 2009 RTA IPSEC/7/DBG:Replay Checking Enabled! SN:2

*Jul 1 11:09:17:256 2009 RTA IPSEC/7/DBG:ESP new input: Authentication succeed! *Jul 1 11:09:17:356 2009 RTA IPSEC/7/DBG:IPSEC Task: Decryption succeed!

*Jul 1 11:09:17:457 2009 RTA IPSEC/7/DBG:Tunnel mode. Org Src:192.168.2.2 Org Dst:192.168.1.2

*Jul 1 11:09:17:508 2009 RTA IPSEC/7/DBG:Now send it to IP input process... *Jul 1 11:09:17:800 2009 RTA IPSEC/7/DBG:--- Send IPSec packet ---

*Jul 1 11:09:17:800 2009 RTA IPSEC/7/DBG:Tunnel mode. Adding outer IP header succeed!


*Jul 1 11:09:17:801 2009 RTA IPSEC/7/DBG:Src:1.1.1.1 Dst:2.2.2.1 SPI:3369930988(0xc8dd10ec)
*Jul 1 11:09:17:901 2009 RTA IPSEC/7/DBG:New ESP(RFC2406) Enc Alg:Rijndael/AES Auth Alg:HMAC-SHA1-96
*Jul 1 11:09:17:951 2009 RTA IPSEC/7/DBG:Encryption finished! New ESP(RFC2406) SN:3
*Jul 1 11:09:18:52 2009 RTA IPSEC/7/DBG:Now send it to IP output process...
*Jul 1 11:09:18:152 2009 RTA IPSEC/7/DBG:--- Receive IPSec(ESP) packet ---
*Jul 1 11:09:18:253 2009 RTA IPSEC/7/DBG:Src:2.2.2.1 Dst:1.1.1.1 SPI:3935267720(0xea8f6b88)
*Jul 1 11:09:18:304 2009 RTA IPSEC/7/DBG:New ESP(RFC2406) Enc Alg:Rijndael/AES Auth Alg:HMAC-SHA1-96
*Jul 1 11:09:18:404 2009 RTA IPSEC/7/DBG:Replay Checking Enabled! SN:3
*Jul 1 11:09:18:515 2009 RTA IPSEC/7/DBG:ESP new input: Authentication succeed!
*Jul 1 11:09:18:566 2009 RTA IPSEC/7/DBG:IPSEC Task: Decryption succeed!
*Jul 1 11:09:18:666 2009 RTA IPSEC/7/DBG:Tunnel mode. Org Src:192.168.2.2 Org Dst:192.168.1.2
*Jul 1 11:09:18:767 2009 RTA IPSEC/7/DBG:Now send it to IP input process...

This shows the IKE exchange and how IPSec encrypts each data packet. On the receive side, every packet passes the anti-replay check ("Replay Checking Enabled! SN:n") and the ICV check ("Authentication succeed!") before it is decrypted and handed to IP input.
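The receive-side lines above show the two checks an ESP packet must pass: replay checking on its sequence number and ICV verification. The following added example (written for this page; it is not part of the H3C lab guide or of Comware) parses `debugging ipsec packet` lines of the format shown above into one record per packet and then runs every authenticated inbound packet through an RFC 4303 style 32-entry sliding anti-replay window, the window size that `display ipsec sa` reports later in this lab. The sample log is constructed: the send record and the first three inbound packets (SN 1 to 3) copy the page's output, and a fourth inbound packet repeating SN 2 is added to show what the replay check rejects.

```python
import re

# Constructed sample in the format of the Comware "debugging ipsec packet" output shown
# above. The send record and the first three inbound packets (SN 1-3) copy the page's log;
# the fourth inbound packet is a constructed duplicate of SN 2 (a replayed packet).
SAMPLE_LOG = """\
*Jul 1 11:09:15:800 2009 RTA IPSEC/7/DBG:--- Send IPSec packet ---
*Jul 1 11:09:15:800 2009 RTA IPSEC/7/DBG:Src:1.1.1.1 Dst:2.2.2.1 SPI:3369930988(0xc8dd10ec)
*Jul 1 11:09:15:801 2009 RTA IPSEC/7/DBG:Encryption finished! New ESP(RFC2406) SN:1
*Jul 1 11:09:15:801 2009 RTA IPSEC/7/DBG:--- Receive IPSec(ESP) packet ---
*Jul 1 11:09:15:801 2009 RTA IPSEC/7/DBG:Src:2.2.2.1 Dst:1.1.1.1 SPI:3935267720(0xea8f6b88)
*Jul 1 11:09:15:895 2009 RTA IPSEC/7/DBG:Replay Checking Enabled! SN:1
*Jul 1 11:09:15:996 2009 RTA IPSEC/7/DBG:ESP new input: Authentication succeed!
*Jul 1 11:09:16:893 2009 RTA IPSEC/7/DBG:--- Receive IPSec(ESP) packet ---
*Jul 1 11:09:16:994 2009 RTA IPSEC/7/DBG:Src:2.2.2.1 Dst:1.1.1.1 SPI:3935267720(0xea8f6b88)
*Jul 1 11:09:17:145 2009 RTA IPSEC/7/DBG:Replay Checking Enabled! SN:2
*Jul 1 11:09:17:256 2009 RTA IPSEC/7/DBG:ESP new input: Authentication succeed!
*Jul 1 11:09:18:152 2009 RTA IPSEC/7/DBG:--- Receive IPSec(ESP) packet ---
*Jul 1 11:09:18:253 2009 RTA IPSEC/7/DBG:Src:2.2.2.1 Dst:1.1.1.1 SPI:3935267720(0xea8f6b88)
*Jul 1 11:09:18:404 2009 RTA IPSEC/7/DBG:Replay Checking Enabled! SN:3
*Jul 1 11:09:18:515 2009 RTA IPSEC/7/DBG:ESP new input: Authentication succeed!
*Jul 1 11:09:19:100 2009 RTA IPSEC/7/DBG:--- Receive IPSec(ESP) packet ---
*Jul 1 11:09:19:101 2009 RTA IPSEC/7/DBG:Src:2.2.2.1 Dst:1.1.1.1 SPI:3935267720(0xea8f6b88)
*Jul 1 11:09:19:102 2009 RTA IPSEC/7/DBG:Replay Checking Enabled! SN:2
*Jul 1 11:09:19:103 2009 RTA IPSEC/7/DBG:ESP new input: Authentication succeed!
"""

SEND_RE = re.compile(r"IPSEC/7/DBG:--- Send IPSec packet ---")
RECV_RE = re.compile(r"IPSEC/7/DBG:--- Receive IPSec\((ESP|AH)\) packet ---")
SPI_RE = re.compile(r"IPSEC/7/DBG:Src:(\S+) Dst:(\S+) SPI:(\d+)\(0x[0-9a-f]+\)")
SN_RE = re.compile(r"(?:New ESP\(RFC2406\) SN|Authentication finished! SN|Replay Checking Enabled! SN):(\d+)")
AUTH_OK_RE = re.compile(r"Authentication [Ss]ucceed!")


def parse_ipsec_debug(text):
    """Group the one-line debug records into one dict per packet.

    Keys: dir ("send"/"recv"), src, dst, spi (int), sn (int) and auth_ok
    (True once the ICV check passed; None for outbound packets).
    """
    packets, cur = [], None
    for line in text.splitlines():
        if SEND_RE.search(line):
            cur = {"dir": "send", "auth_ok": None}
            packets.append(cur)
        elif RECV_RE.search(line):
            cur = {"dir": "recv", "auth_ok": False}
            packets.append(cur)
        elif cur is None:
            continue
        elif "spi" not in cur and (m := SPI_RE.search(line)):
            # an AH+ESP send logs two SPI lines; keep the first one
            cur["src"], cur["dst"], cur["spi"] = m.group(1), m.group(2), int(m.group(3))
        elif (m := SN_RE.search(line)):
            cur["sn"] = int(m.group(1))
        elif cur["dir"] == "recv" and AUTH_OK_RE.search(line):
            cur["auth_ok"] = True
    return packets


class ReplayWindow:
    """RFC 4303 style sliding anti-replay window for one inbound SA."""

    def __init__(self, size=32):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number top-i already seen

    def check(self, sn):
        if sn == 0:
            return "reject"                       # SN 0 is never valid on the wire
        if sn > self.top:                         # right of the window: slide it
            shift = sn - self.top
            mask = (1 << self.size) - 1
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & mask
            self.top = sn
            return "accept"
        diff = self.top - sn
        if diff >= self.size:
            return "reject"                       # left of the window: too old
        if self.bitmap & (1 << diff):
            return "replay"                       # inside the window and already seen
        self.bitmap |= 1 << diff
        return "accept"


def audit_inbound(packets, window=32):
    """Feed every authenticated inbound packet through a per-SPI replay window.

    Returns (spi, sn, verdict) in arrival order. Packets whose ICV check did not
    succeed are reported as "auth-failed" and never advance the window.
    """
    windows, results = {}, []
    for p in packets:
        if p["dir"] != "recv" or "sn" not in p:
            continue
        w = windows.setdefault(p["spi"], ReplayWindow(window))
        verdict = w.check(p["sn"]) if p["auth_ok"] else "auth-failed"
        results.append((p["spi"], p["sn"], verdict))
    return results


if __name__ == "__main__":
    for spi, sn, verdict in audit_inbound(parse_ipsec_debug(SAMPLE_LOG)):
        print(f"SPI 0x{spi:08x} SN {sn:>5}: {verdict}")
```

Run stand-alone it prints one verdict per inbound packet; the first three are accepted and the repeated SN 2 is reported as a replay. The window only advances on packets whose ICV verified, which is the order the real implementation follows as well (a forged packet with a high sequence number must not be allowed to slide the window).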


Lab 4: Using IPSec to Protect Traditional VPN Traffic


Task 1: Configuring GRE over IPSec

Step 1: Set up the lab environment

Connect the devices. On SWA, create VLAN 2 and add interface E1/0/2 to it.

[SWA]vlan 2

[SWA-vlan2]port Ethernet 1/0/2

Step 2: Configure public-network routing and verify public-network connectivity

Check the routing table and port status on SWA to confirm that it is working normally:

- 49 -

实验4 配置IPSec保护传统VPN数据

[SWA]display ip interface brief
*down: administratively down
(s): spoofing
Interface                 Physical Protocol IP Address      Description
Vlan-interface1           up       up       1.1.1.2         Vlan-inte...
Vlan-interface2           up       up       2.2.2.2         Vlan-inte...

Configure OSPF on RTA and RTB (and on SWA between them) so that the public-network interfaces can reach each other:

[RTA]ospf 1
[RTA-ospf-1] area 0.0.0.0
[RTA-ospf-1-area-0.0.0.0] network 1.0.0.0 0.255.255.255

[SWA]ospf 1
[SWA-ospf-1] area 0.0.0.0
[SWA-ospf-1-area-0.0.0.0] network 1.0.0.0 0.255.255.255
[SWA-ospf-1-area-0.0.0.0] network 2.0.0.0 0.255.255.255

[RTB]ospf 1
[RTB-ospf-1] area 0.0.0.0
[RTB-ospf-1-area-0.0.0.0] network 2.0.0.0 0.255.255.255

On RTA, check the routing table and confirm that the OSPF route has been learned correctly:

display ip routing-table
Routing Tables: Public
        Destinations : 7        Routes : 7

Destination/Mask    Proto  Pre  Cost     NextHop         Interface
1.1.1.0/24          Direct 0    0        1.1.1.1         GE0/1
1.1.1.1/32          Direct 0    0        127.0.0.1       InLoop0
2.2.2.0/24          OSPF   10   2        1.1.1.2         GE0/1
127.0.0.0/8         Direct 0    0        127.0.0.1       InLoop0
127.0.0.1/32        Direct 0    0        127.0.0.1       InLoop0
192.168.1.0/24      Direct 0    0        192.168.1.1     GE0/0
192.168.1.1/32      Direct 0    0        127.0.0.1       InLoop0

Test connectivity between RTA and RTB. They should now be reachable:

ping 2.2.2.1
  PING 2.2.2.1: 56  data bytes, press CTRL_C to break
    Reply from 2.2.2.1: bytes=56 Sequence=1 ttl=254 time=1 ms
    Reply from 2.2.2.1: bytes=56 Sequence=2 ttl=254 time=1 ms
    Reply from 2.2.2.1: bytes=56 Sequence=3 ttl=254 time=1 ms
    Reply from 2.2.2.1: bytes=56 Sequence=4 ttl=254 time=1 ms
    Reply from 2.2.2.1: bytes=56 Sequence=5 ttl=254 time=1 ms

  --- 2.2.2.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/1 ms

Step 3: Configure the GRE tunnel interfaces

Create a tunnel interface on RTA and on RTB and configure the tunnel source and destination.

[RTA] interface Tunnel0
[RTA-Tunnel0] ip address 192.168.3.1 255.255.255.252
[RTA-Tunnel0] source 1.1.1.1
[RTA-Tunnel0] destination 2.2.2.1

[RTB] interface Tunnel0
[RTB-Tunnel0] ip address 192.168.3.2 255.255.255.252
[RTB-Tunnel0] source 2.2.2.1
[RTB-Tunnel0] destination 1.1.1.1

Step 4: Configure private-network routing

Configure RIP on RTA and RTB for the private networks:


[RTA]rip 1
[RTA-rip-1] version 2
[RTA-rip-1] network 192.168.1.0
[RTA-rip-1] network 192.168.3.0

[RTB]rip 1
[RTB-rip-1] version 2
[RTB-rip-1] network 192.168.2.0
[RTB-rip-1] network 192.168.3.0

Check the routing tables on RTA and RTB; the private-network routes should now have been learned correctly:

display ip routing-table
Routing Tables: Public
        Destinations : 10       Routes : 10

Destination/Mask    Proto  Pre  Cost     NextHop         Interface
1.1.1.0/24          Direct 0    0        1.1.1.1         GE0/1
1.1.1.1/32          Direct 0    0        127.0.0.1       InLoop0
2.2.2.0/24          OSPF   10   2        1.1.1.2         GE0/1
127.0.0.0/8         Direct 0    0        127.0.0.1       InLoop0
127.0.0.1/32        Direct 0    0        127.0.0.1       InLoop0
192.168.1.0/24      Direct 0    0        192.168.1.1     GE0/0
192.168.1.1/32      Direct 0    0        127.0.0.1       InLoop0
192.168.2.0/24      RIP    100  1        192.168.3.2     Tun0
192.168.3.0/30      Direct 0    0        192.168.3.1     Tun0
192.168.3.1/32      Direct 0    0        127.0.0.1       InLoop0

From PCA, test connectivity to PCB. It should now be reachable:

C:\Documents and Settings\User>ping 192.168.2.2

Pinging 192.168.2.2 with 32 bytes of data:

Reply from 192.168.2.2: bytes=32 time<1ms TTL=254
Reply from 192.168.2.2: bytes=32 time<1ms TTL=254
Reply from 192.168.2.2: bytes=32 time<1ms TTL=254
Reply from 192.168.2.2: bytes=32 time<1ms TTL=254

Ping statistics for 192.168.2.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Step 5: Configure IPSec to protect the GRE tunnel

Configure IPSec with IKE main mode and pre-shared-key authentication to protect the GRE-encapsulated traffic.

[RTA]acl number 3000
[RTA-acl-adv-3000] rule 0 permit ip source 1.1.1.1 0 destination 2.2.2.1 0
[RTA-acl-adv-3000]ike peer rtb
[RTA-ike-peer-rtb] pre-shared-key aabbcc
[RTA-ike-peer-rtb] remote-address 2.2.2.1
[RTA-ike-peer-rtb]ipsec proposal prop1
[RTA-ipsec-proposal-prop1] transform ah-esp
[RTA-ipsec-proposal-prop1] ah authentication-algorithm sha1
[RTA-ipsec-proposal-prop1] undo esp authentication-algorithm
[RTA-ipsec-proposal-prop1] esp encryption-algorithm aes 128
[RTA-ipsec-proposal-prop1]ipsec policy policy1 10 isakmp
[RTA-ipsec-policy-isakmp-policy1-10] security acl 3000
[RTA-ipsec-policy-isakmp-policy1-10] ike-peer rtb
[RTA-ipsec-policy-isakmp-policy1-10] proposal prop1
[RTA-ipsec-policy-isakmp-policy1-10]interface GigabitEthernet0/1
[RTA-GigabitEthernet0/1] ipsec policy policy1

[RTB]acl number 3000
[RTB-acl-adv-3000] rule 0 permit ip source 2.2.2.1 0 destination 1.1.1.1 0
[RTB-acl-adv-3000]ike peer rta
[RTB-ike-peer-rta] pre-shared-key aabbcc
[RTB-ike-peer-rta] remote-address 1.1.1.1
[RTB-ike-peer-rta]ipsec proposal prop1
[RTB-ipsec-proposal-prop1] transform ah-esp
[RTB-ipsec-proposal-prop1] ah authentication-algorithm sha1


[RTB-ipsec-proposal-prop1] undo esp authentication-algorithm
[RTB-ipsec-proposal-prop1] esp encryption-algorithm aes 128
[RTB-ipsec-proposal-prop1]ipsec policy policy1 10 isakmp
[RTB-ipsec-policy-isakmp-policy1-10] security acl 3000
[RTB-ipsec-policy-isakmp-policy1-10] ike-peer rta
[RTB-ipsec-policy-isakmp-policy1-10] proposal prop1
[RTB-ipsec-policy-isakmp-policy1-10]interface GigabitEthernet0/1
[RTB-GigabitEthernet0/1] ipsec policy policy1

Note that the security ACL matches the traffic between the tunnel source and destination IP addresses (the GRE-encapsulated packets), not the private-network addresses inside the tunnel.

Step 6: Verify tunnel operation

After a short wait, check the routing table on RTA; it should still contain the RIP route learned from RTB:

display ip routing-table
Routing Tables: Public
        Destinations : 10       Routes : 10

Destination/Mask    Proto  Pre  Cost     NextHop         Interface
1.1.1.0/24          Direct 0    0        1.1.1.1         GE0/1
1.1.1.1/32          Direct 0    0        127.0.0.1       InLoop0
2.2.2.0/24          OSPF   10   2        1.1.1.2         GE0/1
127.0.0.0/8         Direct 0    0        127.0.0.1       InLoop0
127.0.0.1/32        Direct 0    0        127.0.0.1       InLoop0
192.168.1.0/24      Direct 0    0        192.168.1.1     GE0/0
192.168.1.1/32      Direct 0    0        127.0.0.1       InLoop0
192.168.2.0/24      RIP    100  1        192.168.3.2     Tun0
192.168.3.0/30      Direct 0    0        192.168.3.1     Tun0
192.168.3.1/32      Direct 0    0        127.0.0.1       InLoop0

Use ping from PCA to test connectivity to PCB; all Echo Reply packets are received. This is because other protocol packets carried inside the GRE tunnel (such as RIP updates) have already triggered the establishment of the IPSec tunnel, so no packets are lost while the SAs are negotiated.

Check the IPSec/IKE information on RTA and RTB:

display ike sa
    total phase-1 SAs:  1
    connection-id  peer       flag        phase   doi
  ----------------------------------------------------------
      66           2.2.2.1    RD|ST       1       IPSEC
      69           2.2.2.1    RD          2       IPSEC

  flag meaning
  RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT

display ike sa verbose
  ---------------------------------------------
    connection id: 66
    transmitting entity: initiator
  ---------------------------------------------
    local ip: 1.1.1.1
    local id type: IPV4_ADDR
    local id: 1.1.1.1
    remote ip: 2.2.2.1
    remote id type: IPV4_ADDR
    remote id: 2.2.2.1
    authentication-method: PRE-SHARED-KEY
    authentication-algorithm: HASH-SHA1
    encryption-algorithm: DES-CBC
    life duration(sec): 86400
    remaining key duration(sec): 78383
    exchange-mode: MAIN
    diffie-hellman group: GROUP1
    nat traversal: NO

display ipsec sa
===============================


Interface: GigabitEthernet0/1
    path MTU: 1500
===============================

  -----------------------------
  IPsec policy name: "policy1"
  sequence number: 10
  mode: isakmp
  -----------------------------
    connection id: 14
    encapsulation mode: tunnel
    perfect forward secrecy: None
    tunnel:
        local  address: 1.1.1.1
        remote address: 2.2.2.1
    Flow :
        sour addr: 1.1.1.1/255.255.255.255  port: 0  protocol: IP
        dest addr: 2.2.2.1/255.255.255.255  port: 0  protocol: IP

    [inbound AH SAs]
      spi: 3113756668 (0xb99827fc)
      proposal: AH-SHA1HMAC96
      sa remaining key duration (bytes/sec): 1887436800/2791
      max received sequence-number: 770
      anti-replay check enable: Y
      anti-replay window size: 32
      udp encapsulation used for nat traversal: N

    [inbound ESP SAs]
      spi: 4154738994 (0xf7a44932)
      proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-NULL
      sa remaining key duration (bytes/sec): 1887404339/2791
      max received sequence-number: 770
      anti-replay check enable: Y
      anti-replay window size: 32
      udp encapsulation used for nat traversal: N

    [outbound ESP SAs]
      spi: 2511737097 (0x95b61109)
      proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-NULL
      sa remaining key duration (bytes/sec): 1887375543/2791
      max sent sequence-number: 1184
      udp encapsulation used for nat traversal: N

    [outbound AH SAs]
      spi: 2913836261 (0xadad9ce5)
      proposal: AH-SHA1HMAC96
      sa remaining key duration (bytes/sec): 1887436800/2791
      max sent sequence-number: 1184
      udp encapsulation used for nat traversal: N

Step 7: Observe the IPSec operation

Enable debugging on RTA:

terminal monitor
% Current terminal monitor is on
terminal debugging
% Current terminal debugging is on
debug ike exchange
debug ipsec packet

Ping RTB from RTA and watch the debugging output at the same time to verify which packets the router actually sends and receives:

C:\Documents and Settings\User>ping 192.168.2.2

Pinging 192.168.2.2 with 32 bytes of data:

Reply from 192.168.2.2: bytes=32 time=3ms TTL=254
Reply from 192.168.2.2: bytes=32 time=2ms TTL=254
Reply from 192.168.2.2: bytes=32 time=2ms TTL=254
Reply from 192.168.2.2: bytes=32 time=2ms TTL=254


Ping statistics for 192.168.2.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 3ms, Average = 2ms

The output on RTA is as follows:

*Jul 1 15:00:20:517 2009 RTA IPSEC/7/DBG:--- Send IPSec packet ---
*Jul 1 15:00:20:517 2009 RTA IPSEC/7/DBG:Tunnel mode. Adding outer IP header succeed!
*Jul 1 15:00:20:517 2009 RTA IPSEC/7/DBG:Src:1.1.1.1 Dst:2.2.2.1 SPI:2511737097(0x95b61109)
*Jul 1 15:00:20:517 2009 RTA IPSEC/7/DBG:New ESP(RFC2406) Enc Alg:Rijndael/AES Auth Alg:NULL
*Jul 1 15:00:20:517 2009 RTA IPSEC/7/DBG:Encryption finished! New ESP(RFC2406) SN:1645
*Jul 1 15:00:20:518 2009 RTA IPSEC/7/DBG:Src:1.1.1.1 Dst:2.2.2.1 SPI:2913836261(0xadad9ce5)
*Jul 1 15:00:20:518 2009 RTA IPSEC/7/DBG:New AH(RFC2402) Auth Alg:HMAC-SHA1-96
*Jul 1 15:00:20:518 2009 RTA IPSEC/7/DBG:Authentication finished! SN:1645
*Jul 1 15:00:20:518 2009 RTA IPSEC/7/DBG:Now send it to IP output process...
*Jul 1 15:00:20:609 2009 RTA IPSEC/7/DBG:--- Receive IPSec(AH) packet ---
*Jul 1 15:00:20:720 2009 RTA IPSEC/7/DBG:Src:2.2.2.1 Dst:1.1.1.1 SPI:3113756668(0xb99827fc)
*Jul 1 15:00:20:821 2009 RTA IPSEC/7/DBG:New AH(RFC2402) Auth Alg:HMAC-SHA1-96;
*Jul 1 15:00:20:922 2009 RTA IPSEC/7/DBG:Replay Checking Enabled! SN:1110
*Jul 1 15:00:20:972 2009 RTA IPSEC/7/DBG:IPsec AH Input Process: Authentication Succeed!
*Jul 1 15:00:21:73 2009 RTA IPSEC/7/DBG:IPSEC task: Transport mode.
*Jul 1 15:00:21:173 2009 RTA IPSEC/7/DBG:IPSEC Task: Decryption succeed!
*Jul 1 15:00:21:274 2009 RTA IPSEC/7/DBG:Tunnel mode. Org Src:2.2.2.1 Org Dst:1.1.1.1
*Jul 1 15:00:21:325 2009 RTA IPSEC/7/DBG:Now send it to IP input process...
*Jul 1 15:00:21:517 2009 RTA IPSEC/7/DBG:--- Send IPSec packet ---
*Jul 1 15:00:21:518 2009 RTA IPSEC/7/DBG:Tunnel mode. Adding outer IP header succeed!
*Jul 1 15:00:21:617 2009 RTA IPSEC/7/DBG:Src:1.1.1.1 Dst:2.2.2.1 SPI:2511737097(0x95b61109)
*Jul 1 15:00:21:667 2009 RTA IPSEC/7/DBG:New ESP(RFC2406) Enc Alg:Rijndael/AES Auth Alg:NULL
*Jul 1 15:00:21:768 2009 RTA IPSEC/7/DBG:Encryption finished! New ESP(RFC2406) SN:1646
*Jul 1 15:00:21:869 2009 RTA IPSEC/7/DBG:Src:1.1.1.1 Dst:2.2.2.1 SPI:2913836261(0xadad9ce5)
*Jul 1 15:00:21:919 2009 RTA IPSEC/7/DBG:New AH(RFC2402) Auth Alg:HMAC-SHA1-96
*Jul 1 15:00:22:20 2009 RTA IPSEC/7/DBG:Authentication finished! SN:1646
*Jul 1 15:00:22:121 2009 RTA IPSEC/7/DBG:Now send it to IP output process...
*Jul 1 15:00:22:171 2009 RTA IPSEC/7/DBG:--- Receive IPSec(AH) packet ---
*Jul 1 15:00:22:282 2009 RTA IPSEC/7/DBG:Src:2.2.2.1 Dst:1.1.1.1 SPI:3113756668(0xb99827fc)
*Jul 1 15:00:22:383 2009 RTA IPSEC/7/DBG:New AH(RFC2402) Auth Alg:HMAC-SHA1-96;
*Jul 1 15:00:22:483 2009 RTA IPSEC/7/DBG:Replay Checking Enabled! SN:1111
*Jul 1 15:00:22:534 2009 RTA IPSEC/7/DBG:IPsec AH Input Process: Authentication Succeed!
*Jul 1 15:00:22:635 2009 RTA IPSEC/7/DBG:IPSEC task: Transport mode.
*Jul 1 15:00:22:735 2009 RTA IPSEC/7/DBG:IPSEC Task: Decryption succeed!
*Jul 1 15:00:22:836 2009 RTA IPSEC/7/DBG:Tunnel mode. Org Src:2.2.2.1 Org Dst:1.1.1.1

*Jul 1 15:00:22:886 2009 RTA IPSEC/7/DBG:Now send it to IP input process...
*Jul 1 15:00:22:987 2009 RTA IPSEC/7/DBG:--- Send IPSec packet ---
*Jul 1 15:00:23:88 2009 RTA IPSEC/7/DBG:Tunnel mode. Adding outer IP header succeed!
*Jul 1 15:00:23:149 2009 RTA IPSEC/7/DBG:Src:1.1.1.1 Dst:2.2.2.1 SPI:2511737097(0x95b61109)
*Jul 1 15:00:23:249 2009 RTA IPSEC/7/DBG:New ESP(RFC2406) Enc Alg:Rijndael/AES Auth Alg:NULL
*Jul 1 15:00:23:350 2009 RTA IPSEC/7/DBG:Encryption finished! New ESP(RFC2406) SN:1647
*Jul 1 15:00:23:400 2009 RTA IPSEC/7/DBG:Src:1.1.1.1 Dst:2.2.2.1 SPI:2913836261(0xadad9ce5)

*Jul 1 15:00:23:501 2009 RTA IPSEC/7/DBG:New AH(RFC2402) Auth Alg:HMAC-SHA1-96
*Jul 1 15:00:23:552 2009 RTA IPSEC/7/DBG:Authentication finished! SN:1647
*Jul 1 15:00:23:652 2009 RTA IPSEC/7/DBG:Now send it to IP output process...
*Jul 1 15:00:23:753 2009 RTA IPSEC/7/DBG:--- Receive IPSec(AH) packet ---
*Jul 1 15:00:23:803 2009 RTA IPSEC/7/DBG:Src:2.2.2.1 Dst:1.1.1.1 SPI:3113756668(0xb99827fc)
*Jul 1 15:00:23:904 2009 RTA IPSEC/7/DBG:New AH(RFC2402) Auth Alg:HMAC-SHA1-96;
*Jul 1 15:00:24:15 2009 RTA IPSEC/7/DBG:Replay Checking Enabled! SN:1112
*Jul 1 15:00:24:116 2009 RTA IPSEC/7/DBG:IPsec AH Input Process: Authentication Succeed!
*Jul 1 15:00:24:217 2009 RTA IPSEC/7/DBG:IPSEC task: Transport mode.
*Jul 1 15:00:24:267 2009 RTA IPSEC/7/DBG:IPSEC Task: Decryption succeed!
*Jul 1 15:00:24:368 2009 RTA IPSEC/7/DBG:Tunnel mode. Org Src:2.2.2.1 Org Dst:1.1.1.1
*Jul 1 15:00:24:468 2009 RTA IPSEC/7/DBG:Now send it to IP input process...
*Jul 1 15:00:24:519 2009 RTA IPSEC/7/DBG:--- Send IPSec packet ---
*Jul 1 15:00:24:620 2009 RTA IPSEC/7/DBG:Tunnel mode. Adding outer IP header succeed!
*Jul 1 15:00:24:720 2009 RTA IPSEC/7/DBG:Src:1.1.1.1 Dst:2.2.2.1 SPI:2511737097(0x95b61109)
*Jul 1 15:00:24:771 2009 RTA IPSEC/7/DBG:New ESP(RFC2406) Enc Alg:Rijndael/AES Auth Alg:NULL
*Jul 1 15:00:24:882 2009 RTA IPSEC/7/DBG:Encryption finished! New ESP(RFC2406) SN:1648
*Jul 1 15:00:24:982 2009 RTA IPSEC/7/DBG:Src:1.1.1.1 Dst:2.2.2.1 SPI:2913836261(0xadad9ce5)
*Jul 1 15:00:25:33 2009 RTA IPSEC/7/DBG:New AH(RFC2402) Auth Alg:HMAC-SHA1-96
*Jul 1 15:00:25:134 2009 RTA IPSEC/7/DBG:Authentication finished! SN:1648
*Jul 1 15:00:25:234 2009 RTA IPSEC/7/DBG:Now send it to IP output process...
*Jul 1 15:00:25:285 2009 RTA IPSEC/7/DBG:--- Receive IPSec(AH) packet ---
*Jul 1 15:00:25:385 2009 RTA IPSEC/7/DBG:Src:2.2.2.1 Dst:1.1.1.1 SPI:3113756668(0xb99827fc)
*Jul 1 15:00:25:486 2009 RTA IPSEC/7/DBG:New AH(RFC2402) Auth Alg:HMAC-SHA1-96;
*Jul 1 15:00:25:587 2009 RTA IPSEC/7/DBG:Replay Checking Enabled! SN:1113
*Jul 1 15:00:25:688 2009 RTA IPSEC/7/DBG:IPsec AH Input Process: Authentication Succeed!
*Jul 1 15:00:25:799 2009 RTA IPSEC/7/DBG:IPSEC task: Transport mode.
*Jul 1 15:00:25:849 2009 RTA IPSEC/7/DBG:IPSEC Task: Decryption succeed!
*Jul 1 15:00:25:950 2009 RTA IPSEC/7/DBG:Tunnel mode. Org Src:2.2.2.1 Org Dst:1.1.1.1
*Jul 1 15:00:26:00 2009 RTA IPSEC/7/DBG:Now send it to IP input process...

The router sent 4 packets through the tunnel and received 4. Their source address is 1.1.1.1 and their destination address 2.2.2.1, because every packet is first encapsulated in the GRE tunnel and the resulting GRE packet is then encapsulated in the IPSec tunnel before being sent. The output also shows the order of the two transforms on each outbound packet: ESP encryption (AES, no ESP authentication) finishes first, then AH computes the HMAC-SHA1-96 over the whole packet.
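Because each packet is wrapped twice (GRE, then tunnel-mode AH+ESP), the protected packet on the public link is considerably larger than the inner packet, and with a path MTU of 1500 (the value `display ipsec sa` reports above) a full-size inner packet would be fragmented. The following added example (written for this page; not code from the H3C lab guide or from Comware) computes the on-the-wire size from the header lengths of IPv4, GRE, ESP and AH, for the two proposals seen on this page: Lab 4's `transform ah-esp` with AH SHA1 and ESP AES-128 (ESP authentication removed) over GRE, and Lab 3's ESP AES-128 with HMAC-SHA1-96 applied directly to the private traffic. The 60-byte inner packet is the Windows ping with 32 data bytes used in the lab (20 IP + 8 ICMP + 32 data); the GRE header length of 4 assumes no key, checksum or sequence option, which matches the `Tunnel0` configuration above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Proposal:
    name: str
    ah_icv: int     # AH ICV length: 12 for HMAC-SHA1-96, 0 when no AH is configured
    esp_iv: int     # ESP IV length: 16 for AES-CBC, 8 for DES-CBC
    esp_block: int  # cipher block size; payload + padding + trailer is a multiple of it
    esp_icv: int    # ESP ICV length: 12 for HMAC-SHA1-96, 0 for ESP-AUTH-NULL


IP_HDR = 20        # IPv4 header without options
GRE_HDR = 4        # GRE with no key/checksum/sequence, as configured on Tunnel0 above
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header
AH_FIXED = 12      # AH fields in front of the ICV (next header, length, reserved, SPI, SN)

# Lab 4, step 5: transform ah-esp, AH SHA1, ESP AES-128 with ESP authentication removed
AH_ESP_AES128 = Proposal("AH-SHA1 + ESP-AES128 (auth NULL)", ah_icv=12, esp_iv=16, esp_block=16, esp_icv=0)
# Lab 3 (debug output above): ESP only, AES-128 with HMAC-SHA1-96, no GRE in the path
ESP_AES128_SHA1 = Proposal("ESP-AES128-SHA1", ah_icv=0, esp_iv=16, esp_block=16, esp_icv=12)


def _round_up(n, block):
    return (n + block - 1) // block * block


def wire_size(inner_len, proposal, gre=True):
    """Bytes on the public link for one inner IP packet of inner_len bytes.

    With gre=True the packet first gets the GRE delivery header (1.1.1.1 -> 2.2.2.1) and that
    whole packet is what tunnel-mode ESP encrypts. AH, when present, is applied outside ESP,
    the order the debug output above shows (ESP encryption finishes before AH authentication).
    """
    plaintext = inner_len + (IP_HDR + GRE_HDR if gre else 0)
    esp_body = _round_up(plaintext + ESP_TRAILER, proposal.esp_block)   # payload + pad + trailer
    ah = AH_FIXED + proposal.ah_icv if proposal.ah_icv else 0
    return IP_HDR + ah + ESP_HDR + proposal.esp_iv + esp_body + proposal.esp_icv


def overhead(inner_len, proposal, gre=True):
    """Encapsulation bytes added to an inner packet of inner_len bytes."""
    return wire_size(inner_len, proposal, gre) - inner_len


def max_inner_packet(path_mtu, proposal, gre=True):
    """Largest inner IP packet whose protected form still fits path_mtu without fragmentation.

    wire_size() never decreases as inner_len grows, so the first fit scanning downwards is it.
    """
    for n in range(path_mtu, 0, -1):
        if wire_size(n, proposal, gre) <= path_mtu:
            return n
    return 0


if __name__ == "__main__":
    ping = 60  # Windows "ping" with 32 data bytes: 20 IP + 8 ICMP + 32 data
    for prop, gre in ((AH_ESP_AES128, True), (ESP_AES128_SHA1, False)):
        print(f"{prop.name}, GRE={gre}: {ping}-byte ping -> {wire_size(ping, prop, gre)} bytes "
              f"on the wire (+{overhead(ping, prop, gre)}); largest inner packet for a "
              f"1500-byte path MTU: {max_inner_packet(1500, prop, gre)}")
```

For the Lab 4 proposal the 60-byte ping becomes 164 bytes on the wire, and the largest inner packet that still fits a 1500-byte path MTU is 1398 bytes (it produces a 1492-byte packet; one byte more pushes the AES padding to the next 16-byte block and the result to 1508). Setting the tunnel interface MTU to that value, or clamping TCP MSS on it, avoids fragmenting the outer packets.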

Task 2: Configuring L2TP over IPSec

Step 1: Set up the lab environment

Connect the devices. On SWA, create VLAN 2 and add interface E1/0/2 to it.

[SWA]vlan 2

[SWA-vlan2]port Ethernet 1/0/2

Step 2: Configure public-network routing

[RTA]ospf 1

[RTA-ospf-1] area 0.0.0.0

[RTA-ospf-1-area-0.0.0.0] network 1.0.0.0 0.255.255.255


[RTA-ospf-1-area-0.0.0.0] network 3.0.0.0 0.255.255.255

[SWA]ospf 1
[SWA-ospf-1] area 0.0.0.0
[SWA-ospf-1-area-0.0.0.0] network 1.0.0.0 0.255.255.255
[SWA-ospf-1-area-0.0.0.0] network 2.0.0.0 0.255.255.255

[RTB]ospf 1
[RTB-ospf-1] area 0.0.0.0
[RTB-ospf-1-area-0.0.0.0] network 2.0.0.0 0.255.255.255

display ip routing-table
Routing Tables: Public
        Destinations : 11       Routes : 11

Destination/Mask    Proto  Pre  Cost     NextHop         Interface
1.1.1.0/24          OSPF   10   2        2.2.2.2         GE0/1
2.2.2.0/24          Direct 0    0        2.2.2.1         GE0/1
2.2.2.1/32          Direct 0    0        127.0.0.1       InLoop0
3.3.3.0/24          OSPF   10   3        2.2.2.2         GE0/1
127.0.0.0/8         Direct 0    0        127.0.0.1       InLoop0
127.0.0.1/32        Direct 0    0        127.0.0.1       InLoop0
192.168.1.0/24      Direct 0    0        192.168.1.1     VT1
192.168.1.1/32      Direct 0    0        127.0.0.1       InLoop0
192.168.1.9/32      Direct 0    0        192.168.1.9     VT1
192.168.2.0/24      Direct 0    0        192.168.2.1     GE0/0
192.168.2.1/32      Direct 0    0        127.0.0.1       InLoop0

Step 3: Install the iNode client

Install the iNode client on PCA. Start the installer and follow the setup wizard to complete the installation.

Note:

For the iNode client to support L2TP, you must confirm the installation of the virtual network adapter (Virtual NIC) during setup. If, when using the iNode client to set up an L2TP connection, the system prompts [Windows IPSEC Services (IPSEC Services or IPsec Policy Agent) is running, please stop it and try again.], the Windows IPSec service is running and must be stopped: in [Control Panel] -> [Administrative Tools] -> [Services], find the [IPSEC Services] service and disable it.

Step 4: Configure L2TP on the iNode client

Start the iNode client. In its main window, choose [File] | [New Connection] to start the New Connection wizard, as shown in Figure 2-8.

Figure 4-1 Entering the New Connection wizard

Click [Next] to enter the window shown in Figure 2-9 and select [L2TP IPSec VPN protocol].

Figure 4-2 Selecting the authentication protocol

Click [Next] to enter the window shown below and select [Normal connection].

Figure 4-3 Selecting the connection type

Click [Next] to enter the window shown in Figure 2-11. Enter a connection name in [Connection name], for example "My VPN connection", the user name in [Login user name] and the password in [Login password].

Figure 4-4 Setting the user name and password


Click [Next] to enter the window shown below and enter the LNS server address.

Figure 4-5 Basic VPN connection settings

Click [Advanced] to enter the window shown in Figure 2-13, go to the [L2TP settings] tab, enter the tunnel name LAC, select CHAP as the authentication mode, select [Use tunnel authentication password] and enter the tunnel authentication password aabbcc. Click [OK] to return to the previous window.

Figure 4-6 Advanced VPN connection properties

Click [Next] to enter the window shown in Figure 2-14 and click [Create] to create the new connection.

Figure 4-7 Completing the New Connection wizard

Step 5: Configure the LNS

Perform the following configuration on RTB:

[RTB]l2tp enable
[RTB]domain abc.com
[RTB-isp-abc.com]authentication ppp local
[RTB-isp-abc.com]ip pool 1 192.168.1.2 192.168.1.100
[RTB-isp-abc.com]local-user vpdnuser
[RTB-luser-vpdnuser]password simple Hello
[RTB-luser-vpdnuser]service-type ppp
[RTB-luser-vpdnuser]l2tp-group 1
[RTB-l2tp1]allow l2tp virtual-template 1 remote LAC domain abc.com
[RTB-l2tp1]tunnel password simple aabbcc
[RTB-l2tp1]tunnel name LNS
[RTB-l2tp1]interface Virtual-Template1
[RTB-Virtual-Template1]ppp authentication-mode chap domain abc.com
[RTB-Virtual-Template1]remote address pool 1

Step 6: Test L2TP connectivity

Initiate the L2TP connection from PCA. The L2TP connection should now work normally. Make sure L2TP is working before proceeding to the next step.

Step 7: Configure IPSec/IKE on the LNS

Configure the IPSec/IKE parameters on RTB:

[RTB]ike local-name rtb
[RTB]acl number 3000
[RTB-acl-adv-3000] rule deny ospf
[RTB-acl-adv-3000] rule permit ip
[RTB-acl-adv-3000]ike peer rta
[RTB-ike-peer-rta] exchange-mode aggressive
[RTB-ike-peer-rta] pre-shared-key cipher aabbcc
[RTB-ike-peer-rta] id-type name
[RTB-ike-peer-rta] remote-name rta
[RTB-ike-peer-rta]ipsec proposal prop1
[RTB-ipsec-proposal-prop1] esp authentication-algorithm sha1
[RTB-ipsec-proposal-prop1]ipsec policy policy1 10 isakmp
[RTB-ipsec-policy-isakmp-policy1-10] security acl 3000
[RTB-ipsec-policy-isakmp-policy1-10] ike-peer rta
[RTB-ipsec-policy-isakmp-policy1-10] proposal prop1
[RTB-ipsec-policy-isakmp-policy1-10]interface GigabitEthernet0/1
[RTB-GigabitEthernet0/1]ipsec policy policy1


Step 8: Configure IPSec/IKE on the iNode client

In the iNode client window, right-click the "My VPN connection" icon, choose [Properties] from the shortcut menu and enter the window shown in Figure 4-8. Select [Enable IPSec security protocol], set [Authentication method] to [Pre-shared key] and set [Authentication word] to aabbcc. Select [Use LNS server].

Figure 4-8 VPN connection property settings

Click [Advanced] to enter the window shown in Figure 4-9 and go to the [IPSec settings] tab. Set [Encapsulation mode] to [Tunnel], [Security protocol] to ESP, [ESP authentication algorithm] to [SHA] and [ESP encryption algorithm] to [DES].

Figure 4-9 IPSec settings

Go to the [IKE settings] tab, shown in Figure 4-10. Set [Negotiation mode] to [Aggressive], [ID type] to [name], [Authentication algorithm] to [SHA], [Encryption algorithm] to [DES-CBC] and [Diffie-Hellman group] to [Group1]. Set [Local security gateway name] to rta and [Remote security gateway name] to rtb.

Figure 4-10 IKE settings

Click [OK] to return to the window shown in Figure 4-8, then click [OK] again to finish the property settings.

Step 9: Verify tunnel operation

View the connections on PCA:

C:\Documents and Settings\User>ipconfig

Windows IP Configuration

Ethernet adapter {7E6CC322-8F6E-490A-AD0D-A86FBDF2D2B6}:

        Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter 本地连接 3:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.9
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 192.168.1.9

Ethernet adapter 本地连接:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 3.3.3.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 3.3.3.1

The connection has been established: in addition to the original Ethernet connection, an L2TP connection (the adapter with address 192.168.1.9, assigned from the LNS address pool) now appears. From PCA, test connectivity to PCB; it should now be reachable:

C:\Documents and Settings\User>ping 192.168.2.2

Pinging 192.168.2.2 with 32 bytes of data:

Reply from 192.168.2.2: bytes=32 time=1ms TTL=255
Reply from 192.168.2.2: bytes=32 time=1ms TTL=255
Reply from 192.168.2.2: bytes=32 time=1ms TTL=255
Reply from 192.168.2.2: bytes=32 time=1ms TTL=255

Ping statistics for 192.168.2.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms

View the IPSec and IKE information on RTB:

[RTB]display ike sa

total phase-1 SAs: 1


    connection-id  peer       flag        phase   doi
  ----------------------------------------------------------
      100          3.3.3.2    RD          2       IPSEC
      98           3.3.3.2    RD          1       IPSEC

  flag meaning
  RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
[RTB]
[RTB]display ike sa verbose
  ---------------------------------------------
    connection id: 98
    transmitting entity: responder
  ---------------------------------------------
    local ip: 2.2.2.1
    local id type: FQDN
    local id: rtb
    remote ip: 3.3.3.2
    remote id type: FQDN
    remote id: rta
    authentication-method: PRE-SHARED-KEY
    authentication-algorithm: HASH-SHA1
    encryption-algorithm: DES-CBC
    life duration(sec): 86400
    remaining key duration(sec): 80682
    exchange-mode: AGGRESSIVE
    diffie-hellman group: GROUP1
    nat traversal: NO

[RTB]display ipsec sa
===============================
Interface: GigabitEthernet0/1
    path MTU: 1500
===============================

  -----------------------------
  IPsec policy name: "policy1"
  sequence number: 10
  mode: isakmp
  -----------------------------
    connection id: 19
    encapsulation mode: tunnel
    perfect forward secrecy: None
    tunnel:
        local  address: 2.2.2.1
        remote address: 3.3.3.2
    Flow :
        sour addr: 2.2.2.1/255.255.255.255  port: 1701  protocol: UDP
        dest addr: 3.3.3.2/255.255.255.255  port: 0  protocol: UDP

    [inbound ESP SAs]
      spi: 1635075495 (0x617545a7)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
      sa remaining key duration (bytes/sec): 1887407971/1095
      max received sequence-number: 409
      anti-replay check enable: Y
      anti-replay window size: 32
      udp encapsulation used for nat traversal: N

    [outbound ESP SAs]
      spi: 1796827467 (0x6b19694b)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
      sa remaining key duration (bytes/sec): 1887421298/1095
      max sent sequence-number: 337
      udp encapsulation used for nat traversal: N
[RTB]

The ISAKMP SA was negotiated with IKE aggressive mode, the peers identify themselves by name (FQDN rtb and rta) rather than by address, and the protected flow is the L2TP traffic itself (UDP port 1701) between the LNS address 2.2.2.1 and the client address 3.3.3.2.
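The `display ike sa verbose` and `display ipsec sa` outputs (here, and in Task 1 above) are where the negotiated algorithms become visible, so they are the place to check that what was configured is what was negotiated and whether the defaults are adequate. The following added example (written for this page; not code from the H3C lab guide or from Comware) parses both outputs and flags the weak settings a reviewer would raise: DES-CBC and DH group 1 for IKE, aggressive mode with a pre-shared key, no PFS, DES for the ESP SAs, ESP without integrity protection when no AH SA accompanies it, and a disabled anti-replay check. The sample strings are constructed from RTB's output above (headers trimmed); the Task 1 AH+ESP-NULL combination is exercised in the test with hand-built SA records. The finding codes and messages are this example's own, not Comware output.

```python
import re

# Constructed samples in the format of the "display ike sa verbose" and "display ipsec sa"
# output shown above (values are RTB's from Task 2; separator and unused lines trimmed).
IKE_SA_VERBOSE = """\
 connection id: 98
 transmitting entity: responder
 local ip: 2.2.2.1
 local id type: FQDN
 local id: rtb
 remote ip: 3.3.3.2
 remote id type: FQDN
 remote id: rta
 authentication-method: PRE-SHARED-KEY
 authentication-algorithm: HASH-SHA1
 encryption-algorithm: DES-CBC
 life duration(sec): 86400
 exchange-mode: AGGRESSIVE
 diffie-hellman group: GROUP1
 nat traversal: NO
"""

IPSEC_SA = """\
 IPsec policy name: "policy1"
 sequence number: 10
 mode: isakmp
 connection id: 19
 encapsulation mode: tunnel
 perfect forward secrecy: None
 local address: 2.2.2.1
 remote address: 3.3.3.2
 [inbound ESP SAs]
 spi: 1635075495 (0x617545a7)
 proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
 anti-replay check enable: Y
 anti-replay window size: 32
 [outbound ESP SAs]
 spi: 1796827467 (0x6b19694b)
 proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
"""

KV_RE = re.compile(r"^\s*([A-Za-z][^:]*?):\s*(.*)$")
SA_HDR_RE = re.compile(r"\[(inbound|outbound) (ESP|AH) SAs\]")


def parse_kv(text):
    """Flatten 'key: value' lines into a dict; the first occurrence of a key wins."""
    out = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            out.setdefault(m.group(1).strip(), m.group(2).strip())
    return out


def parse_ipsec_sa(text):
    """Split 'display ipsec sa' output into the policy header and one dict per SA."""
    header, sas, cur = [], [], None
    for line in text.splitlines():
        m = SA_HDR_RE.search(line)
        if m:
            cur = {"dir": m.group(1), "proto": m.group(2), "lines": []}
            sas.append(cur)
        elif cur is None:
            header.append(line)
        else:
            cur["lines"].append(line)
    for sa in sas:
        sa.update(parse_kv("\n".join(sa.pop("lines"))))
    return parse_kv("\n".join(header)), sas


WEAK_IKE_ENC = {"DES-CBC", "3DES-CBC"}
WEAK_DH = {"GROUP1", "GROUP2"}   # 768- and 1024-bit MODP groups


def audit(ike, ipsec_hdr, sas):
    """Return (code, message) findings for the negotiated IKE and IPsec SAs."""
    f = []
    enc, dh = ike.get("encryption-algorithm"), ike.get("diffie-hellman group")
    if enc in WEAK_IKE_ENC:
        f.append(("IKE-WEAK-ENC", f"IKE SA protected with {enc}; negotiate AES"))
    if dh in WEAK_DH:
        f.append(("IKE-WEAK-DH", f"IKE uses {dh}; use group 14 (2048-bit) or stronger"))
    if ike.get("exchange-mode") == "AGGRESSIVE" and ike.get("authentication-method") == "PRE-SHARED-KEY":
        f.append(("IKE-AGGR-PSK", "aggressive mode with a pre-shared key sends the identity hash "
                  "unencrypted, which allows offline guessing of the PSK; prefer main mode"))
    if ipsec_hdr.get("perfect forward secrecy") == "None":
        f.append(("NO-PFS", "no PFS: IPsec SA keys derive from the IKE SA secret; enable PFS with a strong group"))
    protos = {sa["proto"] for sa in sas}
    for sa in sas:
        prop = sa.get("proposal", "")
        label = f"{sa['dir']} {sa['proto']} SA (spi {sa.get('spi', '?')})"
        if "ESP-ENCRYPT-DES" in prop or "ESP-ENCRYPT-3DES" in prop:
            f.append(("SA-WEAK-ENC", f"{label}: {prop}; use AES"))
        if "ESP-AUTH-NULL" in prop and "AH" not in protos:
            f.append(("SA-NO-AUTH", f"{label}: ESP without integrity and no AH; modified ciphertext "
                      "would be decrypted without detection"))
        if sa["dir"] == "inbound" and sa.get("anti-replay check enable") != "Y":
            f.append(("SA-NO-REPLAY", f"{label}: anti-replay check disabled"))
    return f


if __name__ == "__main__":
    hdr, sas = parse_ipsec_sa(IPSEC_SA)
    for code, msg in audit(parse_kv(IKE_SA_VERBOSE), hdr, sas):
        print(f"{code:14} {msg}")
```

On the Task 2 output the audit reports six findings (weak IKE cipher, weak DH group, aggressive mode with PSK, no PFS, and DES on both ESP SAs); the Task 1 AH+ESP combination with `ESP-AUTH-NULL` is not reported as unauthenticated because the AH SA provides the integrity check, whereas the same ESP proposal without AH would be.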


Lab 5: BGP MPLS VPN Fundamentals


Task 1: Basic BGP MPLS VPN configuration

Step 1: Set up the environment and perform the basic configuration

Step 2: Configure the public-network IGP

On PE1, P and PE2, configure the OSPF router ID and advertise the routes for all public-network interface subnets, including the loopback interfaces of the PE devices.

Configuration on PE1:

[PE1]ospf router-id 1.1.1.1
[PE1]ospf
[PE1-ospf-1]area 0
[PE1-ospf-1-area-0.0.0.0]network 1.1.1.1 0.0.0.0
[PE1-ospf-1-area-0.0.0.0]network 100.0.0.1 0.0.0.3

Configuration on P:

[P]ospf router-id 1.1.1.3
[P]ospf
[P-ospf-1]area 0
[P-ospf-1-area-0.0.0.0]network 1.1.1.3 0.0.0.0
[P-ospf-1-area-0.0.0.0]network 100.0.0.2 0.0.0.3
[P-ospf-1-area-0.0.0.0]network 100.0.0.0 0.0.0.3

Configuration on PE2:

[PE2]ospf router-id 1.1.1.2
[PE2]ospf
[PE2-ospf-1]area 0
[PE2-ospf-1-area-0.0.0.0]network 1.1.1.2 0.0.0.0
[PE2-ospf-1-area-0.0.0.0]network 100.0.0.6 0.0.0.3

Check the OSPF neighbor state on each device:

dis ospf peer

OSPF Process 1 with Router ID 1.1.1.1


         Neighbor Brief Information
 Area: 0.0.0.0
 Router ID       Address         Pri Dead-Time  Interface   State
 1.1.1.3         100.0.0.2       1   34         GE0/0       Full/BDR

dis ospf peer
         OSPF Process 1 with Router ID 1.1.1.3
         Neighbor Brief Information
 Area: 0.0.0.0
 Router ID       Address         Pri Dead-Time  Interface   State
 1.1.1.1         100.0.0.1       1   38         GE0/0       Full/DR
 1.1.1.2         100.0.0.6       1   37         GE0/1       Full/BDR

dis ospf peer
         OSPF Process 1 with Router ID 1.1.1.2
         Neighbor Brief Information
 Area: 0.0.0.0
 Router ID       Address         Pri Dead-Time  Interface   State
 1.1.1.3         100.0.0.5       1   36         GE0/0       Full/DR

Check the PE routing tables:

dis ip routing-table
Routing Tables: Public
        Destinations : 8        Routes : 8

Destination/Mask    Proto  Pre  Cost  NextHop         Interface
1.1.1.1/32          Direct 0    0     127.0.0.1       InLoop0
1.1.1.2/32          OSPF   10   2     100.0.0.2       GE0/0
1.1.1.3/32          OSPF   10   1     100.0.0.2       GE0/0
100.0.0.0/30        Direct 0    0     100.0.0.1       GE0/0
100.0.0.1/32        Direct 0    0     127.0.0.1       InLoop0
100.0.0.4/30        OSPF   10   2     100.0.0.2       GE0/0
127.0.0.0/8         Direct 0    0     127.0.0.1       InLoop0
127.0.0.1/32        Direct 0    0     127.0.0.1       InLoop0

dis ip rou
Routing Tables: Public
        Destinations : 8        Routes : 8

Destination/Mask    Proto  Pre  Cost  NextHop         Interface
1.1.1.1/32          OSPF   10   2     100.0.0.5       GE0/0
1.1.1.2/32          Direct 0    0     127.0.0.1       InLoop0
1.1.1.3/32          OSPF   10   1     100.0.0.5       GE0/0
100.0.0.0/30        OSPF   10   2     100.0.0.5       GE0/0
100.0.0.4/30        Direct 0    0     100.0.0.6       GE0/0
100.0.0.6/32        Direct 0    0     127.0.0.1       InLoop0
127.0.0.0/8         Direct 0    0     127.0.0.1       InLoop0
127.0.0.1/32        Direct 0    0     127.0.0.1       InLoop0

Check connectivity between the PEs:

ping 1.1.1.2

PING 1.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 1.1.1.2: bytes=56 Sequence=1 ttl=254 time=1 ms
Reply from 1.1.1.2: bytes=56 Sequence=2 ttl=254 time=1 ms
Reply from 1.1.1.2: bytes=56 Sequence=3 ttl=254 time=1 ms
Reply from 1.1.1.2: bytes=56 Sequence=4 ttl=254 time=1 ms
Reply from 1.1.1.2: bytes=56 Sequence=5 ttl=254 time=1 ms

--- 1.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/1 ms

ping 1.1.1.2

PING 1.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 1.1.1.2: bytes=56 Sequence=1 ttl=254 time=1 ms
Reply from 1.1.1.2: bytes=56 Sequence=2 ttl=254 time=1 ms
Reply from 1.1.1.2: bytes=56 Sequence=3 ttl=254 time=1 ms
Reply from 1.1.1.2: bytes=56 Sequence=4 ttl=254 time=1 ms
Reply from 1.1.1.2: bytes=56 Sequence=5 ttl=254 time=1 ms


--- 1.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/1 ms

Step 3: Configure MPLS and MPLS LDP

Set the LSR ID in system view and enable MPLS and MPLS LDP.

Configuration on PE1:

[PE1]mpls lsr-id 1.1.1.1
[PE1]mpls
Info: MPLS starting, please wait...OK.
[PE1]mpls ldp
[PE1-mpls-ldp]

Configuration on P:

[P]mpls lsr-id 1.1.1.3
[P]mpls
Mpls starting, please wait... OK!
[P]mpls ldp
[P-mpls-ldp]

Configuration on PE2:

[PE2]mpls lsr-id 1.1.1.2
[PE2]mpls
Mpls starting, please wait... OK!
[PE2]mpls ldp
[PE2-mpls-ldp]

Enable MPLS and MPLS LDP in interface view. This must be done on every public-network interface of the PE and P devices.

Configuration on PE1:

[PE1]int g0/0

[PE1-GigabitEthernet0/0]mpls

[PE1-GigabitEthernet0/0]mpls ldp

Configuration on P:

[P]int g0/0

[P-GigabitEthernet0/0]mpls

[P-GigabitEthernet0/0]mpls ldp
[P]int g0/1

[P-GigabitEthernet0/1]mpls

[P-GigabitEthernet0/1]mpls ldp

Configuration on PE2:

[PE2]int g0/0

[PE2-GigabitEthernet0/0]mpls

[PE2-GigabitEthernet0/0]mpls ldp

After the configuration is complete, check that the MPLS LDP sessions have been established.

Check on PE1:

dis mpls ldp session

LDP Session(s) in Public Network
Total number of sessions: 1
-----------------------------------------------------------------------------
Peer-ID            Status        LAM  SsnRole  FT   MD5  KA-Sent/Rcv


-----------------------------------------------------------------------------
1.1.1.3:0          Operational   DU   Passive  Off  Off  10/10
-----------------------------------------------------------------------------
LAM : Label Advertisement Mode    FT : Fault Tolerance

Check on P:

dis mpls ldp session

LDP Session(s) in Public Network
Total number of sessions: 2
-----------------------------------------------------------------------------
Peer-ID            Status        LAM  SsnRole  FT   MD5  KA-Sent/Rcv
-----------------------------------------------------------------------------
1.1.1.1:0          Operational   DU   Active   Off  Off  13/13
1.1.1.2:0          Operational   DU   Active   Off  Off  9/9
-----------------------------------------------------------------------------
LAM : Label Advertisement Mode    FT : Fault Tolerance

Check on PE2:

dis mpls ldp session

LDP Session(s) in Public Network
Total number of sessions: 1
-----------------------------------------------------------------------------
Peer-ID            Status        LAM  SsnRole  FT   MD5  KA-Sent/Rcv
-----------------------------------------------------------------------------
1.1.1.3:0          Operational   DU   Passive  Off  Off  12/12
-----------------------------------------------------------------------------
LAM : Label Advertisement Mode    FT : Fault Tolerance

Check whether the LSPs between the PEs have been established.

Check on PE1:

dis mpls ldp lsp

LDP LSP Information
-----------------------------------------------------------------------------
SN  DestAddress/Mask   In/OutLabel  Next-Hop        In/Out-Interface
-----------------------------------------------------------------------------
1   1.1.1.1/32         3/NULL       127.0.0.1       -------/InLoop0
2   1.1.1.2/32         NULL/1024    100.0.0.2       -------/GE0/0
3   1.1.1.3/32         NULL/3       100.0.0.2       -------/GE0/0
-----------------------------------------------------------------------------
A '*' before an LSP means the LSP is not established
A '*' before a Label means the USCB or DSCB is stale

Check on PE2:

dis mpls ldp lsp

LDP LSP Information
-----------------------------------------------------------------------------
SN  DestAddress/Mask   In/OutLabel  Next-Hop        In/Out-Interface
-----------------------------------------------------------------------------
1   1.1.1.1/32         NULL/1025    100.0.0.5       -------/GE0/0


2   1.1.1.2/32         3/NULL       127.0.0.1       -------/InLoop0
3   1.1.1.3/32         NULL/3       100.0.0.5       -------/GE0/0
-----------------------------------------------------------------------------
A '*' before an LSP means the LSP is not established
A '*' before a Label means the USCB or DSCB is stale

Step 4: Configure the VPN instances with their RDs and RTs

Configuration on PE1:

[PE1]ip vpn-instance vpn1

[PE1-vpn-instance-vpn1]route-distinguisher 100:1
[PE1-vpn-instance-vpn1]vpn-target 100:1 both
IVT Assignment result:
VPN-Target assignment is successful
EVT Assignment result:
VPN-Target assignment is successful
[PE1]ip vpn-instance vpn2
[PE1-vpn-instance-vpn2]route-distinguisher 200:1
[PE1-vpn-instance-vpn2]vpn-target 200:1 both
IVT Assignment result:
VPN-Target assignment is successful
EVT Assignment result:
VPN-Target assignment is successful

Configuration on PE2:

[PE2]ip vpn-instance vpn1

[PE2-vpn-instance-vpn1]route-distinguisher 100:1
[PE2-vpn-instance-vpn1]vpn-target 100:1 both
IVT Assignment result:
VPN-Target assignment is successful
EVT Assignment result:
VPN-Target assignment is successful
[PE2]ip vpn-instance vpn2
[PE2-vpn-instance-vpn2]route-distinguisher 200:1
[PE2-vpn-instance-vpn2]vpn-target 200:1 both
IVT Assignment result:
VPN-Target assignment is successful
EVT Assignment result:
VPN-Target assignment is successful

Step 5: Bind the private-network interfaces to the VPN instances

Configuration on PE1:

[PE1]int Ethernet 5/0

[PE1-Ethernet5/0]ip binding vpn-instance vpn1

! All IP related configurations on this interface are removed
[PE1]int Ethernet 5/1

[PE1-Ethernet5/1]ip binding vpn-instance vpn2

! All IP related configurations on this interface are removed

Configuration on PE2:

[PE2]int Ethernet 5/0

[PE2-Ethernet5/0]ip binding vpn-instance vpn1

! All IP related configurations on this interface are removed
[PE2]int Ethernet 5/1

[PE2-Ethernet5/1]ip binding vpn-instance vpn2

! All IP related configurations on this interface are removed


Step 6: Configure the routing protocol between PE and CE

Several routing protocols can run between PE and CE; the PE must run a separate instance of the chosen protocol for each VPN. This lab uses OSPF, the most widely deployed choice.

Configuration on PE1:

[PE1]ospf 10 vpn-instance vpn1
[PE1-ospf-10]area 0
[PE1-ospf-10-area-0.0.0.0]network 192.168.1.1 0.0.0.3
[PE1]ospf 20 vpn-instance vpn2
[PE1-ospf-20]area 0

[PE1-ospf-20-area-0.0.0.0]network 172.32.1.1 0.0.0.3

Configuration on CE1:

[CE1]ospf

[CE1-ospf-1]area 0

[CE1-ospf-1-area-0.0.0.0]network 192.168.1.2 0.0.0.3

[CE1-ospf-1-area-0.0.0.0]network 192.168.254.0 0.0.0.255

Configuration on CE2:

[CE2]ospf

[CE2-ospf-1]area 0

[CE2-ospf-1-area-0.0.0.0]network 172.32.1.2 0.0.0.3

[CE2-ospf-1-area-0.0.0.0]network 172.32.254.0 0.0.0.255

Configuration on PE2:

[PE2]ospf 10 vpn-instance vpn1
[PE2-ospf-10]area 0
[PE2-ospf-10-area-0.0.0.0]network 192.168.2.1 0.0.0.3
[PE2]ospf 20 vpn-instance vpn2
[PE2-ospf-20]area 0

[PE2-ospf-20-area-0.0.0.0]network 172.32.2.1 0.0.0.3

Configuration on CE3:

[CE3]ospf

[CE3-ospf-1]area 0

[CE3-ospf-1-area-0.0.0.0]network 192.168.2.2 0.0.0.3

[CE3-ospf-1-area-0.0.0.0]network 192.168.255.0 0.0.0.255

Configuration on CE4:

[CE4]ospf

[CE4-ospf-1]area 0

[CE4-ospf-1-area-0.0.0.0]network 172.32.2.2 0.0.0.3

[CE4-ospf-1-area-0.0.0.0]network 172.32.255.0 0.0.0.255

Check the OSPF neighbor status between PE and CE.

Check on PE1; PE1 has established OSPF neighbor relationships with CE1 and CE2:

dis ospf 10 peer

OSPF Process 10 with Router ID 192.168.1.1
Neighbor Brief Information
Area: 0.0.0.0
Router ID       Address         Pri Dead-Time Interface State
192.168.254.254 192.168.1.2     1   32        Eth5/0    Full/BDR

dis ospf 20 peer

OSPF Process 20 with Router ID 172.32.1.1
Neighbor Brief Information
Area: 0.0.0.0
Router ID       Address         Pri Dead-Time Interface State
172.32.254.254  172.32.1.2      1   37        Eth5/1    Full/BDR


Check on PE2; PE2 has established OSPF neighbor relationships with CE3 and CE4:

dis ospf 10 peer

OSPF Process 10 with Router ID 192.168.2.1
Neighbor Brief Information
Area: 0.0.0.0
Router ID       Address         Pri Dead-Time Interface State
192.168.255.254 192.168.2.2     1   31        Eth5/0    Full/BDR

dis ospf 20 peer

OSPF Process 20 with Router ID 172.32.2.1
Neighbor Brief Information
Area: 0.0.0.0
Router ID       Address         Pri Dead-Time Interface State
172.32.255.254  172.32.2.2      1   36        Eth5/1    Full/BDR

Check that each PE has learned the private-network routes of its local CE devices.

Check on PE1; vpn1 has learned the route to PCA and vpn2 the route to PCB:

dis ip routing-table vpn-instance vpn1
Routing Tables: vpn1
        Destinations : 5        Routes : 5

Destination/Mask    Proto  Pre  Cost  NextHop         Interface
127.0.0.0/8         Direct 0    0     127.0.0.1       InLoop0
127.0.0.1/32        Direct 0    0     127.0.0.1       InLoop0
192.168.1.0/30      Direct 0    0     192.168.1.1     Eth5/0
192.168.1.1/32      Direct 0    0     127.0.0.1       InLoop0
192.168.254.0/24    OSPF   10   2     192.168.1.2     Eth5/0

dis ip routing-table vpn-instance vpn2
Routing Tables: vpn2
        Destinations : 5        Routes : 5

Destination/Mask    Proto  Pre  Cost  NextHop         Interface
127.0.0.0/8         Direct 0    0     127.0.0.1       InLoop0
127.0.0.1/32        Direct 0    0     127.0.0.1       InLoop0
172.32.1.0/30       Direct 0    0     172.32.1.1      Eth5/1
172.32.1.1/32       Direct 0    0     127.0.0.1       InLoop0
172.32.254.0/24     OSPF   10   2     172.32.1.2      Eth5/1

Check on PE2; vpn1 has learned the route to PCC and vpn2 the route to PCD:

dis ip routing-table vpn-instance vpn1
Routing Tables: vpn1
        Destinations : 5        Routes : 5

Destination/Mask    Proto  Pre  Cost  NextHop         Interface
127.0.0.0/8         Direct 0    0     127.0.0.1       InLoop0
127.0.0.1/32        Direct 0    0     127.0.0.1       InLoop0
192.168.2.0/30      Direct 0    0     192.168.2.1     Eth5/0
192.168.2.1/32      Direct 0    0     127.0.0.1       InLoop0
192.168.255.0/24    OSPF   10   2     192.168.2.2     Eth5/0

dis ip routing-table vpn-instance vpn2
Routing Tables: vpn2
        Destinations : 5        Routes : 5

Destination/Mask    Proto  Pre  Cost  NextHop         Interface
127.0.0.0/8         Direct 0    0     127.0.0.1       InLoop0
127.0.0.1/32        Direct 0    0     127.0.0.1       InLoop0
172.32.2.0/30       Direct 0    0     172.32.2.1      Eth5/1
172.32.2.1/32       Direct 0    0     127.0.0.1       InLoop0
172.32.255.0/24     OSPF   10   2     172.32.2.2      Eth5/1

Step 7: Configure ordinary BGP peers between the PEs

Configuration on PE1:

[PE1]bgp 100

[PE1-bgp]peer 1.1.1.2 as-number 100

[PE1-bgp]peer 1.1.1.2 connect-interface LoopBack 0


Configuration on PE2:

[PE2]bgp 100

[PE2-bgp]peer 1.1.1.1 as-number 100

[PE2-bgp]peer 1.1.1.1 connect-interface LoopBack 0

Check that the ordinary BGP peer relationship has been established.

Check on PE1:

display bgp peer

BGP local router ID : 1.1.1.1
Local AS number : 100
Total number of peers : 1          Peers in established state : 1

Peer            AS  MsgRcvd  MsgSent  OutQ  PrefRcv  Up/Down    State
1.1.1.2        100        2        2     0        0  00:00:47   Established

Check on PE2:

dis bgp peer

BGP local router ID : 1.1.1.2
Local AS number : 100
Total number of peers : 1          Peers in established state : 1

Peer            AS  MsgRcvd  MsgSent  OutQ  PrefRcv  Up/Down    State
1.1.1.1        100       10       11     0        0  00:09:45   Established

Step 8: Configure MP-BGP peers between the PEs

First enable the BGP peer in BGP VPNv4 address family view.

Configuration on PE1:

[PE1-bgp]ipv4-family vpnv4

[PE1-bgp-af-vpnv4]peer 1.1.1.2 enable

Configuration on PE2:

[PE2-bgp]ipv4-family vpnv4

[PE2-bgp-af-vpnv4]peer 1.1.1.1 enable

Check that the MP-BGP peer relationship has been established.

Check on PE1:

dis bgp vpnv4 all peer

BGP local router ID : 1.1.1.1
Local AS number : 100
Total number of peers : 1          Peers in established state : 1

Peer            AS  MsgRcvd  MsgSent  OutQ  PrefRcv  Up/Down    State
1.1.1.2        100        3        3     0        0  00:00:52   Established

Check on PE2:

dis bgp vpnv4 all peer

BGP local router ID : 1.1.1.2
Local AS number : 100
Total number of peers : 1          Peers in established state : 1

Peer            AS  MsgRcvd  MsgSent  OutQ  PrefRcv  Up/Down    State
1.1.1.1        100        4        3     0        0  00:02:00   Established

Step 9: Configure route redistribution between the local VPN routes and MP-BGP

First redistribute the local VPN routes into MP-BGP so that they are advertised to the remote PE.

Configuration on PE1:

[PE1-bgp]ipv4-family vpn-instance vpn1
[PE1-bgp-vpn1]import-route ospf 10


[PE1-bgp-vpn1]import-route direct

[PE1-bgp]ipv4-family vpn-instance vpn2

[PE1-bgp-vpn2]import-route ospf 20
[PE1-bgp-vpn2]import-route direct

Configuration on PE2:

[PE2-bgp]ipv4-family vpn-instance vpn1
[PE2-bgp-vpn1]import-route ospf 10
[PE2-bgp-vpn1]import-route direct

[PE2-bgp]ipv4-family vpn-instance vpn2
[PE2-bgp-vpn2]import-route ospf 20
[PE2-bgp-vpn2]import-route direct

Then redistribute the private-network routes learned from the remote PE through MP-BGP into the PE-CE routing protocol, so that they reach the CE devices of the corresponding VPN.

Configuration on PE1:

[PE1]ospf 10

[PE1-ospf-10]import-route bgp
[PE1]ospf 20

[PE1-ospf-20]import-route bgp

Configuration on PE2:

[PE2]ospf 10

[PE2-ospf-10]import-route bgp
[PE2]ospf 20

[PE2-ospf-20]import-route bgp

Check whether the PEs have learned the private-network routes of the remote VPN sites.

Check on PE1:

dis ip routing-table vpn-instance vpn1
Routing Tables: vpn1
        Destinations : 7        Routes : 7

Destination/Mask    Proto  Pre  Cost  NextHop         Interface
127.0.0.0/8         Direct 0    0     127.0.0.1       InLoop0
127.0.0.1/32        Direct 0    0     127.0.0.1       InLoop0
192.168.1.0/30      Direct 0    0     192.168.1.1     Eth5/0
192.168.1.1/32      Direct 0    0     127.0.0.1       InLoop0
192.168.2.0/30      BGP    255  0     1.1.1.2         NULL0
192.168.254.0/24    OSPF   10   2     192.168.1.2     Eth5/0
192.168.255.0/24    BGP    255  3     1.1.1.2         NULL0

dis ip routing-table vpn-instance vpn2
Routing Tables: vpn2
        Destinations : 7        Routes : 7

Destination/Mask    Proto  Pre  Cost  NextHop         Interface
127.0.0.0/8         Direct 0    0     127.0.0.1       InLoop0
127.0.0.1/32        Direct 0    0     127.0.0.1       InLoop0
172.32.1.0/30       Direct 0    0     172.32.1.1      Eth5/1
172.32.1.1/32       Direct 0    0     127.0.0.1       InLoop0
172.32.2.0/30       BGP    255  0     1.1.1.2         NULL0
172.32.254.0/24     OSPF   10   2     172.32.1.2      Eth5/1
172.32.255.0/24     BGP    255  3     1.1.1.2         NULL0

Check on PE2:

dis ip routing-table vpn-instance vpn1
Routing Tables: vpn1
        Destinations : 7        Routes : 7

Destination/Mask    Proto  Pre  Cost  NextHop         Interface
127.0.0.0/8         Direct 0    0     127.0.0.1       InLoop0
127.0.0.1/32        Direct 0    0     127.0.0.1       InLoop0
192.168.1.0/30      BGP    255  0     1.1.1.1         NULL0
192.168.2.0/30      Direct 0    0     192.168.2.1     Eth5/0
192.168.2.1/32      Direct 0    0     127.0.0.1       InLoop0


192.168.254.0/24    BGP    255  3     1.1.1.1         NULL0
192.168.255.0/24    OSPF   10   2     192.168.2.2     Eth5/0

dis ip routing-table vpn-instance vpn2
Routing Tables: vpn2
        Destinations : 7        Routes : 7

Destination/Mask    Proto  Pre  Cost  NextHop         Interface
127.0.0.0/8         Direct 0    0     127.0.0.1       InLoop0
127.0.0.1/32        Direct 0    0     127.0.0.1       InLoop0
172.32.1.0/30       BGP    255  0     1.1.1.1         NULL0
172.32.2.0/30       Direct 0    0     172.32.2.1      Eth5/1
172.32.2.1/32       Direct 0    0     127.0.0.1       InLoop0
172.32.254.0/24     BGP    255  3     1.1.1.1         NULL0
172.32.255.0/24     OSPF   10   2     172.32.2.2      Eth5/1

Check whether the CE devices have learned the private-network routes of the remote VPN site.

Check on CE1:

dis ip routing-table
Routing Tables: Public
        Destinations : 8        Routes : 8

Destination/Mask    Proto  Pre  Cost  NextHop           Interface
127.0.0.0/8         Direct 0    0     127.0.0.1         InLoop0
127.0.0.1/32        Direct 0    0     127.0.0.1         InLoop0
192.168.1.0/30      Direct 0    0     192.168.1.2       Vlan100
192.168.1.2/32      Direct 0    0     127.0.0.1         InLoop0
192.168.2.0/30      O_ASE  150  1     192.168.1.1       Vlan100
192.168.254.0/24    Direct 0    0     192.168.254.254   Vlan200
192.168.254.254/32  Direct 0    0     127.0.0.1         InLoop0
192.168.255.0/24    OSPF   10   4     192.168.1.1       Vlan100

Check on CE2:

dis ip routing-table
Routing Tables: Public
        Destinations : 8        Routes : 8

Destination/Mask    Proto  Pre  Cost  NextHop           Interface
127.0.0.0/8         Direct 0    0     127.0.0.1         InLoop0
127.0.0.1/32        Direct 0    0     127.0.0.1         InLoop0
172.32.1.0/30       Direct 0    0     172.32.1.2        Vlan100
172.32.1.2/32       Direct 0    0     127.0.0.1         InLoop0
172.32.2.0/30       O_ASE  150  1     172.32.1.1        Vlan100
172.32.254.0/24     Direct 0    0     172.32.254.254    Vlan200
172.32.254.254/32   Direct 0    0     127.0.0.1         InLoop0
172.32.255.0/24     OSPF   10   4     172.32.1.1        Vlan100

Check on CE3:

dis ip routing-table
Routing Tables: Public
        Destinations : 8        Routes : 8

Destination/Mask    Proto  Pre  Cost  NextHop           Interface
127.0.0.0/8         Direct 0    0     127.0.0.1         InLoop0
127.0.0.1/32        Direct 0    0     127.0.0.1         InLoop0
192.168.1.0/30      O_ASE  150  1     192.168.2.1       Vlan100
192.168.2.0/30      Direct 0    0     192.168.2.2       Vlan100
192.168.2.2/32      Direct 0    0     127.0.0.1         InLoop0
192.168.254.0/24    OSPF   10   4     192.168.2.1       Vlan100
192.168.255.0/24    Direct 0    0     192.168.255.254   Vlan200
192.168.255.254/32  Direct 0    0     127.0.0.1         InLoop0

Check on CE4:

dis ip routing-table
Routing Tables: Public
        Destinations : 8        Routes : 8

Destination/Mask    Proto  Pre  Cost  NextHop           Interface


127.0.0.0/8         Direct 0    0     127.0.0.1         InLoop0
127.0.0.1/32        Direct 0    0     127.0.0.1         InLoop0
172.32.1.0/30       O_ASE  150  1     172.32.2.1        Vlan100
172.32.2.0/30       Direct 0    0     172.32.2.2        Vlan100
172.32.2.2/32       Direct 0    0     127.0.0.1         InLoop0
172.32.254.0/24     OSPF   10   4     172.32.2.1        Vlan100
172.32.255.0/24     Direct 0    0     172.32.255.254    Vlan200
172.32.255.254/32   Direct 0    0     127.0.0.1         InLoop0

Check connectivity between the user sites.

PCA can reach PCC:

C:\Documents and Settings\>ping 192.168.255.1

Pinging 192.168.255.1 with 32 bytes of data:
Reply from 192.168.255.1: bytes=32 time=1ms TTL=251
Reply from 192.168.255.1: bytes=32 time=1ms TTL=251
Reply from 192.168.255.1: bytes=32 time=1ms TTL=251
Reply from 192.168.255.1: bytes=32 time=1ms TTL=251

Ping statistics for 192.168.255.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms

PCA cannot reach PCB:

C:\Documents and Settings\>ping 172.32.254.1

Pinging 172.32.254.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 172.32.254.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

PCA cannot reach PCD:

C:\Documents and Settings\>ping 172.32.255.1

Pinging 172.32.255.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 172.32.255.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

PCB cannot reach PCC:

C:\Documents and Settings\>ping 192.168.255.1

Pinging 192.168.255.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.255.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

PCB can reach PCD:

C:\Documents and Settings\>ping 172.32.255.1

Pinging 172.32.255.1 with 32 bytes of data:
Reply from 172.32.255.1: bytes=32 time=1ms TTL=251
Reply from 172.32.255.1: bytes=32 time=1ms TTL=251
Reply from 172.32.255.1: bytes=32 time=1ms TTL=251
Reply from 172.32.255.1: bytes=32 time=1ms TTL=251

Ping statistics for 172.32.255.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:


    Minimum = 1ms, Maximum = 1ms, Average = 1ms

PCC cannot reach PCD:

C:\Documents and Settings\>ping 172.32.255.1

Pinging 172.32.255.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 172.32.255.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

The results match the networking requirements.
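The ping tests above verify isolation by hand. As an added check for this lab (not part of the H3C guide), the following Python script parses the PE vpn-instance configuration from step 4 and a vpn-instance routing table from step 9 and flags any route-target overlap or foreign prefix that would let vpn1 and vpn2 reach each other; the sample text is constructed from the lab's own configuration and display output, and all function names are the script's own.

```python
"""Isolation checks for the BGP MPLS VPN lab (step 4 and step 9).
Added example, not part of the H3C lab guide: the device text below is
constructed from the lab's configuration and display output, and the
function names are this script's own, not Comware commands."""
import ipaddress
import re

# Constructed: PE1's vpn-instance stanzas. Comware also stores
# "vpn-target X both" as separate import/export lines; both forms parse.
PE1_VPN_CONFIG = """\
ip vpn-instance vpn1
 route-distinguisher 100:1
 vpn-target 100:1 export-extcommunity
 vpn-target 100:1 import-extcommunity
#
ip vpn-instance vpn2
 route-distinguisher 200:1
 vpn-target 200:1 both
#
"""

# Constructed from the lab's PE1 vpn1 table after step 9: remote prefixes
# arrive through MP-BGP with the remote PE loopback (1.1.1.2) as next hop.
PE1_VPN1_TABLE = """\
Destination/Mask    Proto  Pre  Cost  NextHop         Interface
127.0.0.0/8         Direct 0    0     127.0.0.1       InLoop0
127.0.0.1/32        Direct 0    0     127.0.0.1       InLoop0
192.168.1.0/30      Direct 0    0     192.168.1.1     Eth5/0
192.168.1.1/32      Direct 0    0     127.0.0.1       InLoop0
192.168.2.0/30      BGP    255  0     1.1.1.2         NULL0
192.168.254.0/24    OSPF   10   2     192.168.1.2     Eth5/0
192.168.255.0/24    BGP    255  3     1.1.1.2         NULL0
"""


def parse_vpn_instances(config):
    """Return {name: {"rd": str, "import": set(), "export": set()}}."""
    instances, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":                       # end of the current stanza
            cur = None
            continue
        m = re.match(r"ip vpn-instance (\S+)$", line)
        if m:
            cur = instances.setdefault(
                m.group(1), {"rd": None, "import": set(), "export": set()})
            continue
        if cur is None:
            continue
        m = re.match(r"route-distinguisher (\S+)$", line)
        if m:
            cur["rd"] = m.group(1)
            continue
        m = re.match(r"vpn-target (\S+)(?:\s+(\S+))?$", line)
        if m:
            rt, mode = m.group(1), m.group(2) or "both"
            if mode in ("both", "import-extcommunity"):
                cur["import"].add(rt)
            if mode in ("both", "export-extcommunity"):
                cur["export"].add(rt)
    return instances


def rt_leaks(instances):
    """(importer, exporter, rt) triples: importer would accept exporter's routes."""
    leaks = []
    for a, ia in instances.items():
        for b, ib in instances.items():
            if a != b:
                for rt in sorted(ia["import"] & ib["export"]):
                    leaks.append((a, b, rt))
    return leaks


def parse_routing_table(text):
    """Rows of a Comware 'display ip routing-table' style table."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and "/" in parts[0] and parts[0][0].isdigit():
            rows.append({"dest": ipaddress.ip_network(parts[0]),
                         "proto": parts[1], "nexthop": parts[4],
                         "iface": parts[5]})
    return rows


def foreign_routes(rows, allowed):
    """Routes whose destination lies outside this VPN's own address space."""
    nets = [ipaddress.ip_network(n) for n in allowed]
    nets.append(ipaddress.ip_network("127.0.0.0/8"))   # loopbacks are fine
    return [r for r in rows if not any(r["dest"].subnet_of(n) for n in nets)]


def bgp_routes_not_via(rows, remote_pe):
    """BGP-learned VPN routes should all point at the remote PE loopback."""
    return [r for r in rows if r["proto"] == "BGP" and r["nexthop"] != remote_pe]


if __name__ == "__main__":
    inst = parse_vpn_instances(PE1_VPN_CONFIG)
    print("RT leaks:", rt_leaks(inst) or "none")
    table = parse_routing_table(PE1_VPN1_TABLE)
    print("foreign prefixes in vpn1:",
          [str(r["dest"]) for r in foreign_routes(table, ["192.168.0.0/16"])] or "none")
    print("BGP routes not via PE2:", bgp_routes_not_via(table, "1.1.1.2") or "none")
```

Run it against `display current-configuration` and `display ip routing-table vpn-instance` output copied from each PE; a non-empty leak list or foreign-prefix list means the two customers are no longer isolated.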


Lab 6 Basic VoIP Configuration

Lab task 1: Forward voice over an IP network

Step 1: Establish the physical connections

This step may use the following commands:

display version

reset saved-configuration

reboot

Step 2: Basic configuration, including IP addresses

Configure RTA:

system-view

[RTA] interface ethernet 0/0

[RTA-ethernet0/0] ip address 1.1.1.1 24

Configure RTB:

system-view

[RTB]interface ethernet 0/0

[RTB-ethernet0/0]ip address 1.1.1.2 24

Step 3: Configure the POTS voice entities

Configure RTA:

system-view
[RTA] voice-setup

[RTA-voice] dial-program

[RTA-voice-dial] entity 1001 pots

[RTA-voice-dial-entity1001] match-template 0101001
[RTA-voice-dial-entity1001] line 1/0
[RTA-voice-dial-entity1001] quit


Configure RTB:

system-view
[RTB] voice-setup

[RTB-voice] dial-program

[RTB-voice-dial] entity 2001 pots

[RTB-voice-dial-entity2001] match-template 05712001
[RTB-voice-dial-entity2001] line 1/0
[RTB-voice-dial-entity2001] quit

Step 4: Configure the VoIP voice entities

Configure RTA:

system-view
[RTA] voice-setup

[RTA-voice] dial-program

[RTA-voice-dial] entity 0571 voip

[RTA-voice-dial-entity571] match-template 0571....
[RTA-voice-dial-entity571] address ip 1.1.1.2
[RTA-voice-dial-entity571] quit

Configure RTB:

system-view
[RTB] voice-setup

[RTB-voice] dial-program

[RTB-voice-dial] entity 010 voip

[RTB-voice-dial-entity10] match-template 010....
[RTB-voice-dial-entity10] address ip 1.1.1.1
[RTB-voice-dial-entity10] quit

Step 5: Verify the call


Lab 7 Configuring Traffic Policing

Lab task 1: Configure inbound traffic policing

Step 1: Build the lab environment and configure basic connectivity

Interface address and link-protocol configuration:

[RTA] interface Serial 0/1
[RTA-Serial0/1] ip address 1.1.1.1 24
[RTA-Serial0/1] link-protocol ppp
[RTA] interface Ethernet 0/0
[RTA-Ethernet0/0] ip address 192.168.1.1 24

[RTB] interface Serial 0/1
[RTB-Serial0/1] ip address 1.1.1.2 24
[RTB-Serial0/1] link-protocol ppp
[RTB] interface Ethernet 0/0
[RTB-Ethernet0/0] ip address 192.168.2.1 24

Static route configuration:

[RTA] ip route-static 192.168.2.0 255.255.255.0 1.1.1.2
[RTB] ip route-static 192.168.1.0 255.255.255.0 1.1.1.1

Verify connectivity:

C:\>ping 192.168.2.2

Pinging 192.168.2.2 with 32 bytes of data:

Reply from 192.168.2.2: bytes=32 time=1ms TTL=253
Reply from 192.168.2.2: bytes=32 time=1ms TTL=253
Reply from 192.168.2.2: bytes=32 time=1ms TTL=253
Reply from 192.168.2.2: bytes=32 time=7ms TTL=253

Ping statistics for 192.168.2.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 7ms, Average = 2ms

C:\>


Step 2: Observe the download rate without CAR

As shown in the figure below, downloading a 684 KB file took 91 s, an average of 7.70 KByte/s, about 61.6 Kbps.

Step 3: Configure CAR rate limiting and marking

Configure CAR to limit the rate to 32 Kbps and re-mark the IP Precedence of the packets that are allowed through to 5.

[RTA]acl nu 2000

[RTA-acl-basic-2000]rule permit source 192.168.1.2 0
[RTA-acl-basic-2000]quit
[RTA]int e0/0

[RTA-Ethernet0/0]qos car inbound acl 2000 cir 32 green remark-prec-pass 5 red discard

[RTA-Ethernet0/0]

Step 4: Observe the download rate after CAR is configured

Observe the download rate after CAR is configured, as shown in the figure below, and capture packets on PCB to check their IP Precedence. Downloading the same 684 KB file now takes 296 s, an average of 2.36 KByte/s, about 18.88 Kbps: the transfer takes longer and the rate is lower.

Capturing the packets sent from PCA to PCB with a packet analyzer (such as Ethereal) shows that their IP Precedence has been rewritten to 5:

Step 5: View the traffic policing statistics on the device

[RTA]dis qos car interface Ethernet 0/0
Interface: Ethernet0/0
 Direction: Inbound
  Rule(s): If-match acl 2000
   CIR 32 (kbps), CBS 2000 (byte), EBS 0 (byte)
   Green Action: remark ip-precedence 5 and pass
   Red Action  : discard
   Green : 529(Packets) 733817(Bytes)
   Red   : 291(Packets) 402968(Bytes)
[RTA]
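As an added illustration (not from the lab guide), the following Python model treats the CAR action configured in step 3 as a single-rate token bucket with the CIR of 32 kbit/s and CBS of 2000 bytes reported by `display qos car`, and feeds it packets at the 61.6 kbit/s rate measured in step 2; the continuous-refill rule and the 1400-byte packet size are assumptions made for the model, not Comware's implementation.

```python
"""Token-bucket model of "qos car inbound acl 2000 cir 32 green
remark-prec-pass 5 red discard" from the traffic policing lab.
Added example, not part of the H3C guide: CIR and CBS are the values shown
by display qos car; the refill rule (continuous refill at CIR, capped at
CBS) and the traffic profile are assumptions of this model."""
from dataclasses import dataclass, field


@dataclass
class CarStats:
    green: int = 0
    red: int = 0
    green_bytes: int = 0
    red_bytes: int = 0
    marked: list = field(default_factory=list)   # precedence of passed packets


class SingleRateCar:
    """Tokens are bytes; they refill at CIR and never exceed CBS."""

    def __init__(self, cir_kbps, cbs_bytes, remark_prec=None):
        self.rate = cir_kbps / 8.0            # bytes per millisecond
        self.cbs = cbs_bytes
        self.tokens = float(cbs_bytes)        # bucket starts full
        self.last_ms = 0.0
        self.remark_prec = remark_prec

    def police(self, t_ms, size, prec):
        """("green", out_prec) if the packet passes, ("red", None) if dropped."""
        elapsed = t_ms - self.last_ms
        self.tokens = min(self.cbs, self.tokens + elapsed * self.rate)
        self.last_ms = t_ms
        if size <= self.tokens:
            self.tokens -= size
            return "green", prec if self.remark_prec is None else self.remark_prec
        return "red", None                    # red action is discard


def simulate(car, n_packets, pkt_size, offered_kbps, prec=0):
    """Send n_packets of pkt_size bytes at a constant offered rate through car."""
    stats = CarStats()
    interval_ms = pkt_size * 8 / offered_kbps
    for i in range(n_packets):
        color, out_prec = car.police(i * interval_ms, pkt_size, prec)
        if color == "green":
            stats.green += 1
            stats.green_bytes += pkt_size
            stats.marked.append(out_prec)
        else:
            stats.red += 1
            stats.red_bytes += pkt_size
    return stats


def lab_car():
    """The lab's policer: CIR 32 kbit/s, CBS 2000 bytes, green re-marked to 5."""
    return SingleRateCar(cir_kbps=32, cbs_bytes=2000, remark_prec=5)


if __name__ == "__main__":
    # 1400-byte packets offered at the 61.6 kbit/s seen without CAR (assumed profile).
    s = simulate(lab_car(), 55, 1400, 61.6)
    print(f"green={s.green} red={s.red} precedence of passed packets={set(s.marked)}")
    # Well under the CIR every packet is green.
    print("red packets at 16 kbit/s:", simulate(lab_car(), 20, 1400, 16).red)
    # Edge case: a packet larger than CBS can never be green, so CBS must exceed the MTU.
    print("2500-byte packet:", lab_car().police(0, 2500, 0))
```

With the bucket capped at 2000 bytes, roughly every second 1400-byte packet at 61.6 kbit/s is red, which is why the observed download rate falls well below the CIR once TCP reacts to the discards.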


Lab 8 Configuring Congestion Management

Lab task 1: Configure CBQ

Step 1: Connect the devices and perform basic configuration

[RTA]interface Serial 0/1

[RTA-Serial0/1]ip address 1.1.1.1 24

[RTA-Serial0/1] qos lr outbound cir 128
[RTA-Serial0/1]interface Ethernet0/0

[RTA-Ethernet0/0]ip address 192.168.1.1 24

[RTA-Ethernet0/0]ip route-static 192.168.2.0 24 1.1.1.2

[RTB]interface Serial 0/1

[RTB-Serial0/1]ip address 1.1.1.2 24

[RTB-Serial0/1] qos lr outbound cir 128
[RTB-Serial0/1]interface Ethernet0/0

[RTB-Ethernet0/0]ip address 192.168.2.1 24

[RTB-Ethernet0/0]ip route-static 192.168.1.0 24 1.1.1.1

Step 2: Configure VoIP

VoIP configuration on RTA:

# Configure the VoIP entity that points to RTB
[RTA] voice-setup

[RTA-voice] dial-program

[RTA-voice-dial] entity 0755 voip

[RTA-voice-dial-entity755] match-template 0755....
[RTA-voice-dial-entity755] address ip 1.1.1.2
[RTA-voice-dial-entity755] quit

# Configure the POTS entity for the local FXS port Line 1/0
[RTA-voice-dial] entity 1001 pots

[RTA-voice-dial-entity1001] match-template 0101001
[RTA-voice-dial-entity1001] line 1/0


[RTA-voice-dial-entity1001] quit

[RTA-voice-dial]default entity compression 2nd-level g711alaw

VoIP configuration on RTB:

# Configure the VoIP entity that points to RTA
[RTB] voice-setup

[RTB-voice] dial-program

[RTB-voice-dial] entity 010 voip

[RTB-voice-dial-entity10] match-template 010....
[RTB-voice-dial-entity10] address ip 1.1.1.1
[RTB-voice-dial-entity10] quit

# Configure the POTS entity for the local FXS port Line 1/0
[RTB-voice-dial] entity 2001 pots

[RTB-voice-dial-entity2001] match-template 07552001
[RTB-voice-dial-entity2001] line 1/0
[RTB-voice-dial-entity2001] quit

[RTB-voice-dial]default entity compression 2nd-level g711alaw

The VoIP configuration above uses G.711 A-law encoding, which occupies 64 kbit/s of bandwidth.

Step 3: Check voice quality under congestion

Step 4: Configure CBQ

# Configure the ACL that matches the voice flow
[RTB]acl num 2000

[RTB-acl-basic-2000]rule 0 permit source 1.1.1.1 0
# Configure the ACL that matches the FTP flow
[RTB]acl num 2001

[RTB-acl-basic-2001]rule permit source 192.168.2.2 0
# Configure the class that matches the voice flow

[RTB]traffic classifier EF-voice

[RTB-classifier-EF-voice]if-match acl 2000
# Configure the class that matches the FTP flow

[RTB]traffic classifier AF-ftp

[RTB-classifier-AF-ftp]if-match acl 2001
# Configure the EF queue, assigning 64 kbit/s to the voice flow
[RTB]traffic behavior EF-voice

[RTB-behavior-EF-voice]queue ef bandwidth 64
# Configure the AF queue, guaranteeing 50 kbit/s to the FTP flow
[RTB]traffic behavior AF-ftp

[RTB-behavior-AF-ftp]queue af bandwidth 50
# Configure the QoS policy, binding each class to its behavior
[RTB]qos policy CBQ

[RTB-qospolicy-CBQ]classifier EF-voice behavior EF-voice
[RTB-qospolicy-CBQ]classifier AF-ftp behavior AF-ftp
# Apply the QoS policy to the interface

[RTB]interface Serial 0/1

[RTB-Serial0/1]qos apply policy CBQ outbound

Step 5: Check voice quality under congestion again


实验9 配置链路有效性增强机制

Task 1: Configuring STAC-LZS content compression

Step 1: Build the lab environment and configure basic connectivity

Interface addresses and link protocol:

[RTA] interface Serial 0/1
[RTA-Serial0/1] ip address 1.1.1.1 24
[RTA-Serial0/1] link-protocol ppp
[RTA] interface Ethernet 0/0
[RTA-Ethernet0/0] ip address 192.168.1.1 24
[RTB] interface Serial 0/1
[RTB-Serial0/1] ip address 1.1.1.2 24
[RTB-Serial0/1] link-protocol ppp
[RTB] interface Ethernet 0/0
[RTB-Ethernet0/0] ip address 192.168.2.1 24

Static routes:

[RTA] ip route-static 192.168.2.0 255.255.255.0 1.1.1.2
[RTB] ip route-static 192.168.1.0 255.255.255.0 1.1.1.1

Step 2: Observe the link transfer rate without content compression.

Without compression, transferring a 701206-byte file took 106 s, an average transfer rate of 6615 bytes/s, about 52.9 kbps.

Step 3: Configure link compression on RTA and RTB.

[RTA-Serial0/0]ppp compression stac-lzs
[RTB-Serial0/0]ppp compression stac-lzs


Step 4: Observe the link transfer rate after compression is configured.

With STAC-LZS content compression configured, transferring the same file took 50 s, an average transfer rate of 14024 bytes/s, about 112.2 kbps (the actual physical bandwidth is 64 kbps). The transfer rate is greatly improved.

Step 5: View the compression statistics on the device.

[RTB]dis ppp compression stac-lzs

Staz-lzs compression Interface: Serial2/0
Received:
Compress/Error/Discard/Total: 1370/0/0/1370 (Packets)
Sent:
Compress/Error/Total: 1371/0/1371 (Packets)
[RTB]
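Added example (not from the lab guide): a Python script that turns the file-transfer figures from Steps 2 and 4 into transfer rates and a lower bound on the compression ratio, and parses the display ppp compression stac-lzs counters from Step 5 into a simple health check. The file size, the 64 kbps link rate and the sample output are taken from the text above; the function names and the alarm conditions are assumptions of mine.

```python
import re
# From the lab text: file size in bytes and the serial link's physical rate.
FILE_BYTES = 701206
LINK_BPS = 64_000

def transfer_rate(file_bytes, seconds):
    """Average rate of a timed file copy as (bytes/s, kbit/s)."""
    rate = file_bytes / seconds
    return round(rate), round(rate * 8 / 1000, 1)

def min_compression_ratio(file_bytes, seconds, link_bps):
    """Lower bound on the compression ratio: the link carried at most link_bps*seconds bits."""
    wire_capacity_bytes = link_bps * seconds / 8
    return round(file_bytes / wire_capacity_bytes, 2)

# Constructed copy of the 'display ppp compression stac-lzs' output from Step 5.
STATS_SAMPLE = """\
Staz-lzs compression Interface: Serial2/0
Received:
Compress/Error/Discard/Total: 1370/0/0/1370 (Packets)
Sent:
Compress/Error/Total: 1371/0/1371 (Packets)
"""

def parse_stac_stats(text):
    """Parse the counters into {'interface': ..., 'received': {...}, 'sent': {...}}."""
    stats, direction = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.search(r"Interface:\s*(\S+)", line)
        if m:
            stats["interface"] = m.group(1)
        elif line in ("Received:", "Sent:"):
            direction = line[:-1].lower()
        elif direction and ":" in line:
            names, values = line.split(":", 1)
            counts = values.split()[0].split("/")
            stats[direction] = dict(zip(names.split("/"), map(int, counts)))
    return stats

def compression_problems(stats):
    """Alarm conditions (assumed): errors or discards, or packets that went through uncompressed."""
    problems = []
    for direction in ("received", "sent"):
        c = stats.get(direction, {})
        if c.get("Error", 0) or c.get("Discard", 0):
            problems.append(f"{direction}: errors or discards present")
        if c.get("Total", 0) and c.get("Compress", 0) < c["Total"]:
            problems.append(f"{direction}: {c['Total'] - c['Compress']} uncompressed packets")
    return problems
```

For the compressed run the bound comes out at about 1.75:1, which is why the measured 112.2 kbps can exceed the 64 kbps physical rate: fewer bytes crossed the wire than the file contains.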
