Building an IPsec site-to-site VPN over PPPoE

clarktsin
2009-05-15 17:15
1. Lab environment:

    1) Fixed-IP side (FTTB / fixed-IP DSL…)
        I. One public IP address, one Cisco 1841 router
        II. Router IOS feature set that includes k8/k9

    2) Dynamic-IP side (PPPoE dial-up)
        I. Dynamic-IP ADSL plus one Cisco 1721 router
        II. Router IOS feature set that includes y7 and k8/k9

2. Topology diagram:

3. Configuration and notes:

hostname C1721_PPPoE
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 28800
crypto isakmp key SeCrEt address 220.166.83.66
crypto isakmp keepalive 10 10
!
crypto ipsec transform-set MySet esp-des esp-md5-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer 220.166.83.66
 set transform-set MySet
 match address 101
!
interface FastEthernet0
 ip address 10.254.254.46 255.255.255.252
!
! PPPoE virtual dialer interface
interface Dialer0
 ip address negotiated
 crypto map VPN
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 101 permit ip 10.254.254.44 0.0.0.3 192.168.16.0 0.0.0.255

hostname C1841_Fixed_IP
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 28800
crypto isakmp key SeCrEt address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 10
!
crypto ipsec transform-set MySet esp-des esp-md5-hmac
!
crypto dynamic-map DyMap 100
 set transform-set MySet
 reverse-route remote-peer 220.166.83.1
!
crypto map VPN 200 ipsec-isakmp dynamic DyMap
!
interface FastEthernet0/1
 ip address 220.166.83.66 255.255.255.0
 crypto map VPN
!
ip route 0.0.0.0 0.0.0.0 220.166.83.1

4. Verification

C1721_PPPoE#show crypto isakmp sa
dst              src              state      conn-id  slot  status
220.166.83.66    218.170.50.162   QM_IDLE    1        0     ACTIVE


C1721_PPPoE#ping 192.168.16.254 source 10.254.254.46
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.16.254, timeout is 2 seconds:
Packet sent with a source address of 10.254.254.46
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/72/92 ms
C1721_PPPoE#

5. Supplementary notes:

    With the architecture above, whenever the C1721's PPPoE session is re-established or the IPsec lifetime expires, the whole VPN goes down. Rebuilding the VPN can only rely on the interesting traffic defined on the C1721 to trigger an IKE negotiation (the C1841 uses a dynamic crypto map and only learns the C1721's current address when the C1721 initiates). So what can be done when the traffic originator is the C1841?

    Without changing the architecture, the only option is to periodically send traffic from the C1721 to the C1841. In a GRE over IPsec design this can be handled with DPD or a routing protocol, but in the PPPoE design you will likely need to configure an RTR that sends ICMP packets periodically; that resolves the problem described above.

    The RTR syntax is as follows:

C1721_PPPoE#sh run | b rtr 99
rtr 99
 type echo protocol ipIcmpEcho 192.168.16.254 source-ipaddr 10.254.254.46
 timeout 1000
rtr schedule 99 life forever start-time now
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 0 0
 authorization exec Local_Auth
 logging synchronous
!
end
C1721_PPPoE#
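The RTR probe only keeps the tunnel alive if its packets match the crypto map's interesting-traffic ACL, which is easy to get wrong when the probe source or the ACL is later edited. As an added example (not from the original post or the vendor), the Python check below parses a constructed excerpt of the C1721 configuration shown above, verifies that the echo probe's source and destination fall inside the `match address` ACL using Cisco wildcard-mask semantics, and also flags the legacy DES/MD5 algorithms this configuration uses.

```python
import ipaddress
import re

# Constructed excerpt of the C1721 side of the configuration above (sample input, not a live device).
C1721_CONFIG = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto ipsec transform-set MySet esp-des esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
 match address 101
access-list 101 permit ip 10.254.254.44 0.0.0.3 192.168.16.0 0.0.0.255
rtr 99
 type echo protocol ipIcmpEcho 192.168.16.254 source-ipaddr 10.254.254.46
"""

def _in_wildcard(addr, net, wild):
    """Cisco wildcard match: bits set in the wildcard mask are don't-care bits."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    return (a & ~w) == (n & ~w)

def crypto_acl_entries(config, acl_id):
    """Return (src, src_wild, dst, dst_wild) for each 'permit ip' line of the crypto ACL."""
    pat = re.compile(rf"^access-list {acl_id} permit ip (\S+) (\S+) (\S+) (\S+)", re.M)
    return pat.findall(config)

def probe_is_interesting(config):
    """True if the RTR echo probe lies inside the crypto map's match ACL, i.e. the probe
    is interesting traffic that can trigger IKE and re-establish the tunnel after a redial."""
    acl_id = re.search(r"^ match address (\d+)", config, re.M).group(1)
    m = re.search(r"ipIcmpEcho (\S+) source-ipaddr (\S+)", config)
    dst, src = m.group(1), m.group(2)
    return any(_in_wildcard(src, s, sw) and _in_wildcard(dst, d, dw)
               for s, sw, d, dw in crypto_acl_entries(config, acl_id))

def weak_crypto_findings(config):
    """Flag the legacy algorithms in the IKE policy and transform set (audit output only)."""
    findings = []
    if re.search(r"^ hash md5", config, re.M):
        findings.append("isakmp policy uses MD5")
    if re.search(r"transform-set \S+ esp-des\b", config):
        findings.append("transform set uses single DES")
    if re.search(r"esp-md5-hmac", config):
        findings.append("ESP integrity uses HMAC-MD5")
    return findings
```

Run it against the real `show running-config` output to confirm the probe source still sits inside the crypto ACL after any address change.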