


    Cisco L2TP в роли сервера с шифрованием по IPSec


! Variant 1: L2TP remote-access server with the tunnel protected by IPsec.
! AAA uses the local user database for every login list defined below.
aaa new-model
!
!
aaa authentication login default local
! NOTE(review): the userauthen / groupauthor lists are defined but nothing in the
! lines shown here references them - confirm they are used elsewhere or remove them.
aaa authentication login userauthen local
aaa authorization network groupauthor local
!                                           
aaa session-id common
!
! Address pool for L2TP clients; .1-.40 are held back from dynamic assignment.
ip dhcp excluded-address 192.168.50.1 192.168.50.40
ip dhcp ping packets 1
!
ip dhcp pool l2tp
   network 192.168.50.0 255.255.255.0
   dns-server 192.168.44.3
   domain-name my.local
   netbios-name-server 192.168.44.3
   lease 10
!        
!       
vpdn enable
!
vpdn-group 2
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 2
 lcp renegotiation on-mismatch
! The L2TP tunnel is tied to crypto profile L2TP (the crypto map further down).
 l2tp security crypto-profile L2TP
! L2TP-level tunnel authentication is switched off, so peer authentication rests
! on the IPsec pre-shared key and the PPP MS-CHAPv2 exchange only.
 no l2tp tunnel authentication
 ip pmtu
 ip mtu adjust   
!
!
! VPN user account (secret redacted in this listing).
! NOTE(review): `password` keeps a reversible string in the config;
! `username l2tp secret ...` stores a one-way hash instead. Because the vty lines
! below use the same local login list, this account is also a valid SSH login
! unless other usernames exist outside this listing.
username l2tp password xxxxxx
!
!
! IKEv1 phase 1: 3DES, pre-shared key, DH group 2 (1024-bit modulus).
! NOTE(review): 3DES and DH group 2 are legacy choices, presumably kept for
! client compatibility - confirm whether the clients in use accept AES / group 14.
crypto isakmp policy 110
 encr 3des
 authentication pre-share
 group 2  
!
!
! A single pre-shared key accepted from any peer address (0.0.0.0 wildcard):
! every client shares the same secret. Key is redacted.
crypto isakmp key ****** address 0.0.0.0 0.0.0.0
!
!
! Phase 2: ESP with 3DES and SHA-1 HMAC in transport mode (L2TP-over-IPsec).
crypto ipsec transform-set L2TP esp-3des esp-sha-hmac
 mode transport    
!
!
! Static crypto map bound to profile L2TP, the name the VPDN group refers to.
crypto map L2TP2 110 ipsec-isakmp profile L2TP
 set transform-set L2TP  
!
!
! Outside interface that terminates the IPsec/L2TP sessions.
interface FastEthernet4
 crypto map L2TP2   
!
!
! PPP template cloned per L2TP session; client addresses come from pool l2tp.
interface Virtual-Template2
 ip unnumbered FastEthernet4
 ip virtual-reassembly
 autodetect encapsulation ppp
 peer default ip address dhcp-pool l2tp
 ppp authentication ms-chap-v2
! `auto` allows 40- or 128-bit MPPE keys; `required` is not set, so a session
! may presumably come up without MPPE. IPsec already encrypts the transport,
! so MPPE is defence in depth here rather than the primary control.
 ppp encrypt mppe auto
!        
!
! Remote management: SSH only. Every account that logs in on these lines starts
! at privilege 15 (full access) - there is no separate enable step.
line vty 0 4
 privilege level 15
 transport input ssh
!   



Вариант 2
! Variant 2: L2TP/IPsec server using a dynamic crypto map and two transform sets.
aaa new-model
!
aaa authentication login default local
! NOTE(review): userauthen / groupauthor are defined but not referenced in the
! lines shown. No `aaa authentication ppp` list and no `username` appear here
! either - confirm where the MS-CHAPv2 credentials are checked.
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
no ip dhcp use vrf connected
!
! Client address pool. A /30 yields only two assignable addresses - confirm this
! matches the expected number of concurrent clients.
! NOTE(review): default-router 192.168.10.6 lies outside both this /30 and the
! 172.0.0.0/24 used on Virtual-Template1; option 249 is the Microsoft classless
! static route option. Whether PPP clients receive these DHCP options at all
! (DNS/WINS are pushed via IPCP below) is worth confirming.
ip dhcp pool VPN
   network 192.168.10.192 255.255.255.252
   default-router 192.168.10.6
   option 249 ip 10.0.0.1 172.0.0.1 10.0.0.2 172.0.0.1
   domain-name domain.local
!
vpdn enable
!
vpdn-group l2tp
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 lcp renegotiation on-mismatch
! L2TP tunnel authentication is off; unlike variant 1 there is no
! `l2tp security crypto-profile`, so IPsec protection is enforced only by the
! crypto map on the outside interface.
 no l2tp tunnel authentication
 ip pmtu
 ip mtu adjust
!
! IKEv1 phase 1: 3DES, pre-shared key, DH group 2 (1024-bit modulus).
! NOTE(review): legacy parameters, presumably for client compatibility -
! confirm whether AES / group 14 are acceptable for the clients in use.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
! One pre-shared key for every peer address (wildcard). Key is redacted.
crypto isakmp key ****** address 0.0.0.0 0.0.0.0
!
! Two phase-2 proposals, both transport mode: SHA-1 HMAC preferred,
! MD5 HMAC (L2TP2) offered as a weaker fallback.
crypto ipsec transform-set L2TP1 esp-3des esp-sha-hmac
 mode transport
crypto ipsec transform-set L2TP2 esp-3des esp-md5-hmac
 mode transport
! Clear DF on the outer packet so oversized encrypted frames can be fragmented.
crypto ipsec df-bit clear
!
! Dynamic map: accepts IPsec from peers whose address is not known in advance,
! which is what roaming L2TP clients need. Proposals are tried in listed order.
crypto dynamic-map DYN_MAP_L2TP1 10
 set transform-set L2TP1 L2TP2
!
crypto map L2TP1 6000 ipsec-isakmp dynamic DYN_MAP_L2TP1
!
! Outside interface; the rest of its configuration is omitted from the listing.
interface FastEthernet1
 .....
 crypto map L2TP1
!
! PPP template cloned per session; server-side address 172.0.0.1/24, client
! addresses from pool VPN, DNS/WINS/mask pushed through IPCP.
interface Virtual-Template1
 ip address 172.0.0.1 255.255.255.0
 autodetect encapsulation ppp
 peer default ip address dhcp-pool VPN
! `auto` allows 40- or 128-bit MPPE keys; `required` is not set, so MPPE is
! presumably optional. IPsec already encrypts the transport.
 ppp encrypt mppe auto
 ppp authentication ms-chap-v2
 ppp ipcp dns 192.168.10.50
 ppp ipcp wins 192.168.10.50
 ppp ipcp mask 255.255.255.0