实验三L2TP VPN的路由器配置.doc

实验三 L2TP VPN的路由器配置一、实验目的:了解CISCO 路由器下L2TP VPN的配置方法。二、实验环境： l Windows server 2000操作系统l 必须在连网的环境中进行三、实验内容及步骤：步骤一 网络连通性配置1. 路由器基本配置：（略）2. 路由器接口配置：ISP：Isp(config)#int f0/0Isp(config-if)#ip add 10.1.1.1 255.255.255.0Isp(config-if)#no shutIsp(config-if)#int f0/1Isp(config-if)#ip add 192.168.1.1 255.255.255.0Isp(config-if)#no shutLNS:Lns(config)#int f0/0Lns(config-if)#ip add 192.168.1.2 255.255.255.0Lns(config-if)#no shutLNS(config)#int lo 0LNS(config-if)#ip add 100.1.1.1 255.255.255.03.配置LNS路由器的静态路由Lns(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.14.  配置VPN Client之前首先要保证能和LNS通信才行，将c0（客户端）的IP地址设为10.1.1.2，网关为10.1.1.1，通过ping命令测试c0到LNS路由器的连通性。步骤二 L2TP VPN服务器的配置：LNS：LNS(config)#username hngy password cisco /配置登录VPN服务器的用户名和密码LNS(config)#vpdn enable /开启VPN服务（vpdn默认是关闭的）LNS(config-vpdn)#vpdn-group 1 /创建VPN组LNS(config-vpdn)#accept-dialin /接收VPN拨号访问LNS(config-vpdn-acc-in)#protocol l2tp /定义使用的VPN协议为L2TPLNS(config-vpdn-acc-in)#virtual-template 1/创建新的虚拟访问组1（一个虚拟拨号组里最多可以建立25个虚拟接口）LNS(config-vpdn-acc-in)#exitLNS(config-vpdn)#no l2tp tunnel authentication /取消L2TP通道验证功能（也可以开启认证功能，这时候，需要搭建一台CA，然后申请证书，并且客户端也需要申请证书才能连上R1，这样会更安全）LNS(config-vpdn)#exitLNS(config)#ip local pool pool1 100.1.1.100 100.1.1.254/配置分配给VPN客户端的地址池，并命名LNS(config)#interface Virtual-Template1/创建虚接口LNS(config-if)#encapsulation pppLNS(config-if)#ip unnumbered f0/0 /借用f0/0的IP地址来转发l2tp隧道协议传输的流量，也可以配置一个公网的IP地址，这样就需要花费购买一个公网IP地址LNS(config-if)#peer default ip address pool pool1/在接口上为拨入用户指定地址池LNS(config-if)#ppp authentication chap/使用chap认证LNS(config-if)#end步骤三 L2TP VPN客户端的配置1.参照实验一建立新的连接，连接到我的工作场所：点击完成即可。2.将用户名设为hngy,密码为cisco,需与LNS服务器中配置的客户端和密码一致。3.选择客户端的VPN连接属性，将“安全措施”改为“高级”4需要设置VPN Client的安全协商参数，设置的认证协议必须和LNS上封装的认证协议相同为ms-chap和chap。选择“可选加密（没有加密也可以连接）”，允许“不加密的密码（PAP）、质询握手身份验证协议（CHAP）、Microsoft CHAP（MS-CHAP）”这些协议。点击“确定”。5.将客户端的VPN连接属性中的“网络”改为“第2层隧道协议（L2TP）”。6进入Windows 2003的“开始” “运行”里面输入“Regedit”，打开“注册表编辑器”，定位“HKEY_Local_Machine  System  CurrentControl Set  Services  RasMan Parameters ”主键，选择“编辑” “添加数值”，为该主键添加以下键值： 数值名称：ProhibitIpSec 数据类型：reg_dword 值：1 （这是因为Windows2000/xp/2003的L2TP缺省启动证书方式的IPSEC，因此必须向Windows添加 ProhibitIpSec 注册表值，以防止创建用于 L2TP/IPSec 通信的自动筛选器。ProhibitIpSec 注册表值设置为 1 时，基于 Windows 2000/xp/2003 的计算机不会创建使用 CA 身份验证的自动筛选器，而是检查本地 IPSec 策略或 Active Directory IPSec 策略。8保存所做的修改，重新启动电脑以使改动生效。步骤四 拨号测试四、实验结果及调试1. 粘贴步骤一后，c0到LNS路由器的连通性测试结果：2. 在配置步骤二后，在LNS上运行show vpdn tunnel命令并粘贴结果：3. 在配置步骤二后，在LNS上运行show ip int brief命令，查看Virtual-template1 的IP和F0/0是否一样，并粘帖结果：4. 实验完成后，在VPN客户端使用IPCONFIG命令查看实验结果，并粘贴在下方：5. 实验完成后，在LNS上运行show vpdn tunnel命令并粘贴结果：6. 实验完成后，在LNS上运行show vpdn session命令并粘贴结果：7. VPN客户端进行拨号连接时，使用sniffer截获数据，并粘贴在下方：Acknowledgements My deepest gratitude goes first and foremost to Professor aaa , my supervisor, for her constant encouragement and guidance. She has walked me through all the stages of the writing of this thesis. Without her consistent and illuminating instruction, this thesis could not havereached its present form. Second, I would like to express my heartfelt gratitude to Professor aaa, who led me into the world of translation. I am also greatly indebted to the professors and teachers at the Department of English: Professor dddd, Professor ssss, who have instructed and helped me a lot in the past two years. Last my thanks would go to my beloved family for their loving considerations and great confidence in me all through these years. I also owe my sincere gratitude to my friends and my fellow classmates who gave me their help and time in listening to me and helping me work out my problems during the difficult course of the thesis. My deepest gratitude goes first and foremost to Professor aaa , my supervisor, for her constant encouragement and guidance. She has walked me through all the stages of the writing of this thesis. Without her consistent and illuminating instruction, this thesis could not havereached its present form. Second, I would like to express my heartfelt gratitude to Professor aaa, who led me into the world of translation. I am also greatly indebted to the professors and teachers at the Department of English: Professor dddd, Professor ssss, who have instructed and helped me a lot in the past two years. Last my thanks would go to my beloved family for their loving considerations and great confidence in me all through these years. I also owe my sincere gratitude to my friends and my fellow classmates who gave me their help and time in listening to me and helping me work out my problems during the difficult course of the thesis.