Author: Alien[NBO]
The outside interface of a VPN gateway normally carries a real public address. When circumstances force the VPN gateway to sit on the internal network, the border network device has to NAT its address. This lab was built to illustrate that case:
Summary of the IP address ranges:
* 192.168.168.0/24 is the external access segment
* 172.16.1.0/24 is the access segment between the border router and the VPN router
* The internal VPN router's outside interface address 172.16.1.2 is mapped to the external address 192.168.168.154
* 172.16.2.0/24 simulates the internal network
* 172.16.0.0/24 is the address pool assigned to VPN client software
Border router configuration, a standard conventional setup:
interface FastEthernet0/0
ip address 192.168.168.155 255.255.255.0
ip nat outside
!
interface FastEthernet0/1
ip address 172.16.1.1 255.255.255.0
ip nat inside
!
ip nat inside source static 172.16.1.2 192.168.168.154
VPN router configuration. The device must support IPSec NAT Traversal; RRI (reverse route injection) is configured as well:
aaa new-model
aaa authentication login my_auth local
aaa authorization network group_authen local
username xxx password xxx
!
interface FastEthernet0/0
ip address 172.16.1.2 255.255.255.0
crypto map my_map
!
interface Loopback0
ip address 172.16.2.1 255.255.255.0
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group my_group
key my_password
pool my_pool
!
crypto isakmp profile vpn_client
match identity group my_group
client authentication list my_auth
isakmp authorization list group_authen
client configuration address initiate
client configuration address respond
!
crypto ipsec transform-set my_set esp-3des esp-sha-hmac
!
crypto dynamic-map my_dyna 1
set transform-set my_set
set isakmp-profile vpn_client
reverse-route
!
crypto map my_map 1 ipsec-isakmp dynamic my_dyna
!
ip local pool my_pool 172.16.0.1 172.16.0.100
VPN_2611XM#sh cry is sa
dst src state conn-id slot
172.16.1.2 192.168.168.168 QM_IDLE 2 0
!---ISAKMP SA state
VPN_2611XM#sh cry ip sa
interface: FastEthernet0/0
Crypto map tag: my_map, local addr. 172.16.1.2
protected vrf:
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.0.9/255.255.255.255/0/0)
current_peer: 192.168.168.168:4500
PERMIT, flags={}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
#pkts decaps: 44, #pkts decrypt: 44, #pkts verify 44
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.16.1.2, remote crypto endpt.: 192.168.168.168
path mtu 1500, media mtu 1500
current outbound spi: 607052BE
inbound esp sas:
spi: 0x4D7653D8(1299600344)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
slot: 0, conn id: 2000, flow_id: 1, crypto map: my_map
sa timing: remaining key lifetime (k/sec): (4596384/3412)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x607052BE(1617973950)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
slot: 0, conn id: 2001, flow_id: 2, crypto map: my_map
sa timing: remaining key lifetime (k/sec): (4596392/3412)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
!---IPSec SA state; the "Tunnel UDP-Encaps" setting shows that IPSec NAT Traversal is in effect
VPN_2611XM# sh ip route st
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
S 172.16.0.9/32 [1/0] via 192.168.168.168
S* 0.0.0.0/0 [1/0] via 172.16.1.1
!---This shows that RRI is also working: a static route has been created dynamically. 192.168.168.168 is the real address of the VPN client software. With the static route in place it can simply be redistributed into a dynamic routing protocol, depending on the actual situation.
The screenshot below shows the statistics window of the VPN client software:
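As an added check (not part of the original lab), the following Python snippet applies the two verification criteria above to captured show output: NAT-T is considered active when the peer is reached on UDP port 4500 and every ESP SA is flagged UDP-Encaps, and RRI is considered working when the client's assigned address (the remote ident /32) has a static host route pointing via the client's real address. The sample strings are constructed by trimming the lab's own show output.

```python
import re

# Constructed sample output, trimmed from the lab's own "show crypto ipsec sa"
# and "show ip route static" output above.
IPSEC_SA_OUTPUT = """\
interface: FastEthernet0/0
Crypto map tag: my_map, local addr. 172.16.1.2
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.0.9/255.255.255.255/0/0)
current_peer: 192.168.168.168:4500
inbound esp sas:
spi: 0x4D7653D8(1299600344)
in use settings ={Tunnel UDP-Encaps, }
outbound esp sas:
spi: 0x607052BE(1617973950)
in use settings ={Tunnel UDP-Encaps, }
"""

STATIC_ROUTE_OUTPUT = """\
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
S 172.16.0.9/32 [1/0] via 192.168.168.168
S* 0.0.0.0/0 [1/0] via 172.16.1.1
"""


def check_nat_t(sa_output):
    """NAT-T is active when the peer is reached on UDP/4500 and every ESP SA
    is flagged UDP-Encaps. Returns a dict, or None if no peer is present."""
    m = re.search(r"current_peer:\s*([\d.]+):(\d+)", sa_output)
    if not m:
        return None
    peer, port = m.group(1), int(m.group(2))
    settings = re.findall(r"in use settings\s*=\{([^}]*)\}", sa_output)
    encaps = bool(settings) and all("UDP-Encaps" in s for s in settings)
    return {"peer": peer, "port": port, "nat_t": port == 4500 and encaps}


def check_rri(sa_output, route_output):
    """RRI is working when the client's assigned address (remote ident /32)
    has a static host route pointing via the client's real address (peer)."""
    peer = re.search(r"current_peer:\s*([\d.]+):\d+", sa_output)
    ident = re.search(r"remote ident[^:]*:\s*\(([\d.]+)/255\.255\.255\.255/",
                      sa_output)
    if not (peer and ident):
        return False
    pat = (r"^S\s+" + re.escape(ident.group(1)) + r"/32\s+\[\d+/\d+\]\s+via\s+"
           + re.escape(peer.group(1)) + r"\s*$")
    return re.search(pat, route_output, re.M) is not None
```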