! Basic configuration: inside/outside VLAN interfaces and the switch ports assigned to them
interface vlan 1
 nameif inside
 ip address 172.16.1.1 255.255.255.0
interface vlan 2
 nameif outside
 ip address xx.xx.xx.xx 255.255.255.240
interface ethernet 0/0
 switchport access vlan 1
 no shutdown
interface ethernet 0/1
 switchport access vlan 2
 no shutdown
! Address pool handed out to VPN users
ip local pool l2tp-ipsec_address 192.168.1.1-192.168.1.10
! Split-tunnel list; it had no effect in actual testing, so access is restricted with an ACL instead
access-list split extended permit ip host 172.17.1.9 any
! Define a group policy and set its attributes (the split-tunnel list is referenced here)
group-policy l2tp-ipsec_policy internal
group-policy l2tp-ipsec_policy attributes
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
! Create a user with a password stored in MS-CHAP-compatible form, then bind the group policy to the user
username cisco password cisco mschap
username cisco attributes
 vpn-group-policy l2tp-ipsec_policy
! L2TP over IPsec must use the DefaultRAGroup tunnel group: general attributes (group policy and address pool)
tunnel-group DefaultRAGroup general-attributes
 default-group-policy l2tp-ipsec_policy
 address-pool l2tp-ipsec_address
! IPsec attributes: the pre-shared key
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key cisc0
! PPP authentication methods (PAP disabled)
tunnel-group DefaultRAGroup ppp-attributes
 no authentication pap
 authentication chap
 authentication ms-chap-v1
 authentication ms-chap-v2
! Phase 1 (ISAKMP) policy
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
! Phase 2 transform set; L2TP requires transport mode
crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport
! Dynamic crypto map for remote-access peers, bound to the outside interface
! (the crypto map name is masked as *** on the page; "vpn" is assumed here, any name works as long as both lines match)
crypto dynamic-map dyno 10 set transform-set trans
crypto map vpn 65535 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp enable outside
If Windows 7 cannot connect, check whether the IKE service is started. This example does not involve NAT; in a NAT environment, the hosts that VPN users need to reach must be exempted from NAT.
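As an added example (not part of the original post), the following script parses the relevant lines of this page's ASA configuration and flags the settings a reviewer would question: 3DES, SHA-1 and DH group 2 in phase 1, 3DES in the transform set, CHAP/MS-CHAPv1 still enabled for PPP, and the short pre-shared key. The embedded configuration is constructed from the page's lines; the 16-character key threshold is an assumption.

```python
import re

# Constructed sample: the lines from this page's ASA L2TP/IPsec config that the audit inspects.
ASA_CONFIG = """\
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key cisc0
tunnel-group DefaultRAGroup ppp-attributes
 no authentication pap
 authentication chap
 authentication ms-chap-v1
 authentication ms-chap-v2
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport
"""

# Deprecated or weak settings: (regex matched against one config line, finding text).
WEAK_SETTINGS = [
    (r"^\s*encryption (des|3des)\b", "IKE phase 1 uses DES/3DES (deprecated)"),
    (r"^\s*hash (md5|sha)$", "IKE phase 1 uses MD5/SHA-1"),
    (r"^\s*group (1|2|5)$", "IKE phase 1 uses DH group 1/2/5 (weak)"),
    (r"^\s*authentication pap$", "PPP allows PAP (cleartext password)"),
    (r"^\s*authentication (chap|ms-chap-v1)$", "PPP allows CHAP/MS-CHAPv1 (weak challenge-response)"),
    (r"esp-(des|3des)\b", "IPsec transform uses DES/3DES"),
    (r"esp-md5-hmac", "IPsec transform uses MD5 HMAC"),
]

MIN_PSK_LEN = 16  # assumed policy threshold, not an ASA requirement


def audit_asa_config(config: str) -> list[str]:
    """Return one finding string per weak setting found in an ASA config text."""
    findings = []
    for line in config.splitlines():
        if line.lstrip().startswith("no "):
            continue  # e.g. "no authentication pap" disables PAP, so it is not a finding
        for pattern, finding in WEAK_SETTINGS:
            if re.search(pattern, line):
                findings.append(f"{finding}: {line.strip()}")
        psk = re.match(r"^\s*pre-shared-key (\S+)", line)
        if psk and len(psk.group(1)) < MIN_PSK_LEN:
            findings.append(f"pre-shared key shorter than {MIN_PSK_LEN} characters: {line.strip()}")
    return findings


if __name__ == "__main__":
    for f in audit_asa_config(ASA_CONFIG):
        print(f)
```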