inter vlan 1
nameif inside
ip address 172.16.1.1 255.255.255.0
inter vlan 2
nameif outside
ip address xx.xx.xx.xx 255.255.255.240
inter eth 0/0
switchport access vlan 1
no shutdown
inter eth 0/1
switchport access vlan 2
no shutdown
//Basic configuration
ip local pool l2tp-ipsec_address 192.168.1.1-192.168.1.10
//Address pool for VPN users
access-list split extended permit ip host 172.17.1.9 any
//Create a split-tunnel list; it had no effect in actual testing, so access is restricted with an ACL instead
group-policy l2tp-ipsec_policy internal //Define a group-policy
group-policy l2tp-ipsec_policy attributes //Set the group-policy attributes
vpn-tunnel-protocol l2tp-ipsec
< split-tunnel-policy tunnelspecified
split-tunnel-network-list value split >//Used for the split-tunnel list
username cisco password cisco mschap //Create a username and password and set the encryption method
username cisco attributes //Define the user attributes
vpn-group-policy l2tp-ipsec_policy //Apply the group-policy
tunnel-group DefaultRAGroup general-attributes //L2TP over IPsec must use DefaultRAGroup; define the general attributes
default-group-policy l2tp-ipsec_policy //Apply the group-policy
address-pool l2tp-ipsec_address //Apply the address pool
tunnel-group DefaultRAGroup ipsec-attributes //Define the IPsec attributes
pre-shared-key cisc0 //Configure the pre-shared key
tunnel-group DefaultRAGroup ppp-attributes //Define the PPP authentication methods
no authentication pap
authentication chap
authentication ms-chap-v1
authentication ms-chap-v2
crypto isakmp policy 10 //Define the phase 1 tunnel
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport //L2TP requires transport mode
crypto dynamic-map dyno 10 set transform-set trans //Configure the dynamic crypto map
crypto map *** 65535 ipsec-isakmp dynamic dyno
crypto map *** interface outside
crypto isakmp enable outside
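If Windows 7 cannot connect, check whether the IKE service is running. This example does not involve NAT; in a NAT environment you only need to exempt from NAT the hosts that the VPN needs to reach.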
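A check worth running on a configuration like the one above before it goes onto a production firewall, as an added example that is not part of the original post: it flags 3DES, Diffie-Hellman groups 1/2/5, PAP or MS-CHAPv1, and short or username-equal secrets. The rule names, `MIN_SECRET_LEN` and the sample text are assumptions of this example; the secret checks only make sense on as-typed configuration, since a saved running-config masks or hashes them.

```python
import re

MIN_SECRET_LEN = 16  # assumption of this example, not an ASA limit

# Rule names are this example's own labels.
PATTERNS = [
    ("weak-cipher", re.compile(
        r"^(?:encryption|crypto ipsec transform-set \S+)\s.*?\b(?:esp-)?3?des\b", re.I)),
    ("weak-dh-group", re.compile(r"^group [125]$", re.I)),
    ("legacy-ppp-auth", re.compile(r"^authentication (?:pap|ms-chap-v1)$", re.I)),
]
SECRET = re.compile(r"^(?:username (\S+) password|pre-shared-key)\s+(\S+)", re.I)

# Constructed sample: lines taken from the configuration above.
SAMPLE = """\
username cisco password cisco mschap
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key cisc0 //pre-shared key
tunnel-group DefaultRAGroup ppp-attributes
no authentication pap
authentication ms-chap-v1
authentication ms-chap-v2
crypto isakmp policy 10
encryption 3des
hash sha
group 2
crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport
"""

def audit(config):
    """Return (line_number, rule) findings for an ASA-style configuration."""
    findings = []
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.split("//")[0].strip()  # drop the page's // annotations
        findings += [(n, rule) for rule, rx in PATTERNS if rx.search(line)]
        m = SECRET.match(line)
        if not m or set(m.group(2)) == {"*"}:  # masked secret: nothing to judge
            continue
        user, secret = m.groups()
        if user and secret.lower() == user.lower():
            findings.append((n, "password-equals-username"))
        if len(secret) < MIN_SECRET_LEN:
            findings.append((n, "short-secret"))
    return findings

if __name__ == "__main__":
    for lineno, rule in audit(SAMPLE):
        print(f"line {lineno}: {rule}")
```

Findings carry only the line number and rule name, so the secrets themselves never end up in the audit output.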