This post was last edited by network123 on 2026-3-12 09:04.
I recently worked on a project where the customer's network used a surprisingly large number of VPN protocols. I am sharing the case today so that everyone can better understand what a VPN really is.
What is a VPN? The user's original private-network data is wrapped by some encapsulation protocol and then carried across an insecure public network.
Different encapsulation protocols are used to provide different functions:
L2TP VPN and SSL VPN let mobile office users connect flexibly to the headquarters network
IPsec VPN provides confidentiality and integrity checking for the user's original data
GRE VPN allows multicast protocol traffic to be carried across a unicast-only environment
The various VPN technologies can be used on their own or, depending on customer requirements, nested inside one another.
Today I will use a real case to introduce the nested use of VPN technologies.
Network topology

1. The headquarters Internet edge is a security firewall, configured with a NAT Server mapping for the L2TP protocol to the service interface of the central router.
The central device is a router configured with the various VPN technologies to meet the customer's business requirements.
2. The branch edge router dials in to the central router so that the Client can securely access the Server at headquarters.
Key configuration of the central router
ZhongXin#sh running-config
!
hostname ZhongXin
!
aaa new-model
!
!
aaa authentication ppp default local
!
!
ip vrf aa
rd 100:1
route-target export 200:1
route-target import 200:1
!
vpdn enable
!
vpdn-group 1
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
!
username test password 0 test
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key ruijie address 0.0.0.0
!
!
crypto ipsec transform-set aa ah-sha256-hmac
mode transport
!
!
crypto map ipsec 10 ipsec-isakmp
set peer 172.16.10.2
set transform-set aa
match address 100
!
!
interface Loopback1
ip address 172.16.10.1 255.255.255.0
!
interface Tunnel1
ip address 192.168.200.1 255.255.255.0
mpls bgp forwarding
mpls ip
tunnel source 172.16.10.1
tunnel destination 172.16.10.2
!
interface Ethernet0/0
ip address 172.16.99.100 255.255.255.0
duplex auto
!
interface Ethernet0/1
ip vrf forwarding aa
ip address 172.16.200.1 255.255.255.0
duplex auto
!
!
interface Virtual-Template1
ip unnumbered Loopback1
peer default ip address pool l2tp
ppp authentication chap
crypto map ipsec
!
router bgp 100
bgp log-neighbor-changes
neighbor 192.168.200.2 remote-as 200
!
address-family vpnv4
neighbor 192.168.200.2 activate
neighbor 192.168.200.2 send-community both
exit-address-family
!
address-family ipv4 vrf aa
redistribute connected
exit-address-family
!
ip local pool l2tp 172.16.10.2 172.16.10.100
!
!
ip route 0.0.0.0 0.0.0.0 172.16.99.1
!
!
mpls ldp router-id Loopback1 force
!
access-list 100 permit gre host 172.16.10.1 host 172.16.10.2
!
!
Key configuration of the branch device
WangDian#sh running-config
!
hostname WangDian
!
!
ip vrf aa
rd 100:1
route-target export 200:1
route-target import 200:1
!
!
l2tp-class lac
!
vpdn enable
!
pseudowire-class lac
encapsulation l2tpv2
protocol l2tpv2 lac
ip local interface Ethernet0/0
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key ruijie address 172.16.10.1
!
!
crypto ipsec transform-set aa ah-sha256-hmac
mode transport
!
!
crypto map ipsec 10 ipsec-isakmp
set peer 172.16.10.1
set transform-set aa
match address 100
!
!
interface Tunnel1
ip address 192.168.200.2 255.255.255.0
mpls bgp forwarding
mpls ip
tunnel source 172.16.10.2
tunnel destination 172.16.10.1
!
interface Ethernet0/0
ip address 200.1.1.2 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
!
interface Ethernet0/1
ip vrf forwarding aa
ip address 192.168.100.1 255.255.255.0
duplex auto
!
!
interface Virtual-PPP1
ip address 172.16.10.2 255.255.255.0
ppp chap hostname test
ppp chap password 0 test
pseudowire 100.1.1.2 12 encapsulation l2tpv2 pw-class lac
crypto map ipsec
!
router bgp 200
bgp log-neighbor-changes
neighbor 192.168.200.1 remote-as 100
!
address-family vpnv4
neighbor 192.168.200.1 activate
neighbor 192.168.200.1 send-community both
exit-address-family
!
address-family ipv4 vrf aa
redistribute connected
exit-address-family
!
ip route 0.0.0.0 0.0.0.0 200.1.1.1
!
!
mpls ldp router-id Virtual-PPP1 force
!
access-list 100 permit gre host 172.16.10.2 host 172.16.10.1
!
With the configuration above in place, the branch Client can access the central Server normally. The final data encapsulation is shown below:

From the encapsulation above you can see that the customer's original data is wrapped in four layers of VPN for transport, with each layer serving a different functional requirement. This increases configuration complexity, and carrying the user's original data requires more than 100 extra bytes of encapsulation, so bandwidth efficiency is fairly low.
Of course, this is an extreme encapsulation and is rarely used in real projects.
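As an added example (my own code, not from the post), the following Python builds a constructed packet stacked the way these two configs wrap it (outer IP / UDP / L2TPv2 / PPP / tunnel IP / AH / GRE / MPLS / customer IP) and walks it header by header, returning each layer's size and the total added bytes. It assumes an L2TP data header with the length and Ns/Nr fields present, AH with a 16-byte ICV, no GRE option bits and a single MPLS label; the addresses are taken from the post, while label 16 and the 20-byte payload are made up.

```python
import struct
IPPROTO_UDP, IPPROTO_AH, IPPROTO_GRE = 17, 51, 47         # IANA protocol numbers
L2TP_PORT, PPP_IPV4, GRE_MPLS = 1701, 0x0021, 0x8847       # L2TP UDP port, PPP/GRE payload types
def ip_hdr(proto, src, dst, total_len):                     # minimal IPv4 header, checksum left zero
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, bytes(src), bytes(dst))

def l2tp_len(pkt, off):
    # L2TPv2 data header: 6 fixed bytes plus optional length (L), Ns/Nr (S) and offset (O) fields
    flags = struct.unpack_from("!H", pkt, off)[0]
    if flags & 0x000F != 2: raise ValueError("not L2TPv2")
    n = 6 + (2 if flags & 0x4000 else 0) + (4 if flags & 0x0800 else 0)
    return n + (2 + struct.unpack_from("!H", pkt, off + n)[0] if flags & 0x0200 else 0)

def parse_stack(pkt):        # -> [(layer, header_bytes), ...] from the outer IP down to the customer IP
    off = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_UDP or struct.unpack_from("!HH", pkt, off)[1] != L2TP_PORT:
        raise ValueError("not L2TP over UDP")
    layers = [("outer IPv4", off), ("UDP", 8)]; off += 8
    n = l2tp_len(pkt, off); layers.append(("L2TPv2", n)); off += n
    n = 2 if pkt[off:off + 2] == b"\xff\x03" else 0        # HDLC address/control may be compressed
    if struct.unpack_from("!H", pkt, off + n)[0] != PPP_IPV4: raise ValueError("PPP payload not IPv4")
    layers.append(("PPP", n + 2)); off += n + 2
    ihl, proto = (pkt[off] & 0x0F) * 4, pkt[off + 9]
    layers.append(("L2TP-tunneled IPv4", ihl)); off += ihl
    if proto == IPPROTO_AH:                                # transport-mode AH sits between IP and GRE
        proto, n = pkt[off], (pkt[off + 1] + 2) * 4        # AH payload len is in 32-bit words minus 2
        layers.append(("AH", n)); off += n
    gflags, gproto = struct.unpack_from("!HH", pkt, off)
    if proto != IPPROTO_GRE or gproto != GRE_MPLS: raise ValueError("expected GRE carrying MPLS")
    n = 4 + 4 * sum((gflags >> b) & 1 for b in (15, 13, 12))  # C, K, S bits each add a 4-byte word
    layers.append(("GRE", n)); off += n
    while True:                                            # pop labels until the bottom-of-stack bit
        word = struct.unpack_from("!I", pkt, off)[0]; off += 4
        layers.append(("MPLS label %d" % (word >> 12), 4))
        if (word >> 8) & 1: break
    layers.append(("customer IPv4", (pkt[off] & 0x0F) * 4))
    return layers

def overhead(layers):                                       # bytes added on top of the customer packet
    return sum(n for name, n in layers if name != "customer IPv4")

def build_sample():                                         # constructed packet with the post's stack
    orig = ip_hdr(6, (192, 168, 100, 10), (172, 16, 200, 10), 40) + b"\x00" * 20    # customer packet
    gre = struct.pack("!HHI", 0, GRE_MPLS, (16 << 12) | (1 << 8) | 64) + orig       # GRE + label 16, S=1
    ah = struct.pack("!BBHII", IPPROTO_GRE, 5, 0, 0x100, 1) + b"\x00" * 16 + gre    # 28-byte AH, 16-byte ICV
    inner = ip_hdr(IPPROTO_AH, (172, 16, 10, 2), (172, 16, 10, 1), 20 + len(ah)) + ah
    ppp = b"\xff\x03" + struct.pack("!H", PPP_IPV4) + inner
    l2tp = struct.pack("!HHHHHH", 0x4802, 12 + len(ppp), 1, 1, 0, 0) + ppp         # L and S bits set
    udp = struct.pack("!HHHH", L2TP_PORT, L2TP_PORT, 8 + len(l2tp), 0) + l2tp
    return ip_hdr(IPPROTO_UDP, (200, 1, 1, 2), (100, 1, 1, 2), 20 + len(udp)) + udp
```

With `ah-sha256-hmac` the AH layer only authenticates, so the GRE, MPLS and customer headers it covers stay in the clear on the public path, which is why the walker can read straight through it.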