L2TP over IPsec (Cisco ASA)
1. Create the VPN address pool
ip local pool vpnpool 10.160.66.1-10.160.66.100 mask 255.255.255.0 #addresses handed to dial-in clients; the range must lie inside the subnet given by the mask
2. Configure the IPsec transform set with 3DES encryption and SHA-1 HMAC
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
3. Set the IPsec mode to transport; the default is tunnel mode, and L2TP/IPsec only works in transport mode
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
4. Define a dynamic crypto map that uses the transform set (clients dial in from unknown addresses, so no static peer can be configured)
crypto dynamic-map outside_dyn_map 10 set transform-set TRANS_ESP_3DES_SHA
5. Define the crypto map and apply it to the outside interface
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
6. Enable ISAKMP on the outside interface
crypto isakmp enable outside
7. Define the ISAKMP (IKE phase 1) policy
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
#From my own testing, it seems that for Windows 7 to dial in over L2TP the policy has to use encryption 3des and hash sha.
8. NAT traversal (the 10 is the NAT keepalive interval in seconds); without it clients behind a home router never finish the IPsec negotiation
crypto isakmp nat-traversal 10
9. Create the default internal group policy
group-policy DefaultRAGroup internal
10. Configure the attributes of the default group policy
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value cisco.com
dns-server value 202.106.0.20
Note:
The tunnel protocol for L2TP over IPsec must include IPSec as well as l2tp-ipsec; with l2tp-ipsec alone the connection will not come up.
11. Create the default tunnel group. It must be DefaultRAGroup, because L2TP/IPsec connections are not matched to any other tunnel group; set the authentication method to the local database
tunnel-group DefaultRAGroup general-attributes
authentication-server-group LOCAL
default-group-policy DefaultRAGroup
address-pool vpnpool #use the VPN address pool
12. Configure the VPN user name, password and group policy
username cisco password cisco mschap #the mschap keyword stores the password in the form MS-CHAP authentication needs; cisco/cisco is a placeholder, use real credentials
username cisco attributes
vpn-group-policy DefaultRAGroup
vpn-tunnel-protocol IPSec l2tp-ipsec
13. Configure the IPsec attributes of the default tunnel group
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key cisco123 #every L2TP client shares this one key, so replace the placeholder with a long random value
14. Configure the PPP authentication attributes of the default tunnel group
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2 #set the default tunnel group's PPP authentication to MS-CHAPv2, which is what Windows clients use
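The following script is an added example, not part of the original post: it parses an ASA configuration written in the 8.2-era syntax used above and checks it against the requirements from steps 1 to 14 (transport-mode transform set, NAT-T, both IPSec and l2tp-ipsec in the group policy, the DefaultRAGroup tunnel group, MS-CHAPv2, a non-placeholder pre-shared key) and flags the legacy algorithms from step 7. The sample configuration and the replacement pre-shared key are constructed for the example; the sample deliberately repeats the three slips that appeared in the post (a typo in the pool range, a wrong second keyword on vpn-tunnel-protocol, and the cisco123 key).

```python
"""Audit a Cisco ASA (8.2-era syntax) config for the L2TP-over-IPsec
requirements in the steps above. Added example, not from the original
post; SAMPLE_CONFIG is constructed and the PSK in FIXED_CONFIG is illustrative."""
import ipaddress
import re

# Constructed sample repeating the original post's slips: pool range typo,
# wrong second keyword on vpn-tunnel-protocol, placeholder pre-shared key.
SAMPLE_CONFIG = """\
ip local pool vpnpool 10.160.66.1-1.0.160.66.100 mask 255.255.255.0
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 10 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 10
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol IPSec DefaultRAGroup
 default-domain value cisco.com
 dns-server value 202.106.0.20
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group LOCAL
 default-group-policy DefaultRAGroup
 address-pool vpnpool
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key cisco123
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
"""

# The same config with the three slips corrected (the PSK value is made up).
FIXED_CONFIG = (SAMPLE_CONFIG
                .replace("1.0.160.66.100", "10.160.66.100")
                .replace("vpn-tunnel-protocol IPSec DefaultRAGroup",
                         "vpn-tunnel-protocol IPSec l2tp-ipsec")
                .replace("pre-shared-key cisco123",
                         "pre-shared-key Xq7vL2p9mRtB4wZeKs3H"))

LEGACY = {"encryption des", "encryption 3des", "hash md5", "group 1", "group 2"}


def parse_blocks(config):
    """Split ASA config into (command, [subcommands]); a subcommand is a line
    indented by one space under the preceding top-level command."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_l2tp_ipsec(config):
    """Return a list of finding strings; an empty list means every check passed."""
    findings = []
    blocks = parse_blocks(config)

    def subs_of(prefix):
        return [s for cmd, subs in blocks if cmd.startswith(prefix) for s in subs]

    # Step 1: the pool must be a parsable, ascending address range.
    for cmd, _ in blocks:
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+)", cmd)
        if not m:
            continue
        name, lo, hi = m.groups()
        try:
            if ipaddress.ip_address(hi) < ipaddress.ip_address(lo):
                findings.append(f"pool {name}: end {hi} is below start {lo}")
        except ValueError:
            findings.append(f"pool {name}: unparsable address range {lo}-{hi}")

    # Step 3: every transform set referenced by a dynamic map must be transport mode.
    transport = {cmd.split()[3] for cmd, _ in blocks
                 if re.fullmatch(r"crypto ipsec transform-set \S+ mode transport", cmd)}
    used = {m.group(1) for cmd, _ in blocks
            if (m := re.search(r"set transform-set (\S+)", cmd))}
    for ts in sorted(used - transport):
        findings.append(f"transform-set {ts}: not in transport mode, L2TP/IPsec needs it")

    # Step 8: without NAT-T, clients behind home routers never complete IKE.
    if not any(cmd.startswith("crypto isakmp nat-traversal") for cmd, _ in blocks):
        findings.append("crypto isakmp nat-traversal is not enabled")

    # Step 10: the group policy must allow both IPSec and l2tp-ipsec.
    protos = [s for s in subs_of("group-policy DefaultRAGroup attributes")
              if s.startswith("vpn-tunnel-protocol")]
    words = set(protos[-1].lower().split()[1:]) if protos else set()
    if not {"ipsec", "l2tp-ipsec"} <= words:
        findings.append("group-policy DefaultRAGroup: vpn-tunnel-protocol must list "
                        f"IPSec and l2tp-ipsec (found: {' '.join(sorted(words)) or 'none'})")

    # Step 11: L2TP/IPsec with a pre-shared key always lands in DefaultRAGroup.
    if not any(cmd.startswith("tunnel-group DefaultRAGroup ") for cmd, _ in blocks):
        findings.append("tunnel-group DefaultRAGroup is missing")

    # Step 13: reject the post's placeholder key and anything short.
    for s in subs_of("tunnel-group DefaultRAGroup ipsec-attributes"):
        if s.startswith("pre-shared-key"):
            psk = s.split(None, 1)[1]
            if len(psk) < 16 or psk.lower().startswith("cisco"):
                findings.append("tunnel-group DefaultRAGroup: pre-shared key is short or a placeholder")

    # Step 14: Windows clients negotiate MS-CHAPv2 by default.
    if not any(s.startswith("authentication ms-chap-v2")
               for s in subs_of("tunnel-group DefaultRAGroup ppp-attributes")):
        findings.append("tunnel-group DefaultRAGroup ppp-attributes: ms-chap-v2 not enabled")

    # Step 7 caveat: XP/Win7 need 3DES/SHA/group 2, so report them as legacy, not as failures.
    for cmd, subs in blocks:
        legacy = [s for s in subs if s in LEGACY]
        if cmd.startswith("crypto isakmp policy") and legacy:
            findings.append(f"{cmd}: legacy algorithms ({', '.join(legacy)}), retire with the old clients")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("corrected", FIXED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit_l2tp_ipsec(cfg) or ["no findings"]:
            print(" -", finding)
```

Run it against the output of `show running-config` saved to a file; on the constructed sample it reports the pool typo, the missing l2tp-ipsec keyword, the placeholder key and the legacy IKE algorithms, and on the corrected copy only the legacy-algorithm notice remains, which is expected while XP and Windows 7 clients still dial in.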
15. Client configuration
Windows XP registry change: see http://support.microsoft.com/kb/818043/
Windows 7 registry change (needed when the client or the ASA sits behind NAT; a value of 2 allows both, and the machine must be rebooted afterwards):
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent]
"AssumeUDPEncapsulationContextOnSendRule"=dword:00000002
Details: http://support.microsoft.com/kb/926179
Attachment: http://down.51cto.com/data/2359795
This article is reposted from netsword's 51CTO blog; original link: http://blog.51cto.com/netsword/778145