L2TP over IPsec (Cisco ASA)

1. Create the VPN address pool (the addresses handed out to L2TP clients)

ip local pool vpnpool 10.160.66.1-10.160.66.100 mask 255.255.255.0
 
2. Define the IPsec transform set: ESP with 3DES encryption and SHA-1 HMAC integrity (3DES is a legacy cipher; prefer AES where the clients accept it)
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
 
3. Set the transform set to transport mode. The default is tunnel mode, and the Windows L2TP/IPsec client negotiates transport mode only, so without this line phase 2 fails
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
 
4. Define a dynamic crypto map that uses the transform set (dynamic because the clients' peer addresses are not known in advance)
crypto dynamic-map outside_dyn_map 10 set transform-set TRANS_ESP_3DES_SHA
 
5. Define the crypto map, reference the dynamic map from it, and apply it to the outside interface
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
 
6. Enable ISAKMP (IKEv1) on the outside interface
crypto isakmp enable outside
 
7. Define the ISAKMP (IKEv1 phase 1) policy: pre-shared-key authentication, 3DES, SHA-1, DH group 2, 24-hour lifetime
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
#From my own testing, it seems that for Windows 7 to dial in over L2TP the policy must be set to encryption 3des / hash sha.
 
8. Enable NAT traversal (NAT-T, IPsec over UDP/4500) so clients behind NAT can connect; the argument is the NAT keepalive interval in seconds
crypto isakmp nat-traversal  10
 
9. Create the default remote-access group policy as an internal (locally defined) policy
group-policy DefaultRAGroup internal
 
10. Set the attributes of the default group policy
group-policy DefaultRAGroup attributes
  vpn-tunnel-protocol IPSec l2tp-ipsec
  default-domain value cisco.com
  dns-server value 202.106.0.20
 
Note:
When L2TP over IPsec is the tunnel protocol, IPSec must be listed as well; with l2tp-ipsec alone the client cannot connect.
 
11. Create the default tunnel group. It must be DefaultRAGroup: the Windows L2TP client has no way to name a tunnel group, so the ASA lands it in the default remote-access group. Use the LOCAL user database for authentication.
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group  LOCAL
 default-group-policy DefaultRAGroup
 address-pool vpnpool    #hand out addresses from the VPN pool
 
12. Create the VPN user and password and bind the user to the group policy
username cisco password cisco mschap    #the mschap keyword stores the password in the form MS-CHAP needs
username cisco attributes
 vpn-group-policy DefaultRAGroup
 vpn-tunnel-protocol IPSec l2tp-ipsec
 
13. Set the IPsec attributes of the default tunnel group: the pre-shared key the clients must enter
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key  cisco123
 
14. Set the PPP attributes of the default tunnel group
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2  #authenticate the PPP session inside the tunnel with MS-CHAPv2
 
15. Client configuration
Windows XP: registry change per http://support.microsoft.com/kb/818043/

Windows 7 registry change (needed when the ASA sits behind a NAT device; a reboot is required afterwards):
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent]
"AssumeUDPEncapsulationContextOnSendRule"=dword:00000002

Details: http://support.microsoft.com/kb/926179
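As an added check (example code written for this page, not the page's own configuration and not a Cisco tool), the Python script below parses the ASA commands from steps 1-14 and verifies the requirements the steps call out: both pool addresses parse, the transform set is in transport mode, every vpn-tunnel-protocol line lists both IPSec and l2tp-ipsec, DefaultRAGroup carries the address pool, the pre-shared key and MS-CHAPv2, and each user has an mschap password plus a matching attributes block. The embedded config is a constructed sample (the ISAKMP policy block is omitted because no check reads it) with three typos seeded in that easily slip into this configuration: a malformed pool address, a vpn-tunnel-protocol line missing l2tp-ipsec, and a username line with the space dropped. The script reports all three and passes on the corrected copy.

```python
import ipaddress
import re

# Constructed sample: the commands from steps 1-14 (minus the ISAKMP policy
# block), with three typos seeded in so that the checker has something to find.
SAMPLE_CONFIG = """\
ip local pool vpnpool 10.160.66.1-1.0.160.66.100 mask 255.255.255.0
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 10 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp nat-traversal 10
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
  vpn-tunnel-protocol IPSec DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group LOCAL
 default-group-policy DefaultRAGroup
 address-pool vpnpool
username cisco password cisco mschap
usernamecisco attributes
 vpn-group-policy DefaultRAGroup
 vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key cisco123
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
"""
# The same config with the three typos corrected, for comparison.
FIXED_CONFIG = (SAMPLE_CONFIG
    .replace("10.160.66.1-1.0.160.66.100", "10.160.66.1-10.160.66.100")
    .replace("IPSec DefaultRAGroup", "IPSec l2tp-ipsec")
    .replace("usernamecisco attributes", "username cisco attributes"))


def parse_blocks(text):
    """{top-level command: [sub-commands]}; ASA indents mode sub-commands."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith(("!", "#")):
            continue
        line = " ".join(raw.split())
        if raw[0].isspace() and current is not None:
            blocks[current].append(line)
        else:
            current = line
            blocks.setdefault(current, [])
    return blocks


def check_config(text):
    """Return [(severity, message)] for the L2TP-over-IPsec requirements."""
    blocks = parse_blocks(text)
    top, out = list(blocks), []
    # Step 1: both ends of the pool must parse as IPv4 addresses.
    for m in filter(None, (re.match(r"ip local pool (\S+) (\S+)-(\S+)", l) for l in top)):
        for addr in (m[2], m[3]):
            try:
                ipaddress.IPv4Address(addr)
            except ipaddress.AddressValueError as e:
                out.append(("error", f"pool {m[1]}: {e}"))
    # Steps 2-4: every transform set a dynamic map uses must be in transport mode.
    for ts in {m[1] for m in (re.search(r"set transform-set (\S+)", l) for l in top) if m}:
        if f"crypto ipsec transform-set {ts} mode transport" not in top:
            out.append(("error", f"transform-set {ts}: L2TP needs 'mode transport'"))
    # Steps 10 and 12: every attributes block that names tunnel protocols must
    # allow both IPSec and l2tp-ipsec; either one alone will not connect.
    for header in (h for h in top if h.endswith(" attributes")):
        for line in blocks[header]:
            if line.startswith("vpn-tunnel-protocol"):
                protos = {p.lower() for p in line.split()[1:]}
                if not {"ipsec", "l2tp-ipsec"} <= protos:
                    out.append(("error", f"{header}: need 'IPSec l2tp-ipsec', got '{line}'"))
    # Steps 11, 13, 14: the Windows client cannot choose a tunnel group, so
    # DefaultRAGroup must hold the pool, the pre-shared key and MS-CHAPv2.
    for mode, needle in (("general", "address-pool "), ("ipsec", "pre-shared-key "),
                         ("ppp", "authentication ms-chap-v2")):
        body = blocks.get(f"tunnel-group DefaultRAGroup {mode}-attributes", [])
        if not any(l.startswith(needle) for l in body):
            out.append(("error", f"DefaultRAGroup {mode}-attributes: missing '{needle.strip()}'"))
    # Step 12: 'username NAME password PW mschap' (mschap stores the password in
    # the form MS-CHAP needs) plus a matching 'username NAME attributes' block.
    seen = {}
    for line in (l for l in top if l.startswith("username")):
        m = re.match(r"username (\S+) (password|attributes)\b", line)
        if not m:
            out.append(("error", f"malformed username line: {line!r}"))
            continue
        seen.setdefault(m[1], set()).add(m[2])
        if m[2] == "password" and not line.endswith(" mschap"):
            out.append(("error", f"user {m[1]}: password lacks the mschap keyword"))
    for user, kinds in seen.items():
        if "attributes" not in kinds:
            out.append(("error", f"user {user}: no 'username {user} attributes' block"))
    return out
```

Run `check_config(SAMPLE_CONFIG)` to see the four errors the seeded typos produce (the malformed address, the group policy's protocol list, the `usernamecisco` line, and the resulting user with no attributes block); `check_config(FIXED_CONFIG)` returns an empty list. To check a real ASA, paste the output of `show running-config` in place of the sample; the parser keys only on indentation, so the ISAKMP policy and any other unrelated blocks are ignored.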