I spent the last couple of days helping a customer debug an ASA 5520. There is still very little online about ASA configuration, especially the L2TP VPN part, so here is a write-up of the key points for setting up an L2TP VPN between Windows 2000/2003/XP and a PIX/ASA:
First, you can read the reference article on Cisco's website:
For the Windows 2000/2003 client-side configuration, see this article:
[url]http://old.nio.name/post/387.htm[/url], where the author has already explained it clearly.
I will cover XP here, since XP is what I used for testing.
First of all, the registry does not need to be changed (remember this); see the following passage:
Complete these steps in order to configure L2TP over IPsec on Windows 2000. For Windows XP skip steps 1 and 2 and start from step 3:
1. Add this registry value to your Windows 2000 machine:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters
2. Add this registry value to this key:
   Value Name: ProhibitIpSec  Data Type: REG_DWORD  Value: 1
Step 1: under "Administrative Tools" -- "Services", make sure the "IPSEC Services" service is started.
Step 2: create the VPN connection; under "Properties" -- "Security" -- "IPsec Settings", enter the same pre-shared key as configured on the PIX/ASA.
Step 3: "Properties" -- "Security" -- "Advanced (custom settings)".
Step 4: see the figure below.
OK, the XP client setup is done.
Now the PIX/ASA side:
Configuration as follows (ASA 8.0):
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif wan
 security-level 0
 ip address 119.146.*.* 255.255.255.248
interface GigabitEthernet0/2
 nameif lan
 security-level 100
 ip address 192.168.0.1 255.255.255.0
ip local pool vpnuser 10.10.10.1-10.10.10.10 mask 255.255.255.0 (defines the VPN virtual IP address pool)
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0 (defines the interesting traffic)
nat (lan) 0 access-list nonat (this command is very important: it exempts LAN-to-VPN traffic from NAT)
VPN configuration section:
crypto ipsec transform-set l2tpipsec esp-3des esp-md5-hmac
crypto ipsec transform-set l2tpipsec mode transport (must be added; L2TP/IPsec requires transport mode)
crypto dynamic-map dyn 10 set transform-set l2tpipsec
crypto map l2tpipsec 10 ipsec-isakmp dynamic dyn
crypto map l2tpipsec interface wan
crypto isakmp enable wan
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 10
crypto isakmp ipsec-over-tcp port 10000
group-policy l2tpipsec internal
group-policy l2tpipsec attributes
 dns-server value 202.96.128.166
 vpn-tunnel-protocol IPSec l2tp-ipsec (IPSec must be included; with l2tp-ipsec alone the connection cannot be established)
 default-domain value inno.com
 address-pools value vpnuser
username cisco password XIAPE6POhu0lQN1OczHpog== nt-encrypted privilege 15
username cisco password cisco mschap (this command is very important and must be added; it is not visible in sh run - _ - ! the password is the same as the one configured above, remember that)
tunnel-group DefaultRAGroup general-attributes (very important: DefaultRAGroup must be used, because L2TP does not support choosing a tunnel group)
 default-group-policy l2tpipsec (must match the name of the group-policy defined above)
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key * (this key must match the one configured on the client)
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
That is all there is to the configuration; give it a try if you are interested.
Reposted from: https://blog.51cto.com/nicklyj/152711
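Most of the "this is very important" remarks above are about names that have to line up (transform-set, group-policy, pool, NAT-exemption ACL) and about settings the Windows client silently depends on (transport mode, DefaultRAGroup, pre-shared key, MS-CHAP v2). The script below is an added example, not part of the original post and not a Cisco tool: it parses a `show run`-style text (sub-commands indented one space) and reports where those points are missing or inconsistent. The two sample configurations inside it are constructed; the pool name `vpnpool` is my own choice, and `BAD_CONFIG` reproduces two of the mistakes the post warns about (a misspelled group-policy name in the tunnel-group and a transform-set without transport mode).

```python
import re
from collections import defaultdict

# Constructed sample in ASA 8.0 "show run" form (sub-commands indented one space).
# It mirrors the write-up's VPN section; "vpnpool" and the policy names are my own.
GOOD_CONFIG = """\
ip local pool vpnpool 10.10.10.1-10.10.10.10 mask 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (lan) 0 access-list nonat
crypto ipsec transform-set l2tpipsec esp-3des esp-md5-hmac
crypto ipsec transform-set l2tpipsec mode transport
crypto dynamic-map dyn 10 set transform-set l2tpipsec
crypto map l2tpipsec 10 ipsec-isakmp dynamic dyn
crypto map l2tpipsec interface wan
crypto isakmp enable wan
group-policy l2tpipsec internal
group-policy l2tpipsec attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 address-pools value vpnpool
tunnel-group DefaultRAGroup general-attributes
 default-group-policy l2tpipsec
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
"""
# Same config with two mistakes the write-up warns about: group-policy name
# misspelled in the tunnel-group, and transport mode missing.
BAD_CONFIG = (GOOD_CONFIG
              .replace("default-group-policy l2tpipsec", "default-group-policy l2tpoipsec")
              .replace("crypto ipsec transform-set l2tpipsec mode transport\n", ""))

def parse_asa(text):
    """Split a config into (top-level command, [sub-commands]); indented lines
    belong to the most recent top-level command, '!' lines are comments."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections

def _matches(lines, pattern):
    """First capture group of every line matching pattern (anchored at start)."""
    return [m.group(1) for m in (re.match(pattern, ln) for ln in lines) if m]

def check_l2tp_config(text):
    """Return findings; an empty list means every point the write-up calls
    mandatory is present and the names reference each other consistently."""
    sections = parse_asa(text)
    top = [cmd for cmd, _ in sections]
    children = defaultdict(list)
    for cmd, sub in sections:
        children[cmd].extend(sub)
    findings = []
    # 1. Transform-sets used by a dynamic-map need 'mode transport' for L2TP/IPsec.
    used = set()
    for names in _matches(top, r"crypto dynamic-map \S+ \d+ set transform-set (.+)"):
        used.update(names.split())
    for ts in sorted(used):
        if f"crypto ipsec transform-set {ts} mode transport" not in top:
            findings.append(f"transform-set {ts}: 'mode transport' missing")
    # 2. NAT exemption for VPN-to-LAN traffic must exist and name a defined ACL.
    acls = set(_matches(top, r"access-list (\S+) "))
    exempt = _matches(top, r"nat \(\S+\) 0 access-list (\S+)")
    if not exempt:
        findings.append("no 'nat (ifc) 0 access-list ...' exemption for VPN traffic")
    findings += [f"nat 0 references undefined access-list {a}" for a in exempt if a not in acls]
    # 3. L2TP clients land in DefaultRAGroup, which must point at a defined
    #    group-policy allowing both IPSec and l2tp-ipsec, with a defined pool.
    defined_gp = set(_matches(top, r"group-policy (\S+) internal"))
    pools = set(_matches(top, r"ip local pool (\S+) "))
    refs = _matches(children["tunnel-group DefaultRAGroup general-attributes"],
                    r"default-group-policy (\S+)")
    if not refs:
        findings.append("DefaultRAGroup has no default-group-policy")
    for gp in refs:
        if gp not in defined_gp:
            findings.append(f"default-group-policy {gp} refers to an undefined group-policy")
            continue
        attrs = children[f"group-policy {gp} attributes"]
        protos = {p.lower() for line in _matches(attrs, r"vpn-tunnel-protocol (.+)")
                  for p in line.split()}
        if not {"ipsec", "l2tp-ipsec"} <= protos:
            findings.append(f"group-policy {gp}: vpn-tunnel-protocol must list IPSec and l2tp-ipsec")
        findings += [f"group-policy {gp}: address pool {p} is not defined"
                     for p in _matches(attrs, r"address-pools value (\S+)") if p not in pools]
    # 4. Pre-shared key and MS-CHAP v2 on DefaultRAGroup (what the Windows client uses).
    if not any(l.startswith("pre-shared-key") for l in children["tunnel-group DefaultRAGroup ipsec-attributes"]):
        findings.append("DefaultRAGroup ipsec-attributes: pre-shared-key missing")
    if "authentication ms-chap-v2" not in children["tunnel-group DefaultRAGroup ppp-attributes"]:
        findings.append("DefaultRAGroup ppp-attributes: 'authentication ms-chap-v2' missing")
    return findings

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_l2tp_config(cfg) or "OK")
```

Run it against a saved `show running-config` (indentation is preserved in the ASA's own output) to see which of the post's must-have items a box is missing before dialling from the client; `GOOD_CONFIG` yields no findings, `BAD_CONFIG` yields exactly the two it was built to contain.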