Mind Map Community: Huawei Datacom VPN (Virtual Private Network)
Edited on 2023-07-21 18:03:42, Hubei Province
VPN
Overview
A VPN (virtual private network) establishes virtual private connections without changing the existing network; it is a collective name for a family of technologies, and different VPNs have different characteristics and implementations.
Advantages: security, low cost, support for mobile services, scalability
The basic principle of VPN technology is tunneling: the transmitted packets are encapsulated and a dedicated data transmission channel is built across the VPN backbone, so that packets are carried securely.
Technical characteristics
▫ Identity authentication: used in remote-access VPN deployments, where the VPN gateway authenticates the user's identity so that only legitimate users, not malicious ones, get onto the network. It can also be used between VPN gateways to authenticate each other.
▫ Data encryption: plaintext is encrypted into ciphertext, so that even if the data is intercepted by an attacker, the attacker cannot read its contents.
▫ Data verification: the integrity and authenticity of packets are checked, and forged or tampered packets are discarded.
Implementation layers
Data link layer
L2TP: Layer 2 Tunneling Protocol.
LAC: L2TP Access Concentrator
client side
LNS: L2TP Network Server
server side
Process
Tunnel establishment
Session establishment
PPP connection establishment
Data encapsulation and forwarding
Configuration
LAC accesses dial-up users and initiates the L2TP tunnel connection (LNS-side configuration)
#
 sysname LNS
#
 l2tp enable
#
ip pool 1
 network 192.168.1.0 mask 255.255.255.0
 gateway-list 192.168.1.1
#
aaa
 local-user huawei password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
 local-user huawei privilege level 0
 local-user huawei service-type ppp
#
interface Virtual-Template1
 ppp authentication-mode chap
 remote address pool 1
 ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet 1/0/0
 ip address 202.1.1.1 255.255.255.0
#
l2tp-group 1
 allow l2tp virtual-template 1 remote LAC
 tunnel password cipher %@%@/-#)Lg[S4F:#2~ZNvqa$]\DL%@%@
 tunnel name LNS
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.2
#
return
Remote dial-up user initiates the L2TP tunnel connection (LNS-side configuration)
#
 sysname LNS
#
 l2tp enable
#
interface GigabitEthernet1/0/0
 ip address 202.1.1.1 255.255.255.0
#
aaa
 local-user huawei password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
 local-user huawei privilege level 15
 local-user huawei service-type ppp
#
l2tp-group 1
 undo tunnel authentication
 allow l2tp virtual-template 1
#
interface Virtual-Template1
 ppp authentication-mode chap
 remote address pool lns
 ip address 192.168.1.1 255.255.255.0
#
ip pool lns
 network 192.168.1.0 mask 255.255.255.0
 gateway-list 192.168.1.1
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.2
#
return
LAC accesses PPPoE users and initiates the L2TP tunnel connection (LAC and LNS configurations)
#
 sysname LAC
#
 l2tp enable
#
aaa
 local-user huawei password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
 local-user huawei privilege level 15
 local-user huawei service-type ppp
#
interface Virtual-Template1
 ppp authentication-mode chap
#
interface GigabitEthernet1/0/0
 ip address 202.1.2.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 pppoe-server bind Virtual-Template 1
#
l2tp-group 1
 tunnel password cipher %@%@/-#)Lg[S4F:#2~ZNvqa$]\DL%@%@
 tunnel name lac
 start l2tp ip 202.1.1.1 fullusername huawei
#
ip route-static 202.1.1.1 255.255.255.255 202.1.2.2
#
return

#
 sysname LNS
#
 l2tp enable
#
ip pool 1
 network 192.168.1.0 mask 255.255.255.0
 gateway-list 192.168.1.1
#
aaa
 local-user huawei password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
 local-user huawei privilege level 15
 local-user huawei service-type ppp
#
interface Virtual-Template1
 ppp authentication-mode chap
 remote address pool 1
 ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 ip address 202.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 192.168.2.1 255.255.255.0
#
l2tp-group 1
 allow l2tp virtual-template 1 remote lac
 tunnel password cipher %@%@EB~j7Je>;@>uNr''D=J<]\WL%@%@
 tunnel name lns
#
ip route-static 202.1.2.1 255.255.255.255 202.1.1.2
#
return
L2TP Client initiates the L2TP tunnel connection (client and LNS configurations)
#
 sysname L2TP Client
#
 l2tp enable
#
interface Virtual-Template1
 ppp chap user huawei
 ppp chap password cipher %^%#'&=6Q(|7-#|.]EB`mK$(h7[CY`2m}-YT)Q=Oh2~2%^%#
 ip address ppp-negotiate
 l2tp-auto-client enable
#
interface GigabitEthernet1/0/0
 ip address 202.1.2.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 192.168.10.1 255.255.255.0
#
l2tp-group 1
 tunnel password cipher %@%@/-#)Lg[S4F:#2~ZNvqa$]\DL%@%@
 tunnel name L2TP_Client
 start l2tp ip 202.1.1.1 fullusername huawei
#
ip route-static 192.168.2.0 255.255.255.0 Virtual-Template1
ip route-static 202.1.1.1 255.255.255.255 202.1.2.2
#
return

#
 sysname LNS
#
 l2tp enable
#
ip pool 1
 network 192.168.1.0 mask 255.255.255.0
 gateway-list 192.168.1.1
#
aaa
 local-user huawei password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
 local-user huawei privilege level 15
 local-user huawei service-type ppp
#
interface Virtual-Template1
 ppp authentication-mode chap
 remote address pool 1
 ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 ip address 202.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 192.168.2.1 255.255.255.0
#
l2tp-group 1
 allow l2tp virtual-template 1 remote L2TP_Client
 tunnel password cipher %@%@EB~j7Je>;@>uNr''D=J<]\WL%@%@
 tunnel name lns
#
ip route-static 192.168.10.0 255.255.255.0 Virtual-Template1
ip route-static 202.1.2.1 255.255.255.255 202.1.1.2
#
return
Multiple L2TP Clients initiate L2TP tunnel connections (two clients and the LNS, with OSPF running over the tunnels)
#
 sysname L2TP Client_1
#
 l2tp enable
#
interface Virtual-Template1
 ppp chap user huawei
 ppp chap password cipher %^%#'&=6Q(|7-#|.]EB`mK$(h7[CY`2m}-YT)Q=Oh2~2%^%#
 ip address ppp-negotiate
 l2tp-auto-client enable
 ospf p2mp-mask-ignore
#
interface GigabitEthernet1/0/0
 ip address 1.1.2.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 10.1.10.1 255.255.255.0
#
l2tp-group 1
 tunnel password cipher %@%@/-#)Lg[S4F:#2~ZNvqa$]\DL%@%@
 tunnel name L2TP_Client_1
 start l2tp ip 1.1.1.1 fullusername huawei
#
ospf 10
 area 0.0.0.0
  network 10.1.1.0 0.0.0.255
  network 10.1.10.0 0.0.0.255
#
ip route-static 1.1.1.1 255.255.255.255 1.1.2.2
#
return

#
 sysname L2TP Client_2
#
 l2tp enable
#
interface Virtual-Template1
 ppp chap user huawei
 ppp chap password cipher %^%#'&=6Q(|7-#|.]EB`mK$(h7[CY`2m}-YT)Q=Oh2~2%^%#
 ip address ppp-negotiate
 l2tp-auto-client enable
 ospf p2mp-mask-ignore
#
interface GigabitEthernet1/0/0
 ip address 1.1.3.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 10.1.20.1 255.255.255.0
#
l2tp-group 1
 tunnel password cipher %@%@6Za[BAw}f$WX}sX`]:QP1%.t%@%@
 tunnel name L2TP_Client_2
 start l2tp ip 1.1.1.1 fullusername huawei
#
ospf 10
 area 0.0.0.0
  network 10.1.1.0 0.0.0.255
  network 10.1.20.0 0.0.0.255
#
ip route-static 1.1.1.1 255.255.255.255 1.1.3.2
#
return

#
 sysname LNS
#
 l2tp enable
#
ip pool 1
 gateway-list 10.1.1.1
 network 10.1.1.0 mask 255.255.255.0
#
aaa
 local-user huawei password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
 local-user huawei privilege level 15
 local-user huawei service-type ppp
#
interface Virtual-Template1
 ppp authentication-mode chap
 remote address pool 1
 ip address 10.1.1.1 255.255.255.0
 ospf network-type p2mp
 ospf timer hello 10
 ospf p2mp-mask-ignore
#
interface GigabitEthernet1/0/0
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 10.1.2.1 255.255.255.0
#
l2tp-group 1
 allow l2tp virtual-template 1
 tunnel password cipher %@%@EB~j7Je>;@>uNr''D=J<]\WL%@%@
 tunnel name lns
#
ospf 10
 area 0.0.0.0
  network 10.1.1.0 0.0.0.255
  network 10.1.2.0 0.0.0.255
#
ip route-static 1.1.2.1 255.255.255.255 1.1.1.2
ip route-static 1.1.3.1 255.255.255.255 1.1.1.2
#
return
Devices interconnect securely via L2TPv3 over IPsec (both LCCE configurations; ACL 3000 matches IP protocol 115, i.e. L2TP, between the tunnel endpoints)
#
 sysname LCCE1
#
 l2tpv3 enable
#
acl number 3000
 rule 5 permit 115 source 10.1.1.2 0 destination 10.1.2.2 0
#
ipsec proposal rtb
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-192
#
ike proposal 1
 encryption-algorithm aes-256
 authentication-algorithm sha2-256
#
ike peer rtb
 pre-shared-key cipher %^%#`KJ{)J4dRTcJ2eLBf[3SEp3hQbWrGA;#K()Bw*h1%^%#
 ike-proposal 1
 remote-address 10.1.2.2
#
ipsec policy rtb 1 isakmp
 security acl 3000
 ike-peer rtb
 proposal rtb
#
interface GigabitEthernet0/0/1
 ip address 10.1.1.2 255.255.255.0
 ipsec policy rtb
#
interface GigabitEthernet0/0/2
 link-bridge Tunnel0/0/1 tagged
#
interface Tunnel0/0/1
 tunnel-protocol svpn encapsulation l2tpv3
 l2tpv3 local session-id 1
 l2tpv3 remote session-id 4
 l2tpv3 local cookie length 4 plain lower-value 11
 l2tpv3 remote cookie length 4 plain lower-value 22
 tunnel-source 10.1.1.2
 tunnel-destination 10.1.2.2
#
ip route-static 10.1.2.0 255.255.255.0 10.1.1.3
#
return

#
 sysname LCCE2
#
 l2tpv3 enable
#
acl number 3000
 rule 5 permit 115 source 10.1.2.2 0 destination 10.1.1.2 0
#
ipsec proposal rta
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-192
#
ike proposal 1
 encryption-algorithm aes-256
 authentication-algorithm sha2-256
#
ike peer rta
 pre-shared-key cipher %^%#`KJ{)J4dRTcJ2eLBf[3SEp3hQbWrGA;#K()Bw*h1%^%#
 ike-proposal 1
 remote-address 10.1.1.2
#
ipsec policy rta 1 isakmp
 security acl 3000
 ike-peer rta
 proposal rta
#
interface GigabitEthernet0/0/1
 ip address 10.1.2.2 255.255.255.0
 ipsec policy rta
#
interface GigabitEthernet0/0/2
 link-bridge Tunnel0/0/1 tagged
#
interface Tunnel0/0/1
 tunnel-protocol svpn encapsulation l2tpv3
 l2tpv3 local session-id 4
 l2tpv3 remote session-id 1
 l2tpv3 local cookie length 4 plain lower-value 22
 l2tpv3 remote cookie length 4 plain lower-value 11
 tunnel-source 10.1.2.2
 tunnel-destination 10.1.1.2
#
ip route-static 10.1.1.0 255.255.255.0 10.1.2.3
#
return
L2TP Client on a cellular dial-up link initiates the L2TP tunnel connection (RouterA as client, RouterB as LNS)
#
 sysname RouterA
#
 l2tp enable
#
interface Virtual-Template1
 ppp chap user huawei
 ppp chap password cipher %^%#'&=6Q(|7-#|.]EB`mK$(h7[CY`2m}-YT)Q=Oh2~2%^%#
 ip address 13.1.1.2 255.255.255.0
 l2tp-auto-client enable
#
interface Cellular0/0/0
 link-protocol ppp
 ip address ppp-negotiate
 dialer enable-circular
 dialer-group 1
 apn-profile 3GNET
 dialer timer autodial 60
 dialer number *99# autodial
#
interface GigabitEthernet1/0/0
 ip address 192.168.1.1 255.255.255.0
#
l2tp-group 1
 tunnel password cipher %@%@d'o6Xpp(i/i:WRC)`'0#3nJ*%@%@
 tunnel name L2TP_Client
 start l2tp ip 12.1.1.1 fullusername huawei
#
dialer-rule
 dialer-rule 1 ip permit
#
apn profile 3GNET
#
ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/0
ip route-static 192.168.0.0 255.255.255.0 Virtual-Template1
#
return

#
 sysname RouterB
#
 l2tp enable
#
aaa
 local-user huawei password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
 local-user huawei privilege level 15
 local-user huawei service-type ppp
#
interface Virtual-Template1
 ppp authentication-mode chap
 ip address 13.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 12.1.1.1 255.255.255.0
#
l2tp-group 1
 allow l2tp virtual-template 1 remote L2TP_Client
 tunnel password cipher %@%@5j*=S&AGXK'J}kG])REK]_-o%@%@
 tunnel name LNS
#
ip route-static 0.0.0.0 0.0.0.0 12.1.1.2
ip route-static 192.168.1.0 255.255.255.0 Virtual-Template1
#
return
One of the VPDN (virtual private dial-up network) tunneling protocols
An extension of PPP (Point-to-Point Protocol) applications; provides VPN access for travelling employees and branch offices
Where the network's security requirements are high, combine the two as L2TP over IPsec
Network layer
IPsec: Internet Protocol Security.
Supports only the IP protocol; does not support multicast
Configuration of one of the two devices (manual IPsec)
Encrypts the data packets
#
ipsec proposal name0
 esp encryption-algorithm 3des
#
ipsec policy name1 10 manual
 security acl 3000
 proposal name0
 tunnel local <local IP>
 tunnel remote <remote IP>
 sa spi outbound esp 12345
 sa spi inbound esp 54321
 sa string-key outbound esp simple huawei
 sa string-key inbound esp simple huawei
#
Apply the policy under the interface:
 ipsec policy name1
#
View the proposal and policy configuration:
 display ipsec proposal
 display ipsec policy
Proposal and its name
Encryption algorithm: 3DES
Policy
Bind the interesting traffic (ACL 3000)
Security proposal
Tunnel local address
Tunnel remote address
Note: my outbound is the peer's inbound, and the peer's inbound is my outbound; the keys must be matched accordingly
Configure the inbound and outbound SA keys
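The note above about mirrored inbound and outbound SAs is easy to get wrong when both peers are typed by hand. The checker below is an added example written for this page, not Huawei code: it parses two peers' manual `ipsec policy` blocks (constructed here in the page's CLI style, reusing the page's SPIs, key and tunnel addresses) and reports any SPI, key or tunnel-endpoint pair that is not mirrored. Keys stored in `cipher` form are device-specific blobs, so only `simple` keys are compared.

```python
import re

# Constructed manual-SA snippets in the page's CLI style, not copied from a real device.
LOCAL_CFG = """
ipsec policy name1 10 manual
 tunnel local 10.1.1.2
 tunnel remote 10.1.2.2
 sa spi outbound esp 12345
 sa spi inbound esp 54321
 sa string-key outbound esp simple huawei
 sa string-key inbound esp simple huawei
"""
PEER_CFG = """
ipsec policy name1 10 manual
 tunnel local 10.1.2.2
 tunnel remote 10.1.1.2
 sa spi outbound esp 54321
 sa spi inbound esp 12345
 sa string-key outbound esp simple huawei
 sa string-key inbound esp simple huawei
"""

def parse_manual_sa(cfg):
    """Pull tunnel endpoints, SPIs and plaintext keys out of a manual ipsec policy block."""
    sa = {}
    for line in cfg.splitlines():
        line = line.strip()
        m = re.match(r"tunnel (local|remote) (\S+)$", line)
        if m:
            sa["tunnel_" + m.group(1)] = m.group(2)
        m = re.match(r"sa spi (outbound|inbound) (ah|esp) (\d+)$", line)
        if m:
            sa["spi_" + m.group(1)] = (m.group(2), int(m.group(3)))
        # keys saved as 'cipher' are device-specific blobs, so only 'simple' keys are compared
        m = re.match(r"sa string-key (outbound|inbound) (ah|esp) simple (\S+)$", line)
        if m:
            sa["key_" + m.group(1)] = (m.group(2), m.group(3))
    return sa

def check_peers(local_cfg, peer_cfg):
    """List mismatches: my outbound SA must equal the peer's inbound SA, and vice versa."""
    a, b = parse_manual_sa(local_cfg), parse_manual_sa(peer_cfg)
    problems = []
    for mine, theirs in (("outbound", "inbound"), ("inbound", "outbound")):
        for field in ("spi", "key"):
            if a.get(f"{field}_{mine}") != b.get(f"{field}_{theirs}"):
                problems.append(f"{field}: local {mine} != peer {theirs}")
    if (a.get("tunnel_local"), a.get("tunnel_remote")) != (b.get("tunnel_remote"), b.get("tunnel_local")):
        problems.append("tunnel endpoints are not mirrored")
    return problems
```

An empty list from `check_peers` means the two manual SAs are consistent; each entry names the side and direction that disagree.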
Functions
Source authentication, data encryption, data integrity, anti-replay protection
Protocol suite
ESP (Encapsulating Security Payload)
Supports both authentication and encryption
AH (Authentication Header)
Supports authentication only
IKE (Internet Key Exchange)
SAs can also be configured manually instead
A security association protocol: negotiates the IPsec SA
SA triplet
SPI (Security Parameter Index)
Destination IP address
Security protocol: AH or ESP
GRE: Generic Routing Encapsulation.
After encapsulation, the packet can be transported across a different kind of network
IPv6-over-IPv4 tunnel configuration
interface Tunnel0/0/0
 tunnel-protocol ipv6-ipv4
 source 192.168.1.1
 destination 192.168.2.1
 ipv6 enable
 ipv6 address 2013::3/64
#
ipv6 route-static 2001:: 64 2013::1
interface Tunnel0/0/0
 tunnel-protocol gre
 source 192.168.1.1
 destination 192.168.2.1
Shortcoming: no encryption and no authentication
GRE over IPsec: combine the two
Able to encapsulate multicast packets
Elements
Passenger protocol
The IPv6 packet itself (the original data)
Encapsulation protocol
GRE
Transport protocol
Carries the encapsulated packet across the new network
Application layer
SSL VPN
Layer 2.5
MPLS: Multiprotocol Label Switching
Key technologies
Tunneling
Original packet
Encapsulation
Decapsulation
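To make the encapsulate/decapsulate steps above, and the passenger/encapsulation/transport split from the GRE section, concrete, here is an added Python example (not from the page or from Huawei): it wraps a constructed IPv6 passenger packet in a GRE header and an outer IPv4 header using the tunnel endpoints from the GRE configuration, then strips them again. The decapsulator only has a header checksum to validate, which is all plain GRE offers and is why the page pairs GRE with IPsec.

```python
import struct
import ipaddress

GRE_PROTO = 47           # IP protocol number that marks a GRE payload (transport protocol: IPv4)
ETHERTYPE_IPV6 = 0x86DD  # GRE protocol-type value for an IPv6 passenger packet
ETHERTYPE_IPV4 = 0x0800  # ... and for an IPv4 passenger packet

def ipv4_checksum(hdr):
    """One's-complement sum over the IPv4 header; returns 0 when a received header verifies."""
    if len(hdr) % 2:
        hdr += b"\0"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def gre_encapsulate(passenger, proto_type, src, dst, ttl=64):
    """Outer IPv4 header (transport) + 4-byte GRE header (encapsulation) + passenger packet."""
    gre = struct.pack("!HH", 0, proto_type)  # no C/K/S option bits, version 0
    total_len = 20 + len(gre) + len(passenger)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, GRE_PROTO, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + gre + passenger

def gre_decapsulate(packet):
    """Strip the outer headers and return (proto_type, passenger); raise on malformed input."""
    if len(packet) < 24 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header or checksum")
    if packet[9] != GRE_PROTO:
        raise ValueError("outer protocol is not GRE")
    flags, proto_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x0007:  # low three bits are the GRE version, which must be 0
        raise ValueError("unsupported GRE version")
    # Nothing above proves who built this packet or hides the passenger: plain GRE
    # has no authentication or encryption, which is why it is combined with IPsec.
    return proto_type, packet[ihl + 4:]

# Constructed passenger packet: a bare 40-byte IPv6 header between the page's tunnel
# addresses 2013::3 and 2013::1, next header 59 (no payload), hop limit 64.
INNER_IPV6 = struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                         ipaddress.IPv6Address("2013::3").packed,
                         ipaddress.IPv6Address("2013::1").packed)
```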
Identity authentication, data encryption, data verification
Ensures that only legitimate users connect
Even if the data is intercepted, its contents cannot be read
Checks the integrity and authenticity of packets