Definition of a VPN
A virtual private network (VPN) is a technique for building a private network on top of a public one. It is called "virtual" because no two nodes of the VPN are joined by the end-to-end physical link a traditional private network would require; instead the VPN is a logical network laid over the platform a public carrier provides (the Internet, ATM, Frame Relay and so on), and user data travels over these logical links.
Functions of a VPN
1. Interconnects networks through tunnels or virtual circuits
2. Supports security management of users
3. Allows network monitoring and fault diagnosis
Advantages of a VPN solution
1. Lower cost: long-distance telephone and leased-line charges are replaced by the cost of local Internet access, cutting a user's networking spend by a substantial percentage.
2. Flexibility and speed: through the VPN gateway the user can choose among many Internet access technologies, and Internet capacity can be provisioned on demand.
3. Security: the VPN's authentication and encryption protect the user's privacy and the integrity of the data sent and received. This holds only as long as the algorithms and keys are sound; a tunnel negotiated with DES and a guessable pre-shared key, as in the sample configurations below, offers little of either.
4. Protection of existing investment: the VPN can be built on the user's existing firewall, and the applications already in use are unaffected.
How a VPN works
1. A VPN system lets private networks at different locations communicate securely across an untrusted public network.
2. According to rules set by the administrator, the VPN device decides whether a packet must be encrypted or may pass through unchanged (in the Cisco configurations below this rule is the access list named by the crypto map's match address statement).
3. For packets that need protection, the VPN device encrypts the entire packet and attaches an integrity check value (a keyed hash such as HMAC-SHA; the original text calls this a digital signature).
4. The VPN device prepends a new packet header carrying the security information the destination VPN device needs, for example the SPI that identifies the security association, a sequence number, and the cipher's initialization vector.
5. The encrypted data, the integrity check and a new outer IP header with the source and destination VPN device addresses are re-encapsulated into one packet, which travels across the public network through the virtual tunnel.
6. When the packet reaches the destination VPN device it is decapsulated; the integrity check is verified first, and only after it passes is the packet decrypted.
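The six steps above as one runnable pipeline, added here as an example (it is not code from the page). The cipher is a toy, an HMAC-SHA256 keystream XORed over the packet, standing in for the DES or AES a real VPN device would use; what the code shows is the structure: policy lookup, encrypt, compute an integrity check value over header plus ciphertext, add an outer header, and on receipt verify the ICV and sequence number before decrypting anything. SPIs, keys and the sample packet are made up; the gateway addresses simply echo the two routers in the configurations further down.

```python
"""ESP-style protect/unprotect pipeline for the six steps above.

Added example, not from the page. The cipher is a TOY: an HMAC-SHA256
keystream XORed over the packet stands in for the DES/AES a real VPN device
uses. What it shows is the structure: policy lookup, encrypt, compute an
integrity check value (ICV) over header+ciphertext, add an outer header, and
on receipt verify ICV and sequence number BEFORE decrypting. SPIs, keys and
the packet are made up; addresses echo the page's two routers."""
import hashlib
import hmac
import ipaddress
import os
import struct

HDR_LEN, IV_LEN, ICV_LEN = 16, 8, 16        # outer header = SPI(4) + seq(4) + IV(8)


def keystream(key, iv, n):
    """Toy counter-mode keystream: HMAC-SHA256(key, iv || block counter)."""
    blocks = (hmac.new(key, iv + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class SecurityAssociation:
    """One direction of an IPsec-like SA: identifier (SPI), keys, sequence state."""

    def __init__(self, spi, enc_key, auth_key):
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.seq_out = 0        # last sequence number sent
        self.seq_in = 0         # highest sequence number accepted (anti-replay)

    def protect(self, inner):
        """Steps 3-4: encrypt the whole inner packet, prepend SPI/seq/IV, append ICV."""
        self.seq_out += 1
        iv = os.urandom(IV_LEN)
        hdr = struct.pack(">II", self.spi, self.seq_out) + iv
        ct = xor(inner, keystream(self.enc_key, iv, len(inner)))
        icv = hmac.new(self.auth_key, hdr + ct, hashlib.sha256).digest()[:ICV_LEN]
        return hdr + ct + icv

    def unprotect(self, wire):
        """Step 6: verify ICV and sequence number first; decrypt only if both pass."""
        if len(wire) < HDR_LEN + ICV_LEN:
            raise ValueError("truncated packet")
        hdr, ct, icv = wire[:HDR_LEN], wire[HDR_LEN:-ICV_LEN], wire[-ICV_LEN:]
        want = hmac.new(self.auth_key, hdr + ct, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, want):
            raise ValueError("integrity check failed")       # tampered, or wrong key
        spi, seq = struct.unpack(">II", hdr[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI")
        if seq <= self.seq_in:
            raise ValueError("replayed packet")              # window-less anti-replay
        self.seq_in = seq
        return xor(ct, keystream(self.enc_key, hdr[8:], len(ct)))


class VpnGateway:
    """Step 2: a rule set (like the page's access-list 101) decides what is protected."""

    def __init__(self, own, peer, protected_prefixes, sa_out, sa_in):
        self.own, self.peer = own, peer
        self.protected = [ipaddress.ip_network(p) for p in protected_prefixes]
        self.sa_out, self.sa_in = sa_out, sa_in

    def outbound(self, dst_host, packet):
        """Returns (outer_src, outer_dst, payload, protected); step 5 is the new outer header."""
        if not any(ipaddress.ip_address(dst_host) in n for n in self.protected):
            return self.own, dst_host, packet, False           # policy says: pass through in clear
        return self.own, self.peer, self.sa_out.protect(packet), True

    def inbound(self, outer_src, payload):
        if outer_src != self.peer:
            raise ValueError("protected traffic from an unexpected peer")
        return self.sa_in.unprotect(payload)


def demo():
    """Two gateways with keys shared out of band (the page's pre-shared key plays that role)."""
    k = [os.urandom(32) for _ in range(4)]                     # enc/auth keys, one pair per direction
    hq = VpnGateway("172.17.2.4", "172.24.2.5", ["10.1.4.0/24"],
                    SecurityAssociation(0x1001, k[0], k[1]), SecurityAssociation(0x1002, k[2], k[3]))
    ro = VpnGateway("172.24.2.5", "172.17.2.4", ["10.1.3.0/24", "10.1.6.0/24"],
                    SecurityAssociation(0x1002, k[2], k[3]), SecurityAssociation(0x1001, k[0], k[1]))
    inner = b"inner IP packet 10.1.3.3 -> 10.1.4.2 (constructed)"
    src, dst, wire, prot = hq.outbound("10.1.4.2", inner)
    r = {"encapsulated": prot and dst == ro.own and inner not in wire,
         "roundtrip": ro.inbound(src, wire) == inner}
    try:                                                        # the same datagram again is a replay
        ro.inbound(src, wire)
        r["replay_dropped"] = False
    except ValueError:
        r["replay_dropped"] = True
    src, dst, wire, _ = hq.outbound("10.1.4.2", inner)
    bad = wire[:HDR_LEN] + bytes([wire[HDR_LEN] ^ 1]) + wire[HDR_LEN + 1:]   # flip one ciphertext byte
    try:
        ro.inbound(src, bad)
        r["tamper_dropped"] = False
    except ValueError:
        r["tamper_dropped"] = True
    r["bypass_in_clear"] = hq.outbound("198.51.100.7", inner)[2] == inner   # not covered by policy
    return r
```

Running demo() exercises the normal path and the three failure modes step 6 is there to catch: a replayed datagram, a modified ciphertext byte, and traffic that the policy leaves unprotected. The order inside unprotect matters: the ICV is checked with a constant-time comparison before the SPI, sequence number or plaintext are ever looked at, so a forged packet never reaches the decryption step.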
VPN configuration examples
Intranet configuration:
Figure 3-8: Intranet VPN Scenario Physical Elements
Headquarters Router configuration
hq-sanjose# show running-config
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname hq-sanjose
!
boot system flash bootflash:
boot bootldr bootflash:c7100-boot-mz.120-1.1.T
boot config slot0:hq-sanjose-cfg-small
no logging buffered
!
crypto isakmp policy 1
authentication pre-share
lifetime 84600
crypto isakmp key test12345 address 172.24.2.5
!
crypto ipsec transform-set proposal1 ah-sha-hmac esp-des esp-sha-hmac
mode transport
!
!
crypto map s1first local-address Serial1/0
crypto map s1first 1 ipsec-isakmp
set peer 172.24.2.5
set transform-set proposal1
match address 101
!
interface Tunnel0
bandwidth 180
ip address 172.17.3.3 255.255.255.0
no ip directed-broadcast
tunnel source 172.17.2.4
tunnel destination 172.24.2.5
crypto map s1first
!
interface FastEthernet0/0
ip address 10.1.3.3 255.255.255.0
no ip directed-broadcast
no keepalive
full-duplex
no cdp enable
!
interface FastEthernet0/1
ip address 10.1.6.4 255.255.255.0
no ip directed-broadcast
no keepalive
full-duplex
no cdp enable
!
interface Serial1/0
ip address 172.17.2.4 255.255.255.0
no ip directed-broadcast
no ip mroute-cache
no keepalive
fair-queue 64 256 0
framing c-bit
cablelength 10
dsu bandwidth 44210
clock source internal
no cdp enable
crypto map s1first
!
ip route 10.1.4.0 255.255.255.0 Tunnel0
!
access-list 101 permit gre host 172.17.2.4 host 172.24.2.5
!
line con 0
transport input none
line aux 0
line vty 0 4
login
!
end
Remote Office Router configuration:
ro-rtp# show running-config
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ro-rtp
!
boot system flash bootflash:
boot bootldr bootflash:c7100-boot-mz.120-1.1.T
boot config slot0:ro-rtp-cfg-small
no logging buffered
!
crypto isakmp policy 1
authentication pre-share
lifetime 84600
crypto isakmp key test12345 address 172.17.2.4
!
crypto ipsec transform-set proposal1 ah-sha-hmac esp-des esp-sha-hmac
mode transport
!
!
crypto map s1first local-address Serial1/0
crypto map s1first 1 ipsec-isakmp
set peer 172.17.2.4
set transform-set proposal1
match address 101
!
interface Tunnel1
bandwidth 180
ip address 172.24.3.6 255.255.255.0
no ip directed-broadcast
tunnel source 172.24.2.5
tunnel destination 172.17.2.4
crypto map s1first
!
interface FastEthernet0/0
ip address 10.1.4.2 255.255.255.0
no ip directed-broadcast
no keepalive
full-duplex
no cdp enable
!
interface Serial1/0
ip address 172.24.2.5 255.255.255.0
no ip directed-broadcast
no ip mroute-cache
no keepalive
fair-queue 64 256 0
framing c-bit
cablelength 10
dsu bandwidth 44210
clock source internal
no cdp enable
crypto map s1first
!
ip route 10.1.3.0 255.255.255.0 Tunnel1
ip route 10.1.6.0 255.255.255.0 Tunnel1
!
access-list 101 permit gre host 172.24.2.5 host 172.17.2.4
!
line con 0
transport input none
line aux 0
line vty 0 4
login
!
end
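Reviewing the two configurations above the way a security engineer would, several things stand out. The transform set negotiates esp-des, 56-bit DES, which has been brute-forceable since the late 1990s; the ISAKMP policy sets no encryption algorithm or Diffie-Hellman group, so IOS 12.x falls back to its defaults of DES and group 1 (768-bit); the pre-shared key is the guessable test12345; no service password-encryption leaves any line passwords readable in the saved config; and ah-sha-hmac together with esp-sha-hmac authenticates every packet twice. On the positive side, applying the crypto map to both the Tunnel interface and Serial1/0 is what GRE over IPsec requires on this IOS release, and the two ends are consistent: each router's peer is the other's Serial1/0 address, the pre-shared keys match, and access-list 101 on each side is the mirror image of the other. The script below is an added example (not from the page or from Cisco) that checks these points mechanically; HQ_CFG is a constructed excerpt of the hq-sanjose config containing only the lines the checks read, RO_CFG is derived from it by swapping the endpoint addresses, and the IOS defaults it cites are assumptions about that release.

```python
"""Lint Cisco IOS IPsec/GRE configs for weak crypto and peer mismatches.
Added example, not from the page or from Cisco. HQ_CFG is a constructed excerpt of
the hq-sanjose config above; RO_CFG swaps the endpoint addresses to give ro-rtp.
The IOS 12.x ISAKMP defaults quoted in findings are assumptions about that release."""
from collections import defaultdict

HQ_CFG = """\
hostname hq-sanjose
no service password-encryption
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key test12345 address 172.24.2.5
crypto ipsec transform-set proposal1 ah-sha-hmac esp-des esp-sha-hmac
 mode transport
crypto map s1first 1 ipsec-isakmp
 set peer 172.24.2.5
 set transform-set proposal1
 match address 101
interface Serial1/0
 ip address 172.17.2.4 255.255.255.0
 crypto map s1first
access-list 101 permit gre host 172.17.2.4 host 172.24.2.5
"""
# Remote office: identical apart from the hostname and the two endpoint addresses swapped.
RO_CFG = (HQ_CFG.replace("hq-sanjose", "ro-rtp").replace("172.24.2.5", "@")
          .replace("172.17.2.4", "172.24.2.5").replace("@", "172.17.2.4"))
WEAK = {"esp-des": "56-bit DES", "esp-3des": "3DES, 64-bit block", "esp-null": "no encryption",
        "esp-md5-hmac": "MD5", "ah-md5-hmac": "MD5"}


def parse_ios(text):
    """Collect the statements the checks need; sec is the block the current line belongs to."""
    c = {"host": None, "pw_enc": True, "isakmp": {}, "psk": {}, "ts": {}, "maps": {},
         "acls": defaultdict(list), "ips": set()}
    sec = None
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0] == "!":
            continue
        head = " ".join(w[:3])
        if w[0] == "hostname":
            c["host"] = w[1]
        elif head == "no service password-encryption":
            c["pw_enc"] = False
        elif head == "crypto isakmp policy":
            sec, c["isakmp"][w[3]] = ("isakmp", w[3]), {}
        elif head == "crypto isakmp key":
            c["psk"][w[5]] = w[3]                         # key <secret> address <peer>
        elif head == "crypto ipsec transform-set":
            sec, c["ts"][w[3]] = ("ts", w[3]), {"algs": w[4:]}
        elif head.startswith("crypto map") and w[-1] == "ipsec-isakmp":
            sec = ("map", w[2])
            c["maps"].setdefault(w[2], {})
        elif head.startswith("ip address"):
            c["ips"].add(w[2])                            # any interface address counts as "ours"
        elif w[0] == "access-list":
            c["acls"][w[1]].append(tuple(w[2:]))
        elif sec:
            kind, key = sec
            if kind == "isakmp":
                c["isakmp"][key][w[0]] = " ".join(w[1:])
            elif kind == "map" and w[0] in ("set", "match"):
                c["maps"][key][w[1]] = w[2]               # peer / transform-set / address
    return c


def audit(c):
    """Per-device findings: clear-text secrets, weak or defaulted algorithms."""
    h, out = c["host"], []
    if not c["pw_enc"]:
        out.append(f"{h}: no service password-encryption, line passwords are stored in clear text")
    for n, p in c["isakmp"].items():
        if "encr" not in p and "encryption" not in p:
            out.append(f"{h}: isakmp policy {n} sets no encryption, IOS 12.x default is DES")
    for addr, key in c["psk"].items():
        if len(key) < 16 or key.lower().startswith(("test", "cisco", "secret")):
            out.append(f"{h}: pre-shared key for peer {addr} is short or guessable")
    for n, t in c["ts"].items():
        out += [f"{h}: transform-set {n} uses {a} ({WEAK[a]})" for a in t["algs"] if a in WEAK]
    return out


def swap(ace):
    """Mirror a 'permit <proto> host A host B' entry: the other end must list B -> A."""
    return ace[:3] + (ace[5], "host", ace[3]) if len(ace) == 6 and ace[2] == ace[4] == "host" else ace


def cross_check(a, b):
    """Both ends of a site-to-site map must agree on PSK, transform set and mirrored selectors."""
    pairs = [(na, ma, nb, mb) for na, ma in a["maps"].items() for nb, mb in b["maps"].items()
             if ma.get("peer") in b["ips"] and mb.get("peer") in a["ips"]]
    out = [] if pairs else [f"{a['host']} and {b['host']}: no crypto map pair with reciprocal peers"]
    for na, ma, nb, mb in pairs:
        tag = f"{a['host']}/{na} <-> {b['host']}/{nb}"
        if a["psk"].get(ma["peer"]) != b["psk"].get(mb["peer"]):
            out.append(f"{tag}: pre-shared keys differ, IKE phase 1 will fail")
        if a["ts"].get(ma.get("transform-set")) != b["ts"].get(mb.get("transform-set")):
            out.append(f"{tag}: transform sets differ, IKE phase 2 will fail")
        if set(a["acls"][ma.get("address")]) != {swap(x) for x in b["acls"][mb.get("address")]}:
            out.append(f"{tag}: crypto access-lists are not mirror images")
    return out
```

Calling audit(parse_ios(HQ_CFG)) lists the DES, pre-shared-key and password-encryption findings for the headquarters router; cross_check(parse_ios(HQ_CFG), parse_ios(RO_CFG)) returns an empty list because the two ends of the page's intranet tunnel do agree, and changing the key or the access list on one side makes it report the mismatch. The parser is deliberately minimal and reads only the statement types the checks need; a production linter would also resolve crypto map local-address interfaces and handle multiple sequence numbers per map.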
Extranet configuration:
Figure 3-9: Extranet VPN Scenario Physical Elements
Headquarters Router configuration:
hq-sanjose# show running-config
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname hq-sanjose
!
boot system flash bootflash:
boot bootldr bootflash:c7100-boot-mz.120-1.1.T
boot config slot0:hq-sanjose-cfg-small
no logging buffered
!
crypto isakmp policy 1
authentication pre-share
lifetime 84600
crypto isakmp key test12345 address 172.24.2.5
crypto isakmp key test67890 address 172.23.2.7
!
crypto ipsec transform-set proposal1 ah-sha-hmac esp-des esp-sha-hmac
mode transport
!
crypto ipsec transform-set proposal4 ah-sha-hmac esp-des esp-sha-hmac
!
!
crypto map s1first local-address Serial1/0
crypto map s1first 1 ipsec-isakmp
set peer 172.24.2.5
set transform-set proposal1
match address 101
!
crypto map s4second local-address Serial2/0
crypto map s4second 2 ipsec-isakmp
set peer 172.23.2.7
set transform-set proposal4
match address 111
!
interface Tunnel0
bandwidth 180
ip address 172.17.3.3 255.255.255.0
no ip directed-broadcast
tunnel source 172.17.2.4
tunnel destination 172.24.2.5
crypto map s1first
!
interface FastEthernet0/0
ip address 10.1.3.3 255.255.255.0
no ip directed-broadcast
no keepalive
full-duplex
no cdp enable
!
interface FastEthernet0/1
ip address 10.1.6.4 255.255.255.0
no ip directed-broadcast
ip nat inside
no keepalive
full-duplex
no cdp enable
!
interface Serial1/0