VPN的定義
虛擬專網(wǎng)(VPN-VIRTUAL PRIVATE NETWORK)指的是在公用網(wǎng)絡上建立專用網(wǎng)絡的技術。之所以稱為虛擬網(wǎng)主要是因為整個VPN網(wǎng)絡的任意兩個節(jié)點之間的連接并沒有傳統(tǒng)專網(wǎng)所需的端到端的物理鏈路,而是架構在公用網(wǎng)絡服務商所提供的網(wǎng)絡平臺(如INTERNET,ATM,F(xiàn)RAME RELAY等)之上的邏輯網(wǎng)絡,用戶數(shù)據(jù)在邏輯鏈路中傳輸。
VPN的功能
1、通過隧道(TUNNEL)或虛電路(VIRTUAL CIRCUIT)實現(xiàn)網(wǎng)絡互聯(lián)
2、支持用戶安全管理
3、能夠進行網(wǎng)絡監(jiān)控、故障診斷
VPN解決方案的優(yōu)點
1、省錢:它可以節(jié)省長途電話費和長途專線電話費和長途專線網(wǎng)絡費可以為用戶節(jié)省30-25%的 網(wǎng)絡應用的開銷。
2、選擇靈活、速度快:通過vpn網(wǎng)關,用戶可以選擇多種internet連通技術,而且對于 INTERNET的容量可以實現(xiàn)按需定制;
3、安全性好:VPN的認證機制將更好地保證用戶的隱私權和收發(fā)數(shù)據(jù)的完整性;
4、實現(xiàn)投資的保護:VPN技術的應用可以建立在用戶現(xiàn)有的防火墻的基礎上,用戶正在使用的 應用軟件也不受影響。
VPN技術原理
1、 VPN系統(tǒng)使分布在不同地方的專用網(wǎng)絡在不可信任的公共網(wǎng)絡上安全的通信。
2、 VPN設備根據(jù)網(wǎng)管設置的規(guī)則,確定是否需要對數(shù)據(jù)進行加密或讓數(shù)據(jù)直接通過。
3、 對需要加密的數(shù)據(jù),VPN設備對整個數(shù)據(jù)包進行加密和附上數(shù)字簽名。
4、 VPN設備加上新的收據(jù)包頭,其中包括目的地VPN設備需要的安全信息和一些初始化參數(shù)。
5、 VPN設備對加密后的數(shù)據(jù)、鑒別包以及源IP地址、目標VPN設備IP地址進行重新封裝,重新封裝后的數(shù)據(jù)包通過虛擬通道在公網(wǎng)上傳輸。
6、 當數(shù)據(jù)包到達目標VPN設備時,數(shù)據(jù)包被解封裝,數(shù)據(jù)包被解封裝,數(shù)字簽名,數(shù)字簽名被 核對無誤后,收據(jù)包被解密。
VPN配置實例
Intranet 內聯(lián)網(wǎng)配置:
Figure 3-8: Intranet VPN Scenario Physical Elements
Headquarters Router 配置
hq-sanjose# show running-config
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname hq-sanjose
!
boot system flash bootflash:
boot bootldr bootflash:c7100-boot-mz.120-1.1.T
boot config slot0:hq-sanjose-cfg-small
no logging buffered
!
crypto isakmp policy 1
authentication pre-share
lifetime 84600
crypto isakmp key test12345 address 172.24.2.5
!
crypto ipsec transform-set proposal1 ah-sha-hmac esp-des esp-sha-hmac
mode transport
!
!
crypto map s1first local-address Serial1/0
crypto map s1first 1 ipsec-isakmp
set peer 172.24.2.5
set transform-set proposal1
match address 101
!
interface Tunnel0
bandwidth 180
ip address 172.17.3.3 255.255.255.0
no ip directed-broadcast
tunnel source 172.17.2.4
tunnel destination 172.24.2.5
crypto map s1first
!
interface FastEthernet0/0
ip address 10.1.3.3 255.255.255.0
no ip directed-broadcast
no keepalive
full-duplex
no cdp enable
!
interface FastEthernet0/1
ip address 10.1.6.4 255.255.255.0
no ip directed-broadcast
no keepalive
full-duplex
no cdp enable
!
interface Serial1/0
ip address 172.17.2.4 255.255.255.0
no ip directed-broadcast
no ip mroute-cache
no keepalive
fair-queue 64 256 0
framing c-bit
cablelength 10
dsu bandwidth 44210
clock source internal
no cdp enable
crypto map s1first
!
ip route 10.1.4.0 255.255.255.0 Tunnel0
!
access-list 101 permit gre host 172.17.2.4 host 172.24.2.5
!
line con 0
transport input none
line aux 0
line vty 0 4
login
!
end
Remote Office Router 配置:
ro-rtp# show running-config
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ro-rtp
!
boot system flash bootflash:
boot bootldr bootflash:c7100-boot-mz.120-1.1.T
boot config slot0:ro-rtp-cfg-small
no logging buffered
!
crypto isakmp policy 1
authentication pre-share
lifetime 84600
crypto isakmp key test12345 address 172.17.2.4
!
crypto ipsec transform-set proposal1 ah-sha-hmac esp-des esp-sha-hmac
mode transport
!
!
crypto map s1first local-address Serial1/0
crypto map s1first 1 ipsec-isakmp
set peer 172.17.2.4
set transform-set proposal1
match address 101 #p#分頁標題#e#
!
interface Tunnel1
bandwidth 180
ip address 172.24.3.6 255.255.255.0
no ip directed-broadcast
tunnel source 172.24.2.5
tunnel destination 172.17.2.4
crypto map s1first
!
interface FastEthernet0/0
ip address 10.1.4.2 255.255.255.0
no ip directed-broadcast
no keepalive
full-duplex
no cdp enable
!
interface Serial1/0
ip address 172.24.2.5 255.255.255.0
no ip directed-broadcast
no ip mroute-cache
no keepalive
fair-queue 64 256 0
framing c-bit
cablelength 10
dsu bandwidth 44210
clock source internal
no cdp enable
crypto map s1first
!
ip route 10.1.3.0 255.255.255.0 Tunnel1
ip route 10.1.6.0 255.255.255.0 Tunnel1
!
access-list 101 permit gre host 172.24.2.5 host 172.17.2.4
!
line con 0
transport input none
line aux 0
line vty 0 4
login
!
end
Extranet外聯(lián)網(wǎng)配置:
Figure 3-9: Extranet VPN Scenario Physical Elements
Headquarters Router配置:
hq-sanjose# show running-config
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname hq-sanjose
!
boot system flash bootflash:
boot bootldr bootflash:c7100-boot-mz.120-1.1.T
boot config slot0:hq-sanjose-cfg-small
no logging buffered
!
crypto isakmp policy 1
authentication pre-share
lifetime 84600
crypto isakmp key test12345 address 172.24.2.5
crypto isakmp key test67890 address 172.23.2.7
!
crypto ipsec transform-set proposal1 ah-sha-hmac esp-des esp-sha-hmac
ode transport
!
crypto ipsec transform-set proposal4 ah-sha-hmac esp-des esp-sha-hmac
!
!
crypto map s1first local-address Serial1/0
crypto map s1first 1 ipsec-isakmp
set peer 172.24.2.5
set transform-set proposal1
match address 101
!
crypto map s4second local-address Serial2/0
crypto map s4second 2 ipsec-isakmp
set peer 172.23.2.7
set transform-set proposal4
match address 111
!
interface Tunnel0
bandwidth 180
ip address 172.17.3.3 255.255.255.0
no ip directed-broadcast
tunnel source 172.17.2.4
tunnel destination 172.24.2.5
crypto map s1first
!
interface FastEthernet0/0
ip address 10.1.3.3 255.255.255.0
no ip directed-broadcast
no keepalive
full-duplex
no cdp enable
!
interface FastEthernet0/1
ip address 10.1.6.4 255.255.255.0
no ip directed-broadcast
ip nat inside
no keepalive
full-duplex
no cdp enable
!
interface Serial1/0