亚洲成精品动漫久久精久,九九在线精品视频播放,黄色成人免费观看,三级成人影院,久碰久,四虎成人欧美精品在永久在线

掃一掃
關(guān)注微信公眾號(hào)

VPN及其配置示例
2008-06-24   

  VPN的定義
  虛擬專網(wǎng)(VPN-VIRTUAL PRIVATE NETWORK)指的是在公用網(wǎng)絡(luò)上建立專用網(wǎng)絡(luò)的技術(shù)。之所以稱為虛擬網(wǎng)主要是因?yàn)檎麄€(gè)VPN網(wǎng)絡(luò)的任意兩個(gè)節(jié)點(diǎn)之間的連接并沒(méi)有傳統(tǒng)專網(wǎng)所需的端到端的物理鏈路,而是架構(gòu)在公用網(wǎng)絡(luò)服務(wù)商所提供的網(wǎng)絡(luò)平臺(tái)(如INTERNET,ATM,F(xiàn)RAME RELAY等)之上的邏輯網(wǎng)絡(luò),用戶數(shù)據(jù)在邏輯鏈路中傳輸。
  
  
  VPN的功能
  1、通過(guò)隧道(TUNNEL)或虛電路(VIRTUAL CIRCUIT)實(shí)現(xiàn)網(wǎng)絡(luò)互聯(lián)
  2、支持用戶安全管理
  3、能夠進(jìn)行網(wǎng)絡(luò)監(jiān)控、故障診斷
  
  
  VPN解決方案的優(yōu)點(diǎn)
  1、省錢:它可以節(jié)省長(zhǎng)途電話費(fèi)和長(zhǎng)途專線電話費(fèi)和長(zhǎng)途專線網(wǎng)絡(luò)費(fèi)可以為用戶節(jié)省30-25%的 網(wǎng)絡(luò)應(yīng)用的開銷。
  2、選擇靈活、速度快:通過(guò)vpn網(wǎng)關(guān),用戶可以選擇多種internet連通技術(shù),而且對(duì)于 INTERNET的容量可以實(shí)現(xiàn)按需定制;
  3、安全性好:VPN的認(rèn)證機(jī)制將更好地保證用戶的隱私權(quán)和收發(fā)數(shù)據(jù)的完整性;
  4、實(shí)現(xiàn)投資的保護(hù):VPN技術(shù)的應(yīng)用可以建立在用戶現(xiàn)有的防火墻的基礎(chǔ)上,用戶正在使用的 應(yīng)用軟件也不受影響。
  
  
  VPN技術(shù)原理
  1、 VPN系統(tǒng)使分布在不同地方的專用網(wǎng)絡(luò)在不可信任的公共網(wǎng)絡(luò)上安全的通信。
  2、 VPN設(shè)備根據(jù)網(wǎng)管設(shè)置的規(guī)則,確定是否需要對(duì)數(shù)據(jù)進(jìn)行加密或讓數(shù)據(jù)直接通過(guò)。
  3、 對(duì)需要加密的數(shù)據(jù),VPN設(shè)備對(duì)整個(gè)數(shù)據(jù)包進(jìn)行加密和附上數(shù)字簽名。
  4、 VPN設(shè)備加上新的收據(jù)包頭,其中包括目的地VPN設(shè)備需要的安全信息和一些初始化參數(shù)。
  5、 VPN設(shè)備對(duì)加密后的數(shù)據(jù)、鑒別包以及源IP地址、目標(biāo)VPN設(shè)備IP地址進(jìn)行重新封裝,重新封裝后的數(shù)據(jù)包通過(guò)虛擬通道在公網(wǎng)上傳輸。
  6、 當(dāng)數(shù)據(jù)包到達(dá)目標(biāo)VPN設(shè)備時(shí),數(shù)據(jù)包被解封裝,數(shù)據(jù)包被解封裝,數(shù)字簽名,數(shù)字簽名被 核對(duì)無(wú)誤后,收據(jù)包被解密。
  
  
  VPN配置實(shí)例
  
  Intranet 內(nèi)聯(lián)網(wǎng)配置:
  Figure 3-8: Intranet VPN Scenario Physical Elements
  Headquarters Router 配置
  hq-sanjose# show running-config
  Building configuration...
  
  Current configuration:
  !
  version 12.0
  service timestamps debug uptime
  service timestamps log uptime
  no service password-encryption
  !
  hostname hq-sanjose
  !
  boot system flash bootflash:
  boot bootldr bootflash:c7100-boot-mz.120-1.1.T
  boot config slot0:hq-sanjose-cfg-small
  no logging buffered
  !
  crypto isakmp policy 1
  authentication pre-share
  lifetime 84600
  crypto isakmp key test12345 address 172.24.2.5
  !
  crypto ipsec transform-set proposal1 ah-sha-hmac esp-des esp-sha-hmac
  mode transport
  !
  !
  crypto map s1first local-address Serial1/0
  crypto map s1first 1 ipsec-isakmp
  set peer 172.24.2.5
  set transform-set proposal1
  match address 101
  !
  interface Tunnel0
  bandwidth 180
  ip address 172.17.3.3 255.255.255.0
  no ip directed-broadcast
  tunnel source 172.17.2.4
  tunnel destination 172.24.2.5
  crypto map s1first
  !
  interface FastEthernet0/0
  ip address 10.1.3.3 255.255.255.0
  no ip directed-broadcast
  no keepalive
  full-duplex
  no cdp enable
  !
  interface FastEthernet0/1
  ip address 10.1.6.4 255.255.255.0
  no ip directed-broadcast
  no keepalive
  full-duplex
  no cdp enable
  !
  interface Serial1/0
  ip address 172.17.2.4 255.255.255.0
  no ip directed-broadcast
  no ip mroute-cache
  no keepalive
  fair-queue 64 256 0
  framing c-bit
  cablelength 10
  dsu bandwidth 44210
  clock source internal
  no cdp enable
  crypto map s1first
  !
  ip route 10.1.4.0 255.255.255.0 Tunnel0
  !
  access-list 101 permit gre host 172.17.2.4 host 172.24.2.5
  !
  line con 0
  transport input none
  line aux 0
  line vty 0 4
  login
  !
  end
  
  Remote Office Router 配置:
  ro-rtp# show running-config
  Building configuration...
  
  Current configuration:
  !
  version 12.0
  service timestamps debug uptime
  service timestamps log uptime
  no service password-encryption
  !
  hostname ro-rtp
  !
  boot system flash bootflash:
  boot bootldr bootflash:c7100-boot-mz.120-1.1.T
  boot config slot0:ro-rtp-cfg-small
  no logging buffered
  !
  crypto isakmp policy 1
  authentication pre-share
  lifetime 84600
  crypto isakmp key test12345 address 172.17.2.4
  !
  crypto ipsec transform-set proposal1 ah-sha-hmac esp-des esp-sha-hmac
  mode transport
  !
  !
  crypto map s1first local-address Serial1/0
  crypto map s1first 1 ipsec-isakmp
  set peer 172.17.2.4
  set transform-set proposal1
  match address 101 #p#分頁(yè)標(biāo)題#e#
  !
  interface Tunnel1
  bandwidth 180
  ip address 172.24.3.6 255.255.255.0
  no ip directed-broadcast
  tunnel source 172.24.2.5
  tunnel destination 172.17.2.4
  crypto map s1first
  !
  interface FastEthernet0/0
  ip address 10.1.4.2 255.255.255.0
  no ip directed-broadcast
  no keepalive
  full-duplex
  no cdp enable
  !
  interface Serial1/0
  ip address 172.24.2.5 255.255.255.0
  no ip directed-broadcast
  no ip mroute-cache
  no keepalive
  fair-queue 64 256 0
  framing c-bit
  cablelength 10
  dsu bandwidth 44210
  clock source internal
  no cdp enable
  crypto map s1first
  !
  ip route 10.1.3.0 255.255.255.0 Tunnel1
  ip route 10.1.6.0 255.255.255.0 Tunnel1
  !
  access-list 101 permit gre host 172.24.2.5 host 172.17.2.4
  !
  line con 0
  transport input none
  line aux 0
  line vty 0 4
  login
  !
  end
  Extranet外聯(lián)網(wǎng)配置:
  Figure 3-9: Extranet VPN Scenario Physical Elements
  
  
  Headquarters Router配置:
  hq-sanjose# show running-config
  Building configuration...
  
  Current configuration:
  !
  version 12.0
  service timestamps debug uptime
  service timestamps log uptime
  no service password-encryption
  !
  hostname hq-sanjose
  !
  boot system flash bootflash:
  boot bootldr bootflash:c7100-boot-mz.120-1.1.T
  boot config slot0:hq-sanjose-cfg-small
  no logging buffered
  !
  crypto isakmp policy 1
  authentication pre-share
  lifetime 84600
  crypto isakmp key test12345 address 172.24.2.5
  crypto isakmp key test67890 address 172.23.2.7
  !
  crypto ipsec transform-set proposal1 ah-sha-hmac esp-des esp-sha-hmac
  ode transport
  !
  crypto ipsec transform-set proposal4 ah-sha-hmac esp-des esp-sha-hmac
  !
  !
  crypto map s1first local-address Serial1/0
  crypto map s1first 1 ipsec-isakmp
  set peer 172.24.2.5
  set transform-set proposal1
  match address 101
  !
  crypto map s4second local-address Serial2/0
  crypto map s4second 2 ipsec-isakmp
  set peer 172.23.2.7
  set transform-set proposal4
  match address 111
  !
  interface Tunnel0
  bandwidth 180
  ip address 172.17.3.3 255.255.255.0
  no ip directed-broadcast
  tunnel source 172.17.2.4
  tunnel destination 172.24.2.5
  crypto map s1first
  !
  interface FastEthernet0/0
  ip address 10.1.3.3 255.255.255.0
  no ip directed-broadcast
  no keepalive
  full-duplex
  no cdp enable
  !
  interface FastEthernet0/1
  ip address 10.1.6.4 255.255.255.0
  no ip directed-broadcast
  ip nat inside
  no keepalive
  full-duplex
  no cdp enable
  !
  interface Serial1/0

熱詞搜索:

上一篇:IP sec的VPN考配置
下一篇:VPN的QoS

分享到: 收藏