VPN Tunnel Load Balancing Configuration Guide


IP Address Load Balancing Configuration Guide for VPNs

In a VPN network, configuring IP address load balancing is an important task. Configured properly, it allocates resources efficiently and improves network performance and reliability.

This article introduces the concept of IP address load balancing in VPNs, describes the configuration method, and gives practical guidance. Follow the steps described below when configuring.

I. The concept of IP address load balancing

IP address load balancing is a technique for distributing traffic across a network. It spreads traffic over multiple destination IP addresses so that resources are used evenly. In a VPN it is mainly used to distribute user requests across different VPN servers, improving response time and network capacity.

II. How to configure IP address load balancing

1. Configure the load balancing device. First, a dedicated load balancer is needed. It can be a hardware appliance or a software solution; choose one that fits the actual requirements and budget.

2. Define the IP address pool. On the load balancer, define an IP address pool: the set of available addresses over which traffic is distributed. Size the pool according to the actual number of VPN servers and users.

3. Configure the traffic distribution policy. The distribution policy decides how user requests are spread across the VPN servers. Common policies are round-robin, weighted round-robin and least connections; choose the one that suits your network environment and requirements.

4. Put load balancing into operation. With the above in place, load balancing can be enabled. The load balancer then starts distributing user requests across the VPN servers according to the distribution policy. Because it monitors network state in real time and adjusts the distribution dynamically according to load, it can keep the VPN network running efficiently and stably.

III. Practical guidance for IP address load balancing

1. Estimate the number of users. Before configuring IP address load balancing, estimate the actual number of users. This helps determine how many IP addresses are needed, the performance required of the load balancer, and how the distribution policy should be set.

2. Monitor and adjust regularly. After configuration, monitor network state and load regularly, and adjust and optimise promptly according to the results to keep the network performing well and stable.
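The three distribution policies named above, as an added illustration that is not part of the original guide: round-robin, weighted round-robin (the smooth variant, so a weight-3 member is picked three times as often as a weight-1 member without the picks being bunched) and least connections, all applied to a pool in which a member failing its health check is skipped. The server addresses, weights and the `VpnPool` class are constructed for the example.

```python
"""Traffic distribution strategies for a pool of VPN servers.

Added example (not from the original guide): round-robin, smooth weighted
round-robin and least-connections over a pool whose unhealthy members are
skipped. Addresses and weights are constructed sample values.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class VpnServer:
    address: str
    weight: int = 1          # used only by weighted round-robin
    healthy: bool = True     # cleared by a health check; the member is then skipped
    active_conns: int = 0    # tracked for least-connections
    current_weight: int = 0  # scratch state for smooth weighted round-robin


class VpnPool:
    """The IP address pool plus the distribution strategies applied to it."""

    def __init__(self, servers: List[VpnServer]) -> None:
        self.servers = servers
        self._rr_next = 0

    def _live(self) -> List[VpnServer]:
        return [s for s in self.servers if s.healthy]

    def round_robin(self) -> Optional[VpnServer]:
        """Hand out live servers in turn, regardless of load or weight."""
        live = self._live()
        if not live:
            return None
        server = live[self._rr_next % len(live)]
        self._rr_next += 1
        return server

    def weighted_round_robin(self) -> Optional[VpnServer]:
        """Smooth weighted round-robin: every pick adds each server's weight to
        its running score, picks the highest score, then subtracts the total
        weight from the winner, so picks are interleaved in weight proportion."""
        live = self._live()
        if not live:
            return None
        total = sum(s.weight for s in live)
        for s in live:
            s.current_weight += s.weight
        chosen = max(live, key=lambda s: s.current_weight)
        chosen.current_weight -= total
        return chosen

    def least_connections(self) -> Optional[VpnServer]:
        """Pick the live server currently carrying the fewest sessions."""
        live = self._live()
        if not live:
            return None
        return min(live, key=lambda s: s.active_conns)

    def connect(self, strategy: str) -> Optional[str]:
        """Assign a new user session with the named strategy and record it."""
        picker = {
            "round-robin": self.round_robin,
            "weighted-round-robin": self.weighted_round_robin,
            "least-connections": self.least_connections,
        }[strategy]
        server = picker()
        if server is None:
            return None
        server.active_conns += 1
        return server.address

    def disconnect(self, address: str) -> None:
        """Release a session so least-connections sees the lower load."""
        for s in self.servers:
            if s.address == address and s.active_conns > 0:
                s.active_conns -= 1


def simulate(strategy: str, sessions: int) -> List[Optional[str]]:
    """Run a fresh pool through `sessions` assignments and return the servers
    chosen, in order. One member is marked unhealthy to show it is skipped."""
    pool = VpnPool([
        VpnServer("10.0.0.1", weight=3),
        VpnServer("10.0.0.2", weight=1),
        VpnServer("10.0.0.3", weight=1, healthy=False),
    ])
    return [pool.connect(strategy) for _ in range(sessions)]


if __name__ == "__main__":
    for name in ("round-robin", "weighted-round-robin", "least-connections"):
        print(f"{name:22s} {simulate(name, 8)}")
```

With a fresh pool, least-connections and round-robin produce the same order; the difference shows once sessions are long-lived and unevenly released, which is why `disconnect` is part of the model.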

VPN Server Configuration Explained

With a VPN, staff outside the office can connect at any time to the company's VPN server and from there to the internal network. The "Routing and Remote Access" service in Windows 2003 provides a software-based VPN.

A VPN (Virtual Private Network) establishes a temporary, secure, simulated point-to-point connection across a public network such as the Internet. It is an information tunnel through the public network, and data can travel through that tunnel securely, which is why it is sometimes called a "network within a network". The key to secure transmission is that a VPN uses a tunnelling protocol; the commonly used ones today are PPTP, L2TP and IPsec.

The setup here is a Windows 2003 server and client connected to the Internet over ADSL; the client establishes the VPN connection to the server across the Internet. The VPN server needs two network cards, one on the internal network and one on the external network.

Authentication: defines which users may access server resources through the VPN. In a domain, authentication is performed on the DC.

Authorization: checks whether the client is allowed to dial in to the server and whether it meets the dial-in conditions (time, protocol, and so on).

How the VPN works:
1. The VPN client sends a request to the VPN server (a request to dial in).
2. The VPN server asks the DC to authenticate the user and then obtains the authorization information.
3. The VPN server answers the client's dial-up request.
4. The VPN server and client establish the connection and begin transferring data.

In a workgroup model the VPN server performs authentication itself: the dial-in request is checked against the local SAM database.

1. Protocols used by the VPN (tunnelling protocols): PPTP, L2TP.
2. PPTP: Point-to-Point Tunneling Protocol, uses Microsoft Point-to-Point Encryption (MPPE) (the default) and is intended for the Internet. L2TP: no encryption by default; to encrypt, combine it with IPsec. Intended for the Internet, X.25 and ATM.

User account dial-in permission: the conditions, permissions and profile together determine whether a client may dial into the VPN network.

How to Set Up a VPN on a Router

Router VPN configuration manual. The router can provide two kinds of VPN connection based on the PPTP protocol.

Client-to-site VPN: one or more of your computers are on an external network and need to dial into the headquarters network; put simply, an external computer dials the headquarters network.

Site-to-site VPN: a VPN connection between the LAN of a branch office and the LAN of headquarters; put simply, the branch network dials into the headquarters network.

The advantage of site-to-site VPN is that only the routers at the two ends need to bring up a single VPN tunnel between branch and headquarters. There is no limit on the number of computers in the branch network, and internal computers can reach headquarters resources over the tunnel without dialling themselves.

I. Client-to-site VPN configuration

1. Headquarters router configuration. The router supports VPN dial-in over dynamic ADSL as well as over a static IP address. The dynamic ADSL case is shown here; with a static address the dynamic DNS step is not needed.

Because the ADSL address is dynamic and the public IP changes after every reconnection, the user needs to register a dynamic domain name. Free dynamic domain names are available from providers such as 花生壳 (Oray). Once registered, log in to the router, go to "Advanced Options" > "Dynamic DNS", enter the registered domain name and save the settings (see figure). Click "Save" for the rule to take effect.

Log in to "Virtual Private Network", choose "PPTP Server" and tick "Enable PPTP Service". Under "PPTP Server Settings" > "PPTP client address range", enter the IP addresses that will be assigned to VPN users when they dial into this LAN; the range must lie within the LAN's internal address range and must not already be in use. Click "Save" for the rule to take effect (see figure).

Go to "PPTP User Management", click "Add New Rule", assign an account and password to the dial-in user, and click "Save" for the rule to take effect (see figure). The router's "Dynamic DNS" and "VPN Server" configuration is now complete; restart the router for the configuration to take effect.

2. Dial-up client settings (Windows XP as the example). Click "Start" > "Settings", then choose "Create a new connection" under "Network Connections" (the New Connection Wizard).

When the wizard appears, click "Next"; choose "Connect to the network at my workplace" and click "Next"; choose "Virtual Private Network connection" and click "Next"; enter the company name and click "Next"; enter the dynamic domain name registered by headquarters, or, if headquarters has a static IP address, enter the VPN server's IP address directly.

IPsec VPN Peer Redundancy with SLB Load Balancing: Lab Configuration

Routers SPOKE1 and SPOKE2 use their loopback0 interfaces to simulate the remote sites' internal networks; VPNHUB1 and VPNHUB2 simulate the VPN gateways; SLB-server simulates the SLB server; Internal-client's loopback0 simulates an internal server; and Internet simulates the Internet.

To keep the configuration simple the IPsec VPN in this lab is EZVPN. The IPsec VPN configuration on the two VPNHUBs must be identical, because they cannot know in advance which remote will terminate on them.

To avoid asymmetric routing inside the VPNHUBs' internal network, that network runs a dynamic routing protocol (OSPF), and each hub's VPN reverse-route must be redistributed into OSPF. This prevents the asymmetric routing that this topology could otherwise produce.

SPOKE1 configuration

    SPOKE1#sh run
    Building configuration...
    Current configuration : 1243 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname SPOKE1
    !
    boot-start-marker
    boot-end-marker
    !
    no aaa new-model
    memory-size iomem 5
    !
    ip cef
    !
    crypto ipsec client ezvpn xinjialove
     connect manual
     group xinjialove key xinjialove
     mode network-extension
     peer 172.16.2.1
     xauth userid mode interactive
    !
    interface Loopback0
     ip address 1.1.1.1 255.255.255.255
     crypto ipsec client ezvpn xinjialove inside
    !
    interface FastEthernet0/0
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    interface Serial1/0
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial1/1
     ip address 172.16.1.1 255.255.255.0
     serial restart-delay 0
     crypto ipsec client ezvpn xinjialove
    !
    interface Serial1/2
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial1/3
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface FastEthernet2/0
     no ip address
     duplex auto
     speed auto
    !
    no ip http server
    no ip http secure-server
    !
    ip route 0.0.0.0 0.0.0.0 Serial1/1
    !
    control-plane
    !
    line con 0
     logging synchronous
    line aux 0
    line vty 0 4
    !
    end

SPOKE2 configuration

    SPOKE2#sh run
    Building configuration...
    Current configuration : 1084 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname SPOKE2
    !
    boot-start-marker
    boot-end-marker
    !
    no aaa new-model
    ip cef
    no ip domain lookup
    !
    crypto ipsec client ezvpn xinjialove
     connect manual
     group xinjialove key xinjialove
     mode network-extension
     peer 172.16.2.1
     xauth userid mode interactive
    !
    interface Loopback0
     ip address 2.2.2.2 255.255.255.255
     crypto ipsec client ezvpn xinjialove inside
    !
    interface Serial1/0
     ip address 172.16.3.1 255.255.255.0
     serial restart-delay 0
     crypto ipsec client ezvpn xinjialove
    !
    interface Serial1/1
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial1/2
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial1/3
     no ip address
     shutdown
     serial restart-delay 0
    !
    ip http server
    no ip http secure-server
    !
    ip route 0.0.0.0 0.0.0.0 Serial1/0
    !
    control-plane
    !
    line con 0
     logging synchronous
    line aux 0
    line vty 0 4
    !
    end

VPNHUB1 configuration

    VPNHUB1#sh run
    Building configuration...
    Current configuration : 1723 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname VPNHUB1
    !
    boot-start-marker
    boot-end-marker
    !
    aaa new-model
    !
    aaa authentication login xinjialove local
    aaa authorization network xinjialove local
    !
    aaa session-id common
    memory-size iomem 5
    !
    ip cef
    no ip domain lookup
    !
    username cisco password 0 cisco
    !
    crypto isakmp policy 10
     hash md5
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group xinjialove
     key xinjialove
    !
    crypto ipsec transform-set xinjialove esp-des esp-md5-hmac
    !
    crypto dynamic-map xinjialove 10
     set transform-set xinjialove
     reverse-route
    !
    crypto map xinjialove client authentication list xinjialove
    crypto map xinjialove isakmp authorization list xinjialove
    crypto map xinjialove 10 ipsec-isakmp dynamic xinjialove
    !
    interface FastEthernet0/0
     ip address 192.168.3.1 255.255.255.0
     duplex auto
     speed auto
    !
    interface Serial1/0
     ip address 192.168.1.2 255.255.255.0
     serial restart-delay 0
     crypto map xinjialove
    !
    interface Serial1/1
     no ip address
     serial restart-delay 0
    !
    interface Serial1/2
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial1/3
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface FastEthernet2/0
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    router ospf 1
     log-adjacency-changes
     redistribute static subnets
     network 192.168.1.0 0.0.0.255 area 0
     network 192.168.3.0 0.0.0.255 area 0
    !
    ip http server
    no ip http secure-server
    !
    ip route 0.0.0.0 0.0.0.0 Serial1/0
    !
    control-plane
    !
    line con 0
     logging synchronous
    line aux 0
    line vty 0 4
    !

HUBVPN2 configuration

    HUBVPN2#sh run
    Building configuration...
    Current configuration : 1686 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname HUBVPN2
    !
    boot-start-marker
    boot-end-marker
    !
    aaa new-model
    !
    aaa authentication login xinjialove local
    aaa authorization network xinjialove local
    !
    aaa session-id common
    !
    resource policy
    !
    ip cef
    !
    no ip domain lookup
    !
    username cisco password 0 cisco
    !
    crypto isakmp policy 10
     hash md5
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group xinjialove
     key xinjialove
    !
    crypto ipsec transform-set xinjialove esp-des esp-md5-hmac
    !
    crypto dynamic-map xinjialove 10
     set transform-set xinjialove
     reverse-route
    !
    crypto map xinjialove client authentication list xinjialove
    crypto map xinjialove isakmp authorization list xinjialove
    crypto map xinjialove 10 ipsec-isakmp dynamic xinjialove
    !
    interface FastEthernet0/0
     ip address 192.168.3.2 255.255.255.0
     duplex half
    !
    interface Serial1/0
     ip address 192.168.2.2 255.255.255.0
     serial restart-delay 0
     crypto map xinjialove
    !
    interface Serial1/1
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial1/2
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial1/3
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface FastEthernet2/0
     no ip address
     shutdown
     duplex half
    !
    router ospf 1
     log-adjacency-changes
     redistribute static subnets
     network 192.168.0.0 0.0.255.255 area 0
    !
    ip route 0.0.0.0 0.0.0.0 Serial1/0
    no ip http server
    no ip http secure-server
    !
    logging alarm informational
    !
    control-plane
    !
    line con 0
     logging synchronous
     stopbits 1
    line aux 0
     stopbits 1
    line vty 0 4
    !
    end

SLB-server configuration

    SLB-server#sh run
    Building configuration...
    Current configuration : 1331 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname SLB-server
    !
    boot-start-marker
    boot-end-marker
    !
    no aaa new-model
    !
    resource policy
    !
    ip cef
    ip slb serverfarm IPSECVPN
     real 192.168.1.2
      weight 1
      maxconns 100
      inservice
     real 192.168.2.2
      weight 1
      maxconns 100
      inservice
    !
    ip slb vserver IPSEC-ESP
     virtual 172.16.2.1 udp 4500
     serverfarm IPSECVPN
     sticky 100 group 1    # the sticky group keeps one remote's IKE and IPsec flows bound to the same hub, so their paths are not asymmetric
     inservice
    !
    ip slb vserver IPSEC-ISAKMP
     virtual 172.16.2.1 udp 500
     serverfarm IPSECVPN
     sticky 100 group 1
     inservice
    !
    no ip domain lookup
    !
    interface FastEthernet0/0
     no ip address
     shutdown
     duplex half
    !
    interface Serial1/0
     ip address 172.16.2.1 255.255.255.0
     serial restart-delay 0
    !
    interface Serial1/1
     ip address 192.168.2.1 255.255.255.0
     serial restart-delay 0
    !
    interface Serial1/2
     ip address 192.168.1.1 255.255.255.0
     serial restart-delay 0
    !
    interface Serial1/3
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface FastEthernet2/0
     no ip address
     shutdown
     duplex half
    !
    ip route 0.0.0.0 0.0.0.0 Serial1/0
    no ip http server
    no ip http secure-server
    !
    logging alarm informational
    !
    control-plane
    !
    line con 0
     logging synchronous
     stopbits 1
    line aux 0
     stopbits 1
    line vty 0 4
    !
    end

Internet configuration

    Internet#sh run
    Building configuration...
    Current configuration : 921 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Internet
    !
    boot-start-marker
    boot-end-marker
    !
    no aaa new-model
    !
    resource policy
    !
    ip cef
    !
    no ip domain lookup
    !
    interface FastEthernet0/0
     no ip address
     shutdown
     duplex half
    !
    interface Serial1/0
     ip address 172.16.1.2 255.255.255.0
     serial restart-delay 0
    !
    interface Serial1/1
     ip address 172.16.2.2 255.255.255.0
     serial restart-delay 0
    !
    interface Serial1/2
     ip address 172.16.3.2 255.255.255.0
     serial restart-delay 0
    !
    interface Serial1/3
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface FastEthernet2/0
     no ip address
     shutdown
     duplex half
    !
    no ip http server
    no ip http secure-server
    !
    logging alarm informational
    !
    control-plane
    !
    line con 0
     logging synchronous
     stopbits 1
    line aux 0
     stopbits 1
    line vty 0 4
    !
    end

Test 1: SPOKE1 initiates the EZVPN connection to the VPN hub

    SPOKE1#crypto ipsec client ezvpn connect xinjialove
    SPOKE1#
    *Mar  1 00:02:38.235: EZVPN(xinjialove): Pending XAuth Request, Please enter the following command:
    *Mar  1 00:02:38.239: EZVPN: crypto ipsec client ezvpn xauth
    SPOKE1#crypto ipsec client ezvpn xauth
    Username: cisco
    Password:
    SPOKE1#
    *Mar  1 00:02:50.587: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User= Group=xinjialove Client_public_addr=172.16.1.1 Server_public_addr=172.16.2.1 NEM_Remote_Subnets=1.1.1.1/255.255.255.255

    SPOKE1#sh crypto isakmp sa
    dst             src             state          conn-id slot status
    172.16.2.1      172.16.1.1      QM_IDLE              1    0 ACTIVE

    SLB-server#sh ip slb conns
    vserver         prot  client                real                  state     nat
    -------------------------------------------------------------------------------
    IPSEC-ESP       UDP   172.16.1.1:4500       192.168.1.2           ESTAB     S
    IPSEC-ISAKMP    UDP   172.16.1.1:500        192.168.1.2           ESTAB     S
    SLB-server#

    VPNHUB1#sh crypto isakmp sa
    dst             src             state          conn-id slot status
    192.168.1.2     172.16.1.1      QM_IDLE              1    0 ACTIVE

Connectivity test

    SPOKE1#ping 3.3.3.3 source loop 0
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
    Packet sent with a source address of 1.1.1.1
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 216/251/288 ms

    VPNHUB1#sh ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route

    Gateway of last resort is 0.0.0.0 to network 0.0.0.0

         1.0.0.0/32 is subnetted, 1 subnets
    S       1.1.1.1 [1/0] via 172.16.1.1                                   # HUBVPN1 reverse-route
         3.0.0.0/32 is subnetted, 1 subnets
    O       3.3.3.3 [110/2] via 192.168.3.3, 00:21:59, FastEthernet0/0
    C    192.168.1.0/24 is directly connected, Serial1/0
    O    192.168.2.0/24 [110/65] via 192.168.3.2, 00:21:59, FastEthernet0/0
    C    192.168.3.0/24 is directly connected, FastEthernet0/0
    S*   0.0.0.0/0 is directly connected, Serial1/0
    VPNHUB1#

    Internal-clinet#sh ip route
    (route legend omitted; identical to the one above)

    Gateway of last resort is not set

         1.0.0.0/32 is subnetted, 1 subnets
    O E2    1.1.1.1 [110/20] via 192.168.3.1, 00:21:37, FastEthernet0/0   # HUBVPN1 reverse-route redistributed into OSPF
         3.0.0.0/32 is subnetted, 1 subnets
    C       3.3.3.3 is directly connected, Loopback0
    O    192.168.1.0/24 [110/65] via 192.168.3.1, 00:22:26, FastEthernet0/0
    O    192.168.2.0/24 [110/65] via 192.168.3.2, 00:22:26, FastEthernet0/0
    C    192.168.3.0/24 is directly connected, FastEthernet0/0
    Internal-clinet#

Test 2: SPOKE2 initiates the EZVPN connection to the VPN hub

    SPOKE2#crypto ipsec client ezvpn connect xinjialove
    SPOKE2#
    *Mar  1 00:26:16.363: EZVPN(xinjialove): Pending XAuth Request, Please enter the following command:
    *Mar  1 00:26:16.367: EZVPN: crypto ipsec client ezvpn xauth
    SPOKE2#crypto ipsec client ezvpn xauth
    Username: cisco
    Password:
    SPOKE2#
    *Mar  1 00:26:36.827: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User= Group=xinjialove Client_public_addr=172.16.3.1 Server_public_addr=172.16.2.1 NEM_Remote_Subnets=2.2.2.2/255.255.255.255
    SPOKE2#
    SPOKE2#sh crypto isakmp sa
    dst             src             state          conn-id slot status
    172.16.2.1      172.16.3.1      QM_IDLE              1    0 ACTIVE
    SPOKE2#

    SLB-server#sh ip slb conns
    vserver         prot  client                real                  state     nat
    -------------------------------------------------------------------------------
    IPSEC-ESP       UDP   172.16.1.1:4500       192.168.1.2           ESTAB     S
    IPSEC-ESP       UDP   172.16.3.1:4500       192.168.2.2           ESTAB     S
    IPSEC-ISAKMP    UDP   172.16.1.1:500        192.168.1.2           ESTAB     S
    IPSEC-ISAKMP    UDP   172.16.3.1:500        192.168.2.2           ESTAB     S
    SLB-server#

    HUBVPN2#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    192.168.2.2     172.16.3.1      QM_IDLE           1001    0 ACTIVE

    IPv6 Crypto ISAKMP SA
    HUBVPN2#

Connectivity test

    SPOKE2#ping 3.3.3.3 so loop 0
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
    Packet sent with a source address of 2.2.2.2
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 336/1065/1604 ms
    SPOKE2#

    HUBVPN2#sh ip route
    (route legend omitted; identical to the one above)

    Gateway of last resort is 0.0.0.0 to network 0.0.0.0

         1.0.0.0/32 is subnetted, 1 subnets
    O E2    1.1.1.1 [110/20] via 192.168.3.1, 00:28:45, FastEthernet0/0   # HUBVPN1 reverse-route redistributed into OSPF
         2.0.0.0/32 is subnetted, 1 subnets
    S       2.2.2.2 [1/0] via 172.16.3.1                                   # HUBVPN2 reverse-route
         3.0.0.0/32 is subnetted, 1 subnets
    O       3.3.3.3 [110/2] via 192.168.3.3, 00:29:24, FastEthernet0/0
    O    192.168.1.0/24 [110/65] via 192.168.3.1, 00:29:24, FastEthernet0/0
    C    192.168.2.0/24 is directly connected, Serial1/0
    C    192.168.3.0/24 is directly connected, FastEthernet0/0
    S*   0.0.0.0/0 is directly connected, Serial1/0

    Internal-clinet#sh ip route
    (route legend omitted; identical to the one above)

    Gateway of last resort is not set

         1.0.0.0/32 is subnetted, 1 subnets
    O E2    1.1.1.1 [110/20] via 192.168.3.1, 00:29:07, FastEthernet0/0   # HUBVPN1 reverse-route redistributed into OSPF
         2.0.0.0/32 is subnetted, 1 subnets
    O E2    2.2.2.2 [110/20] via 192.168.3.2, 00:04:50, FastEthernet0/0   # HUBVPN2 reverse-route redistributed into OSPF
         3.0.0.0/32 is subnetted, 1 subnets
    C       3.3.3.3 is directly connected, Loopback0
    O    192.168.1.0/24 [110/65] via 192.168.3.1, 00:29:56, FastEthernet0/0
    O    192.168.2.0/24 [110/65] via 192.168.3.2, 00:29:56, FastEthernet0/0
    C    192.168.3.0/24 is directly connected, FastEthernet0/0
    Internal-clinet#
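Why the two vservers share `sticky 100 group 1`, as an added example that is not part of the lab write-up: a simplified model of the SLB's per-flow dispatch. The IKE exchange (UDP 500) and the NAT-T/ESP flow (UDP 4500) from one spoke are separate flows; without a shared sticky group the round-robin predictor can send them to different hubs, the hub that holds the ISAKMP SA never sees the ESP traffic, and the tunnel carries no data. With the shared group, a spoke's second flow follows its first, which is exactly what the `sh ip slb conns` output above shows. The `Slb` and `RealServer` classes, the logical clock and the flow order are constructed for the example; the addresses are the lab's.

```python
"""Sticky binding on an SLB in front of two IPsec hubs.

Added example (not from the lab write-up): a model of `ip slb vserver ...
sticky <seconds> group <n>` with equal-weight reals, so the predictor is
plain round-robin. The flow list is a constructed sample in which each spoke
opens ISAKMP (500) first and NAT-T/ESP (4500) second; the clock is logical.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class RealServer:
    address: str
    maxconns: int = 100   # as in the serverfarm: a full real is skipped
    conns: int = 0


@dataclass
class Slb:
    reals: List[RealServer]
    sticky_timeout: Optional[int] = None   # seconds of idle before a binding expires; None = no stickiness
    _next: int = 0
    # (sticky group, client address) -> (real address, last time seen)
    _sticky: Dict[Tuple[int, str], Tuple[str, int]] = field(default_factory=dict)

    def _round_robin(self) -> Optional[RealServer]:
        """Next real with spare capacity, or None when the farm is full."""
        for _ in range(len(self.reals)):
            real = self.reals[self._next % len(self.reals)]
            self._next += 1
            if real.conns < real.maxconns:
                return real
        return None

    def dispatch(self, group: int, client: str, dport: int, now: int) -> Optional[str]:
        """Pick the real server for a new flow from `client` to `dport` on a
        vserver that belongs to sticky `group`. Because both vservers share the
        group, the destination port plays no part in the binding."""
        key = (group, client)
        if self.sticky_timeout is not None:
            bound = self._sticky.get(key)
            if bound is not None and now - bound[1] <= self.sticky_timeout:
                self._sticky[key] = (bound[0], now)   # refresh the idle timer
                return bound[0]
        real = self._round_robin()
        if real is None:
            return None
        real.conns += 1
        if self.sticky_timeout is not None:
            self._sticky[key] = (real.address, now)
        return real.address


# Constructed sample flows: (client, destination port, arrival time).
FLOWS = [
    ("172.16.1.1", 500, 0),
    ("172.16.1.1", 4500, 1),
    ("172.16.3.1", 500, 2),
    ("172.16.3.1", 4500, 3),
]


def run(sticky: bool) -> Dict[str, List[Optional[str]]]:
    """Return, per spoke, the real server chosen for each of its flows."""
    slb = Slb([RealServer("192.168.1.2"), RealServer("192.168.2.2")],
              sticky_timeout=100 if sticky else None)
    result: Dict[str, List[Optional[str]]] = {}
    for client, dport, t in FLOWS:
        result.setdefault(client, []).append(slb.dispatch(1, client, dport, t))
    return result


def split_spokes(sticky: bool) -> List[str]:
    """Spokes whose IKE and ESP flows landed on different hubs (tunnel broken)."""
    return [client for client, reals in run(sticky).items() if len(set(reals)) > 1]


if __name__ == "__main__":
    print("with sticky group:   ", run(True), "split:", split_spokes(True))
    print("without sticky group:", run(False), "split:", split_spokes(False))
```

The idle timer matters operationally: `sticky 100` keeps the binding for 100 seconds after the last packet, so a spoke that goes quiet for longer and then rekeys may be balanced to the other hub, which is harmless only because both hubs carry the identical IPsec configuration.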

VPN Configuration Explained

Configuring a VPN network. A VPN (Virtual Private Network) is an extension of a private network that includes shared or public network connections such as the Internet. It lets two computers exchange data across a shared or public network in a way that simulates a point-to-point private connection. Because it offers good confidentiality and resistance to interference, allowing both parties a free and secure point-to-point connection, it has attracted wide attention from network administrators.

I. How to configure the VPN server

1. Getting started: for a Windows 2000 machine to accept VPN dial-in from clients, the VPN server must be configured. In the left pane select "SERVER" (the server name), right-click it and choose "Configure and Enable Routing and Remote Access".

2. If this server was configured before and you need to start over, right-click "SERVER" (the server name) and choose "Disable Routing and Remote Access" to stop the service so it can be reconfigured.

3. In the configuration wizard, under "Common Configurations", select "Virtual private network (VPN) server" so that users can reach this server over a public network such as the Internet.

4. In the "Remote Client Protocols" dialog the TCP/IP protocol should normally already be present; simply select "Yes, all of the required protocols are on this list" and click "Next".

5. The system then asks you to choose the Internet connection this server uses; select the connection method from the list (for example an existing dial-up connection or a specific network card) and click "Next".

6. When asked "How do you want IP addresses to be assigned to remote clients?", choose "From a specified range of addresses" (recommended) unless a DHCP server is already installed on the server side.

7. Then, following the prompts, enter the starting address of the range to assign to clients and "Add" it to the list, for example "192.168.0.80 to 192.168.0.90". Note that this range must be in the same subnet as the server's own IP address, that is, the leading "192.168.0" part must be identical.

8. Finally choose "No, I don't want to set up this server to use RADIUS now" to complete the setup.

Digi TransPort to Cisco VPN Tunnel Configuration Guide

Quick Note 054: Digi TransPort to Cisco VPN Tunnel using OpenSSL certificates. February 2021

1.1 Outline

[Diagram: Server, Digi TransPort WR]

This document describes how to create and upload SSL certificates and configure Digi TransPort WR and Cisco routers to build an IPsec VPN tunnel.

1.2 Assumptions

This guide has been written for use by technically competent personnel with a good understanding of the communications technologies used in the product and of the requirements for their specific application. It also assumes a basic ability to access and navigate a Digi TransPort router.

This application note applies only to:
Model: Digi TransPort WR41/44/21. Digi TransPort WR41 routers must have the "Encryption" option; Digi TransPort WR21 routers must run Enterprise firmware. Firmware versions: 5169 and later.
Model: Cisco router running Advanced Enterprise Image. Firmware versions: 15.9.

Please note: This application note has been specifically rewritten for firmware release 5169 and later and will not work on earlier versions of firmware. Please contact ********************* if you require assistance in upgrading the firmware of the TransPort router.

1.3 Corrections

Requests for corrections or amendments to this application note are welcome and should be addressed to: *********************. Requests for new application notes can be sent to the same address.

3 Certificates creation

If you already have certificates available, you can skip to section 3.2.

3.1 Generate test certificates using OpenSSL and XCA

Download and install the latest release of XCA, which can be found at: /projects/xca/

3.1.1 Create a Root CA certificate

Open the XCA application.
1. Click the File menu and select New Database, choose a name and click Save.
2. Choose a password and click OK.
3. Click the Certificates tab.
4. Click the New Certificate button.
5. Under "Template for the new certificate", select default CA and click Apply all.
6. Go to the Subject tab, fill in all the information, then click the Generate a new key button and click OK.
7. The certificate should now appear in the window with the CA: YES confirmation. If it does not say CA: YES, verify that you selected CA in the template and clicked Apply all.

3.1.2 Create a CA-signed host certificate (Cisco router, responder)

1. Click the Certificates tab.
2. Click the New Certificate button.
3. Under Signing, make sure to select "Use this Certificate for signing" and choose the previously created CA.
4. Under "Template for the new certificate", select default HTTPS_server and click Apply all.
5. Go to the Subject tab, fill in all the information, then click the Generate a new key button and click OK.
6. The certificate should now appear in the window under the CA certificate.

3.1.3 Create a CA-signed client certificate (Digi TransPort WR, initiator)

1. Click the Certificates tab.
2. Click the New Certificate button.
3. Under Signing, make sure to select "Use this Certificate for signing" and choose the previously created CA.
4. Under "Template for the new certificate", select default HTTPS_client and click Apply all.
5. Go to the Subject tab, fill in all the information, then click the Generate a new key button and click OK.
6. The certificate should now appear in the window under the CA certificate.

3.1.4 Export the certificates and keys in PEM format

1. Select the Certificates tab.
2. Highlight the DigiCA certificate and click the Export button.
3. In the Certificate export window, select PEM as the export format, change the filename to cacert.pem and click OK.
4. Repeat the previous step for the host and client certificates, naming them certh.pem and certcl.pem respectively.
5. Select the Private Keys tab.
6. Highlight the host certificate's key and click the Export button.
7. In the Key export window, select PEM as the export format, check the box "Export the private part of the key too", change the filename to privh.pem and click OK.

Please note: Cisco routers require the private key to be encrypted. Make sure to check the box "Encrypt the key with a password" when exporting the key for the Cisco device (privh.pem) and specify a passphrase.

XCA encrypts the exported key with AES by default, but the Cisco needs DES or 3DES, so the key has to be converted. On any Linux host with openssl installed, run:

    openssl rsa -in privh.pem -out privh.pem -des3

8. Repeat the previous step for the client key and name it privcl.pem.

The following files should now be available:
- cacert.pem: CA root certificate
- certh.pem: Cisco (responder) certificate
- certcl.pem: TransPort WR (initiator) certificate
- privh.pem: Cisco (responder) private key (password encrypted)
- privcl.pem: TransPort WR (initiator) private key

Please note: It is important that the file names do not exceed the 8.3 format and that the file types and names are kept as above, because the TransPort router searches for these names and loads them into certificate management automatically.

4 Digi TransPort configuration

4.1 Upload SSL certificates to the Digi TransPort WR (initiator)

4.1.1 Upload the certificates via FTP

Open an FTP connection to the TransPort router that you wish to update (this example uses FileZilla). Transfer the certificate files to the root directory of the TransPort.

4.1.2 Upload the certificates via the web GUI

Open a web browser to the IP address of Digi TransPort router A (initiator).

Administration > X.509 Certificate Management > Certificate Authorities (CAs): click the Browse button, select the location of cacert.pem and click Upload. The CA certificate should now appear under Installed Certificate Authority Certificates.

Administration > X.509 Certificate Management > IPSec/SSH/HTTPS Certificates: click the Browse button, select the location of certcl.pem and click Upload. The certificate should now appear under Installed Certificates.

Administration > X.509 Certificate Management > Key Files: click the Browse button and select the location of privcl.pem. Under Filename, type privcl.pem and click Upload.

4.2 Configure the VPN tunnel settings on the Digi TransPort WR (initiator)

Enable IPsec on PPP 1 (mobile interface): Configuration - Network > Interfaces > Mobile.

Configuration - Network > Virtual Private Networking (VPN) > IPsec > IPsec Tunnels > IPsec 0-9 > IPsec 0. Click Apply and Save to save the settings.

Configuration - Network > Virtual Private Networking (VPN) > IPsec > IKE > IKE 1. Click Apply and Save to save the settings.

Configuration - Network > Virtual Private Networking (VPN) > IPsec > IKE > IKE 1 > Advanced: enter the private key file name. Click Apply and Save to save the settings.

The values entered on these pages correspond to the eroute 1 and ike 1 lines of the TransPort configuration listed in section 7.

5 Cisco configuration

5.1 Import the certificates and private key

5.1.1 Create a trustpoint for the CA root certificate

    cisco(config)#crypto ca trustpoint digiroot
    cisco(ca-trustpoint)#enrollment terminal pem
    cisco(ca-trustpoint)#exit

5.1.2 Import the CA root certificate into the trustpoint just created, by copy and paste

    cisco(config)#crypto ca authenticate digiroot
    Enter the base 64 encoded CA certificate.
    End with a blank line or the word "quit" on a line by itself
    -----BEGIN CERTIFICATE-----
    XXXXXXXXXXXXXXXXXXXXXXXXXXX
    -----END CERTIFICATE-----
    quit
    Certificate has the following attributes:
    Fingerprint: xxxxxxx
    % Do you accept this certificate? [yes/no]: yes
    Trustpoint CA certificate accepted.
    % Certificate successfully imported

Make sure that the certificate starts and ends as shown.

5.1.3 Create a trustpoint for the public certificate and the private key

    cisco(config)#crypto ca trustpoint digitest
    cisco(ca-trustpoint)#enrollment terminal pem
    cisco(ca-trustpoint)#exit

5.1.4 Import the public certificate into the trustpoint just created, by copy and paste

    cisco(config)#crypto pki import digitest pem terminal password digi
    % Enter PEM-formatted CA certificate.
    % End with a blank line or "quit" on a line by itself.
    -----BEGIN CERTIFICATE-----
    xxxxxx
    -----END CERTIFICATE-----
    quit
    % Enter PEM-formatted encrypted private General Purpose key.
    % End with "quit" on a line by itself.
    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,XXXXXXXXXXXXX

    xxxxx
    -----END RSA PRIVATE KEY-----
    quit
    % Enter PEM-formatted General Purpose certificate.
    % End with a blank line or "quit" on a line by itself.
    -----BEGIN CERTIFICATE-----
    xxxxx
    -----END CERTIFICATE-----
    quit
    % PEM files import succeeded.

The last argument of the command is the password that was used for the private key when the certificates were created. First, re-enter the CA certificate; second, enter the private key; third, enter the public certificate.

5.2 Configure the tunnel

Set the "our ID" type and configure the trustpoint for IKE use:

    cisco(config)#crypto pki trustpoint digiroot
    cisco(ca-trustpoint)# enrollment terminal pem
    cisco(ca-trustpoint)# usage ike
    cisco(ca-trustpoint)# revocation-check none

Set the Phase 1 and Phase 2 policy to match the configuration of the TransPort:

    cisco(config)#crypto isakmp policy 1
    cisco(config-isakmp)# encr aes 256
    cisco(config-isakmp)# hash sha256
    cisco(config-isakmp)# group 2
    cisco(config-isakmp)#crypto isakmp identity hostname
    cisco(config)#crypto isakmp keepalive 10

Tunnel mode and Phase 2 transform set:

    cisco(config)#crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
    cisco(cfg-crypto-trans)# mode tunnel

Configure SA timers and create the dynamic map:

    cisco(cfg-crypto-trans)#crypto call admission limit ike sa 6000
    cisco(config)#crypto call admission limit ike in-negotiation-sa 3000
    cisco(config)#crypto dynamic-map mydynmap 1
    cisco(config-crypto-map)# set security-association lifetime seconds 86400
    cisco(config-crypto-map)# set security-association idle-time 28200
    cisco(config-crypto-map)# set transform-set myset
    cisco(config-crypto-map)#set pfs group2
    cisco(config-crypto-map)#crypto map mymap1 10 ipsec-isakmp dynamic mydynmap

Configure the WAN interface and enable IPsec:

    cisco(config)#interface FastEthernet0/1
    cisco(config-if)# ip address 192.168.10.254 255.255.255.248
    cisco(config-if)# speed auto
    cisco(config-if)# duplex auto
    cisco(config-if)# crypto map mymap1

Configure the default route:

    ip route 0.0.0.0 0.0.0.0 82.82.182.182

Configure certificate security attribute-based access control, so that only a certificate whose subject contains these values may bring the tunnel up:

    cisco(config)#crypto pki certificate map digitest 10
    cisco(ca-certificate-map)# subject-name co o = digi
    cisco(ca-certificate-map)# subject-name co ou = support
    cisco(ca-certificate-map)# subject-name co cn = wrdigiuk

The Cisco is now configured and the tunnel should come up.

6 Testing

This section shows that the IPsec tunnel has been established. The TransPort event log will show the IPsec tunnel is up.

Management - Event Log

    14:49:48, 25 Feb 2014,(2) IKE SA Removed. Peer: wrdigiuk,Successful Negotiation
    14:49:18, 25 Feb 2014,Eroute 0 VPN up peer: wrdigiuk
    14:49:18, 25 Feb 2014,New IPSec SA created by wrdigiuk

Management - Connections > Virtual Private Networking (VPN) > IPsec > IPsec Tunnels > IPsec Tunnels 0 - 9

Navigate to the above page, where the status of the newly established IPsec tunnel(s) can be seen. The first column shows the tunnel number the tunnel is connected on.

6.1 Confirm traffic traverses the IPsec tunnel

This section shows traffic passing across the tunnel. The easiest test is an ICMP Echo Request/Reply (ping) from the LAN of Router A (initiator) to the Ethernet interface of Router B (responder).

Administration > Execute a command

    ping 192.168.10.254 -e0

Using -e0 specifies that the source address is taken from Ethernet 0, which is the LAN negotiated in the IPsec tunnel.

    Command: ping 192.168.10.254 -e0
    Command result
    Pinging Addr [192.168.10.254]
    sent PING # 1
    PING receipt # 1 : response time 0.26 seconds
    Iface: PPP 1
    Ping Statistics
    Sent : 1
    Received : 1
    Success : 100 %
    Average RTT : 0.26 seconds
    OK

7 Configuration files

Digi TransPort WR21:

    eroute 1 descr "Cert Tunnel"
    eroute 1 peerip "1.2.3.4"
    eroute 1 peerid "wrdigiuk"
    eroute 1 ourid "wrdigide"
    eroute 1 locip "192.168.1.0"
    eroute 1 locmsk "255.255.255.0"
    eroute 1 remip "192.168.10.0"
    eroute 1 remmsk "255.255.255.0"
    eroute 1 ESPauth "MD5"
    eroute 1 ESPenc "AES"
    eroute 1 authmeth "RSA"
    eroute 1 nosa "TRY"
    eroute 1 autosa 2
    eroute 1 ikecfg 1
    eroute 1 dhgroup 2
    eroute 1 enckeybits 256
    eroute 1 privkey "privcl.pem"
    eroute 1 debug ON
    ike 1 encalg "AES"
    ike 1 keybits 256
    ike 1 ikegroup 2
    ike 1 privrsakey "privcl.pem"
    ike 1 delmode 3

Cisco:

    version 15.9
    service timestamps debug datetime msec
    service timestamps log datetime msec
    !
    hostname cisco
    !
    boot-start-marker
    boot-end-marker
    !
    enable password cisco
    !
    multilink bundle-name authenticated
    !
    crypto pki trustpoint digiroot
     enrollment terminal pem
     usage ike
     revocation-check none
    !
    crypto pki trustpoint digitest
     enrollment pkcs12
     revocation-check none
     rsakeypair digitest
     match certificate digitest
    !
    crypto pki certificate map digitest 10
     subject-name co o = digi
     subject-name co ou = support
     subject-name co cn = wrdigiuk
    !
    crypto pki certificate chain digiroot
     certificate ca 01
      xxxxx
      quit
    crypto pki certificate chain digitest
     certificate 02
      xxxx
      quit
     certificate ca 01
      xxx
      quit
    !
    ip tcp synwait-time 5
    !
    crypto isakmp policy 1
     encr aes 256
     hash sha256
     group 2
    crypto isakmp identity hostname
    crypto isakmp keepalive 10
    !
    crypto ipsec security-association lifetime seconds 900
    crypto ipsec security-association idle-time 910
    !
    crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
     mode tunnel
    !
    crypto call admission limit ike sa 6000
    !
    crypto call admission limit ike in-negotiation-sa 3000
    !
    crypto dynamic-map mydynmap 1
     set security-association lifetime seconds 86400
     set security-association idle-time 28200
     set transform-set myset
     set pfs group2
    !
    crypto map mymap1 10 ipsec-isakmp dynamic mydynmap
    !
    interface Loopback0
     ip address 10.100.0.1 255.255.255.255
    !
    interface FastEthernet0/0
     ip address 10.0.0.1 255.255.255.0
     speed auto
     duplex auto
    !
    interface FastEthernet0/1
     ip address 192.168.10.254 255.255.255.248
     speed auto
     duplex auto
     crypto map mymap1
    !
    ip forward-protocol nd
    !
    no ip http server
    no ip http secure-server
    ip route 0.0.0.0 0.0.0.0 82.82.182.182
    !
    control-plane
    !
    line con 0
     exec-timeout 0 0
     privilege level 15
     logging synchronous
     stopbits 1
    line aux 0
     exec-timeout 0 0
     privilege level 15
     logging synchronous
     stopbits 1
    line vty 0 4
     password cisco
     login
    line vty 5 10
     password cisco
     login
    !
    end
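Three of the requirements in the note above (section 3.1.4 and section 5.2) are easy to get wrong before anything is loaded on either router, so here is an added pre-flight check, not part of the Digi application note: the Cisco-bound private key must be DES or 3DES encrypted (XCA exports AES, hence the `openssl rsa ... -des3` step), the file names must fit the 8.3 format the TransPort searches for, and the initiator's certificate subject must satisfy the `crypto pki certificate map digitest` rules, otherwise the responder rejects the peer. The `preflight` function, its helpers and the PEM samples are constructed for the example (placeholder bodies, not real keys); the IOS map operators `eq`, `ne`, `co` and `nc` are the ones IOS provides for `subject-name`.

```python
"""Pre-flight checks on the certificate bundle before it is loaded.

Added example, not part of the Digi application note. It checks three things
the note calls out: the Cisco-bound private key must be DES or 3DES encrypted
(XCA exports AES by default), the file names must fit the 8.3 format the
TransPort expects, and the initiator's certificate subject must satisfy the
Cisco `crypto pki certificate map` rules (IOS operators eq, ne, co, nc).
The PEM bodies are constructed placeholders, not real keys.
"""
import re
from typing import Dict, List, Optional, Tuple

# Ciphers the responder accepts for a PEM private key pasted at the terminal.
CISCO_KEY_CIPHERS = {"DES-CBC", "DES-EDE3-CBC"}

# 8.3 name: up to 8 characters, optional extension of up to 3.
_NAME_8_3 = re.compile(r"^[A-Za-z0-9_-]{1,8}(\.[A-Za-z0-9]{1,3})?$")

# The note's certificate map, as (attribute, operator, value) triples.
DIGITEST_MAP = [("o", "co", "digi"), ("ou", "co", "support"), ("cn", "co", "wrdigiuk")]


def key_cipher(pem: str) -> Optional[str]:
    """Cipher named in the DEK-Info header of a traditional (PKCS#1) encrypted
    RSA key, or None if the key is unencrypted or in another container."""
    if "BEGIN RSA PRIVATE KEY" not in pem:
        return None
    m = re.search(r"^DEK-Info:\s*([A-Z0-9-]+),", pem, re.MULTILINE)
    return m.group(1) if m else None


def cisco_key_ok(pem: str) -> Tuple[bool, str]:
    """Is this key in a form the responder will import? Returns (ok, detail)."""
    cipher = key_cipher(pem)
    if cipher is None:
        return False, "not a DEK-Info encrypted RSA key; export it encrypted with a passphrase"
    if cipher not in CISCO_KEY_CIPHERS:
        return False, f"{cipher} not accepted; run: openssl rsa -in privh.pem -out privh.pem -des3"
    return True, cipher


def transport_name_ok(filename: str) -> bool:
    """The TransPort locates the files by name, so they must fit 8.3."""
    return bool(_NAME_8_3.match(filename))


def parse_subject(subject: str) -> Dict[str, str]:
    """'CN=wrdigiuk,OU=support,O=digi' -> {'cn': 'wrdigiuk', 'ou': 'support', 'o': 'digi'}."""
    attrs: Dict[str, str] = {}
    for part in subject.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
    return attrs


def certificate_map_matches(rules: List[Tuple[str, str, str]], subject: str) -> bool:
    """Every rule of one map entry must hold, as IOS ANDs the lines of an entry."""
    attrs = parse_subject(subject)
    for attr, op, value in rules:
        actual = attrs.get(attr.lower(), "").lower()
        wanted = value.lower()
        holds = {
            "eq": actual == wanted,
            "ne": actual != wanted,
            "co": wanted in actual,
            "nc": wanted not in actual,
        }[op]
        if not holds:
            return False
    return True


def preflight(host_key_pem: str, filenames: List[str], client_subject: str) -> List[str]:
    """Collect every problem found; an empty list means the bundle is ready."""
    problems: List[str] = []
    ok, detail = cisco_key_ok(host_key_pem)
    if not ok:
        problems.append(f"privh.pem: {detail}")
    for name in filenames:
        if not transport_name_ok(name):
            problems.append(f"{name}: does not fit the 8.3 file name format")
    if not certificate_map_matches(DIGITEST_MAP, client_subject):
        problems.append(f"client subject '{client_subject}' does not match certificate map digitest")
    return problems


# Constructed sample keys (placeholder base64 body, not real key material).
AES_KEY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

cGxhY2Vob2xkZXIgYm9keSwgbm90IGEgcmVhbCBrZXk=
-----END RSA PRIVATE KEY-----
"""
DES3_KEY_PEM = AES_KEY_PEM.replace(
    "AES-256-CBC,0123456789ABCDEF0123456789ABCDEF", "DES-EDE3-CBC,0123456789ABCDEF")

if __name__ == "__main__":
    print(preflight(AES_KEY_PEM, ["cacert.pem", "certificate.pem"], "CN=wrdigiuk,OU=support,O=digi"))
    print(preflight(DES3_KEY_PEM, ["cacert.pem", "certh.pem"], "CN=wrdigiuk,OU=support,O=digi"))
```

The DEK-Info check only recognises the traditional `BEGIN RSA PRIVATE KEY` container, which is what `openssl rsa -des3` writes; a PKCS#8 `BEGIN ENCRYPTED PRIVATE KEY` file is reported as not importable so that it is converted first rather than pasted and rejected at the terminal.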


VPN Tunnel Load Balancing Config
uration Guide

In modern network environments, VPN (Virtual Private Network) tunnel load balancing plays a crucial role. As enterprise networks keep growing and security requirements rise, configuring VPN tunnel load balancing correctly has become an essential skill for network administrators. This article explains how to configure it properly to ensure network reliability and security.

I. Overview

VPN tunnel load balancing distributes network traffic evenly over multiple VPN tunnels to balance load and improve reliability. By spreading traffic across different paths it raises network throughput and response time. The configuration steps are described below.

II. VPN device configuration

1. Configure the VPN tunnels. First, create several tunnels on the VPN device. Depending on network size and requirements, different tunnel types such as IPsec or SSL can be chosen. For each tunnel configure the relevant parameters: tunnel name, local and remote gateway IP addresses, encryption algorithm, and so on.

2. Configure the load balancing algorithm. On the VPN device, configure the algorithm that decides how traffic is distributed. Common algorithms are round-robin, weighted round-robin and least connections; choose and configure the one that fits the situation.

3. Set the load balancing policy. Set the policy according to requirements; policies can be based on conditions such as source IP address, destination IP address and service type. Make sure the configured policy meets the actual requirements and keeps the network balanced and reliable.

III. Network device configuration

1. Network topology planning. Before configuring VPN tunnel load balancing, plan and design the network topology, ensuring connectivity and smooth communication between all network devices. Depending on network size, different topologies such as star or ring can be chosen.

2. Connect the VPN device to the network devices. Connect the VPN device to the network devices and make sure the connection is reliable and stable. Configure according to the device type and interfaces, for example interface IP addresses and routes.

3. Configure load balancing on the network devices. Configure the load balancing function on the network devices to balance VPN traffic. The exact configuration differs by device model and vendor; in general, parameters such as the listening port, server group and load balancing algorithm need to be set.

IV. Security settings

1. Configure access control lists (ACLs). ACLs give fine-grained control over traffic and ensure that only authenticated and authorised users can access the VPN tunnels. ACLs can be configured on conditions such as source IP address, destination IP address and port.

2. Use encryption. To improve the security of the VPN tunnels, encrypt the traffic. Common encryption protocols are IPsec and SSL; choose and configure the one that matches the actual needs and security requirements.

V. Performance tuning

1. Traffic monitoring and analysis. Monitor and analyse network traffic regularly to understand the load. Based on the results, adjust the load balancing policy and parameters to optimise performance.

2. Device upgrades and optimisation. Upgrade and optimise network devices in good time to keep them stable and performing well. Following the vendor's recommendations, upgrade device firmware regularly and tune the device configuration parameters.

3. Troubleshooting. When network faults or problems occur, investigate and resolve them promptly. Network performance monitoring tools and log analysis can be used to locate the problem and take the appropriate corrective action.

VI. Summary

VPN tunnel load balancing is an important means of ensuring the security and performance of enterprise networks. Configured correctly, it markedly improves network reliability and availability. This article has covered the configuration of VPN tunnel load balancing: VPN device configuration, network device configuration, security settings and performance tuning. We hope it helps you understand and configure VPN tunnel load balancing.
