[Main text]
The friendship of classmates is never forgotten!

The Application of VPN Technology in the Enterprise Network
Concord University College, Fujian Normal University
Department of Information Technology, Electronic Information Engineering
124132008057 Huang Lin
Tutor: Zhang Meiqiong

[Abstract] A VPN builds a private network over public links: with the help of encryption technology it sets up a data transmission tunnel, which allows remote access to the central network without leasing any dedicated line and lets enterprises cut their expenditure substantially. With VPN technology, remote users can conveniently reach the corresponding network resources as long as they have Internet access. To prevent disclosure of private information and to guarantee the security and stability of the data, everything transmitted between the VPN server and the client is encrypted. Because of these advantages, VPN has been widely adopted by enterprises. In addition, a multicast environment was built on the laboratory prototype to verify certain research on the application of multicast technology. Tests on both the simulator and the laboratory prototype essentially achieved the design goals.
However, many technologies could still be added to this design of a campus network and its multicast application; if these were applied, the campus network and the multicast technology would be more complete. Through the study of this topic, the expected requirements were basically realized. Of course, this project only carried out some simple research on campus network design and multicast application; compared with real campus network construction, its functionality is not sufficient. Nevertheless, this research gives a certain understanding of campus network construction, which will be useful when building campus networks in practice later. Likewise, this project only carried out some simple research on the design and application of a VPN network; relative to the VPN networks that real enterprises actually build, its functionality is far from enough. But through this research we have gained an understanding of how enterprise VPN networks are formed, which will play a role in building VPNs in practice in the future.

I hereby express my most sincere respect and gratitude to teacher XXX! At the same time, during my four years of university life I benefited deeply from the care, protection and earnest teaching of all my teachers. Their guidance out of confusion was like a spring breeze; as elders, their thorough care leaves me deeply grateful.

Furthermore, I should master more knowledge of network security and keep improving my abilities. First, when the design was started, my command of the simulation tool Xiaofan was not yet adequate, and I took many detours.

However, its transmission quality can be well guaranteed. This design is divided into two major functional modules, MPLS VPN and IPsec VPN. Of these, IPsec VPN is a VPN technology now in fairly widespread use; because it does not require leasing a dedicated line from a carrier, its cost is relatively low, and at the same time it provides data encryption so that the data has robust security while in transit.

Figure 6-30 Testing connectivity to the external network

Router C simulates the internal network of head office C to test whether the external network can be accessed normally; as can be seen, the expected result is achieved.

CZ(config)# interface lo0
CZ(config-if)# ip nat inside
CZ(config-if)# exit
CZ(config)# interface s0/2
CZ(config-if)# ip nat outside
CZ(config-if)# exit

C(config)# interface lo0
C(config-if)# ip nat inside
C(config-if)# exit
C(config)# interface s0/2
C(config-if)# ip nat outside
C(config-if)# exit

CZ(config)# access-list 101 deny ip
It can be seen that the data is transmitted successfully and the expected result is achieved: the VPN tunnel between C and branch company C has been established. Because of some of the company's business, internal hosts need to be able to access the external network, so NAT is configured on the router for the internal hosts. After NAT is configured, however, the VPN that worked before stops passing traffic. The reason is the order in which the router processes packets:

A: packets entering the router: ACL -> VPN decryption -> NAT -> policy routing -> normal routing
B: packets leaving the router: NAT -> VPN encryption -> ACL -> policy routing -> normal routing

Therefore, when configuring NAT, the defined VPN traffic must be denied in the NAT access list; otherwise the traffic goes through NAT first, and after the overload translation the VPN will not work:

C(config)# access-list 100 deny ip

Figure 6-31 Triggering interesting traffic

As the figure above shows, when the interesting traffic is used to ping, two packets are lost; this is because the router is matching the interesting traffic. By doing this, it specifies which traffic flows are to be protected, and how they are encrypted when sent to and received from the IPsec peer.

C(config)# crypto ipsec transform-set set10 esp-3des esp-sha-hmac   // define the transform set
C(cfg-crypto-trans)# mode tunnel   // tunnel mode
CZ(config)# crypto ipsec transform-set set10 esp-3des esp-sha-hmac   // define the transform set
CZ(cfg-crypto-trans)# mode tunnel   // tunnel mode

Step 4: Configure the crypto access list. The crypto access list specifies the traffic that will be protected by the IPsec transforms in the transform set.

C(config)# crypto isakmp policy 1
C(config-isakmp)# authentication pre-share
C(config-isakmp)# encryption 3des
C(config-isakmp)# hash md5
C(config-isakmp)# group 2
C(config-isakmp)# exit
CZ(config)# crypto isakmp policy 1   // set the policy priority
CZ(config-isakmp)# authentication pre-share   // authenticate with a pre-shared key
CZ(config-isakmp)# encryption 3des   // encryption is Triple DES
CZ(config-isakmp)# hash md5   // hash is MD5
CZ(config-isakmp)# group 2   // Diffie-Hellman group 2
CZ(config-isakmp)# exit   // leave this mode

Figure 6-29 ISAKMP policy information

Step 3: Configure the IPsec transform set. The transform set specifies the encryption parameters used by the IPsec SAs negotiated during IKE Phase 2. The IKE policy specifies the encryption parameters used during IKE negotiation. The pre-shared key should be an alphanumeric string and must be identical on both peer routers.

Test between BZ and B, simulating branch company B and head office B:

Figure 6-27 Testing connectivity

The test result is shown above; the expected result is achieved.

Figure 6-25 Label assignment for routes

The traceroute command is used to view the label exchange between B_PE and its neighbours. During data transmission, the LDP protocol runs automatically to assign a label to each route.