ASA L2TP over IPsec VPN配置(跟图形界面跟命令行,亲测通过)

ASA5500L2TPoverIPsecVPN配置――ZWD1/35ASAL2TPOVERIPSecVPN配置1.ASA防火墙型号和版本信息ASA1(config)#showversionCiscoAdaptiveSecurityApplianceSoftwareVersion8.2(5)DeviceManagerVersion6.4(5)CompiledonFri20-May-1116:00bybuildersSystemimagefileis"disk0:/asa825-k8.bin"Configfileatbootwas"startup-config"ASA1up23hours36minsHardware:ASA5505,512MBRAM,CPUGeode500MHzInternalATACompactFlash,128MBBIOSFlashFirmwareHub@0xffe00000,1024KB2.L2TPoverIPSecVPN测试拓扑与说明1、一台ASA5505防火墙，一台测试PC主机，网线若干；2、公网地址段192.168.1.X/255.255.255.0，模拟Internet环境；3、ASA防火墙内网10.0.0.0/24，Inside接口IP10.0.0.1；4、远程L2TPVPN用户分配10.0.1.0/24地址，与防火墙内部主机交互；ASA5500L2TPoverIPsecVPN配置――ZWD2/353.ASAL2TPoverIPSecVPN配置过程（ASDM图形界面）1、单击菜单Wizards—IPsecvpnWizards...，弹出向导：选择RemoteAccess隧道模式，运行接口为outside，勾选“Enableinbound…”，允许入向IPsec会话不受接口访问控制列表ACL影响，组策略和个人用户认证ACL依然生效。2、选择远程VPN客户端类型：ASA5500L2TPoverIPsecVPN配置――ZWD3/353、输入隧道预共享密钥，L2TPoverIPsec只能使用DefaultRAGroup隧道组：4、选择远程拨号VPN认证类型，本例为本地数据库认证：ASA5500L2TPoverIPsecVPN配置――ZWD4/355、创建认证用户，本例中创建l2tp拨号用户：6、设置远程拨号VPN分配地址池，默认为空，点击New…创建：ASA5500L2TPoverIPsecVPN配置――ZWD5/358、创建l2tp-pool地址池，供远程拨号VPN接入时分配：9、选择好远程拨号VPN地址池后，如下图所示：ASA5500L2TPoverIPsecVPN配置――ZWD6/3510、设置远程拨号VPN的DNS/WINS/默认域名，可选项，可以不用输入：11、指定IKE策略协商类型，按默认值即可：ASA5500L2TPoverIPsecVPN配置――ZWD7/3512、设置免除NAT，允许内部网段与远程VPN直接会话：13、选定内部免除NAT网段，并开启隧道分离（不开启情况下，远程客户端用户无法同时访问其他网络，如Internet），强烈建议开启隧道分离功能。ASA5500L2TPoverIPsecVPN配置――ZWD8/3514、设置完成，弹出所有配置，确认无误后按Finish完成配置。15、ASDM生成配置文件，并给出Warning警告信息。ASA5500L2TPoverIPsecVPN配置――ZWD9/35ASDMIPsecVPN配置向导完成后，需仔细检查Warning警告信息，对于其中的Warning部分要重新进行配置，本例中出现下列警告提示：[WARNING]cryptomapoutside_mapinterfaceoutsidecryptomaphasincompleteentries该警告信息表示加密图配置失败，需手动进行全局命令行配置，补全相关配置：#cryptoipsectransform-setTRANS_ESP_3DES_SHAesp-3desesp-sha-hmac#cryptoipsectransform-setTRANS_ESP_3DES_SHAmodetransport#cryptodynamic-mapoutside_dyn_map10settransform-setTRANS_ESP_3DES_SHA#cryptomapoutside_map10ipsec-isakmpdynamicoutside_dyn_map#cryptoisakmpnat-traversal10//允许L2TPVPN透传(可选)16、L2TPoverIPSecVPN隧道成功创建后，可通过如下界面查看隧道连接信息：17、Configuration—Firewall—NATRules查看免除NAT策略：附ASDM图形界面和CLI命令行配置L2TPoverIPSecVPN设备当前运行配置：4.ASAL2TPoverIPSecVPN后台配置（ASDM图形界面）ASA1(config)#showrun:Saved:ASAVersion8.2(5)!hostnameASA1enablepassword2KFQnbNIdI.2KYOUencryptedASA5500L2TPoverIPsecVPN配置――ZWD10/35passwd2KFQnbNIdI.2KYOUencryptednames!interfaceEthernet0/0switchportaccessvlan2!interfaceEthernet0/1!interfaceEthernet0/2!interfaceEthernet0/3!interfaceEthernet0/4shutdown!interfaceEthernet0/5shutdown!interfaceEthernet0/6shutdown!interfaceEthernet0/7shutdown!interfaceVlan1nameifinsidesecurity-level100ipaddress10.0.0.1255.255.255.0!interfaceVlan2nameifoutsidesecurity-level0ipaddress192.168.1.2255.255.255.0!ftpmodepassiveclocktimezoneCTS8access-listacl-outsideextendedpermiticmpanyanyecho-replyaccess-listDefaultRAGroup_splitTunnelAclstandardpermit10.0.0.0255.255.255.0access-listinside_nat0_outboundextendedpermitip10.0.0.0255.255.255.010.0.1.0ASA5500L2TPoverIPsecVPN配置――ZWD11/35255.255.255.240access-listacl-insideextendedpermiticmpanyanyaccess-listacl-insideextendedpermitipanyanypagerlines24loggingenableloggingbuffereddebuggingloggingasdminformationalmtuinside1500mtuoutside1500iplocalpooll2tp-pool10.0.1.1-10.0.1.10mask255.255.255.0nofailovericmpunreachablerate-limit1burst-size1noasdmhistoryenablearptimeout14400global(outside)1interfacenat(inside)0access-listinside_nat0_outboundnat(inside)10.0.0.00.0.0.0access-groupacl-insideininterfaceinsideaccess-groupacl-outsideininterfaceoutsiderouteoutside0.0.0.00.0.0.0192.168.1.91timeoutxlate3:00:00timeoutconn1:00:00half-closed0:10:00udp0:02:00icmp0:00:02timeoutsunrpc0:10:00h3230:05:00h2251:00:00mgcp0:05:00mgcp-pat0:05:00timeoutsip0:30:00sip_media0:02:00sip-invite0:03:00sip-disconnect0:02:00timeoutsip-provisional-media0:02:00uauth0:05:00absolutetimeouttcp-proxy-reassembly0:01:00timeoutfloating-conn0:00:00dynamic-access-policy-recordDfltAccessPolicyaaaauthenticationtelnetconsoleLOCALaaaauthenticationenableconsoleLOCALaaaauthenticationsshconsoleLOCALaaaauthenticationhttpconsoleLOCALhttpserverenablehttp0.0.0.00.0.0.0insidehttp0.0.0.00.0.0.0outsidenosnmp-serverlocationnosnmp-servercontactsnmp-serverenabletrapssnmpauthenticationlinkuplinkdowncoldstartcryptoipsectransform-setTRANS_ESP_3DES_SHAesp-3desesp-sha-hmacASA5500L2TPoverIPsecVPN配置――ZWD12/35cryptoipsectransform-setTRANS_ESP_3DES_SHAmodetransportcryptoipsectransform-setESP-AES-256-MD5esp-aes-256esp-md5-hmaccryptoipsectransform-setESP-DES-SHAesp-desesp-sha-hmaccryptoipsectransform-setESP-3DES-SHAesp-3desesp-sha-hmaccryptoipsectransform-setESP-DES-MD5esp-desesp-md5-hmaccryptoipsectransform-setESP-AES-192-MD5esp-aes-192esp-md5-hmaccryptoipsectransform-setESP-3DES-MD5esp-3desesp-md5-hmaccryptoipsectransform-setESP-AES-256-SHAesp-aes-256esp-sha-hmaccryptoipsectransform-setESP-AES-128-SHAesp-aesesp-sha-hmaccryptoipsectransform-setESP-AES-192-SHAesp-aes-192esp-sha-hmaccryptoipsectransform-setESP-AES-128-MD5esp-aesesp-md5-hmaccryptoipsecsecurity-associationlifetimeseconds28800cryptoipsecsecurity-associationlifetimekilobytes4608000cryptodynamic-mapSYSTEM_DEFAULT_CRYPTO_MAP65535setpfscryptodynamic-mapSYSTEM_DEFAULT_CRYPTO_MAP65535settransform-setESP-AES-128-SHAESP-AES-128-MD5ESP-AES-192-SHAESP-AES-192-MD5ESP-AES-256-SHAESP-AES-256-MD5ESP-3DES-SHAESP-3DES-MD5ESP-DES-SHAESP-DES-MD5cryptodynamic-mapoutside_dyn_map10settransform-setTRANS_ESP_3DES_SHAcryptomapoutside_map10ipsec-isakmpdynamicoutside_dyn_mapcryptomapoutside_map65535ipsec-isakmpdynamicSYSTEM_DEFAULT_CRYPTO_MAPcryptomapoutside_mapinterfaceoutsidecryptoisakmpenableoutsidecryptoisakmppolicy10authenticationpre-shareencryption3deshashshagroup2lifetime86400nocryptoisakmpnat-traversaltelnet0.0.0.00.0.0.0insidetelnettimeout5ssh0.0.0.00.0.0.0insidessh0.0.0.00.0.0.0outsidesshtimeout60consoletimeout0management-accessinsidedhcpdaddress10.0.0.2-10.0.0.10insidedhcpddns202.96.128.86202.96.128.166interfaceinsidedhcpdlease86400interfaceinsideASA5500L2TPoverIPsecVPN配置――ZWD13/35dhcpdenableinside!threat-detectionbasic-threatthreat-detectionstatisticsaccess-listthreat-detectionstatisticstcp-interceptrate-interval30burst-rate400average-rate200webvpngroup-policyDefaultRAGroupinternalgroup-policyDefaultRAGroupattributesdns-servervalue202.96.128.868.8.8.8vpn-tunnel-protocoll2tp-ipsecsplit-tunnel-policytunnelspecifiedsplit-tunnel-network-listvalueDefaultRAGroup_splitTunnelAclusernametestpasswordDLaUiAX3l78qgoB5c7iVNw==nt-encryptedusernameuserpasswordv5P40l1UGvtJa7Nnencryptedprivilege15usernamel2tppassword31XddrF4FUa04JqfYDr2Jw==nt-encryptedprivilege0usernamel2tpattributesvpn-group-policyDefaultRAGrouptunnel-groupDefaultRAGroupgeneral-attributesaddress-pooll2tp-pooldefault-group-policyDefaultRAGrouptunnel-groupDefaultRAGroupipsec-attributespre-shared-key*****tunnel-groupDefaultRAGroupppp-attributesnoauthenticationchapnoauthenticationms-chap-v1authenticationms-chap-v2!class-mapinspection_defaultmatchdefault-inspection-traffic!!policy-maptypeinspectdnspreset_dns_mapparametersmessage-lengthmaximumclientautomessage-lengthmaximum512policy-mapglobal_policyclassinspection_defaultinspectdnspreset_dns_mapASA5500L2TPoverIPsecVPN配置――ZWD14/35inspectftpinspecth323h225inspecth323rasinspectrshinspectrtspinspectesmtpinspectsqlnetinspectskinnyinspectsunrpcinspectxdmcpinspectsipinspectnetbiosinspecttftpinspectip-options!service-policyglobal_policyglobalprompthostnamecontextnocall-homereportinganonymousCryptochecksum:bd96115429f0d19100d986502808bdb5:endASA1(config)#5.ASAL2TPoverIPSecVPN配置过程（CLI命令行）L2TPVPN配置过程：1、创建隧道分离ACL，源地址为防火墙内网access-listvpn-splitstandardpermit10.0.0.0255.255.255.02、配置免除NAT，对防火墙内网和L2TPVPN地址不进行NAT转换access-listno-natextendedpermitip10.0.0.0255.255.255.010.0.1.0255.255.255.0nat(inside)0access-listno-nat3、配置L2TPVPN拨号地址池，为拨号VPN分配IP地址iplocalpoolvpn-pool10.0.1.1-10.0.1.10mask255.255.255.04、配置ipsec变换集，指定ESP加密类型和认证类型为3DES和SHAcryptoipsectransform-setTRANS_ESP_3DES_SHAesp-3desesp-sha-hmacASA5500L2TPoverIPsecVPN配置――ZWD15/355、指定Ipsec协议变换集工作模式，L2TP必须为transport传输模式cryptoipsectransform-setTRANS_ESP_3DES_SHAmodetransport6、引用ipsec协议变换集定义动态加密图cryptodynamic-mapoutside_dyn_map10settransform-setTRANS_ESP_3DES_SHA7、定义静态加密图并应用到外网接口(outside)cryptomapoutside_map10ipsec-isakmpdynamicoutside_dyn_mapcryptomapoutside_mapinterfaceoutside8、配置IKE协商参数cryptoisakmpenableoutside//外网口启用isakmp协商cryptoisakmppolicy10//创建isakmp策略authenticationpre-share//指定认证方式，预共享密钥encryption3des//指定加密算法hashsha//指定哈希算法group2//指定VPN组别lifetime86400//指定存活时间cryptoisakmpnat-traversal10//开启NAT穿越，keepalive保持为10秒9、配置L2TPVPN组策略，指定DNS、VPN空闲时间/协议类型/隧道分离group-policyl2tp-policyinternalgroup-policyl2tp-policyattributesdns-servervalue202.96.128.868.8.8.8vpn-idle-timeoutnonevpn-tunnel-protocoll2tp-ipsecsplit-tunnel-policytunnelspecifiedsplit-tunnel-network-listvaluevpn-split注：在较低版本ASA中，如不能建立L2TP隧道，请增加IPSec协议类型。10、配置L2TPVPN隧道组（一定要使用DefaultRAGroup组，L2TP不支持其他组），并指定VPN拨号地址池、关联组策略、预共享密钥，L2TP拨号属性（ASA只支持PAP/MS-CHAPv1/MS-CHAPv2），建议选择MS-CHAPv2协议tunnel-groupDefaultRAGroupgeneral-attributesaddress-poolvpn-pooldefault-group-policyl2tp-policytunnel-groupDefaultRAGroupipsec-attributespre-shared-key*****tunnel-groupDefaultRAGroupppp-attributesASA5500L2TPoverIPsecVPN配置――ZWD16/35noauthenticationpapnoauthenticationchapnoauthenticationms-chap-v1authenticationms-chap-v211、配置L2TPVPN拨号用户，指定MS-CHAP验证方式usernameXXXXpasswordXXXXmschap指定L2TPVPN拨号用户属性（可选）usernameXXXXattributesvpn-group-policyl2tp-policyvpn-idle-timeoutnonevpn-tunnel-protocoll2tp-ipsecvpn-framed-ip-address10.0.0.50255.255.255.0//指定L2TP客户端分配IPservice-typenas-prompt6.ASAL2TPoverIPSecVPN后台配置（CLI命令行）ASA1(config)#showrun:Saved:ASAVersion8.2(5)!hostnameASA1enablepassword2KFQnbNIdI.2KYOUencryptedpasswd2KFQnbNIdI.2KYOUencryptednames!interfaceEthernet0/0switchportaccessvlan2!interfaceEthernet0/1!interfaceEthernet0/2!interfaceEthernet0/3!ASA5500L2TPoverIPsecVPN配置――ZWD17/35interfaceEthernet0/4shutdown!interfaceEthernet0/5shutdown!interfaceEthernet0/6shutdown!interfaceEthernet0/7shutdown!interfaceVlan1nameifinsidesecurity-level100ipaddress10.0.0.1255.255.255.0!interfaceVlan2nameifoutsidesecurity-level0ipaddress192.168.1.2255.255.255.0!ftpmodepassiveclocktimezoneCTS8access-listacl-outsideextendedpermiticmpanyanyecho-replyaccess-listno-natextendedpermitip10.0.0.0255.255.255.010.0.1.0255.255.255.0access-listvpn-splitstandardpermit10.0.0.0255.255.255.0access-listacl-insideextendedpermiticmpanyanyaccess-listacl-insideextendedpermitipanyanypagerlines24loggingenableloggingbuffereddebuggingloggingasdminformationalmtuinside1500mtuoutside1500iplocalpoolvpn-pool10.0.1.1-10.0.1.10mask255.255.255.0ipverifyreverse-pathinterfaceinsideipverifyreverse-pathinterfaceoutsidenofailoverASA5500L2TPoverIPsecVPN配置――ZWD18/35icmpunreachablerate-limit1burst-size1noasdmhistoryenablearptimeout14400global(outside)1interfacenat(inside)0access-listno-natnat(inside)10.0.0.00.0.0.0access-groupacl-insideininterfaceinsideaccess-groupacl-outsideininterfaceoutsiderouteoutside0.0.0.00.0.0.0192.168.1.91timeoutxlate3:00:00timeoutconn1:00:00half-closed0:10:00udp0:02:00icmp0:00:02timeoutsunrpc0:10:00h3230:05:00h2251:00:00mgcp0:05:00mgcp-pat0:05:00timeoutsip0:30:00sip_media0:02:00sip-invite0:03:00sip-disconnect0:02:00timeoutsip-provisional-media0:02:00uauth0:05:00absolutetimeouttcp-proxy-reassembly0:01:00timeoutfloating-conn0:00:00dynamic-access-policy-recordDfltAccessPolicyaaaauthenticationtelnetconsoleLOCALaaaauthenticationenableconsoleLOCALaaaauthenticationsshconsoleLOCALaaaauthenticationhttpconsoleLOCALhttpserverenablehttp0.0.0.00.0.0.0insidehttp0.0.0.00.0.0.0outsidenosnmp-serverlocationnosnmp-servercontactsnmp-serverenabletrapssnmpauthenticationlinkuplinkdowncoldstartcryptoipsectransform-setESP-AES-128-SHAesp-aesesp-sha-hmaccryptoipsectransform-setESP-AES-128-MD5esp-aesesp-md5-hmaccryptoipsectransform-setESP-AES-192-SHAesp-aes-192esp-sha-hmaccryptoipsectransform-setESP-AES-192-MD5esp-aes-192esp-md5-hmaccryptoipsectransform-setESP-AES-256-SHAesp-aes-256esp-sha-hmaccryptoipsectransform-setESP-AES-256-MD5esp-aes-256esp-md5-hmaccryptoipsectransform-setESP-3DES-SHAesp-3desesp-sha-hmaccryptoipsectransform-setESP-3DES-MD5esp-3desesp-md5-hmaccryptoipsectransform-setESP-DES-SHAesp-desesp-sha-hmaccryptoipsectransform-setESP-DES-MD5esp-desesp-md5-hmaccryptoipsectransform-setTRANS_ESP_3DES_SHAesp-3desesp-sha-hmaccryptoipsectransform-setTRANS_ESP_3DES_SHAmodetransportASA5500L2TPoverIPsecVPN配置――ZWD19/35cryptoipsecsecurity-associationlifetimeseconds28800cryptoipsecsecurity-associationlifetimekilobytes4608000cryptodynamic-mapoutside_dyn_map10settransform-setTRANS_ESP_3DES_SHAcryptomapoutside_map10ipsec-isakmpdynamicoutside_dyn_mapcryptomapoutside_mapinterfaceoutsidecryptoisakmpenableoutsidecryptoisakmppolicy10authenticationpre-shareencryption3deshashshagroup2lifetime86400cryptoisakmpnat-traversal10telnet0.0.0.00.0.0.0insidetelnettimeout5ssh0.0.0.00.0.0.0insidessh0.0.0.00.0.0.0outsidesshtimeout60consoletimeout0management-accessinsidedhcpdaddress10.0.0.2-10.0.0.10insidedhcpddns202.96.128.86202.96.128.166interfaceinsidedhcpdlease86400interfaceinsidedhcpdenableinside!threat-detectionbasic-threatthreat-detectionstatisticsaccess-listthreat-detectionstatisticstcp-interceptrate-interval30burst-rate400average-rate200webvpngroup-policyDfltGrpPolicyattributesgroup-policyl2tp-policyinternalgroup-policyl2tp-policyattributesdns-servervalue202.96.128.868.8.8.8vpn-tunnel-protocoll2tp-ipsecsplit-tunnel-policytunnelspecifiedsplit-tunnel-network-listvaluevpn-splitusernametest1passwordqs0S0nyHysj8C4U4rtbwWA==nt-encryptedusernametestpasswordDLaUiAX3l78qgoB5c7iVNw==nt-encryptedASA5500L2TPoverIPsecVPN配置――ZWD20/35usernameuserpasswordv5P40l1UGvtJa7Nnencryptedprivilege15usernamel2tppassword31XddrF4FUa04JqfYDr2Jw==nt-encryptedprivilege0usernamel2tpattributesvpn-group-policyl2tp-policyvpn-idle-timeoutnonevpn-tunnel-protocoll2tp-ipsecvpn-framed-ip-address10.0.1.50255.255.255.0service-typenas-prompttunnel-groupDefaultRAGroupgeneral-attributesaddress-poolvpn-pooldefault-group-policyl2tp-policytunnel-groupDefaultRAGroupipsec-attributespre-shared-key*****tunnel-groupDefaultRAGroupppp-attributesnoauthenticationchapnoauthenticationms-chap-v1authenticationms-chap-v2!class-mapinspection_defaultmatchdefault-inspection-traffic!!policy-maptypeinspectdnspreset_dns_mapparametersmessage-lengthmaximumclientautomessage-lengthmaximum512policy-mapglobal_policyclassinspection_defaultinspectdnspreset_dns_mapinspectftpinspecth323h225inspecth323rasinspectrshinspectrtspinspectesmtpinspectsqlnetinspectskinnyinspectsunrpcinspectxdmcpASA5500L2TPoverIPsecVPN配置――ZWD21/35inspectsipinspectnetbiosinspecttftpinspectip-options!service-policyglobal_policyglobalprompthostnamecontextnocall-homereportinganonymousCryptochecksum:f79cfff50e08a933f4d6b31ff3027c74:endASA1(config)#7.思科官方配置范例：L2TPoverIPsecVPNsConfigurationExampleforL2TPoverIPsecUsingASA8.2.5ThefollowingexampleshowsconfigurationfilecommandsthatensureASAcompatibilitywithanativeVPNclientonanyoperatingsystem:iplocalpoolsales_addresses209.165.202.129-209.165.202.158group-policysales_policyinternalgroup-policysales_policyattributeswins-servervalue209.165.201.3209.165.201.4dns-servervalue209.165.201.1209.165.201.2vpn-tunnel-protocoll2tp-ipsectunnel-groupDefaultRAGroupgeneral-attributesdefault-group-policysales_policyaddress-poolsales_addressestunnel-groupDefaultRAGroupipsec-attributespre-shared-key*tunnel-groupDefaultRAGroupppp-attributesnoauthenticationpapauthenticationchapauthenticationms-chap-v1authenticationms-chap-v2cryptoipsectransform-settransesp-3desesp-sha-hmaccryptoipsectransform-settransmodetransportcryptodynamic-mapdyno10settransform-setsettransASA5500L2TPoverIPsecVPN配置――ZWD22/35cryptomapvpn20ipsec-isakmpdynamicdynocryptomapvpninterfaceoutsidecryptoisakmpenableoutsidecryptoisakmppolicy10authenticationpre-shareencryption3deshashshagroup2lifetime86400ConfigurationExampleforL2TPoverIPsecUsingASA8.4.1andlaterThefollowingexampleshowsconfigurationfilecommandsthatensureASAcompatibilitywithanativeVPNclientonanyoperatingsystem:iplocalpoolsales_addresses209.165.202.129-209.165.202.158group-policysales_policyinternalgroup-policysales_policyattributeswins-servervalue209.165.201.3209.165.201.4dns-servervalue209.165.201.1209.165.201.2vpn-tunnel-protocoll2tp-ipsectunnel-groupDefaultRAGroupgeneral-attributesdefault-group-policysales_policyaddress-poolsales_addressestunnel-groupDefaultRAGroupipsec-attributespre-shared-key*tunnel-groupDefaultRAGroupppp-attributesnoauthenticationpapauthenticationchapauthenticationms-chap-v1authenticationms-chap-v2cryptoipsecikev1transform-setmy-transform-set-ikev1esp-desesp-sha-hmaccryptoipsecikev1transform-setmy-transform-set-ikev1modetransportcryptodynamic-mapdyno10setikev1transform-settranscryptomapvpn20ipsec-isakmpdynamicdynocryptomapvpninterfaceoutsidecryptoikev1enableoutsidecryptoikev1policy10ASA5500L2TPoverIPsecVPN配置――ZWD23/35authenticationpre-shareencryption3deshashshagroup2lifetime864008.查看防火墙路由信息ASA1(config)#showrouteCodes:C-connected,S-static,I-IGRP,R-RIP,M-mobile,B-BGPD-EIGRP,EX-EIGRPexternal,O-OSPF,IA-OSPFinterareaN1-OSPFNSSAexternaltype1,N2-OSPFNSSAexternaltype2E1-OSPFexternaltype1,E2-OSPFexternaltype2,E-EGPi-IS-IS,L1-IS-ISlevel-1,L2-IS-ISlevel-2,ia-IS-ISinterarea*-candidatedefault,U-per-userstaticroute,o-ODRP-periodicdownloadedstaticrouteGatewayoflastresortis192.168.1.9tonetwork0.0.0.0S10.0.1.1255.255.255.255[1/0]via192.168.1.220,outside//对端VPN连接信息C10.0.0.0255.255.255.0isdirectlyconnected,insideC192.168.1.0255.255.255.0isdirectlyconnected,outsideS*0.0.0.00.0.0.0[1/0]via192.168.1.9,outsideASA1(config)#未连接远程VPN客户端时路由信息ASA1(config)#showrouteCodes:C-connected,S-static,I-IGRP,R-RIP,M-mobile,B-BGPD-EIGRP,EX-EIGRPexternal,O-OSPF,IA-OSPFinterareaN1-OSPFNSSAexternaltype1,N2-OSPFNSSAexternaltype2E1-OSPFexternaltype1,E2-OSPFexternaltype2,E-EGPi-IS-IS,L1-IS-ISlevel-1,L2-IS-ISlevel-2,ia-IS-ISinterarea*-candidatedefault,U-per-userstaticroute,o-ODRP-periodicdownloadedstaticrouteGatewayoflastresortis192.168.1.9tonetwork0.0.0.0C10.0.0.0255.255.255.0isdirectlyconnected,insideC192.168.1.0255.255.255.0isdirectlyconnected,outsideS*0.0.0.00.0.0.0[1/0]via192.168.1.9,outsideASA1(config)#ASA5500L2TPoverIPsecVPN配置――ZWD24/359.查看防火墙IKE信息ASA1(config)#showcryptoisakmpsa//查看IKEPhase1协商信息（isakmp）ActiveSA:1RekeySA:0(Atunnelwillreport1Activeand1RekeySAduringrekey)TotalIKESA:11IKEPeer:192.168.1.220//远客VPN客户端外网IPType:userRole:responderRekey:noState:MM_ACTIVE//VPN连接状态ASA1(config)#showcryptoipsecsa//查看IKEPhase2协商信息（IPSec）interface:outsideCryptomaptag:outside_dyn_map,seqnum:10,localaddr:192.168.1.2//加密图、序列号localident(addr/mask/prot/port):(192.168.1.2/255.255.255.255/17/1701)remoteident(addr/mask/prot/port):(192.168.1.220/255.255.255.255/17/1701)current_peer:192.168.1.220,username:l2tp//对端外网IP，拨号用户名dynamicallocatedpeerip:10.0.1.1//L2TPVPN客户端分配IP#pktsencaps:21,#pktsencrypt:21,#pktsdigest:21#pktsdecaps:52,#pktsdecrypt:52,#pktsverify:52#pktscompressed:0,#pktsdecompressed:0#pktsnotcompressed:21,#pktscompfailed:0,#pktsdecompfailed:0#post-fragsuccesses:0,#post-fragfailures:0,#fragmentscreated:0#PMTUssent:0,#PMTUsrcvd:0,#decapsulatedfrgsneedingreassembly:0#senderrors:0,#recverrors:0localcryptoendpt.:192.168.1.2,remotecryptoendpt.:192.168.1.220pathmtu1500,ipsecoverhead58,mediamtu1500currentoutboundspi:6D30D00Ecurrentinboundspi:D6E95FE0inboundespsas:spi:0xD6E95FE0(3605618656)transform:esp-3desesp-sha-hmacnocompressioninusesettings={RA,Transport,}slot:0,conn_id:225280,crypto-map:outside_dyn_mapsatiming:remainingkeylifetime(kB/sec):(212396/3569)IVsize:8bytesASA5500L2TPoverIPsecVPN配置――ZWD25/35replaydetectionsupport:YAntireplaybitmap:0x003FFFFF0xFFFFFFFDoutboundespsas:spi:0x6D30D00E(1831915534)transform:esp-3desesp-sha-hmacnocompressioninusesettings={RA,Transport,}slot:0,conn_id:225280,crypto-map:outside_dyn_mapsatiming:remainingkeylifetime(kB/sec):(212400/3569)IVsize:8bytesreplaydetectionsupport:YAntireplaybitmap:0x000000000x00000001ASA1(config)#showvpn-sessiondb?execmodecommands/options:detailShowdetailedoutputemail-proxyEmail-ProxysessionsfullOutputformattedfordatamanagementprogramsindexIndexofsessionl2lIPsecLAN-to-LANsessionsratioShowVPNSessionprotocolorencryptionratiosremoteIPsecRemoteAccessse