The L2TP clients and the L2TP server establish an IPSec security association (SA) that uses the ESP protocol to encrypt all data sent from the client to UDP port 1701 on the L2TP server. The packets are decrypted only after the L2TP tunnel server receives them.

Part III Designing Network Configurations (p. 204)

Table 12-4 External Firewall Filters to Access an L2TP Tunnel Server

Protocol | Transport Protocol | Source IP | Source Port | Target IP   | Target Port | Action
IKE      | UDP                | Any       | 500         | 23.16.18.17 | 500         | Allow
AH       | ID 51              | Any       | N/A         | 23.16.18.17 | N/A         | Allow
ESP      | ID 50              | Any       | N/A         | 23.16.18.17 | N/A         | Allow

AH is required only if the IPSec SA for the L2TP tunnel requires AH protection.

After the L2TP tunnel clients connect to the L2TP server, the RADIUS server located on the private network at IP address 192.168.222.3 authenticates the client. After the tunnel client is successfully authenticated, the tunnel client is assigned an IP address in the 23.16.18.128/25 address range. To allow this access, the firewall rules shown in Table 12-5 must be configured at the internal firewall.

Table 12-5 Internal Firewall Rules to Access an L2TP Tunnel Server

Protocol              | Transport Protocol | Source IP       | Source Port | Target IP        | Target Port | Action
RADIUS Authentication | UDP                | 23.16.18.17     | Any         | 192.168.222.3    | 1812        | Allow
RADIUS Accounting     | UDP                | 23.16.18.17     | Any         | 192.168.222.3    | 1813        | Allow
Internal Access       | Any                | 23.16.18.128/25 | Any         | 192.168.222.0/24 | Any         | Allow

Deploying firewall rules for clients that support NAT-T

If the tunnel clients and tunnel server support NAT traversal (NAT-T), you can deploy private network addressing in the DMZ, as shown in Figure 12-4.

Chapter 12 Designing Demilitarized Zones with Multiple Firewalls (p. 205)

[Figure 12-4 A two-firewall DMZ for L2TP services that support NAT-T. Labels in the figure: Internet and external client; DMZ 192.168.223.0/24 with the tunnel server at 192.168.223.22; private network 192.168.222.0/24 with the internal server, clients and the RADIUS server at 192.168.222.3; external address 23.16.16.5.]

As with a PPTP tunnel server, you must first define static address mappings at the external firewall to ensure that the NAT discovery (NAT-D) and NAT-T traffic is redirected to the tunnel server in the DMZ. These static address mappings are shown in Table 12-6.

Table 12-6 L2TP with NAT-T Static Address Mapping

External IP Address | Transport
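The following Python model is an added example and is not code from the book. It encodes the filter sets of Tables 12-4 (external firewall) and 12-5 (internal firewall) as first-match rule lists with an implicit deny, then evaluates constructed sample packets against them. The sample addresses 198.51.100.7 (a remote client) and 192.168.222.10 (an internal host), the ephemeral source ports, and the `Packet`/`Rule`/`decide` names are all assumptions made for the example; the tunnel server, RADIUS server and address ranges come from the tables. It shows why cleartext L2TP on UDP 1701 is not admitted at the external firewall (it travels inside ESP), why the tunnel server itself reaches only the RADIUS ports while authenticated clients in 23.16.18.128/25 reach the whole private network, and why an IKE packet whose source port has been rewritten by a NAT fails the Table 12-4 filter, which is the situation the NAT-T section addresses.

```python
# Added example (not from the book): a model of the two-firewall L2TP/IPSec
# rule sets in Tables 12-4 and 12-5, evaluated against constructed sample packets.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                      # "udp", "tcp", "ah" (IP protocol 51) or "esp" (IP protocol 50)
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None  # None for AH/ESP, which carry no port numbers
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str                # transport protocol, or "any"
    src: str                  # host address or CIDR block, or "any"
    src_port: Optional[int]   # None means any port
    dst: str
    dst_port: Optional[int]
    action: str = "allow"


def _in_scope(spec: str, ip: str) -> bool:
    """True when ip falls inside spec ("any", a host address or a CIDR block)."""
    return spec == "any" or ip_address(ip) in ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if not (_in_scope(rule.src, pkt.src_ip) and _in_scope(rule.dst, pkt.dst_ip)):
        return False
    if rule.src_port is not None and rule.src_port != pkt.src_port:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "deny", "implicit deny"


TUNNEL_SERVER = "23.16.18.17"      # DMZ address of the L2TP tunnel server (Table 12-4)
RADIUS_SERVER = "192.168.222.3"    # RADIUS server on the private network (Table 12-5)
CLIENT_POOL = "23.16.18.128/25"    # addresses assigned to authenticated tunnel clients
PRIVATE_NET = "192.168.222.0/24"

# Table 12-4: the external firewall admits only the IKE negotiation and the
# IPSec-protected payload; L2TP itself (UDP 1701) is never exposed in the clear.
EXTERNAL_RULES = [
    Rule("IKE", "udp", "any", 500, TUNNEL_SERVER, 500),
    Rule("AH", "ah", "any", None, TUNNEL_SERVER, None),
    Rule("ESP", "esp", "any", None, TUNNEL_SERVER, None),
]

# Table 12-5: the internal firewall lets the tunnel server reach RADIUS only, and
# lets authenticated tunnel clients (by assigned address) reach the private network.
INTERNAL_RULES = [
    Rule("RADIUS Authentication", "udp", TUNNEL_SERVER, None, RADIUS_SERVER, 1812),
    Rule("RADIUS Accounting", "udp", TUNNEL_SERVER, None, RADIUS_SERVER, 1813),
    Rule("Internal Access", "any", CLIENT_POOL, None, PRIVATE_NET, None),
]


def decide(firewall: str, pkt: Packet) -> Tuple[str, str]:
    """Evaluate a packet at the "external" or "internal" firewall."""
    rules = EXTERNAL_RULES if firewall == "external" else INTERNAL_RULES
    return evaluate(rules, pkt)


# Constructed sample traffic; 198.51.100.7 and 192.168.222.10 are made-up addresses.
SAMPLES = [
    ("external", Packet("udp", "198.51.100.7", TUNNEL_SERVER, 500, 500)),      # IKE negotiation
    ("external", Packet("esp", "198.51.100.7", TUNNEL_SERVER)),                # protected L2TP
    ("external", Packet("udp", "198.51.100.7", TUNNEL_SERVER, 1701, 1701)),    # L2TP outside IPSec
    ("external", Packet("udp", "198.51.100.7", TUNNEL_SERVER, 61001, 500)),    # IKE with NAT-rewritten source port
    ("internal", Packet("udp", TUNNEL_SERVER, RADIUS_SERVER, 50122, 1812)),    # RADIUS authentication
    ("internal", Packet("tcp", TUNNEL_SERVER, "192.168.222.10", 50123, 445)),  # tunnel server itself
    ("internal", Packet("tcp", "23.16.18.130", "192.168.222.10", 50124, 445)), # authenticated tunnel client
]

if __name__ == "__main__":
    for firewall, pkt in SAMPLES:
        action, why = decide(firewall, pkt)
        print(f"{firewall:8} {pkt.proto:4} {pkt.src_ip}:{pkt.src_port} -> "
              f"{pkt.dst_ip}:{pkt.dst_port}  {action} ({why})")
```

Running the block prints one decision per sample packet. The two denials at the internal firewall are the point of the two-table split: the tunnel server's own address is not in 23.16.18.128/25, so a compromise of the server yields RADIUS reachability and nothing else, while tunnel clients are trusted only once they hold an address from the authenticated pool.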