VPN的定义 zn%$9  
虚拟专网（VPN-VIRTUAL PRIVATE NETWORK）指的是在公用网络上建立专用网络的技术。之所以称为虚拟网主要是因为整个VPN网络的任意两个节点之间的连接并没有传统专网所需的端到端的物理链路，而是架构在公用网络服务商所提供的网络平台（如INTERNET，ATM，FRAME RELAY等）之上的逻辑网络，用户数据在逻辑链路中传输。 2Exl3f  
&i)NFc]H  

'nKjW
L  
VPN的功能 aAggv+"'  
1、通过隧道（TUNNEL）或虚电路（VIRTUAL CIRCUIT）实现网络互联 z1)JiN  
2、支持用户安全管理 XBnAO6A  
3、能够进行网络监控、故障诊断 LL}yIwIk  
6 w T&;N  
(.^y[]+@?  
VPN解决方案的优点 dGOM^ GZ  
1、省钱：它可以节省长途电话费和长途专线电话费和长途专线网络费可以为用户节省30-25%的 网络应用的开销。 /3 %T L]  
2、选择灵活、速度快：通过vpn网关，用户可以选择多种internet连通技术，而且对于 INTERNET的容量可以实现按需定制； LM0g)`k^  
3、安全性好：VPN的认证机制将更好地保证用户的隐私权和收发数据的完整性； `99dih-7A  
4、实现投资的保护：VPN技术的应用可以建立在用户现有的防火墙的基础上，用户正在使用的 应用软件也不受影响。 8tFyyWrU  
W&hK|5  
6a(z3s2^  
VPN技术原理 K+z`yH,,C  
1、 VPN系统使分布在不同地方的专用网络在不可信任的公共网络上安全的通信。 <q;'I`<p+  
2、 VPN设备根据网管设置的规则，确定是否需要对数据进行加密或让数据直接通过。 !l #Bz`  
3、 对需要加密的数据，VPN设备对整个数据包进行加密和附上数字签名。 J[!PE2X#  
4、 VPN设备加上新的收据包头，其中包括目的地VPN设备需要的安全信息和一些初始化参数。 8$"5} ^b  
5、 VPN设备对加密后的数据、鉴别包以及源IP地址、目标VPN设备IP地址进行重新封装，重新封装后的数据包通过虚拟通道在公网上传输。 JxG)Cak2)m  
6、 当数据包到达目标VPN设备时，数据包被解封装，数据包被解封装，数字签名，数字签名被 核对无误后，收据包被解密。 ?~$3b A:  
$@9 syIfn  
K)H&ck-  
VPN配置实例 D] I_B{

 
K`&U=9Rt}G  
Intranet 内联网配置: Q]M<9Nr  
Figure 3-8: Intranet VPN Scenario Physical Elements okn 8>D|v  
Headquarters Router 配置 Nzb7uK|Z  
hq-sanjose# show running-config #ZlV+x8~  
Building configuration... B?"yq;bIB  
{{=/QKQ;s  
Current configuration: ('Br- "y  
! 6p;_p_2rE  
version 12.0 *!P{<,rW  
service timestamps debug uptime 3}tkPb  
service timestamps log uptime D %UL>  
no service password-encryption Y {Af1\{  
! wd_@We`W  
hostname hq-sanjose krLf0jG2  
! .m*h`z9c  
boot system flash bootflash: )("=IXV  
boot bootldr bootflash:c7100-boot-mz.120-1.1.T /2.O%tdN  
boot config slot0:hq-sanjose-cfg-small >)a{|.@  
no logging buffered #izDgYM  
! W6WtlTW  
crypto isakmp policy 1 f^PelZ7wp  
authentication pre-share 4Mevd#&f  
lifetime 84600 YE56Y{B  
crypto isakmp key test12345 address 172.24.2.5 =1<B^
!+T  
! I~ziXT &  
crypto ipsec transform-set proposal1 ah-sha-hmac esp-des esp-sha-hmac ]Zd[k
mK  
mode transport Wb|rY_t  
! ^nBW$z nK&  
! 75-"+.$xj  
crypto map s1first local-address Serial1/0 .BtvRyp@  
crypto map s1first 1 ipsec-isakmp _o8~$uX  
set peer 172.24.2.5 KEPx4]Cat  
set transform-set proposal1 ^&*@>3s  
match address 101 "oT%eMIe~  
! .-'QnM!  
interface Tunnel0 l/N]\MZdU  
bandwidth 180 Ws.1$k[Xz;  
ip address 172.17.3.3 255.255.255.0 6Vl,2BH(  
no ip directed-broadcast )X`S}XL6  
tunnel source 172.17.2.4 P(^=mxOA  
tunnel destination 172.24.2.5 Ao-sxD) h  
crypto map s1first UC..CG}%5  
! 2C{B:O)  
interface FastEthernet0/0 "^`{[ T  
ip address 10.1.3.3 255.255.255.0 ~'6=tsIv  
no ip directed-broadcast X@0} l!  
no keepalive Yux$+exw  
full-duplex >6+~#k#  
no cdp enable Z6'N.aGh1`  
! q:u $*2  
interface FastEthernet0/1 m1aC9 mVC  
ip address 10.1.6.4 255.255.255.0 ?W'
K4"\S  
no ip directed-broadcast >'|=?BQ  
no keepalive MKQ] r<E  
full-duplex I`)Ec}P  
no cdp enable \T0z8~W@=  
! "u 01+o\  
interface Serial1/0 MV{ix  
ip address 172.17.2.4 255.255.255.0 S:<5 I(Na  
no ip directed-broadcast  ,da^MxO  
no ip mroute-cache /
={(Yo%h  
no keepalive Wo_VT  
fair-queue 64 256 0 Yx0m {LP}  
framing c-bit /IZart:  
cablelength 10 m+F3MPLfM  
dsu bandwidth 44210 g?\[G POB  
clock source internal H'TkTX
  
no cdp enable \=^FxZ1uj  
crypto map s1first @}BJNgg  
! v> |dY A)  
ip route 10.1.4.0 255.255.255.0 Tunnel0 6co$wBBB6  
! J 6pYM_  
access-list 101 permit gre host 172.17.2.4 host 172.24.2.5 hyFPs:bBh  
! ?NFSw|K8  
line con 0 x`0#Z4Ufz  
transport input none ZWAR*(\zK,  
line aux 0 ZLn@prb  
line vty 0 4 Ozv$pO L*  
login 4(n V(8$7}  
! ;Q]n3|gY{  
end 5Vj=x_
 
."JgF  
Remote Office Router 配置: G=&"+F
}B  
ro-rtp# show running-config 22^mG"  
Building configuration... B4c+x_g}  
WEvxB<cp  
Current configuration: Cn>D]
 
! 0G)BS
e  
version 12.0 J0}jCh`J:  
service timestamps debug uptime MDkJ@bBb|  
service timestamps log uptime Ryvo7B!Q  
no service password-encryption {K
 wXu  
! IZG*4H g9Z  
hostname ro-rtp Xati0_eZO  
! {n5^i5o  
boot system flash bootflash: MtniQs4   
boot bootldr bootflash:c7100-boot-mz.120-1.1.T LTDzL)|  
boot config slot0:ro-rtp-cfg-small EbY8lQ>Eb  
no logging buffered c@Sh -xSv  
! D,@SA)xf  
crypto isakmp policy 1 cJf
2gJ1  
authentication pre-share 3ld{nYR:  
lifetime 84600 ~ !Wz^!0W  
crypto isakmp key test12345 address 172.17.2.4 ,L7,fc(hY  
! WX<1WjIp,  
crypto ipsec transform-set proposal1 ah-sha-hmac esp-des esp-sha-hmac ?* 7(RR  
mode transport "[A5  
! "57_c?  
! e6s6bw  
crypto map s1first local-address Serial1/0 $S%>L9>Rz  
crypto map s1first 1 ipsec-isakmp SM0 AnE]/  
set peer 172.17.2.4  _8h@X!f  
set transform-set proposal1 rw}%kQw&-  
match address 101 pmv<E/j6  
! cB1 VcHfxg  
interface Tunnel1 T$%(7>`  
bandwidth 180 /Q 3i=%  
ip address 172.24.3.6 255.255.255.0 Z5[H=*wN  
no ip directed-broadcast ghAi|m^TOa  
tunnel source 172.24.2.5 Pjg yUm  
tunnel destination 172.17.2.4 Ag+3k4|  
crypto map s1first Uj3EReZ !  
! 1<Rxzz$  
interface FastEthernet0/0 %IN6:  
ip address 10.1.4.2 255.255.255.0 Aj-)Y6K  
no ip directed-broadcast t h2. X  
no keepalive ;udxA*  
full-duplex '`CwlX}Q  
no cdp enable F12w$l,vt@  
! 8Z"+lMUH  
interface Serial1/0  9Xaaxk  
ip address 172.24.2.5 255.255.255.0 XmM4T,v  
no ip directed-broadcast 8=8Olm4*  
no ip mroute-cache 0[Bx}^:  
no keepalive c8g5hmto  
fair-queue 64 256 0 2M`Flxt  
framing c-bit 2nd(k1d  
cablelength 10 Ub1LgT/0  
dsu bandwidth 44210 `I gBgU*T9  
clock source internal |4Mlda*  
no cdp enable }z_wMUs  
crypto map s1first jB\{_hRG  
! mU3 Kf`3i  
ip route 10.1.3.0 255.255.255.0 Tunnel1 GqK'mbw-  
ip route 10.1.6.0 255.255.255.0 Tunnel1 )'IU]^  
! HcLW/M7L  
access-list 101 permit gre host 172.24.2.5 host 172.17.2.4 \/2d9Ur[q  
! T^;9_M
F  
line con 0 0%4BP5rn  
transport input none Sd
*Em\G-  
line aux 0 lO)*0NG)%
 
line vty 0 4 V)RCZ|q  
login UlMtoE  
! Sj})=[,S  
end 5bq=vF4  
Extranet外联网配置: 2@YRj&v  
Figure 3-9: Extranet VPN Scenario Physical Elements d"
B'#B  
>Q\YX8EFV  
t8:&$@]  
Headquarters Router配置: kd{
R1+  
hq-sanjose# show running-config KTl;d V.  
Building configuration... eZBHcK|W  
\U
s1>j  
Current configuration: ~`z 1}Jn  
! /Mmc<k\e  
version 12.0 Wj{;6cu*  
service timestamps debug uptime <G%s."P  
service timestamps log uptime Tbl/O`s*Z  
no service password-encryption p'@7|l@/Y  
! T.P[Xw   
hostname hq-sanjose #.p}L2wD  
! Fx!Ud Wf6f  
boot system flash bootflash: GkX\}/_  
boot bootldr bootflash:c7100-boot-mz.120-1.1.T Ee uj?  
boot config slot0:hq-sanjose-cfg-small p2b<..d5oq  
no logging buffered 9s$_0LSjS  
! J|13o,3!  
crypto isakmp policy 1 |2_WC@Se  
authentication pre-share /9F-{ub  
lifetime 84600 (tIyV*  
crypto isakmp key test12345 address 172.24.2.5 _` f{.  
crypto isakmp key test67890 address 172.23.2.7 +}I"IEAF  
! hp&$jsh}  
crypto ipsec transform-set proposal1 ah-sha-hmac esp-des esp-sha-hmac f!9O U/2  
ode transport '8u-n^Xhf  
! m@'J \5[  
crypto ipsec transform-set proposal4 ah-sha-hmac esp-des esp-sha-hmac L"^Q63:  
! =
S], or  
! 83&|/j  
crypto map s1first local-address Serial1/0 t"6XMH.)  
crypto map s1first 1 ipsec-isakmp va~GDuOaWh  
set peer 172.24.2.5 `U7PO>fpU  
set transform-set proposal1 0P9Gj1xflF  
match address 101
@{J+ .q  
! &v+bsWs(G  
crypto map s4second local-address Serial2/0 Vq0AJhPV  
crypto map s4second 2 ipsec-isakmp LOg(qZTl  
set peer 172.23.2.7 =s%$XHB  
set transform-set proposal4 t$3d/@ A,  
match address 111 oW
DW_/x  
! 6U=)arv  
interface Tunnel0 S dV!Vhh  
bandwidth 180 e Ecn<w  
ip address 172.17.3.3 255.255.255.0 @]deQ;\  
no ip directed-broadcast %T:!' L?K  
tunnel source 172.17.2.4 XJvED  
tunnel destination 172.24.2.5 hULey5  
crypto map s1first `CfW@:#`  
! WT#`2W~1  
interface FastEthernet0/0 *rd8%c3  
ip address 10.1.3.3 255.255.255.0 G;FY9%
k  
no ip directed-broadcast Wwlk(aM  
no keepalive e^1zYV8cR  
full-duplex frdA9h'N  
no cdp enable c&fkjrjvj,  
! $ Agk[ML  
interface FastEthernet0/1 .e;i9  
ip address 10.1.6.4 255.255.255.0 l+Z^\@P  
no ip directed-broadcast m$Z{~?Z~L.  
ip nat inside -! ]+Q@J  
no keepalive -WFF0'NyY  
full-duplex N\y% HA  
no cdp enable DR
!VCK  
! "m@&a|0v  
interface Serial1/0 U~bKD_  
ip address 172.17.2.4 255.255.255.0 6."  
no ip directed-broadcast pBa=@O^r  
no ip mroute-cache c@y~=!Ie  
no keepalive w"rO
?%  
fair-queue 64 256 0 8/ix2Q#:  
framing c-bit .rjNhy  
cablelength 10 e]q~_x|  
dsu bandwidth 44210 TB;GxH(P  
clock source internal E%tOVv  
no cdp enable
Qes)_b  
crypto map s1first @yBUA2h^  
! T*rE !nJ  
interface Serial2/0 q8q^9MHX  
ip address 172.16.2.2 255.255.255.0 9V%_^=mf  
no ip directed-broadcast h)4Y*oDq  
ip nat outside ];@4W@ Q
 
no ip mroute-cache )e>KdWx9  
no keepalive \&x|q?$  
fair-queue 64 256 0 o<J u:='  
framing c-bit q {=)Fj\A  
cablelength 10 ksVs'a  
dsu bandwidth 44210 U#dAwF${"9  
clock source internal yE[5u&zx;  
no cdp enable U8+RC`)J  
crypto map s4second Ak}k5RI  
! = ~OEB Wi  
router bgp 10 +z F>  
network 10.2.2.2 mask 255.255.255.0 jOru_6d#l  
network 172.16.2.0 mask 255.255.255.0 %:^ons4 u  
! N;)5i_*  
ip route 10.1.4.0 255.255.255.0 Tunnel0 W`5.t%r  
! [LUh@DKd  
ip nat inside source static 10.1.6.5 10.2.2.2 W#.b$ngK  
! &4pyYXS}2  
access-list 101 permit gre host 172.17.2.4 host 172.24.2.5 qdxgmFD  
access-list 111 permit ip host 10.2.2.2 host 10.1.5.3 dp~Zq,3-G  
! {j(zJg  
line con 0 Gy,`l
y  
transport input none U9G@*\H  
line aux 0 PMbRY3c6  
line vty 0 4 `>@k/D\  
login Yn8-f  
! }Q}C#q%,X  
end QFHb@oi  
iY(Ddgi  
Business Partner Router 配置: &3O|,I=g5  
bus-ptnr# show running-config %O%ox%_TX  
Building configuration... FKuv,   
amb(URptD  
Current configuration: l32\`'#a.  
! Y_a_{  
version 12.0 (^')
csi  
service timestamps debug uptime +EaCijt  
service timestamps log uptime uP 6g  
no service password-encryption AP o8``  
! 0c)Jqa  
hostname bus-ptnr QcD3BN~E  
! -JGpL@+=  
boot system flash bootflash: @n *?9z?r  
boot bootldr bootflash:c7100-boot-mz.120-1.1.T ^WxBGr2pX  
boot config slot0:bus-ptnr-cfg-small VjKQ}  
no logging buffered P 1iMa$E  
! Gl'5 /F_A  
crypto isakmp policy 1 3'<g:E2W^+  
authentication pre-share aJ'VU hW  
lifetime 84600 )I] lu~H`*  
crypto isakmp key test67890 address 172.16.2.2 7KFfA^u  
! j YDv1  
crypto ipsec transform-set proposal4 ah-sha-hmac esp-des esp-sha-hmac 0\P"`s3:  
! )hx9XOO+  
! 0 za]9  
crypto map s4second local-address Serial1/0 ]?}G1)XR  
crypto map s4second 2 ipsec-isakmp |uERZ^>@&  
set peer 172.16.2.2 )@;|
/H!!  
set transform-set proposal4 {Sc>~,Xt{  
match address 111 Fo{xZ5^T  
! ck1"N@|  
interface FastEthernet0/0 4*}QN}4  
ip address 10.1.5.2 255.255.255.0 %*}iIsQ,  
no ip directed-broadcast 30p&Gk[  
no keepalive DkrTZl#   
full-duplex U)rmbJo  
no cdp enable )0[7u;  
! MvyXwJ  
interface Serial1/0 jE3dd
#M  
ip address 172.23.2.7 255.255.255.0 =cOsCRykEu  
no ip directed-broadcast ypH|j{]Ki  
no ip mroute-cache <}!}"|y{s  
no keepalive n<b1!3r4  
fair-queue 64 256 0 {:t$4z({w  
framing c-bit X88KFY  
cablelength 10 ,u|Gj  
dsu bandwidth 44210 XE:eG(1_+  
clock source internal hx6w2$V[cq  
no cdp enable ; Wl]p 6  
crypto map s4second 8[5}6vm  
! kp?>OH  
router bgp 10 uf5dgC(  
network 10.1.5.0 mask 255.255.255.0 s,WfOU_`9  
network 172.16.2.0 mask 255.255.255.0 x 562bPv  
! 6T|6Y=IF  
access-list 111 permit ip host 10.1.5.3 host 10.2.2.2 +aUI*bV?  
! wQ!iI&  
line con 0 /T%Hf e0W  
transport input none H-}^&i M  
line aux 0 {)?a+C@&  
line vty 0 4 JE1<</3{|  
*=Mg\{I  
)yu,>Nq  
详细配置说明请访问: http://www.cisco.com/univercd/cc/td/doc/product/core/7100/swcg/6342gre.htm#29735

一个小型的公司安装VPN的费用能有多少?

上面说的是配置路由文件， 5|, o].BM  
2000 server 自带vpn功能，启动RAS服务；Linux 下需要编译新内核，基于freeswan的ipsec协议

爽~ 不错

VPN必须用路由器来连接么?有几个节点就需要几个路由起吗?还是Cable Modom也行?(因为路由器成本高,配置也多,所以看有否其他方案?)

除了路由器外，也可用服务器主机替代。

好

大家有空的时候，看看http://www.authcyber.com ，1个5分种可以配置好的VPN产品。价格也便宜。两边ADSL都可以。

2000server中的vpn功能，如何配置，需要什么？

不要這麼?碗s嘛！你用LinkSys 公司的 BEFVP41 這個VPN 路由器就可以解決一切的了！(全Windows 窗口）