Firewalls For Dummies 2nd Edition phần 5


160 Part II: Establishing Rules

Table 8-7 Firewall Filters to Access a PPTP Tunnel Server

Protocol  Transport Protocol  Source IP  Source Port  Target IP     Target Port  Action
PPTP      TCP                 Any        Any          172.16.1.211  1723         Allow
GRE       ID 47               Any        -            172.16.1.211  -            Allow

Using L2TP/IPSec firewall rules

The tough part about configuring L2TP firewall rules is that you have to ignore the fact that L2TP is being used. Why, you ask? Because the L2TP protocol is encrypted using IPSec when it passes through your firewall. The firewall is unable to determine what protocol is actually encrypted in the IPSec packets. The L2TP client and the L2TP server establish an IPSec security association (SA) that uses the ESP protocol to encrypt all data transmitted from the client to the L2TP server's UDP port 1701. The packets are only decrypted after they are received by the L2TP tunnel server.

So what do you do at the firewall to allow the L2TP/IPSec packets to pass? You simply define the same firewall rules that you use for IPSec. The difference is that you know the endpoint of the tunnel. Table 8-8 shows the rules required to allow L2TP/IPSec tunnel connections only to the tunnel server located at IP address 23.23.2.35.

Table 8-8 Firewall Rules to Access an L2TP Tunnel Server

Protocol  Transport Protocol  Source IP  Source Port  Target IP   Target Port  Action
IKE       UDP                 Any        500          23.23.2.35  500          Allow
ESP       ID 50               Any        -            23.23.2.35  -            Allow
AH        ID 51               Any        -            23.23.2.35  -            Allow

If the remote access clients and remote access servers support NAT-D and NAT-T, then the firewall can allow IPSec connections to both VPN Server 1 and VPN Server 2. In this case the IPSec protocols are encapsulated in UDP packets, thus removing the need for the ESP and AH filters shown in Table 8-8.

Chapter 8: Designing Advanced Protocol Rules 161

Table 8-9 shows the firewall rules required to allow L2TP/IPSec tunnel connections only to the two internal tunnel servers.

Table 8-9 Firewall Rules to Access an L2TP .
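The Table 8-8 rules and the NAT-T variant described above, as an added Python example that is not code from the book: a small stateless, first-match rule evaluator run over constructed packet headers. It shows why no UDP/1701 rule appears in the table (the L2TP header is inside ESP, so a bare UDP/1701 packet at the firewall is simply not admitted) and how the NAT-T rule set replaces the ESP/AH filters. Assumptions not on the page: first-match semantics with an implicit Deny, UDP port 4500 as the NAT-T encapsulation port (the standard port, which the book excerpt does not state), and the client address 198.51.100.7 and packet set, which are constructed.

```python
"""Added example: evaluate the book's Table 8-8 L2TP/IPSec firewall rules
against constructed packet headers.  Not the book's code; rule layout,
first-match semantics and the NAT-T port are assumptions."""

from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard for a rule field

# Transport is "UDP"/"TCP" (ports apply) or "IP<n>" for a raw IP protocol
# number, e.g. "IP50" for ESP and "IP51" for AH (the table's "ID 50"/"ID 51").
@dataclass(frozen=True)
class Packet:
    transport: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]


@dataclass(frozen=True)
class Rule:
    name: str
    transport: str
    src_ip: Optional[str]
    src_port: Optional[int]
    dst_ip: Optional[str]
    dst_port: Optional[int]
    action: str

    def matches(self, pkt: Packet) -> bool:
        def ok(want, have):
            return want is ANY or want == have
        return (self.transport == pkt.transport
                and ok(self.src_ip, pkt.src_ip)
                and ok(self.src_port, pkt.src_port)
                and ok(self.dst_ip, pkt.dst_ip)
                and ok(self.dst_port, pkt.dst_port))


TUNNEL_SERVER = "23.23.2.35"  # tunnel server address from Table 8-8

# Table 8-8 transcribed as rules; anything unmatched is denied.
TABLE_8_8 = [
    Rule("IKE", "UDP",  ANY, 500, TUNNEL_SERVER, 500, "Allow"),
    Rule("ESP", "IP50", ANY, ANY, TUNNEL_SERVER, ANY, "Allow"),
    Rule("AH",  "IP51", ANY, ANY, TUNNEL_SERVER, ANY, "Allow"),
]

# Assumed NAT-T variant: ESP rides inside UDP 4500 (standard NAT-T port, not
# stated in the excerpt), so only UDP filters are needed and the raw ESP/AH
# rules can be dropped.
TABLE_NAT_T = [
    Rule("IKE",       "UDP", ANY, 500,  TUNNEL_SERVER, 500,  "Allow"),
    Rule("NAT-T ESP", "UDP", ANY, 4500, TUNNEL_SERVER, 4500, "Allow"),
]


def evaluate(rules, pkt: Packet) -> str:
    """First matching rule wins; implicit Deny when nothing matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "Deny"


CLIENT = "198.51.100.7"  # constructed remote-access client address

# Constructed packet headers as the firewall would see them.
SAMPLE_PACKETS = {
    "ike":       Packet("UDP",  CLIENT, 500,  TUNNEL_SERVER, 500),
    "esp":       Packet("IP50", CLIENT, None, TUNNEL_SERVER, None),
    "ah":        Packet("IP51", CLIENT, None, TUNNEL_SERVER, None),
    # L2TP's UDP/1701 header is normally hidden inside ESP; a bare one means
    # the tunnel is unprotected, and no rule in either table admits it.
    "bare_l2tp": Packet("UDP",  CLIENT, 1701, TUNNEL_SERVER, 1701),
    # ESP to any host other than the known tunnel endpoint is not admitted.
    "esp_other": Packet("IP50", CLIENT, None, "23.23.2.36", None),
    "nat_t":     Packet("UDP",  CLIENT, 4500, TUNNEL_SERVER, 4500),
}


def decisions(rules) -> dict:
    """Map each sample packet name to the rule set's Allow/Deny decision."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, rules in (("Table 8-8", TABLE_8_8), ("NAT-T", TABLE_NAT_T)):
        print(label)
        for name, verdict in decisions(rules).items():
            print(f"  {name:10s} {verdict}")
```

Under the Table 8-8 rule set, IKE, ESP and AH to 23.23.2.35 are allowed while the bare L2TP packet, ESP to another host and the UDP/4500 packet are denied; under the NAT-T rule set, raw ESP and AH are denied and UDP/4500 to the tunnel server is allowed.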
