L2TP實驗

一、實驗拓撲

二、實驗內容

手工部署IPec VPN

三、實驗步驟

1、配置接口IP和安全區域

[PPPoE Client]firewall zone trust 
[PPPoE Client-zone-trust]add int g 1/0/0[NAS]firewall zone untrust 
[NAS-zone-untrust]add int g 1/0/1	
[NAS]firewall zone trust 
[NAS-zone-trust]add int g 1/0/0[LNS]firewall zone untrust 
[LNS-zone-untrust]add int g 1/0/0
[LNS]firewall zone trust 
[LNS-zone-trust]add int g 1/0/1

2、配置公網路由

[FW1]ip route-static 0.0.0.0 0 1.1.1.2[FW2]ip route-static 0.0.0.0 0 1.1.2.2

3、L2TP配置

（1）PPPoE Client

[PPPoE Client]int Dialer 1
[PPPoE Client-Dialer1]dialer user user1
[PPPoE Client-Dialer1]dialer-group 1
[PPPoE Client-Dialer1]ip address ppp-negotiate 
[PPPoE Client-Dialer1]ppp chap user user1
[PPPoE Client-Dialer1]ppp chap password cipher Password123
[PPPoE Client]dialer-rule 1 ip permit 
[PPPoE Client]int g 1/0/0
[PPPoE Client-GigabitEthernet1/0/0]pppoe-client dial-bundle-number 1

（2）NAS

[LAC]interface Virtual-Template 1	
[LAC-Virtual-Template1]ppp authentication-mode chap The command is used to configure the PPP authentication mode on the local end. 
Confirm that the peer end adopts the corresponding PPP authentication. Continue[
Y/N]:y
[LAC-Virtual-Template1]ip address 2.2.2.2 24
[LAC]firewall zone dmz	
[LAC-zone-dmz]add interface Virtual-Template 1[LAC]int g 1/0/0	
[LAC-GigabitEthernet1/0/0]pppoe-server bind virtual-template 1
[LAC-GigabitEthernet1/0/0]q[LAC]aaa
Info: The domain default is for common users.
[LAC-aaa-domain-default]service-type l2tp[LAC]user-manage user user1 domain default 
[LAC-localuser-user1]password Password123

4、建立L2TP隧道

[LAC]l2tp enable 
[LAC]l2tp-group 1
[LAC-l2tp-1]tunnel authentication 	
[LAC-l2tp-1]tunnel password cipher 
[LAC-l2tp-1]tunnel password cipher Hello123
[LAC-l2tp-1]tunnel name lac
[LAC-l2tp-1]start l2tp ip 20.1.1.2 fullusername user1

5、LNS配置

[LNS]ip pool l2tp
[LNS-ip-pool-l2tp]section 0 172.16.1.2 172.16.1.100 
[LNS-aaa]service-scheme l2tp
Info: Create a new service scheme.
[LNS-aaa-service-l2tp]ip-pool l2tp
[LNS-aaa]domain default 
Info: The domain default is for common users.
[LNS-aaa-domain-default]
[LNS-aaa-domain-default]service-type l2tp
[LNS]user-manage user user1 domain default 
[LNS-localuser-user1]password Password123
[LNS]interface Virtual-Template 1
[LNS-Virtual-Template1]ppp authentication-mode chap
[LNS-Virtual-Template1]ip address 172.16.0.1 24
[LNS-Virtual-Template1]remote service-scheme l2tp
[LNS]firewall zone dmz	
[LNS-zone-dmz]add interface Virtual-Template 1
[LNS]l2tp enable 
[LNS]l2tp-group 1
[LNS-l2tp-1]allow l2tp 
[LNS-l2tp-1]allow l2tp virtual-template 1 remote lac domain default
[LNS-l2tp-1]tunnel authentication 
[LNS-l2tp-1]tunnel password cipher Hello123

6、路由補充

[PPPoE Client]ip route-static 0.0.0.0 0 Dialer 1  出接口方式[PPPoE Client]firewall zone dmz  將Dialer 1接口劃分到dmz區域，方便發包：
[PPPoE Client-zone-dmz]add interface Dialer 1

7、將所有設備的默認安全策略放通

[PPPoE Client]security-policy
[PPPoE Client-policy-security]default action permit[LAC]security-policy
[LAC-policy-security]default action permit[LNS]security-policy	
[LNS-policy-security]default action permit

8、安全策略配置

（1）NAS

[LAC]security-policy
[LAC-policy-security]default action deny   先恢復默認策略為拒絕Warning: Setting the default interzone packet filtering to deny may affect actu
al data traffic. You are advised to configure the security policy based on the a
ctual services. Are you sure you want to continue? [Y/N]y
[LAC-policy-security]rule name local_to_untrust
[LAC-policy-security-rule-local_to_untrust]source-zone local
[LAC-policy-security-rule-local_to_untrust]destination-zone untrust
[LAC-policy-security-rule-local_to_untrust]source-address 20.1.1.1 mask 255.255.
255.255
[LAC-policy-security-rule-local_to_untrust]destination-zone
[LAC-policy-security-rule-local_to_untrust]destination-address 20.1.1.2 mask255.
255.255.255
[LAC-policy-security-rule-local_to_untrust]service l2tp
[LAC-policy-security-rule-local_to_untrust]service protocol udp source-port 0 to65535 destination-port 1701	
[LAC-policy-security-rule-local_to_untrust]action permit

（2）LNS

[LNS]security-policy 	
[LNS-policy-security]default action deny 
[LNS-policy-security]dis this
security-policyrule name untrust_to_localsource-zone untrustdestination-zone localsource-address 20.1.1.1 mask 255.255.255.255destination-address 20.1.1.2 mask 255.255.255.255service l2tpservice protocol udp destination-port 1701action permitrule name dmz_to_trustsource-zone dmzdestination-zone trustsource-address 172.16.1.0 mask 255.255.255.0destination-address 192.168.1.0 mask 255.255.255.0action permit

本文來自互聯網用戶投稿，該文觀點僅代表作者本人，不代表本站立場。本站僅提供信息存儲空間服務，不擁有所有權，不承擔相關法律責任。
如若轉載，請注明出處：http://www.pswp.cn/bicheng/74795.shtml
繁體地址，請注明出處：http://hk.pswp.cn/bicheng/74795.shtml
英文地址，請注明出處：http://en.pswp.cn/bicheng/74795.shtml

如若內容造成侵權/違法違規/事實不符，請聯系多彩編程網進行投訴反饋email:809451989@qq.com，一經查實，立即刪除！