L2TP Configuration
The LAC device is a VPN client program on a PC: the SecoClient software.
The LNS device is the USG5500 in eNSP; S1 is an S5700.
Step 1: Basic configuration
LNS configuration (simulated with a USG5500)
#
interface GigabitEthernet0/0/0
alias GE0/MGMT
ip address 212.1.1.1 255.255.255.0
service-manage enable
service-manage ping permit
#
interface GigabitEthernet0/0/1
ip address 192.168.1.1 255.255.255.0
service-manage enable
service-manage ping permit
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/0
#
firewall zone dmz
set priority 50
#
[LNS]ip route-static 10.1.1.0 255.255.255.0 192.168.1.2
[LNS]firewall packet-filter default permit all ---permit all traffic in the default security policy
00:01:39 2020/02/28
Warning:Setting the default packet filtering to permit poses security risks. You
are advised to configure the security policy based on the actual data flows. Ar
e you sure you want to continue?[Y/N]y
S1 configuration
#
vlan batch 10 20
#
interface Vlanif10
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif20
ip address 10.1.1.254 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20
#
ip route-static 172.16.123.0 255.255.255.0 192.168.1.1
#
Test connectivity from the LNS to the intranet server
[LNS]ping 10.1.1.100
23:59:06 2020/02/27
PING 10.1.1.100: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.100: bytes=56 Sequence=1 ttl=127 time=260 ms
Reply from 10.1.1.100: bytes=56 Sequence=2 ttl=127 time=90 ms
Reply from 10.1.1.100: bytes=56 Sequence=3 ttl=127 time=220 ms
Reply from 10.1.1.100: bytes=56 Sequence=4 ttl=127 time=60 ms
Reply from 10.1.1.100: bytes=56 Sequence=5 ttl=127 time=150 ms
--- 10.1.1.100 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 60/156/260 ms
[LNS]
Test connectivity from the LNS to the external-network user
[LNS]ping 212.1.1.254
23:59:35 2020/02/27
PING 212.1.1.254: 56 data bytes, press CTRL_C to break
Reply from 212.1.1.254: bytes=56 Sequence=1 ttl=128 time=190 ms
Reply from 212.1.1.254: bytes=56 Sequence=2 ttl=128 time=110 ms
Reply from 212.1.1.254: bytes=56 Sequence=3 ttl=128 time=160 ms
Reply from 212.1.1.254: bytes=56 Sequence=4 ttl=128 time=50 ms
Reply from 212.1.1.254: bytes=56 Sequence=5 ttl=128 time=110 ms
--- 212.1.1.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 50/124/190 ms
[LNS]
Step 2: Create the authentication username and password on the LNS
- Configure a local username and password; it is stored on the device as the VPDN user information used to authenticate the remote user who dials in.
- Configure the local user type. L2TP is negotiated over PPP, so the user type must be set to ppp.
- Configure an address pool for assigning addresses to remote users.
#
aaa
local-user key password cipher Huawei@123
local-user key service-type ppp
ip pool 1 172.16.123.100 172.16.123.200
#
A static route to the 172.16.123.0 network must be configured on S1:
ip route-static 172.16.123.0 255.255.255.0 192.168.1.1
Step 3: Configure the L2TP parameters
- Enable L2TP globally.
- Create the Virtual-Template (VT) interface.
- Set the PPP authentication mode to CHAP.
#
l2tp enable
#
interface Virtual-Template1
ppp authentication-mode chap
alias Virtual-Template1
ip address 1.1.1.1 255.255.255.0
remote address pool 1
#
Virtual-Template1 must be added to a security zone
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/0
add interface Virtual-Template1
#
Step 4: Create the L2TP group
- Configure the L2TP group on the LNS side to respond to connection requests initiated by the LAC.
- Configure the L2TP tunnel password; it must be the same at both ends of the tunnel. By default L2TP has tunnel authentication enabled but no tunnel authentication password configured.
- Configure the tunnel name. When an L2TP connection is initiated, the LNS admits the LAC according to the LAC's tunnel name. By default, if no tunnel name is specified, the device name is used as the tunnel name.
#
l2tp-group 1
allow l2tp virtual-template 1
tunnel password cipher 123456
tunnel name LNS
#
Step 5: Test from the external-network user
Download the SecoClient software from the Huawei website.
From the external user's PC, ping the company's intranet server.
Capture packets on the LNS's G0/0/0 and G0/0/1 interfaces.
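Added example, not part of the original write-up: a small decoder for the L2TP (RFC 2661) control messages that the G0/0/0 capture in step 5 will contain. The SCCRP sample is constructed here (tunnel ID and challenge bytes are placeholders); it shows the tunnel name from step 4 travelling in a cleartext Host Name AVP, and the Challenge AVP that the default-enabled tunnel authentication adds, whose response is computed from the shared tunnel password.

```python
"""Decode L2TPv2 control messages as they appear on UDP/1701 (RFC 2661)."""
import struct

# AVP attribute types used here (RFC 2661 section 4.4), vendor ID 0 (IETF)
AVP_MESSAGE_TYPE, AVP_HOST_NAME, AVP_CHALLENGE = 0, 7, 11
MSG_NAMES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN"}


def build_avp(attr_type, value, mandatory=True):
    """Encode one AVP: M bit + 10-bit length, vendor 0, type, value. H bit clear."""
    length = 6 + len(value)
    flags = (0x8000 if mandatory else 0) | length
    return struct.pack("!HHH", flags, 0, attr_type) + value


def build_control_message(msg_type, tunnel_id, ns, nr, avps):
    """Control header: T, L, S bits set and version 2 -> 0xC802, then the AVPs."""
    body = build_avp(AVP_MESSAGE_TYPE, struct.pack("!H", msg_type)) + b"".join(avps)
    return struct.pack("!HHHHHH", 0xC802, 12 + len(body), tunnel_id, 0, ns, nr) + body


def parse_control_message(pkt):
    """Return message name, tunnel ID, cleartext Host Name and whether a Challenge AVP is present."""
    flags, length, tunnel_id, _session, _ns, _nr = struct.unpack("!HHHHHH", pkt[:12])
    if not (flags & 0x8000) or (flags & 0x000F) != 2:
        raise ValueError("not an L2TPv2 control message")
    result = {"tunnel_id": tunnel_id, "message": None, "host_name": None, "challenge": False}
    offset = 12
    while offset + 6 <= length:
        avp_flags, vendor, attr = struct.unpack("!HHH", pkt[offset:offset + 6])
        avp_len = avp_flags & 0x03FF
        if avp_len < 6:
            raise ValueError("malformed AVP length")
        hidden = bool(avp_flags & 0x4000)          # H bit: value is hidden with the tunnel secret
        value = pkt[offset + 6:offset + avp_len]
        if vendor == 0 and attr == AVP_MESSAGE_TYPE:
            result["message"] = MSG_NAMES.get(struct.unpack("!H", value)[0], "other")
        elif vendor == 0 and attr == AVP_HOST_NAME and not hidden:
            result["host_name"] = value.decode("ascii")  # readable in the capture
        elif vendor == 0 and attr == AVP_CHALLENGE:
            result["challenge"] = True                    # tunnel authentication in use
        offset += avp_len
    return result


# Constructed SCCRP as the LNS from step 4 would send it: Host Name "LNS" plus a
# Challenge AVP; the 16 challenge bytes are a placeholder, not a captured value.
SAMPLE_SCCRP = build_control_message(2, tunnel_id=1, ns=0, nr=1, avps=[
    build_avp(AVP_HOST_NAME, b"LNS"),
    build_avp(AVP_CHALLENGE, bytes(range(16))),
])

if __name__ == "__main__":
    print(parse_control_message(SAMPLE_SCCRP))
```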