L2TP VPN Lab: Client-to-Site

Scenario: A Windows device acts as the client and establishes an L2TP VPN to the LNS to reach the VPC. The LNS assigns an address to the client. The firewall on the Windows side is configured only with SNAT and basic policies; the firewall on the VPC side is configured as the L2TP VPN LNS and authenticates the client.

LNS configuration:

sysname FW-1
#
 l2tp enable
 l2tp domain suffix-separator @
#
ip pool L2TP_A // create the address pool used by the L2TP VPN
 section 0 172.16.10.1 172.16.10.253
#
aaa
 authentication-scheme default
 authentication-scheme admin_local
 authentication-scheme admin_radius_local
 authentication-scheme admin_hwtacacs_local
 authentication-scheme admin_ad_local
 authentication-scheme admin_ldap_local
 authentication-scheme admin_radius
 authentication-scheme admin_hwtacacs
 authentication-scheme admin_ad
 authentication-scheme admin_ldap
 authorization-scheme default
 accounting-scheme default
 service-scheme L2TP // create the L2TP service scheme and bind the address pool
  ip-pool L2TP_A
 domain default
  service-type internetaccess ssl-vpn l2tp ike // the authentication domain must have l2tp enabled here
  internet-access mode auto-online
  reference user current-domain
 user-manage group /default/A // create a user group
 user-manage user arssra // create the L2TP user
 parent-group /default/A // add the user to the group
 password arssra // set the user password
#
l2tp-group 1 // create the l2tp group
 tunnel password cipher %$%$0NR|Ot_>@YQa{.MY2:PT,QSC%$%$ // set the L2TP tunnel password
 allow l2tp virtual-template 0 remote A // bind the VT interface and set the tunnel name
#
interface Virtual-Template0
 ppp authentication-mode chap // set the PPP authentication mode to CHAP
 remote service-scheme L2TP // bind the service scheme
 ip address 172.16.10.254 255.255.255.0
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip binding vpn-instance default
 ip address 192.168.31.201 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 100.1.1.1 255.255.255.252
#
interface GigabitEthernet1/0/4
 undo shutdown
 ip address 192.168.10.254 255.255.255.0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/4
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1
 add interface Virtual-Template0
#
firewall zone dmz
 set priority 50
#
security-policy
 rule name Trust_Untrust_Permit
  source-zone trust
  destination-zone untrust
  source-address 192.168.10.0 mask 255.255.255.0
  action permit
 rule name Untrust_Local_L2TP_Permit
  source-zone untrust
  destination-zone local
  destination-address 100.1.1.1 mask 255.255.255.255
  service l2tp
  action permit
 rule name Untrust_Trust_Permit
  source-zone untrust
  destination-zone trust
  source-address 172.16.10.0 mask 255.255.255.0
  destination-address 192.168.10.0 mask 255.255.255.0
  action permit
#
return

Result: the VPN client can log in to the LNS successfully and reach the VPC.
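The security-policy rules above decide whether the tunnel comes up at all and what a dialled-in client may reach, so they are worth checking mechanically rather than by eye. The Python script below is an added example, not part of the original post: it parses a constructed excerpt of the LNS config into (context, command) pairs and checks that the Virtual-Template belongs to a zone, that service l2tp is permitted from that zone to local, and that the whole L2TP address pool lies inside the source addresses of a zone-to-trust permit rule.

```python
import ipaddress

# Constructed excerpt of the LNS config on this page (only the L2TP-relevant parts).
LNS_CONFIG = """\
ip pool L2TP_A
 section 0 172.16.10.1 172.16.10.253
firewall zone untrust
 add interface Virtual-Template0
security-policy
 rule name Untrust_Local_L2TP_Permit
  source-zone untrust
  destination-zone local
  service l2tp
  action permit
 rule name Untrust_Trust_Permit
  source-zone untrust
  destination-zone trust
  source-address 172.16.10.0 mask 255.255.255.0
  action permit
"""

def parse(config):  # flatten the indented Huawei config into (context path, command) pairs
    stack, items = [], []
    for raw in config.splitlines():
        cmd = raw.strip()
        if cmd and cmd != "#":
            stack = stack[:len(raw) - len(raw.lstrip(" "))] + [cmd]  # one space per nesting level
            items.append((tuple(stack[:-1]), cmd))
    return items

def audit_lns(config):  # return findings; an empty list means the L2TP policy checks pass
    items, rules, zone, findings = parse(config), {}, None, []
    for p, c in items:
        if len(p) == 2 and p[0] == "security-policy":  # group rule commands by rule name
            rules.setdefault(p[1], set()).add(c)
        elif p and p[0].startswith("firewall zone") and c.startswith("add interface Virtual-Template"):
            zone = p[0].split()[-1]  # zone that holds the L2TP tunnel interface
    if zone is None:
        return ["Virtual-Template is not a member of any zone, so no policy can match the tunnel"]
    if not any({f"source-zone {zone}", "destination-zone local", "service l2tp", "action permit"} <= r
               for r in rules.values()):
        findings.append(f"no policy permits service l2tp from {zone} to local (tunnel cannot come up)")
    nets = [ipaddress.ip_network(f"{c.split()[1]}/{c.split()[3]}", strict=False)  # allowed into trust
            for r in rules.values() if {f"source-zone {zone}", "destination-zone trust", "action permit"} <= r
            for c in r if c.startswith("source-address")]
    for p, c in items:
        if p and p[0].startswith("ip pool") and c.startswith("section"):
            if not any(all(ipaddress.ip_address(a) in n for a in c.split()[2:4]) for n in nets):
                findings.append(f"pool '{c}' is not fully covered by a {zone}->trust permit rule")
    return findings
```

Running `audit_lns(LNS_CONFIG)` on the excerpt returns no findings; narrowing the source-address mask in Untrust_Trust_Permit to /25, or dropping the Virtual-Template from the untrust zone, each produces one finding.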
