Layer 2 VPN: configuring Layer 2 connectivity between a branch office and headquarters using L2TP over Bridge (optionally L2TP + IPSec)
Note: on the two routers that build the VPN, neither router's own interfaces nor the hosts on the LAN behind each router can ping the IP address of the peer router's internal interface.
For example, PC3 cannot ping 13.13.13.1.
Remote system (client side)
The remote system is the remote user or remote branch that needs to access the enterprise internal network, usually a dial-up user's host or a device in a private network.
LAC (L2TP Access Concentrator)
The LAC is a device with PPP and L2TP protocol processing capability, usually a local ISP's NAS (Network Access Server), mainly used to provide access services to PPP users.
As one endpoint of the L2TP tunnel, the LAC sits between the LNS and the remote system and relays packets between them. It encapsulates packets received from the remote system according to L2TP and sends them to the LNS, and decapsulates packets received from the LNS and sends them to the remote system.
LNS (L2TP Network Server)
The LNS is a device with PPP and L2TP protocol processing capability, usually located at the edge of the enterprise internal network.
As the other endpoint of the L2TP tunnel, the LNS is the logical termination point of the PPP session that the LAC carries through the tunnel. By building an L2TP tunnel across the public network, L2TP extends the remote system's PPP connection from the original NAS to the LNS device inside the enterprise network.
sw1:
#
sysname sw1
#
vlan batch 13, 22
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 13 #(or 22)
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 13 #(or 22)
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 13 #(or 22)
#
sw2:
#
sysname sw2
#
vlan batch 13
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 13
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 13
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 13
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 13
#
r3-ISP:
<r3>dis current-configuration
[V200R003C00]
#
sysname r3
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
lldp enable
#
dhcp enable
#
ip pool 1
gateway-list 13.13.13.3
network 13.13.13.0 mask 255.255.255.0
excluded-ip-address 13.13.13.1 13.13.13.2
excluded-ip-address 13.13.13.4 13.13.13.150
excluded-ip-address 13.13.13.200 13.13.13.254
lease day 1 hour 1 minute 1
dns-list 223.5.5.5 223.6.6.6
#
interface GigabitEthernet0/0/0
ip address 13.13.13.3 255.255.255.0
dhcp select global
#
return
<r3>
r2-LAC (branch):
<R2-LAC>dis current-configuration
[V200R003C00]
#
sysname R2-LAC
#
l2tp enable // enable the L2TP function
#
lldp enable
#
bridge 1
# branch
interface Virtual-Template1
bridge 1 // create bridge group 1 and add the VT virtual interface to bridge group 1
bridge vlan-transmit enable // enable transparent transmission of VLAN IDs on the bridge group interface
ppp chap user huawei
ppp chap password cipher huawei
l2tp-auto-client enable
# optional: ppp ipcp dns admit-any
# optional: ppp ipcp dns request
#
interface GigabitEthernet0/0/0 # external interface, toward the VPN peer
ip address 12.12.12.2 255.255.255.0
#
interface GigabitEthernet0/0/1 # internal interface
bridge 1
bridge vlan-transmit enable # a virtual Vlanif interface does not have this command
ip address 22.22.22.2 255.255.255.0
#
#
l2tp-group 1
tunnel password cipher huawei
tunnel name lac_1
start l2tp ip 12.12.12.1 fullusername huawei
return
<R2-LAC>
r1-LNS server (headquarters):
<HQ-R1-LNS>dis current-configuration
[V200R003C00]
#
sysname HQ-R1-LNS
#
#
l2tp enable
#
bridge 1
#
aaa
local-user huawei password cipher huawei
local-user huawei privilege level 0
local-user huawei service-type ppp
# headquarters
interface Virtual-Template1
bridge 1
bridge vlan-transmit enable
ppp authentication-mode chap
ppp chap user huawei
ppp chap password cipher huawei
l2tp-auto-client enable
# optional: ppp ipcp dns admit-any
# optional: ppp ipcp dns request
#
interface GigabitEthernet0/0/0 # external interface, toward the VPN peer
ip address 12.12.12.1 255.255.255.0
#
interface GigabitEthernet0/0/1 # internal interface
bridge 1
bridge vlan-transmit enable
ip address 13.13.13.1 255.255.255.0
#
interface NULL0
#
l2tp-group 1
allow l2tp virtual-template 1
tunnel password cipher huawei
tunnel name lns
#
return
<HQ-R1-LNS>
<HQ-R1-LNS>display l2tp session
LocalSID RemoteSID LocalTID
1 1 1
Total session = 1
<HQ-R1-LNS>
<HQ-R1-LNS>display l2tp tunnel
Total tunnel = 1
LocalTID RemoteTID RemoteAddress Port Sessions RemoteName
1 1 12.12.12.2 42246 1 lac_1
<HQ-R1-LNS>
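The two display outputs above can be checked automatically. The following Python script is an added example, not part of the original post: it parses the whitespace-aligned tables into rows, then verifies that the LNS holds exactly the tunnel it expects from the LAC (12.12.12.2, lac_1) and that the session table is consistent with the tunnel table. The sample outputs are copied from the page; the function names are the example's own.

```python
# Constructed sample output, copied from the page's display commands on HQ-R1-LNS
TUNNEL_OUT = """Total tunnel = 1
LocalTID RemoteTID RemoteAddress Port Sessions RemoteName
1 1 12.12.12.2 42246 1 lac_1"""
SESSION_OUT = """LocalSID RemoteSID LocalTID
1 1 1
Total session = 1"""

def parse_table(text):
    """Parse a whitespace-separated VRP table into a list of {column: value} rows."""
    rows, cols = [], None
    for parts in (line.split() for line in text.splitlines()):
        if not parts or "=" in parts:      # skip blank lines and 'Total ... = n'
            continue
        if cols is None:
            cols = parts                   # first remaining line is the header row
        else:
            rows.append(dict(zip(cols, parts)))
    return rows

def check_l2tp(tunnel_out, session_out, peer_ip, peer_name):
    """Findings for an LNS expected to hold one tunnel from peer_ip / peer_name."""
    tunnels = {t["LocalTID"]: t for t in parse_table(tunnel_out)}
    sessions = parse_table(session_out)
    findings = []
    # Exactly the expected LAC should be connected; anything else is worth a look
    peers = {(t["RemoteAddress"], t["RemoteName"]) for t in tunnels.values()}
    if (peer_ip, peer_name) not in peers:
        findings.append(f"no tunnel from {peer_name} at {peer_ip}")
    for ip, name in peers - {(peer_ip, peer_name)}:
        findings.append(f"unexpected tunnel peer {name} at {ip}")
    # Every session must belong to a listed tunnel, and the counts must agree
    for s in sessions:
        if s["LocalTID"] not in tunnels:
            findings.append(f"session {s['LocalSID']} references unknown tunnel {s['LocalTID']}")
    for tid, t in tunnels.items():
        listed = sum(s["LocalTID"] == tid for s in sessions)
        if listed != int(t["Sessions"]):
            findings.append(f"tunnel {tid} reports {t['Sessions']} sessions, {listed} listed")
    return findings
```

Run it periodically against the real command output and alert on any non-empty result; a tunnel from an address other than the branch's 12.12.12.2 is the case most worth investigating.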
Headquarters:
Configuring secure connectivity between the branch office and headquarters using L2TP over IPSec
<HQ-R1-LNS>dis current-configuration
sysname HQ-R1-LNS
#
l2tp enable
#
bridge 1
#
acl number 3001
rule 5 permit ip source 12.12.12.1 0 destination 12.12.12.2 0
#
ipsec proposal lns
esp authentication-algorithm sha2-512
esp encryption-algorithm aes-256
#
ike peer lns v2
pre-shared-key cipher zh-cjh.local:2222
remote-address 12.12.12.2
#
ipsec policy lns 1 isakmp
security acl 3001
ike-peer lns
proposal lns
#
aaa
local-user huawei password cipher huawei
local-user huawei privilege level 0
local-user huawei service-type ppp
#
firewall zone Local
priority 15
#
interface Virtual-Template1
bridge 1
bridge vlan-transmit enable
ppp authentication-mode chap
ppp chap user huawei
ppp chap password cipher huawei
l2tp-auto-client enable
#
interface GigabitEthernet0/0/0
ip address 12.12.12.1 255.255.255.0
ipsec policy lns
#
interface GigabitEthernet0/0/1
bridge 1
bridge vlan-transmit enable
ip address 13.13.13.1 255.255.255.0
#
l2tp-group 1
allow l2tp virtual-template 1
tunnel password cipher huawei
tunnel name lns
return
<HQ-R1-LNS>
[R2-LAC]dis current-configuration
sysname R2-LAC
#
l2tp enable
#
bridge 1
#
acl number 3001
rule 5 permit ip source 12.12.12.2 0 destination 12.12.12.1 0
#
ipsec proposal lns
esp authentication-algorithm sha2-512
esp encryption-algorithm aes-256
#
ike peer lns v2
pre-shared-key cipher zh-cjh.local:2222
remote-address 12.12.12.1
#
ipsec policy lns 1 isakmp
security acl 3001
ike-peer lns
proposal lns
#
ip pool vpn
gateway-list 192.168.22.1
network 192.168.22.0 mask 255.255.254.0
#
#
interface Virtual-Template1
bridge 1
bridge vlan-transmit enable
ppp chap user huawei
ppp chap password cipher huawei
l2tp-auto-client enable
#
interface GigabitEthernet0/0/0
ip address 12.12.12.2 255.255.255.0
ipsec policy lns
#
interface GigabitEthernet0/0/1
bridge 1
bridge vlan-transmit enable
ip address 22.22.22.2 255.255.255.0
#
l2tp-group 1
tunnel password cipher huawei
tunnel name lac_1
start l2tp ip 12.12.12.1 fullusername huawei
#
return
[R2-LAC]
Tunnel mode (the mode on this system version is tunnel mode)
The ping test results are the same as before.
Test: remove the applied ipsec policy from the interface on only one router (the L2TP VPN does not come up)
[HQ-R1-LNS]interface GigabitEthernet0/0/0
[HQ-R1-LNS-GigabitEthernet0/0/0]undo ipsec policy
[HQ-R1-LNS-GigabitEthernet0/0/0]
PC3 can never ping the gateway or PC 13.13.13.100
Test: remove the applied ipsec policy from the interfaces on both routers (the L2TP VPN comes up)
[HQ-R1-LNS]interface GigabitEthernet0/0/0
[HQ-R1-LNS-GigabitEthernet0/0/0]undo ipsec policy
[HQ-R1-LNS-GigabitEthernet0/0/0]
[R2-LAC]int GigabitEthernet 0/0/0
[R2-LAC-GigabitEthernet0/0/0]undo ipsec policy
[R2-LAC-GigabitEthernet0/0/0]
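The two tests above show that IPsec has to be applied symmetrically, and the L2TP over Bridge configurations earlier on the page have the same pairing requirements. The following Python script is an added example, not part of the original post: it parses reduced copies of the R2-LAC and HQ-R1-LNS configurations (constructed from the page, comments removed) and reports the mismatches that would break the tunnel: a LAC dial address that is not the LNS outside address, an ipsec policy applied on only one GE0/0/0, and ACL 3001 rules that are not mirror images. Function and variable names are the example's own.

```python
# Constructed sample configs, reduced from the page's R2-LAC and HQ-R1-LNS output
LAC = """acl number 3001
rule 5 permit ip source 12.12.12.2 0 destination 12.12.12.1 0
interface GigabitEthernet0/0/0
ip address 12.12.12.2 255.255.255.0
ipsec policy lns
l2tp-group 1
tunnel password cipher huawei
start l2tp ip 12.12.12.1 fullusername huawei"""
LNS = """acl number 3001
rule 5 permit ip source 12.12.12.1 0 destination 12.12.12.2 0
interface GigabitEthernet0/0/0
ip address 12.12.12.1 255.255.255.0
ipsec policy lns
l2tp-group 1
allow l2tp virtual-template 1
tunnel password cipher huawei"""
HEADERS = ("interface ", "acl ", "l2tp-group ")  # lines that open a section here

def parse_vrp(text):
    """Group a flattened VRP config into {section header: [body lines]}."""
    sections, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith(HEADERS):
            key, sections[line] = line, []
        elif key and line:
            sections[key].append(line)
    return sections
def grep(body, prefix):  # first body line starting with prefix, or ''
    return next((l for l in body if l.startswith(prefix)), "")
def check_peers(lac_text, lns_text):  # [] when the LAC/LNS pair is consistent
    lac, lns = parse_vrp(lac_text), parse_vrp(lns_text)
    g0, out = "interface GigabitEthernet0/0/0", []
    # The LAC must dial the address actually configured on the LNS outside interface
    lns_ip = grep(lns[g0], "ip address").split()[2]
    dial = grep(lac["l2tp-group 1"], "start l2tp ip").split()[3]
    if dial != lns_ip:
        out.append(f"LAC dials {dial} but LNS outside address is {lns_ip}")
    # The page's test: an ipsec policy on only one outside interface breaks the tunnel
    pol = [bool(grep(c[g0], "ipsec policy")) for c in (lac, lns)]
    if pol[0] != pol[1]:
        out.append("ipsec policy applied on one side only: L2TP will not come up")
    elif not pol[0]:
        out.append("warning: no ipsec policy on either side, L2TP runs unprotected")
    # Each side's ACL 3001 rule must be the mirror image (source/destination swapped)
    rl, rn = (grep(c["acl number 3001"], "rule").split() for c in (lac, lns))
    if (rl[5], rl[8]) != (rn[8], rn[5]):
        out.append("ACL 3001 rules are not mirror images of each other")
    return out
```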
Trunk interconnection with transparent VLAN transmission: PC6 172.16.1.2 can ping PC7 172.16.1.1.
Here is the problem: PC2 cannot ping the Layer 3 interface of router R2-LAC.
Solution 1: run an additional cable from switch SW1 to router R2-LAC.
Solution 2: change interface g0/0/1 of router R2-LAC to trunk mode and enable a virtual interface?
<router>debugging l2tp all
<router>debugging ppp all
When L2TP over Bridge is established, the web UI on the branch router shows the L2TP connection status as unavailable, while the CLI shows the connection as normal. On the headquarters side, both the web UI and the CLI show normal.
Headquarters router:
Please retain the source when reprinting: www.zh-cjh.com (Zhuhai Chen Jianhao's blog) » Layer 2 VPN: configuring Layer 2 connectivity between a branch office and headquarters using L2TP over Bridge (optionally L2TP + IPSec)
Author: cjh