Configuring L2TP VPN in the Call-LNS scenario, i.e. firewall dialling to firewall (local authentication)
In the Call-LNS scenario a permanent L2TP VPN tunnel is established between the LAC and the LNS, and branch-office employees reach the headquarters server directly through that tunnel.
Networking requirements
As shown in the figure, the branch office's egress gateway is the LAC and the headquarters' egress gateway is the LNS; branch employees need to reach the headquarters server across the Internet. The enterprise therefore needs an L2TP VPN tunnel between the LAC and the LNS so that branch employees can access the headquarters server through it.
Attachment: USG6307E_2022.10.02 18:57:55.txt
(1) Topology diagram (attachment: 配置Call-LNS场景下的L2TP VPN,即防火墙向防火墙拔号(本地认证).zip)
(2) Basic configuration
ISP:
#
interface GE1/0/0
undo portswitch
undo shutdown
ip address 100.100.100.254 255.255.255.0
#
interface GE1/0/1
undo portswitch
undo shutdown
ip address 200.200.200.254 255.255.255.0
#
sw1:
interface GE1/0/0
undo portswitch
undo shutdown
ip address 192.168.20.200 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.20.1
FW1:
#
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 10.12.5.5 255.255.0.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
service-manage netconf permit
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 100.100.100.1 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
service-manage netconf permit
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 192.168.10.1 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
service-manage netconf permit
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/0
ip route-static 200.200.200.0 255.255.255.0 100.100.100.254
# Configure a security policy that permits all traffic:
security-policy
default action permit
# Configure AAA:
aaa
manager-user admin
password cipher 密码
service-type web
level 15
FW2:
#
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 10.12.5.6 255.255.0.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
service-manage netconf permit
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 200.200.200.1 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
service-manage netconf permit
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 192.168.20.1 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
service-manage netconf permit
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/0
ip route-static 100.100.100.0 255.255.255.0 200.200.200.254
# Configure a security policy that permits all traffic:
security-policy
default action permit
# Configure AAA:
aaa
manager-user admin
password cipher 密码
service-type web
level 15
(3.1) FW2: configure the authentication domain and the L2TP user
aaa
service-scheme webServerScheme1664784157072
domain default
service-scheme webServerScheme1664784157072
service-type l2tp
(3.2) FW2: enable L2TP
l2tp enable
ip pool POOL1
section 0 10.10.10.10 10.10.10.200
aaa
service-scheme l2tpSScheme_1664784465689
ip-pool POOL1
l2tp-group default-lns
tunnel password cipher %$%$rmP}&2OhK$&CH|)D48(GXF7o%$%$
allow l2tp virtual-template 0
#
interface Virtual-Template0
ppp authentication-mode chap
remote service-scheme l2tpSScheme_1664784465689
ip address 10.10.10.1 255.255.255.0
alias L2TP_LNS_0
undo service-manage enable
firewall zone trust
add interface Virtual-Template0
(4.1) FW1: enable L2TP
l2tp enable
l2tp-group default-lns
tunnel password cipher %$%$,szKH8bC*Rr.e0UqpqjGW-L{%$%$
tunnel name lac
start l2tp ip 200.200.200.1 fullusername u1
#
interface Virtual-Template0
ppp authentication-mode chap pap
ppp chap user u1
ppp chap password cipher %$%$Y78wRaC2+),RPlMG:I{SL)aX%$%$
ppp pap local-user u1 password cipher %$%$%`#ZSK|9T"K$>AX<j<p%R~7s%$%$
ip address ppp-negotiate
call-lns local-user u1 binding l2tp-group default-lns
alias L2TP_LAC_0
undo service-manage enable
firewall zone trust
add interface Virtual-Template0
ip route-static 192.168.20.0 255.255.255.0 Virtual-Template0
(4.2) Dialling failed at first and later succeeded; the reason is unknown, it worked after the firewall was restarted.
Check FW1's L2TP tunnel monitoring list: no entries at all.
FW1:
FW2: (if dialling succeeds, the session looks like this as well)
(5.1) Bind an IP address so that the user always obtains a fixed IP address
View:
(5.2) Configure a static route
[FW2]ip route-static 192.168.10.0 255.255.255.0 10.10.10.155
Test:
PC1 pings SW2 successfully.
Reprints must credit the source: www.zh-cjh.com (Zhuhai Chen Jianhao's blog) » Configuring L2TP VPN in the Call-LNS scenario, i.e. firewall dialling to firewall (local authentication)
Author: cjh