Configuring an L2TP VPN in the Call-LNS scenario, i.e. firewall dialing to firewall (local authentication)

In the Call-LNS scenario a permanent L2TP VPN tunnel is established between the LAC and the LNS, and branch-office employees reach the headquarters servers directly through that tunnel.
Networking requirements
As shown in the figure, the branch office's egress gateway is the LAC and the headquarters' egress gateway is the LNS; branch employees need to access the headquarters server across the Internet. The enterprise therefore needs an L2TP VPN tunnel between the LAC and the LNS so that branch employees can reach the headquarters server through it.

Attached configuration exports (filenames as on the page):
FW1_2022.10.03.23时07分19秒.txt
FW2_2022.10.03.23时07分36秒.txt
USG6307E_2022.10.02.18时57分55秒.txt
ISP_2022.10.03.23时07分54秒.txt
SW2_2022.10.03.23时08分25秒.txt


(1) Topology diagram

[Attachment: 配置Call-LNS场景下的L2TP VPN,即防火墙向防火墙拔号(本地认证).zip]

[Image: topology diagram]

(2) Basic configuration

ISP:
#               
interface GE1/0/0
 undo portswitch
 undo shutdown
 ip address 100.100.100.254 255.255.255.0
#
interface GE1/0/1
 undo portswitch
 undo shutdown
 ip address 200.200.200.254 255.255.255.0
#
sw1:
interface GE1/0/0
 undo portswitch
 undo shutdown
 ip address 192.168.20.200 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.20.1

FW1:
#
interface GigabitEthernet0/0/0
 undo shutdown                            
 ip binding vpn-instance default
 ip address 10.12.5.5 255.255.0.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
 service-manage netconf permit
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 100.100.100.1 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
 service-manage netconf permit
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 192.168.10.1 255.255.255.0    
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
 service-manage netconf permit
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/1
 add interface GigabitEthernet1/0/0
ip route-static 200.200.200.0 255.255.255.0 100.100.100.254
# Security policy: permit everything
security-policy
 default action permit
# Configure AAA:
aaa
   manager-user admin
      password cipher <password>
      service-type web
      level 15

FW2:
#
interface GigabitEthernet0/0/0
 undo shutdown                            
 ip binding vpn-instance default
 ip address 10.12.5.6 255.255.0.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
 service-manage netconf permit
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 200.200.200.1 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
 service-manage netconf permit
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 192.168.20.1 255.255.255.0    
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
 service-manage netconf permit
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/1
 add interface GigabitEthernet1/0/0
ip route-static 100.100.100.0 255.255.255.0 200.200.200.254
# Security policy: permit everything
security-policy
 default action permit
# Configure AAA:
aaa
   manager-user admin
      password cipher <password>
      service-type web
      level 15

(3.1) FW2: configure the authentication domain and the L2TP user

aaa
  service-scheme webServerScheme1664784157072
  domain default
    service-scheme webServerScheme1664784157072
    service-type l2tp

(3.2) FW2: enable L2TP

l2tp enable
ip pool POOL1
 section 0 10.10.10.10 10.10.10.200
 
aaa
  service-scheme l2tpSScheme_1664784465689
     ip-pool POOL1

l2tp-group default-lns
  tunnel password cipher %$%$rmP}&2OhK$&CH|)D48(GXF7o%$%$
  allow l2tp virtual-template 0
#
interface Virtual-Template0
  ppp authentication-mode chap
  remote service-scheme l2tpSScheme_1664784465689
  ip address 10.10.10.1 255.255.255.0
  alias L2TP_LNS_0
  undo service-manage enable

firewall zone trust                       
 add interface Virtual-Template0


(4.1) FW1: enable L2TP

l2tp enable

l2tp-group default-lns
 tunnel password cipher %$%$,szKH8bC*Rr.e0UqpqjGW-L{%$%$
 tunnel name lac
 start l2tp ip 200.200.200.1 fullusername u1
#
interface Virtual-Template0
 ppp authentication-mode chap pap
 ppp chap user u1
 ppp chap password cipher %$%$Y78wRaC2+),RPlMG:I{SL)aX%$%$
 ppp pap local-user u1 password cipher %$%$%`#ZSK|9T"K$>AX<j<p%R~7s%$%$
 ip address ppp-negotiate
 call-lns local-user u1 binding l2tp-group default-lns
 alias L2TP_LAC_0
 undo service-manage enable

firewall zone trust
 add interface Virtual-Template0

ip route-static 192.168.20.0 255.255.255.0 Virtual-Template0

(4.2) The dial-up failed at first and succeeded later; the cause is unknown, it worked after the firewall was rebooted.
Checking FW1's L2TP tunnel monitoring list: no entries at all.

[Screenshot: FW1 L2TP tunnel monitoring list]

FW1:

[Screenshot]

FW1:

[Screenshot]

FW2: (if the dial-up succeeds, this session looks the same)

[Screenshot]


(5.1) Bind an IP address so that the user always gets a fixed IP address

[Screenshot: IP address binding]

Check:

[Screenshot]

(5.2) Configure a static route

[FW2]ip route-static 192.168.10.0 255.255.255.0 10.10.10.155
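As an added consistency check for the LAC (4.1) and LNS (3.2) configurations above and the static route in 5.2, here is a small Python audit script; it is not part of the original page, and the config excerpts embedded in it are constructed from the FW1/FW2 settings shown above. It verifies that the LAC dials an address the LNS actually owns, that the next hop of the LNS route back to the branch LAN lies inside POOL1, and it flags the permit-all security policy, which the page itself uses only because this is a lab.

```python
import ipaddress
import re

# Constructed excerpts of the FW1 (LAC) and FW2 (LNS) configs shown on this page.
LAC_CFG = """l2tp-group default-lns
 start l2tp ip 200.200.200.1 fullusername u1
security-policy
 default action permit"""
LNS_CFG = """ip pool POOL1
 section 0 10.10.10.10 10.10.10.200
interface GigabitEthernet1/0/0
 ip address 200.200.200.1 255.255.255.0
ip route-static 192.168.10.0 255.255.255.0 10.10.10.155
security-policy
 default action permit"""

def blocks(cfg):
    """Group a VRP-style config into {top-level line: [indented child lines]}."""
    out, cur = {}, None
    for line in cfg.splitlines():
        if not line.startswith(" "):
            cur = line.strip()
            out[cur] = []
        else:
            out[cur].append(line.strip())
    return out

def grab(block, pattern):
    """Groups of the first child line in `block` matching `pattern`, else None."""
    return next((m.groups() for l in block if (m := re.match(pattern, l))), None)

def audit(lac_cfg, lns_cfg):
    """Return a list of findings for a Call-LNS LAC/LNS pair (empty = consistent)."""
    lac, lns, f = blocks(lac_cfg), blocks(lns_cfg), []
    dial = grab(lac.get("l2tp-group default-lns", []), r"start l2tp ip (\S+) fullusername (\S+)")
    lns_ips = {ip[0] for k, v in lns.items() if k.startswith("interface")
               if (ip := grab(v, r"ip address (\S+)"))}
    if not dial or dial[0] not in lns_ips:
        f.append("LAC dials an address no LNS interface owns")
    pool = grab(lns.get("ip pool POOL1", []), r"section 0 (\S+) (\S+)")
    lo, hi = (ipaddress.ip_address(p) for p in (pool or ("0.0.0.0", "0.0.0.0")))
    for k in lns:  # the LNS route back to the branch LAN must point into the pool
        nh = re.match(r"ip route-static 192\.168\.10\.0 \S+ (\S+)$", k)
        if nh and not (pool and lo <= ipaddress.ip_address(nh[1]) <= hi):
            f.append("static route next hop is not in POOL1")
    for name, side in (("LAC", lac), ("LNS", lns)):
        if "default action permit" in side.get("security-policy", []):
            f.append(f"{name} security-policy permits all traffic (lab-only setting)")
    return f
```

With the page's own values the only findings are the two permit-all policies; changing the dialed address or the route next hop adds the corresponding finding.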

Test:

PC1 pings SW2 successfully.

[Screenshot: ping result]



Source: www.zh-cjh.com (珠海陈坚浩博客) » Configuring an L2TP VPN in the Call-LNS scenario, i.e. firewall dialing to firewall (local authentication)

Author: cjh
