Recently the company needed to set up a VPN. An SSL VPN would have run into licensing limits, so for everyone's convenience L2TP VPN was chosen. Some doubtful points came up during the lab simulation, and they are recorded here.

I. Topology

The topology simulates the company headquarters network. A separate device acts as the VPN authentication gateway (the one labelled VPN in the diagram), attached one-armed off the core switch.

II. Prerequisites

The egress firewall must have the mapping in place: the VPN device's internal address (192.168.10.10) is mapped to a public address so that it can be reached from the Internet. Here that is done on the FW device with nat server 0 global 112.54.82.160 inside 192.168.10.10.

The headquarters internal network must be fully reachable with complete routes, and the egress must have NAT. The branch and headquarters internal networks must not be able to reach each other (192.168.218.186 cannot ping the 192.168.10.0 and 192.168.200.0 segments).

III. Configuring L2TP VPN

sy                                     # enter system view
interface Virtual-Template1            # create a virtual interface
 authentication-mode chap pap          # use CHAP; if the peer does not support CHAP, PAP is used
 alias Virtual-Template1               # can be ignored
 ip address 1.1.1.1 255.255.255.0      # give the interface an IP; any address that does not clash with anything else will do
 remote address pool 0                 # reference the address pool handed out to dial-in devices; the pool is defined under aaa
aaa
 ip pool 0 12.12.12.10 12.12.12.100    # define the pool: from .10 to .100 of the 12 segment
 local-user vpn password cipher vpntest!123
 local-user vpn service-type ppp       # user name and password, nothing more to say
l2tp-group 2                           # configure L2TP group 2
 undo tunnel authentication            # the VPN client built into the PC cannot do tunnel authentication, so it is disabled here
 allow l2tp virtual-template 1         # standard L2TP configuration; the remaining parameters are explained in the official configuration guide
l2tp enable                            # this command turns L2TP on; do not forget it

IV. A few things to note

1. Does the address pool handed out to L2TP clients have to be in the same segment as the Virtual-Template1 address?

It does not have to match. Both addresses can be chosen freely, but it is best not to use a segment that is already used internally. If the pool does overlap an internal segment, virtual forwarding must be enabled on the VPN device (look it up yourself). An unusual address segment is recommended.

2. The addresses handed out to L2TP clients have no gateway; how do they talk to the internal network?

The missing gateway does not matter, but every headquarters segment must have a route to the 12.12.12.0 segment; otherwise clients cannot reach the internal addresses. For example, Core-SW in this diagram has ip route-static 12.12.12.0 255.255.255.0 192.168.10.10.

3. Must the L2TP VPN device be attached one-armed?

No. VPN deployments normally use an inline design, configured on the egress router or egress firewall. Here I only simulate the case where the egress device does not support VPN and the network can no longer be changed; the one-armed design is more flexible there.

4. The firewall policies must be opened.

Because no router was used here and a firewall stood in for the router, I opened all firewall policies; this is only a simulation. A real deployment must follow its own requirements, but always remember to open the policies that are needed and to put the interfaces into the appropriate security zones. In particular, the Virtual-Template1 interface must be placed in the appropriate zone, with a security policy permitting traffic to that interface.
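As an added example (not part of the original post), the following Python checks a Huawei-style configuration for the pitfalls listed in section III and the notes above: l2tp enable present, tunnel authentication disabled in the l2tp-group, Virtual-Template1 placed in a firewall zone, and the client pool not overlapping an internal interface segment. CONFIG is a constructed abridgement of the VPN device configuration shown on this page.

```python
import ipaddress

CONFIG = """\
interface GigabitEthernet0/0/8
 ip address 192.168.10.10 255.255.255.0
#
firewall zone trust
 add interface GigabitEthernet0/0/8
 add interface Virtual-Template1
#
l2tp-group 2
 undo tunnel authentication
#
aaa
 ip pool 0 12.12.12.1 12.12.12.100
l2tp enable
"""  # constructed abridgement of the VPN device config shown on this page

def parse_blocks(cfg):
    """Map each unindented header line to its indented child lines."""
    blocks, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("#") or not line.strip():
            cur = None
        elif not line.startswith(" "):
            blocks.setdefault(cur := line.strip(), [])
        elif cur is not None:
            blocks[cur].append(line.strip())
    return blocks

def lint_l2tp(cfg):
    """Return the problems found; an empty list means every check passed."""
    b, problems = parse_blocks(cfg), []
    if "l2tp enable" not in b:  # the command the text says is easy to forget
        problems.append("l2tp enable is missing")
    if not any("undo tunnel authentication" in v for h, v in b.items()
               if h.startswith("l2tp-group")):  # built-in client cannot do it
        problems.append("tunnel authentication is still enabled")
    if not any("add interface Virtual-Template1" in v for h, v in b.items()
               if h.startswith("firewall zone")):  # note 4
        problems.append("Virtual-Template1 is not in any firewall zone")
    # Note 1: the pool may be any segment but must not overlap an internal one
    subnets = [ipaddress.ip_interface(l.split()[2] + "/" + l.split()[3]).network
               for h, v in b.items() if h.startswith("interface Gigabit")
               for l in v if l.startswith("ip address ")]
    for p in map(str.split, b.get("aaa", [])):
        if p[:2] == ["ip", "pool"] and any(ipaddress.ip_address(ip) in n
                                           for n in subnets for ip in p[3:5]):
            problems.append(f"ip pool {p[2]} overlaps an interface subnet")
    return problems
```

Feed it the output of display current-configuration from the VPN device; each string in the returned list names one item from the notes that is still missing.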
V. PC-side dial-up configuration

VI. Device configurations

1. VPN
interface Virtual-Template1
 authentication-mode chap pap
 alias Virtual-Template1
 ip address 1.1.1.1 255.255.255.0
 remote address pool
#
interface GigabitEthernet0/0/0
 alias GE0/MGMT
 ip address 192.168.0.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 192.168.0.1
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
 ip address 192.168.10.10 255.255.255.0
#
interface NULL0
 alias NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet0/0/8
 add interface Virtual-Template1
#
firewall zone untrust
 set priority 5
#
firewall zone dmz
 set priority 50
#
l2tp-group 2
 undo tunnel authentication
 allow l2tp virtual-template 1
#
aaa
 local-user vpn password cipher %$%$PjwKIZGx.Z-E}F2ceB+G>6-$%$%$
 local-user vpn service-type ppp
 local-user admin password cipher %$%$OMBCN93/(W;iZ:J&'8*F>MD;%$%$
 local-user admin service-type web terminal telnet
 local-user admin level 15
 ip pool 0 12.12.12.1 12.12.12.100
 authentication-scheme default
#
 authorization-scheme default
#
 accounting-scheme default
#
 domain default
#
#
nqa-jitter tag-version 1
#
ip route-static 0.0.0.0 0.0.0.0 192.168.10.1
#
banner enable
#
user-interface con 0
 authentication-mode none
user-interface vty 0 4
 authentication-mode none
 protocol inbound all
#
slb
#
right-manager server-group
#
sysname VPN
#
l2tp enable
l2tp domain suffix-separator @
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction inbound
firewall packet-filter default permit interzone trust dmz direction outbound
firewall packet-filter default permit interzone dmz untrust direction inbound
firewall packet-filter default permit interzone dmz untrust direction outbound
#
ip df-unreachables enable
#
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
#
dns resolve
#
firewall statistic system enable
#
pki ocsp response cache refresh interval 0
pki ocsp response cache number 0
#
undo dns proxy
#
license-server domain
#
web-manager enable
#
return
2. Core-SW

The captured configuration begins partway through the aaa section:

 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif1
 ip address 192.168.200.2 255.255.255.0
#
interface Vlanif10
 ip address 192.168.10.1 255.255.255.0
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
 port link-type access
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.200.1
ip route-static 12.12.12.0 255.255.255.0 192.168.10.10
#
user-interface con 0
user-interface vty 0 4
#
return
3. FW

interface GigabitEthernet0/0/0
 alias GE0/MGMT
 ip address 112.54.82.162 255.255.255.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
 ip address 192.168.200.1 255.255.255.0
#
interface NULL0
 alias NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/8
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/0
#
firewall zone dmz
 set priority 50
#
aaa
 local-user admin password cipher %$%$`J+vB;%!Y=ZqM.LCB!"Z>d[R%$%$
 local-user admin service-type web terminal telnet
 local-user admin level 15
 authentication-scheme default
#
 authorization-scheme default
#
 accounting-scheme default
#
 domain default
#
#
nqa-jitter tag-version 1
#
ip route-static 0.0.0.0 0.0.0.0 112.54.82.161
ip route-static 1.1.1.0 255.255.255.0 192.168.200.2
ip route-static 12.12.12.0 255.255.255.0 192.168.200.2
ip route-static 192.168.10.0 255.255.255.0 192.168.200.2
#
banner enable
#
user-interface con 0
 authentication-mode none
user-interface vty 0 4
 authentication-mode none
 protocol inbound all
#
slb
#
right-manager server-group
#
sysname FW
#
l2tp domain suffix-separator @
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction inbound
firewall packet-filter default permit interzone trust dmz direction outbound
firewall packet-filter default permit interzone dmz untrust direction inbound
firewall packet-filter default permit interzone dmz untrust direction outbound
#
nat server 0 global 112.54.82.160 inside 192.168.10.10
#
ip df-unreachables enable
#
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
#
dns resolve
#
firewall statistic system enable
#
pki ocsp response cache refresh interval 0
pki ocsp response cache number 0
#
undo dns proxy
#
license-server domain
#
web-manager enable
#
nat-policy interzone trust untrust outbound
 policy 1
  action source-nat
  easy-ip GigabitEthernet0/0/0
 policy 2
#
return

4. Branch egress router configuration

[Router]dis cur
15:19:54 2015/11/05
#
stp region-configuration
 region-name 103d6415909d
 active region-configuration
#
interface GigabitEthernet0/0/0
 alias GE0/MGMT
#
interface GigabitEthernet0/0/1
 ip address 10.10.10.2 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 192.168.218.222 255.255.255.0
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface NULL0
 alias NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet0/0/1
#
firewall zone dmz
 set priority 50
#
aaa
 local-user admin password cipher %$%$y[x_X1F#m1*kz]S6@Ca'>RI@%$%$
 local-user admin service-type web terminal telnet
 local-user admin level 15
 authentication-scheme default
#
 authorization-scheme default
#
 accounting-scheme default
#
 domain default
#
#
nqa-jitter tag-version 1
#
ip route-static 0.0.0.0 0.0.0.0 112.54.82.162
ip route-static 0.0.0.0 0.0.0.0 10.10.10.1
#
banner enable
#
user-interface con 0
 authentication-mode none
user-interface vty 0 4
 authentication-mode none
 protocol inbound all
#
slb
#
right-manager server-group
#
sysname Router
#
l2tp domain suffix-separator @
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction inbound
firewall packet-filter default permit interzone trust dmz direction outbound
firewall packet-filter default permit interzone dmz untrust direction inbound
firewall packet-filter default permit interzone dmz untrust direction outbound
#
ip df-unreachables enable
#
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
#
dns resolve
#
firewall statistic system enable
#
pki ocsp response cache refresh interval 0
pki ocsp response cache number 0
#
undo dns proxy
#
license-server domain
#
web-manager enable
#
nat-policy interzone trust untrust outbound
 policy 1
  action source-nat
  easy-ip GigabitEthernet0/0/1
#
return

5. The ISP configuration consists only of interfaces, with no routes.