一、拓扑
word/media/c4ca4238a0b923820dcc509a6f75849b.
拓扑是模拟公司总部网络,其中有台单独的设备作为VPN的认证网关,即图中的VPN,是旁挂核心交换机的组网方式。
二、前提
出口防火墙上,要做好映射。也就是要将内网中的VPN设备IP(192.168.10.10)映射到公网上,让公网能够访问。此处就是在FW设备上做了一个nat server 0 global 112.54.82.160 inside 192.168.10.10。
总部内网要通,路由要全,出口要有NAT。分支和总部的两个内网不能通(192.168.218.186是不能Ping通192.168.10.0和192.168.200.0网段的)。
三、配置L2TP VPN
sy
interface Virtual-Template1 #新建一个虚拟接口 Virtual-Template1#
authentication-mode chap pap #认证模式用chap,如果对方不支持chap,则用pap#
alias Virtual-Template1 #忽略#
ip address 1.1.1.1 255.255.255.0 #给接口一个IP,此IP不能和其他冲突,随便一个即可#
remote address pool 0 #调用给拨入设备分配的地址池。地址池的定义在AAA内# aaa
ip pool 0 12.12.12.10 12.12.12.100 #定义地址池从12网段的10开始,到100结束#
local-user password ciper test!123
local-user service-type ppp #配置用户名和密码,不多说了#
l2tp-group 2 #配置l2tp组2#
undo tunnel authentication #如果用电脑自带的VPN拨号,电脑是无法起tunnel认证的
#所以此处关闭tunnel的认证#
allow l2tp virtual-template 1 #不多说了,l2tp的配置,关于后面的参数,官方配置文档上
#有解释#
l2tp enable #这条命令是开启L2TP功能的,千万不要忘了#
四、几个注意事项:
1、l2tp分配给客户的地址池pool里的地址用不用和Virtual-Template1的IP地址在一个网段上?
不用必须一致。这两个地址都可以随便定义,但最好不要跟内网地址段相同。如果和内网地址段相同,则需要在VPN上开启虚拟转发功能(自行查资料)。建议定义一个很奇怪的地址段。
2、l2tp分配给客户的地址,没有网关啊,怎么和内网通信?
没网关不要紧。但总部所有网段都要有到12.12.12.0这个网段的路由。不然客户端是不能访问到相应的内网地址的。比如此图Core-SW上就有ip route-static 12.12.12.0 255.255.255.0 192.168.10.10
3、l2tp 设备必须要旁挂么?
不是的。VPN组网方式一般采用直连,在出口路由或出口防火墙上配置。此处我只是模拟一种出口设备不支持VPN而且网络已经不能变动的情况,采用旁挂比较灵活。
4、防火墙的策略要开。
此处由于没用路由器,用防火墙代替的路由器,所以防火墙策略我全开了,只是模拟。实际组网要根据实际情况来做,但一定要记得,把该开的策略要开,接口要放在相应的安全区域内。尤其是Virtual-Template1这个接口一定要放在相应的区域并放行到这个接口的安全策略。
五、电脑端拨号配置
word/media/c4ca4238a0b923820dcc509a6f75849b.
word/media/c4ca4238a0b923820dcc509a6f75849b.
word/media/c4ca4238a0b923820dcc509a6f75849b.
word/media/c4ca4238a0b923820dcc509a6f75849b.
word/media/c4ca4238a0b923820dcc509a6f75849b.
word/media/c4ca4238a0b923820dcc509a6f75849b.
word/media/c4ca4238a0b923820dcc509a6f75849b.
word/media/c4ca4238a0b923820dcc509a6f75849b.
六、设备配置
1、VPN
15:15:51 2015/11/05 # interface Virtual-Template1 ppp authentication-mode chap pap alias Virtual-Template1 ip address 1.1.1.1 255.255.255.0 remote address pool # interface GigabitEthernet0/0/0 alias GE0/MGMT ip address 192.168.0.1 255.255.255.0 dhcp select interface dhcp server gateway-list 192.168.0.1 # interface GigabitEthernet0/0/1 # interface GigabitEthernet0/0/2 # interface GigabitEthernet0/0/3 # interface GigabitEthernet0/0/4 # interface GigabitEthernet0/0/5 # interface GigabitEthernet0/0/6 # interface GigabitEthernet0/0/7 # interface GigabitEthernet0/0/8 ip address 192.168.10.10 255.255.255.0 # interface NULL0 alias NULL0 # firewall zone local set priority 100 # firewall zone trust set priority 85 add interface GigabitEthernet0/0/0 add interface GigabitEthernet0/0/8 add interface Virtual-Template1 # firewall zone untrust set priority 5 # firewall zone dmz set priority 50 # l2tp-group 2 undo tunnel authentication allow l2tp virtual-template 1 # aaa local-user password cipher %$%$PjwKIZGx.Z-E}F2ceB+G>6-$%$%$ local-user service-type ppp local-user admin password cipher %$%$OMBCN93/(W;iZ:J&'8*F>MD;%$%$ local-user admin service-type web terminal telnet local-user admin level 15 ip pool 0 12.12.12.1 12.12.12.100 # authentication-scheme default # authorization-scheme default # accounting-scheme default # domain default # # nqa-jitter tag-version 1 # ip route-static 0.0.0.0 0.0.0.0 192.168.10.1 # banner enable # user-interface con 0 authentication-mode none user-interface vty 0 4 authentication-mode none protocol inbound all # slb # right-manager server-group # sysname VPN # l2tp enable l2tp domain suffix-separator @ # firewall packet-filter default permit interzone local trust direction inbound firewall packet-filter default permit interzone local trust direction outbound firewall packet-filter default permit interzone local untrust direction inbound firewall packet-filter default permit interzone local untrust direction outbound firewall packet-filter default permit interzone local dmz direction inbound firewall packet-filter default permit interzone local dmz direction outbound firewall packet-filter default permit interzone trust untrust direction inbound firewall packet-filter default permit interzone trust untrust direction outbound firewall packet-filter default permit interzone trust dmz direction inbound firewall packet-filter default permit interzone trust dmz direction outbound firewall packet-filter default permit interzone dmz untrust direction inbound firewall packet-filter default permit interzone dmz untrust direction outbound # ip df-unreachables enable # firewall ipv6 session link-state check firewall ipv6 statistic system enable # dns resolve # firewall statistic system enable # pki ocsp response cache refresh interval 0 pki ocsp response cache number 0 # undo dns proxy # license-server domain lic.huawei.com # web-manager enable # return 2、Core-SW # sysname Core # vlan batch 10 # cluster enable ntdp enable ndp enable # drop illegal-mac alarm # diffserv domain default # drop-profile default # aaa authentication-scheme default authorization-scheme default accounting-scheme default domain default domain default_admin local-user admin password simple admin local-user admin service-type http # interface Vlanif1 ip address 192.168.200.2 255.255.255.0 # interface Vlanif10 ip address 192.168.10.1 255.255.255.0 # interface MEth0/0/1 # interface GigabitEthernet0/0/1 port link-type access # interface GigabitEthernet0/0/2 port link-type access port default vlan 10 # interface GigabitEthernet0/0/3 # interface GigabitEthernet0/0/4 # interface GigabitEthernet0/0/5 # interface GigabitEthernet0/0/6 # interface GigabitEthernet0/0/7 # interface GigabitEthernet0/0/8 # interface GigabitEthernet0/0/9 # interface GigabitEthernet0/0/10 # interface GigabitEthernet0/0/11 # interface GigabitEthernet0/0/12 # interface GigabitEthernet0/0/13 # interface GigabitEthernet0/0/14 # interface GigabitEthernet0/0/15 # interface GigabitEthernet0/0/16 # interface GigabitEthernet0/0/17 # interface GigabitEthernet0/0/18 # interface GigabitEthernet0/0/19 # interface GigabitEthernet0/0/20 # interface GigabitEthernet0/0/21 # interface GigabitEthernet0/0/22 # interface GigabitEthernet0/0/23 # interface GigabitEthernet0/0/24 port link-type trunk port trunk allow-pass vlan 2 to 4094 # interface NULL0 # ip route-static 0.0.0.0 0.0.0.0 192.168.200.1 ip route-static 12.12.12.0 255.255.255.0 192.168.10.10 # user-interface con 0 user-interface vty 0 4 # return 3、FW 15:18:30 2015/11/05 # interface GigabitEthernet0/0/0 alias GE0/MGMT ip address 112.54.82.162 255.255.255.0 # interface GigabitEthernet0/0/1 # interface GigabitEthernet0/0/2 # interface GigabitEthernet0/0/3 # interface GigabitEthernet0/0/4 # interface GigabitEthernet0/0/5 # interface GigabitEthernet0/0/6 # interface GigabitEthernet0/0/7 # interface GigabitEthernet0/0/8 ip address 192.168.200.1 255.255.255.0 # interface NULL0 alias NULL0 # firewall zone local set priority 100 # firewall zone trust set priority 85 add interface GigabitEthernet0/0/8 # firewall zone untrust set priority 5 add interface GigabitEthernet0/0/0 # firewall zone dmz set priority 50 # aaa local-user admin password cipher %$%$`J+vB;%!Y=ZqM.LCB!"Z>d[R%$%$ local-user admin service-type web terminal telnet local-user admin level 15 authentication-scheme default # authorization-scheme default # accounting-scheme default # domain default # # nqa-jitter tag-version 1 # ip route-static 0.0.0.0 0.0.0.0 112.54.82.161 ip route-static 1.1.1.0 255.255.255.0 192.168.200.2 ip route-static 12.12.12.0 255.255.255.0 192.168.200.2 ip route-static 192.168.10.0 255.255.255.0 192.168.200.2 # banner enable # user-interface con 0 authentication-mode none user-interface vty 0 4 authentication-mode none protocol inbound all # slb # right-manager server-group # sysname FW # l2tp domain suffix-separator @ # firewall packet-filter default permit interzone local trust direction inbound firewall packet-filter default permit interzone local trust direction outbound firewall packet-filter default permit interzone local untrust direction inbound firewall packet-filter default permit interzone local untrust direction outbound firewall packet-filter default permit interzone local dmz direction inbound firewall packet-filter default permit interzone local dmz direction outbound firewall packet-filter default permit interzone trust untrust direction inbound firewall packet-filter default permit interzone trust untrust direction outbound firewall packet-filter default permit interzone trust dmz direction inbound firewall packet-filter default permit interzone trust dmz direction outbound firewall packet-filter default permit interzone dmz untrust direction inbound firewall packet-filter default permit interzone dmz untrust direction outbound # nat server 0 global 112.54.82.160 inside 192.168.10.10 # ip df-unreachables enable # firewall ipv6 session link-state check firewall ipv6 statistic system enable # dns resolve # firewall statistic system enable # pki ocsp response cache refresh interval 0 pki ocsp response cache number 0 # undo dns proxy # license-server domain lic.huawei.com # web-manager enable # nat-policy interzone trust untrust outbound policy 1 action source-nat easy-ip GigabitEthernet0/0/0 policy 2 # return 4、分支机构的出口路由配置 [Router]dis cur 15:19:54 2015/11/05 # stp region-configuration region-name 103d15909d active region-configuration # interface GigabitEthernet0/0/0 alias GE0/MGMT # interface GigabitEthernet0/0/1 ip address 10.10.10.2 255.255.255.0 # interface GigabitEthernet0/0/2 ip address 192.168.218.222 255.255.255.0 # interface GigabitEthernet0/0/3 # interface GigabitEthernet0/0/4 # interface GigabitEthernet0/0/5 # interface Gigabi interface GigabitEthernet0/0/7 # interface GigabitEthernet0/0/8 # interface NULL0 alias NULL0 # firewall zone local set priority 100 # firewall zone trust set priority 85 add interface GigabitEthernet0/0/2 # firewall zone untrust set priority 5 add interface GigabitEthernet0/0/0 add interface GigabitEthernet0/0/1 # firewall zone dmz set priority 50 # aaa local-user admin password cipher %$%$y[x_X1F#m1*kz]S6@Ca'>RI@%$%$ local-user admin service-type web terminal telnet local-user admin level 15 authentication-scheme default # authorization-scheme default # accounting-scheme default # domain default # # nqa-jitter tag-version 1 # ip route-static 0.0.0.0 0.0.0.0 112.54.82.162 ip route-static 0.0.0.0 0.0.0.0 10.10.10.1 # banner enable # user-interface con 0 authentication-mode none user-interface vty 0 4 authentication-mode none protocol inbound all # slb # right-manager server-group # sysname Router # l2tp domain suffix-separator @ # firewall packet-filter default permit interzone local trust direction inbound firewall packet-filter default permit interzone local trust direction outbound firewall packet-filter default permit interzone local untrust direction inbound firewall packet-filter default permit interzone local untrust direction outbound firewall packet-filter default permit interzone local dmz direction inbound firewall packet-filter default permit interzone local dmz direction outbound firewall packet-filter default permit interzone trust untrust direction inbound firewall packet-filter default permit interzone trust untrust direction outbound firewall packet-filter default permit interzone trust dmz direction inbound firewall packet-filter default permit interzone trust dmz direction outbound firewall packet-filter default permit interzone dmz untrust direction inbound firewall packet-filter default permit interzone dmz untrust direction outbound # ip df-unreachables enable # firewall ipv6 session link-state check firewall ipv6 statistic system enable # dns resolve # firewall statistic system enable # pki ocsp response cache refresh interval 0 pki ocsp response cache number 0 # undo dns proxy # license-server domain lic.huawei.com # web-manager enable # nat-policy interzone trust untrust outbound policy 1 action source-nat easy-ip GigabitEthernet0/0/1 # return 5、ISP的配置就是接口,没有路由。
Copyright © 2019-2025 51dongshi.net 版权所有
违法及侵权请联系:TEL:177 7030 7066 E-MAIL:11247931@qq.com 本站由北京市万商天勤律师事务所王兴未律师提供法律服务
