I. Lab objective and topology
Lab objective: establish an L2TP tunnel between an L2TP client and an LNS server and carry it over an IPsec network. The L2TP-over-IPsec client is the Windows built-in client (Cloud3); on AR1 the internal LNS server (FW1) is mapped to the outside network through NAT.
II. Basic configuration
(1) Configure the interface addresses as shown in the topology diagram
(2) Run OSPF on R1 and FW1 to advertise the internal routes, have R1 advertise a default route, and map the firewall address to the outside through NAT on G0/0/0
[R1-ospf-1]dis th
#
ospf 1
default-route-advertise
area 0.0.0.0
network 10.1.0.0 0.0.255.255
#
[R1-GigabitEthernet0/0/0]dis th
#
interface GigabitEthernet0/0/0
ip address 155.1.12.1 255.255.255.0
nat server protocol udp global 155.1.12.12 4500 inside 10.1.121.12 4500
nat server protocol udp global 155.1.12.12 500 inside 10.1.121.12 500
#
(3) Security policy
[FW1-policy-security]dis th
#
security-policy
rule name LOCAL_TO_ANY
source-zone local
action permit
rule name OUT_TO_LOCAL
source-zone untrust
destination-zone local
service protocol udp destination-port 4500
service protocol udp destination-port 500
action permit
rule name DMZ_TO_IN
source-zone dmz
destination-zone trust
source-address 192.168.0.0 mask 255.255.255.0
destination-address 10.1.12.0 mask 255.255.255.0
action permit
#
III. Detailed configuration
(1) Configuration on FW1 (the LNS)
1. IPsec configuration (transport mode is mandatory, and algorithms such as 3DES and SHA1 must match those used by the Windows client)
#
ipsec proposal LAN_SET
encapsulation-mode transport
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ike proposal 10
encryption-algorithm 3des
dh group2
authentication-algorithm sha1
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer ALL
pre-shared-key HUAWEI
ike-proposal 10
#
ipsec policy-template DY_MAP 10
ike-peer ALL
proposal LAN_SET
#
ipsec policy LAN_MAP 10 isakmp template DY_MAP
#
2. L2TP configuration
Define the address pool for L2TP users
[FW1-ip-pool-L2TP_POOL]dis th
#
ip pool L2TP_POOL
section 0 192.168.0.1 192.168.0.10
#
In AAA, create a service scheme and bind the address pool to it
[FW1-aaa]service-scheme LOCAL
[FW1-aaa-service-LOCAL]DIS TH
#
service-scheme LOCAL
ip-pool L2TP_POOL
#
On the virtual-template interface, set the PPP authentication mode and IP address and bind the service scheme
[FW1-Virtual-Template1]DIS TH
#
interface Virtual-Template1
ppp authentication-mode chap
remote service-scheme LOCAL
ip address 192.168.0.12 255.255.255.0
#
In the L2TP default-lns group, disable tunnel authentication, bind the virtual-template interface and specify the remote domain
[FW1-l2tp-default-lns]dis th
#
l2tp-group default-lns
undo tunnel authentication
allow l2tp virtual-template 1 domain default
#
Create the login account and set its password
[FW1]user-manage user USER
[FW1-localuser-user]password Huawei@123
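The IPsec note above (transport mode, algorithms matching the Windows client) and the NAT mappings on R1 are the points that most often break an L2TP-over-IPsec setup behind NAT. The following added audit script is not part of this lab; it checks a pasted Huawei-style config fragment for those requirements and flags the legacy algorithms and disabled tunnel authentication used here. The sample text is constructed from the fragments in this lab.

```python
import re

# Constructed sample: the R1 NAT lines and FW1 IPsec/L2TP fragments from this lab, concatenated.
SAMPLE_CONFIG = """
ipsec proposal LAN_SET
 encapsulation-mode transport
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
ike proposal 10
 encryption-algorithm 3des
 dh group2
 authentication-algorithm sha1
 authentication-method pre-share
nat server protocol udp global 155.1.12.12 4500 inside 10.1.121.12 4500
nat server protocol udp global 155.1.12.12 500 inside 10.1.121.12 500
l2tp-group default-lns
 undo tunnel authentication
"""

# Algorithm tokens that interoperate with the Windows built-in client but are legacy today.
LEGACY_ALGS = {"des", "3des", "md5", "sha1", "group1", "group2"}
NAT_SERVER_RE = re.compile(r"nat server protocol udp global \S+ (\d+) inside \S+ (\d+)")

def audit_l2tp_ipsec(config: str) -> dict:
    """Audit an LNS-behind-NAT config; returns {check: (passed, detail)}."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = {}
    # L2TP/IPsec with the Windows client requires ESP transport mode on the LNS.
    findings["transport_mode"] = (
        "encapsulation-mode transport" in lines,
        "ipsec proposal must use 'encapsulation-mode transport'")
    # Both IKE (UDP 500) and NAT-T (UDP 4500) must be forwarded to the LNS,
    # and the global and inside ports must match.
    mapped = {int(m.group(2)) for m in map(NAT_SERVER_RE.match, lines)
              if m and m.group(1) == m.group(2)}
    findings["natt_ports"] = (
        {500, 4500} <= mapped,
        f"UDP ports mapped to the LNS: {sorted(mapped)} (need 500 and 4500)")
    # Flag the legacy crypto this lab relies on so it can be tracked for replacement.
    legacy = sorted({tok for ln in lines for tok in ln.split() if tok in LEGACY_ALGS})
    findings["legacy_algorithms"] = (
        not legacy, f"legacy IKE/ESP algorithms in use: {legacy}")
    # Tunnel authentication is off here; only the IPsec SA and PPP CHAP then protect L2TP.
    findings["tunnel_auth"] = (
        "undo tunnel authentication" not in lines,
        "L2TP tunnel authentication disabled; relying on IPsec and PPP CHAP")
    return findings

if __name__ == "__main__":
    for name, (ok, detail) in audit_l2tp_ipsec(SAMPLE_CONFIG).items():
        print(f"[{'PASS' if ok else 'WARN'}] {name}: {detail}")
```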
(2) Windows client configuration
IV. Verification
Check the IPsec and L2TP connection status on FW1 (the LNS)
[FW1]dis ike sa
IKE SA information :
Conn-ID  Peer                 VPN  Flag(s)  Phase  RemoteType  RemoteID
--------------------------------------------------------------------------------
12       155.1.2.10:4500           RD|A     v1:2   IP          155.1.2.10
11       155.1.2.10:4500           RD|A     v1:1   IP          155.1.2.10
Number of IKE SA : 2
--------------------------------------------------------------------------------
[FW1]dis l2tp tunnel
L2TP::Total Tunnel: 1
LocalTID RemoteTID RemoteAddress Port Sessions RemoteName VpnInstance
------------------------------------------------------------------------------
1 3 155.1.2.10 1701 1 WIN-PMUL...
------------------------------------------------------------------------------
Total 1, 1 printed
[FW1]dis l2tp session
L2TP::Total Session: 1
LocalSID RemoteSID LocalTID RemoteTID UserID UserName VpnInstance
------------------------------------------------------------------------------
3 1 1 3 262 USER
------------------------------------------------------------------------------
Total 1, 1 printed
Ping the server from the Windows client
PS C:\Users\Administrator> ping 10.1.12.10
正在 Ping 10.1.12.10 具有 32 字节的数据:
来自 10.1.12.10 的回复: 字节=32 时间=12ms TTL=254
来自 10.1.12.10 的回复: 字节=32 时间=12ms TTL=254