Configuring the L2TP function on the Huawei Secpath 1000F firewall

Submitted by ≡放荡痞女 on 2019-11-30 11:41:33

1. Networking requirements:

    Mobile users on the public network need to connect to the company's internal network over a VPN in order to use internal network resources. Dialing in via L2TP meets this requirement.

 

 

2. Network diagram

    [figure: network diagram]

3. Firewall configuration:

         Applicable firewall models:          Secpath1000F and all lower models

         Applicable firewall kernel versions: all firewall software kernel versions

 

#
 sysname Quidway
#
 l2tp enable                                   // enable L2TP
#
 firewall packet-filter enable
 firewall packet-filter default permit
#
 insulate
#
 undo connection-limit enable
 connection-limit default deny
 connection-limit default amount upper-limit 50 lower-limit 20
#
 firewall statistic system enable
#
radius scheme system
#
domain system
domain test.com                                // create a new domain to answer dial-in
 ip pool 99 172.16.1.1 172.16.1.10             // create the address pool for this domain
#
local-user test                                // create the user that will dial in
 password simple test
 service-type ppp                              // note that the service type here is ppp
#
interface Virtual-Template0                    // create the virtual template that answers dial-in
 ppp authentication-mode chap                  // set the authentication method to chap
 description ## the test.com domain ##         // description
 ip address 172.16.1.254 255.255.255.0         // configure the virtual template address
 remote address pool 99                        // specify which address pool the remote client is assigned from
#
interface Aux0
 async mode flow
#
interface Ethernet0/0
#
interface Ethernet0/1
#
interface Ethernet0/2
#
interface Ethernet0/3
 ip address 192.168.1.254 255.255.255.0
#
interface Ethernet1/0
#
interface Ethernet1/1
#
interface Ethernet1/2
 ip address 202.96.199.254 255.255.255.0
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 add interface Ethernet0/3
 set priority 85
#
firewall zone untrust
 add interface Ethernet1/2
 add interface Virtual-Template0               // add the virtual template to the zone
 set priority 5
#
firewall zone DMZ
 set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
l2tp-group 10
 undo tunnel authentication                    // do not use tunnel authentication
 allow l2tp virtual-template 0 remote h3csec-test domain test.com
                                               // bind the template that answers this dial-in; h3csec-test is the remote PC's name
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
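As an added review aid (not part of the original post), the Python script below scans a Comware-style configuration excerpt like the one above for the three settings a security reviewer would flag in this example (the clear-text `password simple`, `undo tunnel authentication`, and `firewall packet-filter default permit`) and checks that every `remote address pool` referenced by a virtual template is actually defined with `ip pool`. The excerpt is constructed from the configuration shown; the check list and function names are this script's own assumptions, not firewall commands.

```python
import re

# Constructed excerpt of the firewall configuration shown on this page
# (not the full running-config); the auditor reads text in this form.
SAMPLE_CONFIG = """\
 l2tp enable
 firewall packet-filter enable
 firewall packet-filter default permit
domain test.com
 ip pool 99 172.16.1.1 172.16.1.10
local-user test
 password simple test
 service-type ppp
interface Virtual-Template0
 ppp authentication-mode chap
 ip address 172.16.1.254 255.255.255.0
 remote address pool 99
l2tp-group 10
 undo tunnel authentication
 allow l2tp virtual-template 0 remote h3csec-test domain test.com
"""

# (regex, finding): each pattern matches one configuration line from the
# page; the finding states what that line does. This list is an assumption.
CHECKS = [
    (r"^\s*firewall packet-filter default permit\b",
     "packet filter default action is permit, not deny"),
    (r"^\s*password simple\b",
     "local-user password stored in clear text (password simple)"),
    (r"^\s*undo tunnel authentication\b",
     "L2TP tunnel authentication disabled in l2tp-group"),
]

def audit_l2tp_config(config_text):
    """Return (line_number, line, finding) for every line matching a check."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        for pattern, finding in CHECKS:
            if re.search(pattern, line):
                findings.append((lineno, line.strip(), finding))
    return findings

def undefined_pools(config_text):
    """Pool numbers used by 'remote address pool' but never defined by 'ip pool'."""
    defined = set(re.findall(r"^\s*ip pool (\d+)\b", config_text, re.M))
    used = set(re.findall(r"^\s*remote address pool (\d+)\b", config_text, re.M))
    return sorted(used - defined)
```

Run it against a saved `display current-configuration` dump in place of `SAMPLE_CONFIG` to get the same findings for a real device.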

 

Client settings:

1. Disable certificate authentication (by editing the registry and adding a ProhibitIpSec value set to 1)

   The location is shown in the figure below:

      [figure: registry location]

      The added value is shown in the figure below:

      [figure: added registry value]

2. Create the dial-up connection (using the Microsoft connection wizard):

        The option to watch for is shown in the figure below: select L2TP IPSec VPN; the other options can be left at their default values

        [figure: VPN type selection]

        Note that the user name and password must match the user name and password created on the firewall

        [figure: connection credentials]

 

        

 

 

Check whether the session and tunnel have been established as follows:

 

 

<Quidway>dis l2tp session
 Total session = 1
 LocalSID  RemoteSID  LocalTID  IdleTimeLeft
  26744     1          1        NOT SET

<Quidway>dis l2tp tunn
 Total tunnel = 1
 LocalTID RemoteTID RemoteAddress    Port   Sessions RemoteName  KeepStanding
 1        18        202.96.199.100   1701   1        h3csec-test  NO

 


Article reposted from http://bbs.net527.cn (无忧网客联盟)
