
Typical configurations of several L2TP+IPsec+NAT VPN network combinations when using the SecPoint 2.03 client software

2024-07-04 Source: 易榕旅网

Contents:

1 PC as LAC, initiating the L2TP tunnel directly
  1.1 LNS-side interface has a public address
  1.2 LNS-side interface has a private address
2 PC as LAC, initiating the L2TP tunnel directly, data encrypted with IPsec
  2.1 LNS-side interface has a public address
  2.2 LNS-side interface has a private address
3 PC as LAC, initiating the L2TP tunnel through NAT, data encrypted with IPsec
  3.1 LNS-side interface has a public address
  3.2 LNS-side interface has a private address

All configurations below use VRP 3.3 as the platform.

1 PC as LAC, initiating the L2TP tunnel directly

1.1 LNS-side interface has a public address

Topology: PC with LAC client software (202.38.1.2) <-> LNS (202.38.1.1)

LNS configuration:

[LNS] l2tp enable                            // enable L2TP
#
local-user vpnuser password simple vpnuser   // L2TP username and password
#
aaa enable                                   // enable AAA
#
ip pool 1 10.1.2.10 10.1.2.20                // address pool handed out to L2TP clients
#
interface Virtual-Template0                  // virtual template interface on which L2TP terminates
 ip address 10.1.2.1 255.255.255.0
 remote address pool 1                       // give L2TP clients addresses from pool 1
 ppp authentication-mode pap
#
l2tp-group 1                                 // create the L2TP group
 undo tunnel authentication                  // disable tunnel authentication; it is on by default, and when on the LAC and LNS must both be configured with the tunnel password
 allow l2tp virtual-template 0               // accept L2TP on virtual template 0
#

SecPoint main configuration: shown in a screenshot on the original page (not reproduced here).

Note that nothing protects the tunnel in this scenario: PAP carries the user password in cleartext inside PPP, and with tunnel authentication disabled any host that can reach UDP port 1701 on the LNS can attempt the L2TP/PPP login. Sections 2 and 3 wrap the tunnel in IPsec.

1.2 LNS-side interface has a private address

Topology: PC with LAC client software (2.2.2.2) <-> NAT (2.2.2.1 | 202.38.1.2) <-> LNS (202.38.1.1)

202.38.1.0 is the private segment; 2.2.2.0 is the public segment.

The LNS configuration is the same as in 1.1. NAT configuration:

#
 sysname Quidway
#
 FTP server enable
#
interface Aux0
 async mode flow
#
interface Ethernet0/0
 ip address 202.38.1.2 255.255.255.0
#
interface Ethernet0/1
 ip address 2.2.2.1 255.255.255.0
 nat outbound 3001
 nat server protocol udp global 2.2.2.1 any inside 202.38.1.1 any
#
interface Serial0/0
 clock DTECLK1
 link-protocol ppp
 ip address ppp-negotiate
#
interface NULL0
#
acl number 3001 match-order auto
 rule 0 permit ip source 202.38.1.0 0.0.0.255
 rule 1 deny ip
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
 authentication-mode scheme
#
return

The "nat server" line maps every UDP port of 2.2.2.1 to the LNS. In this scenario only L2TP (UDP 1701) has to reach the LNS, so the mapping can be restricted to that port. "FTP server enable" is not needed for the VPN and is better left off on the Internet-facing router.

SecPoint configuration: shown in a screenshot on the original page (not reproduced here).

2 PC as LAC, initiating the L2TP tunnel directly, data encrypted with IPsec

2.1 LNS-side interface has a public address

Topology: PC with LAC client software (202.38.1.2) <-> LNS (202.38.1.1)

LNS-side configuration:

#
 sysname Quidway
#
 FTP server enable
#
 l2tp enable
#
local-user vpnuser password simple vpnuser
#
ip pool 1 10.1.2.10 10.1.2.20
#
 aaa enable
#
 ike local-name lns
#
ike peer 1
 exchange-mode aggressive
 pre-shared-key 12345
 id-type name
 remote-name client
 nat traversal
#
ipsec card-proposal p1                       // encryption is done by the encryption card
 use encrypt-card 1/0
#
ipsec policy-template temp1 1
 ike-peer 1
 proposal p1
#
ipsec policy policy1 1 isakmp template temp1
#
interface Virtual-Template0
 ip address 10.1.2.1 255.255.255.0
 ppp authentication-mode pap
 remote address pool 1
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface Ethernet0/0
 ip address 202.38.1.1 255.255.255.0
 ipsec policy policy1
#
interface Ethernet0/1
#
interface Serial0/0
 clock DTECLK1
 link-protocol ppp
#
interface Encrypt1/0
#
interface NULL0
#
interface LoopBack1
 ip address 192.168.1.1 255.255.255.0
#
l2tp-group 1
 undo tunnel authentication
 mandatory-lcp
 allow l2tp virtual-template 0
#
 ip route-static 0.0.0.0 0.0.0.0 202.38.1.2 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
#
return

Two settings here are what a reviewer would tighten before deployment: "pre-shared-key 12345" is a trivially guessable key, and IKE aggressive mode with a pre-shared key sends the identity unprotected and lets a passive observer capture material for an offline dictionary attack on the key. Aggressive mode is used because the client is identified by name ("id-type name") rather than by a fixed address, so the pre-shared key must be strong. With IPsec in place the PAP password at least travels inside the ESP tunnel rather than on the wire.
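As an added example (not VRP, SecPoint, or the page's own code), the following Python script audits configuration text in the VRP style used on this page for the settings that sections 1.1, 1.2 and 2.1 rely on but that a reviewer would tighten before deployment: a cleartext password in the configuration, PAP without IPsec, disabled L2TP tunnel authentication, aggressive mode with a pre-shared key, an all-ports UDP "nat server" mapping, and an unneeded FTP service. The two configuration strings are assembled from the page's own LNS and NAT snippets; the port numbers (UDP 1701 for L2TP, 500 for IKE, 4500 for NAT-T) are the standard ones, and the tightened "nat server" lines assume VRP accepts a port number in the position where the page writes "any".

```python
"""Audit VRP 3.3-style L2TP / IPsec / NAT configuration text for weak settings.

Added example for this page; not VRP, SecPoint or vendor code.  The two
configuration strings are assembled from the page's own LNS and NAT snippets.
"""
import re

L2TP_UDP_PORT = 1701   # L2TP control and data, used when L2TP is not inside IPsec
IKE_UDP_PORT = 500     # ISAKMP / IKE
NAT_T_UDP_PORT = 4500  # IKE and UDP-encapsulated ESP once NAT is detected (NAT-T)

# From the page's LNS configuration (sections 1.1 and 2.1), trimmed to the relevant blocks.
LNS_CONFIG = """\
 l2tp enable
#
local-user vpnuser password simple vpnuser
#
ike peer 1
 exchange-mode aggressive
 pre-shared-key 12345
 id-type name
 remote-name client
 nat traversal
#
interface Virtual-Template0
 ip address 10.1.2.1 255.255.255.0
 ppp authentication-mode pap
 remote address pool 1
#
l2tp-group 1
 undo tunnel authentication
 allow l2tp virtual-template 0
"""

# From the page's NAT configuration (section 1.2).
NAT_CONFIG = """\
 FTP server enable
#
interface Ethernet0/1
 ip address 2.2.2.1 255.255.255.0
 nat outbound 3001
 nat server protocol udp global 2.2.2.1 any inside 202.38.1.1 any
"""


def split_blocks(config):
    """Split VRP configuration text into blocks at the '#' separator lines."""
    blocks, current = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def audit(config, ipsec_in_use):
    """Return (severity, rule, offending line) tuples for the weak settings found.

    ipsec_in_use: True when the L2TP tunnel runs inside IPsec (sections 2 and 3);
    PAP is then a cleartext-inside-the-tunnel issue rather than an on-the-wire one.
    """
    findings = []
    for block in split_blocks(config):
        head = block[0]
        for line in block:
            if re.match(r"local-user \S+ password simple ", line):
                findings.append(("medium", "cleartext-password-in-config", line))
            elif line == "undo tunnel authentication":
                findings.append(("low", "l2tp-tunnel-auth-disabled", line))
            elif line == "ppp authentication-mode pap":
                severity = "low" if ipsec_in_use else "high"
                findings.append((severity, "pap-password-in-clear", line))
            elif line == "FTP server enable":
                findings.append(("medium", "unneeded-ftp-service", line))
            elif re.match(r"nat server protocol udp global \S+ any inside \S+ any$", line):
                findings.append(("high", "nat-forwards-all-udp-ports", line))
        # Aggressive mode + PSK is only flagged when both appear in the same ike peer block.
        if (head.startswith("ike peer")
                and "exchange-mode aggressive" in block
                and any(item.startswith("pre-shared-key ") for item in block)):
            findings.append(("high", "aggressive-mode-with-psk", head))
    return findings


def tightened_nat_server(global_ip, inside_ip, with_ipsec):
    """Replace the page's all-ports mapping with one mapping per required port.

    Without IPsec only L2TP itself (UDP 1701) must reach the LNS.  With IPsec and
    NAT traversal, IKE (UDP 500) and UDP-encapsulated ESP (UDP 4500) are what cross
    the NAT; L2TP rides inside the ESP tunnel.  Assumption: VRP accepts a port
    number where the page's command writes 'any'.
    """
    ports = [IKE_UDP_PORT, NAT_T_UDP_PORT] if with_ipsec else [L2TP_UDP_PORT]
    return [f"nat server protocol udp global {global_ip} {p} inside {inside_ip} {p}"
            for p in ports]


if __name__ == "__main__":
    for sev, rule, line in audit(LNS_CONFIG, False) + audit(NAT_CONFIG, False):
        print(f"[{sev:6}] {rule:30} {line}")
    print("\n".join(tightened_nat_server("2.2.2.1", "202.38.1.1", with_ipsec=False)))
```

Run as a script it prints the findings for the page's configuration and the narrowed "nat server" lines for the section 1.2 NAT box; pass ipsec_in_use=True for the section 2 and 3 scenarios, where PAP drops to a low-severity finding because the password no longer crosses the public network in the clear.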

LAC client configuration: shown in a screenshot on the original page (not reproduced here).

It is recommended to enable NAT traversal on the client. With NAT traversal enabled, the client automatically detects whether a NAT device is on the path: if NAT is present, the IPsec packets are sent with an extra UDP header (UDP encapsulation) so that they pass through the NAT; if not, nothing is changed.
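The detection described above is the IKEv1 NAT-Traversal mechanism (RFC 3947): each side sends NAT-D payloads carrying HASH(CKY-I | CKY-R | IP | Port), first for the peer's address and then for its own, and the receiver compares them with the address and port it actually sees on the packet. A mismatch means a NAT rewrote the header, and both sides then move to UDP port 4500 and UDP-encapsulate ESP. The following Python is an added worked example (not SecPoint or VRP code) that computes the payloads for the page's section 3.1 topology, where the PC at 2.2.2.2 is seen by the LNS as 202.38.1.2, and for the section 2.1 topology with no NAT in between. The ISAKMP cookie values are constructed, and SHA-1 is assumed as the negotiated hash.

```python
"""IKEv1 NAT-Traversal detection with NAT-D payloads (RFC 3947 section 3.2).

Added example for this page; not SecPoint or VRP code.  Addresses follow the
page's topologies; cookies are constructed sample values.
"""
import hashlib
import ipaddress
import struct

IKE_PORT = 500      # IKE phase 1 starts here
NAT_T_PORT = 4500   # IKE and UDP-encapsulated ESP move here once NAT is detected

# Constructed 8-byte ISAKMP cookies (initiator and responder).
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("a1a2a3a4a5a6a7a8")


def nat_d_hash(cky_i, cky_r, ip, port, algo="sha1"):
    """HASH(CKY-I | CKY-R | IP | Port); IP and port in network byte order."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    packed_ip = ipaddress.ip_address(ip).packed
    return hashlib.new(algo, cky_i + cky_r + packed_ip + struct.pack("!H", port)).digest()


def build_nat_d_payloads(cky_i, cky_r, local_ip, local_port, remote_ip, remote_port):
    """A peer sends the hash of the *remote* address first, then of its own address."""
    return [nat_d_hash(cky_i, cky_r, remote_ip, remote_port),
            nat_d_hash(cky_i, cky_r, local_ip, local_port)]


def detect_nat(cky_i, cky_r, received, my_ip, my_port, observed_src_ip, observed_src_port):
    """Evaluate received NAT-D payloads on the receiving side.

    received[0] is the sender's view of my address; received[1:] are the sender's
    view of its own addresses.  Each is compared with what is actually on the wire.
    Returns (i_am_behind_nat, peer_is_behind_nat).
    """
    i_am_behind_nat = received[0] != nat_d_hash(cky_i, cky_r, my_ip, my_port)
    peer_view = nat_d_hash(cky_i, cky_r, observed_src_ip, observed_src_port)
    peer_is_behind_nat = peer_view not in received[1:]
    return i_am_behind_nat, peer_is_behind_nat


def choose_transport(i_am_behind_nat, peer_is_behind_nat):
    """UDP 4500 encapsulation if either side is behind NAT, else plain ESP (None)."""
    return NAT_T_PORT if (i_am_behind_nat or peer_is_behind_nat) else None


def run_page_scenario():
    """Section 3.1: PC 2.2.2.2 behind a NAT that rewrites it to 202.38.1.2; LNS 202.38.1.1."""
    client_payloads = build_nat_d_payloads(CKY_I, CKY_R, "2.2.2.2", IKE_PORT,
                                           "202.38.1.1", IKE_PORT)
    # The LNS sees the packet arrive from the NAT's public address, not from 2.2.2.2.
    return detect_nat(CKY_I, CKY_R, client_payloads, "202.38.1.1", IKE_PORT,
                      "202.38.1.2", IKE_PORT)


def run_direct_scenario():
    """Section 2.1: PC 202.38.1.2 talks to LNS 202.38.1.1 with no NAT in between."""
    client_payloads = build_nat_d_payloads(CKY_I, CKY_R, "202.38.1.2", IKE_PORT,
                                           "202.38.1.1", IKE_PORT)
    return detect_nat(CKY_I, CKY_R, client_payloads, "202.38.1.1", IKE_PORT,
                      "202.38.1.2", IKE_PORT)


if __name__ == "__main__":
    for name, result in (("through NAT", run_page_scenario()), ("direct", run_direct_scenario())):
        me, peer = result
        print(f"{name}: LNS behind NAT={me}, client behind NAT={peer}, "
              f"transport={choose_transport(me, peer) or 'ESP'}")
```

In the NAT scenario the LNS finds that the client's self-hash was computed over 2.2.2.2 while the packet arrived from 202.38.1.2, so it concludes the client is behind NAT and the session moves to UDP 4500; in the direct scenario both hashes match and ESP stays un-encapsulated, which is exactly the "no NAT, nothing changes" behaviour the page describes.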

2.2 LNS-side interface has a private address

Topology: PC with LAC client software (2.2.2.2) <-> NAT (2.2.2.1 | 202.38.1.2) <-> LNS (202.38.1.1)

2.2.2.0 is the public segment; 202.38.1.0 is the private segment. The LNS-side configuration is the same as in 2.1.

LAC client configuration: shown in a screenshot on the original page (not reproduced here). The remaining SecPoint configuration is the same as in 2.1.

Settings for the VPN client built into Windows XP: shown in a screenshot on the original page (not reproduced here).

3 PC as LAC, initiating the L2TP tunnel through NAT, data encrypted with IPsec

3.1 LNS-side interface has a public address

Topology: PC with LAC client software (2.2.2.2) <-> NAT (2.2.2.1 | 202.38.1.2) <-> LNS (202.38.1.1)

2.2.2.0 is the private segment; 202.38.1.0 is the public segment. The LNS-side configuration is identical to the one in 2.1.

Configuration on the NAT device:

The NAT device only needs to translate the private segment 2.2.2.0 to the public segment 202.38.1.0; the configuration is omitted.

Configuration on SecPoint: shown in a screenshot on the original page (not reproduced here).

3.2 LNS-side interface has a private address

Topology: PC with LAC client software (10.1.2.2) <-> NAT1 (10.1.2.1 | 2.2.2.2) <-> NAT2 (2.2.2.1 | 202.38.1.2) <-> LNS (202.38.1.1)

10.1.2.0 and 202.38.1.0 are private segments; 2.2.2.0 is the public segment.

The LNS-side configuration is the same as in 3.1.

NAT1 translates the private segment 10.1.2.0 to the public segment 2.2.2.0; its configuration is omitted. The NAT2 configuration is the same as the NAT configuration in 2.2. The client software configuration is the same as in 2.2.

Note that in this topology the PC's own LAN (10.1.2.0, gateway 10.1.2.1 on NAT1) is the same prefix the LNS hands out from pool 1 (10.1.2.10 to 10.1.2.20, with 10.1.2.1 on Virtual-Template0). In a real deployment choose a pool that does not overlap the client's local subnet, otherwise the client's routes to its gateway and to the tunnel peer collide.
