Contents:
1 PC as LAC initiating an L2TP tunnel directly
  1.1 LNS-side interface address is a public address
  1.2 LNS-side interface address is a private address
2 PC as LAC initiating an L2TP tunnel directly, data encrypted with IPsec
  2.1 LNS-side interface address is a public address
  2.2 LNS-side interface address is a private address
3 PC as LAC initiating an L2TP tunnel through NAT, data encrypted with IPsec
  3.1 LNS-side interface address is a public address
  3.2 LNS-side interface address is a private address
All configurations below are based on the VRP 3.3 platform.
1 PC as LAC initiating an L2TP tunnel directly

1.1 LNS-side interface address is a public address

Topology: PC with LAC client software (202.38.1.2) ---- LNS (202.38.1.1)
LNS configuration:

[LNS] l2tp enable                               # enable L2TP
#
 local-user vpnuser password simple vpnuser     # L2TP username and password
#
 aaa enable                                     # enable AAA
#
 ip pool 1 10.1.2.10 10.1.2.20                  # address pool handed out to L2TP clients
#
interface Virtual-Template0                     # virtual-template interface for L2TP
 ip address 10.1.2.1 255.255.255.0
 remote address pool 1                          # assign L2TP clients addresses from pool 1
 ppp authentication-mode pap
#
l2tp-group 1                                    # create the L2TP group
 undo tunnel authentication                     # disable tunnel authentication; it is on by default, and then both LAC and LNS must be configured with the same tunnel password
 allow l2tp virtual-template 0                  # accept L2TP on Virtual-Template0
#

Note that with `undo tunnel authentication` the LNS accepts a tunnel from any LAC that reaches UDP 1701; only the PPP user authentication (here PAP, with the password sent in clear inside the L2TP session) then stands between the Internet and the 10.1.2.0 pool.

[Secpoint main configuration] (client screenshot not included in this extraction)
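What `undo tunnel authentication` switches off is the challenge/response carried in the SCCRQ, SCCRP and SCCCN control messages (RFC 2661). The following added example, written for this note and not taken from the Quidway documentation or any client software, builds those three messages, parses them, and performs the check an LNS does when tunnel authentication is enabled. The AVP encoding and the MD5 response formula are from RFC 2661; the tunnel IDs, sequence numbers and secrets are constructed values.

```python
import hashlib
import hmac
import os
import struct

# AVP attribute types and control message types (RFC 2661 section 4.4).
AVP_MESSAGE_TYPE = 0
AVP_PROTOCOL_VERSION = 2
AVP_HOST_NAME = 7
AVP_ASSIGNED_TUNNEL_ID = 9
AVP_CHALLENGE = 11
AVP_CHALLENGE_RESPONSE = 13
MSG_SCCRQ, MSG_SCCRP, MSG_SCCCN = 1, 2, 3


def build_avp(attr, value, mandatory=True):
    """AVP header: 16-bit flags/length (M bit 0x8000, length in the low 10 bits),
    16-bit vendor ID (0 = IETF), 16-bit attribute type, then the value."""
    length = 6 + len(value)
    return struct.pack("!HHH", (0x8000 if mandatory else 0) | length, 0, attr) + value


def build_control_message(tunnel_id, session_id, ns, nr, avps):
    """L2TPv2 control header: T=1, L=1, S=1, Ver=2, then Length, Tunnel ID,
    Session ID, Ns and Nr (RFC 2661 section 3.1)."""
    body = b"".join(avps)
    flags_ver = 0x8000 | 0x4000 | 0x0800 | 0x0002
    return struct.pack("!HHHHHH", flags_ver, 12 + len(body),
                       tunnel_id, session_id, ns, nr) + body


def parse_control_message(data):
    """Decode the header and AVP list; AVPs are keyed by attribute type."""
    flags_ver, length, tid, sid, ns, nr = struct.unpack("!HHHHHH", data[:12])
    if not (flags_ver & 0x8000) or (flags_ver & 0x000F) != 2:
        raise ValueError("not an L2TPv2 control message")
    avps, off = {}, 12
    while off < length:
        flags_len, vendor, attr = struct.unpack("!HHH", data[off:off + 6])
        alen = flags_len & 0x03FF
        if alen < 6 or off + alen > length:
            raise ValueError("malformed AVP")
        avps[attr] = data[off + 6:off + alen]
        off += alen
    msg_type = struct.unpack("!H", avps[AVP_MESSAGE_TYPE])[0]
    return {"tunnel_id": tid, "session_id": sid, "ns": ns, "nr": nr,
            "type": msg_type, "avps": avps}


def challenge_response(msg_type, secret, challenge):
    """RFC 2661 section 5.1.1: MD5(message type ID as one octet || shared secret || challenge)."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


def tunnel_auth_exchange(lac_secret, lns_secret, rng=os.urandom):
    """Run SCCRQ -> SCCRP -> SCCCN with tunnel authentication on both sides.
    Returns (lac_accepts_lns, lns_accepts_lac). With 'undo tunnel
    authentication' the LNS would skip the final compare and accept anyway."""
    lac_chal = rng(16)
    sccrq = build_control_message(0, 0, 0, 0, [
        build_avp(AVP_MESSAGE_TYPE, struct.pack("!H", MSG_SCCRQ)),
        build_avp(AVP_PROTOCOL_VERSION, b"\x01\x00"),
        build_avp(AVP_HOST_NAME, b"lac"),
        build_avp(AVP_ASSIGNED_TUNNEL_ID, struct.pack("!H", 1)),
        build_avp(AVP_CHALLENGE, lac_chal),
    ])
    # LNS: answer the LAC's challenge with its own copy of the secret, issue a challenge back
    req = parse_control_message(sccrq)
    lns_chal = rng(16)
    sccrp = build_control_message(1, 0, 0, 1, [
        build_avp(AVP_MESSAGE_TYPE, struct.pack("!H", MSG_SCCRP)),
        build_avp(AVP_HOST_NAME, b"lns"),
        build_avp(AVP_ASSIGNED_TUNNEL_ID, struct.pack("!H", 2)),
        build_avp(AVP_CHALLENGE, lns_chal),
        build_avp(AVP_CHALLENGE_RESPONSE,
                  challenge_response(MSG_SCCRP, lns_secret, req["avps"][AVP_CHALLENGE])),
    ])
    # LAC: verify the LNS's response, then answer the LNS's challenge in SCCCN
    rep = parse_control_message(sccrp)
    lac_accepts_lns = hmac.compare_digest(
        rep["avps"][AVP_CHALLENGE_RESPONSE],
        challenge_response(MSG_SCCRP, lac_secret, lac_chal))
    scccn = build_control_message(2, 0, 1, 1, [
        build_avp(AVP_MESSAGE_TYPE, struct.pack("!H", MSG_SCCCN)),
        build_avp(AVP_CHALLENGE_RESPONSE,
                  challenge_response(MSG_SCCCN, lac_secret, rep["avps"][AVP_CHALLENGE])),
    ])
    # LNS: the check that 'undo tunnel authentication' removes
    conn = parse_control_message(scccn)
    lns_accepts_lac = hmac.compare_digest(
        conn["avps"][AVP_CHALLENGE_RESPONSE],
        challenge_response(MSG_SCCCN, lns_secret, lns_chal))
    return lac_accepts_lns, lns_accepts_lac
```

Both sides must hold the same secret, which is why the note says the tunnel password has to be configured on LAC and LNS when authentication is left on; a mismatched secret fails in both directions.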
1.2 LNS-side interface address is a private address

Topology: PC with LAC client software (2.2.2.2) ---- NAT (2.2.2.1 / 202.38.1.2) ---- LNS (202.38.1.1)

The 202.38.1.0 segment is the private network; the 2.2.2.0 segment is the public network.

The LNS configuration is the same as in 1.1. The NAT configuration is as follows:

#
 sysname Quidway
#
 FTP server enable
#
interface Aux0
 async mode flow
#
interface Ethernet0/0
 ip address 202.38.1.2 255.255.255.0
#
interface Ethernet0/1
 ip address 2.2.2.1 255.255.255.0
 nat outbound 3001
 nat server protocol udp global 2.2.2.1 any inside 202.38.1.1 any
#
interface Serial0/0
 clock DTECLK1
 link-protocol ppp
 ip address ppp-negotiate
#
interface NULL0
#
acl number 3001 match-order auto
 rule 0 permit ip source 202.38.1.0 0.0.0.255
 rule 1 deny ip
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
 authentication-mode scheme
#
return

The `nat server` entry maps every inbound UDP port on 2.2.2.1 to the LNS. Plain L2TP only needs UDP 1701 (UDP 500 and 4500 are added once IPsec with NAT traversal is used, as in 2.2); narrowing the mapping to those ports keeps the NAT from exposing any other UDP service on the LNS.

Secpoint configuration as shown in the figure (client screenshot not included in this extraction).
2 PC as LAC initiating an L2TP tunnel directly, data encrypted with IPsec

2.1 LNS-side interface address is a public address

Topology: PC with LAC client software (202.38.1.2) ---- LNS (202.38.1.1)
LNS-side configuration:

#
 sysname Quidway
#
 FTP server enable
#
 l2tp enable
#
 local-user vpnuser password simple vpnuser
#
 ip pool 1 10.1.2.10 10.1.2.20
#
 aaa enable
#
 ike local-name lns
#
ike peer 1
 exchange-mode aggressive
 pre-shared-key 12345
 id-type name
 remote-name client
 nat traversal
#
ipsec card-proposal p1                 // encryption is done by the encryption card
 use encrypt-card 1/0
#
ipsec policy-template temp1 1
 ike-peer 1
 proposal p1
#
ipsec policy policy1 1 isakmp template temp1
#
interface Virtual-Template0
 ip address 10.1.2.1 255.255.255.0
 ppp authentication-mode pap
 remote address pool 1
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface Ethernet0/0
 ip address 202.38.1.1 255.255.255.0
 ipsec policy policy1
#
interface Ethernet0/1
#
interface Serial0/0
 clock DTECLK1
 link-protocol ppp
#
interface Encrypt1/0
#
interface NULL0
#
interface LoopBack1
 ip address 192.168.1.1 255.255.255.0
#
l2tp-group 1
 undo tunnel authentication
 mandatory-lcp
 allow l2tp virtual-template 0
#
 ip route-static 0.0.0.0 0.0.0.0 202.38.1.2 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
#
return

The IKE peer uses aggressive mode with a pre-shared key and a name identity (`id-type name`, `remote-name client`), which is what lets a client with a dynamic address negotiate IKEv1 with a PSK; the cost is that the identities are sent in clear and the pre-shared key can be attacked offline from a captured exchange, so `12345` is only acceptable in a lab.
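The LNS configurations in sections 1 and 2 share a handful of settings that a reviewer should notice before copying them into production: `password simple`, `undo tunnel authentication`, PAP, and an aggressive-mode IKE peer with a five-character PSK. The following added example, written for this note rather than taken from the Quidway documentation, parses a VRP-style configuration into its `#`-delimited blocks and flags those settings, then runs the same audit over a hardened counterpart. The hardened text is an assumption: `tunnel password simple <...>` and `password cipher <...>` are written in the VRP 3 syntax as I know it, with placeholders rather than real values, and aggressive mode is kept because the client has no fixed address.

```python
import re

# Constructed excerpt of the section 2.1 LNS configuration, limited to the
# blocks the checks below inspect.
LNS_CONFIG_2_1 = """\
#
 l2tp enable
#
 local-user vpnuser password simple vpnuser
#
ike peer 1
 exchange-mode aggressive
 pre-shared-key 12345
 id-type name
 remote-name client
 nat traversal
#
interface Virtual-Template0
 ip address 10.1.2.1 255.255.255.0
 ppp authentication-mode pap
 remote address pool 1
#
l2tp-group 1
 undo tunnel authentication
 mandatory-lcp
 allow l2tp virtual-template 0
#
"""

# Hardened counterpart (assumed syntax; <...> are placeholders, not values
# from this note). Aggressive mode stays because the client's address is dynamic.
LNS_CONFIG_HARDENED = """\
#
 l2tp enable
#
 local-user vpnuser password cipher <ciphertext-as-shown-by-device>
#
ike peer 1
 exchange-mode aggressive
 pre-shared-key Xk7pQ2vLm9TbR4wZsN8cJh3F
 id-type name
 remote-name client
 nat traversal
#
interface Virtual-Template0
 ip address 10.1.2.1 255.255.255.0
 ppp authentication-mode chap
 remote address pool 1
#
l2tp-group 1
 tunnel authentication
 tunnel password simple <tunnel-secret>
 allow l2tp virtual-template 0
#
"""


def parse_blocks(config):
    """Split VRP-style text into '#'-delimited blocks as (header, commands).
    header is the unindented first line such as 'ike peer 1', or '' for
    global commands like ' aaa enable'."""
    blocks, current = [], []
    for raw in config.splitlines():
        if raw.strip() == "#":
            if current:
                blocks.append(current)
            current = []
        elif raw.strip():
            current.append(raw)
    if current:
        blocks.append(current)
    result = []
    for lines in blocks:
        if lines[0].startswith(" "):
            result.append(("", [l.strip() for l in lines]))
        else:
            result.append((lines[0].strip(), [l.strip() for l in lines[1:]]))
    return result


def audit(config):
    """Return [(finding_code, where)] for the weak settings this note relies on."""
    findings = []
    for head, cmds in parse_blocks(config):
        for cmd in cmds:
            if re.match(r"local-user \S+ password simple ", cmd):
                # stored and displayed in clear; the same string is the PPP password
                findings.append(("PLAINTEXT_USER_PASSWORD", cmd.split(" password ")[0]))
            elif cmd == "undo tunnel authentication":
                # LNS accepts SCCRQ/SCCCN from any LAC without the challenge/response check
                findings.append(("L2TP_TUNNEL_AUTH_DISABLED", head))
            elif cmd == "ppp authentication-mode pap":
                # PAP carries the password in clear inside PPP; only the IPsec
                # carrier of sections 2 and 3 keeps it off the wire, section 1 does not
                findings.append(("PAP_CLEARTEXT_PPP_AUTH", head))
        if head.startswith("ike peer"):
            psk = next((c for c in cmds if c.startswith("pre-shared-key ")), None)
            if psk and "exchange-mode aggressive" in cmds:
                # IKEv1 aggressive mode + PSK: IDs in clear, HASH_R crackable offline
                findings.append(("IKE_AGGRESSIVE_PSK", head))
            if psk:
                m = re.match(r"pre-shared-key (?:simple )?(\S+)$", psk)
                if m and len(m.group(1)) < 16:
                    findings.append(("IKE_WEAK_PSK", f"{head}: {len(m.group(1))}-char key"))
    return findings
```

Running `audit(LNS_CONFIG_HARDENED)` still reports `IKE_AGGRESSIVE_PSK`: that residual risk is inherent to PSK-authenticated IKEv1 for roaming clients and is only removed by moving to certificate authentication.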
LAC client configuration (client screenshot not included in this extraction):

It is recommended to enable NAT traversal on the client. With NAT traversal enabled, the peers automatically detect whether a NAT sits between them; if one does, the IPsec packets are encapsulated in an additional UDP header so they pass through the NAT, and if none does, nothing changes.
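The automatic detection mentioned above is the NAT-D exchange of IKEv1 NAT traversal (RFC 3947), and the extra UDP header is the UDP 4500 encapsulation of RFC 3948. The following added example, written for this note and not part of the Quidway or Windows client code, computes the NAT-D hashes each side sends, performs the receiver's comparison for the section 3.1 topology (PC 2.2.2.2 behind a NAT that shows it as 202.38.1.2) and for the section 2.1 topology (no NAT), and shows how IKE and ESP are told apart on port 4500. SHA-1 as the negotiated hash, the ISAKMP cookies, and the translated source port 1024 are constructed assumptions.

```python
import hashlib
import socket
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefix of IKE on UDP 4500 (RFC 3948 section 2.2)
NAT_KEEPALIVE = b"\xff"                # one-octet NAT keepalive (RFC 3948 section 2.3)


def natd_hash(cky_i, cky_r, ip, port):
    """NAT-D payload body, RFC 3947 section 3.2: HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 is assumed as the hash negotiated in the ISAKMP SA."""
    return hashlib.sha1(cky_i + cky_r + socket.inet_aton(ip)
                        + struct.pack("!H", port)).digest()


def build_natd_payloads(cky_i, cky_r, peer_ip, peer_port, local_ip, local_port):
    """A peer sends the hash of the address it is talking to first, then the
    hash of its own address as it sees it (behind a NAT that is the private one)."""
    return [natd_hash(cky_i, cky_r, peer_ip, peer_port),
            natd_hash(cky_i, cky_r, local_ip, local_port)]


def detect_nat(cky_i, cky_r, received, my_ip, my_port, src_ip, src_port):
    """Receiver side: compare the peer's hashes with what is actually on the packet.
    Returns (peer_behind_nat, self_behind_nat)."""
    remote_hash, local_hashes = received[0], received[1:]
    self_behind_nat = remote_hash != natd_hash(cky_i, cky_r, my_ip, my_port)
    peer_behind_nat = natd_hash(cky_i, cky_r, src_ip, src_port) not in local_hashes
    return peer_behind_nat, self_behind_nat


def encapsulate(kind, payload, spi=0):
    """Framing on UDP 4500 once a NAT was detected: IKE gets the four zero
    bytes, ESP is sent with its (non-zero) SPI first (RFC 3948)."""
    if kind == "ike":
        return NON_ESP_MARKER + payload
    if kind == "esp":
        if spi == 0:
            raise ValueError("SPI 0 is reserved; it would be read as the non-ESP marker")
        return struct.pack("!I", spi) + payload
    raise ValueError(kind)


def demux_4500(datagram):
    """What a receiver does with a datagram arriving on UDP 4500."""
    if datagram == NAT_KEEPALIVE:
        return ("keepalive", b"")
    if datagram[:4] == NON_ESP_MARKER:
        return ("ike", datagram[4:])
    return ("esp", datagram)


CKY_I = bytes.fromhex("0102030405060708")   # constructed initiator cookie
CKY_R = bytes.fromhex("1112131415161718")   # constructed responder cookie


def section_3_1_scenario():
    """PC 2.2.2.2:500 behind NAT, seen by the LNS 202.38.1.1:500 as 202.38.1.2:1024."""
    sent = build_natd_payloads(CKY_I, CKY_R, "202.38.1.1", 500, "2.2.2.2", 500)
    return detect_nat(CKY_I, CKY_R, sent, "202.38.1.1", 500, "202.38.1.2", 1024)


def section_2_1_scenario():
    """PC 202.38.1.2:500 directly reaching the LNS 202.38.1.1:500, no NAT."""
    sent = build_natd_payloads(CKY_I, CKY_R, "202.38.1.1", 500, "202.38.1.2", 500)
    return detect_nat(CKY_I, CKY_R, sent, "202.38.1.1", 500, "202.38.1.2", 500)
```

In the 3.1 topology the LNS sees the client's own-address hash disagree with the packet's source, so it switches to UDP 4500 framing; in 2.1 both hashes match and IKE stays on UDP 500 with ESP sent as IP protocol 50. Because the NAT rewrites addresses and ports, AH cannot be used on these links at all, and the `nat server` rules in 1.2 and 2.2 must forward UDP 4500 as well as 500 for the encapsulated traffic to reach the LNS.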
2.2 LNS-side interface address is a private address

Topology: PC with LAC client software (2.2.2.2) ---- NAT (2.2.2.1 / 202.38.1.2) ---- LNS (202.38.1.1)

The 2.2.2.0 segment is the public network; the 202.38.1.0 segment is the private network. The LNS-side configuration is the same as in 2.1.

LAC client configuration (client screenshot not included in this extraction):

The remaining Secpoint configuration is the same as in 2.1.

Settings for the VPN client built into Windows XP (screenshot not included in this extraction):
3 PC as LAC initiating an L2TP tunnel through NAT, data encrypted with IPsec

3.1 LNS-side interface address is a public address

Topology: PC with LAC client software (2.2.2.2) ---- NAT (2.2.2.1 / 202.38.1.2) ---- LNS (202.38.1.1)

The 2.2.2.0 segment is the private network; the 202.38.1.0 segment is the public network.

The LNS-side configuration is identical to that in 2.1: the same `ike peer 1` in aggressive mode with `nat traversal`, the same `ipsec policy-template temp1` applied through `policy1` on Ethernet0/0, the same Virtual-Template0 with pool 1, and `l2tp-group 1` with `undo tunnel authentication` and `mandatory-lcp`. Because the client now sits behind a NAT, `nat traversal` on the IKE peer is required rather than merely recommended.
Configuration on the NAT:

The NAT only needs to translate the private 2.2.2.0 segment to the public 202.38.1.0 segment (outbound NAT); no `nat server` mapping is needed because the tunnel is initiated from the inside. Configuration omitted.

Configuration on Secpoint (client screenshot not included in this extraction).
3.2 LNS-side interface address is a private address

Topology: PC with LAC client software (10.1.2.2) ---- NAT1 (10.1.2.1 / 2.2.2.2) ---- NAT2 (2.2.2.1 / 202.38.1.2) ---- LNS (202.38.1.1)

The 10.1.2.0 and 202.38.1.0 segments are private networks; the 2.2.2.0 segment is the public network.

The LNS-side configuration is the same as in 3.1.

NAT1 translates the private 10.1.2.0 segment to the public 2.2.2.0 segment; configuration omitted. The configuration of NAT2 is the same as that of the NAT in 2.2. The client software configuration is the same as in 2.2.

Note that the 10.1.2.0 segment behind NAT1 overlaps the pool the LNS hands to L2TP clients (10.1.2.10 to 10.1.2.20, with 10.1.2.1 on Virtual-Template0). The PC would then hold a LAN address and a PPP address in the same /24, and 10.1.2.1 is both NAT1's inside address and the LNS end of the tunnel, so in a real deployment choose a different segment for the client LAN or a different pool on the LNS.