最近公司需要配置VPN,而用SSL VPN面临授权不够的问题,为了方便大家使用,就选择了L2TP VPN的方式。但在实际模拟操作的过程中,出现了一些疑点,现记录下来。
一、拓扑
拓扑是模拟公司总部网络,其中有台单独的设备作为VPN的认证网关,即图中的VPN,是旁挂核心交换机的组网方式。
二、前提
出口防火墙上,要做好映射。也就是要将内网中的VPN设备IP(192.168.10.10)映射到公网上,让公网能够访问。此处就是在FW设备上做了一个nat server 0 global 112.54.82.160 inside 192.168.10.10。
总部内网要通,路由要全,出口要有NAT。分支和总部的两个内网不能通(192.168.218.186是不能Ping通192.168.10.0和192.168.200.0网段的)。
三、配置L2TP VPN
sy
interface Virtual-Template1 #新建一个虚拟接口 Virtual-Template1#
authentication-mode chap pap #认证模式用chap,如果对方不支持chap,则用pap#
alias Virtual-Template1 #忽略#
ip address 1.1.1.1 255.255.255.0 #给接口一个IP,此IP不能和其他冲突,随便一个即可#
remote address pool 0 #调用给拨入设备分配的地址池。地址池的定义在AAA内# aaa
ip pool 0 12.12.12.10 12.12.12.100 #定义地址池从12网段的10开始,到100结束#
local-user vpn password ciper vpntest!123
local-user vpn service-type ppp #配置用户名和密码,不多说了#
l2tp-group 2 #配置l2tp组2#
undo tunnel authentication #如果用电脑自带的VPN拨号,电脑是无法起tunnel认证的
#所以此处关闭tunnel的认证#
allow l2tp virtual-template 1 #不多说了,l2tp的配置,关于后面的参数,官方配置文档上
#有解释#
l2tp enable #这条命令是开启L2TP功能的,千万不要忘了#
四、几个注意事项:
1、l2tp分配给客户的地址池pool里的地址用不用和Virtual-Template1的IP地址在一个网段上?
不用必须一致。这两个地址都可以随便定义,但最好不要跟内网地址段相同。如果和内网地址段相同,则需要在VPN上开启虚拟转发功能(自行查资料)。建议定义一个很奇怪的地址段。
2、l2tp分配给客户的地址,没有网关啊,怎么和内网通信?
没网关不要紧。但总部所有网段都要有到12.12.12.0这个网段的路由。不然客户端是不能访问到相应的内网地址的。比如此图Core-SW上就有ip route-static 12.12.12.0 255.255.255.0 192.168.10.10
3、l2tp vpn设备必须要旁挂么?
不是的。VPN组网方式一般采用直连,在出口路由或出口防火墙上配置。此处我只是模拟一种出口设备不支持VPN而且网络已经不能变动的情况,采用旁挂比较灵活。
4、防火墙的策略要开。
此处由于没用路由器,用防火墙代替的路由器,所以防火墙策略我全开了,只是模拟。实际组网要根据实际情况来做,但一定要记得,把该开的策略要开,接口要放在相应的安全区域内。尤其是Virtual-Template1这个接口一定要放在相应的区域并放行到这个接口的安全策略。
五、电脑端拨号配置
六、设备配置
1、VPN
<VPN>dis cur
15:15:51 2015/11/05
#
interface Virtual-Template1
ppp authentication-mode chap pap
alias Virtual-Template1
ip address 1.1.1.1 255.255.255.0
remote address pool
#
interface GigabitEthernet0/0/0
alias GE0/MGMT
ip address 192.168.0.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 192.168.0.1
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
ip address 192.168.10.10 255.255.255.0
#
interface NULL0
alias NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet0/0/8
add interface Virtual-Template1
#
firewall zone untrust
set priority 5
#
firewall zone dmz
set priority 50
#
l2tp-group 2
undo tunnel authentication
allow l2tp virtual-template 1
#
aaa
local-user vpn password cipher %$%$PjwKIZGx.Z-E}F2ceB+G>6-$%$%$
local-user vpn service-type ppp
local-user admin password cipher %$%$OMBCN93/(W;iZ:J&‘8*F>MD;%$%$
local-user admin service-type web terminal telnet
local-user admin level 15
ip pool 0 12.12.12.1 12.12.12.100
#
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
#
nqa-jitter tag-version 1
#
ip route-static 0.0.0.0 0.0.0.0 192.168.10.1
#
banner enable
#
user-interface con 0
authentication-mode none
user-interface vty 0 4
authentication-mode none
protocol inbound all
#
slb
#
right-manager server-group
#
sysname VPN
#
l2tp enable
l2tp domain suffix-separator @
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction inbound
firewall packet-filter default permit interzone trust dmz direction outbound
firewall packet-filter default permit interzone dmz untrust direction inbound
firewall packet-filter default permit interzone dmz untrust direction outbound
#
ip df-unreachables enable
#
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
#
dns resolve
#
firewall statistic system enable
#
pki ocsp response cache refresh interval 0
pki ocsp response cache number 0
#
undo dns proxy
#
license-server domain lic.huawei.com
#
web-manager enable
#
return
2、Core-SW
<Core>dis cur
#
sysname Core
#
vlan batch 10
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
ip address 192.168.200.2 255.255.255.0
#
interface Vlanif10
ip address 192.168.10.1 255.255.255.0
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type access
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.200.1
ip route-static 12.12.12.0 255.255.255.0 192.168.10.10
#
user-interface con 0
user-interface vty 0 4
#
return
3、FW
<FW>dis cur
15:18:30 2015/11/05
#
interface GigabitEthernet0/0/0
alias GE0/MGMT
ip address 112.54.82.162 255.255.255.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
ip address 192.168.200.1 255.255.255.0
#
interface NULL0
alias NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/8
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/0
#
firewall zone dmz
set priority 50
#
aaa
local-user admin password cipher %$%$`J+vB;%!Y=ZqM.LCB!"Z>d[R%$%$
local-user admin service-type web terminal telnet
local-user admin level 15
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
#
nqa-jitter tag-version 1
#
ip route-static 0.0.0.0 0.0.0.0 112.54.82.161
ip route-static 1.1.1.0 255.255.255.0 192.168.200.2
ip route-static 12.12.12.0 255.255.255.0 192.168.200.2
ip route-static 192.168.10.0 255.255.255.0 192.168.200.2
#
banner enable
#
user-interface con 0
authentication-mode none
user-interface vty 0 4
authentication-mode none
protocol inbound all
#
slb
#
right-manager server-group
#
sysname FW
#
l2tp domain suffix-separator @
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction inbound
firewall packet-filter default permit interzone trust dmz direction outbound
firewall packet-filter default permit interzone dmz untrust direction inbound
firewall packet-filter default permit interzone dmz untrust direction outbound
#
nat server 0 global 112.54.82.160 inside 192.168.10.10
#
ip df-unreachables enable
#
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
#
dns resolve
#
firewall statistic system enable
#
pki ocsp response cache refresh interval 0
pki ocsp response cache number 0
#
undo dns proxy
#
license-server domain lic.huawei.com
#
web-manager enable
#
nat-policy interzone trust untrust outbound
policy 1
action source-nat
easy-ip GigabitEthernet0/0/0
policy 2
#
return
4、分支机构的出口路由配置
[Router]dis cur
15:19:54 2015/11/05
#
stp region-configuration
region-name 103d6415909d
active region-configuration
#
interface GigabitEthernet0/0/0
alias GE0/MGMT
#
interface GigabitEthernet0/0/1
ip address 10.10.10.2 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 192.168.218.222 255.255.255.0
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface Gigabi
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface NULL0
alias NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/2
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/0
add interface GigabitEthernet0/0/1
#
firewall zone dmz
set priority 50
#
aaa
local-user admin password cipher %$%$y[x_X1F#m1*kz][email protected]‘>[email protected]%$%$
local-user admin service-type web terminal telnet
local-user admin level 15
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
#
nqa-jitter tag-version 1
#
ip route-static 0.0.0.0 0.0.0.0 112.54.82.162
ip route-static 0.0.0.0 0.0.0.0 10.10.10.1
#
banner enable
#
user-interface con 0
authentication-mode none
user-interface vty 0 4
authentication-mode none
protocol inbound all
#
slb
#
right-manager server-group
#
sysname Router
#
l2tp domain suffix-separator @
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction inbound
firewall packet-filter default permit interzone trust dmz direction outbound
firewall packet-filter default permit interzone dmz untrust direction inbound
firewall packet-filter default permit interzone dmz untrust direction outbound
#
ip df-unreachables enable
#
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
#
dns resolve
#
firewall statistic system enable
#
pki ocsp response cache refresh interval 0
pki ocsp response cache number 0
#
undo dns proxy
#
license-server domain lic.huawei.com
#
web-manager enable
#
nat-policy interzone trust untrust outbound
policy 1
action source-nat
easy-ip GigabitEthernet0/0/1
#
return
5、ISP的配置就是接口,没有路由。