H3C F1060 + MSR3260: configuring L2TP VPN (Client-Initiated mode)

Topology as shown in the figure: the L2TP VPN authenticates the remote user with the username vpnuser and the password Hello. Note that this is plain L2TP without IPsec: CHAP protects the password during PPP authentication, but the tunnelled traffic itself crosses the ISP in cleartext, and the configuration below also disables L2TP tunnel authentication and stores the user password unencrypted (password simple). That is fine for a lab, not for production.

Host_1 is the remote user, with address 10.8.1.34/16.

MSR36-20_3 plays the ISP; its interface toward F1060_1 is 1.1.2.1/24.

F1060_1 is the Z headquarters firewall gateway; its outside address is 1.1.2.2/24 and its inside network is 10.1.0.0/24.


Headquarters F1060_1 configuration:

security-zone intra-zone default permit //Lets interfaces in the same security zone talk to each other; without it the terminals below cannot reach one another.

#

ip pool aaa 192.168.1.10 192.168.1.20

ip pool aaa gateway 192.168.1.1

#

interface Virtual-Template1

ppp authentication-mode chap domain system

remote address pool aaa

ip address 192.168.1.1 255.255.255.0

#

interface GigabitEthernet1/0/0

port link-mode route

combo enable copper

ip address 1.1.2.2 255.255.255.0

nat outbound 3000

#

interface GigabitEthernet1/0/2

port link-mode route

combo enable copper

ip address 10.1.0.200 255.255.255.0

#

object-policy ip local-trust

rule 0 pass

#

object-policy ip local-untrust

rule 0 pass

#

object-policy ip trust-local

rule 0 pass

#

object-policy ip trust-untrust

rule 0 pass

#

object-policy ip untrust-local

rule 0 pass

#

object-policy ip untrust-trust

rule 0 pass

#

security-zone name Trust

import interface GigabitEthernet1/0/2

import interface Virtual-Template1 //The VT interface must be placed in the Trust zone

#

security-zone name Untrust

import interface GigabitEthernet1/0/0

#

zone-pair security source Local destination Trust

object-policy apply ip local-trust

#

zone-pair security source Local destination Untrust

object-policy apply ip local-untrust

#

zone-pair security source Trust destination Local

object-policy apply ip trust-local

#

zone-pair security source Trust destination Untrust

object-policy apply ip trust-untrust

#

zone-pair security source Untrust destination Local

object-policy apply ip untrust-local

#

zone-pair security source Untrust destination Trust

object-policy apply ip untrust-trust

#

ip route-static 0.0.0.0 0 1.1.2.1

#

acl advanced 3000

rule 5 permit ip source 10.1.0.0 0.0.0.255

rule 10 permit ip source 192.168.1.0 0.0.0.255 //The L2TP client address pool must also be NATed (an advanced ACL rule needs the protocol keyword, here ip)

#

domain system

authentication ppp local

#

local-user vpnuser class network

password simple Hello

service-type ppp

#

l2tp-group 1 mode lns

allow l2tp virtual-template 1

undo tunnel authentication

tunnel name LNS

#

l2tp enable

#
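Before copying a configuration like the one above into production, it is worth running it through a small checker for the weak spots discussed earlier. The following is an added example, not part of the original page or of any H3C tool: it parses the flat Comware configuration text (views separated by "#" lines) and reports plaintext passwords, disabled L2TP tunnel authentication, object policies whose only rule is an unconditional pass, and advanced-ACL rules that omit the protocol keyword. The embedded sample is a subset of the F1060_1 configuration above; its "rule 10" line reproduces the form without "ip" so the check has something to find.

```python
"""Lint an H3C Comware configuration for weak L2TP/LNS settings.

Added example, not part of the original page or of H3C's tooling. It parses
'display current-configuration' style text (sections separated by '#' lines)
and reports the findings a reviewer would raise on the configuration above.
"""
import re
from typing import Dict, List

# Subset of the F1060_1 configuration from the page above; the 'rule 10'
# line deliberately omits the protocol keyword so the ACL check fires.
SAMPLE_CONFIG = """\
object-policy ip untrust-local
 rule 0 pass
#
object-policy ip trust-untrust
 rule 0 pass
#
acl advanced 3000
 rule 5 permit ip source 10.1.0.0 0.0.0.255
 rule 10 permit source 192.168.1.0 0.0.0.255
#
local-user vpnuser class network
 password simple Hello
 service-type ppp
#
l2tp-group 1 mode lns
 allow l2tp virtual-template 1
 undo tunnel authentication
 tunnel name LNS
#
l2tp enable
#
"""

# Protocol keywords an advanced ACL rule must carry right after the action.
ACL_PROTOCOLS = {"ip", "tcp", "udp", "icmp", "gre", "igmp", "ipinip", "ospf"}


def parse_sections(text: str) -> List[List[str]]:
    """Split Comware config text into sections at '#' lines.

    Each section is a list of stripped, non-empty lines; the first line is
    the view command (e.g. 'acl advanced 3000'), the rest are its body.
    """
    sections: List[List[str]] = []
    current: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                sections.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        sections.append(current)
    return sections


def lint_l2tp_config(text: str) -> Dict[str, List[str]]:
    """Return findings keyed by check name; each value lists offending lines."""
    findings: Dict[str, List[str]] = {
        "plaintext_password": [],
        "tunnel_auth_disabled": [],
        "permit_all_policy": [],
        "acl_rule_missing_protocol": [],
    }
    for section in parse_sections(text):
        head, body = section[0], section[1:]
        for line in body:
            if line.startswith("password simple "):
                findings["plaintext_password"].append(f"{head}: {line}")
            if line == "undo tunnel authentication":
                findings["tunnel_auth_disabled"].append(f"{head}: {line}")
        if head.startswith("object-policy ip "):
            # A policy whose every rule is a bare 'rule N pass' matches all traffic.
            if body and all(re.fullmatch(r"rule \d+ pass", r) for r in body):
                findings["permit_all_policy"].append(head)
        if head.startswith("acl advanced "):
            for line in body:
                m = re.match(r"rule \d+ (permit|deny) (\S+)", line)
                if m and m.group(2) not in ACL_PROTOCOLS:
                    findings["acl_rule_missing_protocol"].append(f"{head}: {line}")
    return findings


if __name__ == "__main__":
    for check, hits in lint_l2tp_config(SAMPLE_CONFIG).items():
        for hit in hits:
            print(f"[{check}] {hit}")
```

Run it against the full configuration (paste the output of display current-configuration into SAMPLE_CONFIG or read it from a file) and clear each finding before the LNS faces the Internet: enable tunnel authentication with a shared password on both ends, use a hashed password for the local user, and narrow the zone-pair object policies so that only UDP 1701 from Untrust reaches Local.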


ISP: MSR36-20_3 carrier network configuration:


interface GigabitEthernet0/0

port link-mode route

combo enable copper

ip address 10.8.1.35 255.255.0.0

#

interface GigabitEthernet0/1

port link-mode route

combo enable copper

ip address 1.1.2.1 255.255.255.0


Host_1: connected to the physical NIC

Give the physical PC an IP address in the same subnet as the router and set its gateway to the address of the connected router MSR36-20_3 (10.8.1.35). The PC then points straight at the router inside the emulator, which simulates a physical PC dialing in over the Internet, and the L2TP VPN can be tested. A successful dial-up hands the client an address from the pool 192.168.1.10 to 192.168.1.20, after which it should be able to ping the inside interface 10.1.0.200; on the LNS, display l2tp tunnel and display l2tp session show the established tunnel and session.

