Topology as shown in the figure: the L2TP VPN authenticates the remote user vpnuser with the password Hello.
Host_1 is the remote user, with address 10.8.1.34/16.
MSR36-20_3 is the ISP carrier router; its IP on the link to F1060_1 is 1.1.2.1/24.
F1060_1 is the headquarters firewall gateway; its external address is 1.1.2.2/16 and its internal network is 10.1.0.0/24.
Headquarters F1060_1 configuration:
security-zone intra-zone default permit //allows different interfaces that belong to the same security zone to communicate; without it the terminals below cannot reach each other.
#
ip pool aaa 192.168.1.10 192.168.1.20
ip pool aaa gateway 192.168.1.1
#
interface Virtual-Template1
ppp authentication-mode chap domain system
remote address pool aaa
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip address 1.1.2.2 255.255.255.0
nat outbound 3000
#
interface GigabitEthernet1/0/2
port link-mode route
combo enable copper
ip address 10.1.0.200 255.255.255.0
#
object-policy ip local-trust
rule 0 pass
#
object-policy ip local-untrust
rule 0 pass
#
object-policy ip trust-local
rule 0 pass
#
object-policy ip trust-untrust
rule 0 pass
#
object-policy ip untrust-local
rule 0 pass
#
object-policy ip untrust-trust
rule 0 pass
#
security-zone name Trust
import interface GigabitEthernet1/0/2
import interface Virtual-Template1 //the VT interface must be added to the Trust zone
#
security-zone name Untrust
import interface GigabitEthernet1/0/0
#
zone-pair security source Local destination Trust
object-policy apply ip local-trust
#
zone-pair security source Local destination Untrust
object-policy apply ip local-untrust
#
zone-pair security source Trust destination Local
object-policy apply ip trust-local
#
zone-pair security source Trust destination Untrust
object-policy apply ip trust-untrust
#
zone-pair security source Untrust destination Local
object-policy apply ip untrust-local
#
zone-pair security source Untrust destination Trust
object-policy apply ip untrust-trust
#
ip route-static 0.0.0.0 0 1.1.2.1
#
acl advanced 3000
rule 5 permit ip source 10.1.0.0 0.0.0.255
rule 10 permit source 192.168.1.0 0.0.0.255 //the L2TP client subnet also needs NAT
#
domain system
authentication ppp local
#
local-user vpnuser class network
password simple Hello
service-type ppp
#
l2tp-group 1 mode lns
allow l2tp virtual-template 1
undo tunnel authentication
tunnel name LNS
#
l2tp enable
#
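As an added check that is not part of the original writeup: the script below parses a constructed excerpt of the F1060_1 configuration above and verifies the two points the inline comments rely on (the Virtual-Template is imported into a security zone, and the address pool is covered by NAT ACL 3000), and also flags the two lab shortcuts a practitioner would revisit before production, the disabled tunnel authentication and the plaintext local-user password. The functions blocks and audit are hypothetical helper names.

```python
import ipaddress

# Constructed excerpt of this page's F1060_1 configuration (only the blocks the audit needs).
CONFIG = """\
ip pool aaa 192.168.1.10 192.168.1.20
#
security-zone name Trust
 import interface GigabitEthernet1/0/2
 import interface Virtual-Template1
#
acl advanced 3000
 rule 5 permit ip source 10.1.0.0 0.0.0.255
 rule 10 permit source 192.168.1.0 0.0.0.255
#
local-user vpnuser class network
 password simple Hello
#
l2tp-group 1 mode lns
 allow l2tp virtual-template 1
 undo tunnel authentication
"""

def blocks(text):
    """Split a Comware-style config into blocks delimited by '#' lines."""
    return [[l.strip() for l in chunk.splitlines() if l.strip()]
            for chunk in text.split("\n#\n") if chunk.strip()]

def audit(text):
    """Return findings for the zone, NAT and L2TP settings this lab depends on."""
    blks, findings = blocks(text), []
    first = lambda p: next((b for b in blks if b[0].startswith(p)), [])
    # 1. The VT that the LNS hands tunnels to must be imported into a security zone.
    l2tp = first("l2tp-group")
    vt = next(l.split()[-1] for l in l2tp if l.startswith("allow l2tp virtual-template"))
    imported = [l.split()[-1] for b in blks if b[0].startswith("security-zone") for l in b[1:]]
    if f"Virtual-Template{vt}" not in imported:
        findings.append("VT not in any security zone: client traffic is dropped by zone policy")
    # 2. Every pool address must match a permit rule in the NAT ACL (ACL wildcard = hostmask).
    start, end = first("ip pool")[0].split()[-2:]
    nets = [ipaddress.ip_network("{}/{}".format(*r.split("source ")[1].split()[:2])) for r in first("acl advanced")[1:]]
    if not all(any(ipaddress.ip_address(a) in n for n in nets) for a in (start, end)):
        findings.append("NAT ACL does not cover the L2TP client pool")
    # 3. Lab shortcuts that should not survive into production.
    if "undo tunnel authentication" in l2tp:
        findings.append("tunnel authentication disabled on the LNS")
    if any(l.startswith("password simple") for b in blks for l in b):
        findings.append("local-user password stored in plaintext (simple)")
    return findings
```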
ISP: MSR36-20_3 carrier network configuration:
interface GigabitEthernet0/0
port link-mode route
combo enable copper
ip address 10.8.1.35 255.255.0.0
#
interface GigabitEthernet0/1
port link-mode route
combo enable copper
ip address 1.1.2.1 255.255.255.0
Host_1: connected through the physical NIC
Give the physical PC an IP address in the same subnet as the router and set its gateway to the IP of the connected router MSR36-20_3 (10.8.1.35). The local PC then points directly at the router in the simulator, which emulates a physical PC dialing in so the L2TP VPN can be verified.