Router VPN: how branch office users reach headquarters over L2TP

I previously wrote an article on how VPNs work that only gave a rough overview of VPN. Recently I promised some readers a series of articles on routing. There are many kinds of VPN; today I am sharing one way to implement an L2TP VPN.


The L2TP-related configuration of RouterA, the headquarters egress router, is as follows:

sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sysn RouterA
[RouterA]l2tp enable //enable L2TP
[RouterA]ip pool 1 //create IP address pool 1, used to assign addresses to branch A users who dial in to headquarters over L2TP
Info: It's successful to create an IP address pool.
[RouterA-ip-pool-1]gateway-list 10.1.1.1 //gateway
[RouterA-ip-pool-1]network 10.1.1.0 mask 255.255.255.0 //pool address range 10.1.1.1~10.1.1.255
[RouterA-ip-pool-1]q
[RouterA]ip pool 2
Info: It's successful to create an IP address pool.
[RouterA-ip-pool-2]gateway-list 10.2.1.1
[RouterA-ip-pool-2]network 10.2.1.0 mask 255.255.255.0
[RouterA-ip-pool-2]q
[RouterA]aaa
[RouterA-aaa]local-user [email protected] password cipher KBxiaowangguan
Info: Add a new user. //create the user and password; they must match the user password configured on RouterB
[RouterA-aaa]local-user [email protected] privilege level 0 //give this user privilege level 0, access only
[RouterA-aaa]local-user [email protected] service-type ppp //access mode is PPPoE dial-up
[RouterA-aaa]local-user [email protected] password cipher KBxiaowangguan
Info: Add a new user.
[RouterA-aaa]local-user [email protected] privilege le 0
[RouterA-aaa]local-user [email protected] service-type ppp
[RouterA-aaa]q
[RouterA]int Virtual-Template 1 //create virtual interface template VT1
Sep 12 2018 00:01:19-08:00 RouterA %%01IFPDT/4/IF_STATE(l)[0]:Interface Virtual-Template1 has turned into UP state.
[RouterA-Virtual-Template1]ppp authentication-mode chap //authenticate dial-in users with CHAP
[RouterA-Virtual-Template1]remote address pool 1 //reference the IP pool; once PPP authentication succeeds, the user is assigned an address from it
[RouterA-Virtual-Template1]ip address 10.1.1.1 255.255.255.0
[RouterA-Virtual-Template1]q
[RouterA]int Virtual-Template 2 //create virtual interface template VT2
Sep 12 2018 00:02:26-08:00 RouterA %%01IFPDT/4/IF_STATE(l)[1]:Interface Virtual-Template2 has turned into UP state.
[RouterA-Virtual-Template2]ppp authentication-mode chap
[RouterA-Virtual-Template2]remote address pool 2
[RouterA-Virtual-Template2]ip address 10.2.1.1 255.255.255.0
[RouterA-Virtual-Template2]q
[RouterA]int g0/0/0
[RouterA-GigabitEthernet0/0/0]ip address 202.1.1.1 255.255.255.0
Sep 12 2018 00:04:00-08:00 RouterA %%01IFNET/4/LINK_STATE(l)[2]:The line protocol IP on the interface GigabitEthernet0/0/0 has entered the UP state.
[RouterA-GigabitEthernet0/0/0]q
[RouterA]int g0/0/1
[RouterA-GigabitEthernet0/0/1]ip address 10.3.1.1 255.255.255.0
Sep 12 2018 00:04:18-08:00 RouterA %%01IFNET/4/LINK_STATE(l)[3]:The line protocol IP on the interface GigabitEthernet0/0/1 has entered the UP state.
[RouterA-GigabitEthernet0/0/1]q
[RouterA]l2tp-group 1
[RouterA-l2tp1]allow l2tp virtual-template 1 remote ? //if you forget a command or are unsure of it, remember to use "?" to look it up
STRING<1-30> LAC name of the L2TP tunnel
[RouterA-l2tp1]allow l2tp virtual-template 1 remote lac1 //allow an L2TP tunnel from the peer tunnel named lac1, applying the parameters configured on VT1
[RouterA-l2tp1]tunnel password cipher woyaoyuanchuang
[RouterA-l2tp1]tunnel name lns
[RouterA-l2tp1]q
[RouterA]l2tp-group 2
[RouterA-l2tp2]allow l2tp virtual-template 2 remote lac2 //allow an L2TP tunnel from the peer tunnel named lac2, applying the parameters configured on VT2
[RouterA-l2tp2]tunnel password cipher woyaoyuanchuang
[RouterA-l2tp2]tunnel name lns
[RouterA-l2tp2]q

The L2TP-related configuration of RouterB, the router in the building where the branch offices are located, is as follows:

SYS
Enter system view, return user view with Ctrl+Z.
[Huawei]SYS RouterB
[RouterB]l2tp enable
[RouterB]aaa
[RouterB-aaa]authentication-scheme ?
STRING<1-32> Scheme name,can not include invalid character \ / : < > | @ ' % * " ?
[RouterB-aaa]authentication-scheme ToGroup //the authentication scheme is named ToGroup
Info: Create a new authentication scheme.
[RouterB-aaa-authen-ToGroup]domain aaa.com
Info: Success to create a new domain.
[RouterB-aaa-domain-aaa.com]q
[RouterB-aaa]authentication-scheme ToGroup
[RouterB-aaa-authen-ToGroup]domain bbb.com
Info: Success to create a new domain.
[RouterB-aaa-domain-bbb.com]q
[RouterB-aaa]dis authentication-scheme
-------------------------------------------------------------------
Authentication-scheme-name Authentication-method
-------------------------------------------------------------------
default Local
ToGroup Local
-------------------------------------------------------------------
Total of authentication scheme: 2
[RouterB-aaa]dis domain
-------------------------------------------------------------------------
index DomainName
-------------------------------------------------------------------------
0 default
1 default_admin
2 aaa.com
3 bbb.com
-------------------------------------------------------------------------
Total: 4
[RouterB-aaa]local-user [email protected] password cipher KBxiaowangguan
Info: Add a new user. //configure the PPPoE server's local user name and type, used to authenticate dial-in users
[RouterB-aaa]local-user [email protected] privilege level 0
[RouterB-aaa]local-user [email protected] service-type ? //remember to query the command usage
8021x 802.1x user
bind Bind authentication user
ftp FTP user
http Http user
ppp PPP user
ssh SSH user
sslvpn Sslvpn user
telnet Telnet user
terminal Terminal user
web Web authentication user
x25-pad X25-pad user
[RouterB-aaa]local-user [email protected] service-type ppp
[RouterB-aaa]local-user [email protected] password cipher KBxiaowangguan
Info: Add a new user.
[RouterB-aaa]local-user [email protected] privilege level 0
[RouterB-aaa]local-user [email protected] service-type ppp
[RouterB-aaa]q
[RouterB]int Virtual-Template ?
<0-1023> Virtual template interface number
[RouterB]int Virtual-Template 1 //create the virtual interface template
Sep 11 2018 23:50:37-08:00 RouterB %%01IFPDT/4/IF_STATE(l)[0]:Interface Virtual-Template1 has turned into UP state.
[RouterB-Virtual-Template1]ppp authentica
[RouterB-Virtual-Template1]ppp authentication-mode ?
chap Enable CHAP authentication
pap Enable PAP authentication
[RouterB-Virtual-Template1]ppp authentication-mode chap //authenticate dial-in users with CHAP
[RouterB-Virtual-Template1]q
[RouterB]int g0/0/0
[RouterB-GigabitEthernet0/0/0]ip address 202.1.1.2 255.255.255.0
Sep 11 2018 23:51:43-08:00 RouterB %%01IFNET/4/LINK_STATE(l)[1]:The line protocol IP on the interface GigabitEthernet0/0/0 has entered the UP state.
[RouterB-GigabitEthernet0/0/0]q
[RouterB]int g2/0/0
[RouterB-GigabitEthernet2/0/0]pppoe-server ?
bind Bind virtual-template interface
[RouterB-GigabitEthernet2/0/0]pppoe-server bind virtual-template 1 //enable the PPPoE server on the interface, applying VT1's parameters to authenticate dial-in users
[RouterB-GigabitEthernet2/0/0]int g0/0/1
[RouterB-GigabitEthernet0/0/1]pppoe-server bind virtual-template 1
[RouterB-GigabitEthernet0/0/1]q
[RouterB]l2tp-group 1 //create the L2TP group that holds the parameters for establishing the tunnel
[RouterB-l2tp1]tunnel password cipher woyaoyuanchuang //tunnel authentication is enabled by default; the encrypted password is woyaoyuanchuang ("我要原創"), which must match the peer
[RouterB-l2tp1]tunnel name lac1 //the tunnel is named lac1, which is how the peer LNS identifies it
[RouterB-l2tp1]start l2tp ip 202.1.1.1 domain aaa.com //when a dial-in user's domain is aaa.com, initiate the L2TP tunnel to the peer
[RouterB-l2tp1]q
[RouterB]l2tp-group 2
[RouterB-l2tp2]tunnel password cipher woyaoyuanchuang
[RouterB-l2tp2]tunnel name lac2
[RouterB-l2tp2]start l2tp ip 202.1.1.1 domain bbb.com
[RouterB-l2tp2]q
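The two transcripts above only work together if several values agree across the LAC (RouterB) and LNS (RouterA): the tunnel name the LAC announces must be one the LNS allows, the tunnel passwords must match, the virtual template the LNS applies must require CHAP, and the LNS must hold a PPP user in the domain the LAC starts the tunnel for. The following is an added example, not part of the article or any Huawei tool: a small Python checker that parses transcript excerpts by their VRP prompt and reports any of those mismatches. The excerpts are constructed from the article's values; the user name is a placeholder because the article redacts it.

```python
import re
# Constructed excerpts of the article's RouterA (LNS) and RouterB (LAC) transcripts; the
# user name is a placeholder because the article redacts the real one.
LNS_CFG = """
[RouterA-aaa]local-user userA@aaa.com service-type ppp
[RouterA-Virtual-Template1]ppp authentication-mode chap
[RouterA-l2tp1]allow l2tp virtual-template 1 remote lac1
[RouterA-l2tp1]tunnel password cipher woyaoyuanchuang
"""
LAC_CFG = """
[RouterB-l2tp1]tunnel password cipher woyaoyuanchuang
[RouterB-l2tp1]tunnel name lac1
[RouterB-l2tp1]start l2tp ip 202.1.1.1 domain aaa.com
"""

def parse(cfg):
    """Map each VRP view named in the prompt (e.g. 'l2tp1') to its commands, one per line."""
    views = {}
    for line in cfg.splitlines():
        m = re.match(r"^\[\w+-(?P<view>[^\]]+)\](?P<cmd>.*)$", line.strip())
        if m:  # trailing // remarks are dropped so commands compare cleanly
            views[m["view"]] = views.get(m["view"], "") + m["cmd"].split("//")[0].strip() + "\n"
    return views

def first(text, pattern):
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def check_pair(lns_cfg, lac_cfg):
    """Cross-check each LAC l2tp-group against the LNS; an empty list means consistent."""
    lns, lac, findings = parse(lns_cfg), parse(lac_cfg), []
    allowed = {}  # LNS: remote LAC tunnel name -> (virtual-template number, tunnel password)
    for text in lns.values():
        for vt, name in re.findall(r"^allow l2tp virtual-template (\d+) remote (\S+)", text, re.M):
            allowed[name] = (vt, first(text, r"^tunnel password cipher (\S+)"))
    ppp_domains = set(re.findall(r"^local-user \S+@(\S+) service-type ppp", lns.get("aaa", ""), re.M))
    for view, text in [(v, t) for v, t in lac.items() if v.startswith("l2tp")]:
        name = first(text, r"^tunnel name (\S+)")
        if name not in allowed:
            findings.append(f"{view}: LNS has no 'allow l2tp ... remote {name}'")
            continue
        vt, lns_pw = allowed[name]
        if first(text, r"^tunnel password cipher (\S+)") != lns_pw:  # tunnel shared secret must match
            findings.append(f"{view}: tunnel password differs from the LNS group for {name}")
        if "ppp authentication-mode chap" not in lns.get(f"Virtual-Template{vt}", ""):
            findings.append(f"{view}: Virtual-Template{vt} on LNS does not require CHAP")
        domain = first(text, r"^start l2tp ip \S+ domain (\S+)")
        if domain not in ppp_domains:
            findings.append(f"{view}: LNS has no PPP local-user in domain {domain}")
    return findings
```

Run `check_pair` on the full transcripts of both routers after pasting them in; every finding it prints is a reason the tunnel or the PPP session would fail to come up.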

Once the configuration is in place, PC1 and PC2 can connect using the operating system's built-in "new dial-up connection".

Branch A, PC1

Branch B, PC2

Take PC1 at branch A as an example. After it dials in successfully, it should be assigned the address 10.1.1.2/24 and should be able to ping PC3 at group headquarters.

Summary: there are several VPN technologies, and each is very practical in its particular environment; it is hard to say how much in leased-line fees and fiber-laying costs they have saved. What I have shared today is L2TP, whose security is relatively low. Please follow KB小網管, which shares one practical IT article every day.
