1. Network requirements
A company has built its own VPN network and uses private addresses internally. A VPN gateway (a SecPath firewall) is deployed at the public-network egress of the company headquarters. Staff in the company's branch offices must be able to exchange data with other users inside the company over an L2TP tunnel. The LNS side uses local authentication.
2. Network diagram
Figure 2-6 Network diagram for the typical L2TP configuration example
3. Configuration procedure
(1) Configuration on the user side
On the user side, create a dial-up connection whose dial number is the access number of SecPath1, and accept the address assigned by the LNS server.
(2) Configuration on the LAC side
# Configure the default route on the firewall.
[Router] ip route-static 0.0.0.0 0.0.0.0 e4/0/1
Other configuration is omitted.
(3) Configuration on the LNS side
# Enable L2TP on the firewall.
[SecPath] l2tp enable
# Configure Ethernet interface Ethernet2/0/0.
[SecPath] interface Ethernet 2/0/0
[SecPath-Ethernet2/0/0] ip address 2.2.2.1 16
# Configure virtual interface template Virtual-Template1.
[SecPath] interface Virtual-Template 1
[SecPath-Virtual-Template1] ppp authentication-mode chap
[SecPath-Virtual-Template1] ip address 192.168.1.1 16
[SecPath-Virtual-Template1] remote address pool
# Add the interfaces to security zones.
[SecPath] firewall zone trust
[SecPath-zone-trust] add interface virtual-template 1
[SecPath] firewall zone untrust
[SecPath-zone-untrust] add interface Ethernet2/0/0
# Configure the ACL rule on the firewall.
[SecPath] acl number 3000
[SecPath-acl-adv-3000] rule 5 permit ip
# Apply the ACL rule between the firewall security zones.
[SecPath] firewall interzone local untrust
[SecPath-interzone-local-untrust] packet-filter 3000 inbound
[SecPath-interzone-local-untrust] packet-filter 3000 outbound
# Configure the default packet-filter rules on the firewall.
[SecPath] firewall packet-filter default permit interzone local trust direction inbound
[SecPath] firewall packet-filter default permit interzone local trust direction outbound
[SecPath] firewall packet-filter default permit interzone local untrust direction inbound
[SecPath] firewall packet-filter default permit interzone local untrust direction outbound
[SecPath] firewall packet-filter default permit interzone local dmz direction inbound
[SecPath] firewall packet-filter default permit interzone local dmz direction outbound
# Create an L2TP group for L2TP negotiation.
[SecPath] l2tp-group 10
[SecPath-l2tp10] allow l2tp virtual-template 1 remote lac
[SecPath-l2tp10] tunnel authentication
[SecPath-l2tp10] tunnel password simple hello
[SecPath-l2tp10] tunnel name lns
# Configure the local user and the address pool.
[SecPath] aaa
[SecPath-aaa] local-user pc1 password simple pc1
[SecPath-aaa] local-user pc1 service-type ppp
[SecPath-aaa] ip pool 0 192.168.1.2 192.168.1.100
# Use local authentication for local users.
[SecPath-aaa] authentication-scheme l2tp
[SecPath-aaa-authen-l2tp] authentication-mode local
# Configure the default route on the firewall.
[SecPath] ip route-static 0.0.0.0 0.0.0.0 2.2.2.1
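To show what the `tunnel authentication` and `tunnel password` commands in the L2TP group above switch on, here is an added Python simulation (not from the manual or the SecPath product) of the RFC 2661 tunnel-authentication exchange between a LAC and an LNS; the shared secret `hello` is the tunnel password used above, and the challenges are constructed.

```python
import hashlib
import hmac
import os

# L2TP control message types involved in tunnel setup (RFC 2661)
SCCRQ, SCCRP, SCCCN = 1, 2, 3


def challenge_response(msg_type, secret, challenge):
    """RFC 2661 5.1.1: response = MD5(message type as one octet || secret || challenge)."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


def tunnel_setup(lac_secret, lns_secret, lac_challenge=None, lns_challenge=None):
    """Simulate the three-way control exchange with tunnel authentication on both ends.

    Each side holds its own copy of the tunnel password; the tunnel only comes up
    when both copies match. Returns (lac_accepted_lns, lns_accepted_lac).
    """
    lac_challenge = lac_challenge or os.urandom(16)
    lns_challenge = lns_challenge or os.urandom(16)

    # 1. LAC -> LNS: SCCRQ carrying the LAC's challenge
    sccrq = {"type": SCCRQ, "challenge": lac_challenge}

    # 2. LNS -> LAC: SCCRP answers the LAC challenge and issues its own
    sccrp = {
        "type": SCCRP,
        "response": challenge_response(SCCRP, lns_secret, sccrq["challenge"]),
        "challenge": lns_challenge,
    }
    expected = challenge_response(SCCRP, lac_secret, lac_challenge)
    lac_ok = hmac.compare_digest(sccrp["response"], expected)
    if not lac_ok:
        # LAC tears the tunnel down (StopCCN); the LNS never sees a valid SCCCN
        return False, False

    # 3. LAC -> LNS: SCCCN answers the LNS challenge
    scccn = {
        "type": SCCCN,
        "response": challenge_response(SCCCN, lac_secret, sccrp["challenge"]),
    }
    expected = challenge_response(SCCCN, lns_secret, lns_challenge)
    lns_ok = hmac.compare_digest(scccn["response"], expected)
    return lac_ok, lns_ok
```

Because the proof is an unsalted MD5 over the shared secret and a challenge that both travel in the clear, the strength of this step rests entirely on the tunnel password; the `simple hello` value in the example is a placeholder, not a recommendation.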
2.4.2 Leased SecPath firewall configuration example
1. Network requirements
The SecPath firewall is deployed inside the carrier network and provides L2TP+IPsec tunnel services to enterprises connected over leased lines, so that mobile office users can reach their enterprise's private network through the firewall. The SecPath firewall can authenticate and account for users in two ways, RADIUS and local. Enterprise A's private network is VLAN 100 and enterprise B's private network is VLAN 110.
2. Network diagram
Figure 2-7 Leased SecPath firewall configuration example
3. Configuration procedure
# Configure the default packet-filter rules on the firewall.
[SecPath] firewall packet-filter default permit interzone local trust direction inbound
[SecPath] firewall packet-filter default permit interzone local trust direction outbound
[SecPath] firewall packet-filter default permit interzone local untrust direction inbound
[SecPath] firewall packet-filter default permit interzone local untrust direction outbound
[SecPath] firewall packet-filter default permit interzone local dmz direction inbound
[SecPath] firewall packet-filter default permit interzone local dmz direction outbound
# Configure the RADIUS server: IP address 1.1.1.3, shared key H3C, authentication port 10000 and accounting port 10001.
[SecPath] radius-server template my_radius
[SecPath-radius-my_radius] radius-server shared-key H3C
[SecPath-radius-my_radius] radius-server authentication 1.1.1.3 10000
[SecPath-radius-my_radius] radius-server accounting 1.1.1.3 10001
# Enable L2TP.
[SecPath] l2tp enable
# Configure the Ethernet interface and the Ethernet subinterfaces.
[SecPath] interface ethernet 0/0/1
[SecPath-Ethernet0/0/1] ip address 2.2.2.2 255.255.0.0
[SecPath] interface ethernet 1/0/1.1
[SecPath-Ethernet1/0/1.1] vlan-type dot1q 100
[SecPath-Ethernet1/0/1.1] ip address 1.2.2.1 255.255.255.252
[SecPath] interface ethernet 1/0/1.2
[SecPath-Ethernet1/0/1.2] vlan-type dot1q 110
[SecPath-Ethernet1/0/1.2] ip address 1.2.2.2 255.255.255.252
# Configure the virtual templates, which specify the authentication mode for L2TP users and advertise the routing information that connects the mobile PCs to the enterprise networks.
[SecPath] interface Virtual-Template 1
[SecPath-Virtual-Template1] ppp authentication-mode chap
[SecPath-Virtual-Template1] ip address 1.2.6.1 255.255.254.0
[SecPath-Virtual-Template1] remote address pool 1
[SecPath] interface Virtual-Template 2
[SecPath-Virtual-Template2] ppp authentication-mode chap
[SecPath-Virtual-Template2] ip address 1.3.1.1 255.255.254.0
[SecPath-Virtual-Template2] remote address pool 2
# Add the interfaces and virtual templates to security zones.
[SecPath] firewall zone trust
[SecPath-zone-trust] add interface Ethernet 1/0/1.1
[SecPath-zone-trust] add interface Virtual-Template 1
[SecPath] firewall zone untrust
[SecPath-zone-untrust] add interface Ethernet 0/0/1
[SecPath] firewall zone name trust1
[SecPath-zone-trust1] add interface Ethernet 1/0/1.2
[SecPath-zone-trust1] add interface Virtual-Template 2
[SecPath-zone-trust1] set priority 86
# Specify the local IKE name used in IKE negotiation.
[SecPath] ike local-name SecPath
# Define the IKE peer and configure the IKE negotiation attributes.
[SecPath] ike peer p100
[SecPath-ike-peer-p100] exchange-mode aggressive
[SecPath-ike-peer-p100] pre-shared-key 123456
[SecPath-ike-peer-p100] local-id-type name
[SecPath-ike-peer-p100] remote-name pc
[SecPath-ike-peer-p100] nat traversal
# Configure the IPsec proposal.
[SecPath] ipsec proposal p100
[SecPath-ipsec-proposal-p100] esp authentication-algorithm sha1
[SecPath-ipsec-proposal-p100] esp encryption-algorithm 3des
# Configure the IPsec policy template, referencing the IKE peer and the proposal.
[SecPath] ipsec policy-template p100 1
[SecPath-ipsec-policy-templet-p100-1] ike-peer p100
[SecPath-ipsec-policy-templet-p100-1] proposal p100
# Create the IPsec policy named dialin_ from the template.
[SecPath] ipsec policy dialin_ 1 isakmp template p100
# Apply the IPsec policy on the interface.
[SecPath] interface Ethernet 1/0/0
[SecPath-Ethernet1/0/0] ip address 1.1.1.2 255.255.255.0
[SecPath-Ethernet1/0/0] ipsec policy dialin_
# Configure the L2TP groups that accept L2TP dial-in requests, and define the L2TP negotiation parameters.
[SecPath] l2tp-group 1
[SecPath-l2tp1] mandatory-chap
[SecPath-l2tp1] allow l2tp virtual-template 1 remote corpa
[SecPath-l2tp1] tunnel authentication
[SecPath-l2tp1] tunnel password simple 1234
[SecPath-l2tp1] tunnel name LNS
[SecPath] l2tp-group 2
[SecPath-l2tp2] mandatory-chap
[SecPath-l2tp2] allow l2tp virtual-template 2 remote corpb
[SecPath-l2tp2] tunnel authentication
[SecPath-l2tp2] tunnel password simple 5678
[SecPath-l2tp2] tunnel name LNS2
# Users of enterprise A log in as username@corpa; they are authenticated and accounted for by the RADIUS server, and addresses are assigned to enterprise A's users.
[SecPath] aaa
[SecPath-aaa] domain corpa
[SecPath-aaa-domain-corpa] authentication-scheme my_auth
[SecPath-aaa-domain-corpa] accounting-scheme my_acct
[SecPath-aaa-domain-corpa] radius-server my_radius
[SecPath-aaa-domain-corpa] ip pool 1 1.1.1.1 1.1.1.254
# Users of enterprise B log in as username@corpb; they are authenticated and accounted for by the RADIUS server. Some other users use local authentication and accounting.
[SecPath-aaa] domain corpb
[SecPath-aaa-domain-corpb] authentication-scheme my_auth
[SecPath-aaa-domain-corpb] accounting-scheme my_acct
[SecPath-aaa-domain-corpb] radius-server my_radius
[SecPath-aaa-domain-corpb] ip pool 2 1.1.2.1 1.1.2.254
# Configure the user authentication and accounting schemes.
[SecPath-aaa] authentication-scheme my_auth
[SecPath-aaa-authen-my_auth] authentication-mode radius
[SecPath-aaa] accounting-scheme my_acct
[SecPath-aaa-accounting-my_acct] accounting-mode radius
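As an added audit aid that is not part of the manual or the SecPath product, the following Python script parses SecPath-style `[view] command` lines from both examples in this chapter and flags the settings a reviewer would want hardened before deployment: default-permit interzone policies, the permit-all ACL, plaintext `simple` passwords, a short IKE pre-shared key with aggressive mode, and the legacy 3DES cipher. The sample lines are copied from the examples above; the length thresholds (8 characters for a local-user password, 16 for a pre-shared key) are my own assumptions.

```python
import re

# Constructed sample: representative lines taken from the two examples in this chapter
SAMPLE_CONFIG = """\
[SecPath] firewall packet-filter default permit interzone local untrust direction inbound
[SecPath-acl-adv-3000] rule 5 permit ip
[SecPath-l2tp10] tunnel password simple hello
[SecPath-aaa] local-user pc1 password simple pc1
[SecPath-ike-peer-p100] exchange-mode aggressive
[SecPath-ike-peer-p100] pre-shared-key 123456
[SecPath-ipsec-proposal-p100] esp encryption-algorithm 3des
[SecPath-Virtual-Template1] ppp authentication-mode chap
"""

# "[view-name] command words..." as printed in the configuration procedure
PROMPT = re.compile(r"^\[(?P<view>[^\]]+)\]\s+(?P<cmd>.*)$")

MIN_LOCAL_PASSWORD = 8   # assumed policy threshold
MIN_PRESHARED_KEY = 16   # assumed policy threshold


def audit(config_text):
    """Return a list of (line_number, finding) for weak settings in SecPath-style config."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        m = PROMPT.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd")
        words = cmd.split()
        if cmd.startswith("firewall packet-filter default permit"):
            findings.append((n, "default-permit interzone policy; traffic is not filtered by zone"))
        elif words[:1] == ["rule"] and "permit" in words and words[-1] == "ip":
            # a rule ending in bare "ip" carries no source/destination and permits everything
            findings.append((n, "ACL rule permits all IP traffic"))
        elif cmd.startswith("tunnel password simple"):
            findings.append((n, "L2TP tunnel password stored in plaintext (simple)"))
        elif words[:1] == ["local-user"] and "password" in words and "simple" in words:
            user, pwd = words[1], words[-1]
            if pwd == user or len(pwd) < MIN_LOCAL_PASSWORD:
                findings.append((n, f"weak plaintext password for local user {user}"))
        elif cmd.startswith("exchange-mode aggressive"):
            findings.append((n, "IKE aggressive mode exposes peer identity and a PSK-derived hash"))
        elif words[:1] == ["pre-shared-key"] and len(words) > 1 and len(words[1]) < MIN_PRESHARED_KEY:
            findings.append((n, "short IKE pre-shared key"))
        elif cmd.startswith("esp encryption-algorithm 3des"):
            findings.append((n, "legacy 3DES ESP cipher; prefer AES"))
    return findings
```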