
L2TP Lab

1. Topology

2. Requirements

Set up a PPPoE connection and configure the dialer interface and the VT (virtual-template) interface
Set up an L2TP tunnel

3. Configuration

FW1:

[Client]firewall zone trust 
[Client-zone-trust]add interface g1/0/0
[Client]security-policy
[Client-policy-security]default action permit 

FW2:

[LAC]int g1/0/1
[LAC-GigabitEthernet1/0/1]ip address 20.1.1.1 24
[LAC]firewall zone trust 
[LAC-zone-trust]add interface g1/0/0	
[LAC]firewall zone untrust 
[LAC-zone-untrust]add interface g1/0/1
[LAC]security-policy	
[LAC-policy-security]default action permit

FW3:

[LNS]int g1/0/0
[LNS-GigabitEthernet1/0/0]ip add 20.1.1.2 24
[LNS-GigabitEthernet1/0/0]q
[LNS]int g1/0/1
[LNS-GigabitEthernet1/0/1]ip add 192.168.1.1 24
[LNS-GigabitEthernet1/0/1]q	
[LNS]firewall zone untrust 
[LNS-zone-untrust]add int g1/0/0
[LNS]firewall zone trust 
[LNS-zone-trust]add int g1/0/1

Set up the PPPoE connection and configure the dialer interface and the VT interface

Client:

[Client]interface Dialer 1
[Client-Dialer1]dialer user user1	
[Client-Dialer1]dialer-group 1
[Client-Dialer1]dialer bundle 1	
[Client-Dialer1]ip address ppp-negotiate 
[Client-Dialer1]ppp chap user user1	
[Client-Dialer1]ppp chap password cipher Password123
[Client]dialer-rule 1 ip permit 
[Client]firewall zone trust 
[Client-zone-trust]add int Dialer 1
[Client]interface g1/0/0	
[Client-GigabitEthernet1/0/0]pppoe-client dial-bundle-number 1

FW2:

[LAC]interface Virtual-Template 1
[LAC-Virtual-Template1]ppp authentication-mode chap 
[LAC-Virtual-Template1]ip address 2.2.2.2 24
[LAC]firewall zone dmz
[LAC-zone-dmz]add interface Virtual-Template 1
[LAC]interface g1/0/0
[LAC-GigabitEthernet1/0/0]pppoe-server bind virtual-template 1
[LAC]aaa
[LAC-aaa]domain default 
[LAC-aaa-domain-default]service-type l2tp
[LAC]user-manage user user1 domain default
[LAC-localuser-user1]password Password123

Set up the L2TP tunnel:

LAC configuration:

[LAC]l2tp enable 
[LAC]l2tp-group 1
[LAC-l2tp-1]tunnel authentication 
[LAC-l2tp-1]tunnel password cipher Hello123
[LAC-l2tp-1]tunnel name lac  
[LAC-l2tp-1]start l2tp ip 20.1.1.2 fullusername user1

LNS configuration:

[LNS]ip pool l2tp
Info: It is successful to create an IP address pool.
[LNS-ip-pool-l2tp]section 0 172.16.0.2 172.16.0.100
[LNS]aaa
[LNS-aaa]service-scheme l2tp
[LNS-aaa-service-l2tp]ip-pool l2tp
[LNS-aaa]domain default 
[LNS-aaa-domain-default]service-type l2tp
[LNS]user-manage user user1 domain default 
[LNS-localuser-user1]password Password123
[LNS]interface Virtual-Template1	
[LNS-Virtual-Template1]ppp authentication-mode chap 
[LNS-Virtual-Template1]ip add 172.16.0.1 24
[LNS-Virtual-Template1]remote service-scheme l2tp

[LNS]firewall zone dmz
[LNS-zone-dmz]add int Virtual-Template 1
[LNS]l2tp enable 
[LNS]l2tp-group 1
[LNS-l2tp-1]allow l2tp virtual-template 1 remote lac domain default	
[LNS-l2tp-1]tunnel authentication
[LNS-l2tp-1]tunnel password cipher Hello123

Change the LAC and LNS security policies to permit

[LNS]l2tp-group 1
[LNS-l2tp-1]mandatory-chap 
[LNS-l2tp-1]mandatory-lcp 
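Added worked example (not part of the original post): how the two CHAP-style checks configured above are computed. L2TP tunnel authentication (RFC 2661) and PPP CHAP (RFC 1994) both use MD5(identifier || secret || challenge); for the tunnel, the identifier is the control message type (2 for SCCRP, 3 for SCCCN). The secret is the lab's Hello123 tunnel password; the challenge nonces are generated by the script.

```python
import hashlib
import hmac
import os

# L2TP control message types that carry a Challenge Response AVP (RFC 2661 s.3.1)
SCCRP = 2
SCCCN = 3


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5 over identifier octet || secret || challenge."""
    if not 0 <= identifier <= 255:
        raise ValueError("identifier must fit in one octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def l2tp_tunnel_response(msg_type: int, tunnel_secret: bytes, challenge: bytes) -> bytes:
    """RFC 2661 s.4.4.3: the Challenge Response AVP is a CHAP response whose
    identifier is the message type, so SCCRP (2) and SCCCN (3) answer the
    same challenge differently."""
    if msg_type not in (SCCRP, SCCCN):
        raise ValueError("only SCCRP and SCCCN carry a Challenge Response AVP")
    return chap_response(msg_type, tunnel_secret, challenge)


def verify(expected: bytes, received: bytes) -> bool:
    """Constant-time comparison, as the verifying peer should do it."""
    return hmac.compare_digest(expected, received)


def tunnel_handshake(lac_secret: bytes, lns_secret: bytes) -> tuple:
    """Simulate the authentication part of SCCRQ -> SCCRP -> SCCCN with each
    side holding its own copy of 'tunnel password'. Challenges are random
    nonces as on a real device. Returns (lac_accepts_lns, lns_accepts_lac)."""
    lac_challenge = os.urandom(16)  # Challenge AVP sent by the LAC in SCCRQ
    lns_challenge = os.urandom(16)  # Challenge AVP sent by the LNS in SCCRP
    # LNS answers the LAC's challenge in SCCRP; LAC recomputes and compares
    lns_resp = l2tp_tunnel_response(SCCRP, lns_secret, lac_challenge)
    lac_accepts_lns = verify(l2tp_tunnel_response(SCCRP, lac_secret, lac_challenge), lns_resp)
    # LAC answers the LNS's challenge in SCCCN; LNS recomputes and compares
    lac_resp = l2tp_tunnel_response(SCCCN, lac_secret, lns_challenge)
    lns_accepts_lac = verify(l2tp_tunnel_response(SCCCN, lns_secret, lns_challenge), lac_resp)
    return lac_accepts_lns, lns_accepts_lac


if __name__ == "__main__":
    # Constructed sample secrets; the first pair matches the lab's tunnel password
    print(tunnel_handshake(b"Hello123", b"Hello123"))  # (True, True)
    print(tunnel_handshake(b"Hello123", b"hello123"))  # (False, False)
```

The second call shows why a mismatched tunnel password on either side causes the tunnel to fail before any PPP session is negotiated.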

[Client]ip route-static 0.0.0.0 0 Dialer 1
[Client]firewall zone dmz 
[Client-zone-dmz]add int Dialer 1

Security policy:

LAC

[LAC]security-policy 
[LAC-policy-security]rule name 1	
[LAC-policy-security-rule-1]source-zone local	
[LAC-policy-security-rule-1]destination-zone untrust 
[LAC-policy-security-rule-1]source-address 20.1.1.1 32
[LAC-policy-security-rule-1]destination-address 20.1.1.2 32
[LAC-policy-security-rule-1]service l2tp
[LAC-policy-security-rule-1]service protocol udp source-port 0 to 5335 destination-port 1701 
[LAC-policy-security-rule-1]action permit

LNS

[LNS]security-policy 
[LNS-policy-security]rule name 2
[LNS-policy-security-rule-2]source-zone untrust 
[LNS-policy-security-rule-2]destination-zone local 
[LNS-policy-security-rule-2]source-address 20.1.1.1 32
[LNS-policy-security-rule-2]destination-address 20.1.1.2 32
[LNS-policy-security-rule-2]service l2tp
[LNS-policy-security-rule-2]service protocol udp destination-port 1701
[LNS-policy-security-rule-2]action permit 
[LNS-policy-security-rule-2]rule name icmp
[LNS-policy-security-rule-icmp]source-zone trust 
[LNS-policy-security-rule-icmp]destination-zone local 
[LNS-policy-security-rule-icmp]source-address 192.168.0.20 32
[LNS-policy-security-rule-icmp]destination-address 192.168.0.3 32
[LNS-policy-security-rule-icmp]action permit 

Configuration successful.

Test:

