Resolving an L2TP over IPsec VPN dial-up failure from mobile phones in a virtual firewall environment

Published: 2013-03-07 Views: 213 Downloads: 0
Problem Description
At a customer site, a USG5500 was configured in a virtual firewall environment, and L2TP over IPsec dial-up from a mobile phone failed to connect. When the same IPsec policy was applied to a physical interface, the phone dialed up successfully. The phone was running Android 4.1 or later (Android 4.0 has known problems).
Alarm Information

The tunnel cannot be established.

[USG5500-GigabitEthernet0/0/1]disp ike sa
13:55:32  2013/03/07
current sa Num :0

Troubleshooting Process
After the corresponding configuration commands were added, the IPsec VPN connected successfully in testing.

[USG5500]disp ike sa
14:32:46  2013/03/07
current ike sa number: 2
-----------------------------------------------------------------------------
conn-id    peer                    flag          phase vpn
-----------------------------------------------------------------------------
41204      117.136.15.97:43884     RD            v1:2  vpn
41203      117.136.15.97:43884     RD            v1:1  vpn


Key configuration:

firewall packet-filter default permit interzone vpn-instance vpn trust untrust direction inbound
firewall packet-filter default permit interzone vpn-instance vpn trust untrust direction outbound
//Enable the default packet filter between trust and untrust in the virtual firewall
 l2tp enable
//Enable the L2TP function
ip vpn-instance vpn
route-distinguisher 100:1
//Configure the VPN instance
acl number 3003 vpn-instance vpn
rule 5 permit udp source-port eq 1701
//Open L2TP port 1701
ike proposal 1
encryption-algorithm 3des-cbc

dh group2
#
ike peer test1
pre-shared-key %$%$&Mn<T@fDlGof8S>]F3BFa)}t%$%$
ike-proposal 1
sa binding vpn-instance vpn zone untrust
//Experience shows that for mobile phone dial-up, DH group2 should be selected, and the IKE peer must be bound to the VPN instance and its corresponding zone.

#
ipsec proposal prop63145831613
encapsulation-mode transport
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ipsec policy-template tpl63145831961 1
security acl 3003
ike-peer test1
proposal prop63145831613
sa duration traffic-based 1843200
sa duration time-based 3600
#
ipsec policy test1 2 isakmp template tpl63145831961

//For mobile phone dial-up, an IPsec policy template must be used.

interface Virtual-Template0
ppp authentication-mode chap pap
ppp timer negotiate 10
ppp ipcp dns 202.99.160.68
alias L2TP_LNS_0
ip binding vpn-instance vpn
ip address 10.66.10.126 255.255.255.240
remote address pool
//The virtual-template interface must be bound to the VPN instance.
interface GigabitEthernet0/0/1
alias VPN(外)
ip binding vpn-instance vpn
ip address 60.2.200.230 255.255.255.252
ipsec policy test1
//The external interface to which the IPsec policy is applied must be bound to the VPN instance
#
interface GigabitEthernet0/0/2
alias VPN(内)
ip binding vpn-instance vpn
ip address 10.66.8.3 255.255.255.248
//The corresponding internal interface must also be bound to the VPN instance

firewall zone vpn-instance vpn trust
set priority 85
add interface GigabitEthernet0/0/2
#
firewall zone vpn-instance vpn untrust
set priority 5
add interface GigabitEthernet0/0/1
add interface Virtual-Template0

l2tp-group 1
undo tunnel authentication
allow l2tp virtual-template 0 vpn-instance vpn
tunnel name svn
//The L2TP group must be bound to the virtual-template interface and the VPN instance.


Root Cause
Checking the configuration revealed that interface Virtual-Template 0 was missing configuration and the L2TP-group configuration was also incomplete.

interface Virtual-Template 0
ppp authentication-mode chap pap
ppp timer negotiate 10
ppp ipcp dns 202.99.160.68
alias L2TP_LNS_0
ip binding vpn-instance vpn
ip address 10.66.10.126 255.255.255.240
remote address pool


l2tp-group 1
undo tunnel authentication
allow l2tp virtual-template 0 vpn-instance vpn
tunnel name svn
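The bindings this case turns on (the VPN instance on the virtual-template interface, on the IKE peer and on the L2TP group) are easy to miss in a long configuration. The Python script below is an added example, not from this case or from Huawei: it parses a constructed USG-style configuration excerpt (block headers at column 0, sub-commands until the next header or "#") and reports each such object that is not bound to the given vpn-instance, reproducing the root cause above.

```python
import re

# Constructed config (not the customer's) reproducing the root cause above:
# no VPN-instance binding on Virtual-Template0, an l2tp-group that omits the
# vpn-instance, and an IKE peer without "sa binding vpn-instance".
BROKEN_CFG = """\
ike peer test1
 ike-proposal 1
interface Virtual-Template0
 ppp authentication-mode chap pap
 ip address 10.66.10.126 255.255.255.240
interface GigabitEthernet0/0/1
 ip binding vpn-instance vpn
 ipsec policy test1
l2tp-group 1
 allow l2tp virtual-template 0
"""
HEADER = re.compile(r"^(interface|l2tp-group|ike peer)\s+(\S+)$")

def parse_blocks(cfg):
    """Group a Huawei-style config into {(kind, name): [sub-command lines]}."""
    blocks, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        m = HEADER.match(line)
        if m:
            current = (m.group(1), m.group(2))
            blocks[current] = []
        elif current:
            blocks[current].append(line)
    return blocks

def check_vpn_bindings(cfg, vpn):
    """Findings for virtual-templates, IPsec-bearing interfaces, IKE peers and l2tp-groups not bound to `vpn`."""
    findings = []
    for (kind, name), lines in parse_blocks(cfg).items():
        if kind == "interface":
            if name.startswith("Virtual-Template") or any(l.startswith("ipsec policy ") for l in lines):
                if f"ip binding vpn-instance {vpn}" not in lines:
                    findings.append(f"interface {name}: missing 'ip binding vpn-instance {vpn}'")
        elif kind == "ike peer":
            if not any(l.startswith(f"sa binding vpn-instance {vpn} zone ") for l in lines):
                findings.append(f"ike peer {name}: missing 'sa binding vpn-instance {vpn} zone <zone>'")
        elif kind == "l2tp-group":
            if not any(l.startswith("allow l2tp virtual-template ") and l.endswith(f" vpn-instance {vpn}")
                       for l in lines):
                findings.append(f"l2tp-group {name}: 'allow l2tp' lacks 'vpn-instance {vpn}'")
    return findings
```

Run `check_vpn_bindings(BROKEN_CFG, "vpn")` to list the three missing bindings; internal interfaces without an IPsec policy (such as the GigabitEthernet0/0/2 above) are outside what this check covers.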

Suggestions and Summary

END