Resolving L2TP over IPsec VPN dial-up failure from a mobile phone in a virtual firewall environment

Published: 2014-09-12   Views: 1013   Downloads: 41
Problem description
A customer at a branch site uses a USG5500 configured in a virtual firewall environment; when a mobile phone dials L2TP over IPsec, the connection fails. With the same IPsec policy applied on a physical interface, the phone dials successfully. The phone runs Android 4.1 or later (Android 4.0 has problems).
Alarm information
The tunnel cannot be established:
[USG5500-GigabitEthernet0/0/1]disp ike sa
13:55:32  2013/03/07
current sa Num :0

Handling process
Key configuration:

firewall packet-filter default permit interzone vpn-instance vpn trust untrust direction inbound
firewall packet-filter default permit interzone vpn-instance vpn trust untrust direction outbound

// Enable the default inbound/outbound packet filter between the trust and untrust zones of the virtual firewall
l2tp enable
// Enable L2TP
ip vpn-instance vpn
route-distinguisher 100:1
// Configure the VPN instance (virtual firewall)
acl number 3003 vpn-instance vpn
rule 5 permit udp source-port eq 1701
// Open L2TP port UDP 1701
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
#
ike peer test1
pre-shared-key %$%$&Mn<T@fDlGof8S>]F3BFa)}t%$%$
ike-proposal 1
sa binding vpn-instance vpn zone untrust
// Experience shows that for mobile-phone dial-up, choose DH group2; in the IKE phase, bind the VPN instance and its corresponding zone.

#
ipsec proposal prop63145831613
encapsulation-mode transport
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ipsec policy-template tpl63145831961 1
security acl 3003
ike-peer test1
proposal prop63145831613
sa duration traffic-based 1843200
sa duration time-based 3600
#
ipsec policy test1 2 isakmp template tpl63145831961

// For mobile-phone dial-up, an IPsec VPN policy template must be used.

interface Virtual-Template0
ppp authentication-mode chap pap
ppp timer negotiate 10
ppp ipcp dns 202.99.160.68
alias L2TP_LNS_0
ip binding vpn-instance vpn
ip address 10.66.10.126 255.255.255.240
remote address pool
// The virtual-template interface must be bound to the VPN instance.
interface GigabitEthernet0/0/1
alias VPN(外)
ip binding vpn-instance vpn
ip address 60.2.200.230 255.255.255.252
ipsec policy test1
// The outside interface that the IPsec VPN policy is applied to must be bound to the VPN instance
#
interface GigabitEthernet0/0/2
alias VPN(内)
ip binding vpn-instance vpn
ip address 10.66.8.3 255.255.255.248
// The corresponding inside interface must also be bound to the VPN instance

firewall zone vpn-instance vpn trust
set priority 85
add interface GigabitEthernet0/0/2
#
firewall zone vpn-instance vpn untrust
set priority 5
add interface GigabitEthernet0/0/1
add interface Virtual-Template0

l2tp-group 1
undo tunnel authentication
allow l2tp virtual-template 0 vpn-instance vpn
tunnel name svn
// The L2TP group must be bound to the virtual-template and the VPN instance.
The server had no route to the L2TP address pool, so after dialing in the user could not reach 10.66.8.47 on the inside network.

After NAT was configured on the live network, dial-up users can ping 10.66.8.47.

nat-policy interzone vpn-instance vpn trust untrust inbound
policy 0
  action source-nat
  policy source 10.66.10.117 0
  easy-ip GigabitEthernet0/0/2


Root cause
Checking the configuration showed that the Virtual-Template 0 interface was missing configuration and the L2TP-group configuration was also incomplete.

interface Virtual-Template 0
ppp authentication-mode chap pap
ppp timer negotiate 10
ppp ipcp dns 202.99.160.68
alias L2TP_LNS_0
ip binding vpn-instance vpn
ip address 10.66.10.126 255.255.255.240
remote address pool


l2tp-group 1
undo tunnel authentication
allow l2tp virtual-template 0 vpn-instance vpn
tunnel name svn
After adding the corresponding configuration commands, the IPsec VPN connects successfully in testing.

[USG5500]disp ike sa
14:32:46  2013/03/07
current ike sa number: 2
-----------------------------------------------------------------------------
conn-id    peer                    flag          phase vpn
-----------------------------------------------------------------------------
41204      117.136.15.97:43884     RD            v1:2  vpn
41203      117.136.15.97:43884     RD            v1:1  vpn

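As an added example (not from the original case and not a Huawei tool), the following Python checker parses a USG-style configuration into sections and verifies the bindings this case turned on: the IKE peer bound to the VPN instance and its zone, the Virtual-Template and the outside interface carrying the IPsec policy bound to the same instance, and the l2tp-group allowing a virtual-template that actually exists in that instance. The sample configuration, the function names and the message texts are constructed for the example.

```python
import re
# Constructed sample modelled on the case's final key configuration (not a full USG5500 export).
FIXED_CONFIG = """\
ip vpn-instance vpn
ike peer test1
 sa binding vpn-instance vpn zone untrust
interface Virtual-Template0
 ip binding vpn-instance vpn
interface GigabitEthernet0/0/1
 ip binding vpn-instance vpn
 ipsec policy test1
l2tp-group 1
 allow l2tp virtual-template 0 vpn-instance vpn
"""

def parse_sections(text):
    """Map each top-level command (column 0) to its indented sub-commands; '#' separators are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        if not raw.startswith(" "):
            current = line
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def check_l2tp_over_ipsec(text, vrf):
    """Return findings for the vpn-instance bindings the case shows are required; an empty list means OK."""
    sec, findings, templates = parse_sections(text), [], {}  # templates: VT number -> sub-commands
    bind = f"ip binding vpn-instance {vrf}"
    for hdr, body in sec.items():
        if m := re.fullmatch(r"interface Virtual-Template\s*(\d+)", hdr):
            templates[m.group(1)] = body
            if bind not in body:  # the LNS virtual interface must live in the VRF
                findings.append(f"{hdr}: missing '{bind}'")
        # IKE peer must be bound to the VRF and its zone, or phase 1 never completes in the virtual firewall.
        if hdr.startswith("ike peer ") and not any(b.startswith(f"sa binding vpn-instance {vrf} zone ") for b in body):
            findings.append(f"{hdr}: missing 'sa binding vpn-instance {vrf} zone <zone>'")
        # The outside interface that applies the IPsec policy must sit in the same VRF.
        if hdr.startswith("interface ") and any(b.startswith("ipsec policy ") for b in body) and bind not in body:
            findings.append(f"{hdr}: applies an ipsec policy but lacks '{bind}'")
    # The l2tp-group must allow a virtual-template that exists, in the same VRF.
    allows = [re.fullmatch(r"allow l2tp virtual-template (\d+) vpn-instance (\S+)", b)
              for hdr, body in sec.items() if hdr.startswith("l2tp-group ") for b in body]
    if not any(m and m.group(2) == vrf and m.group(1) in templates for m in allows):
        findings.append(f"no l2tp-group allows a configured virtual-template in vpn-instance {vrf}")
    return findings
```

Run it against the output of `display current-configuration` saved to a file; any finding points at one of the bindings the root-cause section above had to add.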

Suggestions and summary
See the attachment for details.

END