[Dual-device hot backup] Configuring L2TP over IPSec access to an L3VPN

Published: 2015-02-02   Views: 451   Downloads: 6
Problem description
Networking requirements
In the figure below, two firewalls provide HRP dual-device hot backup in active/standby mode. The USG offers L2TP over IPSec to the outside; on the LNS side, remote users are authenticated with AAA local authentication. Two VPN instances, vpn1 and vpn2, are created on the LNS: traffic from users dialing in for VPN1 is handled by VPN instance vpn1, and traffic from users dialing in for VPN2 by VPN instance vpn2.

Address planning


Configuration roadmap
1. Complete the basic configuration
2. Complete the HRP dual-device hot backup configuration
3. Complete the L2TP and IPSec configuration
4. Test.
Procedure (using VPN1 as an example)
 

Alarm information

Handling process
Basic configuration
<SRG>sy
[SRG]sy FW2
[FW2]ip vpn-instance vpn1
[FW2-vpn-instance-vpn1]route-distinguisher 100:1

Create the subinterface and bind it to the VPN instance
[FW2-vpn-instance-vpn2]int g0/0/6
[FW2-GigabitEthernet0/0/6]ip address 59.231.232.35 255.255.255.240
[FW2-GigabitEthernet0/0/6]int g0/0/5.1
[FW2-GigabitEthernet0/0/5.1]vlan-type dot1q 220
[FW2-GigabitEthernet0/0/5.1]ip binding vpn-instance vpn1
[FW2-GigabitEthernet0/0/5.1] ip address 59.231.232.29 255.255.255.240

Add the subinterface to the security zone of the virtual firewall and configure packet filtering
[FW2]firewall zone trust
[FW2-zone-trust]add int g0/0/6
[FW2]firewall zone vpn-instance vpn1 trust
[FW2-zone-trust-vpn1]add interface GigabitEthernet 0/0/5.1


[FW2]firewall packet-filter default permit all
[FW2]firewall interzone trust vpn-instance vpn1 trust //configure this command first; only then can the next two commands be configured
[FW2]firewall packet-filter default permit interzone trust vpn-instance vpn1 trust direction inbound
[FW2]firewall packet-filter default permit interzone trust vpn-instance vpn1 trust direction outbound
[FW2]firewall packet-filter default permit interzone vpn-instance vpn1 local trust direction inbound

Configure the routes of the virtual firewall and of the root firewall
HRP_M[FW2]ip route-static vpn-instance vpn1 59.231.0.0 255.255.255.0 59.231.232.17
HRP_M[FW2]ip route-static 0.0.0.0 0.0.0.0 59.231.232.46

Configure VRRP and HRP dual-device hot backup
[FW2]interface Eth-Trunk 1
[FW2-Eth-Trunk1]mode lacp-static
[FW2-Eth-Trunk1]ip address 192.168.0.1 30
[FW2-Eth-Trunk1]int g0/0/5.1
[FW2-GigabitEthernet0/0/5.1] vrrp vrid 1 virtual-ip 59.231.232.30 master
[FW2]interface g0/0/6 
[FW2-GigabitEthernet0/0/6] vrrp vrid 2 virtual-ip 59.231.232.33 master

[FW2]hrp interface Eth-Trunk 1
[FW2]hrp mirror session enable
[FW2]hrp enable



Configure L2TP
Create domain-based users in AAA; when a user dials in, the domain in the username determines which VT interface the user is attached to
HRP_M[FW2-aaa]domain  vpn1.com
HRP_M[FW2-aaa]local-user test@vpn1.com password cipher test
HRP_M[FW2-aaa]local-user test@vpn1.com service-type ppp

Create the virtual interface template, set the PPP authentication mode to CHAP, configure the address pool and other parameters, and bind the VT to the VPN instance
HRP_M[FW2]interface Virtual-Template 1
HRP_M[FW2-Virtual-Template1]ip binding vpn-instance vpn1
HRP_M[FW2-Virtual-Template1]ppp authentication-mode chap
HRP_M[FW2-Virtual-Template1]ip add 59.231.213.1 24
HRP_M[FW2-Virtual-Template1]remote address pool 1

Add the VT interface to the security zone of the corresponding VPN instance
HRP_M[FW2]firewall zone vpn-instance vpn1 trust
HRP_M[FW2-zone-trust-vpn1]add interface Virtual-Template 1


Enable L2TP and configure the L2TP group
HRP_M[FW2]l2tp enable
HRP_M[FW2]l2tp domain suffix-separator @
HRP_M[FW2]l2tp-group 1
HRP_M[FW2-l2tp1]tunnel name LNS1
HRP_M[FW2-l2tp1]tunnel password cipher Admin@123
HRP_M[FW2-l2tp1]allow l2tp virtual-template 1 remote  LAC1


Configure the IPSec used by L2TP over IPSec
HRP_M[FW2]acl 3004
HRP_M[FW2-acl-adv-3004]rule 5 permit udp source-port eq 1701

HRP_M[FW2]ipsec proposal l2tp
HRP_M[FW2-ipsec-proposal-l2tp] encapsulation-mode transport
HRP_M[FW2-ipsec-proposal-l2tp] esp authentication-algorithm sha1
HRP_M[FW2-ipsec-proposal-l2tp] esp encryption-algorithm aes

HRP_M[FW2]ike proposal 300
HRP_M[FW2-ike-proposal-300]encryption-algorithm 3des-cbc
HRP_M[FW2-ike-proposal-300]dh group2

HRP_M[FW2]ike peer l2tp
HRP_M[FW2-ike-peer-l2tp]undo version 2
HRP_M[FW2-ike-peer-l2tp]ike-proposal 300
HRP_M[FW2-ike-peer-l2tp]exchange-mode aggressive
HRP_M[FW2-ike-peer-l2tp]local-id-type fqdn LNS
HRP_M[FW2-ike-peer-l2tp]remote-id-type fqdn LAC
HRP_M[FW2-ike-peer-l2tp]pre-shared-key Admin@123

# Configure the IPSec policy template vpn_template
HRP_M[FW2]ipsec policy-template vpn_template 1000
HRP_M[FW2-ipsec-policy-template-vpn_template-1000]security acl 3004
HRP_M[FW2-ipsec-policy-template-vpn_template-1000]proposal l2tp
HRP_M[FW2-ipsec-policy-template-vpn_template-1000]ike-peer l2tp
HRP_M[FW2-ipsec-policy-template-vpn_template-1000]quit
HRP_M[FW2]ipsec policy vpn 1000 isakmp template vpn_template
HRP_M[FW2]interface GigabitEthernet 0/0/6
HRP_M[FW2-GigabitEthernet0/0/6]ipsec policy vpn
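As an added example (it is not part of the original case and not a Huawei tool): a small Python audit that strips the VRP prompts from a transcript like the one above and flags the settings a reviewer would want to revisit before this LNS goes live, such as the packet filter defaulting to permit all, IKEv1 aggressive mode with a pre-shared key, 3DES and DH group 2. The sample transcript inside the script is a constructed excerpt of the commands shown on this page; the finding ids are the script's own names.

```python
import re

# Constructed sample: an excerpt of the LNS configuration from this case,
# copied with its CLI prompts as it appears in the transcript.
SAMPLE_CONFIG = """\
[FW2]firewall packet-filter default permit all
HRP_M[FW2-ike-proposal-300]encryption-algorithm 3des-cbc
HRP_M[FW2-ike-proposal-300]dh group2
HRP_M[FW2-ike-peer-l2tp]undo version 2
HRP_M[FW2-ike-peer-l2tp]exchange-mode aggressive
HRP_M[FW2-ike-peer-l2tp]pre-shared-key Admin@123
HRP_M[FW2-ipsec-proposal-l2tp] esp encryption-algorithm aes
"""

# Optional HRP_M/HRP_S prefix, then a <user-view> or [system-view] prompt.
PROMPT_RE = re.compile(r"^\s*(?:HRP_[MS]\s*)?(?:<[^>]*>|\[[^\]]*\])\s*")

# (finding id, regex on the bare command, why a defender cares)
CHECKS = [
    ("default-permit-all", re.compile(r"^firewall packet-filter default permit all$"),
     "interzone filtering defaults to permit; only explicit rules restrict traffic"),
    ("ike-3des", re.compile(r"^encryption-algorithm 3des(?:-cbc)?$"),
     "3DES is a 64-bit block cipher; prefer AES for the IKE proposal"),
    ("ike-weak-dh", re.compile(r"^dh group[12]$"),
     "DH group 1/2 (768/1024-bit MODP) is below current guidance"),
    ("ikev2-disabled", re.compile(r"^undo version 2$"),
     "IKEv2 disabled; the peer is pinned to IKEv1"),
    ("ike-aggressive-mode", re.compile(r"^exchange-mode aggressive$"),
     "IKEv1 aggressive mode exchanges identities and the PSK-based hash unencrypted; PSK strength is the only protection"),
    ("psk-in-config", re.compile(r"^(?:pre-shared-key|tunnel password)\b"),
     "shared secret stored in the running config; restrict who can read the config and rotate it"),
]

def strip_prompt(line):
    """Return the bare command: drop the CLI prompt and any trailing // comment."""
    cmd = PROMPT_RE.sub("", line)
    return cmd.split("//", 1)[0].strip()

def audit_config(text):
    """Scan a VRP-style transcript; return [(finding_id, line_number, command)]."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        cmd = strip_prompt(raw)
        for fid, pattern, _why in CHECKS:
            m = pattern.search(cmd) if cmd else None
            if m:
                # Never echo a secret back into the report; keep only the keyword.
                shown = m.group(0) + " ***" if fid == "psk-in-config" else cmd
                findings.append((fid, lineno, shown))
    return findings

if __name__ == "__main__":
    for fid, n, cmd in audit_config(SAMPLE_CONFIG):
        why = next(w for i, _p, w in CHECKS if i == fid)
        print(f"line {n}: {fid}: {cmd}  [{why}]")
```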

Testing
Install the VPN Client software on a PC on the external network, download the 我的连接.cfg connection file, import it into VPN Client, and then run a ping test!


Suggestions and summary

END