09 - L2TP for PC dial-in, configured after everything else was working ~~~ H3C F1050
L2TP configuration steps
l2tp enable
local-user vpnUser class network
password cipher 123
service-type ppp
authorization-attribute user-role network-operator
domain system
authentication ppp local
ip pool aaa 192.168.10.10 192.168.10.20
ip pool aaa gateway 192.168.10.1
interface Virtual-Template1
ip address 192.168.10.1 255.255.255.0
remote address pool aaa
ppp authentication-mode chap domain system
security-zone name Untrust
import interface Virtual-Template1
acl number 2001
rule 0 permit
zone-pair security source Untrust destination Local
object-policy apply ip Untrust-Local
packet-filter 2001
l2tp-group 1 mode lns
allow l2tp virtual-template 1
undo tunnel authentication
tunnel name LNS
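What the `undo tunnel authentication` line in the l2tp-group gives up is the RFC 2661 challenge/response on the control connection, which runs before the PPP CHAP login of vpnUser. The following is an added example, not code from the original post or from H3C: a Python simulation of the SCCRQ / SCCRP / SCCCN exchange between a LAC (the dialling PC) and the LNS, with each side holding its own copy of the tunnel password. Hostnames and secrets are constructed; the tunnel IDs 8 and 60439 are the ones that appear in the `dis l2tp tunnel` output on this page.

```python
import hashlib
import os
import struct

# Control message types used during tunnel setup (RFC 2661, section 6).
SCCRQ, SCCRP, SCCCN = 1, 2, 3
# AVP attribute types (RFC 2661, section 4.4).
AVP_MESSAGE_TYPE, AVP_PROTOCOL_VERSION, AVP_FRAMING_CAP = 0, 2, 3
AVP_HOST_NAME, AVP_ASSIGNED_TUNNEL_ID, AVP_CHALLENGE, AVP_CHALLENGE_RESPONSE = 7, 9, 11, 13
# Header flags of a control message: T=1 (control), L=1 (length), S=1 (sequence), Ver=2.
CONTROL_FLAGS = 0xC802


def encode_avp(attr_type, value, mandatory=True):
    """AVP = M bit + 10-bit length | vendor ID 0 | attribute type | value."""
    header = (0x8000 if mandatory else 0) | (6 + len(value))
    return struct.pack("!HHH", header, 0, attr_type) + value


def encode_control(tunnel_id, ns, nr, avps):
    """Control message = 12-byte header (session ID 0) + AVPs."""
    body = b"".join(encode_avp(t, v) for t, v in avps)
    return struct.pack("!HHHHHH", CONTROL_FLAGS, 12 + len(body), tunnel_id, 0, ns, nr) + body


def decode_control(packet):
    """Parse a control message into (tunnel_id, ns, nr, {attr_type: value})."""
    if len(packet) < 12:
        raise ValueError("short packet")
    flags, length, tunnel_id, session_id, ns, nr = struct.unpack("!HHHHHH", packet[:12])
    if flags != CONTROL_FLAGS or length != len(packet) or session_id != 0:
        raise ValueError("not a well-formed L2TPv2 control message")
    avps, offset = {}, 12
    while offset < length:
        header, vendor, attr_type = struct.unpack("!HHH", packet[offset:offset + 6])
        avp_len = header & 0x03FF
        if vendor != 0 or avp_len < 6 or offset + avp_len > length:
            raise ValueError("malformed AVP")
        avps[attr_type] = packet[offset + 6:offset + avp_len]
        offset += avp_len
    return tunnel_id, ns, nr, avps


def challenge_response(msg_type, secret, challenge):
    """RFC 2661, section 5.1.1: MD5(message-type octet || shared secret || challenge)."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


def tunnel_setup(lac_secret, lns_secret, tunnel_authentication=True):
    """Run SCCRQ -> SCCRP -> SCCCN between a LAC (the PC) and the LNS.

    Each side keeps its own copy of the tunnel password, so a mismatch shows
    up as a rejected Challenge Response.  tunnel_authentication=False is the
    'undo tunnel authentication' case: no Challenge AVPs are sent and the
    tunnel comes up for any peer that can reach UDP 1701.
    Returns (established, reason)."""
    lac_tid, lns_tid = 8, 60439          # IDs seen in 'dis l2tp tunnel' on the F1050
    lac_challenge = os.urandom(16) if tunnel_authentication else None

    # 1. LAC -> LNS: SCCRQ.  Tunnel ID 0: the LNS has not assigned one yet.
    avps = [(AVP_MESSAGE_TYPE, struct.pack("!H", SCCRQ)),
            (AVP_PROTOCOL_VERSION, b"\x01\x00"),
            (AVP_FRAMING_CAP, struct.pack("!I", 0x3)),          # sync + async framing
            (AVP_HOST_NAME, b"lac-example"),                     # constructed hostname
            (AVP_ASSIGNED_TUNNEL_ID, struct.pack("!H", lac_tid))]
    if lac_challenge:
        avps.append((AVP_CHALLENGE, lac_challenge))
    _, _, _, sccrq = decode_control(encode_control(0, 0, 0, avps))

    # 2. LNS -> LAC: SCCRP, answering the LAC's challenge and issuing its own.
    peer_tid = struct.unpack("!H", sccrq[AVP_ASSIGNED_TUNNEL_ID])[0]
    lns_challenge = os.urandom(16) if AVP_CHALLENGE in sccrq else None
    avps = [(AVP_MESSAGE_TYPE, struct.pack("!H", SCCRP)),
            (AVP_PROTOCOL_VERSION, b"\x01\x00"),
            (AVP_FRAMING_CAP, struct.pack("!I", 0x3)),
            (AVP_HOST_NAME, b"LNS"),                             # 'tunnel name LNS' above
            (AVP_ASSIGNED_TUNNEL_ID, struct.pack("!H", lns_tid))]
    if lns_challenge:
        avps.append((AVP_CHALLENGE_RESPONSE,
                     challenge_response(SCCRP, lns_secret, sccrq[AVP_CHALLENGE])))
        avps.append((AVP_CHALLENGE, lns_challenge))
    _, _, _, sccrp = decode_control(encode_control(peer_tid, 0, 1, avps))

    # The LAC checks the LNS's answer before it goes any further.
    if lac_challenge and sccrp.get(AVP_CHALLENGE_RESPONSE) != challenge_response(
            SCCRP, lac_secret, lac_challenge):
        return False, "LAC rejected SCCRP: bad Challenge Response, tunnel torn down"

    # 3. LAC -> LNS: SCCCN, answering the LNS's challenge.
    avps = [(AVP_MESSAGE_TYPE, struct.pack("!H", SCCCN))]
    if AVP_CHALLENGE in sccrp:
        avps.append((AVP_CHALLENGE_RESPONSE,
                     challenge_response(SCCCN, lac_secret, sccrp[AVP_CHALLENGE])))
    _, _, _, scccn = decode_control(encode_control(lns_tid, 1, 1, avps))

    if lns_challenge and scccn.get(AVP_CHALLENGE_RESPONSE) != challenge_response(
            SCCCN, lns_secret, lns_challenge):
        return False, "LNS rejected SCCCN: bad Challenge Response, tunnel torn down"
    if not tunnel_authentication:
        return True, "established without tunnel authentication"
    return True, "established"
```

With `tunnel_authentication=True` and matching secrets the tunnel comes up; with a wrong secret the LAC drops it at SCCRP. With `tunnel_authentication=False` the same wrong secret is never consulted and the tunnel still comes up, which is exactly the situation the `undo tunnel authentication` line creates on the F1050: the only remaining check is the PPP CHAP login in domain system.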
==============================================
<F1050>dis cur
#
version 7.1.054, Ess 9308P05
#
sysname F1050
#
context Admin id 1
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
security-zone intra-zone default permit
#
ip pool aaa 192.168.10.10 192.168.10.20 ---------------VPN address pool
ip pool aaa gateway 192.168.10.1 ----------VPN gateway
#
dhcp enable
#
password-recovery enable
#
vlan 1
#
dhcp server ip-pool 1
gateway-list 192.168.1.1
network 192.168.1.0 mask 255.255.255.0
dns-list 202.99.166.4
#
dhcp server ip-pool 2
gateway-list 192.168.2.1
network 192.168.2.0 mask 255.255.255.0
dns-list 202.99.166.4
#
dhcp server ip-pool 3
gateway-list 192.168.3.1
network 192.168.3.0 mask 255.255.255.0
dns-list 202.99.166.4
#
interface Virtual-Template1--------------------create the Virtual-Template1 interface; its IP is the gateway of the address pool, clients get their addresses from pool aaa, and PPP authentication is CHAP
ppp authentication-mode chap domain system
remote address pool aaa
ip address 192.168.10.1 255.255.255.0
#
interface NULL0
#
interface GigabitEthernet1/0/0
port link-mode route
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode route
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-mode route
ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet1/0/3
port link-mode route
ip address 192.168.3.1 255.255.255.0
#
interface GigabitEthernet1/0/4
port link-mode route
ip address 172.16.11.200 255.255.255.0
nat outbound
#
interface GigabitEthernet1/0/5
port link-mode route
#
interface GigabitEthernet1/0/6
port link-mode route
#
interface GigabitEthernet1/0/7
port link-mode route
#
interface GigabitEthernet1/0/8
port link-mode route
#
interface GigabitEthernet1/0/9
port link-mode route
#
interface GigabitEthernet1/0/10
port link-mode route
#
interface GigabitEthernet1/0/11
port link-mode route
#
interface GigabitEthernet1/0/12
port link-mode route
#
interface GigabitEthernet1/0/13
port link-mode route
#
interface GigabitEthernet1/0/14
port link-mode route
#
interface GigabitEthernet1/0/15
port link-mode route
#
interface GigabitEthernet1/0/16
port link-mode route
#
interface GigabitEthernet1/0/17
port link-mode route
#
interface GigabitEthernet1/0/18
port link-mode route
#
interface GigabitEthernet1/0/19
port link-mode route
#
interface GigabitEthernet1/0/20
port link-mode route
#
interface GigabitEthernet1/0/21
port link-mode route
#
interface GigabitEthernet1/0/22
port link-mode route
#
interface GigabitEthernet1/0/23
port link-mode route
#
object-policy ip Local-Trust----------(1) Define the inter-zone policy rules. The policy is named Local-Trust (any name works, but remember it because it is referenced later; by convention it is written source-destination). Note that object-policy only defines the policy; it is applied later with zone-pair security ...
rule 0 pass
#
object-policy ip Mgt-Local
description Now in (zone-pair security source Mgt destination Local) replace packet-filter 2000---using the ACL or the rule pass here has the same effect
rule 0 pass
#
object-policy ip Trust-Local
rule 0 pass
#
object-policy ip Trust-Untrust
rule 0 pass
#
object-policy ip Untrust-Local---this is what lets the outside ping the WAN interface or open the web UI on it
rule 0 pass
#
security-zone name Local------(2) Define the zones and add interfaces to them. The Local zone is special: it represents the device itself, so every interface on the device already belongs to it without being imported
#
security-zone name Trust
import interface GigabitEthernet1/0/1
import interface GigabitEthernet1/0/2
import interface GigabitEthernet1/0/3
#
security-zone name DMZ
#
security-zone name Untrust------------------add the Virtual-Template1 interface created earlier for the VPN to the Untrust zone
import interface GigabitEthernet1/0/4
import interface GigabitEthernet1/0/5
import interface Virtual-Template1
#
security-zone name Mgt
import interface GigabitEthernet1/0/0
#
zone-pair security source Local destination Trust------(3) Apply the inter-zone policies
object-policy apply ip Local-Trust
#
zone-pair security source Mgt destination Local
object-policy apply ip Mgt-Local
#
zone-pair security source Trust destination Local
object-policy apply ip Trust-Local
#
zone-pair security source Trust destination Untrust
object-policy apply ip Trust-Untrust
#
zone-pair security source Untrust destination Local----------------create the Untrust-to-Local zone pair, apply the packet-filter policy, and let matching traffic through
object-policy apply ip Untrust-Local
packet-filter 2001
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
authentication-mode scheme
user-role network-admin
#
line vty 0 4
authentication-mode scheme
user-role network-admin
#
line vty 5 63
user-role network-operator
#
ip route-static 0.0.0.0 0 172.16.11.254
#
undo ssh server compatible-ssh1x enable
#
acl number 2000
description use in (zone-pair security source Mgt destination Local)
rule 0 permit source 192.168.0.0 0.0.0.255
#
acl number 2001------------------intended to match the VPN traffic; note that "rule 0 permit" with no source or protocol matches all IP traffic, so applied to the Untrust-to-Local zone pair it admits anything from Untrust to the firewall itself (including the telnet/http/https services enabled in this config), not only L2TP on UDP 1701
rule 0 permit
#
domain system---------configure the ISP domain named system, with local authentication for PPP users
authentication ppp local
#
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash admin--------------stored in the running config as: $h$6$UbIhNnPevyKUwfpm$LqR3+yg1IjNct39MkOR0H0iQXLkYB3jMqM4vbAeoXOhbabIIFnjJPEGR00YiYA1Sz4LiY3FmEdru2fOLMb1shQ==
service-type telnet terminal http https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
local-user vpnUser class network-------------------------------create the local username/password used for VPN dial-in
password cipher 123-------------stored in the running config as: $c$3$2G92EMyTH0TJHpzDzrZdUaCM/Ws/hA==
service-type ppp
authorization-attribute user-role network-operator
#
l2tp-group 1 mode lns------create the L2TP group, set the tunnel name to LNS, and hand incoming calls to Virtual-Template1
allow l2tp virtual-template 1
undo tunnel authentication
tunnel name LNS
#
l2tp enable-----------enable L2TP
#
ip http enable
ip https enable
#
return
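Reading the dump above with the zone pairs, ACLs and the l2tp-group side by side makes three things visible at once: tunnel authentication is off, ACL 2001 and object-policy Untrust-Local both pass everything from Untrust to Local, and telnet/http/https are enabled globally. The following is an added example, not part of the original post: a Python check that parses a Comware running config into its "#"-separated sections and reports exactly those three conditions. The embedded config is a constructed excerpt of the dump above, trimmed to the sections the checks read; the section splitter assumes "#" occurs only as the block separator.

```python
import re

# Excerpt of the F1050 running config shown above, trimmed (constructed
# sample) to the sections these checks read; interface, DHCP and role
# sections are left out.  Assumption: '#' appears only as the block separator.
SAMPLE_CONFIG = """\
#
telnet server enable
#
object-policy ip Untrust-Local
 rule 0 pass
#
security-zone name Untrust
 import interface GigabitEthernet1/0/4
 import interface Virtual-Template1
#
zone-pair security source Untrust destination Local
 object-policy apply ip Untrust-Local
 packet-filter 2001
#
acl number 2000
 rule 0 permit source 192.168.0.0 0.0.0.255
#
acl number 2001
 rule 0 permit
#
l2tp-group 1 mode lns
 allow l2tp virtual-template 1
 undo tunnel authentication
 tunnel name LNS
#
l2tp enable
#
ip http enable
ip https enable
#
return
"""


def parse_sections(text):
    """Split a 'display current-configuration' dump on its '#' separators.
    Each section is a list of stripped lines; the first line is the view
    command (acl, zone-pair, l2tp-group, ...) and the rest its sub-commands."""
    sections = []
    for block in text.split("#"):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if lines:
            sections.append(lines)
    return sections


def audit_l2tp_exposure(text):
    """Return finding strings describing how the LNS is exposed from Untrust."""
    sections = parse_sections(text)
    every_line = [ln for sec in sections for ln in sec]
    findings = []

    # ACLs and object-policies that contain an unqualified permit/pass rule:
    # 'rule 0 permit' with no source/protocol matches every IP packet.
    permit_all_acls = {sec[0].split()[-1] for sec in sections
                       if sec[0].startswith("acl ")
                       and any(re.fullmatch(r"rule \d+ permit", ln) for ln in sec[1:])}
    pass_all_policies = {sec[0].split()[-1] for sec in sections
                         if sec[0].startswith("object-policy ip ")
                         and any(re.fullmatch(r"rule \d+ pass", ln) for ln in sec[1:])}

    for sec in sections:
        head = sec[0]
        if head.startswith("l2tp-group ") and "undo tunnel authentication" in sec[1:]:
            findings.append(f"{head}: tunnel authentication disabled; any host reaching "
                            "UDP 1701 can open the control connection, leaving PPP CHAP "
                            "as the only check")
        if head == "zone-pair security source Untrust destination Local":
            for ln in sec[1:]:
                name = ln.split()[-1]
                if ln.startswith("packet-filter ") and name in permit_all_acls:
                    findings.append(f"Untrust->Local packet-filter {name} permits all IP "
                                    "traffic to the firewall itself, not only L2TP (UDP 1701)")
                if ln.startswith("object-policy apply ip ") and name in pass_all_policies:
                    findings.append(f"Untrust->Local object-policy {name} passes all "
                                    "traffic to the firewall itself")

    # Management services are only a problem here if Untrust->Local is wide open.
    if any(f.startswith("Untrust->Local") for f in findings):
        for svc in ("telnet server enable", "ip http enable", "ip https enable"):
            if svc in every_line:
                findings.append(f"'{svc}' is reachable from Untrust through the "
                                "unrestricted Untrust->Local policy")
    return findings


if __name__ == "__main__":
    for finding in audit_l2tp_exposure(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the excerpt it reports six findings: the disabled tunnel authentication, the two wide-open Untrust-to-Local policies, and the three management services that those policies expose. Changing `undo tunnel authentication` to `tunnel authentication` in the input removes the first finding and leaves the other five, which is the quickest way to confirm the checker is keyed to the right lines.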
<F1050>dis l2tp session
No session exists.
<F1050>%Jan 6 15:31:42:614 2022 F1050 IFNET/3/PHY_UPDOWN: -Context=1; Physical state on the interface Virtual-Access0 changed to up.
%Jan 6 15:31:44:652 2022 F1050 IFNET/5/LINK_UPDOWN: -Context=1; Line protocol state on the interface Virtual-Access0 changed to up.
<F1050>dis l2tp session
LocalSID   RemoteSID   LocalTID   State
46887      1           60439      Established
<F1050>dis l2tp tunnel
LocalTID   RemoteTID   State         Sessions   RemoteAddress   RemotePort   RemoteName
60439      8           Established   1          172.16.11.22    1701         User-2021DHRAIW
<F1050>dis ip p
<F1050>dis ip po
<F1050>dis ip pool ?
> Redirect it to a file
>> Redirect it to a file in append mode
STRING<1-31> IP address pool name
group Specify a group
| Matching output
<cr>
<F1050>dis ip pool aaa ?
> Redirect it to a file
>> Redirect it to a file in append mode
| Matching output
<cr>
<F1050>dis ip pool aaa
Group name: default
Pool name   Start IP address   End IP address   Free   In use
aaa         192.168.10.10      192.168.10.20    10     1
In use IP addresses:
IP address      Interface
192.168.10.14   VA0
<F1050>dis ip pool aaa ?
> Redirect it to a file
>> Redirect it to a file in append mode
| Matching output
<cr>
<F1050>dis dhcp ser
<F1050>dis dhcp server ?
conflict Information about IP address conflicts
database DHCP database information
expired Lease expiration information
free-ip IP addresses not in use
ip-in-use Addresses assigned
pool DHCP pool information
statistics DHCP server statistics
<F1050>dis dhcp server ip-in
<F1050>dis dhcp server ip-in-use ?
> Redirect it to a file
>> Redirect it to a file in append mode
ip Specify an IP address
pool Specify a DHCP pool
vpn-instance Specify a VPN instance
| Matching output
<cr>
<F1050>dis dhcp server ip-in-use pll
<F1050>dis dhcp server ip-in-use poo
<F1050>dis dhcp server ip-in-use pool ?
STRING<1-63> DHCP pool name
<F1050>dis dhcp server ip-in-use pool aaa
No relevant information available. ----------expected: aaa is a PPP address pool (ip pool aaa ...), not a DHCP server pool, so the dhcp server commands do not list it; dis ip pool aaa above is what shows the address handed to the VPN client