一、实验目的及拓扑
实验目的:企业总部与分支通过IPsecVPN建立点对点连接,移动端通过L2TP方式与企业总部连接
二、基本配置
1、如图所示配置接口地址
2、总部接口区域配置
[FW1]dis zone
local
priority is 100
interface of the zone is (0):
#
trust
priority is 85
interface of the zone is (2):
GigabitEthernet0/0/0
GigabitEthernet1/0/1
#
untrust
priority is 5
interface of the zone is (1):
GigabitEthernet1/0/0
#
dmz
priority is 50
interface of the zone is (1):
Virtual-Template1
#
3、配置防火墙配置安全策略
总部防火墙安全策略配置
[FW1-policy-security]dis th
#
security-policy
rule name LOCAL_TO_ANY
source-zone local
action permit
rule name OUT_TO_IN
source-zone untrust
destination-zone trust
source-address 10.1.0.0 mask 255.255.0.0
destination-address 10.1.0.0 mask 255.255.0.0
action permit
rule name IN_TO_OUT
source-zone trust
destination-zone untrust
source-address 10.1.0.0 mask 255.255.0.0
destination-address 10.1.0.0 mask 255.255.0.0
action permit
rule name OUT_TO_LOCAL
source-zone untrust
destination-zone local
service protocol 50
service protocol udp destination-port 1701
service protocol udp destination-port 4500
service protocol udp destination-port 500
action permit
rule name DMZ_TO_IN
source-zone dmz
destination-zone trust
source-address 172.16.0.0 mask 255.255.0.0
destination-address 10.1.0.0 mask 255.255.0.0
action permit
#
分支点防火墙安全策略配置
[FW2-policy-security]dis th
#
security-policy
rule name LOCAL_TO_ANY
source-zone local
action permit
rule name IN_TO_OUT
source-zone trust
destination-zone untrust
source-address 10.1.0.0 mask 255.255.0.0
destination-address 10.1.0.0 mask 255.255.0.0
action permit
rule name OUT_TO_IN
source-zone untrust
destination-zone trust
source-address 10.1.0.0 mask 255.255.0.0
destination-address 10.1.0.0 mask 255.255.0.0
action permit
rule name OUT_TO_LOCAL
source-zone untrust
destination-zone local
service protocol 50
service protocol udp destination-port 4500
service protocol udp destination-port 500
action permit
#
4、路由配置
FW1:ip route-static 0.0.0.0 0.0.0.0 155.1.121.1
FW2:ip route-static 0.0.0.0 0.0.0.0 155.1.131.1
三、详细配置
1、总部IPsecVPN配置
acl number 3000
rule 5 permit ip source 10.1.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255
rule 10 permit udp destination-port eq 1701
#
ipsec proposal LAN_SET
encapsulation-mode auto
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ike proposal 10
encryption-algorithm 3des
dh group2
authentication-algorithm sha1
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer ALL
pre-shared-key HUAWEI
ike-proposal 10
#
ipsec policy-template DY_MAP 10
security acl 3000
ike-peer ALL
proposal LAN_SET
#
ipsec policy LAN_MAP 10 isakmp template DY_MAP
#
ip pool L2TP_POOL
section 0 172.16.12.101 172.16.12.110
#
2、分支点IPsecVPN配置
acl number 3000
rule 5 permit ip source 10.1.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255
#
ipsec proposal LAN_SET
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ike proposal 10
encryption-algorithm 3des
dh group2
authentication-algorithm sha1
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer FW1
pre-shared-key HUAWEI
ike-proposal 10
remote-address 155.1.121.12
#
ipsec policy LAN_MAP 10 isakmp
security acl 3000
ike-peer FW1
proposal LAN_SET
sa trigger-mode auto
#
3、总部VPN拨号:L2TP模式、虚拟接口、拨号用户
#
l2tp enable
l2tp-group default-lns
undo tunnel authentication
allow l2tp virtual-template 1 domain default
#
#
ip pool L2TP_POOL
section 0 172.16.12.101 172.16.12.110
#
#
interface Virtual-Template1
ppp authentication-mode chap
remote service-scheme LOCAL
ip address 172.16.12.12 255.255.255.0
#
aaa
service-scheme LOCAL
ip-pool L2TP_POOL
[FW1]user-manage user USER
[FW1-localuser-user]password Huawei@123
3、移动端VPN拨号配置
四、结果验证
1、站点到站点IPsecVPN
[FW2]dis ike sa
IKE SA information :
Conn-ID Peer VPN Flag(
s) Phase RemoteType RemoteID
--------------------------------------------------------------------------------
----------------------------------------------------
23 155.1.121.12:500 RD|ST
|A v2:2 IP 155.1.121.12
19 155.1.121.12:500 RD|ST
|A v2:1 IP 155.1.121.12
Number of IKE SA : 2
--------------------------------------------------------------------------------
----------------------------------------------------
PC>ping 10.1.12.10
Ping 10.1.12.10: 32 data bytes, Press Ctrl_C to break
From 10.1.12.10: bytes=32 seq=1 ttl=253 time=15 ms
From 10.1.12.10: bytes=32 seq=2 ttl=253 time=16 ms
2、移动站点L2TP over IPsecVPN
PS C:\Users\Administrator> ping 10.1.12.10
正在 Ping 10.1.12.10 具有 32 字节的数据:
来自 10.1.12.10 的回复: 字节=32 时间=9ms TTL=254
来自 10.1.12.10 的回复: 字节=32 时间=8ms TTL=254
PS C:\Users\Administrator> route print
IPv4 路由表
===========================================================================
活动路由:
网络目标 网络掩码 网关 接口 跃点数
0.0.0.0 0.0.0.0 155.1.2.100 155.1.2.10 4506
0.0.0.0 0.0.0.0 在链路上 172.16.12.102 2
127.0.0.0 255.0.0.0 在链路上 127.0.0.1 455
127.0.0.1 255.255.255.255 在链路上 127.0.0.1 455
127.255.255.255 255.255.255.255 在链路上 127.0.0.1 455
155.1.2.0 255.255.255.0 在链路上 155.1.2.10 450
155.1.2.10 255.255.255.255 在链路上 155.1.2.10 450
155.1.2.255 255.255.255.255 在链路上 155.1.2.10 450
155.1.121.12 255.255.255.255 155.1.2.100 155.1.2.10 4251
172.16.12.102 255.255.255.255 在链路上 172.16.12.102 28
224.0.0.0 240.0.0.0 在链路上 127.0.0.1 455
224.0.0.0 240.0.0.0 在链路上 155.1.2.10 450
224.0.0.0 240.0.0.0 在链路上 172.16.12.102 2
255.255.255.255 255.255.255.255 在链路上 127.0.0.1 455
255.255.255.255 255.255.255.255 在链路上 155.1.2.10 450
255.255.255.255 255.255.255.255 在链路上 172.16.12.102 28
===========================================================================
3、总部防火墙IPsecVPN建立情况
[FW1]dis ike sa
IKE SA information :
Conn-ID Peer VPN Flag(
s) Phase RemoteType RemoteID
--------------------------------------------------------------------------------
----------------------------------------------------
9 155.1.2.10:500 RD|A
v1:2 IP 155.1.2.10
8 155.1.2.10:500 RD|A
v1:1 IP 155.1.2.10
7 155.1.131.13:500 RD|A
v2:2 IP 155.1.131.13
1 155.1.131.13:500 RD|A
v2:1 IP 155.1.131.13
Number of IKE SA : 4
--------------------------------------------------------------------------------
----------------------------------------------------
