Details as shown in the figure: the PC is the branch-office computer and reaches the ISP through a router; headquarters has a single firewall configured for L2TP over IPsec. The requirement is for the PC to dial into headquarters through the iNode client and exchange traffic with the servers there. The attachment is my original configuration; the same configuration also works for the built-in Windows VPN client and for mobile-phone VPN clients.

The full configuration follows:
version 7.1.064, Release 9510P05
#
sysname H3C
#
context Admin id 1
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 2 priority 1
#
ip pool pool 10.1.1.2 10.1.1.10 (address pool for the virtual template, i.e. the addresses handed to dial-in users)
#
dialer-group 1 rule ip permit
#
ip unreachables enable
ip ttl-expires enable
#
password-recovery enable
#
vlan 1
#
interface Virtual-Template1
ppp authentication-mode pap
remote address pool pool
ip address 10.1.1.1 255.255.255.0
#
object-policy ip 1
rule 0 pass
#
security-zone name Local
#
security-zone name Trust (assign interfaces to the security zone)
import interface GigabitEthernet2/0/4
import interface Virtual-Template1
#
security-zone name DMZ
#
security-zone name Untrust (assign interfaces to the security zone)
import interface GigabitEthernet2/0/3 (port 3 is the WAN interface connected to the ISP)
#
security-zone name Management (assign interfaces to the security zone)
import interface GigabitEthernet2/0/0
import interface GigabitEthernet2/0/2
#
zone-pair security source Any destination Any (security policy)
object-policy apply ip 1
#
zone-pair security source Any destination Local (security policy)
object-policy apply ip 1
#
zone-pair security source Local destination Any (security policy)
object-policy apply ip 1
#
zone-pair security source Trust destination Trust (security policy)
object-policy apply ip 1
#
zone-pair security source Trust destination Untrust (security policy)
object-policy apply ip 1
#
zone-pair security source Untrust destination Trust (security policy)
object-policy apply ip 1
#
local-user 1 class network (create the PPP user: username 1, password 1)
password cipher $c$3$Slq/njg/1L0tpkyLJTxtoEW3VsM=
service-type ppp
authorization-attribute user-role network-operator
#
#
ipsec transform-set 1 (IPsec transform-set parameters)
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
#
ipsec transform-set 2 (IPsec transform-set parameters)
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec transform-set 3 (IPsec transform-set parameters)
esp encryption-algorithm aes-cbc-256
esp authentication-algorithm sha1
#
ipsec transform-set 4
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec transform-set 5
esp encryption-algorithm 3des-cbc
esp authentication-algorithm sha1
#
ipsec transform-set 6
esp encryption-algorithm aes-cbc-192
esp authentication-algorithm sha1
#
ipsec policy-template 1 1 (create the IPsec policy template and bind the transform sets to it)
transform-set 1 2 3 4 5 6
ike-profile 1
#
ipsec policy 1 1 isakmp template 1 (bind IPsec policy 1 to template 1)
#
l2tp-group 1 mode lns (L2TP parameters; this end is named lns)
allow l2tp virtual-template 1
undo tunnel authentication
tunnel name lns
#
l2tp enable
#
ike identity fqdn 123 (set the local IKE FQDN to 123)
#
#
ike profile 1
keychain 1
exchange-mode aggressive
local-identity fqdn 123
match remote identity address 0.0.0.0 0.0.0.0 (accept remote peers from any IP address)
match remote identity fqdn 456 (the peer's FQDN is 456)
proposal 1 2 3 4 5 6 (bind the IKE proposals)
#
ike proposal 1
encryption-algorithm aes-cbc-128
dh group2
authentication-algorithm md5
#
ike proposal 2
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
#
ike proposal 3
encryption-algorithm 3des-cbc
dh group2
#
ike proposal 4
encryption-algorithm aes-cbc-256
dh group2
#
ike proposal 5
dh group2
#
ike proposal 6
encryption-algorithm aes-cbc-192
dh group2
#
ike keychain 1
pre-shared-key hostname 456 key cipher $c$3$7ingFDpILKQhQ8DxrvyuG6m2AyO2K1nW9Q== (the IKE pre-shared key is aabbcc)
#
ip https enable
webui log enable
#
interface GigabitEthernet2/0/3
port link-mode route
ipsec apply policy 1
(configure the public IP address here)
nat outbound (NAT)
#
ip route-static 0.0.0.0 0 <public-gateway> (default route)
#
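As an added defender-side check (not part of the original post or of H3C's own tooling), the following Python script splits a Comware-style configuration into its "#"-delimited sections and flags the settings in the configuration above that a reviewer would question: DES/3DES, MD5, DH group 2, an IKE proposal with no explicit cipher, IKE aggressive mode, and disabled L2TP tunnel authentication. The embedded configuration excerpt is constructed from the post's values, not a device dump.

```python
import re

# Constructed excerpt modelled on the post's configuration (not a device dump).
SAMPLE_CONFIG = """\
ipsec transform-set 1
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5
#
ipsec transform-set 3
 esp encryption-algorithm aes-cbc-256
 esp authentication-algorithm sha1
#
ike profile 1
 exchange-mode aggressive
#
ike proposal 5
 dh group2
#
l2tp-group 1 mode lns
 undo tunnel authentication
#
"""

WEAK_ALGS = {"des-cbc", "3des-cbc", "md5", "group1", "group2"}

def sections(config):
    """Split a Comware-style config into (header, body lines) blocks delimited by '#' lines."""
    blocks = []
    for chunk in re.split(r"^#.*$", config, flags=re.M):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        if lines:
            blocks.append((lines[0], lines[1:]))
    return blocks

def audit(config):
    """Return (section header, finding) pairs for weak L2TP/IPsec settings."""
    findings = []
    for header, body in sections(config):
        words = {w for line in body for w in line.split()}
        if header.startswith(("ipsec transform-set", "ike proposal")):
            for alg in sorted(words & WEAK_ALGS):
                findings.append((header, f"weak algorithm {alg}"))
        if header.startswith("ike proposal") and not any(
                line.startswith("encryption-algorithm") for line in body):
            findings.append((header, "no encryption-algorithm; device default applies"))
        if header.startswith("ike profile") and "exchange-mode aggressive" in body:
            findings.append((header, "aggressive mode weakens pre-shared-key protection"))
        if header.startswith("l2tp-group") and "undo tunnel authentication" in body:
            findings.append((header, "L2TP tunnel authentication disabled"))
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports six findings; the AES-256/SHA1 transform set is the only section that passes clean.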
iNode configuration
(Enter the username and password, both 1, then click Properties)

The LNS server is the IP address of the firewall's WAN interface
The pre-shared key is aabbcc

Click Advanced

In the IKE section you must enter the gateway name, which is the FQDN

Systems actually tested: XP SP3, Win7 64-bit, Windows Server 2003, Windows Server 2008 R2 Standard and Windows Server 2012 Standard all showed no software compatibility problems, so branch PCs are advised to use one of these systems. Some Windows 10 builds have compatibility problems that can prevent PPP from establishing a session, even though the IKE SA and IPsec SA are both fine in that case.