L2TP Lab
1. Topology diagram
2. Interface and zone configuration
[FW1]firewall zone trust
[FW1-zone-trust]add int g 1/0/0
[FW1]security-policy
[FW1-policy-security]default action permit
[FW2]int g 1/0/1
[FW2-GigabitEthernet1/0/1]ip add 20.1.1.1 24
[FW2]firewall zone trust
[FW2-zone-trust]add int g 1/0/0
[FW2]firewall zone untrust
[FW2-zone-untrust]add int g 1/0/1
[FW3]int g 1/0/0
[FW3-GigabitEthernet1/0/0]ip add 20.1.1.2 24
[FW3]int g 1/0/1
[FW3-GigabitEthernet1/0/1]ip add 192.168.1.254 24
[FW3]firewall zone trust
[FW3-zone-trust]add int g 1/0/1
[FW3]firewall zone untrust
[FW3-zone-untrust]add int g 1/0/0
3. Establish the PPPoE connection and configure the dialer interface
[FW1]interface Dialer 1
[FW1-Dialer1]dialer user user1 ---set the user name
[FW1-Dialer1]dialer-group 1 ---dialer group
[FW1-Dialer1]dialer bundle 1 ---dialer bundle
[FW1-Dialer1]ip address ppp-negotiate ---set the IP address to be assigned by the PPP peer; the peer assigns it through IPCP, the protocol used in PPP's NCP negotiation phase
[FW1-Dialer1]ppp chap user user1
[FW1-Dialer1]ppp chap password cipher Password123
[FW1]dialer-rule 1 ip permit ---configure the dialer access control list to let all IPv4 packets through the dialer interface; the number 1 must match the dialer-group number.
[FW1]int g 1/0/0
[FW1-GigabitEthernet1/0/0]pppoe-client dial-bundle-number 1 ---start the PPPoE client on the physical interface and bind it to dialer bundle number 1
[FW2]interface Virtual-Template 1
[FW2-Virtual-Template1]ppp authentication-mode chap
[FW2-Virtual-Template1]ip address 2.2.2.2 24 ---any address will do; it is only there to bring the interface up (both physical and protocol status)
[FW2]firewall zone dmz
[FW2-zone-dmz]add int Virtual-Template 1
[FW2]int g 1/0/0
[FW2-GigabitEthernet1/0/0]pppoe-server bind virtual-template 1 ---bind the VT interface to the physical interface
[FW2]aaa
[FW2-aaa]domain default
[FW2-aaa-domain-default]service-type l2tp
[FW2]user-manage user user1 domain default
[FW2-localuser-user1]password Password123
4. Establish the L2TP tunnel
[FW2]l2tp enable
[FW2]l2tp-group 1
[FW2-l2tp-1]tunnel authentication
[FW2-l2tp-1]tunnel password cipher Hello123
[FW2-l2tp-1]tunnel name lac ---tunnel name
[FW2-l2tp-1]start l2tp ip 20.1.1.2 fullusername user1 ---set LAC mode, the LNS address, and the user-name matching method to "full user name" (fullusername), and specify the user name
5. LNS configuration
[FW3]ip pool l2tp
Info: It is successful to create an IP address pool.
[FW3-ip-pool-l2tp]section 0 172.16.0.2 172.16.0.100
[FW3]aaa
[FW3-aaa]service-scheme l2tp
Info: Create a new service scheme.
[FW3-aaa-service-l2tp]ip-pool l2tp
[FW3-aaa]domain default
Info: The domain default is for common users.
[FW3-aaa-domain-default]service-type l2tp
[FW3-aaa]q
[FW3]user-manage user user1 domain default
[FW3-localuser-user1]password Password123
[FW3]interface Virtual-Template1
[FW3-Virtual-Template1]ppp authentication-mode chap
[FW3-Virtual-Template1]ip add 172.16.0.1 24
[FW3-Virtual-Template1]remote service-scheme l2tp
[FW3-Virtual-Template1]q
[FW3]firewall zone dmz
[FW3-zone-dmz]add int Virtual-Template 1
[FW3]l2tp enable
[FW3]l2tp-group 1
[FW3-l2tp-1]allow l2tp virtual-template 1 remote lac domain default
[FW3-l2tp-1]tunnel authentication
[FW3-l2tp-1]tunnel password cipher Hello123
6. Modify the LAC and LNS policies
[FW3]l2tp-group 1
[FW3-l2tp-1]mandatory-chap
[FW3-l2tp-1]mandatory-lcp
[FW1]ip route-static 0.0.0.0 0 Dialer 1
[FW1]firewall zone dmz
[FW1-zone-dmz]add int Dialer 1
7. Configure security policies
[FW2]security-policy
[FW2-policy-security]rule name local-untrust
[FW2-policy-security-rule-local-untrust]source-zone local
[FW2-policy-security-rule-local-untrust]destination-zone untrust
[FW2-policy-security-rule-local-untrust]source-address 20.1.1.1 32
[FW2-policy-security-rule-local-untrust]destination-address 20.1.1.2 32
[FW2-policy-security-rule-local-untrust]service l2tp
[FW2-policy-security-rule-local-untrust]service protocol udp source-port 0 to 5335 destination-port 1701
[FW3]security-policy
[FW3-policy-security]rule name untrust-local
[FW3-policy-security-rule-untrust-local]source-zone untrust
[FW3-policy-security-rule-untrust-local]destination-zone local
[FW3-policy-security-rule-untrust-local]source-address 20.1.1.1 32
[FW3-policy-security-rule-untrust-local]destination-address 20.1.1.2 32
[FW3-policy-security-rule-untrust-local]service l2tp
[FW3-policy-security-rule-untrust-local]service protocol udp destination-port 1701
[FW3-policy-security-rule-untrust-local]action permit
[FW3-policy-security-rule-untrust-local]rule name icmp
[FW3-policy-security-rule-icmp]source-zone trust
[FW3-policy-security-rule-icmp]destination-zone local
[FW3-policy-security-rule-icmp]source-address 192.168.0.20 32
[FW3-policy-security-rule-icmp]destination-address 192.168.0.3 32
[FW3-policy-security-rule-icmp]action permit
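A check on the security policies above, as an added example (Python, not part of the lab and not Huawei's tooling): a small simulator of rule matching, run over the FW2 local-untrust rule exactly as typed, so you can see whether the LAC's tunnel packets (UDP 20.1.1.1 -> 20.1.1.2, port 1701) are let through. It assumes first-match semantics, that a rule with no explicit "action" line denies, and that unmatched traffic gets the policy default (deny unless "default action permit" was configured, as on FW1).

```python
import ipaddress
import re

# Constructed input, added example (not the lab's own config): the FW2 local->untrust
# rule exactly as the lab types it. Note that it has no "action" line.
FW2_RULE = """rule name local-untrust
source-zone local
destination-zone untrust
source-address 20.1.1.1 32
destination-address 20.1.1.2 32
service l2tp
service protocol udp source-port 0 to 5335 destination-port 1701"""

PREDEFINED = {"l2tp": ("udp", 0, 65535, 1701)}  # proto, sport low, sport high, dport


def parse_rule(text):
    """Parse one rule view; a rule with no explicit action is assumed to deny."""
    rule = {"services": [], "action": "deny"}
    for line in text.strip().splitlines():
        words = line.split()
        if words[0] in ("source-zone", "destination-zone"):
            rule[words[0]] = words[1]
        elif words[0] in ("source-address", "destination-address"):
            rule[words[0]] = ipaddress.ip_network(f"{words[1]}/{words[2]}")
        elif words[:2] == ["service", "protocol"]:
            m = re.search(r"(udp|tcp)(?: source-port (\d+) to (\d+))? destination-port (\d+)", line)
            rule["services"].append((m[1], int(m[2] or 0), int(m[3] or 65535), int(m[4])))
        elif words[0] == "service":
            rule["services"].append(PREDEFINED[words[1]])
        elif words[0] == "action":
            rule["action"] = words[1]
    return rule


def decide(rules, pkt, default="deny"):
    """pkt = (src_zone, dst_zone, src_ip, dst_ip, proto, sport, dport); first match wins, else policy default."""
    sz, dz, sip, dip, proto, sport, dport = pkt
    for rule in rules:
        if (sz, dz) != (rule["source-zone"], rule["destination-zone"]):
            continue
        if ipaddress.ip_address(sip) not in rule["source-address"] or ipaddress.ip_address(dip) not in rule["destination-address"]:
            continue
        # several "service" lines inside one rule are ORed together
        if any(p == proto and lo <= sport <= hi and dport == d for p, lo, hi, d in rule["services"]):
            return rule["action"]
    return default


def check_fw2():
    # LAC tunnel traffic from the firewall itself (local zone): UDP 20.1.1.1:1701 -> 20.1.1.2:1701
    pkt = ("local", "untrust", "20.1.1.1", "20.1.1.2", "udp", 1701, 1701)
    return {"as_typed": decide([parse_rule(FW2_RULE)], pkt),
            "with_action_permit": decide([parse_rule(FW2_RULE + "\naction permit")], pkt)}
```

Under these assumptions the FW2 rule as typed matches the tunnel packet but does not permit it; adding "action permit" to the rule, as the FW3 rule has, is what lets the tunnel come up.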