Router VPN: how branch-office users reach headquarters over L2TP

I previously wrote an article on how VPNs work, but it only gave a general overview. Recently I promised readers some articles on routing. There are many kinds of VPN; today I share one way to implement an L2TP VPN.

The L2TP-related configuration of RouterA, the egress router at headquarters (the LNS side of the tunnel), is as follows. Note: wherever the dial-in accounts appear below, the page's extraction has replaced the real account names with "[email protected]"; they are the branch users' accounts in the form name@aaa.com and name@bbb.com, and it is the domain part of the name that selects the L2TP group on RouterB.

<Huawei>sys

Enter system view, return user view with Ctrl+Z.

[Huawei]sysn RouterA

[RouterA]l2tp enable // enable L2TP

[RouterA]ip pool 1 // create IP address pool 1, used to assign addresses to branch A users who dial in to headquarters over L2TP

Info: Its successful to create an IP address pool.

[RouterA-ip-pool-1]gateway-list 10.1.1.1 // gateway

[RouterA-ip-pool-1]network 10.1.1.0 mask 255.255.255.0 // pool 10.1.1.0/24; users are assigned 10.1.1.2 to 10.1.1.254, since 10.1.1.1 is the gateway

[RouterA-ip-pool-1]q

[RouterA]ip pool 2

Info: Its successful to create an IP address pool.

[RouterA-ip-pool-2]gateway-list 10.2.1.1

[RouterA-ip-pool-2]network 10.2.1.0 mask 255.255.255.0

[RouterA-ip-pool-2]q

[RouterA]aaa

[RouterA-aaa]local-user [email protected] password cipher KBxiaowangguan

Info: Add a new user. // create the user and password; they must match the user and password on RouterB

[RouterA-aaa]local-user [email protected] privilege level 0 // privilege level 0 (visit level), the lowest management level: this account is only for PPP access, not for managing the router

[RouterA-aaa]local-user [email protected] service-type ppp // service type PPP: the account authenticates the branch user's PPP session, which reaches the LNS inside the L2TP tunnel

[RouterA-aaa]local-user [email protected] password cipher KBxiaowangguan

Info: Add a new user.

[RouterA-aaa]local-user [email protected] privilege le 0

[RouterA-aaa]local-user [email protected] service-type ppp

[RouterA-aaa]q

[RouterA]int Virtual-Template 1 // create virtual interface template VT1

Sep 12 2018 00:01:19-08:00 RouterA %%01IFPDT/4/IF_STATE(l)[0]:Interface Virtual-Template1 has turned into UP state.

[RouterA-Virtual-Template1]ppp authentication-mode chap // authenticate dial-in users with CHAP

[RouterA-Virtual-Template1]remote address pool 1 // bind address pool 1: once PPP authentication succeeds, the user is assigned an address from it

[RouterA-Virtual-Template1]ip address 10.1.1.1 255.255.255.0

[RouterA-Virtual-Template1]q

[RouterA]int Virtual-Template 2 // create virtual interface template VT2

Sep 12 2018 00:02:26-08:00 RouterA %%01IFPDT/4/IF_STATE(l)[1]:Interface Virtual-Template2 has turned into UP state.

[RouterA-Virtual-Template2]ppp authentication-mode chap

[RouterA-Virtual-Template2]remote address pool 2

[RouterA-Virtual-Template2]ip address 10.2.1.1 255.255.255.0

[RouterA-Virtual-Template2]q

[RouterA]int g0/0/0

[RouterA-GigabitEthernet0/0/0]ip address 202.1.1.1 255.255.255.0

Sep 12 2018 00:04:00-08:00 RouterA %%01IFNET/4/LINK_STATE(l)[2]:The line protocol IP on the interface GigabitEthernet0/0/0 has entered the UP state.

[RouterA-GigabitEthernet0/0/0]q

[RouterA]int g0/0/1

[RouterA-GigabitEthernet0/0/1]ip address 10.3.1.1 255.255.255.0

Sep 12 2018 00:04:18-08:00 RouterA %%01IFNET/4/LINK_STATE(l)[3]:The line protocol IP on the interface GigabitEthernet0/0/1 has entered the UP state.

[RouterA-GigabitEthernet0/0/1]q

[RouterA]l2tp-group 1

[RouterA-l2tp1]allow l2tp virtual-template 1 remote ? // if you forget a command or are unsure of its syntax, use "?" to list the options

STRING<1-30> LAC name of the L2TP tunnel

[RouterA-l2tp1]allow l2tp virtual-template 1 remote lac1 // accept an L2TP tunnel from the peer whose tunnel name is lac1, applying VT1's parameters to its sessions

[RouterA-l2tp1]tunnel password cipher woyaoyuanchuang

[RouterA-l2tp1]tunnel name lns

[RouterA-l2tp1]q

[RouterA]l2tp-group 2

[RouterA-l2tp2]allow l2tp virtual-template 2 remote lac2 // accept an L2TP tunnel from the peer whose tunnel name is lac2, applying VT2's parameters to its sessions

[RouterA-l2tp2]tunnel password cipher woyaoyuanchuang

[RouterA-l2tp2]tunnel name lns

[RouterA-l2tp2]q

The L2TP-related configuration of RouterB, the router in the building that houses the branch offices (the LAC side of the tunnel), is as follows:

<Huawei>SYS

Enter system view, return user view with Ctrl+Z.

[Huawei]SYS RouterB

[RouterB]l2tp enable

[RouterB]aaa

[RouterB-aaa]authentication-scheme ?

STRING<1-32> Scheme name, can not include invalid character \ / : < > | @ % * " ?

[RouterB-aaa]authentication-scheme ToGroup // the authentication scheme is named ToGroup

Info: Create a new authentication scheme.

[RouterB-aaa-authen-ToGroup]domain aaa.com // create domain aaa.com; note that ToGroup is never applied inside the domain (no "authentication-scheme ToGroup" in domain view), so both domains keep the default scheme, which is also local authentication

Info: Success to create a new domain.

[RouterB-aaa-domain-aaa.com]q

[RouterB-aaa]authentication-scheme ToGroup

[RouterB-aaa-authen-ToGroup]domain bbb.com

Info: Success to create a new domain.

[RouterB-aaa-domain-bbb.com]q

[RouterB-aaa]dis authentication-scheme

-------------------------------------------------------------------

Authentication-scheme-name Authentication-method

-------------------------------------------------------------------

default Local

ToGroup Local

-------------------------------------------------------------------

Total of authentication scheme: 2

[RouterB-aaa]dis domain

-------------------------------------------------------------------------

index DomainName

-------------------------------------------------------------------------

0 default

1 default_admin

2 aaa.com

3 bbb.com

-------------------------------------------------------------------------

Total: 4

[RouterB-aaa]local-user [email protected] password cipher KBxiaowangguan

Info: Add a new user. // configure the PPPoE server's local account name and service type, used to authenticate dial-in users

[RouterB-aaa]local-user [email protected] privilege level 0

[RouterB-aaa]local-user [email protected] service-type ? // again, use "?" to check the command usage

8021x 802.1x user

bind Bind authentication user

ftp FTP user

http Http user

ppp PPP user

ssh SSH user

sslvpn Sslvpn user

telnet Telnet user

terminal Terminal user

web Web authentication user

x25-pad X25-pad user

[RouterB-aaa]local-user [email protected] service-type ppp

[RouterB-aaa]local-user [email protected] password cipher KBxiaowangguan

Info: Add a new user.

[RouterB-aaa]local-user [email protected] privilege level 0

[RouterB-aaa]local-user [email protected] service-type ppp

[RouterB-aaa]q

[RouterB]int Virtual-Template ?

<0-1023> Virtual template interface number

[RouterB]int Virtual-Template 1 // create virtual interface template VT1; on the LAC it needs no IP address or address pool, because the LNS assigns the user's address

Sep 11 2018 23:50:37-08:00 RouterB %%01IFPDT/4/IF_STATE(l)[0]:Interface Virtual-Template1 has turned into UP state.

[RouterB-Virtual-Template1]ppp authentication-mode ?

chap Enable CHAP authentication

pap Enable PAP authentication

[RouterB-Virtual-Template1]ppp authentication-mode chap // authenticate dial-in users with CHAP

[RouterB-Virtual-Template1]q

[RouterB]int g0/0/0

[RouterB-GigabitEthernet0/0/0]ip address 202.1.1.2 255.255.255.0

Sep 11 2018 23:51:43-08:00 RouterB %%01IFNET/4/LINK_STATE(l)[1]:The line protocol IP on the interface GigabitEthernet0/0/0 has entered the UP state.

[RouterB-GigabitEthernet0/0/0]q

[RouterB]int g2/0/0

[RouterB-GigabitEthernet2/0/0]pppoe-server ?

bind Bind virtual-template interface

[RouterB-GigabitEthernet2/0/0]pppoe-server bind virtual-template 1 // enable the PPPoE server on this interface, applying VT1's parameters to authenticate dial-in users

[RouterB-GigabitEthernet2/0/0]int g0/0/1

[RouterB-GigabitEthernet0/0/1]pppoe-server bind virtual-template 1

[RouterB-GigabitEthernet0/0/1]q

[RouterB]l2tp-group 1 // create L2TP group 1, which holds the parameters for establishing the L2TP tunnel

[RouterB-l2tp1]tunnel password cipher woyaoyuanchuang // tunnel authentication is enabled by default; set the tunnel password (stored encrypted) to "woyaoyuanchuang", pinyin for 我要原创, the same as on the peer

[RouterB-l2tp1]tunnel name lac1 // this end's tunnel name is lac1; the peer LNS identifies the tunnel by it, so it must match the "remote" name in the LNS's allow l2tp command

[RouterB-l2tp1]start l2tp ip 202.1.1.1 domain aaa.com // for dial-in users whose username domain is aaa.com, initiate an L2TP tunnel to the peer at 202.1.1.1

[RouterB-l2tp1]q

[RouterB]l2tp-group 2

[RouterB-l2tp2]tunnel password cipher woyaoyuanchuang

[RouterB-l2tp2]tunnel name lac2

[RouterB-l2tp2]start l2tp ip 202.1.1.1 domain bbb.com

[RouterB-l2tp2]q
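The two authentications this setup relies on are easy to confuse: the tunnel password (tunnel password cipher, checked during SCCRQ/SCCRP/SCCCN per RFC 2661) authenticates RouterB to RouterA and back, while CHAP (ppp authentication-mode chap, RFC 1994) authenticates the dial-in user against the local-user table. The following Python is an added example written for this page, not code from the article or from Huawei: it computes both sides of each exchange with the article's secrets. The account names branch@aaa.com and branch@bbb.com are placeholders for the names the page's extraction lost, and the challenges are constructed, not captured.

```python
"""Both ends of L2TP tunnel authentication and of PPP CHAP.

Added example; not from the article or Huawei. Account names are placeholders.
"""
import hashlib
import hmac
import os

# RFC 2661 5.1.1: the Challenge Response in SCCRP / SCCCN is
# MD5(message-type octet || shared secret || peer's challenge); the
# message type (2 = SCCRP, 3 = SCCCN) plays the role of the CHAP identifier.
SCCRP = 2
SCCCN = 3


def l2tp_tunnel_response(msg_type: int, secret: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


def l2tp_tunnel_handshake(lac_secret: bytes, lns_secret: bytes, rng=os.urandom) -> bool:
    """Simulate SCCRQ -> SCCRP -> SCCCN between a LAC and an LNS that each hold
    their own configured tunnel password. True only if both sides accept."""
    lac_challenge = rng(16)                      # Challenge AVP in SCCRQ (LAC -> LNS)
    lns_challenge = rng(16)                      # Challenge AVP in SCCRP (LNS -> LAC)
    # The LNS answers the LAC's challenge in SCCRP ...
    lns_response = l2tp_tunnel_response(SCCRP, lns_secret, lac_challenge)
    # ... and the LAC compares it with what its own secret predicts.
    if not hmac.compare_digest(l2tp_tunnel_response(SCCRP, lac_secret, lac_challenge), lns_response):
        return False                             # peer has a different tunnel password
    # The LAC answers the LNS's challenge in SCCCN; the LNS verifies the same way.
    lac_response = l2tp_tunnel_response(SCCCN, lac_secret, lns_challenge)
    return hmac.compare_digest(l2tp_tunnel_response(SCCCN, lns_secret, lns_challenge), lac_response)


# RFC 1994 CHAP: the peer proves it knows the password without sending it.
# Response = MD5(identifier || secret || challenge).
def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_authenticate(users: dict, name: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: what the local-user table on the LNS is consulted for."""
    secret = users.get(name)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


# Placeholder account names; passwords and tunnel password are the article's.
LNS_USERS = {"branch@aaa.com": b"KBxiaowangguan", "branch@bbb.com": b"KBxiaowangguan"}
TUNNEL_PASSWORD = b"woyaoyuanchuang"

if __name__ == "__main__":
    print("tunnel up:", l2tp_tunnel_handshake(TUNNEL_PASSWORD, TUNNEL_PASSWORD))
    print("tunnel up with mismatched passwords:",
          l2tp_tunnel_handshake(TUNNEL_PASSWORD, b"something-else"))
    ch = os.urandom(16)
    resp = chap_response(7, b"KBxiaowangguan", ch)
    print("user accepted:", chap_authenticate(LNS_USERS, "branch@aaa.com", 7, ch, resp))
```

Neither exchange derives a key: after both succeed, the PPP frames travel inside L2TP over 202.1.1.0/24 exactly as the user sent them, so a mismatched tunnel password shows up as a tunnel that never comes up, not as a security failure, and a correct one does not hide anything on the wire.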

Once this is configured, PC1 and PC2 can dial in with the operating system's built-in new dial-up (broadband/PPPoE) connection wizard.

Branch A: PC1

Branch B: PC2

Take PC1 in branch A as an example. After the dial-up succeeds it should be assigned 10.1.1.2/24 (the first address in pool 1 after the gateway 10.1.1.1) and should be able to ping PC3 at headquarters.
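Most failed first dial-ups in a setup like this come from the two routers disagreeing on a name, a secret or a domain. As an added example (not code from the article or from Huawei), the following Python checks a LAC configuration against an LNS configuration for the things that must agree: the LAC's tunnel name must appear as the "remote" of an "allow l2tp" group on the LNS, the tunnel passwords of that pair must match, the "start l2tp ip" must be an LNS interface address, and every domain the LAC tunnels must have a local-user on the LNS. The two configs are reconstructed from the RouterA and RouterB sessions above; the local-user names are placeholders, since the page's extraction replaced the real account names.

```python
"""Consistency check of LAC (RouterB) and LNS (RouterA) L2TP settings.

Added example; not from the article or Huawei. Configs reconstructed from the
article; account names are placeholders.
"""
import re

LNS_CONFIG = """\
l2tp enable
aaa
 local-user branch@aaa.com password cipher KBxiaowangguan
 local-user branch@aaa.com service-type ppp
 local-user branch@bbb.com password cipher KBxiaowangguan
 local-user branch@bbb.com service-type ppp
interface GigabitEthernet0/0/0
 ip address 202.1.1.1 255.255.255.0
l2tp-group 1
 allow l2tp virtual-template 1 remote lac1
 tunnel password cipher woyaoyuanchuang
 tunnel name lns
l2tp-group 2
 allow l2tp virtual-template 2 remote lac2
 tunnel password cipher woyaoyuanchuang
 tunnel name lns
"""

LAC_CONFIG = """\
l2tp enable
l2tp-group 1
 tunnel password cipher woyaoyuanchuang
 tunnel name lac1
 start l2tp ip 202.1.1.1 domain aaa.com
l2tp-group 2
 tunnel password cipher woyaoyuanchuang
 tunnel name lac2
 start l2tp ip 202.1.1.1 domain bbb.com
"""

# The same LAC config with the second group's tunnel password mistyped (constructed).
BROKEN_LAC_CONFIG = LAC_CONFIG.replace(
    "woyaoyuanchuang\n tunnel name lac2", "woyaoyuanchuan\n tunnel name lac2")


def parse_l2tp_groups(config: str) -> dict:
    """Return {group number: settings} for every l2tp-group block in a VRP config."""
    groups, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"l2tp-group (\d+)", line):
            current = groups.setdefault(int(m.group(1)), {})
        elif current is None:
            continue                             # not inside an l2tp-group yet
        elif m := re.match(r"allow l2tp virtual-template (\d+) remote (\S+)", line):
            current["vt"], current["remote"] = int(m.group(1)), m.group(2)
        elif m := re.match(r"tunnel password cipher (\S+)", line):
            current["password"] = m.group(1)
        elif m := re.match(r"tunnel name (\S+)", line):
            current["name"] = m.group(1)
        elif m := re.match(r"start l2tp ip (\S+) domain (\S+)", line):
            current["lns_ip"], current["domain"] = m.group(1), m.group(2)
    return groups


def local_user_domains(config: str) -> set:
    """Domain suffixes of the local-user accounts (user@domain)."""
    return set(re.findall(r"local-user \S+@(\S+) password", config))


def interface_addresses(config: str) -> set:
    return set(re.findall(r"^\s*ip address (\S+) \S+", config, flags=re.M))


def check_pair(lns_config: str, lac_config: str) -> list:
    """One finding per mismatch that would stop a tunnel or session coming up."""
    findings = []
    lns_by_remote = {g["remote"]: g for g in parse_l2tp_groups(lns_config).values() if "remote" in g}
    lns_ips, lns_domains = interface_addresses(lns_config), local_user_domains(lns_config)
    for gid, lac in parse_l2tp_groups(lac_config).items():
        name = lac.get("name")
        peer = lns_by_remote.get(name)
        if peer is None:
            findings.append(f"LAC group {gid}: LNS has no 'allow l2tp ... remote {name}'")
            continue
        if lac.get("password") != peer.get("password"):
            findings.append(f"LAC group {gid}: tunnel password differs from LNS group for {name}")
        if lac.get("lns_ip") not in lns_ips:
            findings.append(f"LAC group {gid}: start l2tp ip {lac.get('lns_ip')} is not an LNS address")
        if lac.get("domain") not in lns_domains:
            findings.append(f"LAC group {gid}: LNS has no local-user in domain {lac.get('domain')}")
    return findings


if __name__ == "__main__":
    print("article config:", check_pair(LNS_CONFIG, LAC_CONFIG) or "OK")
    print("mistyped password:", check_pair(LNS_CONFIG, BROKEN_LAC_CONFIG))
```

Run it against the output of "display current-configuration" from both routers; the checker only reads the commands shown in this article, so anything the LNS's "tunnel name lns" or a mandatory-chap setting would affect is outside what it verifies.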

Summary: there are several VPN technologies, each very practical in the right environment, and they have saved countless leased-line and fibre installation costs. What I shared today is L2TP, which on its own is relatively low security: the tunnel password and CHAP only authenticate the tunnel endpoints and the dial-in user, and the PPP traffic inside the tunnel crosses the 202.1.1.0/24 link without encryption or integrity protection, so confidentiality has to come from something layered on top, typically IPsec. Please follow KB小网管, which shares one practical IT article every day.