
王子腾: Typical configuration of L2TP over IPsec between a V7 MSR router and a V7 F1000 firewall

Tech Q&A, posted 2023-02-16 (Unix timestamp 1676540634)

Network setup and description

The firewall is the headquarters (HQ) internet egress, and the MSR router is the branch egress that dials up to the internet. The two devices establish an L2TP over IPsec tunnel across the public network so that the HQ and branch private networks can reach each other.

Configuration steps

The router acts as the LAC; the key configuration is as follows:

#
 dialer-group 1 rule ip permit
#
apn-profile profile69
 apn dynamic
#
controller Cellular1/0
 description Multiple_Line1-OTHER
 eth-channel 0
#
interface Virtual-PPP1
 ppp pap local-user 1 password cipher $c$3$x0r+TQIoJ9wZVbtdmucB3BAfjJMfHL0=
 ip address 10.0.0.5 255.255.255.252
 l2tp-auto-client l2tp-group 1
#
interface LoopBack0
 ip address 10.0.0.1 255.255.255.255
#
interface Vlan-interface1
 description LAN-interface
 ip address 191.167.0.1 255.255.254.0
 tcp mss 1280
#
interface GigabitEthernet0/0
 port link-mode route
 pppoe-server bind virtual-template 1
#
interface Eth-channel1/0:0
 dialer circular enable
 dialer-group 1
 dialer timer idle 0
 dialer timer wait-carrier 10
 dialer timer autodial 5
 dialer number *99# autodial
 ip address cellular-alloc
 tcp mss 1280
 nat outbound 3001
 apn-profile apply profile69
 ipsec apply policy l2tp
#
 ip route-static 0.0.0.0 0 Eth-channel1/0:0
 ip route-static 171.23.0.0 16 10.0.0.6
#
acl advanced 3000
 rule 5 permit ip source 10.0.0.1 0 destination 10.0.0.2 0
#
acl advanced 3001
 rule 0 deny ip source 10.0.0.1 0 destination 10.0.0.2 0
 rule 1 permit ip
#
domain lac
#
domain system
 authentication ppp local
#
local-user admin class network
 password cipher $c$3$iGOVfiv/NNJQMCvixXldgAlPltGVRPkThYWxFQQ=
 service-type ppp
 authorization-attribute user-role network-operator
#
ipsec transform-set l2tp
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5
#
ipsec policy l2tp 1 isakmp
 transform-set l2tp
 security acl 3000
 remote-address x.x.x.x          // (x.x.x.x is the HQ firewall's egress address)
 ike-profile l2tp
#
l2tp-group 1 mode lac
 lns-ip 10.0.0.2
 source-ip 10.0.0.1
 undo tunnel authentication
 tunnel name lac
#
 l2tp enable
#
 ike identity fqdn admin
#
ike profile l2tp
 keychain l2tp
 exchange-mode aggressive
 local-identity fqdn admin
 match remote identity fqdn fw
#
ike keychain l2tp
 pre-shared-key address x.x.x.x 255.255.255.255 key simple 123456    // (x.x.x.x is the HQ firewall's egress address)

The firewall acts as the LNS; the key configuration is as follows:

#
interface Virtual-Template1
 ppp authentication-mode pap domain system
 remote address 10.0.0.5
 ip address 10.0.0.6 255.255.255.252
#
interface LoopBack0
 ip address 10.0.0.2 255.255.255.255
#
interface GigabitEthernet1/0/0
 description Wan Interface
 ip address x.x.x.x 255.255.255.248
 nat outbound 3001
 ipsec apply policy l2tp
#
security-zone name Untrust
 import interface GigabitEthernet1/0/0
 import interface Virtual-Template1
#
 ip route-static 0.0.0.0 0 58.221.232.193
 ip route-static 191.167.0.0 23 10.0.0.5     // route to the branch
#
acl advanced 3001
 rule 0 deny ip source 10.0.0.2 0 destination 10.0.0.1 0
 rule 1 permit ip
#
acl advanced 3100
 rule 0 permit ip source 10.0.0.2 0 destination 10.0.0.1 0
#
domain system
 authentication ppp local
#
 domain default enable system
#
local-user 1 class network
 password cipher $c$3$PqnMSMl/vI4ZQk+HvRfYcSiOv+u226I=
 service-type ppp
 authorization-attribute user-role network-operator
#
ipsec transform-set l2tp
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5
#
ipsec policy-template l2tp 1
 transform-set l2tp
 local-address x.x.x.x          // (x.x.x.x is the HQ firewall's egress address)
 ike-profile l2tp
#
ipsec policy l2tp 1 isakmp template l2tp
#
l2tp-group 1 mode lns
 allow l2tp virtual-template 1 remote lac
 undo tunnel authentication
 tunnel name lns
#
 l2tp enable
#
 ike identity fqdn FW
#
ike profile l2tp
 keychain l2tp
 exchange-mode aggressive
 local-identity fqdn fw
 match remote identity fqdn admin
#
ike keychain l2tp
 pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
security-policy ip
 rule 1 name Any_Any_1_IPv4
  action pass
Check that the IKE SA, the IPsec SA and the L2TP tunnel have been established:

<MSR>dis ike sa
    Connection-ID   Local               Remote              Flag      DOI
-------------------------------------------------------------------------
    23              10.164.118.x        x.x.x.x             RD        IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY

<MSR>dis ipsec sa
-------------------------------
Interface: Eth-channel1/0:0
-------------------------------

  -----------------------------
  IPsec policy: l2tp
  Sequence number: 1
  Mode: ISAKMP
  -----------------------------
    Tunnel id: 0
    Encapsulation mode: tunnel
    Perfect Forward Secrecy:
    Inside VPN:
    Extended Sequence Numbers enable: N
    Traffic Flow Confidentiality enable: N
    Transmitting entity: Initiator
    Path MTU: 1436
    Tunnel:
        local  address: 10.164.118.x
        remote address: x.x.x.x
    Flow:
        sour addr: 10.0.0.1/255.255.255.255  port: 0  protocol: ip
        dest addr: 10.0.0.2/255.255.255.255  port: 0  protocol: ip

    [Inbound ESP SAs]
      SPI: 883318680 (0x34a65f98)

[MSR]dis l2tp tunnel
 LocalTID   RemoteTID   State         Sessions   RemoteAddress   RemotePort   RemoteName
 53451      12731       Established   1          x.x.x.x         1701         lns


Configuration key points

It is recommended to terminate the L2TP tunnel on loopback interfaces and to build it between the loopback addresses.

In IPsec aggressive mode, both ends must use the same identity type, either IP addresses or FQDNs, to establish the tunnel.
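As an added check that is not part of the original post: a small Python script that cross-checks the LAC and LNS configurations for the two key points above (loopback addresses as the L2TP endpoints, FQDN identities that mirror each other in aggressive mode) plus the pre-shared key and the ACL pair, and flags the 3DES/MD5 transform set as legacy. The config excerpts are constructed from the page, with x.x.x.x left as a placeholder.

```python
import re
# Constructed excerpts of the LAC (router) and LNS (firewall) configs above; x.x.x.x is a placeholder.
LAC_CFG = """interface LoopBack0
 ip address 10.0.0.1 255.255.255.255
acl advanced 3000
 rule 5 permit ip source 10.0.0.1 0 destination 10.0.0.2 0
ipsec transform-set l2tp
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5
l2tp-group 1 mode lac
 lns-ip 10.0.0.2
 source-ip 10.0.0.1
ike profile l2tp
 local-identity fqdn admin
 match remote identity fqdn fw
ike keychain l2tp
 pre-shared-key address x.x.x.x 255.255.255.255 key simple 123456
"""
LNS_CFG = """interface LoopBack0
 ip address 10.0.0.2 255.255.255.255
acl advanced 3100
 rule 0 permit ip source 10.0.0.2 0 destination 10.0.0.1 0
ike profile l2tp
 local-identity fqdn fw
 match remote identity fqdn admin
ike keychain l2tp
 pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
"""
LEGACY = {"des-cbc", "3des-cbc", "md5"}  # ESP algorithms that should be retired

def grab(cfg, pattern):
    """Capture groups of the first multiline match of pattern in cfg (empty tuple if absent)."""
    m = re.search(pattern, cfg, re.M)
    return m.groups() if m else ()

def check_pair(lac, lns):
    """Cross-check LAC against LNS; an empty list means both sides agree on the tunnel."""
    lac_lo, lns_lo = (grab(c, r"^interface LoopBack0\n ip address (\S+)") for c in (lac, lns))
    ident = lambda c, what: grab(c, rf"^ {what} fqdn (\S+)")
    src, dst = grab(lac, r"permit ip source (\S+) 0 destination (\S+) 0") or (None, None)
    checks = [
        (grab(lac, r"^ lns-ip (\S+)") == lns_lo, "LAC lns-ip is not the LNS LoopBack0 address"),
        (grab(lac, r"^ source-ip (\S+)") == lac_lo, "LAC source-ip is not the LAC LoopBack0 address"),
        # aggressive mode with FQDN identities: each local-identity must be what the peer matches on
        (ident(lac, "local-identity") == ident(lns, "match remote identity"), "LNS does not match LAC identity"),
        (ident(lns, "local-identity") == ident(lac, "match remote identity"), "LAC does not match LNS identity"),
        (grab(lac, r"key simple (\S+)") == grab(lns, r"key simple (\S+)"), "pre-shared keys differ"),
        (grab(lns, r"permit ip source (\S+) 0 destination (\S+) 0") == (dst, src), "LNS ACL does not mirror LAC ACL"),
        (not set(re.findall(r"^ esp \S+-algorithm (\S+)", lac, re.M)) & LEGACY, "transform set uses legacy algorithms"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Run against the page's own values it reports only the legacy transform set; feed it the full output of display current-configuration from both devices to catch a mistyped identity or key before looking at dis ike sa.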


Source: Zhiliao Community (知了社区), licensed under the Creative Commons Attribution-ShareAlike 3.0 China Mainland license.