Environment:
AR161-S (LNS): Internet access via PPPoE, China Telecom dynamic public IP
AR207-S (LAC): Internet access via DHCP from a China Mobile ONT, no public IP
LNS configuration:
[V200R010C10SPC700]
#
l2tp enable
#
vlan batch 8 10 100
#
dns resolve
dns server 61.128.128.68
dns server 8.8.8.8
#
dhcp enable
#
acl number 3000 //NAT for Internet access
rule 20 permit ip source 192.168.1.0 0.0.0.255
rule 25 permit ip source 192.168.10.0 0.0.0.255
rule 30 permit ip source 10.98.10.0 0.0.0.255
//The IPsec responder does not need an ACL to define the data flow
#
ddns policy dzh //dynamic DNS
url http://<username>:<password>@members.3322.org/dyndns/update?system=dyndns&hostname=<h>&myip=<a> username root password %^%#{xIW+sRf[&;]uZA=g}&)3zW'XQ*^F,(sY_#c"zQM%^%#
#
ipsec proposal lns //IPsec proposal
encapsulation-mode tunnel //encapsulation mode tunnel; this is the default and is not actually shown in the display. With the other encapsulation mode, transport, the IPsec peers will not negotiate successfully.
esp authentication-algorithm sha2-256 //ESP authentication algorithm
esp encryption-algorithm aes-256 //ESP encryption algorithm
#
ike proposal 5 //IKE proposal (everything in the proposal except DH is the default value)
encryption-algorithm aes-256 //encryption algorithm
dh group5 //DH group; must be the same on both ends
authentication-algorithm sha2-256 //authentication algorithm
authentication-method pre-share //authentication method: pre-shared key
integrity-algorithm hmac-sha2-256 //integrity algorithm used for IKEv2 negotiation
prf hmac-sha2-256 //pseudo-random function used for IKEv2 negotiation
#
ike peer lns //IKE peer name; apart from disabling v2, the pre-shared key and the referenced IKE proposal, everything is the default
undo version 2 //disable IKEv2; it also works if left enabled
pre-shared-key cipher %^%#pD;q)eu-x7)qCH.\yw:1~JRL'/`jPUhC'9MU3vHM%^%# //pre-shared key
ike-proposal 5 //reference the IKE proposal
rsa encryption-padding oaep //RSA encryption padding mode OAEP
rsa signature-padding pss //RSA signature padding mode PSS
ikev2 authentication sign-hash sha2-256 //certificate signature hash used by IKEv2
#
ipsec policy-template dzh 10 //IPsec policy template
ike-peer lns
proposal lns
#
ipsec policy lns 10 isakmp template dzh //IPsec policy referencing the policy template
#
ip pool l2tp //IP addresses assigned to L2TP clients
gateway-list 192.168.100.1
network 192.168.100.0 mask 255.255.255.0
#
aaa
authentication-scheme default
authentication-scheme radius
authentication-mode radius
authorization-scheme default
accounting-scheme default
domain default
authentication-scheme default
domain default_admin
authentication-scheme default
local-user dzh password irreversible-cipher $1a$vJuyJ)n!#=$t\w"~VnGX9)A@(.@^Az5\&P>N={5WX(t7O9l]<U&$
local-user dzh privilege level 15
local-user dzh ftp-directory flash:
local-user dzh service-type telnet terminal ssh ftp http
local-user admin password irreversible-cipher $1a$E#JjN'k0^1$FT'(De8[F8[1>8,QrV#.7ImS4rpxZ:g3B}OvG[^B$
local-user admin privilege level 15
local-user admin ftp-directory flash:
local-user admin service-type telnet terminal ssh ftp http
local-user dzhgood password cipher %^%#:Y{&"2dCxRkSxNScr3bWzrct;/X0TVg*7K<ZapE3%^%#
local-user dzhgood privilege level 0
local-user dzhgood service-type ppp //L2TP user
#
interface Dialer1 //PPPoE Internet access
link-protocol ppp
ppp chap user 12345567
ppp chap password cipher %^%#sc+g9nmw3FaH=A@=5B'UhnSo!a#4a$cU.%342{NS%^%#
ppp pap local-user 02347531360 password cipher %^%#jv4O3#Dr7(lI~*M3%%DI<,El0}BYu<k_kd>]2uZL%^%#
ppp ipcp dns admit-any
ppp ipcp dns request
mtu 1492
ip address ppp-negotiate
dialer user arweb
dialer bundle 1
dialer number 1 autodial
dialer-group 1
nat outbound 3000
ddns apply policy dzh fqdn XXXX.8800.org //bind the dynamic DNS policy
ipsec policy lns //bind the IPsec policy
#
interface Vlanif1
ip address 192.168.1.1 255.255.255.0
dhcp select interface
#
interface Vlanif10
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif100
ip address 10.98.10.1 255.255.255.0
dhcp select interface
dhcp server static-bind ip-address 10.98.10.252 mac-address 1098-c3e1-aa52
dhcp server dns-list 61.128.128.68 8.8.8.8
#
interface Virtual-Template1 //L2TP virtual template interface
ppp authentication-mode chap
remote address pool l2tp
ip address 192.168.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
pppoe-client dial-bundle-number 1 //bind PPPoE
#
dialer-rule
dialer-rule 1 ip permit
#
l2tp-group 1 //L2TP group
allow l2tp virtual-template 1
tunnel password cipher %^%#v_7//9e6#FuM=",ae)CF-HMt0[ntZ22YV0J@>}MW%^%#
tunnel name lns
#
set web login-style professional
http secure-server port 8443
http secure-server ssl-policy default_policy
http server enable
http secure-server enable
#
ip route-static 0.0.0.0 0.0.0.0 Dialer1
ip route-static 192.168.20.0 255.255.255.0 Virtual-Template1
#
LAC configuration:
[V200R010C10SPC700]
#
drop illegal-mac alarm
#
l2tp enable
#
vlan batch 10
#
dns resolve
dns server 222.246.129.80
dns proxy enable
#
dhcp enable
#
acl number 3000
rule 5 deny ip source 192.168.13.0 0.0.0.255
rule 10 permit ip
acl number 3001
rule 5 permit udp destination-port eq 1701
#
ipsec proposal lac
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 5
encryption-algorithm aes-256
dh group5
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer lac
undo version 2
pre-shared-key cipher %^%#!Hk1,<3C\'U9p#Fp%d1&@u[aC03x5KtL]HAb1=>B%^%#
ike-proposal 5
remote-address host-name XXXX.8800.org
rsa encryption-padding oaep
rsa signature-padding pss
ikev2 authentication sign-hash sha2-256
#
ipsec policy lac 10 isakmp //IPsec policy; as the initiator it cannot use the template form
security acl 3001 //define the data flow
ike-peer lac
proposal lac
route inject dynamic //route injection, listed only so you know the command exists; configuring it towards the public network has no effect.
#
interface Vlanif10
ip address 192.168.20.1 255.255.255.0
dhcp select interface
dhcp server dns-list 222.246.129.80 8.8.8.8
#
interface Ethernet0/0/0 //connects to the ONT, DHCP Internet access
undo portswitch
mtu 1492
tcp adjust-mss 1400
ip address 192.168.13.2 255.255.255.0
nat outbound 3000
ipsec policy lac //bind the IPsec policy
#
interface Ethernet0/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface Virtual-Template1
ppp chap user dzhgood
ppp chap password cipher %^%#d7K.Q@pu|'5'oIYhx}#0JML}VLN=m;wzwy)sQGFN%^%#
ip address ppp-negotiate
l2tp-auto-client enable
nat outbound 3000
#
l2tp-group 1
tunnel password cipher %^%#!&/O%CmcLD<ZkZ:>ER$+1Q$M.pi\,*eLjWV~iO*9%^%#
tunnel name lac //the tunnel name here is not tied to anything else; someone on the Huawei forum suggested it must match the local-id in the IKE peer, but that is not necessary, and may depend on the software version.
start l2tp host XXXX.8800.org fullusername dzhgood
#
stelnet server enable
telnet server enable
#
set web login-style simple
http secure-server port 8443
http secure-server ssl-policy default_policy
http server enable
http secure-server enable
#
ip route-static 0.0.0.0 0.0.0.0 192.168.13.1
ip route-static 10.98.10.0 255.255.255.0 Virtual-Template1
#
Notes:
None of the problems mentioned in the previous article appeared here; they were probably eNSP issues.
IKE negotiation succeeds in both main mode and aggressive mode, but IPsec encapsulation can only be tunnel mode.
The local-id-type in the IKE peer defaults to IP; if it is changed to FQDN, the peer can be identified by name. The Huawei forum mentioned changing it to FQDN and specifying local-id and remote-id names; these commands were configured the first time, and later removed during testing, which did not affect IPsec connectivity.
NAT traversal is configured in the IKE peer and is enabled by default. The command is nat traversal.
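As an added example (my own checker, not a Huawei tool or code from the original post), the Python below parses the ipsec proposal and ike proposal blocks on both ends, excerpted from the configs above with the comments stripped, and reports any parameter that differs between LNS and LAC; it covers both the "must match on both ends" comments in the LNS proposals and the tunnel-mode note above. The DEFAULTS table (tunnel mode as the undisplayed default) and the helper names are assumptions.

```python
# Constructed excerpts (comments stripped) of the LNS and LAC proposal
# blocks from this page; the checker accepts any VRP-style config text.
LNS_CFG = """ipsec proposal lns
 encapsulation-mode tunnel
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal 5
 encryption-algorithm aes-256
 dh group5
 authentication-algorithm sha2-256
#"""
LAC_CFG = """ipsec proposal lac
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal 5
 encryption-algorithm aes-256
 dh group5
 authentication-algorithm sha2-256
#"""

# Assumed defaults for lines VRP does not display (tunnel mode per the page).
DEFAULTS = {"ipsec": {"encapsulation-mode": "tunnel"}, "ike": {}}

def proposal(cfg, kind):
    """Parse the first '<kind> proposal' block into {parameter: value}."""
    params, inside = dict(DEFAULTS[kind]), False
    for line in cfg.splitlines():
        if line.startswith(kind + " proposal"):
            inside = True
        elif inside and line.strip() == "#":
            break
        elif inside and line.split():
            *name, value = line.split()  # e.g. "dh group5" -> {"dh": "group5"}
            params[" ".join(name)] = value
    return params

def check_peers(lns_cfg, lac_cfg):
    """Return the differences that would make IKE/IPsec negotiation fail."""
    issues = []
    for kind in ("ipsec", "ike"):
        lns, lac = proposal(lns_cfg, kind), proposal(lac_cfg, kind)
        for key in sorted(set(lns) | set(lac)):
            if lns.get(key) != lac.get(key):
                issues.append(f"{kind} {key}: LNS={lns.get(key)} LAC={lac.get(key)}")
    # Transport mode does not negotiate for this L2TP-over-IPsec setup (page note).
    if proposal(lns_cfg, "ipsec")["encapsulation-mode"] != "tunnel":
        issues.append("ipsec encapsulation-mode: must be tunnel")
    return issues
```

Run check_peers on the two full configs before bringing the tunnel up; an empty list means the proposals agree.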