• 全部
  • 经验案例
  • 典型配置
  • 技术公告
  • FAQ
  • 漏洞说明
  • 全部
  • 全部
  • 大数据引擎
  • 知了引擎
产品线
搜索
取消
案例类型
发布者
是否解决
是否官方
时间
搜索引擎
匹配模式
高级搜索

MSR830如何配置分支VPN(L2TP、L2TP/IPSec、IKEv2/IPSec PSK)

2小时前提问
  • 0关注
  • 0收藏,32浏览
粉丝:0人 关注:0人

问题描述:

配置需求:

当前出口路由器上已配置有业务:1、现有手机移动端L2TP VPN、分支IPSec VPN。

                                                       2、新增手机移动端VPN,类型为:L2TP/IPSec、IKEv2/IPSec PSK。

                                                       3、要在不影响现在业务VPN(第1条件)的情况下完成第2条件需求。

以下为当前路由器配置,但发现新增手机移动端VPN,类型为:L2TP/IPSec、IKEv2/IPSec PSK拔号成功后,会导致内部网络断网无法访问外网,且现有手机移动端L2TP VPN、分支IPSec VPN都会中断。

<Router_ZHXXIE>dis cu
#
 version 7.1.064, Release 0605P18
#
 sysname Router_ZHXXIE
#
 clock timezone Beijing add 08:00:00
 clock protocol ntp
#
 ip pool 1 192.168.100.10 192.168.100.25 
 ip pool 1 gateway 192.168.100.1 
#
 ip load-sharing mode per-flow src-ip global
#
 dhcp enable
 dhcp server always-broadcast
#
 dns server 211.136.192.6
 dns server 120.196.165.24
#
 lldp global enable
#
 password-recovery enable
#
vlan 1         
#
vlan 10
 name Link-to-LAN
#
dhcp server ip-pool Office_LAN
 gateway-list 192.168.0.254
 network 192.168.0.0 mask 255.255.255.0
 dns-list 211.136.192.6 120.196.165.24
 forbidden-ip 192.168.0.237
 forbidden-ip 192.168.0.247
 forbidden-ip 192.168.0.248
 forbidden-ip 192.168.0.249
 forbidden-ip 192.168.0.250
 forbidden-ip 192.168.0.251
 forbidden-ip 192.168.0.252
 forbidden-ip 192.168.0.253
 forbidden-ip 192.168.0.254
#
dhcp server ip-pool Wifi-01
 gateway-list 192.168.1.254
 network 192.168.1.0 mask 255.255.255.0
 dns-list 211.136.192.6 120.196.165.24
 forbidden-ip 192.168.1.253
 forbidden-ip 192.168.1.254
#
dhcp server ip-pool Wifi-02
 gateway-list 192.168.2.254
 network 192.168.2.0 mask 255.255.255.0
 dns-list 211.136.192.6 120.196.165.24
 forbidden-ip 192.168.2.253
 forbidden-ip 192.168.2.254
#
dhcp server ip-pool Wifi-03
 gateway-list 192.168.3.254
 network 192.168.3.0 mask 255.255.255.0
 dns-list 211.136.192.6 120.196.165.24
 forbidden-ip 192.168.3.200
 forbidden-ip 192.168.3.253
 forbidden-ip 192.168.3.254
#
interface Virtual-Template1
 ppp authentication-mode chap domain zhie 
 ip address 192.168.100.1 255.255.255.0
#
interface NULL0
#              
interface LoopBack0
 ip address 10.10.10.1 255.255.255.255
#
interface Vlan-interface10
 description Link-to-LAN
 ip address 192.168.10.253 255.255.255.0
 nat hairpin enable
#
interface GigabitEthernet0/0
 port link-mode route
 description Link-to-CMCC_ISP
 ip address xx.xx.23.23 255.255.255.240
 nat outbound 3000
 nat server protocol tcp global xx.xx.23.23 25 inside 192.168.0.248 25
 nat server protocol tcp global xx.xx.23.23 110 inside 192.168.0.248 110
 nat server protocol tcp global xx.xx.23.23 143 inside 192.168.0.248 143
 nat server protocol tcp global xx.xx.23.23 443 inside 192.168.0.249 443
 nat server protocol tcp global xx.xx.23.23 4430 inside 192.168.0.248 443
 ipsec apply policy ipsec
#
interface GigabitEthernet0/1
 port link-mode route
#              
interface GigabitEthernet0/2
 port link-mode bridge
 port access vlan 10
#
interface GigabitEthernet0/3
 port link-mode bridge
 description Link-to-Core_SW
 port link-type trunk
 port trunk permit vlan all
#
interface GigabitEthernet0/4
 port link-mode bridge
 port access vlan 10
#
interface GigabitEthernet0/5
 port link-mode bridge
 port access vlan 10
#
 scheduler logfile size 16
#
line class console
 user-role network-admin
#              
line class tty
 user-role network-operator
#
line class vty
 user-role network-operator
#
line con 0
 user-role network-admin
#
line vty 0 4
 authentication-mode scheme
 user-role network-operator
 protocol inbound ssh
#
line vty 5 63
 authentication-mode scheme
 user-role network-operator
#
 ip route-static 0.0.0.0 0 xx.xx.23.17
 ip route-static 10.10.10.0 24 192.168.10.254
 ip route-static 172.16.0.0 16 192.168.10.254
 ip route-static 192.168.0.0 24 192.168.10.254
 ip route-static 192.168.1.0 24 192.168.10.254
 ip route-static 192.168.2.0 24 192.168.10.254
 ip route-static 192.168.3.0 24 192.168.10.254
 ip route-static 192.168.4.0 24 192.168.10.254
 ip route-static 192.168.7.0 24 192.168.100.4
 ip route-static 192.168.8.0 24 192.168.100.3
 ip route-static 192.168.9.0 24 192.168.100.5
 ip route-static 192.168.24.0 24 xx.xx.23.23
 ip route-static 192.168.124.0 24 xx.xx.23.23
#
 ssh server enable
 sftp server enable
 ssh user zhiexx service-type all authentication-type password
 ssh server acl 2003
#
 ntp-service enable
 ntp-service unicast-server ***.***
#
acl basic 2003
 description SSH_Server
 rule 0 permit source 192.168.0.0 0.0.0.255
 rule 1 permit source 192.168.1.0 0.0.0.255
 rule 2 permit source 192.168.2.0 0.0.0.255
 rule 3 permit source 192.168.3.0 0.0.0.255
 rule 4 permit source 192.168.100.0 0.0.0.255
 rule 5 permit source 192.168.124.0 0.0.0.255
 rule 6 permit source 192.168.24.0 0.0.0.255
 rule 7 permit source 192.168.10.0 0.0.0.255
#
acl advanced 3000
 rule 0 deny ip source 192.168.0.0 0.0.0.255 destination 192.168.124.0 0.0.0.255
 rule 1 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.124.0 0.0.0.255
 rule 2 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.124.0 0.0.0.255
 rule 3 deny ip source 192.168.3.0 0.0.0.255 destination 192.168.124.0 0.0.0.255
 rule 4 deny ip source 192.168.0.0 0.0.0.255 destination 192.168.24.0 0.0.0.255
 rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.124.0 0.0.0.255
 rule 6 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.24.0 0.0.0.255
 rule 7 deny ip source 172.16.0.0 0.0.255.255 destination 192.168.124.0 0.0.0.255
 rule 8 deny ip source 172.16.0.0 0.0.255.255 destination 192.168.24.0 0.0.0.255
 rule 9 deny ip source 192.168.100.0 0.0.0.255 destination 192.168.124.0 0.0.0.255
 rule 10 deny ip source 192.168.200.0 0.0.0.255 destination 192.168.124.0 0.0.0.255
 rule 35 permit ip source 192.168.0.0 0.0.255.255
 rule 36 permit ip source 172.16.0.0 0.0.255.255
 rule 37 permit ip source 10.10.0.0 0.0.255.255
#
acl advanced 3001
 rule 0 permit ip source 192.168.0.0 0.0.0.255 destination 192.168.124.0 0.0.0.255
 rule 1 permit ip source 192.168.124.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
 rule 2 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.124.0 0.0.0.255
 rule 3 permit ip source 192.168.124.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 4 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.124.0 0.0.0.255
 rule 5 permit ip source 192.168.124.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 rule 6 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.124.0 0.0.0.255
 rule 7 permit ip source 192.168.124.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
 rule 8 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.124.0 0.0.0.255
 rule 9 permit ip source 192.168.124.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 10 permit ip source 192.168.124.0 0.0.0.255 destination 172.16.0.0 0.0.255.255
 rule 11 permit ip source 172.16.0.0 0.0.255.255 destination 192.168.124.0 0.0.0.255
 rule 12 permit ip source 192.168.124.0 0.0.0.255 destination 192.168.100.0 0.0.0.255
 rule 13 permit ip source 192.168.100.0 0.0.0.255 destination 192.168.124.0 0.0.0.255
#
domain mate80
 authentication ike local
 authorization ike local
#
domain system
#
domain zhie
 authentication ppp local
 authorization ppp local
#
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
local-user zkie class manage
 password hash $h$6$SDoBI1UpONzFf6iX$G0qF21Y1XdHKRK2iT+3vNf54cdJm3EfCv9CD2s/36zTjsDk2E2P3Fo0E8LhIgHDTtutqTAgTgvVWbFOvz3f0JA==
 service-type ftp
 service-type ssh terminal https
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
#
local-user mate80user class network
 password cipher $c$3$RGlVWU8FixsJvsUU2ZEzAF/iB52GvRlilJFefYI8FBvSeQ=!!=
 service-type ike
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
 authorization-attribute ip-pool mate80
 authorization-attribute primary-dns ip 223.5.5.5
#
local-user zhie class network
 password cipher $c$3$iwvU7SC7HDbeWZXNq8zhbnh+tVLUTP3Tszv5LZpMjw=%=
 service-type ppp
 authorization-attribute user-role network-operator
 authorization-attribute ip-pool 1
#
local-user zhie01 class network
 password cipher $c$3$yXUVakl/+EN8eowmsNR8cBMgighNnMk9l/nZSlP+!#
 access-limit 1
 service-type ppp
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
 authorization-attribute ip 192.168.100.2
#
local-user zhie10 class network
 password cipher $c$3$De1iFufkLzDFKJGbUg4eBhN6Xwvh1Idys6sHJsU=$
 access-limit 1
 service-type ppp
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
 authorization-attribute ip 192.168.100.3
#
local-user zhie11 class network
 password cipher $c$3$lAMh+4PTkbnBs2dliHfMHv6P69IBpdM11LqgC8A=@
 access-limit 1
 service-type ppp
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
 authorization-attribute ip 192.168.100.5
#
local-user zhie12 class network
 password cipher $c$3$GDu26r9TmJpcnXDDgCgSzepIbS8sa94XDdXQEus=!
 access-limit 1
 service-type ppp
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
 authorization-attribute ip 192.168.100.4
#
ipsec transform-set 1
 esp encryption-algorithm aes-cbc-256 
 esp authentication-algorithm sha256 
#
ipsec transform-set mate80
 esp encryption-algorithm aes-cbc-256 
 esp authentication-algorithm sha256 
 pfs dh-group14
#
ipsec policy-template ipsec 1
 transform-set 1 
 security acl 3001 
 ike-profile 1
 sa duration time-based 3600
#
ipsec policy-template ipsec 10
 transform-set mate80 
 local-address xx.xx.23.23
 ikev2-profile mate80
 sa duration time-based 3600
#
ipsec policy ipsec 1 isakmp template ipsec
#
l2tp-group 1 mode lns
 allow l2tp virtual-template 1
 undo tunnel authentication
 tunnel name zhiexx
#
 l2tp enable
#
ike profile 1
 keychain 1
 exchange-mode aggressive
 local-identity address xx.xx.23.23
 match remote identity address 0.0.0.0 0.0.0.0
 proposal 1 
#
ike proposal 1
 encryption-algorithm aes-cbc-256
 dh group14
 authentication-algorithm sha256
#
ike keychain 1
 pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$mtADNWW1MGKl1aZS2k5Oopc86gv0PznH1yxd0dgrJA==$#
#
wlan global-configuration
 control-address disable
#
wlan ap-group default-group
#
 ikev2 address-group mate80 192.168.100.70 192.168.100.90 255.255.255.0 
#
ikev2 keychain mate80
 peer mate80
  address 0.0.0.0 0.0.0.0
  pre-shared-key ciphertext $c$3$l2IgnAaWaUzXel9y3080/2QXzlIOH0Io4Gs66mo=!@
#
ikev2 profile mate80
 authentication-method local pre-share
 authentication-method remote pre-share
 keychain mate80
 dpd interval 30 retry 2 on-demand
 nat-keepalive 120
 aaa authorization domain mate80 username mate80user
 match local address xx.xx.23.23
 match remote identity address 0.0.0.0 0.0.0.0
#
ikev2 proposal 10
 encryption 3des-cbc aes-cbc-256 aes-cbc-128 
 integrity sha1 sha256 
 dh group2 group14 group5 group19 
 prf sha1 sha256 
#
ikev2 policy 10
 priority 1
 proposal 10 
#
return

3 个回答

一定会影响的,分支的参数没有更改。导致两端建立不起来。

建议两端同时更改,并在空闲时段更改。

---------------------------------------------------

备份当前所有配置。准备配置变更脚本,变更前,变更后,回退脚本。

分支参数,总部参数要一样,总部怎么设置,分支就怎么设置,这条哪有啥问题。你差的无非就是配置不清楚。

按照流程一步一步来就行,如果配置失误,测试失败,马上导出配置,然后回退配置。

第二天再次检查配置,查找原因。

参考手册准备脚本

 L2TP over IPsec配置举例

3.10.1 IKEv2预共享密钥认证配置举例

已更新评论

沉鱼落雁_解决问题看主页 发表时间:2小时前 更多>>

分支的参数要如何修改呢?服务端这一侧msr830又要如何修改呢?我都配置测试无数编了,就是两种情况:要么新增的手机端(华为纯血鸿蒙6.0系统)无法拔通vpn,要么拔通了导致现有分支的vpn和总部内网访问互联断网,还有原有的L2TP VPN也断开。

沙漠一棵草 发表时间:2小时前

已更新评论

沉鱼落雁_解决问题看主页 发表时间:2小时前
粉丝:12人 关注:9人

一、L2TP/IPSec配置(兼容原有L2TP)
1. IPSec IKE策略(与原有区分编号)
ike proposal 10 # 新增提案,避免与原有冲突
encryption aes-256
authentication sha1
dh group14
quit
ike peer l2tp-ipsec-peer # 新增对等体
pre-shared-key simple YourPSK123
proposal 10
remote-address 0.0.0.0 # 移动端动态IP
quit
ipsec policy l2tp-ipsec-policy 10 isakmp # 新增IPSec策略
template
security acl 3000 # 匹配L2TP流量
proposal 10
ike-peer l2tp-ipsec-peer
quit
ipsec policy template l2tp-ipsec-template 10 # 模板绑定
quit
2. L2TP组配置(新增组,不影响原有)
l2tp group l2tp-ipsec-group
ipsec policy template l2tp-ipsec-template 10 # 绑定IPSec模板
allow l2tp # 允许L2TP
quit
3. L2TP服务与用户
l2tp enable
local-user mobile-l2tp-ipsec class network
password simple UserPass123
service-type ppp
quit
ppp domain l2tp-ipsec-domain
authentication ppp local
quit
interface Virtual-Template 2 # 新增虚模板,避免与原有VT1冲突
ip address 192.168.30.1 255.255.255.0 # 新地址池
ppp authentication chap pap
ppp domain l2tp-ipsec-domain
quit
l2tp group l2tp-ipsec-group
virtual-template 2
quit
二、IKEv2/IPSec PSK配置
1. IKEv2策略
ikev2 proposal 20 # 新增提案
encryption aes-256
integrity sha256
dh group14
quit
ikev2 policy 20 # 新增IKEv2策略
proposal 20
pre-shared-key simple IKEv2PSK456
quit
2. IPSec策略(IKEv2)
ipsec policy ikev2-policy 20 isakmp
security acl 3001 # 匹配IKEv2流量
proposal 10 # 可复用之前IPSec

他拿的AI评论,别理他

沉鱼落雁_解决问题看主页 发表时间:2小时前 更多>>

L2TP/IPSec配置(兼容原有L2TP)这个不兼容的吧,新增的手机客户端是华为的纯血鸿蒙6.0版本,不支持纯粹的L2TP协议呢,我还打了华为400官方售后呢。所以你说的第二种方案配置IKEv2/IPSec PSK,也测试过了,就是新增手机端一拔通vpn后,原来总部的内网都上不了网了,现有在用的vpn也会中断。

沙漠一棵草 发表时间:2小时前

他拿的AI评论,别理他

沉鱼落雁_解决问题看主页 发表时间:2小时前
粉丝:23人 关注:2人

MSR830 新增 L2TP/IPSec、IKEv2 PSK 后全网断网故障根治方案
一、故障核心根因(3 个致命配置冲突)
1. 同地址池路由覆盖(最核心)
现有传统 L2TP、新增 IKEv2/IPSec 全部共用192.168.100.0/24地址段:
原有 L2TP 地址池:ip pool 1 192.168.100.10 192.168.100.25
IKEv2 地址池:ikev2 address-group mate80 192.168.100.70 192.168.100.90
拨号成功后设备自动生成192.168.100.0/24 指向 Virtual-Template1的静态路由,覆盖原有明细路由:
plaintext
ip route-static 192.168.100.4 24 192.168.10.254
ip route-static 192.168.100.3 24 192.168.10.254
ip route-static 192.168.100.5 24 192.168.10.254
路由冲突导致:内网、原有 VPN 流量全部匹配 VPN 隧道路由,无法正常走互联网 / 分支 IPSec 隧道,全网断网、原有 VPN 全部下线。
2. NAT 策略未排除 VPN 网段,VPN 流量被 EasyIP NAT 拦截
外网接口nat outbound 3000,ACL3000 仅放行内网网段,未排除 192.168.100.0/24 VPN 地址段:
分支站点 IPSec 感兴趣流 ACL3001 包含 VPN 网段,NAT 先匹配 3000 做转换,IPSec 加密流量被 NAT 篡改,分支隧道直接断开;
手机 VPN 客户端访问内网时,流量被 NAT 转换为公网地址,内网回程路由失效。
3. IKEv2 策略优先级低于站点 IPSec,协商抢占资源
现有站点 IPSec 策略模板序号 1,新增 IKEv2 策略 10 优先级更低;同时公网接口同时绑定ipsec apply policy ipsec,多类型 IPSec 协商报文争抢 500/4500 端口,隧道会话震荡、频繁重置。
二、分步修复配置(不改动现有业务,兼容 3 类 VPN 共存)
步骤 1:隔离 VPN 地址池(根治路由覆盖,必改)
新增独立 IKEv2/L2TP-IPSec 地址段,严禁和原有 L2TP 共用 192.168.100.0/24
bash
运行
# 1. 新建独立VPN地址池10,分配给L2TP/IPSec、IKEv2
ip pool 10 192.168.101.10 192.168.101.99
ip pool 10 gateway 192.168.101.1
# 2. 修改IKEv2地址池,切换新网段
undo ikev2 address-group mate80
ikev2 address-group mate80 192.168.101.70 192.168.101.90 255.255.255.0
# 3. 新建独立Virtual-Template2,专供L2TP/IPSec使用(原VT1保留纯L2TP)
interface Virtual-Template2
ppp authentication-mode chap domain mate80
ip address 192.168.101.1 255.255.255.0
# 4. 修改L2TP组,双VT区分两种移动端VPN
undo l2tp-group 1
l2tp-group 1 mode lns
allow l2tp virtual-template 1 domain zhie # 原有纯L2TP用户
allow l2tp virtual-template 2 domain mate80 # 新增L2TP/IPSec用户
undo tunnel authentication
tunnel name zhiexx
# 5. 原有静态路由删除冲突的100段,新增101段回程路由(指向内网核心)
undo ip route-static 192.168.100.4 24 192.168.10.254
undo ip route-static 192.168.100.3 24 192.168.10.254
undo ip route-static 192.168.100.5 24 192.168.10.254
# 新增新VPN网段回程路由,访问内网业务
ip route-static 192.168.101.0 24 192.168.10.254
步骤 2:修正 NAT ACL,排除 VPN 网段,避免 IPSec 流量被转换
bash
运行
# 进入ACL3000,在最顶部新增拒绝VPN网段做NAT(规则序号越小越优先)
acl advanced 3000
rule 0 deny ip source 192.168.100.0 0.0.0.255 # 原有L2TP网段禁止NAT
rule 1 deny ip source 192.168.101.0 0.0.0.255 # 新增IKEv2/L2TP-IPSec网段禁止NAT
# 原有rule35及以下内网放行规则保留不变
步骤 3:优化 IKE/IPSec 策略,多 VPN 稳定共存
bash
运行
# 1. 提升IKEv2策略优先级,高于站点IPSec模板
undo ikev2 policy 10
ikev2 policy 5
priority 5
proposal 10
# 2. 站点IPSec模板序号下调,避免协商冲突
undo ipsec policy-template ipsec 10
ipsec policy-template ipsec 5
transform-set mate80
local-address xx.xx.23.23
ikev2-profile mate80
sa duration time-based 3600
# 3. 公网接口IPSec策略重新绑定,刷新会话
interface GigabitEthernet0/0
undo ipsec apply policy ipsec
ipsec apply policy ipsec
# 4. 开启IPSec NAT穿越保活,适配手机4G/5G网络
ike profile 1
nat-keepalive 120
ikev2 profile mate80
nat-keepalive 120
步骤 4:配套 AAA 账号适配新地址池
bash
运行
# 原有mate80user绑定新地址池10
undo local-user mate80user
local-user mate80user class network
password cipher $c$3$RGlVWU8FixsJvsUU2ZEzAF/iB52GvRlilJFefYI8FBvSeQ=!!=
service-type ike
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
authorization-attribute ip-pool 10
authorization-attribute primary-dns ip 223.5.5.5
三、完整新增 L2TP/IPSec、IKEv2 PSK 配置(不改动原有业务)
1. IKEv2 PSK 完整配置(已嵌入上方修复,汇总)
bash
运行
# IKEv2提案
ikev2 proposal 10
encryption 3des-cbc aes-cbc-256 aes-cbc-128
integrity sha1 sha256
dh group2 group14 group5 group19
prf sha1 sha256
# IKEv2策略(高优先级5)
ikev2 policy 5
proposal 10
# IKEv2预共享密钥
ikev2 keychain mate80
peer mate80
address 0.0.0.0 0.0.0.0
pre-shared-key ciphertext $c$3$l2IgnAaWaUzXel9y3080/2QXzlIOH0Io4Gs66mo=!@
# IKEv2配置模板
ikev2 profile mate80
authentication-method local pre-share
authentication-method remote pre-share
keychain mate80
dpd interval 30 retry 2 on-demand
nat-keepalive 120
aaa authorization domain mate80 username mate80user
match local address xx.xx.23.23
match remote identity address 0.0.0.0 0.0.0.0
# IKEv2独立地址池10(192.168.101.0/24)
ikev2 address-group mate80 192.168.101.70 192.168.101.90 255.255.255.0
# 绑定domain mate80
domain mate80
authentication ike local
authorization ike local
2. L2TP/IPSec 配套配置(复用 IKEv2 profile,新增 VT2)
bash
运行
# L2TP全局开启
l2tp enable
# L2TP组双VT区分两种移动端VPN
l2tp-group 1 mode lns
allow l2tp virtual-template 1 domain zhie
allow l2tp virtual-template 2 domain mate80
undo tunnel authentication
tunnel name zhiexx
# 新VT2用于L2TP/IPSec客户端
interface Virtual-Template2
ppp authentication-mode chap domain mate80
ip address 192.168.101.1 255.255.255.0
# 对应domain mate80账号mate80user,分配pool10地址
3. 原有业务保留说明
纯 L2TP 用户:domain zhie、Virtual-Template1、地址池 1(192.168.100.0/24)完全不变;
站点分支 IPSec:ACL3001、ipsec policy-template 1、ike profile1 全部保留,无改动;
内网 DHCP、NAT、静态路由仅新增 VPN 网段规则,原有业务不受影响。
四、验证 & 排错命令
bash
运行
# 1. 查看VPN地址池分配
display ip pool all
display ikev2 address-group
# 2. 查看路由表,确认无192.168.100.0/24汇总路由覆盖明细
display ip routing-table | include 192.168.100
display ip routing-table | include 192.168.101
# 3. 查看IPSec/IKE协商会话
display ikev2 session all
display ipsec sa all
display l2tp session all
# 4. 查看NAT匹配,确认VPN网段拒绝转换
display acl 3000
display nat session source 192.168.101.0
五、极简总结
核心故障根源:新旧 VPN 共用同一 192.168.100.0/24 地址池,拨号自动生成汇总路由覆盖内网明细路由,全网断网;
根治方案:新建独立 192.168.101.0/24 地址池专供 L2TP/IPSec、IKEv2,拆分 Virtual-Template 区分两类移动端 VPN;
配套优化:NAT ACL 顶部拒绝 VPN 网段转换,提升 IKEv2 策略优先级,避免 IPSec 隧道协商冲突;
业务兼容:原有纯 L2TP、分支站点 IPSec 配置零改动,修复后三类 VPN 可同时稳定在线,内网外网正常访问。

编辑答案

你正在编辑答案

如果你要对问题或其他回答进行点评或询问,请使用评论功能。

分享扩散:

提出建议

    +

亲~登录后才可以操作哦!

确定

亲~检测到您登陆的账号未在http://hclhub.h3c.com进行注册

注册后可访问此模块

跳转hclhub

你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作

举报

×

侵犯我的权益 >
对根叔社区有害的内容 >
辱骂、歧视、挑衅等(不友善)

侵犯我的权益

×

泄露了我的隐私 >
侵犯了我企业的权益 >
抄袭了我的内容 >
诽谤我 >
辱骂、歧视、挑衅等(不友善)
骚扰我

泄露了我的隐私

×

您好,当您发现根叔知了上有泄漏您隐私的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到pub.zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您认为哪些内容泄露了您的隐私?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)

侵犯了我企业的权益

×

您好,当您发现根叔知了上有关于您企业的造谣与诽谤、商业侵权等内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到 pub.zhiliao@h3c.com 邮箱,我们会在审核后尽快给您答复。
  • 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
  • 3. 是哪家企业?(营业执照,单位登记证明等证件)
  • 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

抄袭了我的内容

×

原文链接或出处

诽谤我

×

您好,当您发现根叔知了上有诽谤您的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到pub.zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

对根叔社区有害的内容

×

垃圾广告信息
色情、暴力、血腥等违反法律法规的内容
政治敏感
不规范转载 >
辱骂、歧视、挑衅等(不友善)
骚扰我
诱导投票

不规范转载

×

举报说明