配置需求:
当前出口路由器上已配置有业务:1、现有手机移动端L2TP VPN、分支IPSec VPN。
2、新增手机移动端VPN,类型为:L2TP/IPSec、IKEv2/IPSec PSK。
3、要在不影响现在业务VPN(第1条件)的情况下完成第2条件需求。
以下为当前路由器配置,但发现新增手机移动端VPN,类型为:L2TP/IPSec、IKEv2/IPSec PSK拔号成功后,会导致内部网络断网无法访问外网,且现有手机移动端L2TP VPN、分支IPSec VPN都会中断。
<Router_ZHXXIE>dis cu
#
version 7.1.064, Release 0605P18
#
sysname Router_ZHXXIE
#
clock timezone Beijing add 08:00:00
clock protocol ntp
#
ip pool 1 192.168.100.10 192.168.100.25
ip pool 1 gateway 192.168.100.1
#
ip load-sharing mode per-flow src-ip global
#
dhcp enable
dhcp server always-broadcast
#
dns server 211.136.192.6
dns server 120.196.165.24
#
lldp global enable
#
password-recovery enable
#
vlan 1
#
vlan 10
name Link-to-LAN
#
dhcp server ip-pool Office_LAN
gateway-list 192.168.0.254
network 192.168.0.0 mask 255.255.255.0
dns-list 211.136.192.6 120.196.165.24
forbidden-ip 192.168.0.237
forbidden-ip 192.168.0.247
forbidden-ip 192.168.0.248
forbidden-ip 192.168.0.249
forbidden-ip 192.168.0.250
forbidden-ip 192.168.0.251
forbidden-ip 192.168.0.252
forbidden-ip 192.168.0.253
forbidden-ip 192.168.0.254
#
dhcp server ip-pool Wifi-01
gateway-list 192.168.1.254
network 192.168.1.0 mask 255.255.255.0
dns-list 211.136.192.6 120.196.165.24
forbidden-ip 192.168.1.253
forbidden-ip 192.168.1.254
#
dhcp server ip-pool Wifi-02
gateway-list 192.168.2.254
network 192.168.2.0 mask 255.255.255.0
dns-list 211.136.192.6 120.196.165.24
forbidden-ip 192.168.2.253
forbidden-ip 192.168.2.254
#
dhcp server ip-pool Wifi-03
gateway-list 192.168.3.254
network 192.168.3.0 mask 255.255.255.0
dns-list 211.136.192.6 120.196.165.24
forbidden-ip 192.168.3.200
forbidden-ip 192.168.3.253
forbidden-ip 192.168.3.254
#
interface Virtual-Template1
ppp authentication-mode chap domain zhie
ip address 192.168.100.1 255.255.255.0
#
interface NULL0
#
interface LoopBack0
ip address 10.10.10.1 255.255.255.255
#
interface Vlan-interface10
description Link-to-LAN
ip address 192.168.10.253 255.255.255.0
nat hairpin enable
#
interface GigabitEthernet0/0
port link-mode route
description Link-to-CMCC_ISP
ip address xx.xx.23.23 255.255.255.240
nat outbound 3000
nat server protocol tcp global xx.xx.23.23 25 inside 192.168.0.248 25
nat server protocol tcp global xx.xx.23.23 110 inside 192.168.0.248 110
nat server protocol tcp global xx.xx.23.23 143 inside 192.168.0.248 143
nat server protocol tcp global xx.xx.23.23 443 inside 192.168.0.249 443
nat server protocol tcp global xx.xx.23.23 4430 inside 192.168.0.248 443
ipsec apply policy ipsec
#
interface GigabitEthernet0/1
port link-mode route
#
interface GigabitEthernet0/2
port link-mode bridge
port access vlan 10
#
interface GigabitEthernet0/3
port link-mode bridge
description Link-to-Core_SW
port link-type trunk
port trunk permit vlan all
#
interface GigabitEthernet0/4
port link-mode bridge
port access vlan 10
#
interface GigabitEthernet0/5
port link-mode bridge
port access vlan 10
#
scheduler logfile size 16
#
line class console
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line con 0
user-role network-admin
#
line vty 0 4
authentication-mode scheme
user-role network-operator
protocol inbound ssh
#
line vty 5 63
authentication-mode scheme
user-role network-operator
#
ip route-static 0.0.0.0 0 xx.xx.23.17
ip route-static 10.10.10.0 24 192.168.10.254
ip route-static 172.16.0.0 16 192.168.10.254
ip route-static 192.168.0.0 24 192.168.10.254
ip route-static 192.168.1.0 24 192.168.10.254
ip route-static 192.168.2.0 24 192.168.10.254
ip route-static 192.168.3.0 24 192.168.10.254
ip route-static 192.168.4.0 24 192.168.10.254
ip route-static 192.168.7.0 24 192.168.100.4
ip route-static 192.168.8.0 24 192.168.100.3
ip route-static 192.168.9.0 24 192.168.100.5
ip route-static 192.168.24.0 24 xx.xx.23.23
ip route-static 192.168.124.0 24 xx.xx.23.23
#
ssh server enable
sftp server enable
ssh user zhiexx service-type all authentication-type password
ssh server acl 2003
#
ntp-service enable
ntp-service unicast-server ***.***
#
acl basic 2003
description SSH_Server
rule 0 permit source 192.168.0.0 0.0.0.255
rule 1 permit source 192.168.1.0 0.0.0.255
rule 2 permit source 192.168.2.0 0.0.0.255
rule 3 permit source 192.168.3.0 0.0.0.255
rule 4 permit source 192.168.100.0 0.0.0.255
rule 5 permit source 192.168.124.0 0.0.0.255
rule 6 permit source 192.168.24.0 0.0.0.255
rule 7 permit source 192.168.10.0 0.0.0.255
#
acl advanced 3000
rule 0 deny ip source 192.168.0.0 0.0.0.255 destination 192.168.124.0 0.0.0.255
rule 1 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.124.0 0.0.0.255
rule 2 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.124.0 0.0.0.255
rule 3 deny ip source 192.168.3.0 0.0.0.255 destination 192.168.124.0 0.0.0.255
rule 4 deny ip source 192.168.0.0 0.0.0.255 destination 192.168.24.0 0.0.0.255
rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.124.0 0.0.0.255
rule 6 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.24.0 0.0.0.255
rule 7 deny ip source 172.16.0.0 0.0.255.255 destination 192.168.124.0 0.0.0.255
rule 8 deny ip source 172.16.0.0 0.0.255.255 destination 192.168.24.0 0.0.0.255
rule 9 deny ip source 192.168.100.0 0.0.0.255 destination 192.168.124.0 0.0.0.255
rule 10 deny ip source 192.168.200.0 0.0.0.255 destination 192.168.124.0 0.0.0.255
rule 35 permit ip source 192.168.0.0 0.0.255.255
rule 36 permit ip source 172.16.0.0 0.0.255.255
rule 37 permit ip source 10.10.0.0 0.0.255.255
#
acl advanced 3001
rule 0 permit ip source 192.168.0.0 0.0.0.255 destination 192.168.124.0 0.0.0.255
rule 1 permit ip source 192.168.124.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
rule 2 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.124.0 0.0.0.255
rule 3 permit ip source 192.168.124.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 4 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.124.0 0.0.0.255
rule 5 permit ip source 192.168.124.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 6 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.124.0 0.0.0.255
rule 7 permit ip source 192.168.124.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule 8 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.124.0 0.0.0.255
rule 9 permit ip source 192.168.124.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
rule 10 permit ip source 192.168.124.0 0.0.0.255 destination 172.16.0.0 0.0.255.255
rule 11 permit ip source 172.16.0.0 0.0.255.255 destination 192.168.124.0 0.0.0.255
rule 12 permit ip source 192.168.124.0 0.0.0.255 destination 192.168.100.0 0.0.0.255
rule 13 permit ip source 192.168.100.0 0.0.0.255 destination 192.168.124.0 0.0.0.255
#
domain mate80
authentication ike local
authorization ike local
#
domain system
#
domain zhie
authentication ppp local
authorization ppp local
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user zkie class manage
password hash $h$6$SDoBI1UpONzFf6iX$G0qF21Y1XdHKRK2iT+3vNf54cdJm3EfCv9CD2s/36zTjsDk2E2P3Fo0E8LhIgHDTtutqTAgTgvVWbFOvz3f0JA==
service-type ftp
service-type ssh terminal https
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
local-user mate80user class network
password cipher $c$3$RGlVWU8FixsJvsUU2ZEzAF/iB52GvRlilJFefYI8FBvSeQ=!!=
service-type ike
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
authorization-attribute ip-pool mate80
authorization-attribute primary-dns ip 223.5.5.5
#
local-user zhie class network
password cipher $c$3$iwvU7SC7HDbeWZXNq8zhbnh+tVLUTP3Tszv5LZpMjw=%=
service-type ppp
authorization-attribute user-role network-operator
authorization-attribute ip-pool 1
#
local-user zhie01 class network
password cipher $c$3$yXUVakl/+EN8eowmsNR8cBMgighNnMk9l/nZSlP+!#
access-limit 1
service-type ppp
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
authorization-attribute ip 192.168.100.2
#
local-user zhie10 class network
password cipher $c$3$De1iFufkLzDFKJGbUg4eBhN6Xwvh1Idys6sHJsU=$
access-limit 1
service-type ppp
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
authorization-attribute ip 192.168.100.3
#
local-user zhie11 class network
password cipher $c$3$lAMh+4PTkbnBs2dliHfMHv6P69IBpdM11LqgC8A=@
access-limit 1
service-type ppp
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
authorization-attribute ip 192.168.100.5
#
local-user zhie12 class network
password cipher $c$3$GDu26r9TmJpcnXDDgCgSzepIbS8sa94XDdXQEus=!
access-limit 1
service-type ppp
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
authorization-attribute ip 192.168.100.4
#
ipsec transform-set 1
esp encryption-algorithm aes-cbc-256
esp authentication-algorithm sha256
#
ipsec transform-set mate80
esp encryption-algorithm aes-cbc-256
esp authentication-algorithm sha256
pfs dh-group14
#
ipsec policy-template ipsec 1
transform-set 1
security acl 3001
ike-profile 1
sa duration time-based 3600
#
ipsec policy-template ipsec 10
transform-set mate80
local-address xx.xx.23.23
ikev2-profile mate80
sa duration time-based 3600
#
ipsec policy ipsec 1 isakmp template ipsec
#
l2tp-group 1 mode lns
allow l2tp virtual-template 1
undo tunnel authentication
tunnel name zhiexx
#
l2tp enable
#
ike profile 1
keychain 1
exchange-mode aggressive
local-identity address xx.xx.23.23
match remote identity address 0.0.0.0 0.0.0.0
proposal 1
#
ike proposal 1
encryption-algorithm aes-cbc-256
dh group14
authentication-algorithm sha256
#
ike keychain 1
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$mtADNWW1MGKl1aZS2k5Oopc86gv0PznH1yxd0dgrJA==$#
#
wlan global-configuration
control-address disable
#
wlan ap-group default-group
#
ikev2 address-group mate80 192.168.100.70 192.168.100.90 255.255.255.0
#
ikev2 keychain mate80
peer mate80
address 0.0.0.0 0.0.0.0
pre-shared-key ciphertext $c$3$l2IgnAaWaUzXel9y3080/2QXzlIOH0Io4Gs66mo=!@
#
ikev2 profile mate80
authentication-method local pre-share
authentication-method remote pre-share
keychain mate80
dpd interval 30 retry 2 on-demand
nat-keepalive 120
aaa authorization domain mate80 username mate80user
match local address xx.xx.23.23
match remote identity address 0.0.0.0 0.0.0.0
#
ikev2 proposal 10
encryption 3des-cbc aes-cbc-256 aes-cbc-128
integrity sha1 sha256
dh group2 group14 group5 group19
prf sha1 sha256
#
ikev2 policy 10
priority 1
proposal 10
#
return
一定会影响的,分支的参数没有更改。导致两端建立不起来。
建议两端同时更改,并在空闲时段更改。
---------------------------------------------------
备份当前所有配置。准备配置变更脚本,变更前,变更后,回退脚本。
分支参数,总部参数要一样,总部怎么设置,分支就怎么设置,这条哪有啥问题。你差的无非就是配置不清楚。
按照流程一步一步来就行,如果配置失误,测试失败,马上导出配置,然后回退配置。
第二天再次检查配置,查找原因。
参考手册准备脚本
分支的参数要如何修改呢?服务端这一侧msr830又要如何修改呢?我都配置测试无数编了,就是两种情况:要么新增的手机端(华为纯血鸿蒙6.0系统)无法拔通vpn,要么拔通了导致现有分支的vpn和总部内网访问互联断网,还有原有的L2TP VPN也断开。
L2TP/IPSec配置(兼容原有L2TP)这个不兼容的吧,新增的手机客户端是华为的纯血鸿蒙6.0版本,不支持纯粹的L2TP协议呢,我还打了华为400官方售后呢。所以你说的第二种方案配置IKEv2/IPSec PSK,也测试过了,就是新增手机端一拔通vpn后,原来总部的内网都上不了网了,现有在用的vpn也会中断。
MSR830 新增 L2TP/IPSec、IKEv2 PSK 后全网断网故障根治方案
一、故障核心根因(3 个致命配置冲突)
1. 同地址池路由覆盖(最核心)
现有传统 L2TP、新增 IKEv2/IPSec 全部共用192.168.100.0/24地址段:
原有 L2TP 地址池:ip pool 1 192.168.100.10 192.168.100.25
IKEv2 地址池:ikev2 address-group mate80 192.168.100.70 192.168.100.90
拨号成功后设备自动生成192.168.100.0/24 指向 Virtual-Template1的静态路由,覆盖原有明细路由:
plaintext
ip route-static 192.168.100.4 24 192.168.10.254
ip route-static 192.168.100.3 24 192.168.10.254
ip route-static 192.168.100.5 24 192.168.10.254
路由冲突导致:内网、原有 VPN 流量全部匹配 VPN 隧道路由,无法正常走互联网 / 分支 IPSec 隧道,全网断网、原有 VPN 全部下线。
2. NAT 策略未排除 VPN 网段,VPN 流量被 EasyIP NAT 拦截
外网接口nat outbound 3000,ACL3000 仅放行内网网段,未排除 192.168.100.0/24 VPN 地址段:
分支站点 IPSec 感兴趣流 ACL3001 包含 VPN 网段,NAT 先匹配 3000 做转换,IPSec 加密流量被 NAT 篡改,分支隧道直接断开;
手机 VPN 客户端访问内网时,流量被 NAT 转换为公网地址,内网回程路由失效。
3. IKEv2 策略优先级低于站点 IPSec,协商抢占资源
现有站点 IPSec 策略模板序号 1,新增 IKEv2 策略 10 优先级更低;同时公网接口同时绑定ipsec apply policy ipsec,多类型 IPSec 协商报文争抢 500/4500 端口,隧道会话震荡、频繁重置。
二、分步修复配置(不改动现有业务,兼容 3 类 VPN 共存)
步骤 1:隔离 VPN 地址池(根治路由覆盖,必改)
新增独立 IKEv2/L2TP-IPSec 地址段,严禁和原有 L2TP 共用 192.168.100.0/24
bash
运行
# 1. 新建独立VPN地址池10,分配给L2TP/IPSec、IKEv2
ip pool 10 192.168.101.10 192.168.101.99
ip pool 10 gateway 192.168.101.1
# 2. 修改IKEv2地址池,切换新网段
undo ikev2 address-group mate80
ikev2 address-group mate80 192.168.101.70 192.168.101.90 255.255.255.0
# 3. 新建独立Virtual-Template2,专供L2TP/IPSec使用(原VT1保留纯L2TP)
interface Virtual-Template2
ppp authentication-mode chap domain mate80
ip address 192.168.101.1 255.255.255.0
# 4. 修改L2TP组,双VT区分两种移动端VPN
undo l2tp-group 1
l2tp-group 1 mode lns
allow l2tp virtual-template 1 domain zhie # 原有纯L2TP用户
allow l2tp virtual-template 2 domain mate80 # 新增L2TP/IPSec用户
undo tunnel authentication
tunnel name zhiexx
# 5. 原有静态路由删除冲突的100段,新增101段回程路由(指向内网核心)
undo ip route-static 192.168.100.4 24 192.168.10.254
undo ip route-static 192.168.100.3 24 192.168.10.254
undo ip route-static 192.168.100.5 24 192.168.10.254
# 新增新VPN网段回程路由,访问内网业务
ip route-static 192.168.101.0 24 192.168.10.254
步骤 2:修正 NAT ACL,排除 VPN 网段,避免 IPSec 流量被转换
bash
运行
# 进入ACL3000,在最顶部新增拒绝VPN网段做NAT(规则序号越小越优先)
acl advanced 3000
rule 0 deny ip source 192.168.100.0 0.0.0.255 # 原有L2TP网段禁止NAT
rule 1 deny ip source 192.168.101.0 0.0.0.255 # 新增IKEv2/L2TP-IPSec网段禁止NAT
# 原有rule35及以下内网放行规则保留不变
步骤 3:优化 IKE/IPSec 策略,多 VPN 稳定共存
bash
运行
# 1. 提升IKEv2策略优先级,高于站点IPSec模板
undo ikev2 policy 10
ikev2 policy 5
priority 5
proposal 10
# 2. 站点IPSec模板序号下调,避免协商冲突
undo ipsec policy-template ipsec 10
ipsec policy-template ipsec 5
transform-set mate80
local-address xx.xx.23.23
ikev2-profile mate80
sa duration time-based 3600
# 3. 公网接口IPSec策略重新绑定,刷新会话
interface GigabitEthernet0/0
undo ipsec apply policy ipsec
ipsec apply policy ipsec
# 4. 开启IPSec NAT穿越保活,适配手机4G/5G网络
ike profile 1
nat-keepalive 120
ikev2 profile mate80
nat-keepalive 120
步骤 4:配套 AAA 账号适配新地址池
bash
运行
# 原有mate80user绑定新地址池10
undo local-user mate80user
local-user mate80user class network
password cipher $c$3$RGlVWU8FixsJvsUU2ZEzAF/iB52GvRlilJFefYI8FBvSeQ=!!=
service-type ike
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
authorization-attribute ip-pool 10
authorization-attribute primary-dns ip 223.5.5.5
三、完整新增 L2TP/IPSec、IKEv2 PSK 配置(不改动原有业务)
1. IKEv2 PSK 完整配置(已嵌入上方修复,汇总)
bash
运行
# IKEv2提案
ikev2 proposal 10
encryption 3des-cbc aes-cbc-256 aes-cbc-128
integrity sha1 sha256
dh group2 group14 group5 group19
prf sha1 sha256
# IKEv2策略(高优先级5)
ikev2 policy 5
proposal 10
# IKEv2预共享密钥
ikev2 keychain mate80
peer mate80
address 0.0.0.0 0.0.0.0
pre-shared-key ciphertext $c$3$l2IgnAaWaUzXel9y3080/2QXzlIOH0Io4Gs66mo=!@
# IKEv2配置模板
ikev2 profile mate80
authentication-method local pre-share
authentication-method remote pre-share
keychain mate80
dpd interval 30 retry 2 on-demand
nat-keepalive 120
aaa authorization domain mate80 username mate80user
match local address xx.xx.23.23
match remote identity address 0.0.0.0 0.0.0.0
# IKEv2独立地址池10(192.168.101.0/24)
ikev2 address-group mate80 192.168.101.70 192.168.101.90 255.255.255.0
# 绑定domain mate80
domain mate80
authentication ike local
authorization ike local
2. L2TP/IPSec 配套配置(复用 IKEv2 profile,新增 VT2)
bash
运行
# L2TP全局开启
l2tp enable
# L2TP组双VT区分两种移动端VPN
l2tp-group 1 mode lns
allow l2tp virtual-template 1 domain zhie
allow l2tp virtual-template 2 domain mate80
undo tunnel authentication
tunnel name zhiexx
# 新VT2用于L2TP/IPSec客户端
interface Virtual-Template2
ppp authentication-mode chap domain mate80
ip address 192.168.101.1 255.255.255.0
# 对应domain mate80账号mate80user,分配pool10地址
3. 原有业务保留说明
纯 L2TP 用户:domain zhie、Virtual-Template1、地址池 1(192.168.100.0/24)完全不变;
站点分支 IPSec:ACL3001、ipsec policy-template 1、ike profile1 全部保留,无改动;
内网 DHCP、NAT、静态路由仅新增 VPN 网段规则,原有业务不受影响。
四、验证 & 排错命令
bash
运行
# 1. 查看VPN地址池分配
display ip pool all
display ikev2 address-group
# 2. 查看路由表,确认无192.168.100.0/24汇总路由覆盖明细
display ip routing-table | include 192.168.100
display ip routing-table | include 192.168.101
# 3. 查看IPSec/IKE协商会话
display ikev2 session all
display ipsec sa all
display l2tp session all
# 4. 查看NAT匹配,确认VPN网段拒绝转换
display acl 3000
display nat session source 192.168.101.0
五、极简总结
核心故障根源:新旧 VPN 共用同一 192.168.100.0/24 地址池,拨号自动生成汇总路由覆盖内网明细路由,全网断网;
根治方案:新建独立 192.168.101.0/24 地址池专供 L2TP/IPSec、IKEv2,拆分 Virtual-Template 区分两类移动端 VPN;
配套优化:NAT ACL 顶部拒绝 VPN 网段转换,提升 IKEv2 策略优先级,避免 IPSec 隧道协商冲突;
业务兼容:原有纯 L2TP、分支站点 IPSec 配置零改动,修复后三类 VPN 可同时稳定在线,内网外网正常访问。
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
抄袭了我的内容
×
原文链接或出处
诽谤我
×
对根叔社区有害的内容
×
不规范转载
×
举报说明
已更新评论