This case uses the H3C HCL simulator to model a topology in which a remote system dials twice over L2TP VPN to reach the private network behind the LNS. The internal and external networks are clearly labelled in the topology diagram. In internal network 1, R1 acts as the PPPoE dial-up server, so hosts in internal network 1 must first dial in over PPPoE to get network access. In internal network 2, R2 acts as the L2TP VPN LNS endpoint. Once a host in internal network 1 has completed the PPPoE dial-up, it dials a second time acting as the LAC; only then can it traverse NAT and the public network to reach the inside of the LNS.
1. Configure IP addresses correctly according to the network topology diagram.
2. Configure NAT on R1 and a default route pointing to the external network.
3. Enable PPPoE on R1 as the basis for access by the hosts in internal network 1.
4. Configure NAT on R2 and a default route pointing to the external network.
5. Configure L2TP VPN on R2 as the LNS endpoint, providing the VPN transport for LAC access.
6. Before the L2TP VPN tunnel is established, hosts in internal network 1 and internal network 2 cannot reach each other.
7. After the L2TP VPN tunnel is established, hosts in internal network 1 and internal network 2 can reach each other.
1. Stage one (basic network configuration):
R1:
<H3C>sys
System View: return to User View with Ctrl+Z.
[H3C]sysname R1
[R1]local-user ninglihua class network
New local user added.
[R1-luser-network-ninglihua]password simple ninglihua
[R1-luser-network-ninglihua]service-type ppp
[R1-luser-network-ninglihua]quit
[R1]domain name system
[R1-isp-system]authentication ppp local
[R1-isp-system]quit
[R1]ip pool ninglihua 192.168.10.2 192.168.10.100
[R1]ip pool ninglihua gateway 192.168.10.1
[R1]int Virtual-Template 1
[R1-Virtual-Template1]ip address 192.168.10.1 255.255.255.0
[R1-Virtual-Template1]ppp authentication pap domain system
[R1-Virtual-Template1]remote address pool ninglihua
[R1-Virtual-Template1]quit
[R1]int gi 0/0
[R1-GigabitEthernet0/0]pppoe-server bind virtual-template 1
[R1-GigabitEthernet0/0]quit
[R1]int gi 0/1
[R1-GigabitEthernet0/1]des <connect to ISP>
[R1-GigabitEthernet0/1]ip address 202.1.100.2 30
[R1-GigabitEthernet0/1]nat outbound
[R1-GigabitEthernet0/1]quit
[R1]ip route-static 0.0.0.0 0.0.0.0 202.1.100.1
ISP:
<H3C>sys
System View: return to User View with Ctrl+Z.
[H3C]sysname ISP
[ISP]int gi 0/0
[ISP-GigabitEthernet0/0]des <connect to R1>
[ISP-GigabitEthernet0/0]ip address 202.1.100.1 30
[ISP-GigabitEthernet0/0]quit
[ISP]int gi 0/1
[ISP-GigabitEthernet0/1]des <connect to R2>
[ISP-GigabitEthernet0/1]ip address 202.2.100.1 30
[ISP-GigabitEthernet0/1]quit
R2:
<H3C>sys
System View: return to User View with Ctrl+Z.
[H3C]sysname R2
[R2]vlan 100
[R2-vlan100]quit
[R2]int vlan 100
[R2-Vlan-interface100]ip address 172.16.100.1 24
[R2-Vlan-interface100]quit
[R2]int gi 0/0
[R2-GigabitEthernet0/0]port link-mode bridge
[R2-GigabitEthernet0/0]port link-type access
[R2-GigabitEthernet0/0]port access vlan 100
[R2-GigabitEthernet0/0]quit
[R2]acl basic 2000
[R2-acl-ipv4-basic-2000]rule 0 permit source any
[R2-acl-ipv4-basic-2000]quit
[R2]int gi 0/1
[R2-GigabitEthernet0/1]des <connect to ISP>
[R2-GigabitEthernet0/1]ip address 202.2.100.2 30
[R2-GigabitEthernet0/1]nat outbound 2000
[R2-GigabitEthernet0/1]quit
[R2]ip route-static 0.0.0.0 0.0.0.0 202.2.100.1
Stage one tests:
The host in internal network 1 performs the PPPoE broadband dial-up:
The host in internal network 2 is given a static IP address:
The host in internal network 1 can ping the public address of internal network 2 but cannot ping its private addresses:
The host in internal network 2 can ping the public address of internal network 1 but cannot ping its private addresses:
2. Stage two configuration
Key configuration points for the L2TP VPN LNS:
[R2]local-user weijianing class network
New local user added.
[R2-luser-network-weijianing]password simple weijianing
[R2-luser-network-weijianing]service-type ppp
[R2-luser-network-weijianing]quit
[R2]domain name system
[R2-isp-system]authentication ppp local
[R2-isp-system]quit
[R2]ip pool weijianing 172.16.200.2 172.16.200.254
[R2]ip pool weijianing gateway 172.16.200.1
[R2]int Virtual-Template 1
[R2-Virtual-Template1]ip address 172.16.200.1 255.255.255.0
[R2-Virtual-Template1]ppp authentication chap domain system
[R2-Virtual-Template1]remote address pool weijianing
[R2-Virtual-Template1]quit
[R2]l2tp enable
[R2]l2tp-group 1 mode lns
[R2-l2tp1]tunnel name LNS
[R2-l2tp1]undo tunnel authentication
[R2-l2tp1]allow l2tp virtual-template 1
[R2-l2tp1]quit
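The LNS above runs `undo tunnel authentication`, so the L2TP control connection is brought up without a Challenge AVP and only the PPP CHAP exchange on the virtual template gates access. The following added example (not code from the original page or from H3C) is a small L2TPv2 control-message parser a defender can run over captured UDP/1701 traffic to see which tunnels were negotiated without tunnel authentication; the peer host name and tunnel id values in the sample packet are constructed.

```python
import struct

# L2TPv2 (RFC 2661) header flag bits and the AVP attribute types this parser looks at.
FLAG_T, FLAG_L, FLAG_S = 0x8000, 0x4000, 0x0800
MSG_NAMES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 10: "ICRQ", 11: "ICRP", 12: "ICCN"}
AVP_MSG_TYPE, AVP_PROTO_VERSION, AVP_HOST_NAME, AVP_ASSIGNED_TID, AVP_CHALLENGE = 0, 2, 7, 9, 11

def build_avp(attr, value, mandatory=True, vendor=0):
    """Encode one AVP: M/H flag bits + 10-bit total length, vendor id, attribute type, value."""
    return struct.pack("!3H", (0x8000 if mandatory else 0) | (6 + len(value)), vendor, attr) + value

def build_control_message(avps, tunnel_id=0, ns=0, nr=0):
    """Prefix AVPs with a control header: T=1, L=1, S=1, version 2, session id 0 (tunnel level)."""
    body = b"".join(avps)
    return struct.pack("!6H", FLAG_T | FLAG_L | FLAG_S | 2, 12 + len(body), tunnel_id, 0, ns, nr) + body

def parse_control_message(pkt):
    """Decode header and AVPs (hidden AVPs are not unhidden). 'tunnel_auth' reports whether a
    Challenge AVP is present, i.e. whether L2TP tunnel authentication is being negotiated."""
    if len(pkt) < 12:
        raise ValueError("short packet")
    flags, length, tunnel_id, session_id, ns, nr = struct.unpack_from("!6H", pkt, 0)
    if (flags & 0x000F) != 2 or not flags & FLAG_T:
        raise ValueError("not an L2TPv2 control message")
    if not (flags & FLAG_L and flags & FLAG_S):
        raise ValueError("control messages must carry Length and Ns/Nr fields")
    if length > len(pkt):
        raise ValueError("truncated packet")
    avps, off = {}, 12
    while off < length:
        hdr, vendor, attr = struct.unpack_from("!3H", pkt, off)
        avp_len = hdr & 0x03FF
        if avp_len < 6 or off + avp_len > length:
            raise ValueError("malformed AVP at offset %d" % off)
        avps[(vendor, attr)] = pkt[off + 6:off + avp_len]
        off += avp_len
    tid = avps.get((0, AVP_ASSIGNED_TID))
    return {
        "message": MSG_NAMES.get(struct.unpack("!H", avps.get((0, AVP_MSG_TYPE), b"\0\0"))[0], "unknown"),
        "tunnel_id": tunnel_id, "session_id": session_id, "ns": ns, "nr": nr,
        "host_name": avps.get((0, AVP_HOST_NAME), b"").decode("ascii", "replace"),
        "assigned_tunnel_id": struct.unpack("!H", tid)[0] if tid and len(tid) == 2 else None,
        "tunnel_auth": (0, AVP_CHALLENGE) in avps,
    }

# Constructed sample: the SCCRQ a client sends to an LNS running "undo tunnel authentication"
# carries no Challenge AVP, so any peer reaching UDP/1701 can open the tunnel (PPP auth still applies).
SAMPLE_SCCRQ = build_control_message([
    build_avp(AVP_MSG_TYPE, struct.pack("!H", 1)), build_avp(AVP_PROTO_VERSION, b"\x01\x00"),
    build_avp(AVP_HOST_NAME, b"LAC-PC"), build_avp(AVP_ASSIGNED_TID, struct.pack("!H", 42))])
```

A tunnel whose SCCRQ and SCCRP both report `tunnel_auth: False` was set up exactly as this lab configures it; re-enabling tunnel authentication (or carrying L2TP inside IPsec) is the usual hardening step.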
VPN dial-up settings on the host in internal network 1:
Enter the username and password and click Connect:
The VPN dial-up connection succeeds:
The host in internal network 1 can ping the host in internal network 2:
The host in internal network 2 can also ping the host in internal network 1:
Because the LNS assigns an IP address to the internal network 1 host when it dials in, the host in internal network 2 pings that assigned address. The address obtained by internal network 1 after dial-up is 172.16.200.3, so the host in internal network 2 pings 172.16.200.3.
At this point the host in internal network 1 reaches the L2TP VPN private network by dialing twice: first the PPPoE broadband dial-up, then the L2TP VPN dial-up.
This completes typical L2TP networking configuration 3!