L2TP VPN: assigning a fixed IP address to a user
(standalone LAC + AAA authentication)
Author: 余志彬 yfw0576 Date: 2014-06-22
1. Network requirements
Because this L2TP VPN client is a special case, the LNS must assign it a fixed IP address: every time the client dials in, it must receive the same address.
2. Simplified network topology
3. Configuration approach
3.1 IP reachability across the whole network
3.2 Enable L2TP on the LNS
3.3 Configure the L2TP group
3.4 Configure Virtual-Template1
3.5 Configure AAA
3.6 Access configuration on the AAA server
4. Configuration steps
4.1 Enable L2TP on the LNS
l2tp enable
#
4.2 Configure the L2TP group on the LNS
l2tp-group 1
undo tunnel authentication
allow l2tp virtual-template 1
tunnel name LNS
#
4.3 Configure Virtual-Template1 on the LNS
interface Virtual-Template1
ppp authentication-mode chap domain system
ip address 200.200.200.1 255.255.255.0
#
4.4 Configure AAA on the LNS
radius scheme l2tp
primary authentication 20.20.20.2
primary accounting 20.20.20.2
key authentication 123456
key accounting 123456
user-name-format without-domain
nas-ip 20.20.20.1
accounting-on enable
#
domain system
authentication ppp radius-scheme l2tp
authorization ppp radius-scheme l2tp
accounting ppp radius-scheme l2tp
access-limit disable
state active
idle-cut disable
self-service-url disable
#
4.5 Access configuration on the AAA server
Configure the access device:
Configure the access policy:
Configure the access service:
Configure the access user:
5. Configuration files
LNS configuration:
version 5.20, Release 1808
#
l2tp enable
#
radius scheme l2tp
primary authentication 20.20.20.2
primary accounting 20.20.20.2
key authentication 123456
key accounting 123456
user-name-format without-domain
nas-ip 20.20.20.1
accounting-on enable
#
domain system
authentication ppp radius-scheme l2tp
authorization ppp radius-scheme l2tp
accounting ppp radius-scheme l2tp
access-limit disable
state active
idle-cut disable
self-service-url disable
#
local-user admin
password simple admin
service-type ppp
#
l2tp-group 1
undo tunnel authentication
allow l2tp virtual-template 1
tunnel name LNS
#
interface Ethernet0/0
port link-mode route
ip address 20.20.20.1 255.255.255.0
undo ipv6 fast-forwarding
#
interface Ethernet0/1
port link-mode route
ip address 10.10.10.1 255.255.255.252
undo ipv6 fast-forwarding
#
interface Virtual-Template1
ppp authentication-mode chap domain system
ip address 200.200.200.1 255.255.255.0
#
interface LoopBack0
ip address 192.168.1.1 255.255.255.255
#
ip route-static 0.0.0.0 0.0.0.0 10.10.10.2
#
LAC configuration:
version 5.20, Release 2512P01
#
l2tp enable
#
domain default enable system
#
domain system
authentication ppp local
access-limit disable
state active
idle-cut disable
self-service-url disable
#
local-user admin
password cipher $c$3$PV0WotbEpnLvJSqArWEy7JEVAxbP60SY
authorization-attribute level 3
service-type telnet
service-type ppp
local-user yzb
password cipher $c$3$5IKzaZ/PdCq8jmv8Ixc/rZmDbYBi0w==
service-type ppp
#
l2tp-group 1
undo tunnel authentication
tunnel name LAC
start l2tp ip 10.10.10.1 domain system
#
interface Ethernet0/0
port link-mode route
pppoe-server bind Virtual-Template 1
#
interface Ethernet0/1
port link-mode route
ip address 10.10.10.6 255.255.255.252
#
interface Virtual-Template1
ppp authentication-mode chap domain system
#
ip route-static 0.0.0.0 0.0.0.0 10.10.10.5
#
Internet simulation configuration:
#
interface Vlan-interface10
ip address 10.10.10.2 255.255.255.252
#
interface Vlan-interface20
ip address 10.10.10.5 255.255.255.252
#
#
interface GigabitEthernet1/0/20
port link-mode bridge
port access vlan 10
#
interface GigabitEthernet1/0/21
port link-mode bridge
#
interface GigabitEthernet1/0/22
port link-mode bridge
port access vlan 20
#
6. Service verification
6.1 Dial in over PPPoE with username yzb and password yzb: authentication succeeds and the specified IP address is obtained:
In the RADIUS packets you can see the IP address that AAA assigned to the user:
6.2 Authenticate with username yzb2 and password yzb2:
Error 691 is reported. Why?
Because there is no matching user on the LAC.
Add the corresponding user on the LAC:
local-user yzb2
password cipher yzb2
service-type ppp
#
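Before touching the LNS or the AAA server, a quick way to confirm the LAC-side cause of an error 691 is to check whether the dialing user exists as a PPP-capable local-user in the domain that authenticates PPP locally, which is exactly what the fix above adds. The following Python script is an added example, not part of the original post: it parses Comware-style `domain` and `local-user` blocks from a saved configuration and reports why a given user would fail. The embedded configuration text is the relevant part of the LAC configuration from this post; the function names are my own.

```python
"""Diagnose a PPP user on a Comware LAC from its saved configuration.

Added example (not from the post). The config text below is the LAC
configuration from the post, trimmed to the domain and local-user blocks;
yzb2 is the user the post tests in 6.2."""

LAC_CONFIG = """\
#
domain default enable system
#
domain system
 authentication ppp local
 access-limit disable
 state active
#
local-user admin
 password cipher $c$3$PV0WotbEpnLvJSqArWEy7JEVAxbP60SY
 authorization-attribute level 3
 service-type telnet
 service-type ppp
local-user yzb
 password cipher $c$3$5IKzaZ/PdCq8jmv8Ixc/rZmDbYBi0w==
 service-type ppp
#
"""


def parse_local_users(config):
    """Return {username: {"service_types": set, "password_set": bool}}.

    Works whether or not the sub-command indentation survived copy/paste:
    a block starts at 'local-user X' and ends at '#' or the next 'local-user'."""
    users, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("local-user "):
            current = line.split(None, 1)[1]
            users[current] = {"service_types": set(), "password_set": False}
        elif line == "#" or not line:
            current = None
        elif current is not None:
            if line.startswith("service-type "):
                users[current]["service_types"].update(line.split()[1:])
            elif line.startswith("password "):
                users[current]["password_set"] = True
    return users


def ppp_auth_method(config, domain="system"):
    """Return the 'authentication ppp ...' setting inside 'domain <name>',
    e.g. 'local' or 'radius-scheme l2tp', or None if not configured."""
    in_domain = False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "domain " + domain:
            in_domain = True
        elif line == "#":
            in_domain = False
        elif in_domain and line.startswith("authentication ppp "):
            return line[len("authentication ppp "):]
    return None


def diagnose_ppp_user(config, username, domain="system"):
    """Return (ok, reason) for a PPPoE/L2TP user dialing into this LAC."""
    method = ppp_auth_method(config, domain)
    if method != "local":
        # Not a LAC-local problem: the LAC forwards PPP authentication elsewhere.
        return True, "domain %s authenticates PPP via %r, not locally" % (domain, method)
    user = parse_local_users(config).get(username)
    if user is None:
        return False, "no local-user %s on the LAC (dial-up error 691)" % username
    if "ppp" not in user["service_types"]:
        return False, "local-user %s lacks 'service-type ppp'" % username
    if not user["password_set"]:
        return False, "local-user %s has no password" % username
    return True, "local-user %s can authenticate PPP" % username


if __name__ == "__main__":
    for name in ("yzb", "yzb2"):
        print(name, diagnose_ppp_user(LAC_CONFIG, name))
```

Running it against the original LAC configuration reports yzb as usable and yzb2 as missing; appending the `local-user yzb2` block from the post makes the yzb2 check pass.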
In the RADIUS packets you can see the IP address that AAA assigned to the user:
The images can't be seen.
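What the RADIUS captures in 6.1 and 6.2 show is the Framed-IP-Address attribute (type 8) in the Access-Accept; the fixed address is simply whatever the AAA server places there, and the LNS applies it in place of a pool address. The following Python script is an added example, not code from the post: it builds a constructed Access-Accept for user yzb, verifies the Response Authenticator with the shared key 123456 configured on the LNS (an LNS must discard replies that fail this check), and extracts the assigned address. The address 200.200.200.100, the Request Authenticator and the packet identifier are constructed; only the shared key and the 200.200.200.0/24 range of Virtual-Template1 come from the post.

```python
"""Parse a RADIUS Access-Accept and extract the Framed-IP-Address that AAA
hands to an L2TP/PPP user (RFC 2865 packet and attribute layout).

Added example, not from the post. The packet is constructed here; only the
shared secret 123456 and the 200.200.200.0/24 range come from the post."""
import hashlib
import hmac
import ipaddress
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_FRAMED_IP_ADDRESS, ATTR_FRAMED_IP_NETMASK = 1, 8, 9

SHARED_SECRET = b"123456"  # 'key authentication 123456' on the LNS (from the post)


def encode_attrs(attrs):
    """attrs: list of (type, value bytes). Each AVP is Type(1) Length(1) Value."""
    out = bytearray()
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return bytes(out)


def build_response(code, identifier, request_auth, secret, attrs):
    """Build a RADIUS response. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet, request_auth, secret):
    """Recompute the Response Authenticator; a mismatch means the reply was not
    produced with our shared secret (or was altered in transit)."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attrs(packet):
    """Return [(type, value)] from the attribute area; rejects bad lengths."""
    attrs, pos = [], 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def framed_ip_address(packet):
    """Return the assigned address as a string, or None when the server leaves
    assignment to the NAS (RFC 2865 reserves 255.255.255.254 for 'NAS picks'
    and 255.255.255.255 for 'user picks')."""
    for atype, value in parse_attrs(packet):
        if atype == ATTR_FRAMED_IP_ADDRESS and len(value) == 4:
            ip = str(ipaddress.IPv4Address(value))
            return None if ip in ("255.255.255.254", "255.255.255.255") else ip
    return None


def check_fixed_ip(packet, request_auth, secret, expected_ip, pool):
    """The post's requirement: the user must always get the same address.
    Returns (True, ip) or (False, reason)."""
    if not verify_response(packet, request_auth, secret):
        return False, "bad Response Authenticator: reply must be discarded"
    if packet[0] != ACCESS_ACCEPT:
        return False, "code %d is not Access-Accept" % packet[0]
    ip = framed_ip_address(packet)
    if ip is None:
        return False, "no Framed-IP-Address: the LNS would assign from its own pool"
    if ipaddress.IPv4Address(ip) not in ipaddress.IPv4Network(pool):
        return False, "assigned %s lies outside %s" % (ip, pool)
    if ip != expected_ip:
        return False, "assigned %s, expected fixed address %s" % (ip, expected_ip)
    return True, ip


# Constructed sample: the Request Authenticator the LNS sent and the reply
# the AAA server returns for user yzb. Values are made up for this example.
REQUEST_AUTH = bytes(range(16))
SAMPLE_ACCEPT = build_response(
    ACCESS_ACCEPT, 0x2A, REQUEST_AUTH, SHARED_SECRET,
    [(ATTR_USER_NAME, b"yzb"),
     (ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address("200.200.200.100").packed),
     (ATTR_FRAMED_IP_NETMASK, ipaddress.IPv4Address("255.255.255.0").packed)],
)

if __name__ == "__main__":
    print(check_fixed_ip(SAMPLE_ACCEPT, REQUEST_AUTH, SHARED_SECRET,
                         "200.200.200.100", "200.200.200.0/24"))
```

The same functions can be pointed at a real Access-Accept pulled from a capture (the 20-byte header plus attributes), provided the matching Access-Request's authenticator is kept, since the Response Authenticator cannot be checked without it.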
(0)
Just refer to this link on the site: https://zhiliao.h3c.com/Theme/details/196619