L2TP OVER IPSEC
(LNS地址在内网,通过公网映射)
组网
LAC公网地址为,LNS在用户内网地址为,通过映射为公网地址。
用户需求:PC用户通过PPPOE拨号到LAC出发L2TP隧道建立,同时要求做IPSEC加密。 配置: LAC:
version , Release 2512P04 #
sysname lac #
l2tp enable #
domain default enable system # ipv6 #
telnet server enable #
port-security enable #
password-recovery enable #
acl number 3500
rule 5 permit ip source 0 destination 0 rule 10 permit ip source 0 destination 0 # vlan 1 # Ddomain
authentication ppp local access-limit disable state active idle-cut disable self-service-url disable domain system access-limit disable state active idle-cut disable self-service-url disable #
ike peer lac
exchange-mode aggressive
pre-shared-key cipher $c$3$1x8s/6RGe2wayz2b/ilLMlHyJ86Kag==
id-type name remote-name lns
remote-address local-address local-name lac nat traversal #
ipsec transform-set lac encapsulation-mode tunnel transform esp
esp authentication-algorithm sha1 esp encryption-algorithm 3des #
ipsec policy lac 1 isakmp security acl 3500 ike-peer lac transform-set lac #
user-group system
group-attribute allow-guest #
local-user admin
password cipher $c$3$EiAlBrd/gVGFvSMRAmLoJwgze3wHlYa1BQ== authorization-attribute level 3 service-type telnet service-type web local-user test
password cipher $c$3$SQ3SM2FRQoXeMijjRitI72ToSwbJ9f09xw== service-type ppp
#
l2tp-group 1
tunnel password cipher $c$3$TVsHV3HQRBs5eubLlDPrKCp8o8kwnA== tunnel name lac start l2tp ip domain #
interface Aux0 async mode flow link-protocol ppp #
interface Cellular0/0 async mode protocol link-protocol ppp #
interface Virtual-Template1
ppp authentication-mode pap chap domain #
interface NULL0 #
interface Vlan-interface1
pppoe-server bind Virtual-Template 1 ip address GigabitEthernet0/0 port link-mode route ip address ipsec policy lac #
interface GigabitEthernet0/1 port link-mode bridge
#
interface GigabitEthernet0/2 port link-mode bridge #
interface GigabitEthernet0/3 port link-mode bridge #
interface GigabitEthernet0/4 port link-mode bridge #
ip route-static ip route-static #
load xml-configuration #
load tr069-configuration #
user-interface tty 12 user-interface aux 0 user-interface vty 0 4 authentication-mode scheme # return LNS: #
dialer-rule 1 ip permit
l2tpoveripsec(lns地址在内网,通过公网映射)
