Current environment:
Headquarters and the branch are completely independent; each has its own management network, production network and office network (the management and production networks are forbidden from reaching the internet and from accessing the office network).
Requirements:
- The office network reaches the internet through the local ADSL link
- The branch production network reaches the internet through headquarters
- The headquarters production network must be able to reach the branch production network
Solution:
1: Build an L2TP VPN at headquarters for the branch to connect to, and configure policy-based routing so that the office segment exits via ADSL by default and the production segment exits via the L2TP VPN tunnel by default
Headquarters AR configuration
```
==========Basic configuration==========
# Configure interface IP addresses
[LNS] interface gigabitEthernet 1/0/0
[LNS-GigabitEthernet1/0/0] ip address 119.136.19.1 255.255.255.248
[LNS] interface gigabitEthernet 2/0/0
[LNS-GigabitEthernet2/0/0] ip address 30.0.0.0 255.255.255.0
[LNS-GigabitEthernet2/0/0] ip address 10.0.0.254 255.255.255.0 sub
[LNS-GigabitEthernet2/0/0] ip address 192.168.0.254 255.255.255.0 sub
# Configure the default route with preference 10
[LNS] ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/0 preference 10
==========L2TP configuration==========
# Create the L2TP user
[LNS] aaa
[LNS-aaa] local-user demon password cipher Huawei@2021
[LNS-aaa] local-user demon service-type ppp
# Configure the address pool
[LNS] ip pool 1
[LNS-ip-pool-1] network 20.0.0.0 mask 24
[LNS-ip-pool-1] gateway-list 20.0.0.254
# Create the virtual-template interface and configure the PPP negotiation parameters
[LNS] interface virtual-template 1
[LNS-Virtual-Template1] ppp authentication-mode chap
[LNS-Virtual-Template1] remote address pool 1
[LNS-Virtual-Template1] ip address 20.0.0.254 255.255.255.0
# Enable L2TP and create an L2TP group
[LNS] l2tp enable
[LNS] l2tp-group 1
# Set the headquarters tunnel name and the expected branch tunnel name
[LNS-l2tp1] tunnel name lns
[LNS-l2tp1] allow l2tp virtual-template 1 remote lac
# Enable tunnel authentication and set the tunnel authentication password (must match the LAC)
[LNS-l2tp1] tunnel authentication
[LNS-l2tp1] tunnel password cipher huawei
```
Branch AR configuration
```
==========Basic configuration==========
# NAT for ADSL egress matches the office segment (10.3.0.0/24) as source; only that segment is allowed out through the ADSL gateway
[LAC] acl 2999
[LAC-acl-adv-2999] rule 5 permit source 10.3.0.0 0.0.0.255
# Configure interface IP addresses
[LAC] interface gigabitEthernet 1/0/0
[LAC-GigabitEthernet1/0/0] ip address dhcp-alloc
[LAC-GigabitEthernet1/0/0] nat outbound 2999
[LAC] interface gigabitEthernet 2/0/0
[LAC-GigabitEthernet2/0/0] ip address 30.0.3.0 255.255.255.0
[LAC-GigabitEthernet2/0/0] ip address 10.3.0.254 255.255.255.0 sub
[LAC-GigabitEthernet2/0/0] ip address 192.171.0.254 255.255.255.0 sub
# Configure the default route with preference 10
[LAC] ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/0 dhcp preference 10
==========L2TP configuration==========
# Enable L2TP globally, create an L2TP group that sets up a tunnel to the LNS for user demon, and set the keepalive interval to 5 seconds
[LAC] l2tp enable
[LAC] l2tp-group 1
[LAC-l2tp1] tunnel name lac
[LAC-l2tp1] start l2tp ip 119.136.19.1 fullusername demon
[LAC-l2tp1] tunnel timer hello 5
# Enable tunnel authentication and set the tunnel authentication password (must match the LNS)
[LAC-l2tp1] tunnel authentication
[LAC-l2tp1] tunnel password cipher huawei
# Configure the PPP user name and password, the PPP authentication mode and the IP address on the virtual-template interface
[LAC] interface virtual-template 1
[LAC-Virtual-Template1] ppp chap user demon
[LAC-Virtual-Template1] ppp chap password cipher Huawei@2021
[LAC-Virtual-Template1] ip address ppp-negotiate
# Trigger automatic dialling on the LAC to establish the L2TP tunnel
[LAC] interface virtual-template 1
[LAC-Virtual-Template1] l2tp-auto-client enable
==========Policy-based routing==========
# Block the office network from accessing the management and production networks (referred to below as the business networks)
[LAC] acl 3000
[LAC-acl-adv-3000] rule 1 deny ip source 10.3.0.0 0.0.0.255 destination 30.0.3.0 0.0.0.255
[LAC-acl-adv-3000] rule 2 deny ip source 10.3.0.0 0.0.0.255 destination 192.171.0.0 0.0.0.255
# Allow the business networks to reach each other (otherwise, once policy routing is applied, the gateway and the permitted segments become unreachable)
[LAC] acl 3001
[LAC-acl-adv-3001] rule 1 permit ip source 30.0.3.0 0.0.0.255 destination 30.0.3.0 0.0.0.255
[LAC-acl-adv-3001] rule 2 permit ip source 30.0.3.0 0.0.0.255 destination 192.171.0.0 0.0.0.255
[LAC-acl-adv-3001] rule 3 permit ip source 192.171.0.0 0.0.0.255 destination 192.171.0.0 0.0.0.255
[LAC-acl-adv-3001] rule 4 permit ip source 192.171.0.0 0.0.0.255 destination 30.0.3.0 0.0.0.255
# Define the business segments
[LAC] acl 3002
[LAC-acl-adv-3002] rule 5 permit ip source 30.0.3.0 0.0.0.255
[LAC-acl-adv-3002] rule 10 permit ip source 192.171.0.0 0.0.0.255
# Create the traffic classifier that blocks office-to-business traffic
[LAC] traffic classifier Drop_Wan-To-Lan operator or
[LAC-classifier-Drop_Wan-To-Lan] if-match acl 3000
# Create its traffic behaviour
[LAC] traffic behavior Drop_Wan-To-Lan
# Create the business-network traffic classifier
[LAC] traffic classifier Lan operator or
[LAC-classifier-Lan] if-match acl 3001
# Create its traffic behaviour (no action: matched traffic is forwarded normally)
[LAC] traffic behavior Lan
# Create the classifier for traffic going to headquarters
[LAC] traffic classifier Branch_Net operator or
[LAC-classifier-Branch_Net] if-match acl 3002
# Create the traffic behaviour that redirects the matched segments into the L2TP VPN interface
[LAC] traffic behavior Branch_Net
[LAC-behavior-Branch_Net] redirect interface Virtual-Template1
# Create the traffic policy and set the precedence of each classifier/behaviour pair (lower value is evaluated first)
[LAC] traffic policy Route
[LAC-trafficpolicy-Route] classifier Drop_Wan-To-Lan behavior Drop_Wan-To-Lan precedence 10
[LAC-trafficpolicy-Route] classifier Lan behavior Lan precedence 20
[LAC-trafficpolicy-Route] classifier Branch_Net behavior Branch_Net precedence 30
# Apply the traffic policy on the interface in the inbound direction
[LAC] interface Vlanif1
[LAC-Vlanif1] traffic-policy Route inbound
```
Run display l2tp tunnel to confirm that the L2TP tunnel and session have been established.
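The precedence order of the three classifiers is what keeps local business traffic out of the tunnel and office traffic away from the business segments. The following is an added example, not part of the original post or Huawei software: a small model of the branch AR's traffic policy that evaluates the post's ACL rules in precedence order for a few constructed flows, and also shows what happens if the Lan and Branch_Net precedences are swapped.

```python
import ipaddress

# Constructed model of the branch AR's policy routing from the post (not Huawei code).
# ACL rules as (action, source network, destination network or None for "any").
ACL = {
    3000: [("deny", "10.3.0.0/24", "30.0.3.0/24"),
           ("deny", "10.3.0.0/24", "192.171.0.0/24")],
    3001: [("permit", "30.0.3.0/24", "30.0.3.0/24"),
           ("permit", "30.0.3.0/24", "192.171.0.0/24"),
           ("permit", "192.171.0.0/24", "192.171.0.0/24"),
           ("permit", "192.171.0.0/24", "30.0.3.0/24")],
    3002: [("permit", "30.0.3.0/24", None),
           ("permit", "192.171.0.0/24", None)],
}
# Traffic policy "Route": (ACL, behaviour) in precedence order 10, 20, 30.
# "forward" models an empty behaviour: ordinary routing, i.e. the ADSL default route.
POLICY = [(3000, "drop"), (3001, "forward"), (3002, "redirect Virtual-Template1")]


def acl_action(acl_id, src, dst):
    """Action of the first rule in the ACL that matches the flow, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_net, d_net in ACL[acl_id]:
        if s in ipaddress.ip_network(s_net) and (d_net is None or d in ipaddress.ip_network(d_net)):
            return action
    return None


def route_decision(src, dst, policy=POLICY):
    """Walk the classifiers in precedence order and return where the flow ends up."""
    for acl_id, behaviour in policy:
        action = acl_action(acl_id, src, dst)
        if action == "deny":
            return "drop"      # the post relies on the ACL deny rules to discard office->business traffic
        if action == "permit":
            return behaviour
    return "forward"           # unclassified (e.g. office->internet): normal routing via ADSL


if __name__ == "__main__":
    flows = [("10.3.0.10", "30.0.3.20"),      # office -> production: must be dropped
             ("30.0.3.20", "192.171.0.5"),    # production -> management, local: stays local
             ("30.0.3.20", "30.0.0.8"),       # production -> HQ production: into the tunnel
             ("10.3.0.10", "203.0.113.5")]    # office -> internet: ADSL default route
    for src, dst in flows:
        print(f"{src} -> {dst}: {route_decision(src, dst)}")
    # Swapping precedence 20 and 30 would send local business traffic into the tunnel.
    swapped = [POLICY[0], POLICY[2], POLICY[1]]
    print("with Lan after Branch_Net:", route_decision("30.0.3.20", "192.171.0.5", swapped))
```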
2: Build an IPSec VPN at headquarters for the branch to connect to
Headquarters AR configuration
```
# Configure the ACL that defines the traffic to protect
[LNS] acl number 3003
[LNS-acl-adv-3003] rule 1 permit ip source 30.0.0.0 0.0.0.255 destination 30.0.3.0 0.0.0.255
[LNS-acl-adv-3003] rule 2 permit ip source 30.0.0.0 0.0.0.255 destination 192.171.0.0 0.0.0.255
[LNS-acl-adv-3003] rule 3 permit ip source 192.168.0.0 0.0.0.255 destination 30.0.3.0 0.0.0.255
[LNS-acl-adv-3003] rule 4 permit ip source 192.168.0.0 0.0.0.255 destination 192.171.0.0 0.0.0.255
# Configure the IPSec proposal
[LNS] ipsec proposal tran1
[LNS-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[LNS-ipsec-proposal-tran1] esp encryption-algorithm aes-128
# Configure the IKE proposal
[LNS] ike proposal 5
[LNS-ike-proposal-5] encryption-algorithm aes-128
[LNS-ike-proposal-5] authentication-algorithm sha2-256
[LNS-ike-proposal-5] dh group14
# Configure the IKE peer (the pre-shared key must be identical on both peers)
[LNS] ike peer spua
[LNS-ike-peer-spua] undo version 2
[LNS-ike-peer-spua] ike-proposal 5
[LNS-ike-peer-spua] pre-shared-key cipher Huawei@2021
# Configure the IKE-negotiated (ISAKMP) IPSec policy
[LNS] ipsec policy use1 10 isakmp
[LNS-ipsec-policy-isakmp-use1-10] ike-peer spua
[LNS-ipsec-policy-isakmp-use1-10] proposal tran1
[LNS-ipsec-policy-isakmp-use1-10] security acl 3003
# Apply the IPSec policy group on the public interface
[LNS] interface gigabitethernet 1/0/0
[LNS-GigabitEthernet1/0/0] ipsec policy use1
```
Branch AR configuration
```
# Configure the ACL that defines the traffic to protect (mirror image of the headquarters ACL)
[LAC] acl number 3003
[LAC-acl-adv-3003] rule 1 permit ip source 30.0.3.0 0.0.0.255 destination 30.0.0.0 0.0.0.255
[LAC-acl-adv-3003] rule 2 permit ip source 30.0.3.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
[LAC-acl-adv-3003] rule 3 permit ip source 192.171.0.0 0.0.0.255 destination 30.0.0.0 0.0.0.255
[LAC-acl-adv-3003] rule 4 permit ip source 192.171.0.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
# Configure the IPSec proposal
[LAC] ipsec proposal tran1
[LAC-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[LAC-ipsec-proposal-tran1] esp encryption-algorithm aes-128
# Configure the IKE proposal
[LAC] ike proposal 5
[LAC-ike-proposal-5] encryption-algorithm aes-128
[LAC-ike-proposal-5] authentication-algorithm sha2-256
[LAC-ike-proposal-5] dh group14
# Configure the IKE peer (the pre-shared key must be identical on both peers; remote-address is the public address of the LNS interface that carries the IPSec policy)
[LAC] ike peer spub
[LAC-ike-peer-spub] undo version 2
[LAC-ike-peer-spub] ike-proposal 5
[LAC-ike-peer-spub] pre-shared-key cipher Huawei@1234
[LAC-ike-peer-spub] remote-address 1.1.1.1
# Configure the IKE-negotiated (ISAKMP) IPSec policy
[LAC] ipsec policy map1 10 isakmp
[LAC-ipsec-policy-isakmp-map1-10] ike-peer spub
[LAC-ipsec-policy-isakmp-map1-10] proposal tran1
[LAC-ipsec-policy-isakmp-map1-10] security acl 3003
# Apply the IPSec policy group on the public interface
[LAC] interface gigabitethernet 1/0/0
[LAC-GigabitEthernet1/0/0] ipsec policy map1
```
Run display ike sa to view the security associations currently established by IKE.
Run display ipsec sa to view the current IPSec connection information.
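IKE phase 1 only completes when both proposals and the pre-shared key agree, and the LAC must point at the LNS's actual public address. The following is an added example, not part of the original post or Huawei software: a check that pulls those settings out of constructed config excerpts mirroring the two IPSec sections above and reports any value that differs between the peers.

```python
import re

# Constructed excerpts mirroring the IKE/IPsec settings in the post (LNS = HQ, LAC = branch).
LNS_CFG = """
[LNS-GigabitEthernet1/0/0] ip address 119.136.19.1 255.255.255.248
[LNS-ike-proposal-5] encryption-algorithm aes-128
[LNS-ike-proposal-5] authentication-algorithm sha2-256
[LNS-ike-proposal-5] dh group14
[LNS-ike-peer-spua] pre-shared-key cipher Huawei@2021
[LNS-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[LNS-ipsec-proposal-tran1] esp encryption-algorithm aes-128
"""
LAC_CFG = """
[LAC-ike-proposal-5] encryption-algorithm aes-128
[LAC-ike-proposal-5] authentication-algorithm sha2-256
[LAC-ike-proposal-5] dh group14
[LAC-ike-peer-spub] pre-shared-key cipher Huawei@1234
[LAC-ike-peer-spub] remote-address 1.1.1.1
[LAC-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[LAC-ipsec-proposal-tran1] esp encryption-algorithm aes-128
"""
# Settings that must be identical on both peers; the prompt prefix keeps IKE and ESP algorithms apart.
FIELDS = {
    "ike encryption":     r"ike-proposal-\d+\] encryption-algorithm (\S+)",
    "ike authentication": r"ike-proposal-\d+\] authentication-algorithm (\S+)",
    "ike dh":             r"ike-proposal-\d+\] dh (\S+)",
    "pre-shared-key":     r"pre-shared-key cipher (\S+)",
    "esp authentication": r"esp authentication-algorithm (\S+)",
    "esp encryption":     r"esp encryption-algorithm (\S+)",
}


def extract(cfg):
    """Pull each setting's value out of a config excerpt (None when absent)."""
    found = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, cfg)
        found[name] = m.group(1) if m else None
    return found


def compare_peers(lns_cfg, lac_cfg):
    """Return the mismatches that would stop IKE phase 1 or the IPsec SA from coming up."""
    lns, lac = extract(lns_cfg), extract(lac_cfg)
    issues = [f"{k}: LNS={lns[k]} LAC={lac[k]}" for k in FIELDS if lns[k] != lac[k]]
    # The LAC's remote-address has to be the LNS interface that carries the ipsec policy.
    lns_ip = re.search(r"GigabitEthernet1/0/0\] ip address (\S+)", lns_cfg)
    remote = re.search(r"remote-address (\S+)", lac_cfg)
    if lns_ip and remote and lns_ip.group(1) != remote.group(1):
        issues.append(f"remote-address: LAC uses {remote.group(1)}, LNS public address is {lns_ip.group(1)}")
    return issues
```

Run against the values exactly as they appear in the post, it reports the pre-shared key and the remote-address; both have to agree with the LNS side before display ike sa will show a security association.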
Tip: if the link cannot be fully utilised or the connection drops intermittently, set the TCP maximum segment size on the branch AR's traffic ingress interface to 1200 bytes.
```
# Set the TCP maximum segment size for ingress traffic to 1200 bytes (otherwise throughput may not reach the link rate)
[LAC] interface Vlanif1
[LAC-Vlanif1] tcp adjust-mss 1200
```
Below is a speed-test screenshot on a 100 Mbit/s public leased line.
Anonymous says:
Thank you so much, blogger!! You solved the problem that had been giving me a headache for ages; now I won't be fired by my boss!! Sob sob~~~ wonderful.