I. Lab objective and topology
First, establish an L2TP tunnel between site FW1 and site FW2, with FW1 acting as the NAS and FW2 as the LNS; then bring up a PPP connection over that L2TP tunnel to provide remote authentication and connectivity.
II. Basic configuration
(1) Configure the interfaces according to the topology diagram
(2) Add the corresponding interfaces to the trust and untrust zones, and add the default Virtual-Template0 to the dmz zone
[FW2]dis zone
2024-07-18 07:47:52.790
local
priority is 100
interface of the zone is (0):
#
trust
priority is 85
interface of the zone is (2):
GigabitEthernet0/0/0
GigabitEthernet1/0/1
#
untrust
priority is 5
interface of the zone is (1):
GigabitEthernet1/0/0
#
dmz
priority is 50
interface of the zone is (1):
Virtual-Template0
#
(3) Configure static routes
FW1 configuration
ip route-static 0.0.0.0 0.0.0.0 155.1.121.1
ip route-static 10.1.13.0 255.255.255.0 Virtual-Template0
FW2 configuration
ip route-static 0.0.0.0 0.0.0.0 155.1.131.1
III. Detailed configuration
(1) LNS (FW2) server-side configuration
l2tp enable
#
#
ip pool L2TP_POOL
section 0 192.168.0.1 192.168.0.10
#
#
l2tp-group default-lns
l2tp-group lns
tunnel password cipher Huawei@123
tunnel name LNS
allow l2tp virtual-template 0 remote LAC domain default
#
aaa
service-scheme l2tpSScheme_1721288647251
ip-pool L2TP_POOL
#
interface Virtual-Template0
ppp authentication-mode chap
remote service-scheme l2tpSScheme_1721288647251
ip address 192.168.0.12 255.255.255.0
#
User configuration
(2) Configure the NAS (client) side
Configure NAT on the client side so that, once inner-network traffic leaves through the Virtual-Template interface, the server side can reply to the client's Virtual-Template packets, and so that the two inner-network hosts can ping each other.
[FW1-policy-nat]dis th
2024-07-18 08:53:51.450
#
nat-policy
rule name EASY_IP
source-zone trust
destination-zone dmz
source-address 10.1.12.0 mask 255.255.255.0
action source-nat easy-ip
#
IV. Verification
[FW1]dis l2tp tunnel
L2TP::Total Tunnel: 1
LocalTID RemoteTID RemoteAddress  Port  Sessions RemoteName VpnInstance
------------------------------------------------------------------------------
1        1         155.1.131.13   1701  1        LNS
------------------------------------------------------------------------------
Total 1, 1 printed
[FW1]dis l2tp session
L2TP::Total Session: 1
LocalSID RemoteSID LocalTID RemoteTID UserID UserName VpnInstance
------------------------------------------------------------------------------
1 1 1 1 USER
------------------------------------------------------------------------------
Total 1, 1 printed
[FW1]dis l2tp-group
-----------------------------------------
L2TP-GROUP ID GROUP NAME
-----------------------------------------
1 default-lns
22 lac
-----------------------------------------
Total 2,printed 2
[FW2]dis l2tp tunnel
L2TP::Total Tunnel: 1
LocalTID RemoteTID RemoteAddress  Port   Sessions RemoteName VpnInstance
------------------------------------------------------------------------------
1        1         155.1.121.12   65335  1        LAC
------------------------------------------------------------------------------
Total 1, 1 printed
[FW1]ping 10.1.13.10
PING 10.1.13.10: 56 data bytes, press CTRL_C to break
Reply from 10.1.13.10: bytes=56 Sequence=1 ttl=254 time=10 ms
Reply from 10.1.13.10: bytes=56 Sequence=2 ttl=254 time=9 ms
PC>ping 10.1.13.10
Ping 10.1.13.10: 32 data bytes, Press Ctrl_C to break
From 10.1.13.10: bytes=32 seq=1 ttl=253 time=16 ms
From 10.1.13.10: bytes=32 seq=2 ttl=253 time=16 ms
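As an added example (not part of the original lab), the Python below parses the "display l2tp tunnel" output shown in the verification section and checks every peer against an allowlist of the LNS/LAC addresses and tunnel names the lab expects, so that an unplanned tunnel endpoint or a peer announcing an unexpected name is flagged. SAMPLE_FW1 is copied from the FW1 output on this page; the allowlist format and finding messages are this example's own.

```python
from collections import namedtuple

# Sample copied from the FW1 'dis l2tp tunnel' output shown on this page.
SAMPLE_FW1 = """\
L2TP::Total Tunnel: 1
LocalTID RemoteTID RemoteAddress Port Sessions RemoteName VpnInstance
------------------------------------------------------------------------------
1 1 155.1.131.13 1701 1 LNS
------------------------------------------------------------------------------
Total 1, 1 printed
"""

# One row of the tunnel table; vpn_instance is empty for the public instance.
L2tpTunnel = namedtuple("L2tpTunnel",
    "local_tid remote_tid remote_address port sessions remote_name vpn_instance")

def parse_l2tp_tunnels(output):
    """Return the data rows of one 'display l2tp tunnel' dump as L2tpTunnel tuples."""
    tunnels, in_table = [], False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("LocalTID"):      # column header starts the table
            in_table = True
            continue
        if not in_table or not line or line.startswith("-"):
            continue
        if line.startswith("Total"):         # trailer ends the table
            break
        cols = line.split()
        if len(cols) < 6:                    # not a data row
            continue
        tunnels.append(L2tpTunnel(int(cols[0]), int(cols[1]), cols[2], int(cols[3]),
                                  int(cols[4]), cols[5], cols[6] if len(cols) > 6 else ""))
    return tunnels

def check_tunnels(output, expected_peers):
    """expected_peers maps peer IP -> tunnel name it should announce; returns findings."""
    findings = []
    for t in parse_l2tp_tunnels(output):
        if t.remote_address not in expected_peers:
            findings.append(f"unexpected L2TP peer {t.remote_address} ({t.remote_name})")
        elif expected_peers[t.remote_address] != t.remote_name:
            findings.append(f"peer {t.remote_address} announced name {t.remote_name}, "
                            f"expected {expected_peers[t.remote_address]}")
        if t.sessions == 0:
            findings.append(f"tunnel {t.local_tid} to {t.remote_address} carries no sessions")
    return findings
```

Run the same check against the FW2 dump with the LAC's public address in the allowlist; there the Port column shows the LAC's source port (65335 above), not 1701, so the port is deliberately not part of the check.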