LNS的配置脚本
#
# --- LNS for plain L2TP (no IPSec): LAC tunnels terminate on 1.1.1.2 ---
l2tp enable
# '@' splits user@domain in the PPP user name; the suffix selects the AAA domain
l2tp domain suffix-separator @
#
# public-facing interface (placed in untrust below)
interface GigabitEthernet1/0/1
ip address 1.1.1.2 255.255.255.0
#
# inside LAN interface (trust); 192.168.1.0/24 is what tunnel users reach
interface GigabitEthernet1/0/3
ip address 192.168.1.1 255.255.255.0
#
# PPP side of the tunnel. 'chap pap' offers both methods; PAP carries the PPP password
# in cleartext and nothing encrypts this tunnel, so CHAP-only is preferable where the
# clients support it. Clients are addressed from 'ip pool 0' (10.1.1.2-10.1.1.100,
# defined under domain default).
interface Virtual-Template0
ppp authentication-mode chap pap
ip address 10.1.1.1 255.255.255.0
remote address pool 0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
# tunnel users land in untrust, so every LAN access path needs an explicit
# security-policy rule (policy_l2tp_1/2 below)
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
add interface Virtual-template 0
#
# 'undo tunnel authentication' removes the L2TP tunnel-level shared secret: a LAC is
# accepted without a tunnel password and only the per-user PPP credential in
# user-manage below authenticates access. Acceptable only where the tunnel is
# otherwise protected (compare the L2TP over IPSec script).
l2tp-group 1
allow l2tp Virtual-template 0
undo tunnel authentication
#
aaa
#
authorization-scheme default
authentication-mode local
#
accounting-scheme default
#
domain default
ip pool 0 10.1.1.2 10.1.1.100
#
# one shared VPN account; 'password' is in device cipher-text form, so this script is
# itself sensitive. Per-user accounts would give a usable audit trail.
user-manage user vpdnuser domain default
password %$%$j@p.U.0bwNQv9nE#tf]G-+"v%$%$
#
# policy_l2tp_1: LAN -> tunnel users; policy_l2tp_2: tunnel users -> LAN;
# policy_l2tp_3: untrust -> the firewall itself on 1.1.1.2. Rule 3 has no 'service'
# match, so every protocol aimed at the public address is permitted, not only the
# L2TP service (UDP 1701) — narrowing it is the usual hardening step.
security-policy
rule name policy_l2tp_1
source-zone trust
destination-zone untrust
source-address 192.168.1.0 24
destination-address range 10.1.1.2 10.1.1.100
action permit
rule name policy_l2tp_2
source-zone untrust
destination-zone trust
source-address range 10.1.1.2 10.1.1.100
destination-address 192.168.1.0 24
action permit
rule name policy_l2tp_3
source-zone untrust
destination-zone local
destination-address 1.1.1.2 32
action permit
#######################################################################
L2TP over IPSec的配置脚本
#
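# --- LNS with L2TP carried inside IPSec (IKE + ESP); clients initiate to 1.1.1.2 ---
l2tp enable
#
# IKE peer for the remote clients. 'remote-id-type none' skips peer-identity checking,
# so the pre-shared key (stored in device cipher-text form) is the only thing that
# authenticates a peer; 'exchange-mode auto' and 'ike negotiate compatible' accept the
# mode the client proposes. Key strength and rotation therefore carry the whole weight.
ike peer ike91165721597
exchange-mode auto
pre-shared-key %$%$Z1}*8w'rH;MD;%$%$
ike negotiate compatible
remote-id-type none
#
# traffic to protect: L2TP control and data (UDP 1701) in either direction
acl number 3001
rule 5 permit udp source-port eq 1701
rule 10 permit udp destination-port eq 1701
#
# no ESP encryption/integrity algorithm is set, so the proposal uses this software
# version's defaults — confirm they meet policy before deployment
ipsec proposal prop91165721597
encapsulation-mode auto
#
# policy template (responder side, many clients behind one template), bound to ACL 3001
# and the peer above; local-address matches GigabitEthernet1/0/1
ipsec policy-template tpl91165721597 1
security acl 3001
ike-peer ike91165721597
alias policy_ipsec
scenario point-to-multipoint l2tp-user-access
proposal prop91165721597
local-address 1.1.1.2
sa duration traffic-based 200000000
sa duration time-based 3600
#
ipsec policy ipsec9116572166 10000 isakmp template tpl91165721597
#
# public interface; the IPSec policy is applied here, so L2TP only arrives inside ESP
interface GigabitEthernet1/0/1
ip address 1.1.1.2 255.255.255.0
ipsec policy ipsec9116572166 auto-neg
#
# inside LAN interface
interface GigabitEthernet1/0/3
ip address 192.168.1.1 255.255.255.0
#
# PPP side of the tunnel; clients are addressed from 'ip pool 1'. PAP is still offered
# next to CHAP, but here the PPP exchange runs inside ESP.
# NOTE(review): unlike Virtual-Template0 in the plain-LNS script, no 'ip address' is
# configured on this template — confirm the LNS end of the PPP link gets one (10.1.1.1
# there) or IPCP address assignment may not complete.
interface Virtual-Template1
ppp authentication-mode chap pap
alias L2TP_LNS_0
remote address pool 1
#
# tunnel authentication is left at its default here (the plain-LNS script disables it
# explicitly); if the default is enabled, a 'tunnel password' is needed for the LAC to
# be accepted — confirm against the target software version
l2tp-group 1
allow l2tp virtual-template 1
#
l2tp domain suffix-separator @
#
aaa
#
authorization-scheme default
authentication-mode local
#
accounting-scheme default
#
domain default
ip pool 1 10.1.1.2 10.1.1.100
#
# one shared VPN account (same cipher-text as the plain-LNS script); the script is
# itself sensitive. Per-user accounts would give a usable audit trail.
user-manage user vpdnuser domain default
password %$%$j@p.U.0bwNQv9nE#tf]G-+"v%$%$
#
# NOTE(review): Virtual-Template1 is placed in trust here (untrust in the plain-LNS
# script), so decrypted tunnel-user <-> LAN traffic is intra-zone, while policy_ipsec_1/2
# below describe the untrust<->trust case — confirm which zone the template is meant
# to sit in and keep the rules consistent with it.
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
add interface Virtual-Template1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
# policy_ipsec_1: tunnel users -> LAN; policy_ipsec_2: LAN -> tunnel users (fixed: the
# original had 'range' on the /24 prefix and no 'range' on the start/end pair, mirroring
# policy_ipsec_1 and policy_l2tp_1 gives the valid form); policy_ipsec_3: untrust -> the
# firewall itself on 1.1.1.2. Rule 3 has no 'service' match, so every protocol aimed at
# the public address is permitted rather than only IKE (UDP 500/4500), ESP and the
# decrypted L2TP (UDP 1701) — narrowing it is the usual hardening step.
security-policy
rule name policy_ipsec_1
source-zone untrust
destination-zone trust
source-address range 10.1.1.2 10.1.1.100
destination-address 192.168.1.0 24
action permit
rule name policy_ipsec_2
source-zone trust
destination-zone untrust
source-address 192.168.1.0 24
destination-address range 10.1.1.2 10.1.1.100
action permit
rule name policy_ipsec_3
source-zone untrust
destination-zone local
destination-address 1.1.1.2 32
action permit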
转载于:https://blog.51cto.com/11403002/1910830