Typical configuration of L2TP dual authentication (CHAP and PAP) on the Huawei SecPath1800F firewall

276 views, 0 comments, 2012-01-17, wfeng
Category: system operations

1. Networking requirements

Verify the L2TP VPN function of the SecPath1800F, with both CHAP and PAP authentication supported at the same time.

2. Network diagram


SecPath1800F: Version 3.40, RELEASE 0354(08);

PC: L2TP client software installed.

3. Configuration information

Main configuration of the SecPath1800F firewall

#
acl number 3000  // define an advanced ACL
 rule 0 permit udp destination-port eq 1701  // permit UDP port 1701
#
 sysname SecPath1800F
#
 l2tp enable  // enable the L2TP service
#
 firewall packet-filter default permit interzone local untrust direction outbound
#
 bypass switch-back auto
#
 firewall mode route
#
 firewall statistic system enable
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface Ethernet0/0/0
#
interface Ethernet0/0/1
#
interface Ethernet2/0/0
 ip address 192.168.1.1 255.255.255.0
#
interface Ethernet2/0/1
 ip address 202.38.1.1 255.255.255.0
#
interface Ethernet2/0/2
#
interface Ethernet2/0/3
#
interface Ethernet2/0/4
#
interface Ethernet2/0/5
#
interface Ethernet2/0/6
#
interface Ethernet2/0/7
#
interface Virtual-Template1  // create the virtual template
 ppp authentication-mode chap pap  // configure the authentication mode
 ip address 192.168.253.1 255.255.255.0
 remote address pool 1
#
interface GigabitEthernet1/0/0
#
interface GigabitEthernet1/0/1
#
interface Secp3/0/0
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface Ethernet2/0/0  // add the interface to the zone
#
firewall zone untrust
 set priority 5
 add interface Ethernet2/0/1  // add the interface to the zone
 add interface Virtual-Template1  // add the virtual template to the zone
#
firewall zone dmz
 set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
 packet-filter 3000 inbound  // apply the ACL to the interzone
#
firewall interzone local dmz
#
firewall interzone trust untrust
#
firewall interzone trust dmz
#
firewall interzone dmz untrust
#
l2tp-group 1  // create the L2TP group
 undo tunnel authentication
 allow l2tp virtual-template 1
#
aaa
 local-user zhaobiao password simple zhaobiao  // create the L2TP account
 local-user zhaobiao service-type ppp
 ip pool 1 192.168.253.2 192.168.253.254  // create the address pool
#
 authentication-scheme default
#
 authorization-scheme default
#
 accounting-scheme default
#
 domain default
#
 ip route-static 0.0.0.0 0.0.0.0 202.38.1.2  // configure the default route
#
user-interface con 0
 authentication-mode none
user-interface aux 0
 authentication-mode none
user-interface vty 0 4
#

4. Configuration key points

When configuring PPP authentication under the virtual template, if PAP is configured first, only PAP authentication can be used; if CHAP is configured first, PAP parameters can also be configured.
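As an added example, not code from the original post or from Huawei, the following Python script parses a VRP-style configuration such as the one in section 3 and reports the settings a reviewer would want to confirm: the order of the keywords on ppp authentication-mode (the key point in section 4, where PAP listed first means only PAP is used), tunnel authentication being disabled in the l2tp-group, and local-user passwords stored with password simple. The sample input is a constructed excerpt of this article's configuration; the function and finding names are the example's own.

```python
import re

# Constructed excerpt of this article's SecPath1800F configuration (zones and
# unused interfaces omitted), used as sample input for the audit below.
SAMPLE_CONFIG = """\
interface Virtual-Template1
 ppp authentication-mode chap pap
 remote address pool 1
#
l2tp-group 1
 undo tunnel authentication
 allow l2tp virtual-template 1
#
aaa
 local-user zhaobiao password simple zhaobiao
 local-user zhaobiao service-type ppp
#
"""

def parse_blocks(config):
    """Map each top-level VRP line to its indented sub-lines; a '#' line ends a block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.strip() in ("", "#"):
            current = None
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks

def audit_l2tp(config):
    """Return (block, message) findings for the L2TP settings this config relies on."""
    blocks, findings = parse_blocks(config), []
    for key, body in blocks.items():
        if key.startswith("interface Virtual-Template"):
            for sub in body:
                m = re.match(r"ppp authentication-mode\s+(.+)", sub)
                modes = m.group(1).split() if m else []
                # Article's key point: with PAP configured first, only PAP is used.
                if "pap" in modes and "chap" in modes and modes.index("pap") < modes.index("chap"):
                    findings.append((key, "pap listed before chap: CHAP will not be used"))
        elif key.startswith("l2tp-group") and "undo tunnel authentication" in body:
            findings.append((key, "L2TP tunnel authentication is disabled"))
        elif key == "aaa":
            findings += [(key, "cleartext (simple) password for " + sub.split()[1])
                         for sub in body if " password simple " in sub]
    return findings
```

Run audit_l2tp on the full running configuration to check the same three points; swapping the keywords to "pap chap" in the sample makes the ordering finding appear.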
