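A First Try at Configuring L2TP VPN Access on the Huawei AR-18
A few days ago a customer bought a Huawei AR-18 series router from us and handed all of its management over to us. I completed the L2TP access setup myself by following the "Typical Configuration Examples for Low- and Mid-Range Routers" (VRP 3.4) found online, and I am sharing it here; if anything is wrong, please point it out. The attachment is that Typical Configuration Examples document, which also covers how to set up the dial-in connection on Windows XP.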
[H3C]dis cu
#
 sysname H3C
#
 l2tp enable  // enable L2TP
#
 nat address-group 20 x.x.x.x x.x.x.10
 nat static 192.168.1.1 x.x.x.1
 nat static 192.168.1.5 x.x.x.2
 nat static 192.168.1.4 x.x.x.3
 nat static 192.168.1.3 x.x.x.4
 nat static 192.168.1.2 x.x.x.5
#
 DNS resolve
 DNS-proxy enable
#
 web set-package force flash:/http.zip
#
radius scheme system
#
domain system
 ip pool 1 192.168.250.2 192.168.250.3  // addresses handed to clients after they dial in over L2TP
#
local-user admin
 password simple huawei
 service-type telnet terminal level 3
 service-type ftp
local-user caolei
 password simple caolei
 service-type ppp  // create the PPPoE user
local-user huawei
 password simple huawei
 service-type telnet level 3
local-user pppoe
 password cipher (Z9S*/B*+TOQ=^Q`MAF4<1!!
 service-type ppp
#
dhcp server ip-pool jingliren
 network 192.168.1.0 mask 255.255.255.224
 gateway-list 192.168.1.1
 dns-list 202.106.196.115 202.106.0.20
#
acl number 2000
 rule 0 permit source 192.168.1.0 0.0.0.31
 rule 2 permit source 192.168.250.0 0.0.0.31  // NAT for the pppoe users; with enough public addresses they can be mapped directly instead
 rule 3 deny
#
acl number 3000
 rule 0 deny tcp destination-port eq 6667
 rule 1 deny tcp destination-port eq 1434
 rule 2 deny udp destination-port eq 4444
 rule 3 deny tcp destination-port eq 135
 rule 4 deny udp destination-port eq 135
 rule 5 deny udp destination-port eq netbios-ssn
 rule 6 deny tcp destination-port eq 139
 rule 7 permit ip
#
interface Virtual-Template0
 ppp authentication-mode pap  // PPP on the virtual template uses PAP authentication
 ip address 192.168.250.1 255.255.255.0
#
interface Ethernet1/0
 ip address 192.168.1.1 255.255.255.224  // internal (LAN) address
 ip address X.X.X.10 255.255.255.128 sub  // public management address
 qos car inbound any cir 4096000 cbs 204800 ebs 1000 green pass red discard
 qos car outbound any cir 4096000 cbs 204800 ebs 1000 green pass red discard
#
interface Ethernet1/1
#
interface Ethernet1/2
#
interface Ethernet1/3
#
interface Ethernet1/4
#
interface Ethernet3/0
 ip address 192.168.249.22 255.255.255.252
 firewall packet-filter 3000 inbound
 nat outbound static
 nat outbound 2000 address-group 20
#
interface Atm2/0
#
interface Virtual-Ethernet0
#
interface NULL0
#
l2tp-group 1
 undo tunnel authentication  // disable L2TP tunnel authentication
 mandatory-lcp  // force LCP renegotiation with the dial-in client
 allow l2tp virtual-template 0
#
 FTP server enable
#
 dhcp server forbidden-ip 192.168.1.2 192.168.1.6
#
 ip route-static 0.0.0.0 0.0.0.0 192.168.249.21 preference 60  // upstream interconnect address
#
 snmp-agent
 snmp-agent local-engineid 7F00000100002893
 snmp-agent community read XXXX
 snmp-agent sys-info version all
#
user-interface con 0
user-interface vty 0 4
 authentication-mode scheme
 user privilege level 3
#
return
[H3C]
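An added example, not part of the original post: a short Python check that groups a VRP configuration like the one above into its sections and reports the settings that keep or send credentials in cleartext (`password simple`, telnet logins, PAP on the virtual template) along with disabled L2TP tunnel authentication. The function names and rule list are hypothetical, the embedded sample is a constructed excerpt of the listing, and the parser assumes the usual one-space indentation of `display current-configuration` output.

```python
import re

# Constructed excerpt of the listing above; the cipher value is a placeholder.
SAMPLE = """\
#
local-user admin
 password simple huawei
 service-type telnet terminal level 3
local-user pppoe
 password cipher PLACEHOLDER
 service-type ppp
#
interface Virtual-Template0
 ppp authentication-mode pap
#
l2tp-group 1
 undo tunnel authentication
#
"""

# (section header pattern, sub-command pattern, finding); illustrative rules
RULES = [
    (r"^local-user ", r"^password simple\b", "password kept in cleartext"),
    (r"^local-user ", r"^service-type .*\btelnet\b", "login allowed over telnet"),
    (r"^interface Virtual-Template", r"^ppp authentication-mode .*\bpap\b",
     "PAP sends the PPP password in cleartext"),
    (r"^l2tp-group ", r"^undo tunnel authentication\b",
     "L2TP tunnel authentication is off"),
]

def parse_blocks(config):
    """Group a VRP config into (header, [sub-commands]) by indentation."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.strip() in ("", "#"):      # '#' separates sections
            current = None
        elif raw[0].isspace() and current is not None:
            current[1].append(raw.strip())
        else:                             # unindented line opens a new block
            current = (raw.strip(), [])
            blocks.append(current)
    return blocks

def audit(config):
    """Return (header, command, finding) for every rule that matches."""
    return [(header, cmd, finding)
            for header, subs in parse_blocks(config)
            for head_re, sub_re, finding in RULES if re.search(head_re, header)
            for cmd in subs if re.search(sub_re, cmd)]

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```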



Configuration Manual 1
