Public network access

First you need a public IP address. Nowadays public IPs are usually dynamic; with China Telecom the public IP changes every 3 days.

The router must support DDNS. There are many DDNS providers; Oray's 花生壳 (Peanut Shell) is a convenient one. Once DDNS is set up, the router can still be reached through a fixed domain name after the public IP changes.

With DDNS in place, configure the L2TP VPN server side and the login users on the MSR810. The VPN can then be used through the domain name.

If there is also a NAS on the LAN, port forwarding can be configured so that the NAS is reached directly via domain name plus port.

After the above is done, a laptop can dial into the VPN, but an iPhone cannot connect. The main reason is that iOS and the vast majority of Android phones can only use L2TP if the router is configured for L2TP over IPsec. So after configuring L2TP in the web UI, IPsec has to be configured as well. The configuration is as follows:

MSR810 V7 IPsec VPN configuration, 2019.5.26

3.3.1  Configure the pre-shared key

Set the pre-shared key to 123.
[H3C]ike keychain 1
[H3C-ike-keychain-1]pre-shared-key address 0.0.0.0 0 key simple 123
[H3C-ike-keychain-1]quit
3.3.2  Configure IKE proposals

Configure several proposals so that the different authentication/encryption algorithms used by different clients can be matched.
[H3C]ike proposal 1
[H3C-ike-proposal-1]encryption-algorithm aes-cbc-128
[H3C-ike-proposal-1]dh group2
[H3C-ike-proposal-1]authentication-algorithm md5
[H3C-ike-proposal-1]quit
[H3C]ike proposal 2
[H3C-ike-proposal-2]encryption-algorithm 3des-cbc
[H3C-ike-proposal-2]dh group2
[H3C-ike-proposal-2]authentication-algorithm md5
[H3C-ike-proposal-2]quit
[H3C]ike proposal 3
[H3C-ike-proposal-3]encryption-algorithm 3des-cbc
[H3C-ike-proposal-3]dh group2
[H3C-ike-proposal-3]authentication-algorithm sha
[H3C-ike-proposal-3]quit
[H3C]ike proposal 4
[H3C-ike-proposal-4]encryption-algorithm aes-cbc-256
[H3C-ike-proposal-4]dh group2
[H3C-ike-proposal-4]authentication-algorithm sha
[H3C-ike-proposal-4]quit
[H3C]ike proposal 5
[H3C-ike-proposal-5]encryption-algorithm DES-CBC
[H3C-ike-proposal-5]dh group2
[H3C-ike-proposal-5]authentication-algorithm sha
[H3C-ike-proposal-5]quit
[H3C]ike proposal 6
[H3C-ike-proposal-6]encryption-algorithm aes-cbc-192
[H3C-ike-proposal-6]dh group2
[H3C-ike-proposal-6]authentication-algorithm sha
[H3C-ike-proposal-6]quit
3.3.3  Configure the IKE profile

Configure the IKE profile to reference the six proposals created above.
[H3C]ike profile 1
[H3C-ike-profile-1]keychain 1
[H3C-ike-profile-1]match remote identity address 0.0.0.0 0
[H3C-ike-profile-1]proposal 1 2 3 4 5 6
[H3C-ike-profile-1]quit
3.3.4  Configure IPsec transform sets

[H3C]ipsec transform-set 1
[H3C-ipsec-transform-set-1]encapsulation-mode transport
[H3C-ipsec-transform-set-1]esp encryption-algorithm 3des-cbc
[H3C-ipsec-transform-set-1]esp authentication-algorithm MD5
[H3C-ipsec-transform-set-1]quit
[H3C]ipsec transform-set 2
[H3C-ipsec-transform-set-2]encapsulation-mode transport
[H3C-ipsec-transform-set-2]esp encryption-algorithm aes-cbc-128
[H3C-ipsec-transform-set-2]esp authentication-algorithm sha1
[H3C-ipsec-transform-set-2]quit
[H3C]ipsec transform-set 3
[H3C-ipsec-transform-set-3]encapsulation-mode transport
[H3C-ipsec-transform-set-3]esp encryption-algorithm aes-cbc-256
[H3C-ipsec-transform-set-3]esp authentication-algorithm sha1
[H3C-ipsec-transform-set-3]quit
[H3C]ipsec transform-set 4
[H3C-ipsec-transform-set-4]encapsulation-mode transport
[H3C-ipsec-transform-set-4]esp encryption-algorithm des-cbc
[H3C-ipsec-transform-set-4]esp authentication-algorithm sha1
[H3C-ipsec-transform-set-4]quit
[H3C]ipsec transform-set 5
[H3C-ipsec-transform-set-5]encapsulation-mode transport
[H3C-ipsec-transform-set-5]esp encryption-algorithm 3des-cbc
[H3C-ipsec-transform-set-5]esp authentication-algorithm sha1
[H3C-ipsec-transform-set-5]quit
[H3C]ipsec transform-set 6
[H3C-ipsec-transform-set-6]encapsulation-mode transport
[H3C-ipsec-transform-set-6]esp encryption-algorithm aes-cbc-192
[H3C-ipsec-transform-set-6]esp authentication-algorithm sha1
[H3C-ipsec-transform-set-6]quit
3.3.5  Configure the IPsec policy template

Configure the IPsec policy template and reference the six transform sets created above.
[H3C]ipsec policy-template z 1
[H3C-ipsec-policy-template-z-1]transform-set 1 2 3 4 5 6
[H3C-ipsec-policy-template-z-1]ike-profile 1
[H3C-ipsec-policy-template-z-1]quit
3.3.6  Configure the IPsec policy

[H3C]ipsec policy a 10 isakmp template z
3.3.7  Apply the IPsec policy on the WAN interface and on dialer 0

[H3C]interface GigabitEthernet 0/0
[H3C-GigabitEthernet0/0]ipsec apply policy a
[H3C-GigabitEthernet0/0]quit

[H3C]interface dialer 0 
[H3C-Dialer0]ipsec apply policy a 
[H3C-Dialer0]quit

3.3.8  Add an ACL to the NAT on the WAN interface so that L2TP traffic is excluded from address translation

Because the firewall processes NAT first and IPsec VPN afterwards, if the outbound interface does not exclude the L2TP traffic from NAT, the return packets will not match the IPsec traffic of interest.
[H3C]acl advanced 3000
[H3C-acl-ipv4-adv-3000]rule deny udp destination-port eq 1701
[H3C-acl-ipv4-adv-3000]rule permit ip source any
[H3C-acl-ipv4-adv-3000]quit
[H3C]interface GigabitEthernet 0/0               // public-facing port (WAN port)
[H3C-GigabitEthernet0/0]nat outbound 3000
[H3C-GigabitEthernet0/0]quit
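As an added check, not part of the original post or of any H3C tool, the following Python script parses configuration in the form shown above (prompts stripped, as `display current-configuration` prints it) and reports the settings a reviewer would look at: the DES/3DES/MD5/DH group 2 proposals kept for old clients, the pre-shared key offered to any peer address, the any-identity match in the IKE profile, and whether ACL 3000 really denies UDP/1701 before its permit rule so that NAT skips L2TP. The 16-character minimum key length is an assumed local policy, not an H3C requirement; the sample configuration is constructed from the lines of this post.

```python
# Constructed sample: the security-relevant lines of the MSR810 configuration
# in this post, in the indented form `display current-configuration` prints.
SAMPLE_CONFIG = """\
ike keychain 1
 pre-shared-key address 0.0.0.0 0 key simple 123
ike proposal 1
 encryption-algorithm aes-cbc-128
 dh group2
 authentication-algorithm md5
ike profile 1
 match remote identity address 0.0.0.0 0
ipsec transform-set 1
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm MD5
acl advanced 3000
 rule deny udp destination-port eq 1701
 rule permit ip source any
"""

# Algorithms that are no longer considered adequate (keyed by CLI keyword).
WEAK = {"encryption-algorithm": {"des-cbc", "3des-cbc"},
        "authentication-algorithm": {"md5"},
        "dh": {"group1", "group2"}}
MIN_PSK_LEN = 16  # assumed local policy, not an H3C requirement

def audit(config):
    """Return (view, finding) pairs for weak crypto and over-broad peer matching."""
    findings, view = [], None
    for raw in config.splitlines():
        words = raw.strip().lower().split()
        if not words:
            continue
        if not raw.startswith(" "):      # an unindented line opens a new view
            view = " ".join(words)
            continue
        if words[0] == "esp":            # transform-set lines carry an esp prefix
            words = words[1:]
        if words[0] in WEAK and words[1] in WEAK[words[0]]:
            findings.append((view, f"weak {words[0]} {words[1]}"))
        elif words[0] == "pre-shared-key":
            if "address 0.0.0.0 0" in " ".join(words):
                findings.append((view, "key is offered to any peer address"))
            if len(words[-1]) < MIN_PSK_LEN:
                findings.append((view, f"key is only {len(words[-1])} characters"))
        elif words[:3] == ["match", "remote", "identity"] and "0.0.0.0 0" in raw:
            findings.append((view, "profile accepts any remote identity"))
    return findings

def nat_acl_excludes_l2tp(config, acl):
    """True if ACL `acl` denies UDP/1701 before its first permit, so NAT skips L2TP."""
    in_acl = False
    for raw in config.splitlines():
        if not raw.startswith(" "):
            in_acl = raw.strip().lower() == f"acl advanced {acl}"
            continue
        words = raw.split()
        if in_acl and words[:2] == ["rule", "deny"] and "udp" in words and "1701" in words:
            return True
        if in_acl and words[:2] == ["rule", "permit"]:
            return False
    return False
```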

After the IPsec configuration was added, clients connected to the VPN could no longer open web pages, although QQ still worked, so it is probably a DNS problem. In the earlier configuration the L2TP addresses were allocated with an ip pool; switching to DHCP allocation can be tried.

[H3C]dhcp server ip-pool test
[H3C-dhcp-pool-test]network 192.168.10.0 mask 255.255.255.0
// in the earlier configuration, the addresses assigned to VPN clients were on the 192.168.10.1 network segment
[H3C-dhcp-pool-test]gateway-list 192.168.10.1
[H3C-dhcp-pool-test]dns-list 114.114.114.114
[H3C-dhcp-pool-test]address range 192.168.10.10 192.168.10.254
[H3C-dhcp-pool-test]qu
[H3C]inter Virtual-Template 1
[H3C-Virtual-Template1]ip address 192.168.10.1 24
[H3C-Virtual-Template1]remote address pool test
[H3C-Virtual-Template1]qu
