L2TP的LAC拨号模式实验

一，实验拓扑

二，实验配置

L2TP配置

1、建立PPPoE连接，设定拨号接口VT接口

Client

[PPPoE Client]interface Dialer 1
[PPPoE Client-Dialer1]dialer user user1     ----- 设定拨号用户名
[PPPoE Client-Dialer1]dialer-group 1     ---- 创建拨号组
[PPPoE Client-Dialer1]dialer bundle 1     ------ 设定拨号程序捆绑包
[PPPoE Client-Dialer1]ip address ppp-negotiate      ------ 设定IP地址获取方式为PPP邻居分配，PPP邻居通过IPCP协议进行分配，即PPP的NCP协商过程所用协议
[PPPoE Client-Dialer1]ppp chap user user1
[PPPoE Client-Dialer1]ppp chap password cipher Password123

[PPPoE Client]dialer-rule 1 ip permit       ------ 配置拨号访问控制列表，允许所有IPv4报文通过拨号口，数字1必须与拨号组编号相同。

[PPPoE Client]int g 1/0/0
[PPPoE Client-GigabitEthernet1/0/0]pppoe-client dial-bundle-number 1 ---在物理接口上启动PPPoE Client程序，绑定拨号程序包，编号为1
 

 Server

[NAS]interface Virtual-Template 1
[NAS-Virtual-Template1]ppp authentication-mode chap      ----- 修改认证模式
[NAS-Virtual-Template1]ip address 2.2.2.2 24      ---- （配置的IP地址仅是为了激活该接口）

[NAS]firewall zone dmz
[NAS-zone-dmz]add interface Virtual-Template 1

[NAS]interface GigabitEthernet 1/0/0    
[NAS-GigabitEthernet1/0/0]pppoe-server bind virtual-template 1     ----- 将VT接口绑定在物理接口

[NAS]aaa    
[NAS-aaa]domain default 
[NAS-aaa-domain-default]service-type l2tp       ----- 设定认证域的服务类型为L2TP

设定用户名和密码信息：
[NAS]user-manage user user1 domain default 
[NAS-localuser-user1]password Password123
 

2、建立L2TP隧道

NAS(LAC)配置

[NAS]l2tp enable        ----- 启动L2TP协议
[NAS]l2tp-group 1       ----- 设置L2TP组名
[NAS-l2tp-1]tunnel authentication       ----- 开启隧道认证
[NAS-l2tp-1]tunnel password cipher Hello123      ---- 配置隧道密码信息
[NAS-l2tp-1]tunnel name lac     ----- 设置隧道名称
[NAS-l2tp-1]start l2tp ip 20.1.1.2 fullusername user1      ---- 设定LAC模式和LNS地址，以及设置认证用户的方式为“完全用户认证”，并指定用户名
 

LNS配置

[LNS]ip pool l2tp     --- 创建地址池
[LNS-ip-pool-l2tp]section 0 172.16.1.2 172.16.1.100

[LNS]aaa
[LNS-aaa]service-scheme l2tp
[LNS-aaa-service-l2tp]ip-pool l2tp
[LNS-aaa]domain default     
[LNS-aaa-domain-default]service-type l2tp 

[LNS]user-manage user user1 domain default 
[LNS-localuser-user1]password Password123

[LNS]interface Virtual-Template 1
[LNS-Virtual-Template1]ppp authentication-mode chap
[LNS-Virtual-Template1]ip address 172.16.0.1 24
[LNS-Virtual-Template1]remote service-scheme l2tp

[LNS]firewall zone dmz     
[LNS-zone-dmz]add interface Virtual-Template 1

[LNS]l2tp enable 
[LNS]l2tp-group 1
[LNS-l2tp-1]allow l2tp virtual-template 1 remote lac domain default
[LNS-l2tp-1]tunnel authentication 
[LNS-l2tp-1]tunnel password cipher Hello123
 

3、路由补充 

[PPPoE Client]ip route-static 0.0.0.0 0 Dialer 1       ---- 出接口方式

# 将Dialer 1接口划分到dmz区域，方便发包：
[PPPoE Client]firewall zone dmz 
[PPPoE Client-zone-dmz]add interface Dialer 1
 

安全策略配置

NAS

[NAS]security-policy 
[NAS-policy-security]default action deny     ----- 先恢复默认策略为拒绝
[NAS-policy-security]rule name local_to_untrust
  source-zone local
  destination-zone untrust
  source-address 20.1.1.1 mask 255.255.255.255
  destination-address 20.1.1.2 mask 255.255.255.255
  service l2tp
  service protocol udp source-port 0 to 65535 destination-port 1701
  action permit
 

 LNS

[LNS]security-policy     
[LNS-policy-security]default action deny 
[LNS-policy-security]dis this
security-policy
 rule name untrust_to_local
  source-zone untrust
  destination-zone local
  source-address 20.1.1.1 mask 255.255.255.255
  destination-address 20.1.1.2 mask 255.255.255.255
  service l2tp
  service protocol udp destination-port 1701
  action permit
 rule name dmz_to_trust
  source-zone dmz
  destination-zone trust
  source-address 172.16.1.0 mask 255.255.255.0
  destination-address 192.168.1.0 mask 255.255.255.0
  action permit