L2TP-VPN+HA(2008-12-18 10:11:34)

 

 

 

 

 

 

 

                               L2TP-VPN+HA

 

 

 

                                                  雨中星辰

 

 

 

实验拓扑:

 

 

实验描述:

192.168.1.0 网段为内网.

192.168.0.0为外网.

VPN客户端分配的IP地址为手动指定的IP地址:192.168.2.1

SSG320M的0/3端口为HA连接端口.

实验目的:

实现L2TP+VPN

实现HA主备

 

实验过程:

 

L2TP+VPN:

第一步,创建VPN用户:

 

 

第二步,建立VPN用户组:

 

第三步,L2TP默认设置:

 

第四步,L2TP配置tunnel:

 

第五步,配置认证网关:

 

高级:

 

第六步,配置密钥:

 

高级:

 

第七步,配置策略:

 

第八步,配置默认路由:

 

 

以上L2TP+VPN调试过程完成.

HA调试:

第一步同步系统时间:

 

第二步创建HA接口:

 

第三步建立CLUSTER ID:

 

第四步修改优先级:

 

第五步加入监听端口:

 

第六步配置RTO:

 

完成。

320M-A配置:

set clock timezone 8

set vrouter trust-vr sharable

set vrouter "untrust-vr"

exit

set vrouter "trust-vr"

unset auto-route-export

exit

set auth-server "Local" id 0

set auth-server "Local" server-name "Local"

set auth default auth server "Local"

set auth radius accounting port 1646

set admin name "netscreen"

set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"

set admin auth timeout 10

set admin auth server "Local"

set admin format dos

set zone "Trust" vrouter "trust-vr"

set zone "Untrust" vrouter "trust-vr"

set zone "DMZ" vrouter "trust-vr"

set zone "VLAN" vrouter "trust-vr"

set zone "Untrust-Tun" vrouter "trust-vr"

set zone "Trust" tcp-rst

set zone "Untrust" block

unset zone "Untrust" tcp-rst

set zone "MGT" block

set zone "DMZ" tcp-rst

set zone "VLAN" block

unset zone "VLAN" tcp-rst

set zone "Untrust" screen tear-drop

set zone "Untrust" screen syn-flood

set zone "Untrust" screen ping-death

set zone "Untrust" screen ip-filter-src

set zone "Untrust" screen land

set zone "V1-Untrust" screen tear-drop

set zone "V1-Untrust" screen syn-flood

set zone "V1-Untrust" screen ping-death

set zone "V1-Untrust" screen ip-filter-src

set zone "V1-Untrust" screen land

set interface "ethernet0/0" zone "Trust"

set interface "ethernet0/1" zone "DMZ"

set interface "ethernet0/2" zone "Untrust"

set interface ethernet0/0 ip 192.168.1.1/24

set interface ethernet0/0 nat

unset interface vlan1 ip

set interface ethernet0/2 ip 192.168.0.253/24

set interface ethernet0/2 route

unset interface vlan1 bypass-others-ipsec

unset interface vlan1 bypass-non-ip

set interface ethernet0/2 manage-ip 192.168.0.200

set interface ethernet0/0 ip manageable

unset interface ethernet0/2 ip manageable

set interface ethernet0/2 manage ping

set interface ethernet0/2 manage telnet

set interface ethernet0/2 manage web

set interface "ethernet0/2" mip 192.168.0.252 host 192.168.1.2 netmask 255.255.255.255 vr "trust-vr"

unset flow no-tcp-seq-check

set flow tcp-syn-check

unset flow tcp-syn-bit-check

set flow reverse-route clear-text prefer

set flow reverse-route tunnel always

set pki authority default scep mode "auto"

set pki x509 default cert-path partial

set nsrp cluster id 1

set nsrp rto-mirror sync

set nsrp rto-mirror route

set nsrp vsd-group id 0 priority 100

set nsrp vsd-group id 0 monitor interface ethernet0/0

set nsrp vsd-group id 0 monitor interface ethernet0/2

set address "Trust" "192.168.1.0/24" 192.168.1.0 255.255.255.0

set user "abc" uid 2

set user "abc" ike-id u-fqdn "abc@123.com" share-limit 1

set user "abc" type  ike l2tp xauth

set user "abc" remote ipaddr "192.168.2.200"

set user "abc" password "JlazYevDN5oKXEsAPTCzc+tS0fndEa9c6Q=="

unset user "abc" type auth

set user "abc" "enable"

set user "test" uid 1

set user "test" ike-id u-fqdn "test@126.com" share-limit 1

set user "test" type  ike l2tp xauth

set user "test" remote ipaddr "192.168.1.3"

set user "test" remote dns1 "202.96.64.68"

set user "test" password "HgHcuDYUNbvHqas+vMCUnaPL41n+EfKiyA=="

unset user "test" type auth

set user "test" "enable"

set user-group "test_group" id 1

set user-group "test_group" user "abc"

set user-group "test_group" user "test"

set ike gateway "test_ga" dialup "test_group" Main outgoing-interface "ethernet0/2" seed-preshare "OYdzoiH5Nn1f6KsxDqCw477gkBnLNdiTdA==" sec-level standard

set ike gateway "test_ga" cert peer-ca-hash 48B76449F3D5FEFA1133AA805E420F0FCA643651

unset ike gateway "test_ga" nat-traversal udp-checksum

set ike gateway "test_ga" nat-traversal keepalive-frequency 5

set ike respond-bad-spi 1

unset ike ikeid-enumeration

unset ike dos-protection

unset ipsec access-session enable

set ipsec access-session maximum 5000

set ipsec access-session upper-threshold 0

set ipsec access-session lower-threshold 0

set ipsec access-session dead-p2-sa-timeout 0

unset ipsec access-session log-error

unset ipsec access-session info-exch-connected

unset ipsec access-session use-error-log

set vrouter "untrust-vr"

exit

set vrouter "trust-vr"

exit

set l2tp default dns1 202.96.64.68

set l2tp "test_tunnel" id 1 outgoing-interface ethernet0/2 keepalive 60

set l2tp "test_tunnel" remote-setting dns1 202.96.64.68

set l2tp "test_tunnel" auth server "Local" user-group "test_group"

set url protocol websense

exit

set policy id 3 from "Trust" to "Untrust"  "Any" "Dial-Up VPN" "ANY" tunnel l2tp "test_tunnel" log

set policy id 3

exit

set policy id 2 from "Untrust" to "Trust"  "Dial-Up VPN" "Any" "ANY" tunnel l2tp "test_tunnel" log

set policy id 2

exit

set policy id 1 from "Trust" to "Untrust"  "192.168.1.0/24" "Any" "ANY" permit log

set policy id 1

exit

set nsmgmt bulkcli reboot-timeout 60

set ssh version v2

set config lock timeout 5

unset license-key auto-update

set snmp port listen 161

set snmp port trap 162

set vrouter "untrust-vr"

exit

set vrouter "trust-vr"

unset add-default-route

set route 0.0.0.0/0 interface ethernet0/2 gateway 192.168.0.1 preference 20

exit

set vrouter "untrust-vr"

exit

set vrouter "trust-vr"

exit

320M-B配置:

set clock timezone 8

set vrouter trust-vr sharable

set vrouter "untrust-vr"

exit

set vrouter "trust-vr"

unset auto-route-export

exit

set auth-server "Local" id 0

set auth-server "Local" server-name "Local"

set auth default auth server "Local"

set auth radius accounting port 1646

set admin name "netscreen"

set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"

set admin auth timeout 10

set admin auth server "Local"

set admin format dos

set zone "Trust" vrouter "trust-vr"

set zone "Untrust" vrouter "trust-vr"

set zone "DMZ" vrouter "trust-vr"

set zone "VLAN" vrouter "trust-vr"

set zone "Untrust-Tun" vrouter "trust-vr"

set zone "Trust" tcp-rst

set zone "Untrust" block

unset zone "Untrust" tcp-rst

set zone "MGT" block

set zone "DMZ" tcp-rst

set zone "VLAN" block

unset zone "VLAN" tcp-rst

set zone "Untrust" screen tear-drop

set zone "Untrust" screen syn-flood

set zone "Untrust" screen ping-death

set zone "Untrust" screen ip-filter-src

set zone "Untrust" screen land

set zone "V1-Untrust" screen tear-drop

set zone "V1-Untrust" screen syn-flood

set zone "V1-Untrust" screen ping-death

set zone "V1-Untrust" screen ip-filter-src

set zone "V1-Untrust" screen land

set interface "ethernet0/0" zone "Trust"

set interface "ethernet0/1" zone "DMZ"

set interface "ethernet0/2" zone "Untrust"

set interface ethernet0/0 ip 192.168.1.1/24

set interface ethernet0/0 nat

unset interface vlan1 ip

set interface ethernet0/2 ip 192.168.0.253/24

set interface ethernet0/2 route

unset interface vlan1 bypass-others-ipsec

unset interface vlan1 bypass-non-ip

set interface ethernet0/2 manage-ip 192.168.0.200

set interface ethernet0/0 ip manageable

unset interface ethernet0/2 ip manageable

set interface ethernet0/2 manage ping

set interface ethernet0/2 manage telnet

set interface ethernet0/2 manage web

set interface "ethernet0/2" mip 192.168.0.252 host 192.168.1.2 netmask 255.255.255.255 vr "trust-vr"

unset flow no-tcp-seq-check

set flow tcp-syn-check

unset flow tcp-syn-bit-check

set flow reverse-route clear-text prefer

set flow reverse-route tunnel always

set pki authority default scep mode "auto"

set pki x509 default cert-path partial

set nsrp cluster id 1

set nsrp rto-mirror sync

set nsrp rto-mirror route

set nsrp vsd-group id 0 priority 100

set nsrp vsd-group id 0 monitor interface ethernet0/0

set nsrp vsd-group id 0 monitor interface ethernet0/2

set address "Trust" "192.168.1.0/24" 192.168.1.0 255.255.255.0

set user "abc" uid 2

set user "abc" ike-id u-fqdn "abc@123.com" share-limit 1

set user "abc" type  ike l2tp xauth

set user "abc" remote ipaddr "192.168.2.200"

set user "abc" password "JlazYevDN5oKXEsAPTCzc+tS0fndEa9c6Q=="

unset user "abc" type auth

set user "abc" "enable"

set user "test" uid 1

set user "test" ike-id u-fqdn "test@126.com" share-limit 1

set user "test" type  ike l2tp xauth

set user "test" remote ipaddr "192.168.1.3"

set user "test" remote dns1 "202.96.64.68"

set user "test" password "HgHcuDYUNbvHqas+vMCUnaPL41n+EfKiyA=="

unset user "test" type auth

set user "test" "enable"

set user-group "test_group" id 1

set user-group "test_group" user "abc"

set user-group "test_group" user "test"

set ike gateway "test_ga" dialup "test_group" Main outgoing-interface "ethernet0/2" seed-preshare "OYdzoiH5Nn1f6KsxDqCw477gkBnLNdiTdA==" sec-level standard

set ike gateway "test_ga" cert peer-ca-hash 48B76449F3D5FEFA1133AA805E420F0FCA643651

unset ike gateway "test_ga" nat-traversal udp-checksum

set ike gateway "test_ga" nat-traversal keepalive-frequency 5

set ike respond-bad-spi 1

unset ike ikeid-enumeration

unset ike dos-protection

unset ipsec access-session enable

set ipsec access-session maximum 5000

set ipsec access-session upper-threshold 0

set ipsec access-session lower-threshold 0

set ipsec access-session dead-p2-sa-timeout 0

unset ipsec access-session log-error

unset ipsec access-session info-exch-connected

unset ipsec access-session use-error-log

set vrouter "untrust-vr"

exit

set vrouter "trust-vr"

exit

set l2tp default dns1 202.96.64.68

set l2tp "test_tunnel" id 1 outgoing-interface ethernet0/2 keepalive 60

set l2tp "test_tunnel" remote-setting dns1 202.96.64.68

set l2tp "test_tunnel" auth server "Local" user-group "test_group"

set url protocol websense

exit

set policy id 3 from "Trust" to "Untrust"  "Any" "Dial-Up VPN" "ANY" tunnel l2tp "test_tunnel" log

set policy id 3

exit

set policy id 2 from "Untrust" to "Trust"  "Dial-Up VPN" "Any" "ANY" tunnel l2tp "test_tunnel" log

set policy id 2

exit

set policy id 1 from "Trust" to "Untrust"  "192.168.1.0/24" "Any" "ANY" permit log

set policy id 1

exit

set nsmgmt bulkcli reboot-timeout 60

set ssh version v2

set config lock timeout 5

unset license-key auto-update

set snmp port listen 161

set snmp port trap 162

set vrouter "untrust-vr"

exit

set vrouter "trust-vr"

unset add-default-route

set route 0.0.0.0/0 interface ethernet0/2 gateway 192.168.0.1 preference 20

exit

set vrouter "untrust-vr"

exit

set vrouter "trust-vr"

exit

 

Windows XP 需要修改注册表:运行regedit,找到下面这个路径:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters,

新增或修改ProhibitIpSec的值为1(该值使XP客户端不再为L2TP自动套用IPsec,从而以纯L2TP方式连接,与上面策略中 tunnel l2tp 的配置相匹配;注意纯L2TP本身不对数据加密,仅依靠PPP认证)。如下所示:

 

重启计算机。

 
