配置Call-LNS场景下的L2TP VPN,即防火墙向防火墙拔号（本地认证）

配置Call-LNS场景下的L2TP VPN,即防火墙向防火墙拔号（本地认证）
Call-LNS场景下LAC和LNS之间建立一条永久的L2TP VPN隧道，分支机构员工直接通过L2TP VPN隧道即可访问总部服务器。
组网需求
如图所示，分支机构的出口网关为LAC，公司总部的出口网关为LNS，分支机构的员工需要跨越Internet访问总部服务器。企业需要在LAC和LNS之间建立L2TP VPN隧道，实现分支机构员工通过L2TP VPN隧道访问总部服务器的需求。

FW1_2022.10.03.23时07分19秒.txt

FW2_2022.10.03.23时07分36秒.txt

USG6307E_2022.10.02.18时57分55秒.txt

ISP_2022.10.03.23时07分54秒.txt

SW2_2022.10.03.23时08分25秒.txt

（1）拓扑图

配置Call-LNS场景下的L2TP VPN,即防火墙向防火墙拔号（本地认证）.zip

（2）基本配置

ISP:
#               
interface GE1/0/0
 undo portswitch
 undo shutdown
 ip address 100.100.100.254 255.255.255.0
#
interface GE1/0/1
 undo portswitch
 undo shutdown
 ip address 200.200.200.254 255.255.255.0
#
sw1:
interface GE1/0/0
 undo portswitch
 undo shutdown
 ip address 192.168.20.200 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.20.1

FW1:
#
interface GigabitEthernet0/0/0
 undo shutdown                            
 ip binding vpn-instance default
 ip address 10.12.5.5 255.255.0.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
 service-manage netconf permit
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 100.100.100.1 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
 service-manage netconf permit
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 192.168.10.1 255.255.255.0    
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
 service-manage netconf permit
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/1
 add interface GigabitEthernet1/0/0
ip route-static 200.200.200.0 255.255.255.0 100.100.100.254
#配置策略允许所有：
security-policy
 default action permit
#配置AAA：
aaa
   manager-user admin
      password cipher 密码
      service-type web
      level 15

FW2:
#
interface GigabitEthernet0/0/0
 undo shutdown                            
 ip binding vpn-instance default
 ip address 10.12.5.6 255.255.0.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
 service-manage netconf permit
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 200.200.200.1 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
 service-manage netconf permit
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 192.168.20.1 255.255.255.0    
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
 service-manage netconf permit
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/1
 add interface GigabitEthernet1/0/0
ip route-static 100.100.100.0 255.255.255.0 200.200.200.254
#配置策略允许所有：
security-policy
 default action permit
#配置AAA：
aaa
   manager-user admin
      password cipher 密码
      service-type web
      level 15

（3.1）FW2: 配置认证域及L2TP用户

aaa
  service-scheme webServerScheme1664784157072
  domain default
    service-scheme webServerScheme1664784157072
    service-type l2tp

（3.2）FW2: 启用L2TP

l2tp enable
ip pool POOL1
 section 0 10.10.10.10 10.10.10.200
 
aaa
  service-scheme l2tpSScheme_1664784465689
     ip-pool POOL1

l2tp-group default-lns
  tunnel password cipher %$%$rmP}&2OhK$&CH|)D48(GXF7o%$%$
  allow l2tp virtual-template 0
#
interface Virtual-Template0
  ppp authentication-mode chap
  remote service-scheme l2tpSScheme_1664784465689
  ip address 10.10.10.1 255.255.255.0
  alias L2TP_LNS_0
  undo service-manage enable

firewall zone trust                       
 add interface Virtual-Template0

（4.1）FW1: 启用L2TP

l2tp enable

l2tp-group default-lns
 tunnel password cipher %$%$,szKH8bC*Rr.e0UqpqjGW-L{%$%$
 tunnel name lac
 start l2tp ip 200.200.200.1 fullusername u1
#
interface Virtual-Template0
 ppp authentication-mode chap pap
 ppp chap user u1
 ppp chap password cipher %$%$Y78wRaC2+),RPlMG:I{SL)aX%$%$
 ppp pap local-user u1 password cipher %$%$%`#ZSK|9T"K$>AX<j<p%R~7s%$%$
 ip address ppp-negotiate
 call-lns local-user u1 binding l2tp-group default-lns
 alias L2TP_LAC_0
 undo service-manage enable

firewall zone trust
 add interface Virtual-Template0

ip route-static 192.168.20.0 255.255.255.0 Virtual-Template0

（4.2）拔号失败，后来成功，原因不明，防火墙重启后就可以了。
查看FW1的L2TP通道监控列表：没有任何信息

FW1:

FW1:

FW2:（如果拔号成功，这个会话也是这样的)

（5.1）绑定ip地址，让用户获得固定的ip地址

查看：

（5.2）配置静态路由

[FW2]ip route-static 192.168.10.0 255.255.255.0 10.10.10.155

测试：

PC1成功ping通SW2

VPN配置案例汇总、VPN汇总（列表、list、全）vpnlist
http://www.zh-cjh.com/wenzhangguilei/1193.html
文章归类、所有文章列表、LISTLIST
http://www.zh-cjh.com/wangzhangonggao/2195.html