H3C low-end firewall L2TP VPN configuration
<GTECH> sys
System View: return to User View with Ctrl+Z.
[GTECH] dis curr
#
 sysname GTECH
#
 l2tp enable // required to enable the L2TP function
#
 firewall packet-filter enable
 firewall packet-filter default permit
#
 connection-limit enable
 connection-limit default deny
 connection-limit default amount upper-limit 50 lower-limit 20
#
 firewall statistic system enable
#
radius scheme system
 server-type extended
#
domain system
 ip pool 1 192.168.10.2 192.168.10.50 // address pool from which dialed-in VPN clients obtain their IP address
#
local-user admin
 password cipher DI :( ZS,:-MYG897 "VPaR91 !!
 service-type telnet
 level 3
local-user aaa // user name and password used to authenticate VPN client dial-in
 password simple gtech8@*%786
 service-type ppp
local-user bbb
 password simple lqyniq.pdf
 service-type ppp
#
acl number 2000
 rule 3 permit source 192.168.6.0 0.0.0.255 // inside LAN behind Ethernet1/0, matched by nat outbound
 rule 4 deny
#
interface Virtual-Template0 // define a virtual template interface
 ppp authentication-mode pap // PPP authentication method; CHAP can be selected instead
 l2tp-auto-client enable
 ip address 192.168.10.1 255.255.255.0 // the virtual template needs an IP address
 undo ip fast-forwarding
 remote address pool 1 // address pool used by the VT interface
#
interface Ethernet1/0
 description 'inside interface'
 tcp mss 1024
 ip address 192.168.6.1 255.255.255.0
#
interface Ethernet2/0
 speed 10
 duplex full
 ip address 219.x.y.205 // subnet mask missing from the original dump
 nat outbound 2000
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 add interface Ethernet1/0
 add interface Virtual-Template0
 set priority 85
#
firewall zone untrust
 add interface Ethernet2/0
 set priority 5
#
firewall zone DMZ
 set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
l2tp-group 1 // define an L2TP group; for group 1, a peer with any tunnel name can initiate a tunnel request
 undo tunnel authentication // tunnel authentication is not required (optional)
 mandatory-lcp // force LCP renegotiation; used when the LNS (firewall) side must also authenticate and account for users: the proxy authentication information from the NAS side is ignored and the LNS renegotiates with the user via LCP
 allow l2tp virtual-template 0 // virtual template interface used to accept calls, plus the peer tunnel name and domain name of the tunnel (VPN)
#
 ftp server enable
#
 dvpn service enable
#
 undo dhcp enable
#
 ip route-static 0.0.0.0 0.0.0.0 219.x.y.193 preference 60
 ip route-static 192.168.6.0 255.255.255.0 Virtual-Template 0 preference 60 // static route so the VPN client can reach the PCs behind the firewall after logging in
#
 firewall defend ip-spoofing
 firewall defend land
 firewall defend smurf
 firewall defend fraggle
 firewall defend winnuke
 firewall defend icmp-redirect
 firewall defend icmp-unreachable
 firewall defend source-route
 firewall defend route-record
 firewall defend tracert
 firewall defend ping-of-death
 firewall defend tcp-flag
 firewall defend ip-fragment
 firewall defend large-icmp
 firewall defend teardrop
 firewall defend ip-sweep
 firewall defend port-scan
 firewall defend arp-spoofing
 firewall defend arp-reverse-query
 firewall defend arp-flood
 firewall defend frag-flood
 firewall defend syn-flood enable
 firewall defend udp-flood enable
 firewall defend icmp-flood enable
#
user-interface con 0
user-interface vty 0 4
 authentication-mode scheme
#
return
[GTECH]
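As an added example (not part of the original post), a small Python audit that reads an H3C configuration dump in the shape of the one above and flags the settings that weaken this deployment: cleartext `password simple`, PAP authentication, disabled tunnel authentication and a permit-by-default packet filter. The embedded config excerpt is constructed with a placeholder password; the rule patterns follow the command syntax shown on this page.

```python
import re

# Constructed excerpt in the shape of the H3C dump above (placeholder password).
SAMPLE_CONFIG = """\
#
 firewall packet-filter enable
 firewall packet-filter default permit
#
local-user aaa
 password simple EXAMPLE-PASSWORD
#
interface Virtual-Template0
 ppp authentication-mode pap
#
l2tp-group 1
 undo tunnel authentication
#
"""
# (line regex, severity, explanation), written for the H3C syntax on this page.
RULES = [
    (r"^\s*password simple\b", "high",
     "local-user password stored in cleartext; use 'password cipher'"),
    (r"^\s*ppp authentication-mode pap\b", "high",
     "PAP sends the PPP password in cleartext; prefer CHAP/MS-CHAP"),
    (r"^\s*undo tunnel authentication\b", "medium",
     "L2TP tunnel authentication disabled; any peer may open a tunnel"),
    (r"^\s*firewall packet-filter default permit\b", "medium",
     "default packet-filter action is permit; unmatched traffic passes"),
]

def audit_config(text):
    """Return (context, severity, message) for each weak line; context is
    the enclosing top-level command (e.g. 'local-user aaa') or '(global)'."""
    findings, context = [], "(global)"
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.strip() == "#":
            context = "(global)"          # '#' separates config blocks
            continue
        if not raw.startswith(" "):
            context = line                # unindented line opens a block
        for pattern, severity, message in RULES:
            if re.match(pattern, line):
                findings.append((context, severity, message))
    return findings

if __name__ == "__main__":
    for ctx, sev, msg in audit_config(SAMPLE_CONFIG):
        print(f"[{sev:6}] {ctx:<28} {msg}")
```

Paste the output of `display current-configuration` into a file and pass its contents to `audit_config` to run the same checks against a live device's config.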
After the client VPN connection is up, open CMD and run route print. If the routing table does not contain a default route (0.0.0.0 mask 0.0.0.0) via 192.168.10.2, add it with the following command:
route -p add 0.0.0.0 mask 0.0.0.0 192.168.10.2
Then you can ping the IP address of the PC behind the firewall. Here, I use FTP and 3389 connections from the client to the server to verify that the IP address is correct.
Follow these steps to configure a Windows XP computer as an L2TP client.
1. Configure the L2TP dial-up connection:
1) In Windows XP, go to "Start", "Settings", "Control Panel" and select "Switch to Category View".
2) Select "Network and Internet Connections".
3) Select "Connect to the network at my workplace".
4) Select "Virtual Private Network connection" and click "Next".
5) Enter "l2tp" as the connection name and click "Next".
6) Select "Do not dial the initial connection" and click "Next".
7) Enter the IP address "202.101.35.218" of the L2TP server to connect to, and click "Next".
8) Click "Finish".
9) Double-click the "l2tp" connection. In the l2tp connection window, click "Properties".
10) Select the "Security" tab, select "Advanced (custom settings)", and click "Settings".
11) Under "Data encryption", select "Optional encryption (connect even if no encryption)".
12) Under "Allow these protocols", select "Unencrypted password (PAP)", "Challenge Handshake Authentication Protocol (CHAP)" and "Microsoft CHAP (MS-CHAP)", then click "OK".
13) Select the "Networking" tab and select "L2TP IPSec VPN" under "Type of VPN".
14) Confirm that "Internet Protocol (TCP/IP)" is selected.
15) Confirm that "NWLink IPX/SPX/NetBIOS Compatible Transport Protocol", "File and Printer Sharing for Microsoft Networks" and "Client for Microsoft Networks" are not selected.
16) Click "OK" to save the changes.
2. Modify the registry
By default, the Windows XP L2TP policy does not allow L2TP connections that do not use IPSec encryption. You can disable this default behaviour in the Windows XP registry:
Manual modification:
1) In Windows XP, click "Start", "Run", type "Regedt32" and open the Registry Editor. Locate the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\Parameters.
2) Add the following value under that key:
Value name: ProhibitIpSec
Data type: REG_DWORD
Value: 1
3) Save the changes and restart the computer for them to take effect.
Tip: the "ProhibitIpSec" registry value must be added on every Windows XP computer used as a client.