First you need a public IP. Nowadays public IPs are usually dynamic; China Telecom changes the public IP every 3 days.

The router must support DDNS. There are many DDNS providers; Oray's 花生壳 (Peanut Shell) is convenient. Once DDNS is set up, the router can still be reached through a fixed domain name after the public IP changes.

With DDNS in place, configure the L2TP VPN server and the login users on the MSR810. The VPN can then be used through the domain name.

If there is also a NAS on the LAN, port forwarding can be configured so that the NAS is reachable directly by domain name plus port.

After the steps above, a laptop can dial into the VPN, but an iPhone cannot. The main reason is that iOS and the vast majority of Android phones can only use L2TP if the router is configured as L2TP over IPsec. So after configuring L2TP in the web UI, IPsec has to be configured as well. The configuration is as follows:

MSR810 V7 IPsec VPN configuration, 2019.5.26

3.3.1 Configure the pre-shared key
Set the pre-shared key to 123.
[H3C]ike keychain 1
[H3C-ike-keychain-1]pre-shared-key address 0.0.0.0 0 key simple 123
[H3C-ike-keychain-1]quit

3.3.2 Configure the IKE proposals
Configure several proposals so that the authentication/encryption algorithms of different client devices can be matched.
[H3C]ike proposal 1
[H3C-ike-proposal-1]encryption-algorithm aes-cbc-128
[H3C-ike-proposal-1]dh group2
[H3C-ike-proposal-1]authentication-algorithm md5
[H3C-ike-proposal-1]quit
[H3C]ike proposal 2
[H3C-ike-proposal-2]encryption-algorithm 3des-cbc
[H3C-ike-proposal-2]dh group2
[H3C-ike-proposal-2]authentication-algorithm md5
[H3C-ike-proposal-2]quit
[H3C]ike proposal 3
[H3C-ike-proposal-3]encryption-algorithm 3des-cbc
[H3C-ike-proposal-3]dh group2
[H3C-ike-proposal-3]authentication-algorithm sha
[H3C-ike-proposal-3]quit
[H3C]ike proposal 4
[H3C-ike-proposal-4]encryption-algorithm aes-cbc-256
[H3C-ike-proposal-4]dh group2
[H3C-ike-proposal-4]authentication-algorithm sha
[H3C-ike-proposal-4]quit
[H3C]ike proposal 5
[H3C-ike-proposal-5]encryption-algorithm DES-CBC
[H3C-ike-proposal-5]dh group2
[H3C-ike-proposal-5]authentication-algorithm sha
[H3C-ike-proposal-5]quit
[H3C]ike proposal 6
[H3C-ike-proposal-6]encryption-algorithm aes-cbc-192
[H3C-ike-proposal-6]dh group2
[H3C-ike-proposal-6]authentication-algorithm sha
[H3C-ike-proposal-6]quit

3.3.3 Configure the IKE profile
Configure an IKE profile that references the 6 proposals created above.
[H3C]ike profile 1
[H3C-ike-profile-1]keychain 1
[H3C-ike-profile-1]match remote identity address 0.0.0.0 0
[H3C-ike-profile-1]proposal 1 2 3 4 5 6
[H3C-ike-profile-1]quit

3.3.4 Configure the IPsec transform sets
[H3C]ipsec transform-set 1
[H3C-ipsec-transform-set-1]encapsulation-mode transport
[H3C-ipsec-transform-set-1]esp encryption-algorithm 3des-cbc
[H3C-ipsec-transform-set-1]esp authentication-algorithm MD5
[H3C-ipsec-transform-set-1]quit
[H3C]ipsec transform-set 2
[H3C-ipsec-transform-set-2]encapsulation-mode transport
[H3C-ipsec-transform-set-2]esp encryption-algorithm aes-cbc-128
[H3C-ipsec-transform-set-2]esp authentication-algorithm sha1
[H3C-ipsec-transform-set-2]quit
[H3C]ipsec transform-set 3
[H3C-ipsec-transform-set-3]encapsulation-mode transport
[H3C-ipsec-transform-set-3]esp encryption-algorithm aes-cbc-256
[H3C-ipsec-transform-set-3]esp authentication-algorithm sha1
[H3C-ipsec-transform-set-3]quit
[H3C]ipsec transform-set 4
[H3C-ipsec-transform-set-4]encapsulation-mode transport
[H3C-ipsec-transform-set-4]esp encryption-algorithm des-cbc
[H3C-ipsec-transform-set-4]esp authentication-algorithm sha1
[H3C-ipsec-transform-set-4]quit
[H3C]ipsec transform-set 5
[H3C-ipsec-transform-set-5]encapsulation-mode transport
[H3C-ipsec-transform-set-5]esp encryption-algorithm 3des-cbc
[H3C-ipsec-transform-set-5]esp authentication-algorithm sha1
[H3C-ipsec-transform-set-5]quit
[H3C]ipsec transform-set 6
[H3C-ipsec-transform-set-6]encapsulation-mode transport
[H3C-ipsec-transform-set-6]esp encryption-algorithm aes-cbc-192
[H3C-ipsec-transform-set-6]esp authentication-algorithm sha1
[H3C-ipsec-transform-set-6]quit

3.3.5 Configure the IPsec policy template
Configure an IPsec policy template that references the 6 transform sets created above.
[H3C]ipsec policy-template z 1
[H3C-ipsec-policy-template-z-1]transform-set 1 2 3 4 5 6
[H3C-ipsec-policy-template-z-1]ike-profile 1
[H3C-ipsec-policy-template-z-1]quit

3.3.6 Configure the IPsec policy
[H3C]ipsec policy a 10 isakmp template z

3.3.7 Apply the IPsec policy on the WAN interface and on dialer 0
[H3C]interface GigabitEthernet 0/0
[H3C-GigabitEthernet0/0]ipsec apply policy a
[H3C-GigabitEthernet0/0]quit
[H3C]interface dialer 0
[H3C-Dialer0]ipsec apply policy a
[H3C-Dialer0]quit

3.3.8 Add an ACL to the NAT configuration on the WAN interface so that L2TP traffic is excluded from address translation
The forwarding pipeline performs NAT first and IPsec VPN afterwards. If the outbound interface does not exclude the L2TP flow from NAT, the return packets cannot match the IPsec interesting traffic.
[H3C]acl advanced 3000
[H3C-acl-ipv4-adv-3000]rule deny udp destination-port eq 1701
[H3C-acl-ipv4-adv-3000]rule permit ip source any
[H3C-acl-ipv4-adv-3000]quit
[H3C]interface GigabitEthernet 0/0 // public-facing WAN interface
[H3C-GigabitEthernet0/0]nat outbound 3000
[H3C-GigabitEthernet0/0]quit
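As an added example that is not part of the original post, the following Python script reads a Comware-style running configuration (one command per line; the sample is constructed from this post's own IKE, IPsec and NAT blocks) and flags the settings a reviewer would want changed before exposing the server to the Internet: the 3-character pre-shared key, MD5 integrity, DES/3DES ciphers and DH group 2. It also checks that the NAT ACL denies UDP 1701 before its permit rule, so the L2TP flow stays out of NAT as section 3.3.8 requires. The 16-character key threshold and the weak-algorithm sets are my assumptions.

```python
# Constructed sample (not the author's full config): the post's IKE/IPsec/NAT blocks, one command per line.
SAMPLE_CONFIG = """\
ike keychain 1
 pre-shared-key address 0.0.0.0 0 key simple 123
ike proposal 1
 encryption-algorithm aes-cbc-128
 dh group2
 authentication-algorithm md5
ipsec transform-set 4
 esp encryption-algorithm des-cbc
 esp authentication-algorithm sha1
acl advanced 3000
 rule deny udp destination-port eq 1701
 rule permit ip source any
"""
WEAK_ENC, WEAK_AUTH, WEAK_DH = {"des-cbc", "3des-cbc"}, {"md5"}, {"group1", "group2"}

def parse_blocks(text):
    """Split Comware config text into (header, [indented command lines]) pairs."""
    blocks = []
    for raw in text.splitlines():
        if raw.startswith(" "):            # indented line belongs to the current block
            blocks[-1][1].append(raw.strip().lower())
        elif raw.strip():
            blocks.append((raw.strip().lower(), []))
    return blocks

def audit_crypto(text):
    """Return (block, finding) for each weak IKE/IPsec setting; [] when clean."""
    findings = []
    for header, lines in parse_blocks(text):
        for p in (line.split() for line in lines):
            if p[0] == "pre-shared-key" and "simple" in p and len(p[p.index("simple") + 1]) < 16:
                findings.append((header, "short pre-shared key"))
            elif "encryption-algorithm" in p and p[-1] in WEAK_ENC:
                findings.append((header, f"weak cipher {p[-1]}"))
            elif "authentication-algorithm" in p and p[-1] in WEAK_AUTH:
                findings.append((header, f"weak integrity {p[-1]}"))
            elif p[0] == "dh" and p[-1] in WEAK_DH:
                findings.append((header, f"weak DH {p[-1]}"))
    return findings

def nat_acl_excludes_l2tp(text, acl="3000"):
    """True if the NAT ACL denies UDP/1701 before its permit rule (L2TP kept out of NAT)."""
    for line in dict(parse_blocks(text)).get(f"acl advanced {acl}", []):
        if line.startswith("rule deny udp") and "eq 1701" in line:
            return True
        if line.startswith("rule permit"):
            return False
    return False
```

Run `audit_crypto` and `nat_acl_excludes_l2tp` over the output of `display current-configuration` saved to a file; every finding names the block to edit.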

After adding the IPsec configuration, clients could dial into the VPN but could no longer open web pages, although QQ still worked, so it looked like a DNS problem. The earlier configuration assigned L2TP addresses from an ip pool; switching to DHCP is worth trying.

[H3C]dhcp server ip-pool test
[H3C-dhcp-pool-test]network 192.168.10.0 mask 255.255.255.0 // the earlier configuration assigned VPN clients addresses from the 192.168.10.1 subnet
[H3C-dhcp-pool-test]gateway-list 192.168.10.1
[H3C-dhcp-pool-test]dns-list 114.114.114.114
[H3C-dhcp-pool-test]address range 192.168.10.10 192.168.10.254
[H3C-dhcp-pool-test]quit
[H3C]interface Virtual-Template 1
[H3C-Virtual-Template1]ip address 192.168.10.1 24
[H3C-Virtual-Template1]remote address pool test
[H3C-Virtual-Template1]quit