Enter configuration mode
configure
Add firewall rules for the L2TP/IPsec traffic to the local firewall policy (WAN_LOCAL, the rule set that controls traffic addressed to the router itself)
Note: make sure the rule numbers used here (30, 40, 50 and 60) do not overwrite any existing rules. Rule 60 accepts UDP 1701 only for packets that arrived inside IPsec (ipsec match-ipsec); plain L2TP from the Internet is not matched by it and falls through to the policy's default action.
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description ike
set firewall name WAN_LOCAL rule 30 destination port 500
set firewall name WAN_LOCAL rule 30 log disable
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description esp
set firewall name WAN_LOCAL rule 40 log disable
set firewall name WAN_LOCAL rule 40 protocol esp
set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 description nat-t
set firewall name WAN_LOCAL rule 50 destination port 4500
set firewall name WAN_LOCAL rule 50 log disable
set firewall name WAN_LOCAL rule 50 protocol udp
set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description l2tp
set firewall name WAN_LOCAL rule 60 destination port 1701
set firewall name WAN_LOCAL rule 60 ipsec match-ipsec
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 protocol udp
Configure the server authentication settings. This example uses local authentication. The IPsec pre-shared secret and the user's password are two separate values; use a long random string for each.
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret>
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username <username> password <secret>
Define the IP address pool that VPN clients will be assigned from
Note: if the pool lies in the same subnet as the router's LAN, make sure it does not overlap with the addresses handed out by the DHCP server. Alternatively, use a separate range in a subnet unrelated to the LAN gateway.
set vpn l2tp remote-access client-ip-pool start 192.168.100.240
set vpn l2tp remote-access client-ip-pool stop 192.168.100.249
Define the DNS servers that VPN clients will use
set vpn l2tp remote-access dns-servers server-1 <address>
set vpn l2tp remote-access dns-servers server-2 <address>
Define the WAN interface that will receive L2TP requests from clients. Configure only one of the following statements, matching how the WAN interface gets its address:
# WAN interface receives its address via DHCP
set vpn l2tp remote-access dhcp-interface eth0
# WAN interface has a static address
set vpn l2tp remote-access outside-address <wan-address>
# WAN interface receives its address via PPPoE
set vpn l2tp remote-access outside-address 0.0.0.0
Define the interface on which IPsec will listen for the clients' L2TP/IPsec connections
set vpn ipsec ipsec-interfaces interface eth0
If VPN users also need to reach the Internet through the ER's WAN port, configure DNS forwarding so that the router answers their DNS queries.
Here "192.168.1.1" is the LAN gateway address of your ER.
set service dns forwarding options "listen-address=192.168.1.1"
Commit the changes and save the configuration
commit ; save
After a client has connected successfully, check its status
Log in to the ER5 over SSH; from operational mode (or with the `run` prefix inside configuration mode) the following command shows the IP addresses and related details of the clients connected to the VPN
show vpn remote-access
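The whole procedure above as one script (an added example, not part of the original page): it renders the configuration as EdgeOS `set` commands, one per line, and first checks the router's existing configuration dump so that the WAN_LOCAL rule numbers 30/40/50/60 do not overwrite rules that are already there. The interface name eth0, the addresses, the user name vpnuser and the sample configuration dump are assumptions for illustration; the script does not talk to the router itself.

```shell
#!/bin/sh
# Added example (not from the original page): renders the L2TP/IPsec
# remote-access setup as EdgeOS "set" commands and first checks that the
# WAN_LOCAL rule numbers it needs are still free in the router's existing
# configuration. Interface name, addresses, user name and the sample dump
# are assumptions for illustration.

L2TP_RULES="30 40 50 60"   # WAN_LOCAL rule numbers used by the setup

# l2tp_rule_conflicts DUMP_FILE
#   DUMP_FILE contains the router's `show configuration commands` output.
#   Prints each number from L2TP_RULES that already has a WAN_LOCAL rule and
#   returns 1 if any was found, 0 when all four numbers are free.
l2tp_rule_conflicts() {
    found=0
    for n in $L2TP_RULES; do
        if grep -q "^set firewall name WAN_LOCAL rule $n " "$1"; then
            echo "$n"
            found=1
        fi
    done
    return $found
}

# render_l2tp_config WAN_IF LAN_GW POOL_START POOL_STOP USER
#   Reads the IPsec pre-shared key from $L2TP_PSK and the user's password
#   from $L2TP_USER_PASS (two different values; keep them out of argv and
#   shell history) and prints one `set` command per line, ready to paste
#   after `configure`. The router's LAN address is handed to clients as
#   their DNS server, which is why the forwarder must listen on it.
render_l2tp_config() {
    wan="$1" lan_gw="$2" start="$3" stop="$4" user="$5"
    psk="${L2TP_PSK:?L2TP_PSK is not set}"
    pass="${L2TP_USER_PASS:?L2TP_USER_PASS is not set}"
    cat <<EOF
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description ike
set firewall name WAN_LOCAL rule 30 destination port 500
set firewall name WAN_LOCAL rule 30 log disable
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description esp
set firewall name WAN_LOCAL rule 40 log disable
set firewall name WAN_LOCAL rule 40 protocol esp
set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 description nat-t
set firewall name WAN_LOCAL rule 50 destination port 4500
set firewall name WAN_LOCAL rule 50 log disable
set firewall name WAN_LOCAL rule 50 protocol udp
set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description l2tp
set firewall name WAN_LOCAL rule 60 destination port 1701
set firewall name WAN_LOCAL rule 60 ipsec match-ipsec
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 protocol udp
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret $psk
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username $user password $pass
set vpn l2tp remote-access client-ip-pool start $start
set vpn l2tp remote-access client-ip-pool stop $stop
set vpn l2tp remote-access dns-servers server-1 $lan_gw
set vpn l2tp remote-access dhcp-interface $wan
set vpn ipsec ipsec-interfaces interface $wan
set service dns forwarding options "listen-address=$lan_gw"
EOF
}

# Constructed sample of `show configuration commands` from a router that
# already has a WAN_LOCAL rule 40: the check must flag it before anything
# is pasted into the configuration.
sample="${TMPDIR:-/tmp}/wan_local_sample.$$"
cat >"$sample" <<'EOF'
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 40 action drop
set firewall name WAN_LOCAL rule 40 description "ssh from guest vlan"
EOF
if busy=$(l2tp_rule_conflicts "$sample"); then
    echo "WAN_LOCAL rules $L2TP_RULES are free"
else
    echo "renumber before applying; already in use: $busy" >&2
fi
rm -f "$sample"

# Render the configuration with freshly generated secrets (48 hex chars
# each); in practice export L2TP_PSK / L2TP_USER_PASS from a secret store.
L2TP_PSK=$(od -An -N24 -tx1 /dev/urandom | tr -d ' \n')
L2TP_USER_PASS=$(od -An -N24 -tx1 /dev/urandom | tr -d ' \n')
export L2TP_PSK L2TP_USER_PASS
render_l2tp_config eth0 192.168.1.1 192.168.100.240 192.168.100.249 vpnuser
```

To apply it, save the router's `show configuration commands` output to a file, run the conflict check against that file, renumber the rules if anything is reported, then paste the rendered lines after `configure` and finish with `commit ; save`. If the WAN port uses a static address or PPPoE, replace the `dhcp-interface` line with the matching `outside-address` statement from the step above.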
Device MTU
On Windows, with a single PC connected directly to the ONT (optical modem) and the PPPoE dial-up established, run the following command in CMD:
> netsh interface ip show interface

Idx     Met         MTU          State                Name
---  ----------  ----------  ------------  ---------------------------
 24          25        1480  connected     Broadband Connection (宽带连接, the PPPoE dial-up)
  1        4300  4294967295  connected     Loopback Pseudo-Interface 1
  6        4250        1500  connected     Ethernet (以太网)

The value to note is the MTU of the PPPoE dial-up connection (1480 here), which is smaller than the 1500 of the physical Ethernet adapter.