Huawei dial-up client: L2TP over IPsec configuration
1 Topology
2 Configuration
2025-09-18 13:17:47.260
!Software Version V500R005C10SPC300
sysname fw1
l2tp enable
l2tp domain suffix-separator @
l2tp idle-timeout 1800
ipsec sha2 compatible enable
undo telnet server enable
undo telnet ipv6 server enable
update schedule location-sdb weekly Sun 03:04
firewall defend action discard
banner enable
user-manage web-authentication security port 8887
undo privacy-statement english
undo privacy-statement chinese
page-setting
user-manage security version tlsv1.1 tlsv1.2
password-policy
level high
user-manage single-sign-on ad
user-manage single-sign-on tsm
user-manage single-sign-on radius
user-manage auto-sync online-user
web-manager security version tlsv1.1 tlsv1.2
web-manager enable
web-manager security enable
firewall dataplane to manageplane application-apperceive default-action drop
undo ips log merge enable
decoding uri-cache disable
update schedule ips-sdb daily 22:50
update schedule av-sdb daily 22:50
update schedule sa-sdb daily 22:50
update schedule cnc daily 22:50
update schedule file-reputation daily 22:50
ip vpn-instance default
ipv4-family
time-range worktime
period-range 08:00:00 to 18:00:00 working-day
ike proposal default
encryption-algorithm aes-256 aes-192 aes-128
dh group14
authentication-algorithm sha2-512 sha2-384 sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
aaa
authentication-scheme default
authentication-scheme admin_local
authentication-scheme admin_radius_local
authentication-scheme admin_hwtacacs_local
authentication-scheme admin_ad_local
authentication-scheme admin_ldap_local
authentication-scheme admin_radius
authentication-scheme admin_hwtacacs
authentication-scheme admin_ad
authorization-scheme default
accounting-scheme default
service-scheme webServerScheme1758201089003
domain default
service-scheme webServerScheme1758201089003
service-type internetaccess ssl-vpn l2tp ike
internet-access mode password
reference user current-domain
manager-user audit-admin
password cipher @%@%G\RZLnu|:uC&c#;CFDy84I}l</CHDBN@mY'=<O&XQ87y@%@%
service-type web terminal
level 15
manager-user api-admin
password cipher @%@%kMz,:9W+d!vZ7NU:[!4LddZn>7VnEv\V*~]R|W4*LoOCdZqd@%@%
level 15
manager-user admin
password cipher @%@%9>H.~EG|s:N9’/:Q8p.+3F{P7XXCGBmlo*`3%TJV:Fc>F{S3@%@%
service-type web terminal
level 15
role system-admin
role device-admin
role device-admin(monitor)
role audit-admin
bind manager-user audit-admin role audit-admin
bind manager-user admin role system-admin
l2tp-group default-lns
l2tp-group lac-lns
tunnel password cipher %$%$,>kQ9|jPW0OX{Npa+i"KZo^%$%$
tunnel name lns
allow l2tp virtual-template 0 remote lac domain default
interface Virtual-Template0
ppp authentication-mode pap
remote address 172.16.1.2
ip address 172.16.1.1 255.255.255.0
alias L2TP_LNS_0
undo service-manage enable
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 192.168.0.1 255.255.255.0
alias GE0/METH
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.200.250 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
interface GigabitEthernet1/0/1
undo shutdown
interface GigabitEthernet1/0/2
undo shutdown
interface GigabitEthernet1/0/3
undo shutdown
interface GigabitEthernet1/0/4
undo shutdown
interface GigabitEthernet1/0/5
undo shutdown
interface GigabitEthernet1/0/6
undo shutdown
interface Virtual-if0
interface NULL0
firewall zone local
set priority 100
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0
add interface Virtual-Template0
firewall zone dmz
set priority 50
undo ssh server compatible-ssh1x enable
ssh authentication-type default password
ssh server cipher aes256_ctr aes128_ctr
ssh server hmac sha2_256 sha1
ssh client cipher aes256_ctr aes128_ctr
ssh client hmac sha2_256 sha1
firewall detect ftp
user-interface con 0
authentication-mode aaa
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
user-interface vty 16 20
pki realm default
sa
location
multi-linkif
mode proportion-of-weight
right-manager server-group
device-classification
device-group pc
device-group mobile-terminal
device-group undefined-group
user-manage server-sync tsm
security-policy
rule name 192.168.200.0
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
source-address 192.168.200.0 mask 255.255.255.0
destination-address 192.168.200.0 mask 255.255.255.0
action permit
rule name 2
action permit
rule name LAC-LNS
description L2TP策略(lac-lns)引入
source-zone local
action permit
auth-policy
traffic-policy
policy-based-route
nat-policy
quota-policy
pcp-policy
dns-transparent-policy
rightm-policy
return
Here you can see that the directly connected subnet is reachable.
Can the web interface be logged into now?
The L2TP session information can be seen.
interface Virtual-Template0
ppp authentication-mode pap
remote address 172.16.100.1
ip address 172.16.100.254 255.255.255.0
alias L2TP_LNS_0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
return