Network environment:
WAN1 dials up via PPPoE, dynamic IP
WAN2 connects to the campus network and has a fixed IP; the gateway is 172.19.39.1
Requirements:
Build a VPN that can be dialed into from anywhere.
VPN accounts are grouped; accounts in different groups obtain different IPs when they dial in.
Two VPN IP ranges: 192.168.20.0 and 192.168.10.0
(An attempt to do this with domains alone failed)
Two VPN tunnel groups are now configured. The default tunnel uses the 192.168.10.0 range and, via an ACL, exits through WAN2 (so that after all devices dial in, the library resources can be used).
A computer named ASUS dialing into the VPN goes through the other tunnel, gets an IP in 192.168.20.0, and exits through WAN1. (Latest update: there is actually a workaround, and the computer name does not need to be changed to ASUS (at home I currently use an RT-AC54U). After completing the configuration, open the properties of the configured VPN connection and, under TCP/IPv4, manually set the IP address to 192.168.20.*. On Win7, the VPN configuration is as follows)
Steps:
1. Configure PPPoE on the WAN1 port
2. Turn one LAN port into the WAN2 port, then give this WAN2 port a fixed IP (i.e. the IP I want to be able to ping)
3. NAT is enabled on both WAN ports above.
4. Add static routes: 0.0.0.0 with next hop WAN1, preference 1; 0.0.0.0 with next hop WAN2, preference 60.
5. Enable DHCP on the LAN port.
6. Configure the static route 172.16.0.0 255.240.0.0 with next hop 172.19.39.1 and outgoing interface Gig 0/0/0 (this sends the whole class B private range out WAN2; otherwise, pinging the router's WAN2 IP from the campus network makes the reply leave via WAN1 (i.e. the ping enters at WAN2 but the reply leaves at WAN1, so the ping fails)).
7. Configure static routes 202.202.0.0 and 222.198.0.0 with mask 255.255.0.0 and the same next hop as in step 6 (all campus-network website IPs go via WAN2)
8. For now the Huawei router cannot be configured so that an iPhone connects to the VPN (the tutorials online are unreliable).
Login authentication

Username:
Password:
-----------------------------------------------------------------------------
User last login information:
-----------------------------------------------------------------------------
Access Type: Web
IP-Address : 192.168.1.247
Time : 2016-06-12 13:40:06+00:00
-----------------------------------------------------------------------------
sys
Enter system view, return user view with Ctrl+Z.
// enable L2TP
[Huawei]l2tp enable
// configure address pool 1
[Huawei]ip pool 1
Info: It's successful to create an IP address pool.
// gateway
[Huawei-ip-pool-1]gateway-list 192.168.10.1
// network and subnet mask
[Huawei-ip-pool-1]network 192.168.10.0 mask 255.255.255.0
[Huawei-ip-pool-1]quit
// configure address pool 2
[Huawei]ip pool 2
Info: It's successful to create an IP address pool.
[Huawei-ip-pool-2]gateway-list 192.168.20.1
[Huawei-ip-pool-2]network 192.168.20.0 mask 255.255.255.0
[Huawei-ip-pool-2]quit
// configure the accounts
[Huawei]aaa
[Huawei-aaa]authentication-scheme lmt
Info: Create a new authentication scheme.
// configure the domain
[Huawei-aaa-authen-lmt]domain cqnv.com
Info: Success to create a new domain.
[Huawei-aaa-domain-cqnv.com]authentication-scheme lmt
// configure account 1@cqnv.com
[Huawei-aaa-domain-cqnv.com]local-user 1@cqnv.com password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, including lowercase letters, uppercase letters, numerals and special characters.
Please enter password:
Please confirm password:
Info: Add a new user.
[Huawei-aaa]local-user 1@cqnv.com privilege level 0
Info: After you change the rights (including the password, access type, FTP directory, and level) of a local user, the rights of users already online do not change. The change takes effect to users who go online after the change.
[Huawei-aaa]local-user 1@cqnv.com service-type ppp
Info: After you change the rights (including the password, access type, FTP directory, and level) of a local user, the rights of users already online do not change. The change takes effect to users who go online after the change.
[Huawei-aaa]quit
[Huawei]aaa
[Huawei-aaa]authentication-scheme lmt
[Huawei-aaa-authen-lmt]domain cqnv.net
Info: Success to create a new domain.
[Huawei-aaa-domain-cqnv.net]authentication-scheme lmt
[Huawei-aaa-domain-cqnv.net]local-user 1@cqnv.net password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, including lowercase letters, uppercase letters, numerals and special characters.
Please enter password:
Please confirm password:
Info: Add a new user.
[Huawei-aaa]local-user 1@cqnv.net privilege level 0
Info: After you change the rights (including the password, access type, FTP directory, and level) of a local user, the rights of users already online do not change. The change takes effect to users who go online after the change.
[Huawei-aaa]local-user 1@cqnv.net service-type ppp
Info: After you change the rights (including the password, access type, FTP directory, and level) of a local user, the rights of users already online do not change. The change takes effect to users who go online after the change.
[Huawei-aaa]quit
// configure template 1
[Huawei]interface Virtual-Template1
[Huawei-Virtual-Template1]ppp authentication-mode chap domain cqnv.com
[Huawei-Virtual-Template1]remote address pool 1
// configure DNS for the VPN so that dial-in users can reach websites by domain name
[Huawei-Virtual-Template1]ppp ipcp dns 61.128.128.68 8.8.8.8
[Huawei-Virtual-Template1]ip address 192.168.10.1 255.255.255.0
[Huawei-Virtual-Template1]quit
// configure template 2
[Huawei]interface Virtual-Template2
[Huawei-Virtual-Template2]ppp authentication-mode chap domain cqnv.net
[Huawei-Virtual-Template2]remote address pool 2
[Huawei-Virtual-Template2]ppp ipcp dns 202.202.96.33 61.128.128.68
[Huawei-Virtual-Template2]ip address 192.168.20.1 255.255.255.0
[Huawei-Virtual-Template2]quit
// configure group 1
[Huawei]l2tp-group 1
[Huawei-l2tp1]undo tunnel authentication
Warning: Tunnel authentication was disabled. There are security risks.
[Huawei-l2tp1]allow l2tp virtual-template 1
[Huawei-l2tp1]quit
// configure group 2
[Huawei]l2tp-group 2
[Huawei-l2tp2]undo tunnel authentication
Warning: Tunnel authentication was disabled. There are security risks.
// the "remote ABCD" part is optional by default, but with more than two tunnels it must be set. When dialing from a PC, "ASUS" must be the computer name of the PC (or router).
[Huawei-l2tp2]allow l2tp virtual-template 2 remote ASUS
[Huawei-l2tp2]quit
// configure the ACL
[Huawei]acl 3001
// the wildcard mask 0.0.0.255 selects the address range 192.168.10.0-192.168.10.255
[Huawei-acl-adv-3001]rule 5 permit ip source 192.168.10.0 0.0.0.255
// configure the traffic classifier, named redirect:
[Huawei-acl-adv-3001]traffic classifier redirect operator or
[Huawei-classifier-redirect]if-match acl 3001
// configure the traffic behavior, named redirect
[Huawei-classifier-redirect]traffic behavior redirect
// redirect the next hop to 172.19.39.1 (this takes precedence over the static routes)
[Huawei-behavior-redirect]redirect ip-nexthop 172.19.39.1
// configure the traffic policy, named redirect, binding classifier redirect to behavior redirect
[Huawei-behavior-redirect]traffic policy redirect
[Huawei-trafficpolicy-redirect]classifier redirect behavior redirect
// apply the traffic policy redirect to virtual-template1 (the VPN's virtual interface)
[Huawei-trafficpolicy-redirect]interface virtual-template1
[Huawei-virtual-template1]traffic-policy redirect inbound
[Huawei-virtual-template1]quit
// change the web management ports to free up 443 and 80
[Huawei]http secure-server port 1080
[Huawei]http server port 8080
[Huawei]quit
// view the router configuration
disp cu
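The forwarding behaviour that steps 4, 6 and 7 and the ACL/traffic-policy section rely on can be checked offline. The following Python script is an added example, not the router's code or anything from the original post: it models the static routes (default via WAN1 with preference 1, default via WAN2 with preference 60, the 172.16.0.0/12, 202.202.0.0/16 and 222.198.0.0/16 routes via 172.19.39.1), converts the ACL wildcard mask 0.0.0.255 into a prefix, and applies the inbound traffic policy on Virtual-Template1 before the routing table is consulted, so that a pool 1 client exits via WAN2 while a pool 2 client exits via WAN1. The interface labels, preference 60 on the step 6/7 routes, and the sample packets are assumptions made for this example; it also shows what happens to a reply toward the campus network when the step 6 route is missing.

```python
"""Toy forwarding decision for the dual-WAN + L2TP setup (added example, not router code)."""
import ipaddress
from dataclasses import dataclass

# Assumed labels for the two exits; the page gives WAN1 a dynamic IP and WAN2 the gateway 172.19.39.1.
WAN1 = "WAN1 (PPPoE, dynamic IP)"
WAN2 = "WAN2 via next hop 172.19.39.1 (campus network)"


@dataclass(frozen=True)
class StaticRoute:
    prefix: ipaddress.IPv4Network
    egress: str
    preference: int  # among routes with the same prefix length, lower wins


def route(prefix: str, egress: str, preference: int = 60) -> StaticRoute:
    # preference 60 is the assumed default for the step 6/7 routes, which the page leaves unstated
    return StaticRoute(ipaddress.ip_network(prefix), egress, preference)


ROUTES_WITH_STEP6 = [
    route("0.0.0.0/0", WAN1, 1),        # step 4: default via WAN1, preference 1
    route("0.0.0.0/0", WAN2, 60),       # step 4: default via WAN2, preference 60
    route("172.16.0.0/12", WAN2),       # step 6: class B private range via campus gateway
    route("202.202.0.0/16", WAN2),      # step 7
    route("222.198.0.0/16", WAN2),      # step 7
]
# The same table without step 6, to reproduce the asymmetric-routing problem the page describes.
ROUTES_WITHOUT_STEP6 = [r for r in ROUTES_WITH_STEP6 if str(r.prefix) != "172.16.0.0/12"]


def wildcard_to_network(address: str, wildcard: str) -> ipaddress.IPv4Network:
    """Huawei ACL 'source A W' uses an inverse mask: 0 bits in W must match, 1 bits are ignored."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    prefix_len = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF:
        raise ValueError("only contiguous wildcard masks are handled by this example")
    return ipaddress.ip_network(f"{address}/{prefix_len}", strict=False)


ACL_3001 = wildcard_to_network("192.168.10.0", "0.0.0.255")  # rule 5 permit ip source 192.168.10.0 0.0.0.255

# traffic-policy redirect inbound on virtual-template1: ACL 3001 -> redirect ip-nexthop 172.19.39.1
POLICY = {"Virtual-Template1": (ACL_3001, WAN2)}


def fib_lookup(dst: str, routes) -> str:
    """Longest prefix match first, then lowest preference (the page's two default routes)."""
    d = ipaddress.ip_address(dst)
    candidates = [r for r in routes if d in r.prefix]
    best = max(candidates, key=lambda r: (r.prefix.prefixlen, -r.preference))
    return best.egress


def forward(src: str, dst: str, ingress: str, routes=ROUTES_WITH_STEP6) -> str:
    """Return the exit a packet takes: policy on the ingress interface wins over the routing table."""
    if ingress in POLICY:
        acl, next_hop = POLICY[ingress]
        if ipaddress.ip_address(src) in acl:
            return next_hop
    return fib_lookup(dst, routes)


if __name__ == "__main__":
    # Constructed sample packets (src, dst, ingress interface) for illustration.
    samples = [
        ("192.168.10.5", "8.8.8.8", "Virtual-Template1"),     # pool 1 client to the internet
        ("192.168.20.5", "8.8.8.8", "Virtual-Template2"),     # pool 2 client to the internet
        ("192.168.20.5", "202.202.96.33", "Virtual-Template2"),  # pool 2 client to a campus site
        ("192.168.1.10", "172.19.40.7", "LAN"),               # LAN host replying toward campus
    ]
    for src, dst, ingress in samples:
        print(f"{src:>14} -> {dst:<14} in {ingress:<17} exits {forward(src, dst, ingress)}")
    print("without step 6, the reply to 172.19.40.7 exits",
          forward("192.168.1.10", "172.19.40.7", "LAN", routes=ROUTES_WITHOUT_STEP6))
```

Running it shows the asymmetric path the page warns about: without the 172.16.0.0/12 route, a reply to a campus host matches only the two default routes and leaves via WAN1 (preference 1), so the campus side never sees it.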
Also note that the Windows client must be configured to disable IPsec encryption. This is done by editing the registry: under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters
set ProhibitIPSec to 1. If the value does not exist, create it yourself.
The detailed steps are as follows:
Windows client settings
On Windows 2000/XP/2003, L2TP starts certificate-based IPsec by default, so the ProhibitIpSec registry value must be added to Windows to prevent the automatic filter for L2TP/IPsec traffic from being created.
When the ProhibitIpSec registry value is set to 1, a Windows 2000-based computer does not create the automatic filter that uses CA authentication; instead it checks the local IPsec policy or the Active Directory IPsec policy.
To add the ProhibitIpSec registry value to Windows, follow these steps:
1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters
3. Create a new DWORD value in that key.
4. Rename the value to "ProhibitIpSec".
5. Double-click the value, change Value data to "1", and then click OK.
6. Exit Registry Editor and restart the computer.
Copyright notice: Unless otherwise stated, the text and images in this article are original. No organization or individual may reprint them or produce any kind of publication from them without permission, including but not limited to this site's images, text, and audio/video.
Sorry, I was on holiday and only just saw your comment.
In theory the web UI can do it, but why would you want to use the web UI? I have already given the complete commands above.
Maybe what you need is to set up a VPN? VPN on this Huawei router does not support dial-in from iPhones (so far I have never managed to reproduce their so-called tutorials).
For dual-WAN access, the goal I wanted to achieve was different, so it was quite complicated too. At the time I called Huawei customer service many times and consulted Huawei experts, and basically only what I described above could be done.
Hello, I finally found some material on the AR151-S2 online. This is my first time dealing with an enterprise-grade router and I'm completely lost. Can all of these configurations be done on the web UI? If you have time, could you write a tutorial for the web UI? I'd like to learn from easy to hard; right now the code leaves me baffled.