VPN

L2TP (PC - LAC - LNS)

LAC:
  l2tp enable                                 / enable L2TP /
  l2tp domain suffix-separator @              / the domain separator is @ /
  domain                                      / create the domain /
    scheme none                               / authentication mode: none. User authentication is handed to the LNS; if the LAC itself must authenticate users, local accounts have to be configured /
  ppp authentication-mode pap domain          / PPP authentication domain /
  l2tp-group 1
    tunnel password simple quidway            / tunnel authentication password: quidway /
    tunnel name lac-end
    start l2tp ip 202.101.100.1 domain        / initiate the tunnel to the LNS according to the user's domain name /

LNS:
  l2tp enable                                 / enable L2TP /
  l2tp domain suffix-separator @              / the domain separator is @ /
  domain                                      / create the domain /
    ip pool 1 192.168.0.2 192.168.0.20        / addresses handed out to dial-in users /
  local-user usera                            / local account used to authenticate users /
    password simple usera
    service-type ppp
  interface Virtual-Template0
    ppp authentication-mode pap domain        / PPP authentication domain /
    ip address 192.168.0.1 255.255.255.0
    remote address pool 1                     / assign user addresses from ip pool 1 /
  l2tp-group 1
    mandatory-lcp                             / force LCP renegotiation /
    allow l2tp virtual-template 0 remote lac-end   / accept L2TP requests from lac-end and bind them to VT0 /
    tunnel password simple quidway            / tunnel authentication password: quidway /
    tunnel name lns-end

# Enable the PPPoE server on the Ethernet interface
[LAC] interface Ethernet 0/0
[LAC-Ethernet0/0] pppoe-server bind virtual-template 0
# Create the virtual-template and set its working parameters
[LAC] interface Virtual-Template 0
[LAC-Virtual-Template0] ppp authentication-mode pap

L2TP (LAC acts as the client and initiates the connection itself)

LAC:
  interface Virtual-Template1                 / VT1 settings /
    ppp authentication-mode pap
    ppp pap local-user huawei password simple hello
    l2tp-auto-client enable                   / the LAC initiates the tunnel automatically /
    ip address ppp-negotiate
  l2tp-group 1                                / tunnel settings /
    tunnel password simple 123
    tunnel name LAC
    start l2tp ip 3.3.3.2 fullusername huawei

LNS:
  l2tp-group 1
    allow l2tp virtual-template 1 remote LAC
    tunnel password simple 123
    tunnel name LNS

Verification:
Tunnel establishment:
[LAC] dis l2tp tunnel
 LocalTID  RemoteTID  RemoteAddress  Port  Sessions  RemoteName  KeepStanding
 1         1          3.3.3.2        1701  1         LNS         NO
 Total tunnel = 1
Session establishment:
[LAC] dis l2tp session
 LocalSID  RemoteSID  LocalTID  IdleTimeLeft
 5127      7186       1         NOT SET
 Total session = 1

Tips:
1. The user name, password and user type must be configured identically on both ends of the tunnel.
2. On the LNS side, the tunnel information you configure is the name of the peer end (the LAC's tunnel name).
3. When configuring the domain on the LAC side, set local authentication to none.
4. The address pool is configured inside the domain that performs the authentication.
5. Everything above travels in the clear: "password simple" and "tunnel password simple" keep the secrets as plaintext in the configuration, PAP sends the user password unencrypted, and L2TP itself provides no confidentiality or integrity. Use the cipher form of the password commands where the platform offers it, and protect the LAC-LNS path with IPsec if the transit network is untrusted.
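The tunnel password in the l2tp-group is the shared secret for L2TP tunnel authentication (RFC 2661, section 5.1.1): during the SCCRQ/SCCRP/SCCCN exchange each side answers the other's challenge with MD5(message type || secret || challenge), which is why tip 1 requires the same value at both ends. The following is an added example written for these notes, not code from the page or from any vendor; the 16-byte challenges and the small wordlist are constructed, and the plaintext-observer scenario assumes the control channel is not protected by IPsec.

```python
"""L2TP tunnel authentication (RFC 2661 section 5.1.1) modelled as the CHAP-style
challenge/response it is.  The 'tunnel password' is the shared secret; neither
end sends it, each proves knowledge of it.  Example for these notes only."""
import hashlib
import os

# L2TP control message types that carry the challenge/response AVPs
SCCRQ, SCCRP, SCCCN = 1, 2, 3


def tunnel_response(msg_type: int, secret: str, challenge: bytes) -> bytes:
    """Challenge Response AVP = MD5(message type as one octet || secret || challenge)."""
    return hashlib.md5(bytes([msg_type]) + secret.encode() + challenge).digest()


def run_handshake(lac_secret: str, lns_secret: str, rng=os.urandom) -> dict:
    """Simulate SCCRQ -> SCCRP -> SCCCN with tunnel authentication on both ends.

    Returns whether each side accepted the other's response.  With different
    'tunnel password' values both checks fail and the tunnel is refused (tip 1)."""
    # SCCRQ (LAC -> LNS) carries the LAC's challenge (constructed: 16 random bytes)
    lac_challenge = rng(16)
    # SCCRP (LNS -> LAC): answer to the LAC's challenge plus the LNS's own challenge
    lns_response = tunnel_response(SCCRP, lns_secret, lac_challenge)
    lns_challenge = rng(16)
    lac_accepts_lns = lns_response == tunnel_response(SCCRP, lac_secret, lac_challenge)
    # SCCCN (LAC -> LNS): the LAC answers the LNS's challenge
    lac_response = tunnel_response(SCCCN, lac_secret, lns_challenge)
    lns_accepts_lac = lac_response == tunnel_response(SCCCN, lns_secret, lns_challenge)
    return {
        "lac_accepts_lns": lac_accepts_lns,
        "lns_accepts_lac": lns_accepts_lac,
        "tunnel_up": lac_accepts_lns and lns_accepts_lac,
    }


def recover_secret(msg_type: int, challenge: bytes, response: bytes, wordlist):
    """Offline guess of the tunnel password from one observed challenge/response.

    L2TP control messages travel unencrypted on UDP 1701, so an on-path observer
    sees both values; this is why 'quidway' or '123' are poor tunnel passwords.
    Returns the matching word or None."""
    for word in wordlist:
        if tunnel_response(msg_type, word, challenge) == response:
            return word
    return None


if __name__ == "__main__":
    print("same secret:", run_handshake("quidway", "quidway"))
    print("different secrets:", run_handshake("quidway", "123"))
    observed_challenge = os.urandom(16)
    observed_response = tunnel_response(SCCRP, "quidway", observed_challenge)
    print("recovered:", recover_secret(SCCRP, observed_challenge, observed_response,
                                       ["huawei", "hello", "123", "quidway"]))
```

The recovery loop is a single MD5 per guess, so a long random tunnel password is the only thing that makes the observed exchange useless to an attacker; the protocol itself does not hide it.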
GRE:
  interface Tunnel0                                    / create tunnel 0 /
    ip address 192.168.0.1 255.255.255.252            / the tunnel IP must be in the same subnet as the peer's tunnel IP /
    source 202.101.1.2                                / tunnel source address /
    destination 202.101.2.2                           / tunnel destination address /
  ip route-static 0.0.0.0 0.0.0.0 202.101.1.1 preference 60           / default route to the public network /
  ip route-static 192.168.2.0 255.255.255.0 Tunnel 0 preference 60    / route to the peer's private network through the tunnel /

Tips:
1. Do not forget the route that sends the peer's private network through the tunnel.
2. GRE on its own neither encrypts nor authenticates: any host that can reach 202.101.1.2 and forge the source 202.101.2.2 can inject packets that are decapsulated into the private network. This is why the next section wraps GRE in IPsec.
IPsec in tunnel mode: typical GRE-over-IPsec configuration

Center:
  ike local-name center                      / the center's IKE local name is center /
  ike peer branch1                           / IKE peer for branch 1 /
    exchange-mode aggressive                 / IKE aggressive mode /
    pre-shared-key abc                       / pre-shared key abc /
    id-type name                             / use the name as the identity during IKE negotiation /
    remote-name branch1                      / branch 1's name is branch1 /
  #
  ike peer branch2                           / IKE peer for branch 2 /
    exchange-mode aggressive
    pre-shared-key abc
    id-type name
    remote-name branch2
  #
  ipsec proposal 1                           / define the IPsec proposal /
  #
  ipsec policy center 10 isakmp              / IPsec policy towards branch 1 /
    security acl 3001                        / ACL referenced by the policy /
    ike-peer branch1                         / reference the IKE peer /
    proposal 1                               / reference the IPsec proposal /
  ipsec policy center 20 isakmp              / towards branch 2; same pattern as branch 1 /
    security acl 3002
    ike-peer branch2
    proposal 1
  acl number 3001                            / GRE traffic from the center to branch 1 /
    rule 0 permit gre source 202.101.1.2 0 destination 202.101.2.2 0
  acl number 3002                            / GRE traffic from the center to branch 2 /
    rule 0 permit gre source 202.101.1.2 0 destination 202.101.3.2 0
  ipsec policy center                        / applied on the public-facing (WAN) interface /

Branch 1:
  ike local-name branch1                     / branch 1's IKE local name is branch1 /
  ike peer center                            / IKE peer for the center /
    exchange-mode aggressive                 / IKE aggressive mode /
    pre-shared-key abc                       / pre-shared key abc /
    id-type name                             / use the name as the identity during IKE negotiation /
    remote-name center                       / the peer's name is center /
    remote-address 202.101.1.2               / the peer's address is 202.101.1.2 (the center's public address) /
  #
  ipsec proposal 1                           / define the IPsec proposal /
  #
  ipsec policy branch1 10 isakmp             / IPsec policy towards the center /
    security acl 3001                        / ACL referenced by the policy /
    ike-peer center                          / reference the IKE peer /
    proposal 1                               / reference the IPsec proposal /
  #
  acl number 3001                            / GRE traffic from branch 1 to the center /
    rule 0 permit gre source 202.101.2.2 0 destination 202.101.1.2 0
  ipsec policy branch1                       / applied on the public-facing (WAN) interface /

Verification:
1. IKE SA state on the center:
disp ike sa
 connection-id  peer         flag  phase  doi
 ----------------------------------------------------------
 4              202.101.3.2  RD    1      IPSEC
 5              202.101.3.2  RD    2      IPSEC
 2              202.101.2.2  RD    1      IPSEC
 3              202.101.2.2  RD    2      IPSEC
 flag meaning
 RD--READY  ST--STAYALIVE  RL--REPLACED  FD--FADING  TO--TIMEOUT

2. IPsec SA state on the center:
disp ipsec sa
 ===============================
 Interface: Serial2/0/0
 path MTU: 1500
 ===============================
 -----------------------------
 IPsec policy name: "center"
 sequence number: 10
 mode: isakmp
 -----------------------------
 connection id: 3
 encapsulation mode: tunnel
 perfect forward secrecy: None
 tunnel:
   local address: 202.101.1.2
   remote address: 202.101.2.2
 flow: (72 times matched)
   sour addr: 202.101.1.2/255.255.255.255  port: 0  protocol: GRE
   dest addr: 202.101.2.2/255.255.255.255  port: 0  protocol: GRE
 [inbound ESP SAs]
   spi: 1168206412 (0x45a16a4c)
   proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
   sa remaining key duration (bytes/sec): 1887434028/3365
   max received sequence-number: 33
   udp encapsulation used for nat traversal: N
 [outbound ESP SAs]
   spi: 2150942891 (0x8034c8ab)
   proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
   sa remaining key duration (bytes/sec): 1887433260/3365
   max sent sequence-number: 36
   udp encapsulation used for nat traversal: N
 -----------------------------
 IPsec policy name: "center"
 sequence number: 20
 mode: isakmp
 -----------------------------
 connection id: 4
 encapsulation mode: tunnel
 perfect forward secrecy: None
 tunnel:
   local address: 202.101.1.2
   remote address: 202.101.3.2
 flow: (73 times matched)
   sour addr: 202.101.1.2/255.255.255.255  port: 0  protocol: GRE
   dest addr: 202.101.3.2/255.255.255.255  port: 0  protocol: GRE
 [inbound ESP SAs]
   spi: 2624895419 (0x9c74b9bb)
   proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
   sa remaining key duration (bytes/sec): 1887433796/3385
   max received sequence-number: 35
   udp encapsulation used for nat traversal: N
 [outbound ESP SAs]
   spi: 1281853764 (0x4c678944)
   proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
   sa remaining key duration (bytes/sec): 1887432856/3385
   max sent sequence-number: 39
   udp encapsulation used for nat traversal: N

Tips:
1. The configuration differences between IPsec-over-GRE and GRE-over-IPsec are visible in the IPsec-over-GRE configuration below: the ACL selects the private subnets (permit ip 192.168.x.0 ...) instead of the GRE flow between public addresses; the branch's remote-address is the center's tunnel address (10.0.0.1) rather than its public address; and the IPsec policy is applied on the Tunnel interface rather than on the public-facing interface. In GRE-over-IPsec the whole GRE packet, including any routing protocol running over the tunnel, is inside ESP; in IPsec-over-GRE the GRE header and the tunnel endpoint addresses travel in the clear and only the inner private traffic is protected.
2. The defaults shown in the verification output are weak by today's standards: proposal 1 negotiated ESP-ENCRYPT-DES with ESP-AUTH-MD5, the policy has "perfect forward secrecy: None", and aggressive mode with a pre-shared key sends the identity in the clear and lets anyone who captures the exchange attempt an offline guess of the key ("abc" here). Specify stronger ESP algorithms in the proposal, enable PFS in the policy, and use a long random pre-shared key.

Typical IPsec-over-GRE configuration:

Headquarters:
  ike local-name center                      / the center's IKE local name is center /
  ike peer branch1                           / IKE peer for branch 1 /
    exchange-mode aggressive                 / IKE aggressive mode /
    pre-shared-key abc                       / pre-shared key abc /
    id-type name                             / use the name as the identity during IKE negotiation /
    remote-name branch1                      / branch 1's name is branch1 /
  #
  ike peer branch2                           / IKE peer for branch 2 /
    exchange-mode aggressive
    pre-shared-key abc
    id-type name
    remote-name branch2
  #
  ipsec proposal 1                           / define the IPsec proposal /
  #
  ipsec policy branch1 10 isakmp             / IPsec policy towards branch 1; one policy per tunnel interface, named as in the disp ipsec sa output below /
    security acl 3001                        / ACL referenced by the policy /
    ike-peer branch1                         / reference the IKE peer /
    proposal 1                               / reference the IPsec proposal /
  #
  ipsec policy branch2 10 isakmp             / towards branch 2; same pattern as branch 1 /
    security acl 3002
    ike-peer branch2
    proposal 1
  #
  acl number 3001                            / private traffic from the center to branch 1 /
    rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
  acl number 3002                            / private traffic from the center to branch 2 (192.168.3.0/24, as the flow in the output below shows) /
    rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
  interface Tunnel0
    ipsec policy branch1                     / apply IPsec policy branch1 on tunnel 0 /
  interface Tunnel1
    ipsec policy branch2                     / apply IPsec policy branch2 on tunnel 1 /

Branch 1:
  ike local-name branch1                     / branch 1's IKE local name is branch1 /
  ike peer center                            / IKE peer for the center /
    exchange-mode aggressive                 / IKE aggressive mode /
    pre-shared-key abc                       / pre-shared key abc /
    id-type name                             / use the name as the identity during IKE negotiation /
    remote-name center                       / the peer's name is center /
    remote-address 10.0.0.1                  / the peer's address is 10.0.0.1 (the center's tunnel address) /
  #
  ipsec proposal 1                           / define the IPsec proposal /
  #
  ipsec policy branch1 10 isakmp             / IPsec policy towards the center /
    security acl 3001                        / ACL referenced by the policy /
    ike-peer center                          / reference the IKE peer /
    proposal 1                               / reference the IPsec proposal /
  #
  acl number 3001                            / private traffic from branch 1 to the center /
    rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
  interface Tunnel0
    ipsec policy branch1                     / apply IPsec policy branch1 on tunnel 0 /

Verification:
1. IKE SA state on the center:
disp ike sa
 connection-id  peer      flag  phase  doi
 ----------------------------------------------------------
 44             10.0.0.2  RD    1      IPSEC
 48             10.0.0.6  RD    2      IPSEC
 47             10.0.0.6  RD    1      IPSEC
 45             10.0.0.2  RD    2      IPSEC
 flag meaning
 RD--READY  ST--STAYALIVE  RL--REPLACED  FD--FADING  TO--TIMEOUT

2. IPsec SA state on the center:
disp ipsec sa
 ===============================
 Interface: Tunnel0
 path MTU: 64000
 ===============================
 -----------------------------
 IPsec policy name: "branch1"
 sequence number: 10
 mode: isakmp
 -----------------------------
 connection id: 8
 encapsulation mode: tunnel
 perfect forward secrecy: None
 tunnel:
   local address: 10.0.0.1
   remote address: 10.0.0.2
 flow: (4 times matched)
   sour addr: 192.168.1.0/255.255.255.0  port: 0  protocol: IP
   dest addr: 192.168.2.0/255.255.255.0  port: 0  protocol: IP
 [inbound ESP SAs]
   spi: 2701983530 (0xa10cff2a)
   proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
   sa remaining key duration (bytes/sec): 1887436664/2136
   max received sequence-number: 2
   udp encapsulation used for nat traversal: N
 [outbound ESP SAs]
   spi: 2132567950 (0x7f1c678e)
   proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
   sa remaining key duration (bytes/sec): 1887436632/2136
   max sent sequence-number: 3
   udp encapsulation used for nat traversal: N
 ===============================
 Interface: Tunnel1
 path MTU: 64000
 ===============================
 -----------------------------
 IPsec policy name: "branch2"
 sequence number: 10
 mode: isakmp
 -----------------------------
 connection id: 9
 encapsulation mode: tunnel
 perfect forward secrecy: None
 tunnel:
   local address: 10.0.0.5
   remote address: 10.0.0.6
 flow: (18 times matched)
   sour addr: 192.168.1.0/255.255.255.0  port: 0  protocol: IP
   dest addr: 192.168.3.0/255.255.255.0  port: 0  protocol: IP
 [inbound ESP SAs]
   spi: 1612204948 (0x60184b94)
   proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
   sa remaining key duration (bytes/sec): 1887436188/2886
   max received sequence-number: 9
   udp encapsulation used for nat traversal: N
 [outbound ESP SAs]
   spi: 3432409622 (0xcc966a16)
   proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
   sa remaining key duration (bytes/sec): 1887436044/2886
   max sent sequence-number: 10
   udp encapsulation used for nat traversal: N

VRRP:
  vrrp ping-enable                           / allow the virtual IP to answer ping /
  vrrp vrid 1 virtual-ip 10.0.0.254          / virtual IP /
  vrrp vrid 1 priority 120                   / priority 120, above the default of 100 /
  vrrp vrid 1 track Serial2/0/0 reduced 30   / monitored interface: if it goes down the priority drops by 30, to 90, so the backup at 100 takes over /

Verification: under normal conditions the VRRP state of RouterA and RouterB is as follows:

Tips:
1. Without vrrp ping-enable the virtual gateway address cannot be pinged, although forwarding works normally.
2. VRRP advertisements are accepted from any host on the segment, so a rogue device advertising a priority above 120 becomes master for 10.0.0.254. Treat the VRRP segment as trusted infrastructure, or restrict which ports can reach the routers' interfaces.