H3CMSR路由器配置Word下载.docx
《H3CMSR路由器配置Word下载.docx》由会员分享,可在线阅读,更多相关《H3CMSR路由器配置Word下载.docx(6页珍藏版)》请在冰豆网上搜索。
H3C>
system-view
[H3C]natstaticoutbound192.168.1.248119.57.73.70
[H3C]interfaceGigabitEthernet0/0
[H3C-GigabitEthernet0/0]ipaddress119.57.73.70255.255.255.248sub
[H3C-GigabitEthernet0/0]natstaticenable
[H3C-GigabitEthernet0/0]quit
NAT端口映射
[H3C]interfaceGigabitEthernet0/0
//进入设备公网接口
[H3C-GigabitEthernet0/0]
natserverprotocoltcpglobal119.57.73.675366inside192.168.1.675366
natserverprotocoltcpglobal119.57.73.675367inside192.168.1.675367
natserverprotocoltcpglobal119.57.73.678081inside192.168.1.2448081
natserverprotocoltcpglobal119.57.73.678123inside192.168.1.2508443
natserverprotocoltcpglobal119.57.73.6733890inside192.168.1.883389
L2TPoveripsec
1.开启L2TP功能。
[H3C]l2tpenable
2.配置本地用户名和密码,可配置多个用户
[H3C]local-user
hnjb
classnetwork
//配置拨号用户名
Newlocaluseradded.
[H3C-luser-network-hnjb]passwordsimple
hnjb8013
//配置拨号密码
[H3C-luser-network-hnjb]service-typeppp
[H3C-luser-network-hnjb]quit
3.配置用户认证方式和IP地址池
[H3C]domainsystem
[H3C-isp-system]authenticationppplocal
//配置PPP用户的认证方式为本地认证
[H3C-isp-system]quit
[H3C]ippool1010.1.1.1010.1.1.100
//配置为拨入终端分配的IP地址范围
4.创建虚拟模板接口
[H3C]interfaceVirtual-Template0
[H3C-Virtual-Template0]pppauthentication-mode
chap
//配置本端PPP协议对终端的验证方式为CHAP
[H3C-Virtual-Template0]remoteaddresspool
10
//在虚模板视图下指定为用户分配IP的地址池
[H3C-Virtual-Template0]ipaddress
10.1.1.124
[H3C-Virtual-Template0]pppipcpdns219.141.140.10114.114.114.114配置DNS
[H3C-Virtual-Template0]quit
5.创建并配置L2TP组
[H3C]
l2tp-group1modelns
[H3C-l2tp1]undotunnelauthentication
//取消L2TP隧道验证功能,因为很多终端系统不支持隧道验证功能。
[H3C-l2tp1]allowl2tpvirtual-template
[H3C-l2tp1]quit
配置IPsec功能
A.
创建并进入一个IKEkeychain视图,该视图用于配置IKE对等体的密钥信息。
[H3C]ikekeychain
keychain1
[H3C-ike-keychain-keychain1]pre-shared-keyaddress0.0.0.00.0.0.0
keysimple
hnjb2017
//配置预共享密钥123456。
[H3C-ike-keychain-keychain1]quit
配置IKE对等体
[H3C]ikeprofile
profile1
[H3C-ike-profile-profile1]keychain
[H3C-ike-profile-profile1]local-identityaddress
119.57.73.67
//指定标识本端身份的IP地址。
[H3C-ike-profile-profile1]matchremoteidentityaddress0.0.0.00.0.0.0
//指定对端身份FQDN名称。
[H3C-ike-profile-profile1]proposal123456
[H3C-ike-profile-profile1]quit
配置IPsec安全提议
[H3C]ipsectransform-set
tran1
[H3C-ipsec-transform-set-tran1]espencryption-algorithmdes-cbc
[H3C-ipsec-transform-set-tran1]espauthentication-algorithmmd5
[H3C-ipsec-transform-set-tran1]quit
配置IPSec安全策略模板
[H3C]ipsecpolicy-template
msr
1
[H3C-ipsec-policy-template-msr-1]
ike-profile
profile1
//引用之前配置的IKE对等体
[H3C-ipsec-policy-template-msr-1]transform-set
123456
//引用之前配置的IPsec安全提议
[H3C-ipsec-policy-template-msr-1]quit
创建IPSec安全策略并引用安全策略模板
[H3C]ipsecpolicy
123
1isakmptemplate
msr
在公网接口上应用IPsec安全策略。
[H3C-GigabitEthernet0/0]ipsecapplypolicy
123
ikeproposal1
encryption-algorithmaes-cbc-128
dhgroup2
authentication-algorithmmd5
ikeproposal2
encryption-algorithm3des-cbc
ikeproposal3
ikeproposal4
encryption-algorithmaes-cbc-256
ikeproposal5
ikeproposal6
encryption-algorithmaes-cbc-192
ipsectransform-set1
encapsulation-modetransport
espencryption-algorithm3des-cbc
espauthentication-algorithmmd5
ipsectransform-set2
espencryption-algorithmaes-cbc-128
espauthentication-algorithmsha1
ipsectransform-set3
espencryption-algorithmaes-cbc-256
ipsectransform-set4
espencryption-algorithmdes-cbc
ipsectransform-set5
ipsectransform-set6
espencryption-algorithmaes-cbc-192