1. Lab objective and topology
The client cloud first establishes a PPPoE session with the NAS (FW2). FW2, acting as the LAC, then builds an L2TP tunnel to the server-side firewall FW1 (the LNS). Finally, the PPP session runs end to end between the client cloud and FW1 over that tunnel, so FW1 authenticates the user and assigns the address.
2. Basic configuration
(1) Assign addresses to each interface according to the topology.
(2) Add the external interface of each firewall to the untrust zone, the internal interface of each firewall to the trust zone, and the Virtual-Template interface of each firewall to the dmz zone.
[FW2]dis zone
local
priority is 100
interface of the zone is (0):
#
trust
priority is 85
interface of the zone is (2):
GigabitEthernet0/0/0
GigabitEthernet1/0/1
#
untrust
priority is 5
interface of the zone is (1):
GigabitEthernet1/0/0
#
dmz
priority is 50
interface of the zone is (1):
Virtual-Template1
#
[FW1]dis zone
local
priority is 100
interface of the zone is (0):
#
trust
priority is 85
interface of the zone is (2):
GigabitEthernet0/0/0
GigabitEthernet1/0/1
#
untrust
priority is 5
interface of the zone is (1):
GigabitEthernet1/0/0
#
dmz
priority is 50
interface of the zone is (1):
Virtual-Template1
#
3. Detailed configuration
(1) Configure the PPPoE server and the L2TP client (LAC) on FW2 (NAS)
[FW2]l2tp enable
[FW2-l2tp-1]dis th
#
l2tp-group 1
tunnel password cipher Huawei@123
tunnel name LAC
start l2tp ip 155.1.131.13 domain default
#
[FW2-Virtual-Template1]dis th
#
interface Virtual-Template1
ppp authentication-mode chap
remote address 10.1.1.128 // address handed to the PPPoE client (the client cloud PC)
ip address 10.1.1.254 255.255.255.0 // local address of this end of the PPP link
#
[FW2-GigabitEthernet1/0/1]dis th
#
interface GigabitEthernet1/0/1
pppoe-server bind Virtual-Template 1
#
[FW2]user-manage user USER
password Huawei@123
(2) Configure FW1 (LNS)
1) Configure the address pool for PPP dial-in users
[FW1-ip-pool-L2TP_POOL]dis th
#
ip pool L2TP_POOL
section 0 192.168.0.1 192.168.0.10
#
2) Configure the service scheme and bind it to the domain
[FW1-aaa]DIS TH
aaa
service-scheme LOCAL
ip-pool L2TP_POOL
domain default
service-type internetaccess ssl-vpn l2tp ike
internet-access mode password
reference user current-domain
3) Configure the Virtual-Template interface
[FW1-Virtual-Template1]dis th
#
interface Virtual-Template1
ppp authentication-mode chap
remote service-scheme LOCAL
ip address 192.168.0.12 255.255.255.0
#
4) Configure L2TP (LNS side: accept tunnels from the LAC named LAC into Virtual-Template1)
[FW1]l2tp enable
[FW1-l2tp-1]DIS TH
#
l2tp-group 1
tunnel password cipher Huawei@123
tunnel name LNS
allow l2tp virtual-template 1 remote LAC domain default
#
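As an added illustration (example code written for this page, not part of the lab and not Huawei's implementation) of what `ppp authentication-mode chap` on the Virtual-Template interfaces and `tunnel password cipher Huawei@123` on both l2tp-groups actually check, the following Python computes the CHAP response of RFC 1994 and the L2TP tunnel Challenge / Challenge Response exchange of RFC 2661 section 5.1.1, and walks both sides of the SCCRQ/SCCRP/SCCCN handshake. The challenge values, the `USER_DB` dictionary and the helper names are constructed for the example; the secrets are the ones configured above.

```python
"""Added example: the two MD5 challenge/response checks behind the lab configuration.

  * PPP CHAP (RFC 1994), used by 'ppp authentication-mode chap':
        Response = MD5(Identifier || secret || Challenge)
  * L2TP tunnel authentication (RFC 2661 5.1.1), used by 'tunnel password':
        Response = MD5(MessageType || shared-secret || Challenge)
    with MessageType 2 for SCCRP (LNS -> LAC) and 3 for SCCCN (LAC -> LNS).
"""
import hashlib
import hmac

SCCRP = 2  # Start-Control-Connection-Reply
SCCCN = 3  # Start-Control-Connection-Connected

# Secrets as configured in the lab; both ends must hold the same tunnel password.
TUNNEL_SECRET = b"Huawei@123"
# Constructed stand-in for 'user-manage user USER' / 'password Huawei@123'.
USER_DB = {"USER": b"Huawei@123"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: MD5 over the 1-octet identifier, the secret and the challenge."""
    if not 0 <= identifier <= 0xFF:
        raise ValueError("identifier must fit in one octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def verify_chap(username: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Authenticator side (FW2 for the PPPoE link, or the LNS for the tunnelled PPP session):
    recompute the expected response from the stored password and compare in constant time."""
    secret = USER_DB.get(username)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def l2tp_tunnel_auth(lac_secret: bytes, lns_secret: bytes,
                     lac_challenge: bytes, lns_challenge: bytes) -> "tuple[bool, bool]":
    """Simulate tunnel authentication across the three control messages.

    SCCRQ (LAC -> LNS): carries lac_challenge
    SCCRP (LNS -> LAC): Challenge Response = MD5(2 || lns_secret || lac_challenge), plus lns_challenge
    SCCCN (LAC -> LNS): Challenge Response = MD5(3 || lac_secret || lns_challenge)

    Returns (lac_accepts_lns, lns_accepts_lac); the tunnel only comes up if both are True.
    """
    sccrp_response = chap_response(SCCRP, lns_secret, lac_challenge)
    lac_accepts_lns = hmac.compare_digest(
        sccrp_response, chap_response(SCCRP, lac_secret, lac_challenge))

    scccn_response = chap_response(SCCCN, lac_secret, lns_challenge)
    lns_accepts_lac = hmac.compare_digest(
        scccn_response, chap_response(SCCCN, lns_secret, lns_challenge))
    return lac_accepts_lns, lns_accepts_lac


if __name__ == "__main__":
    c1 = bytes(range(16))       # constructed LAC challenge (random on the wire)
    c2 = bytes(range(16, 32))   # constructed LNS challenge
    print("matching tunnel password  :", l2tp_tunnel_auth(TUNNEL_SECRET, TUNNEL_SECRET, c1, c2))
    print("mismatched tunnel password:", l2tp_tunnel_auth(TUNNEL_SECRET, b"Huawei@124", c1, c2))
    client_resp = chap_response(7, USER_DB["USER"], c1)   # what the dial-in client sends
    print("CHAP user USER accepted   :", verify_chap("USER", 7, c1, client_resp))
    print("CHAP wrong password       :", verify_chap("USER", 7, c1, chap_response(7, b"wrong", c1)))
```

Both checks are an unkeyed MD5 over a static secret and a challenge that crosses the network in clear, so a captured SCCRP/SCCCN pair or CHAP challenge/response pair can be brute-forced offline, and plain L2TP does not encrypt the PPP payload that follows. Strong tunnel and user passwords, and L2TP over IPsec where confidentiality matters, are the usual mitigations.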
5) Add the Virtual-Template interface to the dmz zone
[FW1-zone-dmz]dis th
#
firewall zone dmz
set priority 50
add interface Virtual-Template1
#
6) Configure the security policy. OUT_TO_LOCAL admits only UDP destination port 1701 from untrust to local, which is all the LNS needs to accept the LAC's tunnel; LOCAL_TO_ANY has no destination-zone or service restriction and can be tightened if the firewall's own outbound traffic should be limited. Note that plain L2TP carries the PPP frames without encryption, so this lab provides tunnelling and authentication but not confidentiality (that would need L2TP over IPsec, which is not configured here).
[FW1-policy-security]dis th
2024-07-17 08:23:24.810
#
security-policy
rule name LOCAL_TO_ANY
source-zone local
action permit
rule name OUT_TO_LOCAL
source-zone untrust
destination-zone local
service protocol udp destination-port 1701
action permit
rule name DMZ_TO_IN
source-zone dmz
destination-zone trust
source-address 192.168.0.0 mask 255.255.255.0
destination-address 10.1.12.0 mask 255.255.255.0
action permit
#
4. Verification
Dial in from the cloud terminal with username USER and password Huawei@123.
Result on the NAS side (FW2)
[FW2]dis l2tp tunnel
L2TP::Total Tunnel: 1
LocalTID RemoteTID RemoteAddress Port Sessions RemoteName VpnInstance
------------------------------------------------------------------------------
1 1 155.1.131.13 1701 1 LNS
------------------------------------------------------------------------------
Total 1, 1 printed
Result on the LNS side (FW1)
[FW1]dis l2tp tunnel
L2TP::Total Tunnel: 1
LocalTID RemoteTID RemoteAddress Port Sessions RemoteName VpnInstance
------------------------------------------------------------------------------
1 1 155.1.121.12 65335 1 LAC
------------------------------------------------------------------------------
Total 1, 1 printed
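To turn the two `display l2tp tunnel` outputs above into an automated check rather than a visual one, here is an added example (written for this page, not part of the lab) that parses the tabular output and verifies the expected peer, name and session count. The two outputs shown above are embedded as constructed sample input; the function names are the example's own.

```python
"""Added example: parse 'display l2tp tunnel' output and check the peer."""
import re

# Constructed sample input: the outputs captured on FW2 and FW1 in the verification step.
FW2_OUTPUT = """\
L2TP::Total Tunnel: 1
LocalTID RemoteTID RemoteAddress Port Sessions RemoteName VpnInstance
------------------------------------------------------------------------------
1 1 155.1.131.13 1701 1 LNS
------------------------------------------------------------------------------
Total 1, 1 printed
"""

FW1_OUTPUT = """\
L2TP::Total Tunnel: 1
LocalTID RemoteTID RemoteAddress Port Sessions RemoteName VpnInstance
------------------------------------------------------------------------------
1 1 155.1.121.12 65335 1 LAC
------------------------------------------------------------------------------
Total 1, 1 printed
"""

INT_COLUMNS = ("LocalTID", "RemoteTID", "Port", "Sessions")


def parse_l2tp_tunnels(text: str) -> list:
    """Return one dict per tunnel row, keyed by the column headers.

    The VpnInstance column is blank for the global instance, so a data row may have one
    field fewer than the header; missing trailing columns are filled with ''.
    The 'Total Tunnel' counter is cross-checked against the number of rows parsed.
    """
    headers = None
    total = None
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"L2TP::Total Tunnel:\s*(\d+)", line)
        if m:
            total = int(m.group(1))
            continue
        if line.startswith("LocalTID"):
            headers = line.split()
            continue
        if line.startswith("-") or line.startswith("Total") or headers is None:
            continue
        fields = line.split()
        fields += [""] * (len(headers) - len(fields))
        row = dict(zip(headers, fields))
        for col in INT_COLUMNS:
            row[col] = int(row[col])
        rows.append(row)
    if total is not None and total != len(rows):
        raise ValueError(f"counter says {total} tunnels but {len(rows)} rows were parsed")
    return rows


def check_tunnel(rows: list, peer_ip: str, peer_name: str, min_sessions: int = 1) -> bool:
    """True if a tunnel to the expected peer, with the expected tunnel name, carries sessions."""
    return any(r["RemoteAddress"] == peer_ip and r["RemoteName"] == peer_name
               and r["Sessions"] >= min_sessions for r in rows)


if __name__ == "__main__":
    fw2 = parse_l2tp_tunnels(FW2_OUTPUT)
    fw1 = parse_l2tp_tunnels(FW1_OUTPUT)
    print("FW2 sees LNS at 155.1.131.13:", check_tunnel(fw2, "155.1.131.13", "LNS"))
    print("FW1 sees LAC at 155.1.121.12:", check_tunnel(fw1, "155.1.121.12", "LAC"))
```

The two captures also show why the untrust-to-local rule matches on destination port 1701 only: FW2 (the LAC) talks to port 1701 on the LNS, while FW1 records the LAC's source port as 65335, an ephemeral port that a rule keyed on source port would not have matched.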