A Father's Day Gift

AR151-S2: configuring L2TP and ACL-based policy routing

Network environment:

wan1 dials up via PPPoE, dynamic IP
wan2 connects to the campus network, fixed IP, gateway: 172.19.39.1.

Requirements:
Build a VPN that can be dialed into from anywhere.
VPN accounts are grouped; different accounts get different IP ranges when they dial in.
The two VPN ranges: 192.168.20.0 and 192.168.10.0
(Doing this through domains alone failed in testing.)

So now there are two VPN tunnel groups. The default tunnel hands out 192.168.10.0 addresses and, through an ACL, its traffic leaves via WAN2 (so that every device, once dialed in, can use the library).
A computer named ASUS that dials in goes through the other tunnel, gets an address in 192.168.20.0 and leaves via WAN1. (Latest update: there is actually a workaround, so the computer does not have to be renamed ASUS. Once the configuration is in place, open the properties of the configured VPN connection and, under TCP/IPv4, set the IP address manually to 192.168.20.*. On Windows 7 the VPN settings are as follows:)


Steps:
1. Configure PPPoE on the WAN1 port.
2. Turn one LAN port into a WAN2 port, then give WAN2 a fixed IP (i.e. the IP I want to be able to ping).
3. NAT is enabled on both WAN ports.
4. Add static routes: 0.0.0.0 with next hop WAN1, preference 1; 0.0.0.0 with next hop WAN2, preference 60.
5. Enable DHCP on the LAN port.
6. Add the static route 172.16.0.0 255.240.0.0, next hop 172.19.39.1, outgoing interface Gig 0/0/0 (this sends all the private class-B networks out WAN2; otherwise, pinging the router's WAN2 IP from the campus network has the reply leave via WAN1 (the ping comes in on WAN2 but the reply goes out WAN1, so the ping fails)).
7. Add static routes for 202.202.0.0 and 222.198.0.0, mask 255.255.0.0, next hop as in step 6 (websites inside the campus network all go out WAN2).
8. For now I have not managed to configure the Huawei router so that an iPhone can connect to the VPN (the tutorials online are unreliable).

Login authentication


Username:
Password:
  -----------------------------------------------------------------------------

  User last login information:
  -----------------------------------------------------------------------------
  Access Type: Web
  IP-Address : 192.168.1.247
  Time       : 2016-06-12 13:40:06+00:00
  -----------------------------------------------------------------------------
sys
Enter system view, return user view with Ctrl+Z.

// Enable L2TP
[Huawei]l2tp enable

// Configure address pool 1
[Huawei]ip pool 1
Info: It's successful to create an IP address pool.
// Gateway
[Huawei-ip-pool-1]gateway-list 192.168.10.1
// Network and subnet mask
[Huawei-ip-pool-1]network 192.168.10.0 mask 255.255.255.0
[Huawei-ip-pool-1]quit

// Configure address pool 2
[Huawei]ip pool 2
Info: It's successful to create an IP address pool.
[Huawei-ip-pool-2]gateway-list 192.168.20.1
[Huawei-ip-pool-2]network 192.168.20.0 mask 255.255.255.0
[Huawei-ip-pool-2]quit

// Configure the accounts
[Huawei]aaa
[Huawei-aaa]authentication-scheme lmt
Info: Create a new authentication scheme.
// Configure the domain
[Huawei-aaa-authen-lmt]domain cqnv.com
Info: Success to create a new domain.
[Huawei-aaa-domain-cqnv.com]authentication-scheme lmt
// Configure the account 1@cqnv.com
[Huawei-aaa-domain-cqnv.com]local-user 1@cqnv.com password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, including lowercase letters, 
uppercase letters, numerals and special characters.
Please enter password:
Please confirm password:
Info: Add a new user.
[Huawei-aaa]local-user 1@cqnv.com privilege level 0
Info: After you change the rights (including the password, access type, FTP directory, and level) of a local user, 
the rights of users already online do not change. The change takes effect to users who go online after the change.
[Huawei-aaa]local-user 1@cqnv.com service-type ppp
Info: After you change the rights (including the password, access type, FTP directory, and level) of a local user, 
the rights of users already online do not change. The change takes effect to users who go online after the change.
[Huawei-aaa]quit


[Huawei]aaa
[Huawei-aaa]authentication-scheme lmt
[Huawei-aaa-authen-lmt]domain cqnv.net
Info: Success to create a new domain.
[Huawei-aaa-domain-cqnv.net]authentication-scheme lmt
[Huawei-aaa-domain-cqnv.net]local-user 1@cqnv.net password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, including lowercase letters, uppercase
 letters, numerals and special characters.
Please enter password:
Please confirm password:
Info: Add a new user.
[Huawei-aaa]local-user 1@cqnv.net privilege level 0
Info: After you change the rights (including the password, access type, FTP directory, and level) of a local user, 
the rights of users already online do not change. The change takes effect to users who go online after the change.
[Huawei-aaa]local-user 1@cqnv.net service-type ppp
Info: After you change the rights (including the password, access type, FTP directory, and level) of a local user, 
the rights of users already online do not change. The change takes effect to users who go online after the change.
[Huawei-aaa]quit

// Configure virtual template 1
[Huawei]interface Virtual-Template1
[Huawei-Virtual-Template1]ppp authentication-mode chap domain cqnv.com
[Huawei-Virtual-Template1]remote address pool 1
// Set the DNS servers handed to VPN clients so that dialed-in users can reach websites by name
[Huawei-Virtual-Template1]ppp ipcp dns 61.128.128.68 8.8.8.8
[Huawei-Virtual-Template1]ip address 192.168.10.1 255.255.255.0
[Huawei-Virtual-Template1]quit

// Configure virtual template 2
[Huawei]interface Virtual-Template2
[Huawei-Virtual-Template2]ppp authentication-mode chap domain cqnv.net
[Huawei-Virtual-Template2]remote address pool 2
[Huawei-Virtual-Template2]ppp ipcp dns 202.202.96.33 61.128.128.68
[Huawei-Virtual-Template2]ip address 192.168.20.1 255.255.255.0
[Huawei-Virtual-Template2]quit

// Configure L2TP group 1
[Huawei]l2tp-group 1
[Huawei-l2tp1]undo tunnel authentication
 Warning: Tunnel authentication was disabled. There are security risks.
[Huawei-l2tp1]allow l2tp virtual-template 1
[Huawei-l2tp1]quit

// Configure L2TP group 2
[Huawei]l2tp-group 2
[Huawei-l2tp2]undo tunnel authentication
 Warning: Tunnel authentication was disabled. There are security risks.
// The "remote <name>" keyword is optional by default, but once there are multiple tunnels it must be set. When a PC dials in, "ASUS" must be the computer name of the PC (or router).
[Huawei-l2tp2]allow l2tp virtual-template 2 remote ASUS
[Huawei-l2tp2]quit

// Configure the ACL
[Huawei]acl 3001
// The wildcard mask 0.0.0.255 covers the hosts 192.168.10.1-192.168.10.255
[Huawei-acl-adv-3001]rule 5 permit ip source 192.168.10.0 0.0.0.255

// Configure the traffic classifier; the classifier is named redirect:
[Huawei-acl-adv-3001]traffic classifier redirect operator or
[Huawei-classifier-redirect]if-match acl 3001


// Configure the traffic behavior, also named redirect
[Huawei-classifier-redirect]traffic behavior redirect
// Redirect the next hop to 172.19.39.1 (this takes precedence over the static routes)
[Huawei-behavior-redirect]redirect ip-nexthop 172.19.39.1

// Configure the traffic policy, named redirect, binding classifier redirect to behavior redirect
[Huawei-behavior-redirect]traffic policy redirect
[Huawei-trafficpolicy-redirect]classifier redirect behavior redirect

// Apply the traffic policy redirect to virtual-template1 (the VPN's virtual interface)
[Huawei-trafficpolicy-redirect]interface virtual-template1
[Huawei-virtual-template1]traffic-policy  redirect inbound
[Huawei-virtual-template1]quit

// Move the web management interface to other ports to free up 443 and 80
[Huawei]http secure-server port 1080
[Huawei]http server port 8080

[Huawei]quit
// Display the router configuration
disp cu
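The forwarding decision described in steps 4 to 7 and in the ACL policy above, as an added Python model written for this page rather than anything from the router or its vendor. It assumes a placeholder label for the dynamic WAN1 next hop and the default preference of 60 for the routes in steps 6 and 7 (the page gives none); it also shows that the wildcard 0.0.0.255 matches the whole 192.168.10.0/24 range, network address included.

```python
import ipaddress

# Constructed model of this page's routing decision (not router code):
# two WAN uplinks, static routes with Huawei-style preference, and the
# ACL 3001 redirect that the traffic policy applies inbound on Virtual-Template1.
WAN1_NEXTHOP = "pppoe-wan1"   # placeholder label; WAN1 is a dynamic PPPoE dial-up
WAN2_NEXTHOP = "172.19.39.1"  # campus-network gateway from the page

# (destination, preference, next hop). Steps 6 and 7 state no preference,
# so the assumption here is the platform default of 60.
STATIC_ROUTES = [
    ("0.0.0.0/0", 1, WAN1_NEXTHOP),
    ("0.0.0.0/0", 60, WAN2_NEXTHOP),
    ("172.16.0.0/12", 60, WAN2_NEXTHOP),   # step 6: private class-B space via WAN2
    ("202.202.0.0/16", 60, WAN2_NEXTHOP),  # step 7: campus web servers via WAN2
    ("222.198.0.0/16", 60, WAN2_NEXTHOP),
]

# acl 3001: rule 5 permit ip source 192.168.10.0 0.0.0.255
ACL_3001 = [("permit", "192.168.10.0", "0.0.0.255")]


def wildcard_match(addr, base, wildcard):
    """Huawei ACL wildcard mask: a 1 bit means 'don't care'; 0.0.0.255 matches .0-.255."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_permits(acl, src):
    for action, base, wc in acl:
        if wildcard_match(src, base, wc):
            return action == "permit"
    return False  # no rule matched: the traffic policy does not apply


def route_lookup(dst):
    d = ipaddress.IPv4Address(dst)
    hits = [(ipaddress.IPv4Network(n), pref, nh) for n, pref, nh in STATIC_ROUTES
            if d in ipaddress.IPv4Network(n)]
    # longest prefix wins; among equal prefixes the lower preference wins
    _, _, nh = max(hits, key=lambda h: (h[0].prefixlen, -h[1]))
    return nh


def egress_nexthop(src, dst, ingress):
    """Next hop for a packet: the policy redirect on Virtual-Template1 overrides routing."""
    if ingress == "Virtual-Template1" and acl_permits(ACL_3001, src):
        return "172.19.39.1"   # 'redirect ip-nexthop' of traffic behavior redirect
    return route_lookup(dst)
```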

One more thing to note: the Windows client has to have IPsec encryption disabled, which is done by editing the registry. Under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters
set ProhibitIPSec to 1. If the value does not exist, create it yourself.

The exact steps are as follows:

Windows client settings
By default, L2TP on Windows 2000/XP/2003 starts certificate-based IPsec, so the ProhibitIpSec registry value must be added to Windows to prevent the automatic filter for L2TP/IPsec traffic from being created.
When the ProhibitIpSec registry value is set to 1, a Windows 2000-based computer does not create the automatic filter that uses CA authentication; instead it checks the local IPsec policy or the Active Directory IPsec policy.
To add the ProhibitIpSec registry value to Windows, follow these steps:
1. Click Start, click Run, type regedit, then click OK.
2. Locate the following registry subkey and click it:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters
3. Create a new DWORD value under that key.
4. Rename the value to ProhibitIpSec.
5. Double-click the value, change Value data to 1, then click OK.
6. Exit Registry Editor and restart the computer.


Fifth Birthday

IMG_1286

Dad went all out and gave Mi-zai 50 fancy cars; with the 13 he already had, that makes 63 Hot Wheels now:

IMG_1237

Good friends: Xiaoxiao and Mi-zai

Only after uploading the photos did I notice that these two are wearing the same pattern:

IMG_1139 IMG_1141

Spring Outing

We went to see the rapeseed flowers first; the driver took a wrong turn and it took a long detour to get there:

IMG_1001

Mi and Ding'er:

IMG_1006

Exploring:

IMG_1010

IMG_1013

Lunch first, the three kids:

IMG_1015

At the destination:

IMG_1020

The women and children of our group:

IMG_1039

Three classmates:

IMG_1048

IMG_1053

Storming the Luding Bridge:

IMG_1066

IMG_1067

The New Year holiday is over, and last night the remaining stock of fireworks was destroyed too

QQ图片20160223163137

Last night, on site helping the authorities destroy fireworks:

IMG_0161

The way fireworks are destroyed in the clip below is something I cannot agree with:

http://static.video.qq.com/TPout.swf?vid=y0185oxpmci&auto=0

ANYWAY, wherever you are and whenever it is, be as upbeat as the auntie below:

http://static.video.qq.com/TPout.swf?vid=z01855s3prg&auto=0

Today I am letting you in on a secret: my old man is definitely going bald in the future, and there is photographic proof (now you know the downside of this photo pose o(∩_∩)o haha):

QQ截图20160223175531

The new year has officially begun. This car is for you to ride in; wishing you all the best:

QQ截图20160223175800

Remember to follow my WeChat official account: take out your phone, open WeChat and try scanning:

qrcode_for_gh_eae7abcc7619_430 (1)

New Year at the Garden Expo Park

img_0091

img_0121 img_0137 img_0191

Exhibition of paintings from September 2015 to the present

IMG_0387

IMG_0386

IMG_0388

IMG_0389

IMG_0390

IMG_0391

IMG_0392

IMG_0393

IMG_0394

IMG_0395

IMG_0396

Xiaomi's dad:

IMG_0397

Xiaomi's mom:

IMG_0398

This is a marble, inside a marble-shooting machine:

IMG_0399

IMG_0400