H3C Firewall and UTM Devices L2TP VPN Virtual Firewall Configuration Examples (Comware V5)

Transcription

1 H3C Firewall and UTM Devices L2TP VPN Virtual Firewall Configuration Examples (Comware V5) Copyright 2015 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. The information in this document is subject to change without notice.

2 Contents Introduction 1 Prerequisites 1 Example: Configuring virtual firewalls for L2TP VPN 1 Network requirements 1 Requirements analysis 2 Software version used 2 Configuration restrictions and guidelines 2 Configuration procedures 2 Configuring the gateway 2 Configuring FW A 9 Configuring FW B 10 Verifying the configuration 11 CLI configuration files 12 Related documentation 17 i

3 Introduction This document provides a configuration example for L2TP VPN virtual firewalls. Prerequisites This document is not restricted to specific software or hardware versions. The configuration examples in this document were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network. This document assumes that you have basic knowledge of L2TP and VD. Example: Configuring virtual firewalls for L2TP VPN Network requirements As shown in Figure 1, remote branches communicate with the headquarters through the Internet. Firewalls FW A and FW B are firewalls of remote branches. The gateway is the firewall on the headquarters network. Configure virtual firewalls and VPN instances for L2TP VPN so that Host A and Host B can access Server A and Server B, respectively. Figure 1 Network diagram 1

4 Table 1 Interfaces and IP address assignment Device Interface IP address Device Interface IP address FW A GE0/ /24 Gateway XGE0/ /24 GE0/ /24 XGE0/ /24 FW B GE0/ /24 XGE0/ /24 GE0/ /24 Server A /24 Host A /24 Server B /24 Host B /24 Requirements analysis To enable devices in the same VPN instance to access each other, create VPN instances and bind interfaces to the VPN instances on the gateway. Software version used This configuration example was created and verified on SecBlade-Release Configuration restrictions and guidelines When you configure virtual firewalls for L2TP VPN, follow these restrictions and guidelines: VPN instances cannot be configured on physical interfaces that forward L2TP traffic. Make sure the remote branch firewalls and the firewall in the corporate network can reach each other. To forward traffic between VPN instances configured on VT interfaces, configure inter-vpn-instance routes. The ppp user bind enable command is mutually exclusive with the l2tpmoreexam enable command (for configuring L2TP for VPNs). For the gateway to accept tunneling requests from branches, configure the same PPP authentication mode on the gateway and branch firewalls. Configuration procedures In this configuration example, the L2TP client feature does not support Web-based configuration. Therefore, all settings are configured at the CLI except for the interzone policy, which can also be configured in the Web interface. Configuring the gateway 1. Configure the IP address and security zone for the public network interface: Configure the subinterface Ten-GigabitEthernet 0/

5 <Gateway> system-view [Gateway] interface Ten-GigabitEthernet 0/0.20 [Gateway-Ten-GigabitEthernet0/0.20] ip address [Gateway-Ten-GigabitEthernet0/0.20] vlan-type dot1q vid 20 [Gateway-Ten-GigabitEthernet0/0.20] quit Enable the system-defined interzone policy to match packets that do not match any other interzone policy. [Gateway] interzone policy default by-priority Create a security zone named Untrust, and add Ten-GigabitEthernet 0/0.20 to the security zone. [Gateway] zone name Untrust [Gateway-zone-untrust] import interface Ten-GigabitEthernet 0/0.20 [Gateway-zone-untrust] quit 2. Configure VPN instances: Create VPN instance VPN1, and configure an RD and route targets for the VPN instance. [Gateway] ip vpn-instance VPN1 [Gateway-vpn-instance-VPN1] route-distinguisher 1:1 [Gateway-vpn-instance-VPN1] vpn-target 1:1 export-extcommunity [Gateway-vpn-instance-VPN1] vpn-target 1:1 import-extcommunity [Gateway-vpn-instance-VPN1] quit Create VPN instance VPN2, and configure an RD and route targets for the VPN instance. [Gateway] ip vpn-instance VPN2 [Gateway-vpn-instance-VPN2] route-distinguisher 2:2 [Gateway-vpn-instance-VPN2] route-distinguisher 2:2 [Gateway-vpn-instance-VPN2] vpn-target 2:2 export-extcommunity [Gateway-vpn-instance-VPN2] vpn-target 2:2 import-extcommunity [Gateway-vpn-instance-VPN2] quit Bind subinterface Ten-GigabitEthernet 0/0.3 to VPN1. [Gateway] interface Ten-GigabitEthernet 0/0.3 [Gateway-Ten-GigabitEthernet0/0.3] ip binding vpn-instance VPN1 [Gateway-Ten-GigabitEthernet0/0.3] vlan-type dot1q vid 3 [Gateway-Ten-GigabitEthernet0/0.3] ip address [Gateway-Ten-GigabitEthernet0/0.3] quit Bind subinterface Ten-GigabitEthernet 0/0.4 to VPN2. [Gateway] interface Ten-GigabitEthernet 0/0.4 [Gateway-Ten-GigabitEthernet0/0.4] ip binding vpn-instance VPN2 [Gateway-Ten-GigabitEthernet0/0.4] vlan-type dot1q vid 4 [Gateway-Ten-GigabitEthernet0/0.4] ip address [Gateway-Ten-GigabitEthernet0/0.4] quit 3. Configure virtual firewalls: Create virtual firewall v1, and add Ten-GigabitEthernet 0/0.3 to it. [Gateway] vd v1 id 2 [Gateway-vd-v1] allocate interface Ten-GigabitEthernet 0/0.3 [Gateway-vd-v1] quit Enter the view of v1. Create a virtual security zone named v1trust, set its priority to 85, and add Ten-GigabitEthernet 0/0.3 to it. 3

6 [Gateway] switchto vd v1 [Gateway-vsys-v1] zone name v1trust id 1 [Gateway-vsys-v1-zone-trust] priority 85 [Gateway-vsys-v1-zone-trust] import interface Ten-GigabitEthernet0/0.3 [Gateway-vsys-v1-zone-trust] quit [Gateway-vsys-v1] quit Create virtual firewall v2, and add Ten-GigabitEthernet 0/0.4 to it. [Gateway] vd v2 id 3 [Gateway-vd-v2] allocate interface Ten-GigabitEthernet 0/0.4 [Gateway-vd-v2] quit Enter the view of v2. Create a virtual security zone named v2trust, set its priority to 85, and add Ten-GigabitEthernet 0/0.4 to it. [Gateway] switchto vd v2 [Gateway-vsys-v2] zone name v2trust id 1 [Gateway-vsys-v2-zone-v2trust] priority 85 [Gateway-vsys-v2-zone-v2trust] allocate interface Ten-GigabitEthernet 0/0.4 [Gateway-vsys-v2-zone-v2trust] quit [Gateway-vsys-v2] quit 4. Configure L2TP: Create a local user named vpnuser1, set the password, and enable the PPP service. [Gateway] local-user vpnuser1 [Gateway-luser-vpnuser] password simple [Gateway-luser-vpnuser] service-type ppp [Gateway-luser-vpnuser] quit Create a local user named vpnuser2, set the password, and enable the PPP service. [Gateway] local-user vpnuser2 [Gateway-luser-vpnuser] password simple [Gateway-luser-vpnuser] service-type ppp [Gateway-luser-vpnuser] quit Configure two L2TP authentication domains to authenticate the different domain users locally, and configure different address pools for the authentication domains. [Gateway] domain domain1 [Gateway-isp-domain1] authentication ppp local [Gateway-isp-domain1] ip pool [Gateway-isp-domain1] quit [Gateway] domain domain2 [Gateway-isp-domain2] authentication ppp local [Gateway-isp-domain2] ip pool [Gateway-isp-domain2] quit Enable L2TP. [Gateway] l2tp enable 5. Configure interface Virtual-Template 1: Create interface Virtual-Template 1, and configure parameters for the interface. [Gateway] interface Virtual-Template 1 [Gateway-Virtual-Template1] ip binding vpn-instance VPN1 [Gateway-Virtual-Template1] ip address [Gateway-Virtual-Template1] ppp authentication-mode pap domain domain1 4

7 [Gateway-Virtual-Template1] remote address pool 1 [Gateway-Virtual-Template1] quit Create L2TP group 1, and specify interface virtual-template 0 for receiving calls. [Gateway] l2tp-group 1 [Gateway-l2tp1] allow l2tp virtual-template 0 Enable tunnel authentication, and set the password. [Gateway-l2tp1] tunnel authentication [Gateway-l2tp1] tunnel password simple [Gateway-l2tp1] quit Add Virtual-Template 1 to virtual firewall v1. [Gateway] vd v1 [Gateway-vd-v1] allocate interface Virtual-Template 1 [Gateway-vd-v1] quit Enter the view of v1. Create a virtual security zone named v1untrust, set its priority to 5, and add Virtual-Template 1 to it. [Gateway] switchto vd v1 [Gateway-vsys-v1] zone name v1untrust id 2 [Gateway-vsys-v1-zone-v1untrust] priority 5 [Gateway-vsys-v1-zone-v1untrust] import interface Virtual-Template 1 [Gateway-vsys-v1-zone-v1untrust] quit [Gateway-vsys-v1] quit 6. Create an interzone policy on v1: In the Web interface: a. Log in to v1 by selecting Device Management > Virtual Device > Device Selection from the navigation tree. Figure 2 Logging in to v1 b. Choose Firewall > Security Policy > Interzone Policy from the navigation tree. Click Add to create an interzone policy from v1untrust to v1trust to permit the traffic from the remote branch to the corporate network through an L2TP tunnel. 5

8 Figure 3 Configuring an interzone policy on v1 At the CLI: Enter the view of v1. Create subnet object /24, and bind the subnet object to subnet /24. [gateway] switchto vd v1 [gateway-vsys-v1] object network subnet / [gateway-vsys-v1-object-network / ] subnet [Gateway-vsys-v1-object-network / ] quit Create subnet object /24, and bind the subnet object to subnet /24. [gateway-vsys-v1] object network subnet / [gateway-vsys-v1-object-network / ] subnet [Gateway-vsys-v1-object-network / ] quit [Gateway-vsys-v1] quit In the view of v1, create an interzone instance from source zone v1untrust to destination zone v1trust. Configure a rule to permit the traffic from subnet /24 to subnet /24 through the L2TP tunnel. [gateway] switchto vd v1 [gateway-vsys-v1] interzone source v1untrust destination v1trust [gateway-vsys-v1-interzone-v1untrust-v1 trust] rule permit logging [gateway-vsys-v1-interzone-v1untrust-v1trust-rule-0] source-ip / [gateway-vsys-v1-interzone-v1untrust-v1trust-rule-0] destination-ip / [gateway-vsys-v1-interzone-v1untrust-v1trust-rule-0] service any_service [gateway-vsys-v1-interzone-v1untrust-v1trust-rule-0] rule enable [gateway-vsys-v1-interzone-v1untrust-v1trust-rule-0] quit [Gateway-vsys-v1] quit 7. Configure interface Virtual-Template 2: Create interface Virtual-Template 2, and configure parameters for the interface. [Gateway] interface Virtual-Template 2 [Gateway-Virtual-Template2] ip binding vpn-instance VPN2 [Gateway-Virtual-Template2] ppp authentication-mode chap domain domain2 [Gateway-Virtual-Template2] ip address

9 [Gateway-Virtual-Template2] remote address pool 1 [Gateway-Virtual-Template2] quit Add Virtual-Template 2 to v2. [Gateway] vd v2 [Gateway-vd-v2] allocate interface Virtual-Template 2 [Gateway-vd-v2] quit Enter the view of v2. Create a virtual security zone named v2untrust, set its priority to 5, and add Virtual-Template 2 to it. [Gateway] switchto vd v2 [Gateway-vsys-v2] zone name v2untrust id 2 [Gateway-vsys-v2-zone-v2untrust] priority 5 [Gateway-vsys-v2-zone-v2untrust] import interface Virtual-Template 2 [Gateway-vsys-v2-zone-v2untrust] quit [Gateway-vsys-v2] quit 8. Create an interzone policy on v2: In the Web interface: a. Log in to v2 by selecting Device Management > Virtual Device > Device Selection from the navigation tree. Figure 4 Logging in to v2 b. Choose Firewall > Security Policy > Interzone Policy from the navigation tree. Click Add to create an interzone policy from v2untrust to v2trust to permit the traffic from the remote branch to the corporate network through an L2TP tunnel. 7

10 Figure 5 Configuring an interzone policy on v2 At the CLI: Enter the view of v2. Create subnet object /24 and bind the subnet object to subnet /24. [gateway] switchto vd v2 [gateway-vsys-v2] object network subnet / [gateway-vsys-v2-object-network / ] subnet [Gateway-vsys-v2-object-network / ] quit Create subnet object /24 and bind the subnet object to subnet /24. [gateway-vsys-v2] object network subnet / [gateway-vsys-v2-object-network / ] subnet [gateway-vsys-v2-object-network / ] quit [Gateway-vsys-v2] quit In the view of v2, create an interzone instance from source zone v2untrust to destination zone v12trust. Configure a rule to permit the traffic from subnet /24 to subnet /24 through the L2TP tunnel. [gateway] switchto vd v2 [gateway-vsys-v2] interzone source v2untrust destination v2trust [gateway-vsys-v2-interzone-v2untrust-v2trust] rule permit logging [gateway-vsys-v2-interzone-v2untrust-v2trust-rule-0] source-ip / [gateway-vsys-v2-interzone-v2untrust-v2trust-rule-0] destination-ip / [gateway-vsys-v2-interzone-v2untrust-v2trust-rule-0] service any_service [gateway-vsys-v2-interzone-v2untrust-v1trust-rule-0] rule enable [gateway-vsys-v2-interzone-v2untrust-v1trust-rule-0] quit [gateway-vsys-v2] quit 9. Create interface Virtual-Template 0. Bind interfaces Virtual-Template 1 and Virtual-Template 2 to domains domain1 and domain2, respectively. [Gateway] interface Virtual-Template 0 [Gateway-Virtual-Template0] ppp user bind enable [Gateway-Virtual-Template0] ppp user bind virtual-template 1 domain domain1 [Gateway-Virtual-Template0] ppp user bind virtual-template 2 domain domain2 [Gateway-Virtual-Template0] quit 8

11 10. Configure static routes to remote branches through the L2TP tunnel. [Gateway] ip route-static vpn-instance VPN Virtual-Template 1 [Gateway] ip route-static vpn-instance VPN Virtual-Template 2 Configuring FW A 1. Configure IP addresses and security zones for interfaces: Configure interface GigabitEthernet 0/1. <FW A> system-view [FW A] interface GigabitEthernet 0/1 [FW A-GigabitEthernet0/1] ip address [FW A-GigabitEthernet0/1] quit Enable the system-defined interzone policy to match packets that do not match any other interzone policy. [FW A] interzone policy default by-priority Create a security zone named Trust, and add GigabitEthernet 0/1 to the security zone. [FW A] zone name Trust [FW A-zone-trust] import interface GigabitEthernet 0/1 [FW A-zone-trust] quit Configure interface GigabitEthernet 0/3. [FW A] interface GigabitEthernet 0/3 [FW A-GigabitEthernet0/3] ip address [FW A-GigabitEthernet0/3] quit Create a security zone named Untrust, and add GigabitEthernet 03 to the security zone. [FW A] zone name Untrust [FW A-zone-untrust] import interface GigabitEthernet 0/3 [FW A-zone-untrust] quit 2. Configure L2TP: Create a local user named vpnuser1, set the password, and enable the PPP service. <FW A> system-view [FW A] local-user vpnuser1 [FW A-luser-vpnuser1] password simple [FW A-luser-vpnuser1] service-type ppp [FW A-luser-vpnuser1] quit Configure local authentication for users of domain 1. [FW A] domain domain1 [FW A-isp-domain1] authentication ppp local [FW A-isp-domain1] quit Enable L2TP. [FW A] l2tp enable Create an L2TP group. Specify the local tunnel name and the IP address for the peer LNS. [FW A] l2tp-group 1 [FW A-l2tp1] tunnel name lac-1 [FW A-l2tp1] start l2tp ip domain domain1 Enable tunnel authentication and set the password. [FW A-l2tp1] tunnel authentication 9

12 [FW A-l2tp1] tunnel password simple [FW A-l2tp1] quit 3. Configure interface Virtual-Template 1: Create interface Virtual-Template 1, and configure parameters for the interface. [FW A] interface Virtual-Template 1 [FW A-Virtual-Template1] ip address ppp-negotiate [FW A-Virtual-Template1] ppp authentication-mode pap [FW A-Virtual-Template1] ppp pap local-user vpnuser1@domain1 password simple [FW A-Virtual-Template1] quit Add Virtual-Template 1 to security zone Untrust. [FW A] zone name Untrust [FW A-zone-untrust] import interface Virtual-Template 1 [FW A-zone-untrust] quit 4. Configure a static route to Server A with Virtual-Template 1 as the outgoing interface. [FW A] ip route-static Virtual-Template 1 5. Configure the LAC to initiate an L2TP tunnel. [FW A] interface Virtual-Template1 [FW A-Virtual-Template1] l2tp-auto-client enable [FW A-Virtual-Template1] quit Configuring FW B 1. Configure IP addresses and security zones for interfaces: Configure interface GigabitEthernet 0/1. <FW B> system-view [FW B] interface GigabitEthernet 0/1 [FW B-GigabitEthernet0/1] ip address [FW B-GigabitEthernet0/1] quit Enable the system-defined interzone policy to match packets that do not match any other interzone policy. [FW B] interzone policy default by-priority Create a security zone named Trust, and add GigabitEthernet 0/1 to the security zone. [FW B] zone name Trust [FW B-zone-trust] import interface GigabitEthernet 0/1 [FW B-zone-trust] quit Configure interface GigabitEthernet 0/3. [FW B] interface GigabitEthernet 0/3 [FW B-GigabitEthernet0/3] ip address [FW B-GigabitEthernet0/3] quit Create a security zone named Untrust, and add GigabitEthernet 0/3 to the security zone. [FW B] zone name Untrust [FW B-zone-untrust] import interface GigabitEthernet 0/3 [FW B-zone-untrust] quit 2. Configure L2TP: Create a local user named vpnuser2, set the password, and enable the PPP service. 10

13 [FW B] local-user vpnuser2 [FW B-luser-vpnuser] password simple [FW B-luser-vpnuser] service-type ppp [FW B-luser-vpnuser] quit Configure local authentication for users of domain 2. [FW B] domain domain2 [FW B-isp-domain2] authentication ppp local [FW B-isp-domain2] quit Enable L2TP. [FW B] l2tp enable Create an L2TP group. Specify the local tunnel name and the IP address for the peer LNS. [FW B] l2tp-group 1 [FW B-l2tp1] tunnel name lac-2 [FW B-l2tp1] start l2tp ip domain domain2 3. Enable tunnel authentication and set the password. [FW B-l2tp1] tunnel authentication [FW B-l2tp1] tunnel password simple [FW B-l2tp1] quit 4. Configure interface Virtual-Template 1: Create interface Virtual-Template 1, and configure parameters for the interface. [FW B] interface Virtual-Template 1 [FW B-Virtual-Template1] ip address ppp-negotiate [FW B-Virtual-Template1] ppp authentication-mode pap [FW B-Virtual-Template1] ppp pap local-user vpnuser2@domain2 password simple [FW B-Virtual-Template1] quit Add Virtual-Template 1 to security zone Untrust. [FW B] zone name Untrust [FW B-zone-untrust] import interface Virtual-Template 1 [FW B-zone-untrust] quit 5. Configure a static route to Server B with Virtual-Template 1 as the outgoing interface. [FW A] ip route-static Virtual-Template 1 6. Configure the LAC to initiate an L2TP tunnel. [FW B] interface Virtual-Template1 [FW B-Virtual-Template1] l2tp-auto-client enable [FW B-Virtual-Template1] quit Verifying the configuration Verify that Server A can be successfully pinged from Host A. C:\Documents and Settings\Administrator> ping Pinging with 32 bytes of data: Reply from : bytes=32 time=8 ms ttl=126 Reply from : bytes=32 time=1 ms ttl=126 Reply from : bytes=32 time=1 ms ttl=126 11

14 Reply from : bytes=32 time=1 ms ttl=126 Ping statistics for : Packets: Sent =4, Received = 4,Lost = 0 (0% loss) Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 8ms, Average = 2ms Verify that Server B can be successfully pinged from Host B. C:\Documents and Settings\Administrator> ping Pinging with 32 bytes of data: Reply from : bytes=32 time=8 ms ttl=126 Reply from : bytes=32 time=1 ms ttl=126 Reply from : bytes=32 time=1 ms ttl=126 Reply from : bytes=32 time=1 ms ttl=126 Ping statistics for : Packets: Sent =4, Received = 4,Lost = 0 (0% loss) Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 8ms, Average = 2ms Display L2TP tunnel information on FW A. <FW A> display l2tp tunnel Total tunnel = 1 LocalTID RemoteTID RemoteAddress Port Sessions RemoteName lns Display L2TP tunnel information on FW B. <FW B> display l2tp tunnel Total tunnel = 1 LocalTID RemoteTID RemoteAddress Port Sessions RemoteName lns Display L2TP tunnel information on the gateway. <Gateway> display l2tp tunnel Total tunnel = 2 LocalTID RemoteTID RemoteAddress Port Sessions RemoteName lac lac-2 CLI configuration files Gateway: interzone policy default by-priority l2tp enable 12

15 ip vpn-instance VPN1 route-distinguisher 1:1 vpn-target 1:1 export-extcommunity vpn-target 1:1 import-extcommunity ip vpn-instance VPN2 route-distinguisher 2:2 vpn-target 2:2 export-extcommunity vpn-target 2:2 import-extcommunity domain domain1 authentication ppp local ip pool domain domain2 authentication ppp local ip pool local-user vpnuser1 password cipher $c$3$1xwqmuk2d2ansy05mryfvlwgywrm/m/3la== service-type ppp local-user vpnuser2 password cipher $c$3$zdpgi9ns2e6niy2uulccevkk6rgobmve1q== service-type ppp l2tp-group 1 allow l2tp virtual-template 0 tunnel password cipher $c$3$gkyt1jey1otq0dttdcbxzvg9wohf/xyqaq== tunnel name lns interface Virtual-Template0 ppp authentication-mode pap ppp user bind enable ppp user bind virtual-template 1 domain domain1 ppp user bind virtual-template 2 domain domain2 interface Virtual-Template1 ppp authentication-mode pap domain domain1 remote address pool 1 ip binding vpn-instance VPN1 ip address interface Virtual-Template2 ppp authentication-mode pap domain domain2 remote address pool 1 ip binding vpn-instance VPN2 ip address

16 interface Ten-GigabitEthernet0/0.3 vlan-type dot1q vid 3 ip binding vpn-instance VPN1 ip address interface Ten-GigabitEthernet0/0.4 vlan-type dot1q vid 4 ip binding vpn-instance VPN2 ip address interface Ten-GigabitEthernet0/0.20 vlan-type dot1q vid 20 ip address vd v1 id 2 allocate interface Virtual-Template1 allocate interface Ten-GigabitEthernet0/0.3 vd v2 id 3 allocate interface Virtual-Template2 allocate interface Ten-GigabitEthernet0/0.4 zone name Untrust id 4 priority 5 import interface Ten-GigabitEthernet0/0.20 switchto vd v1 zone name v1trust id 1 priority 85 import interface Ten-GigabitEthernet0/0.3 zone name v1untrust id 2 priority 5 import interface Virtual-Template1 switchto vd v2 zone name v2trust id 1 priority 85 import interface Ten-GigabitEthernet0/0.4 zone name v2untrust id 2 priority 5 import interface Virtual-Template2 switchto vd v1 object network subnet / subnet object network subnet / subnet interzone source v1untrust destination v1trust rule 0 permit logging source-ip / destination-ip / service any_service 14

17 rule enable switchto vd v2 object network subnet / subnet object network subnet / subnet interzone source v2untrust destination v2trust rule 0 permit logging source-ip / destination-ip / service any_service rule enable ip route-static vpn-instance VPN Virtual-Template1 ip route-static vpn-instance VPN Virtual-Template2 FW A: interzone policy default by-priority l2tp enable domain domain1 authentication ppp local local-user vpnuser1 password cipher $c$3$s3dwjkelvqaecpyphln4eco25zmy7nxlga== service-type ppp l2tp-group 1 tunnel password cipher $c$3$anwtmtfjcxy1ubx5vaurhf0hhl2er0ph+w== tunnel name lac-1 start l2tp ip domain domain1 interface Virtual-Template1 ppp authentication-mode pap domain domain1 ppp pap local-user vpnuser1@domain1 password cipher $c$3$qimy9lmpt1rwadhuwxzi6k yfoubb+z6fba== l2tp-auto-client enable ip address ppp-negotiate interface GigabitEthernet0/1 port link-mode route ip address interface GigabitEthernet0/3 port link-mode route ip address

18 zone name Trust id 2 priority 85 import interface GigabitEthernet0/1 zone name Untrust id 4 priority 5 import interface GigabitEthernet0/3 import interface Virtual-Template1 ip route-static Virtual-Template1 FW B: interzone policy default by-priority l2tp enable domain domain2 authentication ppp local access-limit disable state active idle-cut disable self-service-url disable local-user vpnuser2 password cipher $c$3$rgz6/v8hd37025dkfrslhbz8ietjc76/kq== service-type ppp l2tp-group 1 tunnel password cipher $c$3$ohtvipdjhx0u+xlnqihbhraw3jwhirbnqq== tunnel name lac-2 start l2tp ip domain domain2 interface Virtual-Template1 ppp authentication-mode pap domain domain2 ppp pap local-user vpnuser2@domain2 password cipher $c$3$5qj0ylpx5krd4q1ysvnehm RmSM5ppM660Q== l2tp-auto-client enable ip address ppp-negotiate interface GigabitEthernet0/1 port link-mode route ip address interface GigabitEthernet0/3 port link-mode route ip address

19 zone name Trust id 2 priority 85 import interface GigabitEthernet0/1 zone name Untrust id 4 priority 5 import interface GigabitEthernet0/3 import interface Virtual-Template1 ip route-static Virtual-Template1 Related documentation H3C SecPath Series Firewalls and UTM Devices Access Control Configuration Guide H3C SecPath Series Firewalls and UTM Devices Access Control Command Reference H3C SecPath Series Firewalls and UTM Devices VPN Configuration Guide H3C SecPath Series Firewalls and UTM Devices VPN Command Reference 17