If you have the option, use SSL VPN rather than L2TP VPN. Why not L2TP? Leaving security aside, it sometimes fails to connect, different OS versions hit different problems, and the office OA system sometimes fails to load content over it. The rest of this post covers SSL VPN.

Employees on business trips need to reach internal company servers that only accept connections from the internal network; SSL VPN gives them that access. The topology is shown in the figure below:

[Figure: enabling SSL VPN on an H3C V7 firewall]

Here is the core SSL VPN configuration (the firewall acts as the egress router and terminates the VPN):

# Service object group for the SSL VPN listening port
object-group service openvpn
0 service tcp destination eq 4433
quit
# Create the SSL VPN AC interface
interface SSLVPN-AC1
description sslvpn
ip address 172.17.1.254 255.255.255.0
quit
# SSL VPN address pool; set the range to match actual needs (it must fall inside the AC interface subnet)
sslvpn ip address-pool SSLPOOL 172.17.1.1 172.17.1.10
# Create a security zone for the VPN interface
security-zone name SSLVPN
import interface SSLVPN-AC1
quit
# ACL describing the destination resources reachable through the tunnel
acl advanced 3999
rule 0 permit ip destination 10.10.10.0 0.0.0.255
quit

# SSL VPN gateway and port (the default is 443, which the ISP blocks and which also conflicts with the firewall's own management port)

sslvpn gateway SSLVPNGW
ip address 1.1.1.1 port 4433
service enable
quit
# Create the VPN user and bind it to the SSL VPN policy group (the resources it may reach)
local-user ceshi class network
password simple ceshi@668
service-type sslvpn
authorization-attribute sslvpn-policy-group SSLVPNZIYUAN
quit

# SSL VPN access instance (context)
sslvpn context SSLVPN
gateway SSLVPNGW
ip-tunnel interface SSLVPN-AC1
ip-tunnel address-pool SSLPOOL mask 255.255.255.0
ip-tunnel dns-server primary 114.114.114.114
# Route list pushed to clients; ip-route-list opens its own view, so quit before defining the policy group
ip-route-list NEIWANG
include 10.10.10.0 255.255.255.0
quit
# Policy group: filter tunnel traffic with ACL 3999 and push the NEIWANG routes
policy-group SSLVPNZIYUAN
filter ip-tunnel acl 3999
ip-tunnel access-route ip-route-list NEIWANG
quit
# Back in context view, enable the context
service enable
quit


# Security policy

# Allow TCP 4433 from Untrust to Local (clients reaching the gateway)
[H3C]security-policy ip
[H3C-security-policy-ip]rule 5 name Untrst-Local
[H3C-security-policy-ip-5-Untrst-Local]action pass
[H3C-security-policy-ip-5-Untrst-Local]source-zone Untrust
[H3C-security-policy-ip-5-Untrst-Local]destination-zone Local
[H3C-security-policy-ip-5-Untrst-Local]service openvpn
[H3C-security-policy-ip-5-Untrst-Local]quit
# Allow traffic from source zone SSLVPN to destination zone Trust (tunnel traffic into the intranet)
[H3C-security-policy-ip]rule 10 name SSLVPN-Trust
[H3C-security-policy-ip-10-SSLVPN-Trust]action pass
[H3C-security-policy-ip-10-SSLVPN-Trust]source-zone SSLVPN
[H3C-security-policy-ip-10-SSLVPN-Trust]destination-zone Trust
[H3C-security-policy-ip-10-SSLVPN-Trust]quit
Finally, save the configuration: save force
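The configuration above only works if its pieces refer to each other correctly: the service object port must match the gateway port, the address pool must sit inside the AC interface subnet, the ACL must permit the subnets the route list pushes, the user's policy group must exist, and the two security-policy rules must be present. The following checker is an added example, not part of the original post and not H3C tooling; it assumes the configuration text is laid out the way display current-configuration prints it (sub-commands indented under their view) and works purely on the text, never contacting the device. The embedded sample is a constructed copy of this post's configuration.

```python
"""Cross-reference checker for an H3C Comware V7 SSL VPN configuration (added example)."""
import ipaddress
import re

# Constructed sample: the configuration from the write-up above, laid out the way
# "display current-configuration" prints it (sub-commands indented under their view).
SAMPLE_CONFIG = """
object-group service openvpn
 0 service tcp destination eq 4433
interface SSLVPN-AC1
 ip address 172.17.1.254 255.255.255.0
sslvpn ip address-pool SSLPOOL 172.17.1.1 172.17.1.10
acl advanced 3999
 rule 0 permit ip destination 10.10.10.0 0.0.0.255
sslvpn gateway SSLVPNGW
 ip address 1.1.1.1 port 4433
local-user ceshi class network
 service-type sslvpn
 authorization-attribute sslvpn-policy-group SSLVPNZIYUAN
sslvpn context SSLVPN
 gateway SSLVPNGW
 ip-tunnel interface SSLVPN-AC1
 ip-tunnel address-pool SSLPOOL mask 255.255.255.0
 ip-route-list NEIWANG
  include 10.10.10.0 255.255.255.0
 policy-group SSLVPNZIYUAN
  filter ip-tunnel acl 3999
  ip-tunnel access-route ip-route-list NEIWANG
security-policy ip
 rule 5 name Untrst-Local
  action pass
  source-zone Untrust
  destination-zone Local
  service openvpn
 rule 10 name SSLVPN-Trust
  action pass
  source-zone SSLVPN
  destination-zone Trust
"""


def _find(pattern, text):
    m = re.search(pattern, text, re.M)  # first match, as a tuple of groups, or None
    return m.groups() if m else None


def check_sslvpn_config(text):
    """Return a list of problems found; an empty list means every cross-reference lines up."""
    problems = []

    # 1. The port opened by the service object must be the port the gateway listens on.
    svc = _find(r"^object-group service (\S+)\n\s+\d+ service tcp destination eq (\d+)", text)
    gw = _find(r"^\s+ip address \S+ port (\d+)", text)
    if not svc or not gw:
        problems.append("service object or sslvpn gateway port not found")
    elif svc[1] != gw[0]:
        problems.append(f"service object {svc[0]} opens port {svc[1]} but the gateway listens on {gw[0]}")

    # 2. The address pool must lie inside the AC interface subnet and not contain its address.
    ac = _find(r"^interface (SSLVPN-AC\d+)\n\s+ip address (\S+) (\S+)", text)
    pool = _find(r"^sslvpn ip address-pool (\S+) (\S+) (\S+)", text)
    if not ac or not pool:
        problems.append("AC interface or address pool not found")
    else:
        ac_if = ipaddress.ip_interface(f"{ac[1]}/{ac[2]}")
        lo, hi = ipaddress.ip_address(pool[1]), ipaddress.ip_address(pool[2])
        if lo not in ac_if.network or hi not in ac_if.network:
            problems.append(f"pool {pool[0]} {lo}-{hi} lies outside {ac[0]} subnet {ac_if.network}")
        if lo <= ac_if.ip <= hi:
            problems.append(f"pool {pool[0]} contains the {ac[0]} address {ac_if.ip}")

    # 3. Pushed routes (ip-route-list) and ACL-permitted destinations must cover each other:
    #    a pushed route the ACL drops is a silent black hole, a permitted destination
    #    without a route is unreachable from the client.
    acl_nets = {ipaddress.ip_network(f"{ip}/{wc}")  # wildcard-mask form
                for ip, wc in re.findall(r"^\s+rule \d+ permit ip destination (\S+) (\S+)", text, re.M)}
    route_nets = {ipaddress.ip_network(f"{ip}/{mask}")  # netmask form
                  for ip, mask in re.findall(r"^\s+include (\S+) (\S+)", text, re.M)}
    for net in route_nets:
        if not any(net.subnet_of(a) for a in acl_nets):
            problems.append(f"route-list subnet {net} is not permitted by the filter ACL")
    for net in acl_nets:
        if not any(net.subnet_of(r) for r in route_nets):
            problems.append(f"ACL permits {net} but no tunnel route is pushed for it")

    # 4. The user's policy group must exist in the context, and the ACL and route list it names must be defined.
    user_pg = _find(r"^\s+authorization-attribute sslvpn-policy-group (\S+)", text)
    if not user_pg or user_pg[0] not in re.findall(r"^\s+policy-group (\S+)", text, re.M):
        problems.append("user's sslvpn-policy-group is not defined in any sslvpn context")
    acl_ref = _find(r"^\s+filter ip-tunnel acl (\d+)", text)
    if acl_ref and not re.search(rf"^acl advanced {acl_ref[0]}$", text, re.M):
        problems.append(f"policy group filters with undefined ACL {acl_ref[0]}")
    rl_ref = _find(r"^\s+ip-tunnel access-route ip-route-list (\S+)", text)
    if rl_ref and not re.search(rf"^\s+ip-route-list {re.escape(rl_ref[0])}$", text, re.M):
        problems.append(f"policy group pushes undefined route list {rl_ref[0]}")

    # 5. Security policy: a pass rule Untrust->Local for the service object (clients reach the
    #    gateway) and a pass rule from zone SSLVPN to Trust (tunnel traffic reaches the intranet).
    rule_blocks = re.split(r"^\s*rule \d+ name \S+\n", text, flags=re.M)[1:]

    def has_pass_rule(src, dst, service=None):
        for block in rule_blocks:
            f = dict(re.findall(r"^\s+(action|source-zone|destination-zone|service) (\S+)", block, re.M))
            if (f.get("action"), f.get("source-zone"), f.get("destination-zone")) == ("pass", src, dst) \
                    and (service is None or f.get("service") == service):
                return True
        return False

    if not has_pass_rule("Untrust", "Local", svc[0] if svc else None):
        problems.append("no pass rule Untrust->Local for the SSL VPN service object")
    if not has_pass_rule("SSLVPN", "Trust"):
        problems.append("no pass rule from zone SSLVPN to Trust")
    return problems


if __name__ == "__main__":
    for line in check_sslvpn_config(SAMPLE_CONFIG) or ["all SSL VPN cross-references are consistent"]:
        print(line)
```

Paste the relevant part of a saved configuration into SAMPLE_CONFIG (or read it from a file) and run the script; each reported line names the object that does not line up, which is usually the cause of "the client connects but nothing on the intranet loads" complaints.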