Published 2023-12-31 (author: )

Configure telnet login

telnet server enable

Create a local account and password

local-user admin

password simple hnjb8013

user-interface vty 0 4

authentication-mode schema

user-role level-15

Configure the WAN interface address

system-view

[H3C]interface GigabitEthernet 0/0

[H3C-GigabitEthernet0/0]ip address 119.57.73.67 255.255.255.248

//IP address and mask: use the address assigned by the ISP

[H3C-GigabitEthernet0/0]quit

2) Set the internal network gateway

[H3C]interface GigabitEthernet 0/1

[H3C-GigabitEthernet0/1]ip address 192.168.1.1 24 //internal gateway IP address

[H3C-GigabitEthernet0/1]quit

Configure DHCP

system-view

[H3C]dhcp server ip-pool 1

[H3C-dhcp-pool-1]network 192.168.1.0 mask 255.255.255.0

[H3C-dhcp-pool-1]gateway-list 192.168.1.1

[H3C-dhcp-pool-1]address range 192.168.1.2 192.168.1.200 //address pool

[H3C-dhcp-pool-1]dns-list 202.106.0.20 114.114.114.114 //the actual ISP DNS addresses

[H3C-dhcp-pool-1]quit

4) Configure NAT on the WAN interface so that internal addresses reach the Internet through source address translation.

[H3C]interface GigabitEthernet 0/0

[H3C-GigabitEthernet0/0]nat outbound

5) Configure the default route

[H3C]ip route-static 0.0.0.0 0.0.0.0 119.57.73.65 //next hop: the gateway address assigned by the ISP

One-to-one NAT (static NAT)

system-view

[H3C]nat static outbound 192.168.1.248 119.57.73.70

[H3C]interface GigabitEthernet0/0

[H3C-GigabitEthernet0/0]ip address 119.57.73.70 255.255.255.248 sub

[H3C-GigabitEthernet0/0]nat static enable

[H3C-GigabitEthernet0/0]quit

NAT port mapping

system-view

[H3C]interface GigabitEthernet 0/0 //enter the device's public-network interface

[H3C-GigabitEthernet0/0]nat server protocol tcp global 119.57.73.67 5366 inside 192.168.1.67 5366

nat server protocol tcp global 119.57.73.67 5367 inside 192.168.1.67 5367

nat server protocol tcp global 119.57.73.67 8081 inside 192.168.1.244 8081

nat server protocol tcp global 119.57.73.67 8123 inside 192.168.1.250 8443

nat server protocol tcp global 119.57.73.67 33890 inside 192.168.1.88 3389

L2TP over IPsec

1. Enable L2TP.

system-view

[H3C]l2tp enable

2. Configure the local username and password; several users can be configured.

[H3C]local-user hnjb class network //configure the dial-in username

New local user added.

[H3C-luser-network-hnjb]password simple hnjb8013 //configure the dial-in password

[H3C-luser-network-hnjb]service-type ppp

[H3C-luser-network-hnjb]quit

3. Configure the user authentication method and the IP address pool

[H3C]domain system

[H3C-isp-system]authentication ppp local //set the authentication method for PPP users to local authentication

[H3C-isp-system]quit

[H3C]ip pool 10 10.1.1.10 10.1.1.100 //configure the IP address range assigned to dial-in clients

4. Create the virtual template interface

[H3C]interface Virtual-Template0

[H3C-Virtual-Template0]ppp authentication-mode chap //set the local PPP authentication of clients to CHAP

[H3C-Virtual-Template0]remote address pool 10 //in the virtual template view, specify the address pool from which users receive IPs

[H3C-Virtual-Template0]ip address 10.1.1.1 24

[H3C-Virtual-Template0]ppp ipcp dns 219.141.140.10 114.114.114.114 //configure DNS

[H3C-Virtual-Template0]quit

5. Create and configure the L2TP group

[H3C]l2tp-group 1 mode lns

[H3C-l2tp1]undo tunnel authentication //disable L2TP tunnel authentication, because many client operating systems do not support it.

[H3C-l2tp1]allow l2tp virtual-template 0

[H3C-l2tp1]quit

Configure IPsec

A. Create and enter an IKE keychain view; this view is used to configure the key information for IKE peers.

[H3C]ike keychain keychain1

[H3C-ike-keychain-keychain1]pre-shared-key address 0.0.0.0 0.0.0.0 key simple hnjb2017 //configure the pre-shared key (the original comment says 123456, while the command sets hnjb2017).

[H3C-ike-keychain-keychain1]quit

Configure the IKE peer

[H3C]ike profile profile1

[H3C-ike-profile-profile1]keychain keychain1

[H3C-ike-profile-profile1]local-identity address 119.57.73.67 //specify the IP address that identifies the local end.

[H3C-ike-profile-profile1]match remote identity address 0.0.0.0 0.0.0.0 //specify the peer identity; this command matches any remote address (the original comment refers to an FQDN name).

[H3C-ike-profile-profile1]proposal 1 2 3 4 5 6

[H3C-ike-profile-profile1]quit

Configure the IPsec transform set (security proposal)

[H3C]ipsec transform-set tran1

[H3C-ipsec-transform-set-tran1]esp encryption-algorithm des-cbc

[H3C-ipsec-transform-set-tran1]esp authentication-algorithm md5

[H3C-ipsec-transform-set-tran1]quit

Configure the IPsec policy template

[H3C]ipsec policy-template msr 1

[H3C-ipsec-policy-template-msr-1]ike-profile profile1 //reference the IKE peer configured earlier

[H3C-ipsec-policy-template-msr-1]transform-set 1 2 3 4 5 6 //reference the IPsec transform sets configured earlier

[H3C-ipsec-policy-template-msr-1]quit

Create the IPsec policy and reference the policy template

[H3C]ipsec policy 123 1 isakmp template msr

Apply the IPsec policy on the public-network interface.

[H3C]interface GigabitEthernet 0/0

[H3C-GigabitEthernet0/0]ipsec apply policy 123

ike proposal 1

encryption-algorithm aes-cbc-128

dh group2

authentication-algorithm md5

ike proposal 2

encryption-algorithm 3des-cbc

dh group2

authentication-algorithm md5

ike proposal 3

encryption-algorithm 3des-cbc

dh group2

ike proposal 4

encryption-algorithm aes-cbc-256

dh group2

ike proposal 5

dh group2

ike proposal 6

encryption-algorithm aes-cbc-192

dh group2

ipsec transform-set 1

encapsulation-mode transport

esp encryption-algorithm 3des-cbc

esp authentication-algorithm md5

ipsec transform-set 2

encapsulation-mode transport

esp encryption-algorithm aes-cbc-128

esp authentication-algorithm sha1

ipsec transform-set 3

encapsulation-mode transport

esp encryption-algorithm aes-cbc-256

esp authentication-algorithm sha1

ipsec transform-set 4

encapsulation-mode transport

esp encryption-algorithm des-cbc

esp authentication-algorithm sha1

ipsec transform-set 5

encapsulation-mode transport

esp encryption-algorithm 3des-cbc

esp authentication-algorithm sha1

ipsec transform-set 6

encapsulation-mode transport

esp encryption-algorithm aes-cbc-192

esp authentication-algorithm sha1
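As an added defender's check (example code written for this page, not part of the original tutorial or of H3C's software): a small Python audit that reads an H3C configuration excerpt like the one above and lists the settings a reviewer would revisit before deploying it. The embedded excerpt is constructed from this page's own commands; the sets of flagged algorithms and management ports are assumptions of the example.

```python
import re

# Constructed excerpt of the configuration shown on this page (sample input, not a live device).
SAMPLE_CONFIG = """
telnet server enable
local-user admin
 password simple hnjb8013
nat server protocol tcp global 119.57.73.67 33890 inside 192.168.1.88 3389
nat server protocol tcp global 119.57.73.67 8123 inside 192.168.1.250 8443
l2tp-group 1 mode lns
 undo tunnel authentication
ike keychain keychain1
 pre-shared-key address 0.0.0.0 0.0.0.0 key simple hnjb2017
ike proposal 1
 encryption-algorithm aes-cbc-128
 dh group2
 authentication-algorithm md5
ipsec transform-set tran1
 esp encryption-algorithm des-cbc
 esp authentication-algorithm md5
"""

# Assumed review baseline: algorithms and DH groups the page's proposals use that no longer meet it.
WEAK_ALGORITHMS = {"des-cbc", "3des-cbc", "md5"}
WEAK_DH_GROUPS = {"dh group1", "dh group2"}
# Inside ports whose exposure via "nat server" gets a review entry (remote management services).
MANAGEMENT_PORTS = {22, 23, 3389}
NAT_SERVER = re.compile(r"nat server protocol (\w+) global (\S+) (\d+) inside (\S+) (\d+)")
ALGORITHM = re.compile(r"(?:esp )?(?:encryption|authentication)-algorithm (\S+)")

def audit_h3c_config(text):
    """Return [(line_no, finding)] for the settings in an H3C config excerpt that need review."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == "telnet server enable":
            findings.append((n, "telnet enabled: management sessions and passwords cross the network in cleartext"))
        if "pre-shared-key address 0.0.0.0 0.0.0.0" in line:
            findings.append((n, "IKE pre-shared key accepted from any peer address (0.0.0.0 0.0.0.0)"))
        if " simple " in f" {line} ":  # 'password simple' / 'key simple' store the secret unhashed
            findings.append((n, "secret stored with 'simple' (plaintext) in the configuration"))
        if line == "undo tunnel authentication":
            findings.append((n, "L2TP tunnel authentication disabled; only PPP and IPsec still authenticate"))
        if line in WEAK_DH_GROUPS:
            findings.append((n, f"{line}: 1024-bit or smaller DH group in IKE proposal"))
        m = NAT_SERVER.match(line)
        if m and int(m.group(5)) in MANAGEMENT_PORTS:
            findings.append((n, f"{m.group(1)}/{m.group(3)} on {m.group(2)} forwards to management port {m.group(5)} on {m.group(4)}"))
        m = ALGORITHM.match(line)
        if m and m.group(1) in WEAK_ALGORITHMS:
            findings.append((n, f"weak algorithm {m.group(1)} in IKE/IPsec proposal"))
    return findings

if __name__ == "__main__":
    for line_no, finding in audit_h3c_config(SAMPLE_CONFIG):
        print(f"line {line_no}: {finding}")
```

Feeding the device's full `display current-configuration` output to `audit_h3c_config` gives the same list for the real configuration; the 8123 to 8443 mapping is deliberately not flagged because 8443 is not in the assumed management-port set.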

Summary