Command Line User Guide: VPN. StoneOS 5.0R4P3.6. TWNO: TW-CUG-UNI-VPN-5.0R4P3.6-CN-V1.0-Y14M11

www.hillstonenet.com.cn

Contents

Only the page numbers and a few headings of the original table of contents survived extraction; the lost sub-entries are omitted.

1 IPSec ... 1
    Security Association (SA) ... 1
    IPSec VPN ... 4
    Manual-key VPN commands ... 5
    IKE VPN commands: P1 proposal ... 8, ISAKMP peer ... 10, P2 proposal ... 13, IKE tunnel ... 16
    XAUTH ... 20
    Show commands ... 24
    Configuration examples: manual-key VPN ... 24, IKE VPN ... 27, redundant VPN ... 31, VPN example (heading lost) ... 36, XAUTH ... 40
20 Secure Connect VPN (SCVPN) ... 43
21 VPN (heading lost; covers P1, DH, ISAKMP, IKE, PKI, NAT, DPD, P2, PFS and Commit topics) ... 119
22 PnPVPN ... 136
23 GRE ... 149
24 L2TP ... 156

About this guide

This volume of the StoneOS command line user guide describes VPN configuration. Chapters:

1 IPSec: IPSec VPN on StoneOS (the chapter reproduced below)
2 Secure Connect VPN: the StoneOS SSL VPN, SCVPN
3 VPN (chapter title lost in extraction)
4 PnPVPN: StoneOS plug-and-play VPN
5 GRE: GRE tunnels on StoneOS
6 L2TP: L2TP on StoneOS

Conventions: every feature described here can also be configured from the Hillstone WebUI. In command syntax, braces { } enclose a required choice, square brackets [ ] enclose an optional element, and angle brackets < > mark a named field or WebUI item (for example MTU). In examples, hostname stands for the device's host name as shown in the CLI prompt.

1 IPSec

IPSec overview

IPSec protects IP traffic with three protocols: AH (Authentication Header) and ESP (Encapsulating Security Payload), which protect the packets themselves, and IKE (Internet Key Exchange), which negotiates the parameters and keys. AH authenticates the whole IP packet, header included, but does not encrypt. ESP encrypts the payload and can also authenticate it. AH and ESP can be used on their own or together.

Security Association (SA). An SA is a one-way agreement between two IPSec peers on the protocol, algorithms and keys used to protect traffic in that direction. StoneOS distinguishes the ISAKMP SA (the IKE phase 1 SA, which protects the negotiation itself) from the IPSec SAs (which protect user traffic). The supported encryption algorithms are DES, 3DES, AES-128, AES-192 and AES-256. SAs are established in one of two ways: configured manually on both ends (manual-key VPN) or negotiated by IKE.

IKE. IKE, built on ISAKMP, negotiates in two phases. Phase 1 (P1) establishes the ISAKMP SA: 1. the peers agree on a Diffie-Hellman (DH) group; 2. they agree on an encryption algorithm (DES, 3DES, AES-128/192/256) and a hash algorithm (MD5, SHA-1, SHA-2); 3. they perform the DH exchange and derive keys; 4. they authenticate each other and the ISAKMP SA is established. Phase 2 (P2), protected by the ISAKMP SA, establishes the IPSec SAs: 1. the peers agree on the protocol (AH or ESP), the hash (MD5, SHA-1, SHA-2 or NULL), the encryption (NULL, DES, 3DES, AES-128/192/256) and optional DEFLATE compression; 2. optionally they perform another DH exchange (PFS); 3. the IPSec SAs are established, and user traffic is then protected by AH or ESP.

Hash algorithms. MD5 produces a 128-bit digest. SHA-1 processes messages shorter than 2^64 bits and produces a 160-bit digest; it is considered stronger than MD5. SHA-2 covers SHA-256 (messages shorter than 2^64 bits, 256-bit digest), SHA-384 (messages shorter than 2^128 bits, 384-bit digest) and SHA-512 (messages shorter than 2^128 bits, 512-bit digest).

Encryption algorithms (used by ESP). DES (Data Encryption Standard) uses a 56-bit key on 64-bit blocks. 3DES (Triple DES) applies DES three times with three 56-bit keys, 168 bits in total. AES (Advanced Encryption Standard) is supported by StoneOS with 128-, 192- and 256-bit keys.

IP compression. IPComp (IP Payload Compression) compresses the IP payload before it is encrypted, which matters because encrypted data cannot be compressed afterwards. Like an SA, an IPComp Association (IPCA) is negotiated between the peers by ISAKMP together with the IPSec SAs. Hillstone devices support the DEFLATE algorithm (LZ77 combined with Huffman coding).

Practitioner's note, not from the original guide: DES, MD5 and DH group 1 are broken or deprecated and group 2 (1024-bit) is considered weak; prefer AES-256, SHA-256 and the largest DH group both peers support (group 5 on this release), and use null encryption only where the traffic is deliberately left in the clear.

Standards supported by the StoneOS IPSec implementation:

    Security Architecture for the Internet Protocol: RFC 2401 / RFC 4301
    ESP: RFC 2406 / RFC 4303
    AH: RFC 2402 / RFC 4302
    Null encryption: RFC 2410
    DES-CBC: RFC 2405
    3DES-CBC: RFC 2451
    AES-CBC: RFC 3602
    SHA: FIPS 180-2
    HMAC-SHA-1: RFC 2404
    HMAC-SHA-2: RFC 4868
    HMAC-MD5: RFC 2403
    IPComp: RFC 2393
    DEFLATE: RFC 2394

IPSec VPN on StoneOS. Traffic is sent into an IPSec VPN either by policy (a policy rule whose action is tunnel or fromtunnel, as in the manual-key example later in this chapter) or by route (a tunnel interface bound to the VPN, as in the IKE example).

Configuring an IPSec VPN

StoneOS supports two kinds of IPSec VPN: manual-key VPN, where both ends are configured with the same static SPIs, algorithms and keys, and IKE VPN, where IKE negotiates them. Both can also be configured in the WebUI.

Configuring a manual-key VPN

tunnel ipsec name manual
    Creates the manual-key tunnel called name and enters its configuration mode (prompt hostname(config-tunnel-ipsec-manual)#). no tunnel ipsec name manual deletes it.

mode {transport | tunnel}
    transport selects IPSec transport mode, tunnel selects IPSec tunnel mode. no mode restores the default.

spi spi-number out-spi-number
    The Security Parameter Index (SPI) is a 32-bit value carried in the AH or ESP header that, with the destination address and protocol, identifies the SA. spi-number is the inbound SPI and out-spi-number the outbound SPI; the peer must configure the same two values the other way round (its inbound SPI is this end's outbound SPI). no spi removes them.

protocol {esp | ah}
    Encapsulation protocol: esp (ESP) or ah (AH). no protocol restores the default.

encryption {3des | des | aes | aes-192 | aes-256 | null}
    3des: 3DES, 192-bit key; des: DES, 64-bit key; aes: AES, 128-bit key; aes-192: AES, 192-bit key; aes-256: AES, 256-bit key; null: no encryption. no encryption restores the default.

hash {md5 | sha | sha256 | sha384 | sha512 | null}
    md5: MD5, 128 bits; sha: SHA-1, 160 bits (the StoneOS default); sha256: SHA-256, 256 bits; sha384: SHA-384, 384 bits; sha512: SHA-512, 512 bits; null: no authentication. no hash restores the default.

compression deflate
    Enables DEFLATE compression. no compression disables it.

peer ip-address
    IP address of the remote VPN gateway. no peer removes it.

hash-key inbound hex-number-string outbound hex-number-string
    Authentication keys, given as hexadecimal strings, for inbound and outbound traffic. The peer's inbound key is this end's outbound key. no hash-key removes them.

encryption-key inbound hex-number-string outbound hex-number-string
    Encryption keys, given as hexadecimal strings, for inbound and outbound traffic, crossed between the peers in the same way. no encryption-key removes them.

interface interface-name
    Binds the tunnel to the egress interface through which the peer is reached. no interface removes the binding. When virtual systems (VSYS) are in use the interface must belong to the VSYS in which the tunnel is configured.
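The manual-key commands above have to be mirrored by hand on both gateways (inbound keys and SPIs on one side are the outbound ones on the other), and the example later in this chapter uses placeholder keys such as 00ff that are far shorter than 3DES or SHA-1 need. The following Python script is an added example, not code from the Hillstone guide: it generates properly sized random keys for a tunnel pair, renders both ends in the command syntax above, and cross-checks a pair of configurations (including the guide's own placeholder values) for crossed SPIs, crossed keys and key lengths. The key sizes are the algorithms' nominal key lengths; whether a given StoneOS release accepts exactly these lengths is an assumption of the example.

```python
"""Generate and cross-check mirrored manual-key settings for two StoneOS peers.

Added example (not code from the Hillstone guide): it only produces CLI text
in the command syntax of the manual-key section and checks the two ends
against each other.
"""
import secrets

# Bytes of key material per algorithm keyword. DES/3DES include parity bits,
# which is why the guide quotes 64/192 bits; parity is not adjusted here.
ENC_KEY_BYTES = {"des": 8, "3des": 24, "aes": 16, "aes-192": 24, "aes-256": 32, "null": 0}
HASH_KEY_BYTES = {"md5": 16, "sha": 20, "sha256": 32, "sha384": 48, "sha512": 64, "null": 0}


def make_tunnel_pair(name, enc, hsh, a_ip, b_ip, a_spi_in, b_spi_in, iface="ethernet0/1"):
    """Return (settings_a, settings_b) for a mirrored manual-key tunnel.

    Each direction gets its own fresh keys; what A uses inbound, B uses
    outbound (and vice versa), and the SPIs are crossed the same way.
    """
    k_enc = {d: secrets.token_hex(ENC_KEY_BYTES[enc]) for d in ("a2b", "b2a")}
    k_hash = {d: secrets.token_hex(HASH_KEY_BYTES[hsh]) for d in ("a2b", "b2a")}
    common = {"name": name, "interface": iface, "protocol": "esp",
              "encryption": enc, "hash": hsh}
    a = dict(common, peer=b_ip, spi_in=a_spi_in, spi_out=b_spi_in,
             enc_in=k_enc["b2a"], enc_out=k_enc["a2b"],
             hash_in=k_hash["b2a"], hash_out=k_hash["a2b"])
    b = dict(common, peer=a_ip, spi_in=b_spi_in, spi_out=a_spi_in,
             enc_in=k_enc["a2b"], enc_out=k_enc["b2a"],
             hash_in=k_hash["a2b"], hash_out=k_hash["b2a"])
    return a, b


def check_pair(a, b):
    """Return a list of inconsistencies between the two ends (empty = OK)."""
    problems = []
    for field in ("protocol", "encryption", "hash"):
        if a[field] != b[field]:
            problems.append(f"{field} differs: {a[field]} vs {b[field]}")
    if a["spi_in"] != b["spi_out"] or a["spi_out"] != b["spi_in"]:
        problems.append("SPIs not crossed: A inbound must equal B outbound")
    for k_in, k_out in (("enc_in", "enc_out"), ("hash_in", "hash_out")):
        if a[k_in] != b[k_out] or a[k_out] != b[k_in]:
            problems.append(f"{k_in}/{k_out} not crossed between the peers")
    for end in (a, b):
        for k in ("enc_in", "enc_out"):
            need = ENC_KEY_BYTES[end["encryption"]]
            if len(end[k]) != 2 * need:           # hex: two characters per byte
                problems.append(f"{end['name']}: {k} is {len(end[k]) // 2} bytes, "
                                f"{end['encryption']} needs {need}")
        for k in ("hash_in", "hash_out"):
            need = HASH_KEY_BYTES[end["hash"]]
            if len(end[k]) != 2 * need:
                problems.append(f"{end['name']}: {k} is {len(end[k]) // 2} bytes, "
                                f"{end['hash']} needs {need}")
    return problems


def render(s):
    """Emit one end's configuration in the guide's command syntax."""
    return "\n".join([
        f"tunnel ipsec {s['name']} manual",
        f" interface {s['interface']}",
        f" protocol {s['protocol']}",
        f" peer {s['peer']}",
        f" hash {s['hash']}",
        f" hash-key inbound {s['hash_in']} outbound {s['hash_out']}",
        f" encryption {s['encryption']}",
        f" encryption-key inbound {s['enc_in']} outbound {s['enc_out']}",
        f" spi {s['spi_in']} {s['spi_out']}",
        " exit",
    ])


# The key values from the guide's own manual-key example (3DES/SHA-1),
# which are far too short for the algorithms they are used with.
GUIDE_A = {"name": "vpn1", "interface": "ethernet0/1", "protocol": "esp",
           "encryption": "3des", "hash": "sha", "peer": "192.168.1.3",
           "spi_in": 6001, "spi_out": 6002, "enc_in": "00ff", "enc_out": "123a",
           "hash_in": "1234", "hash_out": "5678"}
GUIDE_B = dict(GUIDE_A, peer="192.168.1.2", spi_in=6002, spi_out=6001,
               enc_in="123a", enc_out="00ff", hash_in="5678", hash_out="1234")

if __name__ == "__main__":
    a, b = make_tunnel_pair("vpn1", "3des", "sha", "192.168.1.2", "192.168.1.3", 6001, 6002)
    print(render(a), render(b), sep="\n\n")
    print("generated pair problems:", check_pair(a, b))
    print("guide example problems:", *check_pair(GUIDE_A, GUIDE_B), sep="\n  ")
```

Run it and paste each rendered block into the corresponding gateway; check_pair on the guide's placeholder values reports eight undersized keys, which is the kind of mistake a manual-key deployment silently carries into production.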

Configuring an IKE VPN

An IKE VPN is configured in four steps: a phase 1 (P1) proposal, an ISAKMP peer, a phase 2 (P2) proposal, and an IKE tunnel (tunnel ipsec ... auto) that ties them together.

P1 proposal

The P1 proposal defines the parameters for negotiating the ISAKMP SA: authentication method, encryption and hash algorithms, DH group and SA lifetime.

isakmp proposal p1-name
    Creates the P1 proposal called p1-name and enters its configuration mode (prompt hostname(config-isakmp-proposal)#). no isakmp proposal p1-name deletes it. In a VSYS, proposals are local to that VSYS.

authentication {pre-share | rsa-sig | dsa-sig}
    pre-share: pre-shared key; rsa-sig: RSA signature; dsa-sig: DSA signature (DSA signing uses SHA-1). no authentication restores the default.

encryption {3des | des | aes | aes-192 | aes-256}
    3des: 3DES, 192-bit key (the StoneOS default); des: DES, 64-bit key; aes: AES, 128-bit key; aes-192: AES, 192-bit key; aes-256: AES, 256-bit key. no encryption restores the default.

hash {md5 | sha | sha256 | sha384 | sha512}
    md5: MD5, 128 bits; sha: SHA-1, 160 bits (the StoneOS default); sha256: SHA-256; sha384: SHA-384; sha512: SHA-512. no hash restores the default.

group {1 | 2 | 5}
    Diffie-Hellman group used to derive the keys of the ISAKMP SA. 1: DH group 1, 768-bit; 2: DH group 2, 1024-bit (the default); 5: DH group 5, 1536-bit. Larger groups are stronger and cost more CPU. Both peers must use the same group. no group restores the default.

lifetime time-value
    Lifetime of the ISAKMP SA in seconds, from 300 to 86400; default 86400. no lifetime restores the default.

ISAKMP peer

The ISAKMP peer describes the remote IKE gateway: the interface used, IKE mode, peer address or identity, authentication (pre-shared key or PKI trust domain), the P1 proposals offered, and options for NAT traversal and dead peer detection.

isakmp peer peer-name
    Creates the ISAKMP peer called peer-name and enters its configuration mode (prompt hostname(config-isakmp-peer)#). no isakmp peer peer-name deletes it.

interface interface-name
    Interface on which IKE negotiation takes place. no interface interface-name removes it.

mode {main | aggressive}
    IKE phase 1 exchange mode. main (the usual choice) protects the peers' identities; aggressive is used when the remote end has a dynamic IP address and must be identified by ID rather than address. no mode restores the default.

type {dynamic | static}
    dynamic: the peer's IP address is dynamic; static: the peer has a fixed IP address. no type restores the default.

peer ip-address
    IP address of the remote gateway (static type). no peer removes it.

accept-all-peer-id
    Accept any peer ID during negotiation. no accept-all-peer-id restores ID checking.

isakmp-proposal p1-proposal1 [p1-proposal2] [p1-proposal3] [p1-proposal4]
    P1 proposals offered to this peer, up to four. no isakmp-proposal removes them.

pre-share string
    Pre-shared key. no pre-share removes it.

trust-domain string
    PKI trust domain used for certificate authentication. no trust-domain removes it.

local-id {fqdn string | asn1dn [string] | u-fqdn string | key-id string | ip ip-address}
    Local ID sent to the peer. fqdn: fully qualified domain name; asn1dn: ASN.1 distinguished name (taken from the certificate when string is omitted); u-fqdn: user FQDN, for example user1@hillstonenet.com; key-id: key ID (used with XAUTH); ip: IP address. no local-id removes it.

peer-id {fqdn | asn1dn | u-fqdn | key-id | ip} string
    Expected ID of the peer, of the same types as above. no peer-id removes it.

connection-type {bidirectional | initiator-only | responder-only}
    Whether this device both initiates and responds (bidirectional), only initiates or only responds. no connection-type restores the default.

nat-traversal
    Enables NAT traversal so that IKE and IPSec work when a NAT device sits between the peers. no nat-traversal disables it.

dpd [interval seconds] [retry times]
    Dead Peer Detection. interval is the probe interval in seconds, 0 to 10, default 0 (DPD disabled); retry is the number of retries before the peer is declared dead, 1 to 10, default 3. no dpd disables DPD.

description string
    Description of the ISAKMP peer. no description removes it.

P2 proposal

The P2 proposal defines the parameters of the IPSec SAs: protocol, algorithms, compression, PFS and lifetime.

ipsec proposal p2-name
    Creates the P2 proposal called p2-name and enters its configuration mode (prompt hostname(config-ipsec-proposal)#). no ipsec proposal p2-name deletes it.

protocol {esp | ah}
    esp: ESP; ah: AH. no protocol restores the default.

encryption {3des | des | aes | aes-192 | aes-256 | null} [3des | des | aes | aes-192 | aes-256 | null] [3des | des | aes | aes-192 | aes-256 | null]
    Up to three encryption algorithms, offered in order: 3des 192-bit key (the StoneOS default), des 64-bit key, aes 128-bit key, aes-192, aes-256, null for no encryption. no encryption restores the default.

hash {md5 | sha | sha256 | sha384 | sha512 | null} [md5 | sha | sha256 | sha384 | sha512 | null] [md5 | sha | sha256 | sha384 | sha512 | null]
    Up to three hash algorithms, offered in order: md5 128 bits, sha SHA-1 160 bits (the StoneOS default), sha256, sha384, sha512, null for no authentication. no hash restores the default.

compression deflate
    Enables DEFLATE compression for the IPSec SA. no compression disables it.

group {nopfs | 1 | 2 | 5}
    PFS (Perfect Forward Secrecy) group. With PFS, a new DH exchange is performed for each P2 negotiation so that compromise of one key does not expose earlier or later keys. nopfs disables PFS; 1, 2 and 5 select DH group 1 (768-bit), 2 (1024-bit) or 5 (1536-bit). no group restores the default.

lifetime seconds
    Lifetime of the IPSec SA in seconds; default 28800. no lifetime restores the default.

lifesize kilobytes
    Maximum traffic volume, in kilobytes, before the IPSec SA is renewed; default 0, meaning no volume limit. no lifesize restores the default.

IKE tunnel

The IKE tunnel references an ISAKMP peer and a P2 proposal and sets the remaining IPSec parameters.

tunnel ipsec tunnel-name auto
    Creates the IKE tunnel called tunnel-name and enters its configuration mode (prompt hostname(config-tunnel-ipsec-auto)#). no tunnel ipsec tunnel-name auto deletes it.

mode {transport | tunnel}
    transport: IPSec transport mode; tunnel: IPSec tunnel mode. no mode restores the default.

isakmp-peer peer-name
    ISAKMP peer used by this tunnel. no isakmp-peer removes it.

ipsec-proposal p2-name
    P2 proposal used by this tunnel. no ipsec-proposal removes it.

id {auto | local ip-address/mask remote ip-address/mask service service-name}
    Proxy ID negotiated with the peer. auto derives it automatically; otherwise local and remote give the protected subnets and service the allowed service. no id removes it.

accept-all-proxy-id
    Accept any proxy ID from the peer. no accept-all-proxy-id restores proxy ID checking.

auto-connect
    Brings the SA up automatically (the device retries every 60 seconds) instead of waiting for traffic to trigger negotiation. no auto-connect disables it.

df-bit {copy | clear | set}
    How the DF bit of the outer IP header is set: copy from the inner header, clear, or set. no df-bit restores the default.

anti-replay {32 | 64 | 128 | 256 | 512}
    Size of the anti-replay window in packets: 32, 64, 128, 256 or 512. Packets whose sequence number is already recorded or falls below the window are discarded. no anti-replay disables replay checking.

vpn-track [A.B.C.D] [src-ip A.B.C.D] [interval time-value] [threshold value]
    VPN tunnel tracking. The device sends pings through the tunnel to the given destination (a Hillstone-to-Hillstone feature; the destination and source addresses may not be 0.0.0.0 or 255.255.255.255) and uses the result to mark the tunnel alive or dead, which lets routing fail over between redundant tunnels or share load over equal-cost (ECMP) tunnels. src-ip is the source address of the pings; interval is the ping interval in seconds, 1 to 255, default 10; threshold is the failure count at which the tunnel is declared dead, 1 to 255, default 10. no vpn-track disables tracking.

track-event-notify {disable | enable}
    Whether the peer is notified when the tracked status of the tunnel changes between active and dead. disable is the default.

Viewing tracking status:

show ipsec sa {id}
show tunnel ipsec {manual | auto} {tunnel-name}

    hostname(config)# show ipsec sa 5
    VPN Name: vpn1
    Outbound Gateway: 1.1.1.2
    ...
    VPN track status: alive
    Inbound Gateway: 1.1.1.2
    ...
    VPN track status: alive

    hostname(config)# show tunnel ipsec auto vpn1
    Name: vpn1
    mode: tunnel
    ...
    vpn-track: enable
    tracknotify: enable
    vpntrack destination 1.1.1.1
    vpntrack source ip: 2.2.2.2
    vpntrack interval: 3
    vpntrack threshold: 3

responder-set-commit
    Sets the ISAKMP Commit bit when this device is the responder, so that the initiator waits for confirmation before using the new SA. no responder-set-commit disables it.

description string
    Description of the IKE tunnel. no description removes it.

VSYS quota. In a VSYS profile, tunnel-ipsec max max-num reserve reserve-num limits the number of IPSec tunnels the VSYS may create (max-num) and reserves a number of tunnels for it (reserve-num). reserve-num defaults to 0; max-num defaults to the larger of capacity*2/max-vsys-num and capacity/10. no tunnel-ipsec max max-num reserve reserve-num restores the defaults.

XAUTH

XAUTH (extended authentication) adds user authentication to IKE. After phase 1, the Hillstone device acting as XAUTH server authenticates the remote VPN client's user name and password against a local or RADIUS AAA server, and can assign the client an IP address, DNS and WINS servers from an XAUTH address pool, so that each remote user of an IPSec VPN is identified and addressed individually.
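The anti-replay option in the IKE tunnel section above only lets you pick a window size; what that size means is defined by the ESP receiver's sliding window (RFC 4303, which the chapter cites). The following Python model is an added example, not code from the guide or from StoneOS: it implements the bitmap window, then runs two constructed packet streams through it, one with a packet delayed by reordering and one with a replayed packet, so the trade-off between a small window and tolerance for reordering (for example behind a QoS queue) is visible.

```python
"""ESP anti-replay sliding window (RFC 4303 bitmap scheme).

Added example, not code from the guide or from StoneOS: it models what the
`anti-replay {32 | 64 | 128 | 256 | 512}` window size means to the receiver.
"""


class ReplayWindow:
    """Receiver-side window over ESP sequence numbers."""

    def __init__(self, size=64):
        self.size = size          # window width in packets, as in the CLI option
        self.top = 0              # highest sequence number accepted so far
        self.bitmap = 0           # bit i set => sequence (top - i) was received

    def accept(self, seq):
        """Return True and record seq if it is new and inside the window.

        Sequence number 0 is never valid (the first ESP packet carries 1).
        Packets above the window slide it forward; packets below the
        window's lower edge or already marked in the bitmap are rejected.
        """
        if seq <= 0:
            return False
        if seq > self.top:                       # new high-water mark
            shift = seq - self.top
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:                                # jumped past the whole window
                self.bitmap = 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:                    # older than the window: drop
            return False
        if (self.bitmap >> diff) & 1:            # already received: replay
            return False
        self.bitmap |= 1 << diff
        return True


def count_drops(window_size, sequence_numbers):
    """Number of packets a receiver with this window size would discard."""
    w = ReplayWindow(window_size)
    return sum(0 if w.accept(s) else 1 for s in sequence_numbers)


# Constructed traffic (not captured from a device): 100 packets in order,
# except that packet 60 is held back by a queue and arrives last.
DELAYED_STREAM = [s for s in range(1, 101) if s != 60] + [60]
# Constructed replay: packet 70 is re-injected after it was already seen.
REPLAYED_STREAM = list(range(1, 101)) + [70]

if __name__ == "__main__":
    for size in (32, 64, 512):
        print(f"window {size:3}: delayed-packet drops={count_drops(size, DELAYED_STREAM)}, "
              f"replay drops={count_drops(size, REPLAYED_STREAM)}")
```

With a 32-packet window the legitimately delayed packet is dropped as "too old" while a 64-packet window still accepts it; the replayed packet is rejected at every window size, which is the property the window must never give up.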

Configuring XAUTH

XAUTH configuration has three parts: enabling the XAUTH server on an ISAKMP peer, defining an XAUTH address pool (address range, exclusions, per-user and per-role bindings, DNS and WINS servers), and attaching the pool to the peer.

xauth server
    In ISAKMP peer configuration mode, enables the XAUTH server for that peer. no xauth server disables it.

xauth pool pool-name
    In global configuration mode, creates the XAUTH address pool called pool-name and enters its configuration mode. no xauth pool pool-name deletes it.

address start-ip end-ip netmask mask
    Address range of the pool, from start-ip to end-ip, with the netmask assigned to clients. no address removes it.

exclude-address start-ip end-ip
    Addresses within the range that must not be assigned. no exclude-address removes the exclusion.

xauth pool-name pool-name
    In ISAKMP peer configuration mode, attaches the pool to the peer. no xauth pool-name detaches it.

ip-binding user user-name ip ip-address
    Always assigns ip-address to the user user-name. no ip-binding user user-name removes the binding.

ip-binding role role-name ip-range start-ip end-ip
    Assigns users with the role role-name addresses from the range start-ip to end-ip. A user's address comes from the first rule that matches. no ip-binding role role-name removes the rule.

move role-name1 {before role-name2 | after role-name2 | top | bottom}
    Reorders the role binding rules: places the rule for role-name1 before or after the rule for role-name2, or at the top or bottom of the list.

dns address1 [address2]
    Primary and optional secondary DNS server pushed to clients. no dns removes them.

wins address1 [address2]
    Primary and optional secondary WINS server pushed to clients. no wins removes them.

exec xauth isakmp-peer-name kickout user-name
    Disconnects the XAUTH user user-name logged in through the ISAKMP peer isakmp-peer-name.

Viewing IPSec configuration and status

show isakmp proposal [p1-name]
    P1 proposals.
show isakmp peer [peer-name]
    ISAKMP peers.
show ipsec proposal [proposal-name]
    P2 proposals.
show tunnel ipsec manual [tunnel-name]
    Manual-key tunnels.
show tunnel ipsec auto [tunnel-name]
    IKE tunnels.
show isakmp sa [dst-ip]
    ISAKMP SAs, optionally for one peer address.
show ipsec sa [id | active | inactive]
    IPSec SAs, one SA by id or only the active or inactive ones.
show xauth pool [pool-name]
    XAUTH address pools.
show xauth client isakmp-peer-name [user user-name]
    XAUTH clients connected through a peer.

Configuration examples

This section gives examples of a manual-key VPN, an IKE VPN, redundant VPN tunnels and XAUTH.

Example 1: manual-key VPN

Two gateways, Hillstone A and Hillstone B, connect two sites. PC1 (188.1.1.2) sits behind Hillstone A, whose trust interface is 188.1.1.1; server1 (10.110.88.210) sits behind Hillstone B, whose trust interface is 10.110.88.220. The untrust interfaces, 192.168.1.2 on A and 192.168.1.3 on B, face each other. The goal is for PC1's network 188.1.1.0/24 to reach server1's network 10.110.88.0/24 through a manual-key VPN using ESP, 3DES, SHA-1 and DEFLATE compression (topology shown in Figure 1 of the original, not reproduced here).
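The pool commands above leave the address selection rules implicit. The following Python model is an added example, not Hillstone code: it mirrors the pool commands (address range, exclude-address, ip-binding user, ordered ip-binding role rules moved with before/after/top/bottom) and the kickout command, and shows which address a logging-in user receives. The precedence it implements (a user binding first, then the first matching role rule, then the general range, with excluded, user-bound and role-range addresses kept out of general assignment) is this example's assumption, not a statement of StoneOS behaviour.

```python
"""Address assignment from an XAUTH pool, as an added model (not Hillstone code).

Precedence assumed here: user binding, then first matching role rule, then the
general range; excluded, user-bound and role-range addresses are never handed
out by the general range.
"""
import ipaddress


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _str(n):
    return str(ipaddress.IPv4Address(n))


class XauthPool:
    def __init__(self, name, start_ip, end_ip, netmask="255.255.255.0"):
        self.name = name
        self.netmask = netmask
        self.start, self.end = _ip(start_ip), _ip(end_ip)
        self.excluded = set()          # exclude-address ranges
        self.user_bindings = {}        # ip-binding user: user -> address
        self.role_rules = []           # ip-binding role, in rule order: [role, start, end]
        self.leases = {}               # user -> address currently assigned

    # --- configuration commands ------------------------------------------
    def exclude_address(self, start_ip, end_ip):
        self.excluded.update(range(_ip(start_ip), _ip(end_ip) + 1))

    def ip_binding_user(self, user, ip):
        self.user_bindings[user] = _ip(ip)

    def ip_binding_role(self, role, start_ip, end_ip):
        self.role_rules.append([role, _ip(start_ip), _ip(end_ip)])

    def move(self, role, where, other=None):
        """move role {before other | after other | top | bottom}."""
        rule = next(r for r in self.role_rules if r[0] == role)
        self.role_rules.remove(rule)
        if where == "top":
            idx = 0
        elif where == "bottom":
            idx = len(self.role_rules)
        else:
            idx = next(i for i, r in enumerate(self.role_rules) if r[0] == other)
            idx += 1 if where == "after" else 0
        self.role_rules.insert(idx, rule)

    # --- runtime -----------------------------------------------------------
    def allocate(self, user, roles=()):
        """Assign an address to a user who has authenticated; None if none is free."""
        if user in self.leases:                      # already connected
            return _str(self.leases[user])
        blocked = set(self.leases.values()) | self.excluded
        if user in self.user_bindings:               # 1. fixed per-user address
            candidates = [self.user_bindings[user]]
        else:
            blocked |= set(self.user_bindings.values())
            for role, s, e in self.role_rules:       # 2. first matching role rule
                if role in roles:
                    candidates = range(s, e + 1)
                    break
            else:                                    # 3. general range
                for _, s, e in self.role_rules:
                    blocked.update(range(s, e + 1))
                candidates = range(self.start, self.end + 1)
        for addr in candidates:
            if addr not in blocked:
                self.leases[user] = addr
                return _str(addr)
        return None

    def kickout(self, user):
        """exec xauth <peer> kickout <user>: drop the session and free its address."""
        return self.leases.pop(user, None) is not None


if __name__ == "__main__":
    # Constructed pool: 10.9.0.10-20, two excluded addresses, one user binding,
    # two role ranges. Not taken from a device.
    pool = XauthPool("xpool", "10.9.0.10", "10.9.0.20")
    pool.exclude_address("10.9.0.12", "10.9.0.13")
    pool.ip_binding_user("alice", "10.9.0.15")
    pool.ip_binding_role("admins", "10.9.0.18", "10.9.0.19")
    pool.ip_binding_role("ops", "10.9.0.16", "10.9.0.17")
    for user, roles in [("alice", ()), ("bob", ("admins",)), ("carol", ()),
                        ("dave", ()), ("erin", ()), ("frank", ()), ("gina", ())]:
        print(f"{user:6} -> {pool.allocate(user, roles)}")
```

A practical consequence the model makes visible: with exclusions, a user binding and two role ranges, an eleven-address pool serves only five unprivileged users before allocate returns None, so size pools after subtracting every reserved range.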

Step 1: configure the interfaces.

Hillstone A:

    hostname(config)# interface ethernet0/0
    hostname(config-if-eth0/0)# zone trust
    hostname(config-if-eth0/0)# ip address 188.1.1.1/24
    hostname(config-if-eth0/0)# exit
    hostname(config)# interface ethernet0/1
    hostname(config-if-eth0/1)# zone untrust
    hostname(config-if-eth0/1)# ip address 192.168.1.2/24
    hostname(config-if-eth0/1)# exit

Hillstone B:

    hostname(config)# interface ethernet0/0
    hostname(config-if-eth0/0)# zone trust
    hostname(config-if-eth0/0)# ip address 10.110.88.220/24
    hostname(config-if-eth0/0)# exit
    hostname(config)# interface ethernet0/1
    hostname(config-if-eth0/1)# zone untrust
    hostname(config-if-eth0/1)# ip address 192.168.1.3/24
    hostname(config-if-eth0/1)# exit

Step 2: configure routes to the remote network.

Hillstone A:

    hostname(config)# ip vrouter trust-vr
    hostname(config-vrouter)# ip route 10.110.88.0/24 192.168.1.3
    hostname(config-vrouter)# exit

Hillstone B:

    hostname(config)# ip vrouter trust-vr
    hostname(config-vrouter)# ip route 188.1.1.0/24 192.168.1.2
    hostname(config-vrouter)# exit

Step 3: configure the manual-key tunnel VPN1. Note that the inbound values on one gateway are the outbound values on the other (hash keys, encryption keys and SPIs are all crossed). The keys shown are placeholders; real keys must have the full length the algorithm requires (24 bytes for 3DES, 20 bytes for SHA-1).

Hillstone A:

    hostname(config)# tunnel ipsec vpn1 manual
    hostname(config-tunnel-ipsec-manual)# interface ethernet0/1
    hostname(config-tunnel-ipsec-manual)# protocol esp
    hostname(config-tunnel-ipsec-manual)# peer 192.168.1.3
    hostname(config-tunnel-ipsec-manual)# hash sha
    hostname(config-tunnel-ipsec-manual)# hash-key inbound 1234 outbound 5678
    hostname(config-tunnel-ipsec-manual)# encryption 3des
    hostname(config-tunnel-ipsec-manual)# encryption-key inbound 00ff outbound 123a
    hostname(config-tunnel-ipsec-manual)# compression deflate
    hostname(config-tunnel-ipsec-manual)# spi 6001 6002
    hostname(config-tunnel-ipsec-manual)# exit

Hillstone B:

    hostname(config)# tunnel ipsec vpn1 manual
    hostname(config-tunnel-ipsec-manual)# interface ethernet0/1
    hostname(config-tunnel-ipsec-manual)# protocol esp
    hostname(config-tunnel-ipsec-manual)# peer 192.168.1.2
    hostname(config-tunnel-ipsec-manual)# hash sha
    hostname(config-tunnel-ipsec-manual)# hash-key inbound 5678 outbound 1234
    hostname(config-tunnel-ipsec-manual)# encryption 3des
    hostname(config-tunnel-ipsec-manual)# encryption-key inbound 123a outbound 00ff
    hostname(config-tunnel-ipsec-manual)# compression deflate
    hostname(config-tunnel-ipsec-manual)# spi 6002 6001
    hostname(config-tunnel-ipsec-manual)# exit

Step 4: configure policy rules that send traffic into the tunnel (action tunnel) and accept traffic coming out of it (action fromtunnel). Both gateways need both rules; the listing as extracted showed only a single fromtunnel rule for Hillstone A, which on its own would not send any traffic into the tunnel, so A is given the same pair as B.

Hillstone A:

    hostname(config)# policy-global
    hostname(config-policy)# rule
    hostname(config-policy-rule)# src-zone trust
    hostname(config-policy-rule)# dst-zone untrust
    hostname(config-policy-rule)# src-addr any
    hostname(config-policy-rule)# dst-addr any
    hostname(config-policy-rule)# service any
    hostname(config-policy-rule)# action tunnel vpn1
    hostname(config-policy-rule)# exit
    hostname(config-policy)# rule
    hostname(config-policy-rule)# src-zone untrust
    hostname(config-policy-rule)# dst-zone trust
    hostname(config-policy-rule)# src-addr any
    hostname(config-policy-rule)# dst-addr any
    hostname(config-policy-rule)# service any
    hostname(config-policy-rule)# action fromtunnel vpn1
    hostname(config-policy-rule)# exit
    hostname(config-policy)# exit
    hostname(config)#

Hillstone B:

    hostname(config)# policy-global
    hostname(config-policy)# rule
    hostname(config-policy-rule)# src-zone trust
    hostname(config-policy-rule)# dst-zone untrust
    hostname(config-policy-rule)# src-addr any
    hostname(config-policy-rule)# dst-addr any
    hostname(config-policy-rule)# service any
    hostname(config-policy-rule)# action tunnel vpn1
    hostname(config-policy-rule)# exit
    hostname(config-policy)# rule
    hostname(config-policy-rule)# src-zone untrust
    hostname(config-policy-rule)# dst-zone trust
    hostname(config-policy-rule)# src-addr any
    hostname(config-policy-rule)# dst-addr any
    hostname(config-policy-rule)# service any
    hostname(config-policy-rule)# action fromtunnel vpn1
    hostname(config-policy-rule)# exit
    hostname(config-policy)# exit
    hostname(config)#

After Hillstone A and Hillstone B are configured, PC1 in 188.1.1.0/24 can reach server1 in 10.110.88.0/24 through the tunnel.

Example 2: IKE VPN (route-based)

Two gateways, Hillstone A and Hillstone B, again connect two sites. PC1 (10.1.1.1) sits behind Hillstone A, whose trust interface is 10.1.1.2 and whose untrust interface is 1.1.1.1; Server1 (192.168.1.1) sits behind Hillstone B, whose trust interface is 192.168.1.2 and whose untrust interface is 1.1.1.2. The goal is for 10.1.1.0/24 to reach 192.168.1.0/24 through an IKE-negotiated VPN using ESP, 3DES, SHA-1 and DEFLATE, with traffic steered into the tunnel by a route to a tunnel interface (topology in Figure 1 of the original, not reproduced here).

Step 1: configure the physical interfaces and a tunnel interface in the trust zone.

Hillstone A:

    hostname(config)# interface ethernet0/0
    hostname(config-if-eth0/0)# zone trust
    hostname(config-if-eth0/0)# ip address 10.1.1.2/24
    hostname(config-if-eth0/0)# exit
    hostname(config)# interface ethernet0/1
    hostname(config-if-eth0/1)# zone untrust
    hostname(config-if-eth0/1)# ip address 1.1.1.1/24
    hostname(config-if-eth0/1)# exit
    hostname(config)# interface tunnel1
    hostname(config-if-tun1)# zone trust
    hostname(config-if-tun1)# exit

Hillstone B:

    hostname(config)# interface ethernet0/0
    hostname(config-if-eth0/0)# zone trust
    hostname(config-if-eth0/0)# ip address 192.168.1.2/24
    hostname(config-if-eth0/0)# exit
    hostname(config)# interface ethernet0/1
    hostname(config-if-eth0/1)# zone untrust
    hostname(config-if-eth0/1)# ip address 1.1.1.2/24
    hostname(config-if-eth0/1)# exit
    hostname(config)# interface tunnel1
    hostname(config-if-tun1)# zone trust
    hostname(config-if-tun1)# exit

Step 2: configure policy rules permitting traffic between the trust and untrust zones in both directions. Since the tunnel interface is in the trust zone, the VPN traffic itself is intra-zone; the rules below govern the encrypted traffic leaving and entering the untrust zone.

Hillstone A:

    hostname(config)# policy-global
    hostname(config-policy)# rule
    hostname(config-policy-rule)# src-zone trust
    hostname(config-policy-rule)# dst-zone untrust
    hostname(config-policy-rule)# src-addr any
    hostname(config-policy-rule)# dst-addr any
    hostname(config-policy-rule)# service any
    hostname(config-policy-rule)# action permit
    hostname(config-policy-rule)# exit
    hostname(config-policy)# rule
    hostname(config-policy-rule)# src-zone untrust
    hostname(config-policy-rule)# dst-zone trust
    hostname(config-policy-rule)# src-addr any
    hostname(config-policy-rule)# dst-addr any
    hostname(config-policy-rule)# service any
    hostname(config-policy-rule)# action permit
    hostname(config-policy-rule)# exit
    hostname(config-policy)# exit
    hostname(config)#

Hillstone B:

    hostname(config)# policy-global
    hostname(config-policy)# rule
    hostname(config-policy-rule)# src-zone trust
    hostname(config-policy-rule)# dst-zone untrust
    hostname(config-policy-rule)# src-addr any
    hostname(config-policy-rule)# dst-addr any
    hostname(config-policy-rule)# service any
    hostname(config-policy-rule)# action permit
    hostname(config-policy-rule)# exit
    hostname(config-policy)# rule
    hostname(config-policy-rule)# src-zone untrust
    hostname(config-policy-rule)# dst-zone trust
    hostname(config-policy-rule)# src-addr any
    hostname(config-policy-rule)# dst-addr any
    hostname(config-policy-rule)# service any
    hostname(config-policy-rule)# action permit
    hostname(config-policy-rule)# exit
    hostname(config-policy)# exit
    hostname(config)#

Step 3: route the remote network to the tunnel interface.

Hillstone A:

    hostname(config)# ip vrouter trust-vr
    hostname(config-vrouter)# ip route 192.168.1.0/24 tunnel1
    hostname(config-vrouter)# exit

Hillstone B:

    hostname(config)# ip vrouter trust-vr
    hostname(config-vrouter)# ip route 10.1.1.0/24 tunnel1
    hostname(config-vrouter)# exit

Step 4: configure the P1 proposal (identical on both ends).

Hillstone A:

    hostname(config)# isakmp proposal p1
    hostname(config-isakmp-proposal)# authentication pre-share
    hostname(config-isakmp-proposal)# group 2
    hostname(config-isakmp-proposal)# hash sha
    hostname(config-isakmp-proposal)# encryption 3des
    hostname(config-isakmp-proposal)# exit

Hillstone B:

    hostname(config)# isakmp proposal p1
    hostname(config-isakmp-proposal)# authentication pre-share
    hostname(config-isakmp-proposal)# group 2
    hostname(config-isakmp-proposal)# hash sha
    hostname(config-isakmp-proposal)# encryption 3des
    hostname(config-isakmp-proposal)# exit

Step 5: configure the ISAKMP peer. The pre-shared key hello1 is a placeholder for the example; use a long random key in practice.

Hillstone A:

    hostname(config)# isakmp peer east
    hostname(config-isakmp-peer)# interface ethernet0/1
    hostname(config-isakmp-peer)# isakmp-proposal p1
    hostname(config-isakmp-peer)# peer 1.1.1.2
    hostname(config-isakmp-peer)# pre-share hello1
    hostname(config-isakmp-peer)# exit

Hillstone B:

    hostname(config)# isakmp peer east
    hostname(config-isakmp-peer)# interface ethernet0/1
    hostname(config-isakmp-peer)# isakmp-proposal p1
    hostname(config-isakmp-peer)# peer 1.1.1.1
    hostname(config-isakmp-peer)# pre-share hello1
    hostname(config-isakmp-peer)# exit

Step 6: configure the P2 proposal.

Hillstone A:

    hostname(config)# ipsec proposal p2
    hostname(config-ipsec-proposal)# protocol esp
    hostname(config-ipsec-proposal)# hash sha
    hostname(config-ipsec-proposal)# encryption 3des
    hostname(config-ipsec-proposal)# compression deflate
    hostname(config-ipsec-proposal)# exit

Hillstone B:

    hostname(config)# ipsec proposal p2
    hostname(config-ipsec-proposal)# protocol esp
    hostname(config-ipsec-proposal)# hash sha
    hostname(config-ipsec-proposal)# encryption 3des
    hostname(config-ipsec-proposal)# compression deflate
    hostname(config-ipsec-proposal)# exit

Step 7: configure the IKE tunnel and bind it to the tunnel interface.

Hillstone A:

    hostname(config)# tunnel ipsec vpn auto
    hostname(config-tunnel-ipsec-auto)# ipsec-proposal p2
    hostname(config-tunnel-ipsec-auto)# isakmp-peer east
    hostname(config-tunnel-ipsec-auto)# id local 10.1.1.0/24 remote 192.168.1.0/24 service any
    hostname(config-tunnel-ipsec-auto)# exit
    hostname(config)# interface tunnel1
    hostname(config-if-tun1)# tunnel ipsec vpn
    hostname(config-if-tun1)# exit

Hillstone B:

    hostname(config)# tunnel ipsec vpn auto
    hostname(config-tunnel-ipsec-auto)# ipsec-proposal p2
    hostname(config-tunnel-ipsec-auto)# isakmp-peer east
    hostname(config-tunnel-ipsec-auto)# id local 192.168.1.0/24 remote 10.1.1.0/24 service any
    hostname(config-tunnel-ipsec-auto)# exit
    hostname(config)# interface tunnel1
    hostname(config-if-tun1)# tunnel ipsec vpn
    hostname(config-if-tun1)# exit

After Hillstone A and Hillstone B are configured, PC1 in 10.1.1.0/24 can reach Server1 in 192.168.1.0/24 through the IKE VPN.

Example 3: redundant VPN tunnels with vpn-track

Hillstone A and Hillstone B are connected by two independent links and two IKE VPN tunnels over them, VPN1 tunnel (via ethernet0/1 on both sides, 10.10.10.0/24) and VPN2 tunnel (via ethernet0/4, 20.20.20.0/24). A server (192.168.100.8) sits behind Hillstone A, whose trust interface is 192.168.100.1; a PC (172.16.10.8) sits behind Hillstone B, whose trust interface is 172.16.10.1. Traffic normally uses VPN1 tunnel; vpn-track pings the remote end through each tunnel, and when VPN1 tunnel is marked dead the route through VPN2 tunnel takes over (topology in Figure 2 of the original, not reproduced here).

Hillstone A

Step 1: configure the interfaces. manage ping allows the peer's tracking pings to be answered.

    hostname(config)# interface ethernet0/0
    hostname(config-if-eth0/0)# zone trust
    hostname(config-if-eth0/0)# ip address 192.168.100.1/24
    hostname(config-if-eth0/0)# exit
    hostname(config)# interface ethernet0/1
    hostname(config-if-eth0/1)# zone untrust
    hostname(config-if-eth0/1)# ip address 10.10.10.1/24
    hostname(config-if-eth0/1)# manage ping
    hostname(config-if-eth0/1)# exit
    hostname(config)# interface ethernet0/4
    hostname(config-if-eth0/4)# zone untrust
    hostname(config-if-eth0/4)# ip address 20.20.20.1/24
    hostname(config-if-eth0/4)# manage ping
    hostname(config-if-eth0/4)# exit

Step 2: configure the P1 proposal. (The original uses MD5 and DES here; these are kept as printed but are deprecated, see the note in the overview.)

    hostname(config)# isakmp proposal p1
    hostname(config-isakmp-proposal)# authentication pre-share
    hostname(config-isakmp-proposal)# group 2
    hostname(config-isakmp-proposal)# hash md5
    hostname(config-isakmp-proposal)# encryption des
    hostname(config-isakmp-proposal)# exit

Step 3: configure one ISAKMP peer per link.

    hostname(config)# isakmp peer gwa-peer-1
    hostname(config-isakmp-peer)# interface ethernet0/1
    hostname(config-isakmp-peer)# isakmp-proposal p1
    hostname(config-isakmp-peer)# peer 10.10.10.2
    hostname(config-isakmp-peer)# pre-share U8FdHNEEBz6sNn5Mvqx3yWuLRWce
    hostname(config-isakmp-peer)# exit
    hostname(config)# isakmp peer gwa-peer-2
    hostname(config-isakmp-peer)# interface ethernet0/4
    hostname(config-isakmp-peer)# isakmp-proposal p1
    hostname(config-isakmp-peer)# peer 20.20.20.2
    hostname(config-isakmp-peer)# pre-share i39jnnnicsh9rxb77oga7fg7bnqy
    hostname(config-isakmp-peer)# exit

Step 4: configure the P2 proposal.

    hostname(config)# ipsec proposal p2
    hostname(config-ipsec-proposal)# protocol esp
    hostname(config-ipsec-proposal)# hash md5
    hostname(config-ipsec-proposal)# encryption des
    hostname(config-ipsec-proposal)# exit

Step 5: configure the two IKE tunnels with tracking. VPN1 tunnel tracks with the default destination; VPN2 tunnel tracks the remote trust address 172.16.10.1 from the local trust address 192.168.100.1. With interval 3 and threshold 9, a tunnel is declared dead after 9 failed probes sent 3 seconds apart.

    hostname(config)# tunnel ipsec vpn1-tunnel auto
    hostname(config-tunnel-ipsec-auto)# ipsec-proposal p2
    hostname(config-tunnel-ipsec-auto)# isakmp-peer gwa-peer-1
    hostname(config-tunnel-ipsec-auto)# vpn-track interval 3 threshold 9
    hostname(config-tunnel-ipsec-auto)# track-event-notify enable
    hostname(config-tunnel-ipsec-auto)# exit
    hostname(config)# tunnel ipsec vpn2-tunnel auto
    hostname(config-tunnel-ipsec-auto)# ipsec-proposal p2
    hostname(config-tunnel-ipsec-auto)# isakmp-peer gwa-peer-2
    hostname(config-tunnel-ipsec-auto)# vpn-track 172.16.10.1 src-ip 192.168.100.1 interval 3 threshold 9
    hostname(config-tunnel-ipsec-auto)# track-event-notify enable
    hostname(config-tunnel-ipsec-auto)# auto-connect
    hostname(config-tunnel-ipsec-auto)# exit

Step 6: bind each tunnel to a tunnel interface, add two routes to the remote network with different priorities (tunnel1 preferred), and permit traffic.

    hostname(config)# interface tunnel1
    hostname(config-if-tun1)# zone untrust
    hostname(config-if-tun1)# ip address 10.1.1.1/24
    hostname(config-if-tun1)# tunnel ipsec vpn1-tunnel
    hostname(config-if-tun1)# exit
    hostname(config)# interface tunnel2
    hostname(config-if-tun2)# zone untrust
    hostname(config-if-tun2)# ip address 10.2.2.1/24
    hostname(config-if-tun2)# tunnel ipsec vpn2-tunnel
    hostname(config-if-tun2)# exit
    hostname(config)# ip vrouter trust-vr
    hostname(config-vrouter)# ip route 172.16.10.0/24 tunnel1 10
    hostname(config-vrouter)# ip route 172.16.10.0/24 tunnel2 20
    hostname(config-vrouter)# exit
    hostname(config)# policy-global
    hostname(config-policy)# rule
    hostname(config-policy-rule)# src-zone trust
    hostname(config-policy-rule)# dst-zone untrust
    hostname(config-policy-rule)# src-addr any
    hostname(config-policy-rule)# dst-addr any
    hostname(config-policy-rule)# service any
    hostname(config-policy-rule)# action permit
    hostname(config-policy-rule)# exit
    hostname(config-policy)# rule
    hostname(config-policy-rule)# src-zone untrust
    hostname(config-policy-rule)# dst-zone trust
    hostname(config-policy-rule)# src-addr any
    hostname(config-policy-rule)# dst-addr any
    hostname(config-policy-rule)# service any
    hostname(config-policy-rule)# action permit
    hostname(config-policy-rule)# exit
    hostname(config-policy)# exit
    hostname(config)#

Hillstone B

Step 1: configure the interfaces.

    hostname(config)# interface ethernet0/0
    hostname(config-if-eth0/0)# zone trust
    hostname(config-if-eth0/0)# ip address 172.16.10.1/24
    hostname(config-if-eth0/0)# exit
    hostname(config)# interface ethernet0/1
    hostname(config-if-eth0/1)# zone untrust
    hostname(config-if-eth0/1)# ip address 10.10.10.2/24
    hostname(config-if-eth0/1)# manage ping
    hostname(config-if-eth0/1)# exit
    hostname(config)# interface ethernet0/4
    hostname(config-if-eth0/4)# zone untrust
    hostname(config-if-eth0/4)# ip address 20.20.20.2/24
    hostname(config-if-eth0/4)# manage ping
    hostname(config-if-eth0/4)# exit

Step 2: configure the P1 proposal.

    host name(config)# isakmp proposal p1
    hostname(config-isakmp-proposal)# authentication pre-share
    hostname(config-isakmp-proposal)# group 2
    hostname(config-isakmp-proposal)# hash md5
    hostname(config-isakmp-proposal)# encryption des
    hostname(config-isakmp-proposal)# exit

Step 3: configure the ISAKMP peers, with the same pre-shared keys as on Hillstone A.

    hostname(config)# isakmp peer gwb-peer-1
    hostname(config-isakmp-peer)# interface ethernet0/1
    hostname(config-isakmp-peer)# isakmp-proposal p1
    hostname(config-isakmp-peer)# peer 10.10.10.1
    hostname(config-isakmp-peer)# pre-share U8FdHNEEBz6sNn5Mvqx3yWuLRWce
    hostname(config-isakmp-peer)# exit
    hostname(config)# isakmp peer gwb-peer-2
    hostname(config-isakmp-peer)# interface ethernet0/4
    hostname(config-isakmp-peer)# isakmp-proposal p1
    hostname(config-isakmp-peer)# peer 20.20.20.1
    hostname(config-isakmp-peer)# pre-share i39jnnnicsh9rxb77oga7fg7bnqy
    hostname(config-isakmp-peer)# exit

Step 4: configure the P2 proposal.

    hostname(config)# ipsec proposal p2
    hostname(config-ipsec-proposal)# protocol esp
    hostname(config-ipsec-proposal)# hash md5
    hostname(config-ipsec-proposal)# encryption des
    hostname(config-ipsec-proposal)# exit

Step 5: configure the two IKE tunnels with tracking and auto-connect.

    hostname(config)# tunnel ipsec vpn1-tunnel auto
    hostname(config-tunnel-ipsec-auto)# ipsec-proposal p2
    hostname(config-tunnel-ipsec-auto)# isakmp-peer gwb-peer-1
    hostname(config-tunnel-ipsec-auto)# vpn-track interval 3 threshold 9
    hostname(config-tunnel-ipsec-auto)# auto-connect
    hostname(config-tunnel-ipsec-auto)# exit
    hostname(config)# tunnel ipsec vpn2-tunnel auto
    hostname(config-tunnel-ipsec-auto)# ipsec-proposal p2
    hostname(config-tunnel-ipsec-auto)# isakmp-peer gwb-peer-2
    hostname(config-tunnel-ipsec-auto)# vpn-track 192.168.100.1 src-ip 172.16.10.1 interval 3 threshold 9
    hostname(config-tunnel-ipsec-auto)# auto-connect
    hostname(config-tunnel-ipsec-auto)# exit

Step 6: bind the tunnels to tunnel interfaces, add the routes (tunnel1 preferred) and permit traffic.

    hostname(config)# interface tunnel1
    hostname(config-if-tun1)# zone untrust
    hostname(config-if-tun1)# ip address 10.1.1.2/24
    hostname(config-if-tun1)# tunnel ipsec vpn1-tunnel
    hostname(config-if-tun1)# exit
    hostname(config)# interface tunnel2
    hostname(config-if-tun2)# zone untrust
    hostname(config-if-tun2)# ip address 10.2.2.2/24
    hostname(config-if-tun2)# tunnel ipsec vpn2-tunnel
    hostname(config-if-tun2)# exit
    hostname(config)# ip vrouter trust-vr
    hostname(config-vrouter)# ip route 192.168.100.0/24 tunnel1 1
    hostname(config-vrouter)# ip route 192.168.100.0/24 tunnel2 2
    hostname(config-vrouter)# exit
    hostname(config)# policy-global
    hostname(config-policy)# rule
    hostname(config-policy-rule)# src-zone trust
    hostname(config-policy-rule)# dst-zone untrust
    hostname(config-policy-rule)# src-addr any
    hostname(config-policy-rule)# dst-addr any
    hostname(config-policy-rule)# service any
    hostname(config-policy-rule)# action permit
    hostname(config-policy-rule)# exit
    hostname(config-policy)# rule
    hostname(config-policy-rule)# src-zone untrust
    hostname(config-policy-rule)# dst-zone trust
    hostname(config-policy-rule)# src-addr any
    hostname(config-policy-rule)# dst-addr any
    hostname(config-policy-rule)# service any
    hostname(config-policy-rule)# action permit
    hostname(config-policy-rule)# exit
    hostname(config-policy)# exit
    hostname(config)#

After Hillstone A and Hillstone B are configured, the server (192.168.100.8) and the PC (172.16.10.8) communicate through VPN1 tunnel. When vpn-track marks VPN1 tunnel dead, the route through VPN2 tunnel takes over and traffic continues through the second tunnel (Figure 3 of the original, not reproduced here).

Hillstone A hostname(config)# interface ethernet0/0 hostname(config-if-eth0/0)# zone trust hostname(config-if-eth0/0)# ip address 192.168.100.1/24 hostname(config-if-eth0/0)# exit hostname(config)# interface ethernet0/1 hostname(config-if-eth0/1)# zone untrust hostname(config-if-eth0/1)# ip address 10.10.10.1/24 hostname(config-if-eth0/1)# manage ping hostname(config-if-eth0/1)# exit P1 hostname(config)# isakmp proposal p1 hostname(config-isakmp-proposal)# authentication pre-share hostname(config-isakmp-proposal)# group 2 hostname(config-isakmp-proposal)# hash md5 hostname(config-isakmp-proposal)# encryption des hostname(config-isakmp-proposal)# exit ISAKMP 37

hostname(config)# isakmp peer gwa-peer-1 hostname(config-isakmp-peer)# interface ethernet0/1 hostname(config-isakmp-peer)# isakmp-proposal p1 hostname(config-isakmp-peer)# peer 10.10.10.2 hostname(config-isakmp-peer)# pre-share U8FdHNEEBz6sNn5Mvqx3yWuLRWce hostname(config-isakmp-peer)# exit P2 hostname(config)# ipsec proposal p2 hostname(config-ipsec-proposal)# protocol esp hostname(config-ipsec-proposal)# hash md5 hostname(config-ipsec-proposal)# encryption des hostname(config-ipsec-proposal)# exit VPN hostname(config)# tunnel ipsec vpn1-tunnel auto hostname(config-tunnel-ipsec-auto)# ipsec-proposal p2 hostname(config-tunnel-ipsec-auto)# isakmp-peer gwa-peer-1 hostname(config-tunnel-ipsec-auto)# vpn-track interval 1 threshold 5 hostname(config-tunnel-ipsec-auto)# track-event-notify enable hostname(config-tunnel-ipsec-auto)# exit hostname(config)# policy-global hostname(config-policy)# rule id 1 hostname(config-policy-rule)# src-ip 192.168.100.8/24 hostname(config-policy-rule)# dst-ip 172.16.10.8/24 hostname(config-policy-rule)# service any hostname(config-policy-rule)# action tunnel vpn1-tunnel hostname(config-policy-rule)# exit hostname(config-policy)# rule id 2 hostname(config-policy-rule)# src-ip 172.16.10.8/24 hostname(config-policy-rule)# dst-ip 192.168.100.8/24 hostname(config-policy-rule)# service any hostname(config-policy-rule)# action fromtunnel vpn1-tunnel hostname(config-policy-rule)# exit hostname(config-policy)# rule id 3 hostname(config-policy-rule)# src-addr any hostname(config-policy-rule)# dst-addr any hostname(config-policy-rule)# service any hostname(config-policy-rule)# action permit hostname(config-policy-rule)# exit hostname(config-policy)# exit hostname(config)# Hillstone B hostname(config)# interface ethernet0/0 38

hostname(config-if-eth0/0)# zone trust hostname(config-if-eth0/0)# ip address 172.16.10.1/24 hostname(config-if-eth0/0)# exit hostname(config)# interface ethernet0/1 hostname(config-if-eth0/1)# zone untrust hostname(config-if-eth0/1)# ip address 10.10.10.2/24 hostname(config-if-eth0/1)# manage ping hostname(config-if-eth0/1)# exit P1 hostname(config)# isakmp proposal p1 hostname(config-isakmp-proposal)# authentication pre-share hostname(config-isakmp-proposal)# group 2 hostname(config-isakmp-proposal)# hash md5 hostname(config-isakmp-proposal)# encryption des hostname(config-isakmp-proposal)# exit ISAKMP hostname(config)# isakmp peer gwb-peer-1 hostname(config-isakmp-peer)# interface ethernet0/1 hostname(config-isakmp-peer)# isakmp-proposal p1 hostname(config-isakmp-peer)# peer 10.10.10.1 hostname(config-isakmp-peer)# pre-share U8FdHNEEBz6sNn5Mvqx3yWuLRWce hostname(config-isakmp-peer)# exit P2 hostname(config)# ipsec proposal p2 hostname(config-ipsec-proposal)# protocol esp hostname(config-ipsec-proposal)# hash md5 hostname(config-ipsec-proposal)# encryption des hostname(config-ipsec-proposal)# exit VPN hostname(config)# tunnel ipsec vpn1-tunnel auto hostname(config-tunnel-ipsec-auto)# ipsec-proposal p2 hostname(config-tunnel-ipsec-auto)# isakmp-peer gwb-peer-1 hostname(config-tunnel-ipsec-auto)# auto-connect hostname(config-tunnel-ipsec-auto)# exit hostname(config)# policy-global hostname(config-policy)# rule id 1 hostname(config-policy-rule)# src-ip 172.16.10.8/24 hostname(config-policy-rule)# dst-ip 192.168.100.8/24 hostname(config-policy-rule)# service any 39

hostname(config-policy-rule)# action fromtunnel vpn1-tunnel hostname(config-policy-rule)# exit hostname(config-policy)# rule id 2 hostname(config-policy-rule)# src-ip 192.168.100.8/24 hostname(config-policy-rule)# dst-ip 172.16.10.8/24 hostname(config-policy-rule)# service any hostname(config-policy-rule)# action tunnel vpn1-tunnel hostname(config-policy-rule)# exit hostname(config-policy)# rule id 3 hostname(config-policy-rule)# src-addr any hostname(config-policy-rule)# dst-addr any hostname(config-policy-rule)# service any hostname(config-policy-rule)# action permit hostname(config-policy-rule)# exit hostname(config-policy)# exit hostname(config)# VPN Hillstone VPN XAUTH XAUTH HillstoneHillstone XAUTH AAA VPN FTP XAUTH 40
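The two-gateway transcripts above are easy to get subtly wrong: a pre-shared key mistyped on one side, or a `peer` address that is not the other gateway's ISAKMP interface, and the proposals shown still rely on DES and MD5. The checker below is an added example, not part of this manual or of StoneOS: it parses transcripts written in the `hostname(mode)# command` form used here and reports weak proposal algorithms and inconsistent peer pairs. The `WEAK` set, the `transcript` helper and every function name are the example's own assumptions.

```python
"""Consistency checks for StoneOS site-to-site IPsec CLI transcripts (added example)."""
import re
from dataclasses import dataclass, field

PROMPT = re.compile(r"^hostname\((?P<mode>[^)]*)\)#\s*(?P<cmd>.*)$")
# Algorithm tokens this checker treats as weak; an assumption of the example, not a StoneOS rule.
WEAK = {"des", "3des", "md5", "group 1", "group 2", "null"}


@dataclass
class Gateway:
    name: str
    interfaces: dict = field(default_factory=dict)  # ifname -> {"ip": address}
    proposals: dict = field(default_factory=dict)   # "isakmp:p1" -> algorithm tokens
    peers: dict = field(default_factory=dict)       # peer name -> its settings


def parse_transcript(name, text):
    """Build a Gateway from 'hostname(<mode>)# <command>' lines, tracking the object in scope."""
    gw = Gateway(name)
    cur = None
    for raw in text.splitlines():
        m = PROMPT.match(raw.strip())
        tok = m.group("cmd").split() if m else []
        if len(tok) < 2:          # 'exit', 'rule', 'policy-global' carry nothing we track
            continue
        mode = m.group("mode")
        if mode == "config":
            if tok[0] == "interface":
                cur = gw.interfaces.setdefault(tok[1], {})
            elif len(tok) > 2 and tok[1] == "proposal" and tok[0] in ("isakmp", "ipsec"):
                cur = gw.proposals.setdefault(f"{tok[0]}:{tok[2]}", [])
            elif len(tok) > 2 and tok[0] == "isakmp" and tok[1] == "peer":
                cur = gw.peers.setdefault(tok[2], {})
            else:
                cur = None
        elif mode.startswith("config-if") and isinstance(cur, dict):
            if tok[0] == "ip" and tok[1] == "address" and len(tok) > 2:
                cur["ip"] = tok[2].split("/")[0]   # drop the prefix length
        elif mode.endswith("-proposal") and isinstance(cur, list):
            if tok[0] == "group":
                cur.append("group " + tok[1])      # DH group kept as "group N"
            elif tok[0] in ("hash", "encryption"):
                cur.append(tok[1])
        elif mode == "config-isakmp-peer" and isinstance(cur, dict):
            if tok[0] in ("interface", "peer", "pre-share", "isakmp-proposal"):
                cur[tok[0]] = tok[1]
    return gw


def weak_proposals(gw):
    """Map each proposal to the weak algorithm tokens it uses; an empty dict means clean."""
    return {name: [a for a in algs if a in WEAK]
            for name, algs in gw.proposals.items() if any(a in WEAK for a in algs)}


def check_peer_pair(gw_a, peer_a, gw_b, peer_b):
    """Cross-check one ISAKMP peer pair across both gateways; returns the problems found."""
    a, b = gw_a.peers[peer_a], gw_b.peers[peer_b]
    problems = []
    if a.get("pre-share") != b.get("pre-share"):
        problems.append("pre-shared keys differ")
    # Each side's 'peer' must be the address configured on the other side's ISAKMP interface.
    for mine, other_gw, other, label in ((a, gw_b, b, peer_a), (b, gw_a, a, peer_b)):
        expected = other_gw.interfaces.get(other.get("interface"), {}).get("ip")
        if mine.get("peer") != expected:
            problems.append(f"{label}: peer {mine.get('peer')} is not remote interface ip {expected}")
    return problems


def transcript(peer_name, my_ip, peer_ip, psk):
    """Constructed transcript modelled on the chapter's Hillstone A / Hillstone B example."""
    return f"""
hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# ip address {my_ip}/24
hostname(config)# isakmp proposal p1
hostname(config-isakmp-proposal)# group 2
hostname(config-isakmp-proposal)# hash md5
hostname(config-isakmp-proposal)# encryption des
hostname(config)# ipsec proposal p2
hostname(config-ipsec-proposal)# hash md5
hostname(config-ipsec-proposal)# encryption des
hostname(config)# isakmp peer {peer_name}
hostname(config-isakmp-peer)# interface ethernet0/1
hostname(config-isakmp-peer)# isakmp-proposal p1
hostname(config-isakmp-peer)# peer {peer_ip}
hostname(config-isakmp-peer)# pre-share {psk}
"""


PSK = "U8FdHNEEBz6sNn5Mvqx3yWuLRWce"  # the key both gateways share in the chapter
GW_A = parse_transcript("Hillstone A", transcript("gwa-peer-1", "10.10.10.1", "10.10.10.2", PSK))
GW_B = parse_transcript("Hillstone B", transcript("gwb-peer-1", "10.10.10.2", "10.10.10.1", PSK))
# Constructed faulty B: mistyped key and a 'peer' address that is not A's interface.
GW_B_BAD = parse_transcript("B (bad)", transcript("gwb-peer-1", "10.10.10.2", "10.10.10.9", PSK.lower()))

if __name__ == "__main__":
    print(weak_proposals(GW_A))
    print(check_peer_pair(GW_A, "gwa-peer-1", GW_B, "gwb-peer-1"))
    print(check_peer_pair(GW_A, "gwa-peer-1", GW_B_BAD, "gwb-peer-1"))
```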

4 XAUTH
hostname(config)# interface ethernet0/6
hostname(config-if-eth0/6)# zone trust
hostname(config-if-eth0/6)# ip address 6.6.6.6 255.255.255.0
hostname(config-if-eth0/6)# manage ping
hostname(config-if-eth0/6)# manage ssh
hostname(config-if-eth0/6)# manage http
hostname(config-if-eth0/6)# exit
hostname(config)# interface ethernet0/7
hostname(config-if-eth0/7)# zone untrust
hostname(config-if-eth0/7)# ip address 7.7.7.7 255.255.255.0
hostname(config-if-eth0/7)# exit
hostname(config)# rule top
hostname(config-policy-rule)# src-zone untrust
hostname(config-policy-rule)# dst-zone trust
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config)#

AAA
hostname(config)# aaa-server local type local
hostname(config-aaa-server)# user xauth
hostname(config-user)# password test
hostname(config-user)# ike-id key-id xauth
hostname(config-user)# end
hostname(config)#

XAUTH
hostname(config)# xauth pool pool
hostname(config-xauth-pool)# address 9.9.9.9 9.9.9.99 netmask 255.255.255.0
hostname(config-xauth-pool)# exit
hostname(config)#

ISAKMP
hostname(config)# isakmp peer xauth
hostname(config-isakmp-peer)# mode aggressive
hostname(config-isakmp-peer)# type usergroup
hostname(config-isakmp-peer)# psk-sha-aes128-g2
hostname(config-isakmp-peer)# pre-share XhF44BilJO3b/2HFl5lVqXniqeMByq
hostname(config-isakmp-peer)# aaa-server local
hostname(config-isakmp-peer)# local-id key-id xauth
hostname(config-isakmp-peer)# xauth pool-name pool
hostname(config-isakmp-peer)# xauth server
hostname(config-isakmp-peer)# interface ethernet0/7
hostname(config-isakmp-peer)# exit
hostname(config)#

IKE
hostname(config)# tunnel ipsec xauth auto
hostname(config-tunnel-ipsec-auto)# isakmp-peer xauth
hostname(config-tunnel-ipsec-auto)# esp-sha-aes128-g0
hostname(config-tunnel-ipsec-auto)# accept-all-proxy-id
hostname(config-tunnel-ipsec-auto)# exit
hostname(config)# interface tunnel22
hostname(config-if-tun22)# zone trust
hostname(config-if-tun22)# ip address 9.9.9.1 255.255.255.0
hostname(config-if-tun22)# manage telnet
hostname(config-if-tun22)# manage ssh
hostname(config-if-tun22)# manage ping
hostname(config-if-tun22)# manage http
hostname(config-if-tun22)# manage https
hostname(config-if-tun22)# manage snmp
hostname(config-if-tun22)# tunnel ipsec xauth
hostname(config-if-tun22)# exit
hostname(config)#

ios VPN xauth test IPSec / xauth

2 Secure Connect VPN Secure Connect VPN Hillstone SSL Secure Connect VPN SCVPN SCVPN StoneOS SCVPN SCVPN Hillstone IP DNS WINS IPSec Hillstone SCVPN Hillstone Secure Connect PC SCVPN Hillstone VPN SCVPN Hillstone SCVPN UDP SCVPN SCVPN USB Key 43

SCVPN SCVPN IP SCVPN IP DNS WINS SCVPN scvpn pool pool-name pool-name SCVPN SCVPN no SCVPN no scvpn pool pool-name SCVPN IP DNS WINS SCVPN address start-ip end-ip netmask A.B.C.D start-ip IP IP end-ip IP IP netmask A.B.C.D IP SCVPN no IP no address IP IP SCVPN IP IP FTP 44

SCVPN exclude address start-ip end-ip start-ip IP end-ip IP SCVPN no no exclude address IP Hillstone SCVPN IP IP IP IP IP IP IP IP IP IP IP SCVPN IP IP IP 1. IP IP IP IP 2. IP IP IP IP IP IP IP IP SCVPN ip-binding user user-name ip ip-address user user-name ip ip-address IP SCVPN no IP no ip-binding user user-name IP IP SCVPN ip-binding role role-name ip-range start-ip end-ip role role -name ip-range start-ip end-ip IP IP start-ip 45

IP end-ip SCVPN no IP no ip-binding role role-name IP IP IP Hillstone IP IP SCVPN move role-name1 {before role-name2 after role-name2 top bottom} role name1 IP before role-name2 IP IP ( role-name2 ) after role-name2 IP IP ( role-name2 ) top IP IP bottom IP IP DNS DNS SCVPN dns address1 [address2] [address3] [address4] address1 DNS IP 4 DNS SCVPN no DNS no dns WINS WINS SCVPN wins address1 [address2] address1 WINS IP WINS SCVPN no WINS no wins SCVPN SCVPN show scvpn pool [pool-name] 46

pool-name SCVPN SCVPN SCVPN

hostname(config)# show scvpn pool pool_test1
Name: pool_test1
Address range: 3.3.3.1-3.3.3.10
Exclude range: 3.3.3.1-3.3.3.2
Netmask: 255.255.255.0
Wins server:
  wins1: 10.1.1.1
Dns server:
  dns1: 10.10.209.1
IP Binding User:
  test 3.3.3.8
IP Binding Role:
  role1 3.3.3.3 3.3.3.7

SCVPN show scvpn pool pool-name statistics pool-name SCVPN SCVPN

hostname(config)# show scvpn pool pool_test1 statistics
Total Ip Num  Exclude Ip Num  Fixed Ip Num  Used Ip Num  Fixed Used Ip Num  Free Ip Num
10            2               6             2            0                  8

UDP SCVPN UDP scvpn-udp-port port-number port-number UDP 4433 1 65535 SCVPN UDP no UDP no scvpn-udp-port SCVPN SCVPN

tunnel scvpn instance-name instance-name SCVPN SCVPN SCVPN SCVPN no SCVPN no tunnel scvpn instance-name SCVPN SSL PKI AAA HTTPS URL SCVPN SCVPN SCVPN SCVPN pool pool-name pool-name SCVPN SCVPN no no pool HTTPS SCVPN SCVPN interface interface-name interface-name SCVPN no 48

no interface SSL SCVPN SSL SCVPN ssl-protocol {sslv3 tlsv1 any} sslv3 SSLv3 tlsv1 TLSv1 any SSLv2 SSLv3 TLSv1 SCVPN no SSL no ssl-protocol PKI PKI HTTPS SCVPN PKI SCVPN trust-domain trust-domain-name trust-domain-name PKI trust_domain_default SCVPN no no trust-domain PKI PKI SCVPN SCVPN tunnel-cipher encryption {null des 3des aes aes192 aes256} hash {null md5 sha sha256 sha384 sha512} [compression defl] null des 3des aes aes192 aes256 3des null 1 IPSec null md5 sha sha256 sha384 sha512 sha null 1 IPSec compression defl DEFLATE 1 IPSec SCVPN no 49

no tunnel-cipher AAA AAA AAA AAA SCVPN aaa-server aaa-server-name [domain domain-name] aaa-server-name AAA domain domain-name AAA AAA SCVPN no AAA no aaa-server aaa-server-name [domain domain-name] HTTPS HTTPS HTTPS SCVPN https-port port-number port-number HTTPS 4433 1 65535 WebUI HTTPS HTTPS 443 SCVPN HTTPS SCVPN no HTTPS no https-port anti -replay SCVPN anti-replay {32 64 128 256 512} 32 32 64 64 128 128 256 256 512 512 SCVPN no no anti-replay 50

SCVPN df-bit {copy clear set} copy IP DF clear set SCVPN no no df-bit SCVPN idle-time time-value time-value 30 15 120 SCVPN no no idle-time SCVPN allow-multi-logon SCVPN allow-multi-logon number number number 1 99999999 SCVPN no no allow-multi-logon URL URL SCVPN URL URL URL URL SCVPN redirect-url url title-en name title-zh name url URL 1 255 51

HTTP http:// HTTPS https:// URL title-en name URL 1 31 PC title-zh name URL 1 63 PC WebUI SCVPN no URL no redirect-url URL StoneOS URL HTTP URL UTF-8 URL + username=$user&password=$pwd http://www.abc.com/oa/login.do?username=$user&password=$pwd GB2312 URL + username=$gbuser&password=$pwd http://www.abc.com/oa/login.do?username=$gbuser&password=$pwd URL http://www.abc.com URL URL SCVPN SCVPN SCVPN SCVPN SCVPN SCVPN split-tunnel-route ip-address/netmask [metric metric-number] ip-address/netmask metric metric-number 1 1 9999 SCVPN no no split-tunnel-route ip-address/netmask [metric metric-number] SCVPN SCVPN SCVPN tunnel scvpn instance-name 52

instance-name SCVPN no SCVPN no tunnel USB Key Hillstone USB Key USB Key Windows SDK Certificate Store Functions USB Key / + USB Key SCVPN USB Key USB Key USB Key SCVPN USB Key USB Key USB Key USB Key CN OU USB Key USB Key USB Key USB Key CA USB Key CA USB Key USB Key SCVPN USB Key client-cert-authentication [usbkey-only] usbkey-only USB Key USB Key / + USB Key SCVPN no USB Key no client-cert-authentication [usbkey-only] 53

USB Key CA FTP TFTP USB CA import pki trust-domain-name cacert from {ftp server ip-address [user user-name password password] tftp server ip-address usb0 usb1} file-name trust-domain-name PKI ftp server ip-address [user user-name password password] FTP IP tftp server ip-address TFTP IP usb0 usb1 USB usb0 usb1 U CA file-name CA USB Key CA USB Key CA Certification Authority CA SCVPN client-auth-trust-domain trust-domain trust-domain CA PKI 10 SCVPN no PKI no client-auth-trust-domain trust-domain PKI PKI SCVPN Hillstone Hillstone Hillstone GSM SIM GSM Hillstone SIM USB Hillstone USB 54

1 GSM GSM WAVECOM USB MODEM GSM MODEM GSM WAVECOM USB / / SCVPN sms-auth enable sms-auth disable SCVPN AD AD phone phone-number phone-number no no phone AD AD mobile SCVPN SCVPN sms-auth expiration expiration 55

expiration 10 1-10 SCVPN no no sms-auth expiration sms modem {num-per-hour num-per-day} number {num-per-hour num-per-day} number num-per-hour num-per-day 1-1000 no no sms modem {num-per-hour num-per-day} exec sms send test-message to phone-number phone-number show sms modem Hillstone ID 1. Service Provider SP 2. SP SCVPN SP SP sms service-provider sp-name [protocol sgip] sp-name - SP 1 31 protocol sgip - SP SGIP SP SP 56

SP 2 SP no SP no sms service-provider instance-name [protocol sgip] SP ID VRouter SP source-number phone-number phone-number 1 21 SP no no source-number ID ID SP ID device-code code-number code-number - ID 1 4294967295 SP no ID no device-code SP gateway {host hostname ip ip-address} host hostname - 1 31 ip ip-address - IP SP no no gateway {host hostname ip ip-address} VRouter VRouter trust-vr VR SP VRouter 57

SP vrouter {trust-vr vr-name} trust-vr - SP VR VR vr-name VR SP no VR no vrouter {trust-vr vr-name} SP user username password password username 1 64 password 1 64 SP no no user username password password SP {num-per-hour num-per-day} number number numper-hour num-per-day 0-65535 SP no no {num-per-hour num-per-day} exec sms sp sp-name tunnel-name send test-message to phone-number phone-number tunnel-name SP / SP SCVPN SCVPN sms-auth enable sp-name sp-name SP SP 1 31 58

SCVPN no sms-auth disable sp-name show sms service-provider [sp-name] sp-name SP SP show tunnel scvpn scvpn-name smsp-statistice [clear] scvpn-name SCVPN clear SCVPN SCVPN PC SCVPN CPU ID BIOS MD5 32 ID ID SCVPN SCVPN SCVPN ID ID ID SSL SCVPN user-host-verify [allow-multi-host] [allow-shared-host] [auto-approved-first-bind] user-host-verify allow-multi-host 59

allow-shared-host auto-approved-first-bind ID SCVPN no no user-host-verify ID exec scvpn instance-name approve-binding user user-name host host-id scvpn instance-name SCVPN user user-name host host-id ID exec scvpn instance-name no-host-binding-check user user-name scvpn instance-name SCVPN user user-name exec scvpn instance-name host-binding-check user user-name exec scvpn instance-name no-user-binding-check host host-id scvpn instance-name SCVPN host host-id ID ID exec scvpn instance-name user-binding-check host host-id / ID ID ID 60

ID / exec scvpn instance-name increase-host-binding user user-name number scvpn instance-name SCVPN user user-name number 1 32 exec scvpn instance-name decrease-host-binding user user-name number scvpn instance-name SCVPN user user-name number 1 32 exec scvpn instance-name clear-binding [{user user-name [host host-id] host host-id }] scvpn instance-name SCVPN user user-name Host ID host host-id ID / FTP TFTP USB export scvpn user-host-binding to {ftp server ip-address [user user-name password password] tftp server ip-address usb0 usb1} [file-name] ftp server ip-address [user user-name password password] FTP user user-name password password FTP IP tftp server ip-address TFTP ip -address TFTP IP usb0 usb1 U file-name scvpn_bind_file import scvpn user-host-binding from {ftp server ip-address [user user-name password password] tftp server ip-address usb0 usb1} file-name 61

ftp server ip-address [user user-name password password] FTP user user-name password password FTP IP tftp server ip-address TFTP ip-address TFTP IP usb0 usb1 U file-name SCVPN SCVPN IE SCVPN Hillstone 2 Hillstone Windows 2000 Win dows 2003 Win dows XP Windows Vista Service Pack 1 Windows KB958215 Windows IE 62

Hillstone SCVPN Profile WebUI 3 1. 2. Profile 3. Profile 4. 5. Hillstone Profile Profile Profile WebUI CLI Profile Profile WebUI Profile scvpn host-check-profile hostcheck-profile-name hostcheck-profile-name Profile Profile no scvpn host-check-profile hostcheck-profile-name Profile 63

WebUI Profile WebUI Profile WebUI Profile 1. SSL VPN < > 2. < > 3. Profile OS - - - x Windows Profile 5 IE Internet zone IE IE IE Windows < > Windows Windows < > Windows - - 64

- - - - - - x Profile 5 - - - x Profile 5 - - - - x Profile 5 + - - - - x Profile 5 + - 65

- - - x Profile 5 + - - - - 4. Profile SCVPN host-check [role role-name] profile profile-name [guest-role guestrole-name] [periodic-check period-time] role role-name AAA Profile Profile profile profile-name Profile guest-role guestrole-name periodic-check period-time 5 1440 30 SCVPN no host-check [role role-name] profile profile-name [guest-role guestrole-name] [periodic-check period-time] 66

CLI 20-3 3 profile profile profile profile VPN ISP Internet Service Provider ISP VPN Hillstone SCVPN ISP SCVPN Hillstone SCVPN 67

5 SCVPN SCVPN ISP Internet SCVPN ISP Hillstone ISP SCVPN IP UDP 68

6 NAT SCVPN DNAT SCVPN DNAT SCVPN DNAT ISP Internet DNAT ISP DNAT Hillstone ISP DNAT IP UDP SCVPN SCVPN interface interface-name interface-name SCVPN no no interface interface-name SCVPN link-select [server-detect] [A.B.C.D [https-port port-number]] [A.B.C.D [https-port port-number]] [A.B.C.D [https-port port-number]] [A.B.C.D [https-port port-number]] server-detect A.B.C.D DNAT IP 69

https-port port-number DNAT HTTPS 4433 1 65535 WebUI HTTPS HTTPS 443 SCVPN no link-select SCVPN SCVPN SCVPN exec scvpn instance-name kickout user-name instance-name SCVPN user-name Hillstone SCVPN AAA allow-pwd-change no allow-pwd-change SCVPN 1.2.0.1106 Hillstone Secure Connect 1.2.0.1106 SCVPN SCVPN 1. Hillstone Secure Connect 70

7 2. < > < > < < > < > 8 3. CSV 9 71

Excel CLI export aaa user-password to {tftp server ip-address ftp server ip-address [user user-name password password]} [file-name] ip-address FTP TFTP IP user user-name password password FTP file-name import aaa user-password from {tftp server ip-address ftp server ip-address [user user-name password password]} file-name ip-address FTP TFTP IP user user-name password password FTP file-name Hillstone SCVPN SCVPN 72

10 SCVPN import customize scvpn from {ftp server ip-address [user user-name password password] tftp server ip-address usb0 usb1} file-name ftp server ip-address [user user-name password password] FTP FTP IP tftp server ip-address TFTP TFTP IP usb0 usb1 USB USB0 USB1 U file-name Login_box_bg_e Login_box_bg_cn.gif 624px * 376px zip exec customize scvpn [language {en zh_cn}] default language {en zh_cn} en zh_cn Radius Radius Radius 73

show auth-user username user-name user-name Radius Radius Hillstone-user-policy-dst-ip-begin ipaddr IP IPv4 Hillstone-user-policy-dst-ip-end ipaddr IP IPv4 Radius Radius SCVPN Radius SCVPN show SCVPN SCVPN show tunnel scvpn [scvpn-instance-name] SCVPN HTTP show scvpn session scvpn-instance-name [user user-name] SCVPN show scvpn client scvpn-instance-name [user user-name] SCVPN show auth-user scvpn [interface interface-name vrouter vrouter-name slot slot-no] show scvpn user-host-binding scvpn-instance-name {host [host-id] user [user-name]} SCVPN SCVPN Hillstone Secure Connect Hillstone Secure Connect Windows 2000/2003/XP/Vista/Windows 7 74

PC SCVPN SCVPN / / + USB Key USB Key SCVPN Hillstone Secure Connect / + USB Key / / Hillstone Secure Connect 1. URL https://ip-address:port-number IP- Address Port -Number SCVPN IP interfaceinterface-name HTTPS https -port port-number 2. 11 Hillstone RADIUS + RSA Server RSA SecurID Token RADIUS Token PIN 12 PIN 4 8 0 PIN 13 < > PIN + Token PIN 54321 75

Token 808771 54321808771 RADIUS + RSA Server RSA SecurID Token RADIUS PIN + Token 11 Hillstone Secure Connect 12 PIN 13 76

3. 1 14 3 3 3 1 4. IE Firefox scvpn.exe scvpn.exe Hillstone Secure Connect PC 77

/ + USB Key / + USB Key Hillstone Secure Connect 1. USB Key PC USB 2. URL https://ip-address:port-number IP- Address Port -Number SCVPN IP interfaceinterface-name HTTPS https -port port-number 3. < > 15 < > 16 UKey 1111 15 16 78

Hillstone UKey Hillstone UKey 4. Hillstone 5. 1 6. IE Firefox scvpn.exe scvpn.exe Hillstone Secure Connect PC / + / + Hillstone Secure Connect 1. 2. URL https://ip-address:port-number IP- Address Port -Number SCVPN IP interfaceinterface-name HTTPS https -port port-number 3. < > 4. Hillstone 5. 1 6. IE Firefox scvpn.exe scvpn.exe Hillstone Secure Connect PC 79

USB Key USB Key Hillstone Secure Connect 1. USB Key PC USB 2. URL https://ip-address:port-number IP- Address Port -Number SCVPN IP interfaceinterface-name HTTPS https -port port-number 3. < > < > UKey 1111 4. IE Firefox scvpn.exe scvpn.exe Hillstone Secure Connect PC Hillstone Secure Connect 1. 2. URL https://ip-address:port-number IP- Address Port -Number SCVPN IP interfaceinterface-name HTTPS https -port port-number 3. < > 4. IE Firefox scvpn.exe scvpn.exe Hillstone Secure Connect PC 80

PC SCVPN Hillstone Secure Connect Web Web Web / + USB Key Web / / Web 1. IE URL https://ip-address:port-number 2. 20-7 Hillstone RADIUS + RSA Server RSA SecurID Token RADIUS Token PIN PIN 4 8 0 PIN + Token PIN 54321 Token 808771 54321808771 RADIUS + RSA Server RSA SecurID Token RADIUS PIN + Token 3. 1 VPN SCVPN 81

Web / + USB Key / + USB Key Web 1. USB Key PC USB 2. IE URL https://ip-address:port-number 3. < > < > UKey 1111 4. Hillstone 5. 1 6. <USB Key > UKey 1111 17 USB Key VPN SCVPN Web / + / + Web 1. 2. IE URL https://ip-address:port-number 3. < > 4. Hillstone 5. 82

1 VPN SCVPN Web USB Key USB Key Web 1. USB Key PC USB 2. IE URL https://ip-address:port-number 3. < > < > UKey 1111 4. <USB > Key UKey 1111 VPN SCVPN Web Web 1. 2. IE URL https://ip-address:port-number 3. < > VPN SCVPN / + USB Key / / 83

1. Hillstone Secure Connect Hillstone Secure Connect Hillstone Secure Connect 2. < > < / > 18 3. / 19 Hillstone RADIUS + RSA Server RSA SecurID Token RADIUS Token PIN 20 PIN 4 8 0 PIN 21 + Token PIN 54321 Token 808771 54321808771 RADIUS + RSA Server RSA SecurID Token RADIUS PIN + Token 19 / 84

Secure Connect IP HTTPS 20 PIN 21 4. < > 22 85

1 22 SCVPN / + USB Key / + USB Key 1. USB Key PC USB 2. Hillstone Secure Connect Hillstone Secure Connect Hillstone Secure Connect 3. < > < / + > < > USB Key USB Key USB Key USB Key 23 86

Hillstone Hillstone UKey USB Key USB Key USB Key USB Key USB Key USB Key 4. / + USB Key 24 / + USB Key 87

Secure Connect IP HTTPS PIN USB Key 1111 USB Key 5. < > 1 SCVPN / + / + 1. 2. Hillstone Secure Connect Hillstone Secure Connect Hillstone Secure Connect 3. < > < / + > 88

25 4. / + 26 / + Secure Connect IP 89

HTTPS 5. < > 1 SCVPN USB Key USB Key 1. USB Key PC USB 2. Hillstone Secure Connect Hillstone Secure Connect Hillstone Secure Connect 3. < > < < > USB Key USB Key USB Key USB Key 4. 27 USB Key 90

Secure Connect IP HTTPS PIN USB Key 1111 USB Key SCVPN 1. 2. Hillstone Secure Connect Hillstone Secure Connect Hillstone Secure Connect 3. < > < < > 4. 28 Secure Connect IP 91

HTTPS SCVPN USB Key Hillstone Hillstone UKey USB Key SCVPN Hillstone USB Key SelectUSBKey SelectUSBKey USB Key SelectUSBKey USB Key USB Key CSP Name PC USB Key CSP Name 1. PC USB Key 2. USB Key 3. SelectUSBKey.exe <Select Default Certificate> 29 Select Default Certificate Export USB Key CSP Name.reg Update Close 4. <Certificate List> Export USB Key CSP Name 92

.reg 30 USB Key CSP Name USB Key CSP Name PC PC USB Key SCVPN USB Key GUI Hillstone Secure Connect < > < > 31 93

IP IP IP SCVPN SSL SCVPN SCVPN SSL IP SCVPN SCVPN SCVPN SCVPN 94

SCVPN SCVPN < > 32 SCVPN SCVPN SCVPN SCVPN MAC IP SCVPN IP SCVPN IP SCVPN SCVPN DNS DNS 95

WINS WINS < > 33 Hillstone Secure Connect 34 < > < > Hillstone Secure Connect 96

35 < > < > 36 < Hillstone Secure Connect> Hillstone Secure Connect 37 97

< > <Secure Connect > Secure Connect Hillstone Secure Connect Secure Connect < > <Secure Connect > 38 Secure Connect 98

<Secure Connect > < > SCVPN PC SCVPN VPN SCVPN PC > < > USB Key USB Key 39 Secure Connect > < > 1. <Secure Connect > < > 40 99

2. IP HTTPS < > < PIN> <PIN> < > / < > < > < PIN> / + USB Key < > < > < PIN > PIN <PIN > UKey <PIN> USB Key < PIN > PIN <PIN > UKey 3. 1. <Secure Connect > < > 100

2. < > PC Hillstone Secure Connect Hillstone Secure Connect Uninstall SCVPN SCVPN USB Key PC1 IP 6.6.6.5/24 HillstoneHillstone Server1 IP 10.160.65.52/21 SCVPN 101

41 SCVPN USB Key

hostname(config)# aaa-server local
hostname(config-aaa-server)# user user1
hostname(config-user)# password 123456
hostname(config-user)# exit
hostname(config-aaa-server)# exit
hostname(config)#

SCVPN
hostname(config)# scvpn pool pool1
hostname(config-pool-scvpn)# address 20.1.1.1 20.1.1.100 netmask 255.255.255.0
hostname(config-pool-scvpn)# dns 20.1.1.1
hostname(config-pool-scvpn)# wins 20.1.1.2
hostname(config-pool-scvpn)# exit
hostname(config)#

SCVPN
hostname(config)# tunnel scvpn ssl1
hostname(config-tunnel-scvpn)# pool pool1
hostname(config-tunnel-scvpn)# aaa-server local
hostname(config-tunnel-scvpn)# interface ethernet0/5
hostname(config-tunnel-scvpn)# https-port 4433
hostname(config-tunnel-scvpn)# split-tunnel-route 10.160.64.0/21
hostname(config-tunnel-scvpn)# exit
hostname(config)#

SCVPN IP SCVPN IP
hostname(config)# zone VPN
hostname(config-zone-vpn)# exit
hostname(config)# interface tunnel1
hostname(config-if-tun1)# zone VPN
hostname(config-if-tun1)# ip address 20.1.1.101/24
hostname(config-if-tun1)# tunnel scvpn ssl1
hostname(config-if-tun1)# exit
hostname(config)#

VPN trust
hostname(config)# policy-global
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone VPN
hostname(config-policy-rule)# dst-zone trust
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config-policy)# exit
hostname(config)#

PC1 https://6.6.6.1:4433 user1 123456 Hillstone Secure Connect Web SCVPN PC1 SCVPN trust

USB Key USB Key Windows SDK Certificate Store Functions Hillstone UKey USB Key CA Hillstone UKey Hillstone UKey USB Key

# PKI stone terminal
hostname(config)# pki trust-domain stone
hostname(config-trust-domain)# enrollment terminal
hostname(config-trust-domain)# exit
hostname(config)#
# SCVPN SSL1 USB Key CA
hostname(config)# tunnel scvpn ssl1
hostname(config-tunnel-scvpn)# client-cert-auth required
hostname(config-tunnel-scvpn)# client-auth-trust-domain stone
hostname(config-tunnel-scvpn)# exit
hostname(config)#
# CA CA
hostname(config)# exit
hostname# import pki stone cacert from tftp server 192.168.1.2 certnew.cer

1. PC Hillstone UKey
2. USB Key
3. SCVPN 123456 UK PIN USB Key 1111

42 URL OA Hillstone SCVPN

SCVPN OA URL

43 URL

hostname(config)# aaa-server local
hostname(config-aaa-server)# user test
hostname(config-user)# password test
hostname(config-user)# exit
hostname(config-aaa-server)# exit
hostname(config)#

SCVPN
hostname(config)# scvpn pool pool1
hostname(config-pool-scvpn)# address 20.1.1.1 20.1.1.255 netmask 255.255.255.0
hostname(config-pool-scvpn)# dns 20.1.1.1
hostname(config-pool-scvpn)# wins 20.1.1.2
hostname(config-pool-scvpn)# exit
hostname(config)#

SCVPN URL
hostname(config)# tunnel scvpn ssl1
hostname(config-tunnel-scvpn)# pool pool1
hostname(config-tunnel-scvpn)# aaa-server local
hostname(config-tunnel-scvpn)# interface ethernet0/5
hostname(config-tunnel-scvpn)# https-port 4433
hostname(config-tunnel-scvpn)# redirect-url http://192.10.5.201/oa/login.do?username=$user&password=$pwd title-en OA title-zh OA
hostname(config-tunnel-scvpn)# split-tunnel-route 10.160.64.0/21
hostname(config-tunnel-scvpn)# exit
hostname(config)#

SCVPN IP SCVPN IP
hostname(config)# zone VPN
hostname(config-zone-vpn)# exit
hostname(config)# interface tunnel1
hostname(config-if-tun1)# zone VPN
hostname(config-if-tun1)# ip address 20.1.1.1/24
hostname(config-if-tun1)# tunnel scvpn ssl1
hostname(config-if-tun1)# exit
hostname(config)#

VPN trust
hostname(config)# policy-global
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone VPN
hostname(config-policy-rule)# dst-zone trust
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config-policy)# exit
hostname(config)#

PC1 https://6.6.6.1:4433 test test Hillstone Secure Connect Web SCVPN OA OA

44 OA

45 OA OA OA SCVPN PC HillstoneHillstone SCVPN PC SCVPN IP 10.1.1.0/24 IP 10.1.2.0/24 dl IP 10.1.3.0/24 PC

46 SCVPN hostname(config)# aaa-server local type local hostname(config-aaa-server)# user pc1 hostname(config-user)# password xxxfcvg236 hostname(config-user)# exit hostname(config-aaa-server)# user pc2 hostname(config-user)# password xcabuv112 hostname(config-user)# exit hostname(config-aaa-server)# user pc3 hostname(config-user)# password xacfomg763 hostname(config-user)# exit hostname(config-aaa-server)# exit hostname(config)# hostname(config)# role sw 108

hostname(config)# role dl hostname(config)# role-mapping-rule rule1 hostname(config-role-mapping)# match user pc1 role sw hostname(config-role-mapping)# match user pc1 role dl hostname(config-role-mapping)# match user pc2 role dl hostname(config-role-mapping)# exit hostname(config)# aaa-server local type local hostname(config-aaa-server)# role-mapping-rule rule1 hostname(config)# hostname(config)# interface ethernet0/1 hostname(config-if-eth0/1)# zone untrust hostname(config-if-eth0/1)# ip address 1.1.1.1/24 hostname(config-if-eth0/1)# exit hostname(config)# Profile WebUI Profile hostname(config)# scvpn host-check-profile dl-security-check hostname(config-profile_scvpn)# exit hostname(config)# scvpn host-check-profile sw-security-check hostname(config-profile_scvpn)# exit hostname(config)# WebUI Profile 1. SSL VPN SCVPN 2. < > SCVPN 3. < > dl-security-check OS Win2003 1 KB958215 IE IE6.0 IE 4. 5. 109

6. Edit sw-security-check: OS WinXP SP3, at least 1 patch (KB921883), IE version IE7.0.
7. Program check entry 1: \Program Files\McAfee\VirusScan\Enterprise.exe
8. (item text not recovered)

Step 5: configure the SCVPN address pool.

hostname(config)# scvpn pool pool1
hostname(config-pool-scvpn)# address 11.1.1.10 11.1.1.100 netmask 255.255.255.0
hostname(config-pool-scvpn)# dns 10.1.1.1
hostname(config-pool-scvpn)# wins 10.1.1.2
hostname(config-pool-scvpn)# exit
hostname(config)#

Step 6: configure the SCVPN instance with split-tunnel routes and host check.

hostname(config)# tunnel scvpn ssl1
hostname(config-tunnel-scvpn)# pool pool1
hostname(config-tunnel-scvpn)# aaa-server local
hostname(config-tunnel-scvpn)# interface ethernet0/1
hostname(config-tunnel-scvpn)# https-port 4433
hostname(config-tunnel-scvpn)# split-tunnel-route 10.1.1.0/24 metric 10
hostname(config-tunnel-scvpn)# split-tunnel-route 10.1.2.0/24 metric 5
hostname(config-tunnel-scvpn)# split-tunnel-route 10.1.3.0/24 metric 3
hostname(config-tunnel-scvpn)# host-check role sw profile sw-security-check guest-role dl
hostname(config-tunnel-scvpn)# host-check profile dl-security-check periodic-check 50

hostname(config-tunnel-scvpn)# exit
hostname(config)#

Step 7: configure the SCVPN tunnel interface and its IP address.

hostname(config)# zone VPN
hostname(config-zone-vpn)# exit
hostname(config)# interface tunnel1
hostname(config-if-tun1)# zone VPN
hostname(config-if-tun1)# ip address 11.1.1.1/24
hostname(config-if-tun1)# tunnel scvpn ssl1
hostname(config-if-tun1)# exit
hostname(config)#

Step 8: define address objects for the three internal networks.

hostname(config)# address sw
hostname(config-addr)# ip 10.1.1.0/24
hostname(config-addr)# exit
hostname(config)# address dl
hostname(config-addr)# ip 10.1.2.0/24
hostname(config-addr)# exit
hostname(config)# address public
hostname(config-addr)# ip 10.1.3.0/24
hostname(config-addr)# exit
hostname(config)#

Step 9: configure policy rules (sw and dl are restricted by role; public is open to all SCVPN users).

hostname(config)# policy-global
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone VPN
hostname(config-policy-rule)# dst-zone trust
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr sw
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# role sw
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone VPN
hostname(config-policy-rule)# dst-zone trust
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr dl
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# role dl
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone VPN
hostname(config-policy-rule)# dst-zone trust
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr public

hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config-policy)# exit
hostname(config)#

Result: when a PC connects to the SCVPN, the host check applied to it depends on the role it was mapped to (Table 4).

User | Role                        | Host-check profile | Guest role | Periodic check | CLI
pc1  | sw                          | sw-security-check  | dl         | 30             | host-check role sw profile sw-security-check guest-role dl
pc2  | dl (default host check)     | dl-security-check  | -          | 50             | host-check profile dl-security-check periodic-check 50
pc3  | none (default host check)   | dl-security-check  | -          | 50             | host-check profile dl-security-check periodic-check 50
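To see how the role mapping, the two host-check lines and the role-restricted policy rules above fit together, here is an added Python walk-through (this is example code, not StoneOS code). It parses the example's own commands, derives each user's effective roles after host check, and walks the policy rules first-match. The host-check semantics it assumes (a user who fails the role-specific check drops that role and gets the guest role; a user who fails the default check gets no access) are this example's reading of the configuration, not text from the page.

```python
"""Role-based SCVPN policy walk-through (added example, not StoneOS code).

Assumed semantics: failing the role-specific host check swaps that role for
the guest role; failing the default host check denies the session.
"""
import ipaddress
import re

# Constructed from the example configuration above (prompts kept as typed).
SCVPN_CONFIG = """
hostname(config)# role-mapping-rule rule1
hostname(config-role-mapping)# match user pc1 role sw
hostname(config-role-mapping)# match user pc1 role dl
hostname(config-role-mapping)# match user pc2 role dl
hostname(config-role-mapping)# exit
hostname(config-tunnel-scvpn)# host-check role sw profile sw-security-check guest-role dl
hostname(config-tunnel-scvpn)# host-check profile dl-security-check periodic-check 50
hostname(config)# address sw
hostname(config-addr)# ip 10.1.1.0/24
hostname(config-addr)# exit
hostname(config)# address dl
hostname(config-addr)# ip 10.1.2.0/24
hostname(config-addr)# exit
hostname(config)# address public
hostname(config-addr)# ip 10.1.3.0/24
hostname(config-addr)# exit
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone VPN
hostname(config-policy-rule)# dst-zone trust
hostname(config-policy-rule)# dst-addr sw
hostname(config-policy-rule)# role sw
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config-policy)# rule
hostname(config-policy-rule)# dst-addr dl
hostname(config-policy-rule)# role dl
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config-policy)# rule
hostname(config-policy-rule)# dst-addr public
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
"""

PROMPT = re.compile(r"^\S*\(config[^)]*\)#\s*")   # strips "hostname(config-...)# "

def parse(config_text):
    """Collect address objects, user->roles, host-check lines and policy rules."""
    model = {"addresses": {}, "roles": {}, "host_checks": [], "rules": []}
    ctx = None  # ("address", name) or ("rule", None) while inside that block
    for raw in config_text.splitlines():
        tok = PROMPT.sub("", raw.strip()).split()
        if not tok:
            continue
        if tok[0] == "address" and len(tok) == 2:
            ctx = ("address", tok[1])
            model["addresses"].setdefault(tok[1], [])
        elif tok[0] == "rule":
            ctx = ("rule", None)
            model["rules"].append({})
        elif tok[0] == "exit":
            ctx = None
        elif tok[0] == "match" and tok[1] == "user":
            model["roles"].setdefault(tok[2], set()).add(tok[4])
        elif tok[0] == "host-check":            # e.g. {"role": "sw", "profile": ..., "guest-role": "dl"}
            model["host_checks"].append(dict(zip(tok[1::2], tok[2::2])))
        elif ctx and ctx[0] == "address" and tok[0] == "ip":
            model["addresses"][ctx[1]].append(ipaddress.ip_network(tok[1]))
        elif ctx and ctx[0] == "rule":
            model["rules"][-1][tok[0]] = tok[1]
    return model

def effective_roles(model, user, failed_profiles=()):
    """Roles the user holds once host check has run; None means the session is denied."""
    roles = set(model["roles"].get(user, ()))
    role_checked, default_profile = False, None
    for hc in model["host_checks"]:
        if "role" in hc:
            if hc["role"] in roles:
                role_checked = True
                if hc["profile"] in failed_profiles:
                    roles.discard(hc["role"])        # lose the checked role ...
                    if "guest-role" in hc:
                        roles.add(hc["guest-role"])  # ... and fall back to the guest role
        else:
            default_profile = hc.get("profile")      # applies to users with no role-specific check
    if not role_checked and default_profile in failed_profiles:
        return None
    return roles

def is_permitted(model, roles, dst_ip):
    """First-match walk over the policy rules; the implicit default is deny."""
    if roles is None:
        return False
    ip = ipaddress.ip_address(dst_ip)
    for rule in model["rules"]:
        dst = rule.get("dst-addr", "any")
        in_dst = dst == "any" or any(ip in net for net in model["addresses"].get(dst, []))
        role_ok = "role" not in rule or rule["role"] in roles
        if in_dst and role_ok:
            return rule.get("action") == "permit"
    return False

def reachable(model, user, failed_profiles=()):
    """Sorted names of the address objects the user can reach (empty if denied)."""
    roles = effective_roles(model, user, failed_profiles)
    return sorted(name for name, nets in model["addresses"].items()
                  if is_permitted(model, roles, nets[0][1]))  # probe the first host of each object

if __name__ == "__main__":
    m = parse(SCVPN_CONFIG)
    for user in ("pc1", "pc2", "pc3"):
        print(user, "passes:", reachable(m, user),
              "fails sw check:", reachable(m, user, {"sw-security-check"}),
              "fails default check:", reachable(m, user, {"dl-security-check"}))
```

Running it shows the least-privilege outcome the three rules are meant to produce: pc1 reaches all three networks only while its sw check passes and drops to dl-level access when it fails, pc2 never sees the sw network, and pc3 (no mapped role) sees only public.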

Example: SCVPN link selection across two ISPs. The Hillstone device has two Internet links: ISP1 on ethernet0/1 (IP 202.2.3.1/24) and ISP2 on ethernet0/3 (IP 196.1.2.3/24). A PC on the Internet (IP 64.2.3.1) connects to the server (IP 10.1.1.2) through SCVPN.

[Figure 47: SCVPN]

Step 1: configure the local user.

hostname(config)# aaa-server local type local
hostname(config-aaa-server)# user user1
hostname(config-user)# password drgrhrgerg231
hostname(config-user)# exit
hostname(config-aaa-server)# exit
hostname(config)#

Step 2: configure the interfaces.

hostname(config)# interface ethernet0/0

hostname(config-if-eth0/0)# zone trust
hostname(config-if-eth0/0)# ip address 10.1.1.0/24
hostname(config-if-eth0/0)# exit
hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# zone untrust
hostname(config-if-eth0/1)# ip address 202.2.3.1/24
hostname(config-if-eth0/1)# exit
hostname(config)# interface ethernet0/3
hostname(config-if-eth0/3)# zone untrust
hostname(config-if-eth0/3)# ip address 196.1.2.3/24
hostname(config-if-eth0/3)# exit
hostname(config)#

Step 3: configure the SCVPN address pool.

hostname(config)# scvpn pool pool1
hostname(config-pool-scvpn)# address 11.1.1.10 11.1.1.100 netmask 255.255.255.0
hostname(config-pool-scvpn)# dns 10.1.1.1
hostname(config-pool-scvpn)# wins 10.1.1.2
hostname(config-pool-scvpn)# exit
hostname(config)#

Step 4: configure the SCVPN instance, bind it to both ISP interfaces and enable server-side link detection.

hostname(config)# tunnel scvpn ssl1
hostname(config-tunnel-scvpn)# pool pool1
hostname(config-tunnel-scvpn)# aaa-server local
hostname(config-tunnel-scvpn)# interface ethernet0/1
hostname(config-tunnel-scvpn)# interface ethernet0/3
hostname(config-tunnel-scvpn)# https-port 4433
hostname(config-tunnel-scvpn)# split-tunnel-route 10.1.1.0/24 metric 10
hostname(config-tunnel-scvpn)# link-select server-detect
hostname(config-tunnel-scvpn)# exit
hostname(config)#

Step 5: configure the SCVPN tunnel interface and its IP address.

hostname(config)# interface tunnel1
hostname(config-if-tun1)# zone untrust
hostname(config-if-tun1)# ip address 11.1.1.1/24
hostname(config-if-tun1)# tunnel scvpn ssl1
hostname(config-if-tun1)# exit
hostname(config)#

Step 6: configure the address object and the policy rule.

hostname(config)# address dst
hostname(config-addr)# ip 10.1.1.0/24
hostname(config-addr)# exit
hostname(config)# policy-global

hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone untrust
hostname(config-policy-rule)# dst-zone trust
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr dst
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config-policy)# exit
hostname(config)#

Step 7: define the ISP network.

hostname(config)# isp-network isp1
hostname(config-isp)# subnet 202.2.3.0/24
hostname(config-isp)# subnet 64.2.3.0/24
hostname(config-isp)# exit
hostname(config)#

How it works: the PC's address 64.2.3.1 belongs to isp-network isp1, which also contains the ethernet0/1 address (ISP1). With link-select server-detect the SCVPN server therefore directs the PC to the ethernet0/1 address, and the PC reaches the server through ISP1.

Alternatively, configure link-select without server-detect. The SCVPN client then probes the ethernet0/1 and ethernet0/3 addresses itself over UDP and chooses the link:

hostname(config)# tunnel scvpn ssl1
hostname(config-tunnel-scvpn)# link-select

Example: SCVPN link selection behind DNAT. The Hillstone SCVPN device sits behind a NAT device. ISP1 address 202.2.3.1/24, ISP2 address 196.1.2.3/24; a PC on the Internet (IP 64.2.3.1) connects to the server (IP 10.1.1.2).

[Figure 48: SCVPN]

Step 1: configure the local user.

hostname(config)# aaa-server local type local
hostname(config-aaa-server)# user user1
hostname(config-user)# password drgrhrgerg231
hostname(config-user)# exit
hostname(config-aaa-server)# exit
hostname(config)#

Step 2: configure the interfaces.

hostname(config)# interface ethernet0/0
hostname(config-if-eth0/0)# zone trust
hostname(config-if-eth0/0)# ip address 10.1.1.0/24
hostname(config-if-eth0/0)# exit
hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# zone dmz
hostname(config-if-eth0/1)# ip address 192.168.1.2/24
hostname(config-if-eth0/1)# exit
hostname(config)#

Step 3: configure the SCVPN address pool.

hostname(config)# scvpn pool pool1
hostname(config-pool-scvpn)# address 11.1.1.10 11.1.1.100 netmask 255.255.255.0
hostname(config-pool-scvpn)# dns 10.1.1.1
hostname(config-pool-scvpn)# wins 10.1.1.2
hostname(config-pool-scvpn)# exit
hostname(config)#

Step 4: configure the SCVPN instance; link-select server-detect lists the public address and port published for each ISP link.

hostname(config)# tunnel scvpn ssl1
hostname(config-tunnel-scvpn)# pool pool1
hostname(config-tunnel-scvpn)# aaa-server local
hostname(config-tunnel-scvpn)# interface ethernet0/1
hostname(config-tunnel-scvpn)# https-port 4433
hostname(config-tunnel-scvpn)# split-tunnel-route 10.1.1.0/24 metric 10
hostname(config-tunnel-scvpn)# link-select server-detect 202.2.3.1 https-port 2234 196.1.2.3 https-port 3367
hostname(config-tunnel-scvpn)# exit
hostname(config)#

Step 5: configure the SCVPN tunnel interface and its IP address.

hostname(config)# interface tunnel1
hostname(config-if-tun1)# zone untrust
hostname(config-if-tun1)# ip address 11.1.1.1/24
hostname(config-if-tun1)# tunnel scvpn ssl1
hostname(config-if-tun1)# exit
hostname(config)#

Step 6: configure the address object and a policy rule from dmz to trust.

hostname(config)# address dst
hostname(config-addr)# ip 10.1.1.0/24
hostname(config-addr)# exit
hostname(config)# policy-global
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone dmz
hostname(config-policy-rule)# dst-zone trust
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr dst
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config-policy)# exit
hostname(config)#

Step 7: define the ISP network.

hostname(config)# isp-network isp1
hostname(config-isp)# subnet 202.2.3.0/24

hostname(config-isp)# subnet 64.2.3.0/24
hostname(config-isp)# exit
hostname(config)#

How it works: the NAT device in front of the Hillstone device translates the published ISP2 address 196.1.2.3:3367 to the SCVPN address 192.168.1.2:4433 (and the published ISP1 address 202.2.3.1:2234 likewise). Because the PC's address belongs to isp-network isp1 and 202.2.3.1/24 is the ISP1 address, the server directs the PC to the ISP1 published address, and the PC reaches the server through ISP1.

Alternatively, configure link-select with the published addresses but without server-detect; the SCVPN client then probes both published addresses over UDP (through the DNAT mappings) and chooses the link itself:

hostname(config)# tunnel scvpn ssl1
hostname(config-tunnel-scvpn)# link-select 202.2.3.1 https-port 2234 196.1.2.3 https-port 3367
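The server-side decision in the two link-selection examples above, as an added Python illustration (example code, not StoneOS code): the ISP network that contains the client's source address decides which link, or which published address and port when DNAT sits in front of the device, the client is steered to. The isp1 subnets are the ones configured above; the isp2 subnet is an assumption added so that both links can be exercised.

```python
"""SCVPN link selection walk-through (added example, not StoneOS code)."""
import ipaddress

ISP_NETWORKS = {
    "isp1": ["202.2.3.0/24", "64.2.3.0/24"],   # from the isp-network isp1 commands above
    "isp2": ["196.1.2.0/24"],                  # assumed: the example does not define isp2
}

# link-select server-detect: candidate links identified by their own addresses.
SERVER_DETECT_LINKS = {"ethernet0/1": "202.2.3.1", "ethernet0/3": "196.1.2.3"}
# link-select behind DNAT: the published address:port pairs from the example.
DNAT_LINKS = {"202.2.3.1:2234": "202.2.3.1", "196.1.2.3:3367": "196.1.2.3"}

def isp_of(ip):
    """Name of the ISP network containing ip (longest prefix wins), or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, nets in ISP_NETWORKS.items():
        for net in map(ipaddress.ip_network, nets):
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None

def select_link(client_ip, links):
    """Label of the link whose address lies in the client's ISP network, else None."""
    isp = isp_of(client_ip)
    if isp is None:
        return None                      # no isp-network matched the client
    for label, link_ip in links.items():
        if isp_of(link_ip) == isp:
            return label
    return None

if __name__ == "__main__":
    for client in ("64.2.3.1", "196.1.2.77", "8.8.8.8"):
        print(client, "->", select_link(client, SERVER_DETECT_LINKS),
              "/", select_link(client, DNAT_LINKS))
```

A client whose address falls outside every configured isp-network gets None here; what the device does in that case is not described on this page, so a deployment should define isp-networks that cover the client populations it expects.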

3 IPSec VPN

StoneOS supports IKE-negotiated IPSec VPN between Hillstone devices, including hub-and-spoke VPN topologies. IKE negotiation has two phases: Phase 1 (P1) establishes the ISAKMP SA, authenticating the peers and running the Diffie-Hellman (DH) exchange; Phase 2 (P2) establishes the IPSec SA under the protection of the P1 SA. The P1 parameters are grouped in a P1 proposal, the IKE peer settings in an ISAKMP peer.

P1 proposal

isakmp proposal p1-name
no isakmp proposal p1-name
  p1-name: name of the P1 (ISAKMP) proposal. The command enters P1 proposal configuration mode; the no form deletes the proposal.

authentication {pre-share | rsa-sig | dsa-sig}
no authentication
  pre-share: pre-shared key
  rsa-sig: RSA signature
  dsa-sig: DSA signature (SHA-1)

encryption {3des | des | aes | aes-192 | aes-256}
no encryption
  3des: 3DES, 192-bit key (StoneOS default)
  des: DES, 64-bit key
  aes: AES, 128-bit key
  aes-192: AES, 192-bit key
  aes-256: AES, 256-bit key

hash {md5 | sha | sha256 | sha384 | sha512}
no hash
  md5: MD5, 128-bit digest
  sha: SHA-1, 160-bit digest (StoneOS default)

  sha256: SHA-256, 256-bit digest
  sha384: SHA-384, 384-bit digest
  sha512: SHA-512, 512-bit digest

group {1 | 2 | 5}
no group
  The Diffie-Hellman (DH) group sets the strength of the key exchange used to derive the ISAKMP SA keys; both peers must use the same group.
  1: DH group 1, 768-bit
  2: DH group 2, 1024-bit (default)
  5: DH group 5, 1536-bit

lifetime time-value
no lifetime
  time-value: lifetime of the ISAKMP SA in seconds, 300 to 86400; default 86400.

ISAKMP peer

The ISAKMP peer defines the IKE negotiation partner: the IP address or interface used for IKE, the authentication material (pre-shared key or PKI trust domain), the local ID, and NAT traversal.

isakmp peer peer-name
no isakmp peer peer-name
  peer-name: name of the ISAKMP peer. The command enters ISAKMP peer configuration mode; the no form deletes the peer.

aaa-server server-name
no aaa-server
  server-name: AAA server (local or Radius) used to authenticate the ISAKMP peer's users.

interface interface-name
no interface
  interface-name: interface on which the IKE negotiation takes place.

mode {main | aggressive}
no mode
  main: main mode; the peers' IDs are protected
  aggressive: aggressive mode

type usergroup
no type
  Sets the ISAKMP peer type to usergroup (a group of dial-in users authenticated through the AAA server).

isakmp-proposal p1-proposal1 [p1-proposal2] [p1-proposal3] [p1-proposal4]
no isakmp-proposal
  p1-proposal1: P1 proposal referenced by the ISAKMP peer; up to 4 P1 proposals may be listed.

pre-share string
no pre-share
  string: pre-shared key of the ISAKMP peer.

trust-domain string
no trust-domain
  string: PKI trust domain used for certificate-based authentication of the ISAKMP peer.

local-id {fqdn string | asn1dn [string] | u-fqdn string}
no local-id
  StoneOS supports FQDN, Asn1dn and U-FQDN local IDs.
  fqdn string: FQDN type ID
  asn1dn [string]: Asn1dn type ID
  u-fqdn string: U-FQDN type ID, for example

  user1@hillstonenet.com

connection-type {bidirectional | initiator-only | responder-only}
no connection-type
  bidirectional: the ISAKMP peer may both initiate and respond
  initiator-only: the ISAKMP peer only initiates
  responder-only: the ISAKMP peer only responds

nat-traversal
no nat-traversal
  Enables NAT traversal for IPSec/IKE when a NAT device sits on the path between the VPN peers.

dpd [interval seconds] [retry times]
no dpd
  DPD (Dead Peer Detection) checks whether the ISAKMP peer is still alive.
  interval seconds: probe interval, 0 to 10 seconds; default 0 (DPD disabled)
  retry times: number of retries before the ISAKMP peer is declared dead, 1 to 10; default 3

description string
no description
  string: description of the ISAKMP peer.

P2 proposal

The P2 proposal defines the IPSec SA parameters.

ipsec proposal p2-name
no ipsec proposal p2-name
  p2-name: name of the P2 (IPSec) proposal. The command enters P2 proposal configuration mode; the no form deletes the proposal.

protocol {esp | ah}
no protocol
  esp: ESP
  ah: AH

encryption {3des | des | aes | aes-192 | aes-256 | null} [3des | des | aes | aes-192 | aes-256 | null] [3des | des | aes | aes-192 | aes-256 | null]
  ESP encryption; up to three algorithms may be listed.
  3des: 3DES, 192-bit key (StoneOS default)
  des: DES, 64-bit key
  aes: AES, 128-bit key
  aes-192: AES, 192-bit key
  aes-256: AES, 256-bit key

  null: no encryption
no encryption

hash {md5 | sha | sha256 | sha384 | sha512 | null} [md5 | sha | sha256 | sha384 | sha512 | null] [md5 | sha | sha256 | sha384 | sha512 | null]
  Up to three hash algorithms may be listed.
  md5: MD5, 128-bit digest
  sha: SHA-1, 160-bit digest (StoneOS default)
  sha256: SHA-256, 256-bit digest
  sha384: SHA-384, 384-bit digest
  sha512: SHA-512, 512-bit digest
  null: no authentication
no hash

group {nopfs | 1 | 2 | 5}
no group
  PFS (Perfect Forward Secrecy) runs a fresh DH exchange for the P2 SA.
  nopfs: no PFS
  1: DH group 1, 768-bit
  2: DH group 2, 1024-bit
  5: DH group 5, 1536-bit

lifetime seconds

  seconds: lifetime of the IPSec SA in seconds; default 28800.
lifesize kilobytes
  kilobytes: lifetime of the IPSec SA in kilobytes of traffic; default 0.
no lifetime
no lifesize

IKE tunnel

The IKE tunnel binds an ISAKMP peer and a P2 proposal and carries the IPSec negotiation IDs.

tunnel ipsec tunnel-name auto
no tunnel ipsec tunnel-name auto
  tunnel-name: name of the IKE tunnel. The command enters IKE tunnel configuration mode; the no form deletes the tunnel.

mode tunnel
no mode
  IPSec tunnel mode.

isakmp-peer peer-name
no isakmp-peer
  peer-name: ISAKMP peer used by the IKE tunnel.

ipsec-proposal p2-name
no ipsec-proposal p2-name
  p2-name: P2 proposal used by the IKE tunnel.

id {auto | local ip-address/mask | remote ip-address/mask | service service-name}
no id
  IPSec negotiation IDs.
  auto: the IDs are generated automatically
  local ip-address/mask: local ID
  remote ip-address/mask: remote ID; 0.0.0.0/0 accepts any remote ID
  service service-name: service used in the ID

auto-connect
no auto-connect
  The IKE tunnel is brought up automatically; the SA is checked every 60 seconds.

df-bit {copy | clear | set}
no df-bit
  copy: copy the DF bit from the inner IP header
  clear: clear the DF bit
  set: set the DF bit

anti-replay {32 | 64 | 128 | 256 | 512}
  Anti-replay window of the IKE tunnel's IPSec SA.
  32: window of 32 packets

  64: window of 64 packets
  128: window of 128 packets
  256: window of 256 packets
  512: window of 512 packets
no anti-replay

responder-set-commit
no responder-set-commit
  Sets the Commit bit when the device responds in the IKE/IPSec negotiation.

idle-time time-value
no idle-time
  time-value: idle timeout of the IKE tunnel's IPSec SA, 120 to 3000 seconds.

description string
no description
  string: description of the IKE tunnel.

PnPVPN-related tunnel settings

The following IKE tunnel and user settings are used by a PnPVPN Server.

generate-route
no generate-route
  When the peer's local ID is an IP address (a PnPVPN client using its DHCP pool, dhcp-pool-addr-start and dhcp-pool-netmask), a route to the peer's network is generated automatically through the tunnel.

no reverse-route
  Disables the reverse route for a peer whose local ID is 0.0.0.0/0.

In user configuration mode (user user-name under aaa-server local):

ike_id {fqdn string | asn1dn string}
no ike_id
  IKE ID of the user.
  fqdn string: FQDN type IKE ID
  asn1dn string: Asn1dn type IKE ID

exec generate-user-key rootkey pre-share-key userid string
  pre-share-key: root pre-shared key
  string: the user's IKE ID. The command derives the user's key from the root key and the IKE ID.
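Before the configuration example, here is an added Python check over the P1 and P2 proposal settings documented above (example code, not StoneOS code). It pulls the `isakmp proposal` and `ipsec proposal` blocks out of configuration text, fills in the defaults the reference lists (3des, sha, group 2, 86400 for P1; 3des, sha, nopfs, 28800 for P2) and flags the choices a reviewer would question: DES, 3DES, MD5, SHA-1, null algorithms, DH groups 1 and 2, no PFS, and AH. The severity wording is this example's own; the sample configuration is constructed.

```python
"""Weak-setting check for StoneOS-style P1/P2 proposals (added example, not StoneOS code)."""
import re

# Defaults from the command reference, applied when a block omits the setting.
P1_DEFAULTS = {"authentication": "pre-share", "encryption": "3des",
               "hash": "sha", "group": "2", "lifetime": "86400"}
P2_DEFAULTS = {"protocol": "esp", "encryption": "3des", "hash": "sha",
               "group": "nopfs", "lifetime": "28800", "lifesize": "0"}

WEAK_ENC = {"des": "single DES", "3des": "3DES (64-bit block cipher)",
            "null": "no encryption"}
WEAK_HASH = {"md5": "MD5", "sha": "SHA-1", "null": "no integrity protection"}
WEAK_GROUP = {"1": "DH group 1 (768-bit)", "2": "DH group 2 (1024-bit)"}

PROMPT = re.compile(r"^\S*\(config[^)]*\)#\s*")   # strips "hostname(config-...)# "

def parse_proposals(config_text):
    """Return {(kind, name): {setting: value}}; kind is 'isakmp' (P1) or 'ipsec' (P2)."""
    proposals, current = {}, None
    for raw in config_text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if not line:
            continue
        m = re.match(r"^(isakmp|ipsec) proposal (\S+)$", line)
        if m:
            current = (m.group(1), m.group(2))
            proposals[current] = {}
        elif current is None:
            continue                          # outside any proposal block
        elif line == "exit":
            current = None
        else:
            key, _, value = line.partition(" ")
            proposals[current][key] = value   # e.g. "encryption" -> "aes-256 null"
    return proposals

def lint_proposal(kind, settings):
    """Findings for one proposal with defaults filled in; an empty list means nothing to flag."""
    p = {**(P1_DEFAULTS if kind == "isakmp" else P2_DEFAULTS), **settings}
    findings = []
    for enc in p["encryption"].split():       # a P2 proposal may list up to three algorithms
        if enc in WEAK_ENC:
            findings.append(f"encryption {enc}: {WEAK_ENC[enc]}")
    for h in p["hash"].split():
        if h in WEAK_HASH:
            findings.append(f"hash {h}: {WEAK_HASH[h]}")
    if p["group"] in WEAK_GROUP:
        findings.append(f"group {p['group']}: {WEAK_GROUP[p['group']]}")
    if kind == "ipsec" and p["group"] == "nopfs":
        findings.append("group nopfs: no perfect forward secrecy for the IPSec SA")
    if kind == "ipsec" and p["protocol"] == "ah":
        findings.append("protocol ah: integrity only, payload is sent in clear")
    return findings

def lint_config(config_text):
    """{'isakmp p1-name': [...], 'ipsec p2-name': [...]} for every proposal found."""
    return {f"{kind} {name}": lint_proposal(kind, settings)
            for (kind, name), settings in parse_proposals(config_text).items()}

# Constructed sample: a legacy and a current P1 proposal, an all-default P2 and a mixed P2.
SAMPLE_CONFIG = """
hostname(config)# isakmp proposal p1-legacy
hostname(config-isakmp-proposal)# authentication pre-share
hostname(config-isakmp-proposal)# encryption des
hostname(config-isakmp-proposal)# hash md5
hostname(config-isakmp-proposal)# group 1
hostname(config-isakmp-proposal)# exit
hostname(config)# isakmp proposal p1-strong
hostname(config-isakmp-proposal)# encryption aes-256
hostname(config-isakmp-proposal)# hash sha256
hostname(config-isakmp-proposal)# group 5
hostname(config-isakmp-proposal)# lifetime 28800
hostname(config-isakmp-proposal)# exit
hostname(config)# ipsec proposal p2-default
hostname(config-ipsec-proposal)# exit
hostname(config)# ipsec proposal p2-mixed
hostname(config-ipsec-proposal)# encryption aes-256 null
hostname(config-ipsec-proposal)# hash sha256
hostname(config-ipsec-proposal)# group 5
hostname(config-ipsec-proposal)# exit
"""

if __name__ == "__main__":
    for name, findings in lint_config(SAMPLE_CONFIG).items():
        print(name, "->", findings or "ok")
```

The all-default P2 proposal is the instructive case: a proposal block that contains nothing but `exit` still yields 3DES, SHA-1 and no PFS, so the check has to apply the documented defaults rather than only reading the lines that are present.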

Example: hub-and-spoke IKE VPN with a usergroup ISAKMP peer. The center device (2.2.2.1/24) accepts IKE connections from two branch devices, User1 and User2, identified by their IKE IDs; PC1 and PC2 at the branches reach Server1 at the center.

[Figure 49: VPN]

Center device

Step 1: configure the zone and interfaces.

hostname(config)# zone vpnzone
hostname(config-zone-vpnzone)# exit
hostname(config)# interface ethernet0/0
hostname(config-if-eth0/0)# zone vpnzone
hostname(config-if-eth0/0)# ip address 2.2.2.1/24
hostname(config-if-eth0/0)# exit
hostname(config)# interface ethernet0/5

hostname(config-if-eth0/5)# zone trust
hostname(config-if-eth0/5)# ip address 192.168.1.1/24
hostname(config-if-eth0/5)# exit
hostname(config)#

Step 2: configure the users with their IKE IDs and generate the user keys from the root key.

hostname(config)# aaa-server local
hostname(config-aaa-server)# user user1
hostname(config-user)# ike_id fqdn hillstone1
hostname(config-user)# exit
hostname(config-aaa-server)# user user2
hostname(config-user)# ike_id fqdn hillstone2
hostname(config-user)# exit
hostname(config-aaa-server)# exit
hostname(config)# exit
hostname# exec generate-user-key rootkey 123456 userid hillstone1
userkey: 3zPNDY6MmI8Wejk5fa3jhPU39p8=
hostname# exec generate-user-key rootkey 123456 userid hillstone2
userkey: tafw+48hcar15+ncism6tzjzzgu=
hostname# configure
hostname(config)#

Step 3: configure the IKE VPN.

hostname(config)# isakmp proposal p1
hostname(config-isakmp-proposal)# exit
hostname(config)# ipsec proposal p2
hostname(config-ipsec-proposal)# exit
hostname(config)# isakmp peer test
hostname(config-isakmp-peer)# aaa-server local
hostname(config-isakmp-peer)# interface ethernet0/0
hostname(config-isakmp-peer)# isakmp-proposal p1
hostname(config-isakmp-peer)# mode aggressive
hostname(config-isakmp-peer)# pre-share 123456
hostname(config-isakmp-peer)# type usergroup
hostname(config-isakmp-peer)# exit
hostname(config)# tunnel ipsec vpn auto
hostname(config-tunnel-ipsec-auto)# isakmp-peer test
hostname(config-tunnel-ipsec-auto)# ipsec-proposal p2
hostname(config-tunnel-ipsec-auto)# id local 192.168.1.2/24 remote 0.0.0.0/0 service any
hostname(config-tunnel-ipsec-auto)# exit
hostname(config)#

Step 4: configure the policy rules.

hostname(config)# policy-global
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone trust

hostname(config-policy-rule)# dst-zone vpnzone
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action tunnel vpn
hostname(config-policy-rule)# exit
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone vpnzone
hostname(config-policy-rule)# dst-zone trust
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action fromtunnel vpn
hostname(config-policy-rule)# exit
hostname(config-policy)# exit
hostname(config)#

Branch device 1

Step 1: configure the interfaces.

hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# zone untrust
hostname(config-if-eth0/1)# ip address 3.3.3.2/24
hostname(config-if-eth0/1)# exit
hostname(config)# interface ethernet0/4
hostname(config-if-eth0/4)# zone trust
hostname(config-if-eth0/4)# ip address 192.168.2.1/24
hostname(config-if-eth0/4)# exit
hostname(config)#

Step 2: configure the IKE VPN; the pre-shared key is the user key generated for hillstone1 on the center device.

hostname(config)# isakmp proposal p1
hostname(config-isakmp-proposal)# exit
hostname(config)# ipsec proposal p2
hostname(config-ipsec-proposal)# exit
hostname(config)# isakmp peer test
hostname(config-isakmp-peer)# interface ethernet0/1
hostname(config-isakmp-peer)# isakmp-proposal p1
hostname(config-isakmp-peer)# mode aggressive
hostname(config-isakmp-peer)# peer 2.2.2.1
hostname(config-isakmp-peer)# pre-share 3zPNDY6MmI8Wejk5fa3jhPU39p8=
hostname(config-isakmp-peer)# local-id fqdn hillstone1
hostname(config-isakmp-peer)# exit
hostname(config)# tunnel ipsec vpn auto
hostname(config-tunnel-ipsec-auto)# isakmp-peer test
hostname(config-tunnel-ipsec-auto)# ipsec-proposal p2
hostname(config-tunnel-ipsec-auto)# id local 192.168.2.2/24 remote 192.168.1.2/24 service any
hostname(config-tunnel-ipsec-auto)# exit

hostname(config)#

Step 3: configure the policy rules.

hostname(config)# policy-global
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone trust
hostname(config-policy-rule)# dst-zone untrust
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action tunnel vpn
hostname(config-policy-rule)# exit
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone untrust
hostname(config-policy-rule)# dst-zone trust
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action fromtunnel vpn
hostname(config-policy-rule)# exit
hostname(config-policy)# exit
hostname(config)#

Branch device 2

Step 1: configure the interfaces.

hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# zone untrust
hostname(config-if-eth0/1)# ip address 4.4.4.2/24
hostname(config-if-eth0/1)# exit
hostname(config)# interface ethernet0/4
hostname(config-if-eth0/4)# zone trust
hostname(config-if-eth0/4)# ip address 192.168.3.1/24
hostname(config-if-eth0/4)# exit
hostname(config)#

Step 2: configure the IKE VPN; the pre-shared key is the user key generated for hillstone2 on the center device.

hostname(config)# isakmp proposal p1
hostname(config-isakmp-proposal)# exit
hostname(config)# ipsec proposal p2
hostname(config-ipsec-proposal)# exit
hostname(config)# isakmp peer test
hostname(config-isakmp-peer)# interface ethernet0/1
hostname(config-isakmp-peer)# isakmp-proposal p1
hostname(config-isakmp-peer)# mode aggressive
hostname(config-isakmp-peer)# peer 2.2.2.1
hostname(config-isakmp-peer)# pre-share tafw+48hcar15+ncism6tzjzzgu=
hostname(config-isakmp-peer)# local-id fqdn hillstone2
hostname(config-isakmp-peer)# exit

hostname(config)# tunnel ipsec vpn auto
hostname(config-tunnel-ipsec-auto)# isakmp-peer test
hostname(config-tunnel-ipsec-auto)# ipsec-proposal p2
hostname(config-tunnel-ipsec-auto)# id local 192.168.3.2/24 remote 192.168.1.2/24 service any
hostname(config-tunnel-ipsec-auto)# exit
hostname(config)#

Step 3: configure the policy rules.

hostname(config)# policy-global
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone trust
hostname(config-policy-rule)# dst-zone untrust
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action tunnel vpn
hostname(config-policy-rule)# exit
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone untrust
hostname(config-policy-rule)# dst-zone trust
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action fromtunnel vpn
hostname(config-policy-rule)# exit
hostname(config-policy)# exit
hostname(config)#

4 PnPVPN

PnPVPN is Hillstone's plug-and-play deployment model for IPSec VPN. A PnPVPN deployment has two sides: the PnPVPN Server, a Hillstone device configured by the IT staff at the center, and PnPVPN Clients, Hillstone SR devices at the branches. The client side needs only an ID, a key and the server address; the server holds the per-client settings (IP address pool, DNS, WINS, DHCP and routes) and pushes them to the client when the VPN comes up, so no VPN expertise is needed at the branch.

Outline of a PnPVPN setup:
1. The server assigns each client an ID and a key.
2. The server defines, per client ID, the DHCP address pool, DHCP gateway, WINS and DNS settings.
3. The client is configured with the server address, its ID and key.
4. Branch PCs obtain their IP settings over DHCP from the client device and reach the center through the VPN.

PnPVPN can be configured through the CLI or the WebUI; this chapter covers the CLI. The PnPVPN Server settings build on the IPSec VPN configuration of the previous chapter.

PnPVPN Server: per-user settings

The DNS, WINS, DHCP and route settings pushed to a client can be set per user (under the local AAA server) or per IKE tunnel; the per-user settings take precedence over the tunnel settings.

In user configuration mode (aaa-server aaa-server-name type local, then user user-name):

dns A.B.C.D [A.B.C.D] [A.B.C.D] [A.B.C.D]
no dns
  A.B.C.D: DNS server IP address pushed to the client; 1 to 4 DNS servers.

wins A.B.C.D [A.B.C.D]
no wins
  A.B.C.D: WINS server IP address pushed to the client; 1 or 2 WINS servers.

split-tunnel-route A.B.C.D/Mask
no split-tunnel-route A.B.C.D/Mask
  A.B.C.D/Mask: network reachable through the tunnel, pushed to the client as a route; up to 128 routes.

dhcp-pool-address start-ipaddr end-ipaddr
no dhcp-pool-address
  start-ipaddr end-ipaddr: range of the DHCP address pool the client hands out to its PCs.

dhcp-pool-netmask A.B.C.D
no dhcp-pool-netmask
  A.B.C.D: netmask of the DHCP address pool.

dhcp-pool-gateway A.B.C.D
  A.B.C.D: gateway of the DHCP address pool; the PnPVPN client uses it as the IP address of the interface facing the PCs, and the PCs receive it as their DHCP gateway.

no dhcp-pool-gateway

PnPVPN Server: per-tunnel settings

The same DNS, WINS and route settings can be given on the IKE tunnel (tunnel ipsec tunnel-name auto) for all users of that tunnel:

dns A.B.C.D [A.B.C.D] [A.B.C.D] [A.B.C.D]
no dns
  A.B.C.D: DNS server IP address; 1 to 4 DNS servers.

wins A.B.C.D [A.B.C.D]
no wins
  A.B.C.D: WINS server IP address; 1 or 2 WINS servers.

split-tunnel-route A.B.C.D/Mask
no split-tunnel-route A.B.C.D/Mask
  A.B.C.D/Mask: route pushed to the client; up to 128 routes.

Peer ID for Radius-authenticated clients

When the PnPVPN Server authenticates clients through Radius, the ISAKMP peer needs a wildcard peer ID so that any client whose FQDN matches can negotiate:

peer-id fqdn wildcard string
no peer-id
  string: FQDN wildcard, for example abc.com.

PnPVPN Client

On the client side (StoneOS on a Hillstone SR device) the PnPVPN tunnel interface can be given an IP address, optionally with SNAT for the branch PCs.

In user configuration mode (aaa-server aaa-server-name type local, then user user-name):

tunnel-ip-address A.B.C.D [snat]
no tunnel-ip-address
  A.B.C.D: IP address of the PnPVPN tunnel interface.
  snat: enable SNAT on the tunnel; without it the PCs' own addresses are used.

WebUI configuration

PnPVPN Server (WebUI)

Users can be authenticated against the local server or a Radius server. To configure a local user:
1. Open the user list and click New.
2. Enter the user name and password and confirm the password.
3. Select the user group.
4. Set the expiry options.
5. IKE ID: choose the type (FQDN) and enter the IKE ID. This ID is what the PnPVPN Client must be configured with.

6. PnPVPN settings: DHCP address pool, DNS and WINS servers pushed to the client.
7. (item text not recovered)
8. Click OK.

IKE VPN (WebUI)

Configure P1 and P2 proposals, then the VPN peer and the IKE VPN.

P1 proposal:
1. Open IPSec VPN > P1 proposal.
2. Enter the P1 proposal name.
3. Select the authentication method.
4. Select pre-share.
5. Select DH group: Group2.
6. Set the remaining parameters.
7. Click OK.

P2 proposal:
1. Open IPSec VPN > P2 proposal.
2. Enter the P2 proposal name.
3. Select the protocol.
4. Set PFS.
5. Set the remaining parameters.
6. Click OK.

VPN peer:
1. Open IPSec VPN > VPN peer.
2. Enter the peer name.
3. Select the interface.
4. Select the mode.

5. Select the peer type.
6. Select the AAA server.
7. Select the P1 proposal.
8. Set the pre-shared key.
9. (item text not recovered)
10. Set the local ID; the PnPVPN Client must use the matching ID.
11. For Radius authentication, configure the Radius server accordingly.

IKE VPN:
1. Open IPSec VPN > IKE VPN.
2. Click New IKE VPN.
3. Step 1: select the ISAKMP peer.
4. Step 2: set the tunnel parameters.
5. Enter the name.
6. Select the tunnel mode.
7. Select the P2 proposal.
8. Set the remaining parameters.
9. Set the DNS and WINS servers pushed to clients.
10. (item text not recovered)
11. (item text not recovered)
12. Set the DNS and WINS servers.

Tunnel interface and route:
1. Create the tunnel interface.
2. Select the zone.

3. Select the tunnel type (tunnel).
4. Select the tunnel.
5. Set the interface parameters.
6. Bind the IPSec VPN tunnel to the interface.
7. Click OK.

Policy:
1. Create a policy rule.
2. Select the source and destination zones.
3. Select the source and destination IP addresses.
4. Select the service and the action, then bind the VPN.
5. Click OK.
6. Configure the reverse rule in the same way.

PnPVPN Client (WebUI)

1. Open IPSec VPN > PnPVPN Client.
2. Click New PnPVPN Client.
3. Enter the server IP address, the ID and the key assigned by the IKE VPN server.

Further client fields: PnPVPN DHCP and WINS settings, the VPN interface (the interface facing the VPN peer), the Internet interface, the PCs' interface or bgroup, and the bridge group (bgroup) membership. (Field text not recovered.)
4. Click OK; the IPSec VPN tunnel to the PnPVPN Server is then established over the Internet.

The following example (Figure 22-1) shows a Hillstone PnPVPN Server with two Hillstone PnPVPN Clients.

[Figure 50: PnPVPN]

Topology: at the center, 192.168.1.0/24 is on ethernet0/0 (zone trust) and 192.168.200.0/24 on ethernet0/2 (zone trust); the Hillstone PnPVPN Server connects to the Internet through ethernet0/1 (IP 202.106.6.208, zone untrust). The Shanghai branch connects to the Internet with IP 61.170.6.208 and uses 192.168.2.0/24; the Guangzhou branch connects with IP 59.42.6.208 and uses 192.168.3.0/24.

PnPVPN Server

Step 1: create the AAA server and the two users with their IKE IDs, DHCP pools and routes.

hostname(config)# aaa-server test type local
hostname(config-aaa-server)# exit
hostname(config)#
hostname(config)# aaa-server test type local
hostname(config-aaa-server)# user shanghai
hostname(config-user)# password shanghaiuser
hostname(config-user)# ike-id fqdn shanghai
hostname(config-user)# dhcp-pool-address 192.168.2.1 192.168.2.100
hostname(config-user)# dhcp-pool-netmask 255.255.255.0
hostname(config-user)# dhcp-pool-gateway 192.168.2.101
hostname(config-user)# split-tunnel-route 192.168.200.0/24
hostname(config-user)# split-tunnel-route 192.168.1.0/24
hostname(config-user)# split-tunnel-route 192.168.3.0/24
hostname(config-user)# exit
hostname(config-aaa-server)# exit
hostname(config)#
hostname(config)# aaa-server test type local
hostname(config-aaa-server)# user guangzhou
hostname(config-user)# password guangzhouuser
hostname(config-user)# ike-id fqdn guangzhou
hostname(config-user)# dhcp-pool-address 192.168.3.1 192.168.3.100
hostname(config-user)# dhcp-pool-netmask 255.255.255.0
hostname(config-user)# dhcp-pool-gateway 192.168.3.101
hostname(config-user)# split-tunnel-route 192.168.200.0/24
hostname(config-user)# split-tunnel-route 192.168.1.0/24
hostname(config-user)# split-tunnel-route 192.168.2.0/24
hostname(config-user)# exit
hostname(config-aaa-server)# exit
hostname(config)#

Step 2: configure the IKE VPN on the PnPVPN Server.

hostname(config)# isakmp proposal test1
hostname(config-isakmp-proposal)# group 2
hostname(config-isakmp-proposal)# exit
hostname(config)# ipsec proposal test2
hostname(config-ipsec-proposal)# exit
hostname(config)# isakmp peer test1
hostname(config-isakmp-peer)# type usergroup
hostname(config-isakmp-peer)# mode aggressive
hostname(config-isakmp-peer)# interface ethernet0/1
hostname(config-isakmp-peer)# aaa-server test
hostname(config-isakmp-peer)# isakmp-proposal test1
hostname(config-isakmp-peer)# pre-share 123456
hostname(config-isakmp-peer)# exit

hostname(config)# tunnel ipsec test auto
hostname(config-tunnel-ipsec-auto)# ipsec-proposal test2
hostname(config-tunnel-ipsec-auto)# isakmp-peer test1
hostname(config-tunnel-ipsec-auto)# mode tunnel
hostname(config-tunnel-ipsec-auto)# id auto
hostname(config-tunnel-ipsec-auto)# dns 192.168.200.1 192.168.200.11
hostname(config-tunnel-ipsec-auto)# wins 192.168.200.2 192.168.200.12
hostname(config-tunnel-ipsec-auto)# exit
hostname(config)#

Step 3: generate the user keys from the root key.

hostname(config)# exec generate-user-key rootkey 123456 userid shanghai
userkey: kyzakmlwcc5nz75fsedim2r+4vg=
hostname(config)# exec generate-user-key rootkey 123456 userid guangzhou
userkey: SdqhY4+dPThTtpipW2hs2OMB5Ps=

Step 4: configure the VPN zone, the tunnel interface and the policy rules.

hostname(config)# zone VPN
hostname(config-zone-vpn)# exit
hostname(config)# interface tunnel1
hostname(config-if-tun1)# zone VPN
hostname(config-if-tun1)# tunnel ipsec test
hostname(config-if-tun1)# exit
hostname(config)# policy-global
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone VPN
hostname(config-policy-rule)# dst-zone trust
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone trust
hostname(config-policy-rule)# dst-zone VPN
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone VPN
hostname(config-policy-rule)# dst-zone VPN
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config-policy)# exit
hostname(config)#

Step 5: configure routes to the branch networks through the tunnel.

hostname(config)# ip vrouter trust-vr
hostname(config-vrouter)# ip route 192.168.2.0/24 tunnel1 61.170.6.208
hostname(config-vrouter)# ip route 192.168.3.0/24 tunnel1 59.42.6.208
hostname(config)#

PnPVPN Client (Shanghai)

1. In the WebUI, open IPSec VPN.
2. Click New PnPVPN Client and enter: server address 202.106.6.208, ID shanghai, key kyzakmlwcc5nz75fsedim2r+4vg= (enter it again to confirm), VPN interfaces ethernet0/0 and ethernet0/3 (field labels not recovered).
3. Click OK.

PnPVPN Client (Guangzhou)

1. In the WebUI, open IPSec VPN.
2. Click New PnPVPN Client and enter: server address 202.106.6.208, ID guangzhou, key SdqhY4+dPThTtpipW2hs2OMB5Ps= (enter it again to confirm), VPN interfaces ethernet0/0 and ethernet0/3 (field labels not recovered).

3. Click OK.

5 GRE

GRE (Generic Routing Encapsulation) tunnels carry packets of one protocol inside another. StoneOS supports GRE tunnels and GRE over IPSec, in which the GRE tunnel is protected by an IPSec VPN tunnel. This chapter describes the GRE tunnel commands and a GRE over IPSec example.

GRE tunnel

tunnel gre gre-tunnel-name
no tunnel gre gre-tunnel-name
  gre-tunnel-name: name of the GRE tunnel. The command enters GRE tunnel configuration mode; the no form deletes the tunnel.

In GRE tunnel configuration mode, set the source, destination, egress interface, the IPSec VPN tunnel that protects the GRE tunnel (optional) and the GRE key.

source {interface interface-name | ip-address}
no source
  interface interface-name: use the IP address of this interface as the GRE tunnel source
  ip-address: GRE tunnel source IP address

destination ip-address
no destination
  ip-address: GRE tunnel destination IP address (the peer).

interface interface-name
no interface
  interface-name: egress interface of the GRE tunnel.

next-tunnel ipsec tunnel-name
no next-tunnel
  tunnel-name: IPSec VPN tunnel that protects the GRE tunnel (GRE over IPSec).

key key-value
no key
  key-value: GRE key, 0 to 4294967295; both ends must use the same key.

Binding a GRE tunnel to a tunnel interface

In tunnel interface configuration mode:

tunnel gre gre-tunnel-name [gw ip-address]
no tunnel gre gre-tunnel-name
  gre-tunnel-name: GRE tunnel bound to the interface
  gw ip-address: gateway IP address of the GRE tunnel; default 0.0.0.0

Viewing GRE tunnels

show tunnel gre [gre-tunnel-name]
  gre-tunnel-name: show only this GRE tunnel.

Example: GRE over IPSec with OSPF. The Center and Branch1 Hillstone devices are connected over the Internet by a GRE tunnel protected by IPSec; OSPF runs across the GRE tunnel.

[Figure 51: GRE over IPSec]

Center

Step 1: configure the interfaces.

hostname(config)# interface ethernet0/0
hostname(config-if-eth0/0)# zone untrust
hostname(config-if-eth0/0)# ip address 202.106.1.1/24
hostname(config-if-eth0/0)# exit
hostname(config)#
hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# zone trust
hostname(config-if-eth0/1)# ip address 192.168.1.1/24
hostname(config-if-eth0/1)# exit
hostname(config)#

Step 2: configure the IPSec VPN to Branch1.

hostname(config)# isakmp proposal branch1
hostname(config-isakmp-proposal)# exit
hostname(config)# ipsec proposal branch1
hostname(config-ipsec-proposal)# exit
hostname(config)# isakmp peer branch1
hostname(config-isakmp-peer)# interface ethernet0/0

hostname(config-isakmp-peer)# peer 202.106.2.1
hostname(config-isakmp-peer)# pre-share 111111
hostname(config-isakmp-peer)# isakmp-proposal branch1
hostname(config-isakmp-peer)# exit
hostname(config)# tunnel ipsec branch1 auto
hostname(config-tunnel-ipsec-auto)# isakmp-peer branch1
hostname(config-tunnel-ipsec-auto)# ipsec-proposal branch1
hostname(config-tunnel-ipsec-auto)# exit
hostname(config)#

Step 3: configure the GRE tunnel and protect it with the IPSec tunnel.

hostname(config)# tunnel gre center-branch1
hostname(config-tunnel-gre)# source 202.106.1.1
hostname(config-tunnel-gre)# destination 202.106.2.1
hostname(config-tunnel-gre)# interface ethernet0/0
hostname(config-tunnel-gre)# next-tunnel ipsec branch1
hostname(config-tunnel-gre)# exit
hostname(config)#

Step 4: bind the GRE tunnel to a tunnel interface.

hostname(config)# interface tunnel1
hostname(config-if-tun1)# zone trust
hostname(config-if-tun1)# ip address 172.16.1.1/24
hostname(config-if-tun1)# tunnel gre center-branch1 gw 172.16.1.2
hostname(config-if-tun1)# exit
hostname(config)#

Step 5: configure OSPF.

hostname(config)# ip vrouter trust-vr
hostname(config-vrouter)# router ospf
hostname(config-router)# router-id 172.16.1.1
hostname(config-router)# network 172.16.1.1/24 area 0
hostname(config-router)# network 192.168.1.1/24 area 0
hostname(config-router)# exit
hostname(config-vrouter)# exit
hostname(config)#

Step 6: configure the policy rules.

hostname(config)# policy-global
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone trust
hostname(config-policy-rule)# dst-zone trust
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit

hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone untrust
hostname(config-policy-rule)# dst-zone trust
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config-policy)# exit
hostname(config)#

Branch1

Step 1: configure the interfaces.

hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# zone untrust
hostname(config-if-eth0/1)# ip address 202.106.2.1/24
hostname(config-if-eth0/1)# exit
hostname(config)#
hostname(config)# interface ethernet0/0
hostname(config-if-eth0/0)# zone trust
hostname(config-if-eth0/0)# ip address 192.168.2.1/24
hostname(config-if-eth0/0)# exit
hostname(config)#

Step 2: configure the IPSec VPN to the Center.

hostname(config)# isakmp proposal center
hostname(config-isakmp-proposal)# exit
hostname(config)# ipsec proposal center
hostname(config-ipsec-proposal)# exit
hostname(config)# isakmp peer center
hostname(config-isakmp-peer)# interface ethernet0/0
hostname(config-isakmp-peer)# peer 202.106.1.1
hostname(config-isakmp-peer)# pre-share 111111
hostname(config-isakmp-peer)# isakmp-proposal center
hostname(config-isakmp-peer)# exit
hostname(config)# tunnel ipsec center auto
hostname(config-tunnel-ipsec-auto)# isakmp-peer center
hostname(config-tunnel-ipsec-auto)# ipsec-proposal center
hostname(config-tunnel-ipsec-auto)# exit
hostname(config)#

Step 3: configure the GRE tunnel and protect it with the IPSec tunnel.

hostname(config)# tunnel gre branch1
hostname(config-tunnel-gre)# source 202.106.2.1
hostname(config-tunnel-gre)# destination 202.106.1.1
hostname(config-tunnel-gre)# interface ethernet0/0

hostname(config-tunnel-gre)# next-tunnel ipsec center
hostname(config-tunnel-gre)# exit
GRE
hostname(config)# interface tunnel1
hostname(config-if-tun1)# zone trust
hostname(config-if-tun1)# ip address 172.16.1.2/24
hostname(config-if-tun1)# tunnel gre branch1 gw 172.16.1.1
hostname(config-if-tun1)# exit
OSPF
hostname(config)# ip vrouter trust-vr
hostname(config-vrouter)# router ospf
hostname(config-router)# router-id 172.16.1.2
hostname(config-router)# network 172.16.1.2/24 area 0
hostname(config-router)# network 192.168.2.1/24 area 0
hostname(config-router)# exit
hostname(config-vrouter)# exit
hostname(config)# policy-global
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone trust
hostname(config-policy-rule)# dst-zone trust
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone untrust
hostname(config-policy-rule)# dst-zone trust
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config-policy)# exit

6 L2TP L2TP Layer Two Tunneling Protocol L2TP L2TP L2TP LAC VPN PPP L2TP LNS IP Hillstone L2TP LNS L2TP LAC IP DNS WINS L2TP RFC2661 L2TP L2TP 52 L2TP Hillstone LN S L2TP L2TP LNS Windows 2000/2003/XP/Vista Linux L2TP 156

53 LAC Hillstone LNS L2TP PSTN/ISDN LAC LAC LNS VPN LAC LNS LAC PPP LNS L2TP L2TP over IPSec L2TP L2TP IPSec IPsec L2TP L2TP over IPSec 1. L2TP IPSec Windows L2TP XP L2TP over IPSec 2. IPSec VPN 1 IPSec 3. L2TP IPSec 4. Windows L2TP Windows L2TP IKE LNS IKE accept-all-peer-id ISAKMP ID LNS IPSec VPN IP L2TP Windows IPSec transport LNS IPSec 157

LNS LNS L2TP L2TP L2TP LNS IP LNS LNS IP DNS WINS L2TP l2tp pool pool-name pool-name L2TP L2TP no L2TP no l2tp pool pool-name L2TP IP L2TP address start-ip end-ip start-ip IP IP end-ip IP IP 60000 IP L2TP no IP no address IP IP LNS IP 158

IP FTP L2TP exclude-address start-ip end-ip start-ip IP end-ip IP L2TP no no exclude address IP L2TP IP IP IP IP -IP IP IP IP -IP IP LNS IP IP IP 1. IP IP IP IP 2. -IP IP IP IP -IP IP IP IP L2TP ip-binding user user-name ip-address user user-name ip-address IP L2TP no IP no ip-binding user user-name -IP -IP L2TP ip-binding role role-name ip-range start-ip end-ip role role-name 159

ip-range start-ip end-ip IP IP start-ip IP end-ip L2TP no -IP no ip-binding role role-name -IP -IP -IP Hillstone -IP IP L2TP move role-name1 {before role-name2 after role-name2 top bottom} role name1 -IP before role-name2 -IP - IP ( role-name2 ) after role-name2 -IP - IP ( role-name2 ) top -IP -IP bottom -IP -IP L2TP L2TP tunnel l2tp tunnel-name tunnel-name L2TP L2TP L2TP L2TP no L2TP no tunnel l2tp tunnel-name L2TP IP DNS WINS 160

AAA PPP Hello LNS AVP IP IP LNS AAA IP DNS LNS IP L2TP IP L2TP assign-client-ip from { pool aaa-server } pool IP DNS aaa-server AAA IP DNS L2TP L2TP L2TP pool pool-name pool-name L2TP L2TP no no pool DNS DNS L2TP dns address1 [address2] address1 DNS IP 2 DNS L2TP no DNS no dns 161

WINS WINS L2TP wins address1 [address2] address1 WINS IP 2 WINS L2TP no WINS no wins L2TP interface interface-name interface-name L2TP no no interface AAA AAA LNS L2TP AAA AAA L2TP aaa-server aaa-server-name [domain domain-name [keep-domain-name]] aaa-server-name AAA domain domain-name AAA AAA keep-domain-name L2TP no AAA no aaa-server aaa-server-name [domain domain-name] PPP LNS LAC PPP PAP CHAP PPP L2TP ppp-auth {pap chap any} pap PPP PAP chap PPP CHAP any CHAP PAP L2TP no no ppp-auth LCP Echo PPP LNS LCP Echo LCP Echo 162

L2TP ppp-lcp-echo interval time time LCP Echo 0 1000 0 LCP Echo 30 L2TP no no ppp-lcp-echo interval Hello L2TP Hello LNS L2TP LAC Hello Hello L2TP keepalive time time Hello 60 1800 60 L2TP no no keepalive LNS LAC L2TP tunnel-authentication L2TP no no tunnel-authentication LNS L2TP secret secret-string [peer-name name] secret-string 1 31 peer-name name LAC LAC LNS LAC LAC L2TP no no secret secret-string [peer-name name] 163

LNS LNS L2TP local-name name name LNS 1 31 LNS L2TP no no local-name AVP L2TP AVP attribute value pair L2TP AVP AVP L2TP AVP AVP avp-hidden AVP no vp-hidden a AVP L2TP tunnel-receive-window window-size window-size 8 4 800 L2TP no no tunnel-receive-window L2TP allow-multi-logon no -multi-logon allow IP IP LNS IP IP IP L2TP IP 164

IP a ccept-client-ip IP no accept-client-ip L2TP L2TP 1 2 1 2 4 8 16 L2TP transmit-retry times times 1 10 5 L2TP no no transmit-retry IPSec L2TP over IPSec IPSec L2TP L2TP L2TP IPSec next-tunnel ipsec tunnel-name tunnel-name IPSec VPN L2TP no IPSec no next-tunnel ipsec L2TP L2TP L2TP L2TP L2TP L2TP LNS VR L2TP L2TP L2TP VPN VR LNS L2TP L2TP tunnel l2tp tunnel-name [bind-to-domain domain-name] tunnel-name L2TP bind-to-domain domain-name L2TP domain name L2TP 165

LNS no L2TP no tunnel l2tp tunnel-name no tunnel l2tp tunnel-name bind-to-domain domain-name L2TP LNS exec l2tp tunnel-name kickout user user-name tunnel-name L2TP user-name clear l2tp tunnel-name tunnel-name L2TP L2TP show L2TP L2TP show tunnel l2tp [l2tp-tunnel-name] L2TP show l2tp tunnel l2tp-tunnel-name L2TP show l2tp client {tunnel-name l2tp-tunnel-name [user user-name] tunnel-id ID} L2TP show l2tp pool [pool-name] L2TP show l2tp pool pool-name statistics L2TP show auth-user l2tp [interface interface-name vrouter vrouter-name slot slot-no] L2TP L2TP Hillstone LNS L2TP 166

L2TP Windows 2000/2003/XP/Vista L2TP Windows 2000/2003/XP/Vista Windows L2TP LNS Hillstone Secure Defender L2TP L2TP L2TP VPN 54 L2TP LNS L2TP LNS Hillstone
hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# zone untrust
hostname(config-if-eth0/1)# ip address 58.31.46.207/24
hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2
hostname(config-if-eth0/2)# zone trust
hostname(config-if-eth0/2)# ip address 10.110.0.190/24
hostname(config-if-eth0/2)# exit
AAA
hostname(config)# aaa-server local
hostname(config-aaa-server)# user shanghai
hostname(config-user)# password 123456
hostname(config-user)# exit
hostname(config-aaa-server)# exit
LNS IP
hostname(config)# l2tp pool pool1
hostname(config-l2tp-pool)# address 10.232.241.2 10.232.244.254
hostname(config-l2tp-pool)# exit
L2TP
hostname(config)# tunnel l2tp test
hostname(config-tunnel-l2tp)# pool pool1
hostname(config-tunnel-l2tp)# dns 202.106.0.20 10.188.7.10
hostname(config-tunnel-l2tp)# interface ethernet0/1
hostname(config-tunnel-l2tp)# ppp-auth any
hostname(config-tunnel-l2tp)# keepalive 1800
hostname(config-tunnel-l2tp)# aaa-server local
hostname(config-tunnel-l2tp)# exit
L2TP test
hostname(config)# interface tunnel1
hostname(config-if-tun1)# zone untrust
hostname(config-if-tun1)# ip address 10.232.241.1 255.255.248.0
hostname(config-if-tun1)# manage ping
hostname(config-if-tun1)# tunnel l2tp test
hostname(config-if-tun1)# exit
hostname(config)# policy-global
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone untrust
hostname(config-policy-rule)# dst-zone trust
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config-policy)# exit
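The IPsec/GRE, L2TP and L2TP over IPsec sessions in this chapter all carry settings a reviewer would question before deploying them as-is: a numeric pre-shared key, a six-digit user password, `ppp-auth any` (which admits PAP), `accept-all-peer-id`, 3DES/SHA-1 proposals, and any/any/any permit rules between zones. The following auditor is an added example, not code from the Hillstone manual or StoneOS: it parses a transcript of `hostname(config-...)# command` lines exactly as they are printed here, tracks which object each line configures from the prompt changes, and reports such settings. The finding codes, the "weak secret" threshold and the constructed sample session are this example's own assumptions, not vendor rules.

```python
"""Audit a StoneOS-style CLI session transcript for weak VPN settings.

Added example (not from the Hillstone manual). Thresholds, finding codes and
the sample session are assumptions made for illustration.
"""
import re
from dataclasses import dataclass

# One transcript line: "<host>(<mode>)# <command>"
PROMPT_RE = re.compile(r"^\S+\((config[^)]*)\)#\s*(.*?)\s*$")


@dataclass(frozen=True)
class Finding:
    code: str      # machine-readable tag, e.g. WEAK_PSK
    context: str   # command that opened the object being configured
    command: str   # the line that triggered the finding
    detail: str    # why it matters


def weak_secret(secret: str) -> bool:
    """Assumed policy: shorter than 16 chars, all digits, or a bare word."""
    return len(secret) < 16 or secret.isdigit() or secret.isalpha()


def audit(session: str) -> list:
    """Return a list of Findings for the transcript in `session`."""
    findings = []
    ctx_by_mode = {"config": "global"}   # prompt mode -> command that entered it
    prev_mode = prev_cmd = None
    rule = {}                            # fields of the policy rule being built

    def flag(code, ctx, cmd, detail):
        findings.append(Finding(code, ctx, cmd, detail))

    for raw in session.splitlines():
        m = PROMPT_RE.match(raw)
        if not m or not m.group(2):
            continue                      # not a prompt line, or a bare prompt
        mode, cmd = m.group(1), m.group(2)
        parts = cmd.split()
        # A mode change right after a non-exit command means that command opened a new object.
        if prev_mode is not None and mode != prev_mode and prev_cmd != "exit":
            ctx_by_mode[mode] = prev_cmd
        ctx = ctx_by_mode.get(mode, mode)

        if parts[0] == "exit":
            if mode == "config-policy-rule":
                wide_open = all(rule.get(k) == "any" for k in ("src-addr", "dst-addr", "service"))
                # Only cross-zone any/any/any permits are reported; intra-zone ones are left alone.
                if (wide_open and rule.get("action") == "permit"
                        and rule.get("src-zone") != rule.get("dst-zone")):
                    flag("PERMISSIVE_RULE", ctx, cmd,
                         f"any/any/any permit from {rule.get('src-zone')} to {rule.get('dst-zone')}")
                rule = {}
        elif parts[0] == "pre-share" and len(parts) > 1 and weak_secret(parts[1]):
            flag("WEAK_PSK", ctx, cmd, "pre-shared key is short or low-entropy")
        elif parts[0] == "password" and len(parts) > 1 and weak_secret(parts[1]):
            flag("WEAK_PASSWORD", ctx, cmd, "user password is short or low-entropy")
        elif parts[0] == "encryption" and len(parts) > 1 and parts[1] in ("des", "3des"):
            flag("LEGACY_CIPHER", ctx, cmd, f"{parts[1]} is a legacy 64-bit block cipher")
        elif parts[0] == "hash" and len(parts) > 1 and parts[1] == "md5":
            flag("WEAK_HASH", ctx, cmd, "MD5 integrity")
        elif parts[0] == "hash" and len(parts) > 1 and parts[1] == "sha":
            flag("SHA1_HASH", ctx, cmd, "SHA-1 integrity; prefer a SHA-2 variant where available")
        elif parts[0] == "accept-all-peer-id":
            flag("NO_PEER_ID_CHECK", ctx, cmd,
                 "IKE peer identity not checked; acceptable only with per-user AAA behind it")
        elif parts[0] == "ppp-auth" and len(parts) > 1 and parts[1] in ("pap", "any"):
            flag("PAP_ALLOWED", ctx, cmd, "PAP sends the password in clear inside the L2TP tunnel")
        elif mode == "config-policy-rule" and len(parts) >= 2:
            rule[parts[0]] = parts[1]     # src-zone, dst-zone, src-addr, dst-addr, service, action

        prev_mode, prev_cmd = mode, cmd
    return findings


# Constructed sample session in the style of the manual's L2TP over IPsec LNS example.
SAMPLE_SESSION = """\
hostname(config)# isakmp proposal p1
hostname(config-isakmp-proposal)# authentication pre-share
hostname(config-isakmp-proposal)# hash sha
hostname(config-isakmp-proposal)# exit
hostname(config)# ipsec proposal p2
hostname(config-ipsec-proposal)# protocol esp
hostname(config-ipsec-proposal)# hash sha
hostname(config-ipsec-proposal)# encryption 3des
hostname(config-ipsec-proposal)# exit
hostname(config)# isakmp peer east
hostname(config-isakmp-peer)# accept-all-peer-id
hostname(config-isakmp-peer)# pre-share hello1
hostname(config-isakmp-peer)# exit
hostname(config)# tunnel l2tp test
hostname(config-tunnel-l2tp)# ppp-auth any
hostname(config-tunnel-l2tp)# exit
hostname(config)# policy-global
hostname(config-policy)# rule
hostname(config-policy-rule)# src-zone untrust
hostname(config-policy-rule)# dst-zone trust
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config-policy)# exit
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_SESSION):
        print(f"[{f.code}] {f.context}: {f.command}  -- {f.detail}")
```

The context tracking relies only on the prompt: when the prompt mode changes after a command other than `exit`, that command is recorded as the object the following lines belong to, so a finding reads "isakmp peer east: pre-share hello1" rather than just the bare command. Findings are advisory; `accept-all-peer-id` in particular is what the manual uses for Windows L2TP clients, so the auditor reports it as something to compensate for with per-user AAA rather than as an error.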

Windows XP L2TP 1. L2TP 2. 3. IPSec L2TP Windows XP L2TP 1. Internet 2. 3. 4. L2TP 5. 6. IP LNS IP 58.31.46.207 7. L2TP L2TP 1. L2TP 55 L2TP 169

2. L2TP 3. L2TP 4. CHAP 170

56 5. L2TP VPN L2TP IP Internet TCP/IP 171

57 L2TP 6. Windows XP L2TP IPSec Windows XP IPSec L2TP 1. Regedt32 2. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\Parameters 3. Parameters DWORD Parameters DWORD ProhibitIPSec REG_DWORD 1

58 4. LNS LNS LNS VPN LNS L2TP shanghai 123456 173

59 L2TP Web FTP MS-DOS ipconfig LNS 10.232.241.2 15 LNS PC IP L2TP over IPSec L2TP over IPSec L2TP VPN Web PC LNS IPSec 174

60 L2TP over IPSec LNS L2TP LNS Hillstone
hostname(config)# interface ethernet0/2
hostname(config-if-eth0/2)# zone trust
hostname(config-if-eth0/2)# ip address 10.110.0.190/24
hostname(config-if-eth0/2)# exit
hostname(config)# interface ethernet0/3
hostname(config-if-eth0/3)# zone untrust
hostname(config-if-eth0/3)# ip address 192.168.1.1/24
hostname(config-if-eth0/3)# exit
IPSec VPN
hostname(config)# isakmp proposal p1
hostname(config-isakmp-proposal)# authentication pre-share
hostname(config-isakmp-proposal)# hash sha
hostname(config-isakmp-proposal)# exit
hostname(config)# ipsec proposal p2
hostname(config-ipsec-proposal)# protocol esp
hostname(config-ipsec-proposal)# hash sha
hostname(config-ipsec-proposal)# encryption 3des
hostname(config-ipsec-proposal)# exit
hostname(config)# isakmp peer east
hostname(config-isakmp-peer)# interface ethernet0/3
hostname(config-isakmp-peer)# type usergroup
hostname(config-isakmp-peer)# accept-all-peer-id
hostname(config-isakmp-peer)# mode main
hostname(config-isakmp-peer)# isakmp-proposal p1
hostname(config-isakmp-peer)# pre-share hello1
hostname(config-isakmp-peer)# aaa-server local
hostname(config)# tunnel ipsec vpn1 auto
hostname(config-tunnel-ipsec-auto)# mode transport
hostname(config-tunnel-ipsec-auto)# isakmp-peer east