L2TPclient on FortiOS
Case 1: Static
--net150--FGT85---net89---ROUTER27----net130---FGT60--net110---
config system interface
edit "internal"
set vdom "root"
set ip 8.8.130.60 255.255.255.0
set allowaccess ping https ssh snmp http telnet
set type physical
set l2tp-client enable
config l2tp-client-settings
set defaultgw enable
set password adsl
set peer-host "172.18.9.85"
set user "adsl"
end
next
end
FGT-602803033467 #
config router static
edit 1
set device "internal"
set gateway 8.8.130.2
next
end
FGT-602803033467 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [2/0] via 10.10.10.100, ppp0
C 8.8.110.0/24 is directly connected, vlan110
C 8.8.130.0/24 is directly connected, internal
C 10.10.10.100/32 is directly connected, ppp0
is directly connected, ppp0
FGT-602803033467 # d ip route li
tab=254 vf=0 scope=0 type=1 proto=14 prio=10 0.0.0.0/0.0.0.0/0->172.18.9.85/32 pref=0.0.0.0 gwy=8.8.130.2 dev=5(internal) ==> Host route, added by l2tpclient
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->8.8.110.0/24 pref=8.8.110.60 gwy=0.0.0.0 dev=13(vlan110)
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=10.10.10.100 dev=12(ppp0)
[defaultgw]
If defaultgw is not enabled, l2tpclient will not inject the default route with distance 2, so the static route configured under router static stays the active default:
FGT-602803033467 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [10/0] via 8.8.130.2, internal ==> config in router static
C 8.8.110.0/24 is directly connected, vlan110
C 8.8.130.0/24 is directly connected, internal
C 10.10.10.101/32 is directly connected, ppp0
is directly connected, ppp0
[distance]
Since a static route has a default distance of 10, l2tpclient should inject its default route with a lower distance. A distance of 9 works when a static route (not a connected route) is used to reach the L2TP server.
config l2tp-client-settings
set defaultgw enable
set distance 9
FGT-602803033467 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [9/0] via 10.10.10.101, ppp0
C 8.8.110.0/24 is directly connected, vlan110
C 8.8.130.0/24 is directly connected, internal
C 10.10.10.101/32 is directly connected, ppp0
is directly connected, ppp0
Case 2: DHCP mode
Same topology, but FGT60 gets its default route from DHCP. Since the DHCP-injected default route has distance 5, the setting above won't work.
FGT-602803033467 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [5/0] via 8.8.130.2, internal ==> override l2tpclient route(9)
C 8.8.110.0/24 is directly connected, dmz
C 8.8.130.0/24 is directly connected, internal
C 10.10.10.101/32 is directly connected, ppp0
is directly connected, ppp0
After changing the distance value to 4, the tunnel route wins and it works as expected.
FGT-602803033467 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [4/0] via 10.10.10.100, ppp0
C 8.8.110.0/24 is directly connected, dmz
C 8.8.130.0/24 is directly connected, internal
C 10.10.10.100/32 is directly connected, ppp0
is directly connected, ppp0
FGT-602803033467 #
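As an added check (not part of the original post), a small Python script that parses the "get router info routing-table all" output shown above, reports whether the L2TP tunnel (a pppN interface) actually holds the default route, and if not, computes the distance to set under l2tp-client-settings so that it does. The sample input is constructed from the Case 2 output before the distance was lowered.

```python
import re

# Constructed sample modelled on the Case 2 routing table in this post, before the
# distance was lowered: the DHCP default route on "internal" (distance 5) beats the
# l2tpclient default route (distance 9), so the latter never enters the active table.
SAMPLE_CASE2_BEFORE = """\
S* 0.0.0.0/0 [5/0] via 8.8.130.2, internal
C 8.8.110.0/24 is directly connected, dmz
C 8.8.130.0/24 is directly connected, internal
C 10.10.10.101/32 is directly connected, ppp0
"""

# Matches routes that carry [distance/metric]; connected (C) routes do not.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z*]+)\s+(?P<prefix>\S+)\s+\[(?P<dist>\d+)/(?P<metric>\d+)\]"
    r"\s+via\s+(?P<nexthop>\S+),\s+(?P<dev>\S+)$"
)

def parse_routes(text):
    """Return the non-connected routes from a 'get router info routing-table' dump."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            r = m.groupdict()
            r["dist"], r["metric"] = int(r["dist"]), int(r["metric"])
            routes.append(r)
    return routes

def active_default(text):
    """The default route currently installed, or None if there is none."""
    for r in parse_routes(text):
        if r["prefix"] == "0.0.0.0/0":
            return r
    return None

def tunnel_is_default(text):
    """True when the default route leaves via a pppN interface, i.e. the L2TP tunnel."""
    r = active_default(text)
    return r is not None and r["dev"].startswith("ppp")

def required_l2tp_distance(text):
    """Distance to set under l2tp-client-settings so the tunnel route wins:
    one below the competing default route's distance. None if the tunnel already
    holds the default route or no default route exists."""
    r = active_default(text)
    if r is None or r["dev"].startswith("ppp"):
        return None
    if r["dist"] <= 1:
        raise ValueError("competing default route already has distance 1")
    return r["dist"] - 1
```

Run against the Case 1 output with the static default route (distance 10) it returns 9, and against the Case 2 DHCP output (distance 5) it returns 4, matching the values the post arrived at by hand.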
Case 3: PPPoE
Two ppp interfaces are involved: ppp0 (the PPPoE link) and ppp1 (the L2TP tunnel).
FGT-602803033467 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [4/0] via 10.10.10.101, ppp1
C 8.8.110.0/24 is directly connected, dmz
C 8.8.130.2/32 is directly connected, ppp0
C 10.10.10.101/32 is directly connected, ppp1
is directly connected, ppp1
C 30.30.30.31/32 is directly connected, ppp0
FGT-602803033467 # d ip route li
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->8.8.130.2/32 pref=30.30.30.31 gwy=0.0.0.0 dev=12(ppp0)
tab=254 vf=0 scope=0 type=1 proto=14 prio=10 0.0.0.0/0.0.0.0/0->172.18.9.85/32 pref=0.0.0.0 gwy=8.8.130.2 dev=12(ppp0)
tab=254 vf=0 scope=0 type=1 proto=14 prio=253 10.10.10.101/255.255.255.255/0->172.18.9.85/32 pref=0.0.0.0 gwy=8.8.130.2 dev=12(ppp0)
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=10.10.10.101 dev=13(ppp1)
FGT-602803033467 # d sniffer pack any icmp 4
interfaces=[any]
filters=[icmp]
1.792248 dmz in 8.8.110.21 -> 8.8.150.85: icmp: echo request
1.792308 ppp1 out 10.10.10.101 -> 8.8.150.85: icmp: echo request
1.796778 ppp1 in 8.8.150.85 -> 10.10.10.101: icmp: echo reply
1.796810 dmz out 8.8.150.85 -> 8.8.110.21: icmp: echo reply
2.793102 dmz in 8.8.110.21 -> 8.8.150.85: icmp: echo request
2.793144 ppp1 out 10.10.10.101 -> 8.8.150.85: icmp: echo request
Tuesday, June 24, 2008
1 comment:
Good stuff