Standalone LAC and client LAC coexisting: F1060 L2TP VPN typical network configuration case (Part 2)

FW1:
<H3C>sys
System View: return to User View with Ctrl+Z.
[H3C]sysname FW1
[FW1]int gi 1/0/3
[FW1-GigabitEthernet1/0/3]ip address 10.0.0.2 30
[FW1-GigabitEthernet1/0/3]des <connect to SW1>
[FW1-GigabitEthernet1/0/3]quit
[FW1]acl basic 2000
[FW1-acl-ipv4-basic-2000]rule 0 permit source any
[FW1-acl-ipv4-basic-2000]quit
[FW1]int gi 1/0/2
[FW1-GigabitEthernet1/0/2]des <connect to R1>
[FW1-GigabitEthernet1/0/2]ip address 202.2.100.2 30
[FW1-GigabitEthernet1/0/2]nat outbound 2000
[FW1-GigabitEthernet1/0/2]quit
[FW1]ip route-static 0.0.0.0 0.0.0.0 202.2.100.1
[FW1]int gi 1/0/4
[FW1-GigabitEthernet1/0/4]des <connect to ISP1>
[FW1-GigabitEthernet1/0/4]ip address 202.3.100.2 30
[FW1-GigabitEthernet1/0/4]nat outbound 2000
[FW1-GigabitEthernet1/0/4]quit
[FW1]ip route-static 202.103.224.0 255.255.255.0 202.3.100.1
[FW1]security-zone name trust
[FW1-security-zone-Trust]import interface GigabitEthernet 1/0/3
[FW1-security-zone-Trust]quit
[FW1]security-zone name Untrust
[FW1-security-zone-Untrust]import interface GigabitEthernet 1/0/2
[FW1-security-zone-Untrust]import interface GigabitEthernet 1/0/4
[FW1-security-zone-Untrust]quit
[FW1]acl basic 2001
[FW1-acl-ipv4-basic-2001]rule 0 permit source any
[FW1-acl-ipv4-basic-2001]quit
[FW1]
[FW1]zone-pair security source trust destination untrust
[FW1-zone-pair-security-Trust-Untrust]packet-filter 2001
[FW1-zone-pair-security-Trust-Untrust]quit
[FW1]
[FW1]zone-pair security source untrust destination trust
[FW1-zone-pair-security-Untrust-Trust]packet-filter 2001
[FW1-zone-pair-security-Untrust-Trust]quit
[FW1]
[FW1]zone-pair security source trust destination local
[FW1-zone-pair-security-Trust-Local]packet-filter 2001
[FW1-zone-pair-security-Trust-Local]quit
[FW1]
[FW1]zone-pair security source local destination trust
[FW1-zone-pair-security-Local-Trust]packet-filter 2001
[FW1-zone-pair-security-Local-Trust]quit
[FW1]
[FW1]zone-pair security source untrust destination local
[FW1-zone-pair-security-Untrust-Local]packet-filter 2001
[FW1-zone-pair-security-Untrust-Local]quit
[FW1]
[FW1]zone-pair security source local destination untrust
[FW1-zone-pair-security-Local-Untrust]packet-filter 2001
[FW1-zone-pair-security-Local-Untrust]quit

FW1 L2TP VPN LNS key configuration point 1 (for the tunnel to the standalone LAC):
[FW1]local-user weijianing class network
New local user added.
[FW1-luser-network-weijianing]password simple weijianing
[FW1-luser-network-weijianing]service-type ppp
[FW1-luser-network-weijianing]quit
[FW1]domain system
[FW1-isp-system]authentication ppp local
[FW1-isp-system]quit
[FW1]ip pool weijianing 172.16.1.2 172.16.1.254
[FW1]ip pool weijianing gateway 172.16.1.1
[FW1]int Virtual-Template 1
[FW1-Virtual-Template1]ip address 172.16.1.1 24
[FW1-Virtual-Template1]ppp authentication-mode chap domain system
[FW1-Virtual-Template1]remote address pool weijianing
[FW1-Virtual-Template1]quit
[FW1]security-zone name Untrust
[FW1-security-zone-Untrust]import interface Virtual-Template 1
[FW1-security-zone-Untrust]quit
[FW1]l2tp enable
[FW1]l2tp-group 1 mode lns
[FW1-l2tp1]tunnel authentication
[FW1-l2tp1]tunnel name LNS
[FW1-l2tp1]allow l2tp virtual-template 1 remote LAC
[FW1-l2tp1]tunnel password simple weijianing
[FW1-l2tp1]quit

FW1 L2TP VPN LNS key configuration point 2 (for the tunnel to the client LAC):
[FW1]local-user ninglihua class network
New local user added.
[FW1-luser-network-ninglihua]password simple ninglihua
[FW1-luser-network-ninglihua]service-type ppp
[FW1-luser-network-ninglihua]quit
[FW1]ip pool ninglihua 172.16.100.2 172.16.100.254
[FW1]ip pool ninglihua gateway 172.16.100.1
[FW1]int Virtual-Template 2
[FW1-Virtual-Template2]ip address 172.16.100.1 24
[FW1-Virtual-Template2]ppp authentication-mode chap domain system
[FW1-Virtual-Template2]remote address pool ninglihua
[FW1-Virtual-Template2]quit
[FW1]domain system
[FW1-isp-system]authentication ppp local
[FW1-isp-system]quit
[FW1]security-zone name Untrust
[FW1-security-zone-Untrust]import interface Virtual-Template 2
[FW1-security-zone-Untrust]quit
[FW1]l2tp enable
[FW1]l2tp-group 2 mode lns
[FW1-l2tp2]undo tunnel authentication
[FW1-l2tp2]tunnel name LNS
[FW1-l2tp2]allow l2tp virtual-template 2 remote h3c
[FW1-l2tp2]quit
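The two LNS groups above differ in one security-relevant setting: group 1 requires tunnel authentication with a shared password, while group 2 disables it, so only the LAC name and PPP CHAP stand between a peer and a session. As an added example (not code from the page or from H3C), the Python audit below parses the l2tp-group sections of a Comware-style config and reports both weaknesses; it assumes Comware's default of tunnel authentication being enabled, and the sample config is constructed from the session above with prompts stripped.

```python
import re

# Constructed sample: the two LNS groups from the FW1 session on this page,
# "[FW1-...]" prompts stripped, one command per line.
SAMPLE_CONFIG = """\
l2tp-group 1 mode lns
 tunnel authentication
 allow l2tp virtual-template 1 remote LAC
 tunnel password simple weijianing
 quit
l2tp-group 2 mode lns
 undo tunnel authentication
 allow l2tp virtual-template 2 remote h3c
 quit
"""
GROUP_RE = re.compile(r"l2tp-group (\d+) mode (\w+)")
ALLOW_RE = re.compile(r"allow l2tp virtual-template (\d+) remote (\S+)")

def parse_l2tp_groups(config: str) -> dict:
    """Per-group settings keyed by group id. Assumption: Comware enables tunnel
    authentication by default, so it stays True unless 'undo' appears."""
    groups, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := GROUP_RE.match(line):
            cur = groups[int(m.group(1))] = {"mode": m.group(2), "tunnel_auth": True,
                                             "password_type": None, "remote": None}
        elif line == "quit":
            cur = None
        elif cur is None:
            continue
        elif line == "undo tunnel authentication":
            cur["tunnel_auth"] = False
        elif line.startswith("tunnel password "):
            cur["password_type"] = line.split()[2]  # 'simple' = clear text in config
        elif m := ALLOW_RE.match(line):
            cur["remote"] = m.group(2)  # LAC tunnel name accepted by this group
    return groups

def audit_l2tp(config: str) -> list:
    findings = []
    for gid, g in sorted(parse_l2tp_groups(config).items()):
        if g["mode"] == "lns" and not g["tunnel_auth"]:
            findings.append(f"l2tp-group {gid}: tunnel authentication disabled; only the LAC "
                            f"name '{g['remote']}' gates tunnel setup. Enable 'tunnel authentication'.")
        elif g["password_type"] == "simple":
            findings.append(f"l2tp-group {gid}: tunnel password stored as 'simple' "
                            "(clear text in config); prefer 'tunnel password cipher'.")
    return findings
```

Run `audit_l2tp(SAMPLE_CONFIG)` against the sample to get one finding for each group; feeding it a `display current-configuration` dump works the same way because the parser ignores lines outside l2tp-group sections.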
