
PAP (ENCRYPTION) CAN ONLY BE USED FOR LDAP AUTHENTICATION IN L2TP OVER IPSEC VPN

Publication Date:  2015-10-26
Issue Description

When remote-access users of an L2TP over IPsec VPN are authenticated against AD/LDAP, only PAP (unencrypted password) can be used as the PPP authentication protocol; with CHAP negotiated, authentication fails.

BACKGROUND:

Enterprise customer XX purchased a Huawei IP solution to replace its existing Cisco network, and the following fully redundant design was finalized.

1-      Gateway Router: The ADSL and leased-line uplinks were terminated on the Mushroom gateway router.

2-      DMZ Switches: Because the Mushroom router has only a small number of ports, two stacked switches were placed between the firewalls and the router for full redundancy.

3-      Firewalls: Two firewalls in VRRP provide full redundancy and terminate the L2TP over IPsec VPN for remote clients, who are authenticated via LDAP.

4-      Core Switches: Two core switches in a CSS cluster provide a fully redundant core.

5-      Access Switches: Access switches with 10G uplinks were used.

 

TECHNICAL CHALLENGE:

The customer wanted LDAP authentication for the L2TP over IPsec client VPN users. The VPN was configured in the conventional way, with both CHAP and PAP enabled on the client side as described in Hedex.

 

FIREWALL CONFIGURATION FOR L2TP OVER IPSEC VPN:

#
 l2tp enable
 l2tp domain suffix-separator @
#
ldap-server template smcldap
 ldap-server authentication 172.16.23.194 389
 ldap-server authentication 172.16.23.184 389 secondary
 ldap-server authentication base-dn DC=SMC,DC=LOCAL
 ldap-server authentication manager cn=Administrator,cn=users %$%$w5%X"mrDMWYN_^96RgW2)<3*%$%$ %$%$w5%X"mrDMWYN_^96RgW2)<3*%$%$
 ldap-server group-filter ou=SHJMAIL
 ldap-server user-filter sAMAccountName
 ldap-server ip-address-filter VIP mask-filter VIPMask
 ldap-server server-type ad
#
acl number 3001
 rule 5 permit udp source-port eq 1701
 rule 10 permit udp destination-port eq 1701
#
ike proposal 1
 authentication-algorithm sha2-256
 integrity-algorithm aes-xcbc-96 hmac-sha2-256
#
ike peer ike211011183182
 exchange-mode auto
 pre-shared-key %$%$Ba6372b43,=Bfq%$n{},3=4+%$%$
 ike negotiate compatible
 ike-proposal 1
 remote-id-type none
#
ipsec proposal prop21101118318
 encapsulation-mode auto
 esp authentication-algorithm sha2-256
#
ipsec proposal ol
 esp authentication-algorithm sha2-256
#
ipsec policy-template tpl211011183182 1
 security acl 3001
 ike-peer ike211011183182
 alias L2TP_IPSEC
 scenario point-to-multipoint l2tp-user-access
 proposal prop21101118318
 local-address "Public IP"
 reverse-route enable
 sa duration traffic-based 200000000
 sa duration time-based 3600
#
ipsec policy ipsec2110111831 10000 isakmp template tpl211011183182
#
interface Virtual-Template0
 ppp authentication-mode chap pap
 alias L2TP_LNS_0
 ip address 172.16.36.5 255.255.255.0
 remote address pool 1
 undo service-manage enable
#
l2tp-group 1
 undo tunnel authentication
 allow l2tp virtual-template 0 domain smc.local
#
aaa
 domain smc.local
  description smc.local
  authentication-scheme ldap
  ldap-server smcldap
  service-type access internet-access
  ip pool 1 172.16.36.10 172.16.36.200
  reference user current-domain
  new-user add-local group /smc.local
 #

WINDOWS L2TP OVER IPSEC VPN CLIENT CONFIGURATION

 

After configuring the firewall and the VPN client, we were unable to connect to the VPN: the IPsec tunnel came up, but PPP authentication of the L2TP session failed.

 

FINAL SOLUTION:

After some experimentation we found that, with LDAP authentication, only PAP works as the PPP authentication protocol. The firewall authenticates an LDAP user by binding to AD with the user's name and password, and a bind needs the cleartext password. PAP delivers exactly that. CHAP delivers only an MD5 digest of the identifier, the password and the server's challenge; the firewall cannot recompute that digest without the cleartext password, and the directory will not hand the password out, so the response cannot be verified. Because the virtual template lists CHAP first (ppp authentication-mode chap pap) and the client allowed both protocols, CHAP was negotiated and authentication failed. Restricting the Windows client to "Unencrypted password (PAP)" makes it reject the CHAP proposal, the LNS falls back to PAP, and the LDAP bind succeeds.

CONCLUSION

When VPN users are authenticated against AD/LDAP by bind, only PAP can be selected as the authentication protocol in the Security tab of the VPN client, because the directory can only check a cleartext password.

Two caveats follow from this:

1-      PAP carries the password in cleartext inside PPP. In this design that is acceptable only because the L2TP session (UDP 1701, matched by ACL 3001) runs inside IPsec ESP; PAP must never be allowed over unprotected L2TP.

2-      If the authentication back end can be changed so that it can verify a challenge/response, for example by authenticating against AD through a RADIUS server instead of an LDAP bind, then CHAP (or MS-CHAPv2) is recommended over PAP.

Note also that the sample configuration binds to the directory as cn=Administrator; since that password sits in the firewall configuration, a dedicated read-only bind account with no domain privileges should be used instead.
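To make the reason concrete, the following Python script is an added example (not code from the original page or from Huawei). It simulates an LDAP simple bind over a constructed two-user directory and shows that an LNS whose only back end is that bind can verify a PAP password but cannot verify a CHAP response (RFC 1994, MD5), while a back end that holds the cleartext secret can. The user names and passwords are made up.

```python
"""PAP vs CHAP when the only authentication back end is an LDAP bind.

Added example, not part of the original page or of Huawei's code. The
directory below is constructed sample data; ldap_simple_bind() stands in
for the firewall binding to AD with the user's credentials.
"""
import hashlib
import secrets

# Constructed sample directory. The LNS never reads this table; it can only
# ask the server "does user X bind with password Y?".
SAMPLE_DIRECTORY = {
    "alice": "Wint3r-Pass!",
    "bob": "s3cret-bob",
}


def ldap_simple_bind(username: str, password: str) -> bool:
    """Simulated LDAP simple bind: succeeds only with the user's cleartext password."""
    stored = SAMPLE_DIRECTORY.get(username)
    if stored is None:
        return False
    return secrets.compare_digest(stored.encode(), password.encode())


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


def lns_verify_pap(username: str, password: str) -> bool:
    """PAP: the client sends user name and cleartext password; the LNS binds with them."""
    return ldap_simple_bind(username, password)


def lns_verify_chap_via_ldap(username: str, identifier: int,
                             challenge: bytes, response: bytes) -> bool:
    """CHAP when the LNS can only bind: it holds a 16-byte digest, not the password.

    The directory will not hand out the stored secret, so the LNS cannot
    recompute the expected digest. The best it can do is try the digest as a
    bind password, which fails even for a client that answered correctly.
    This is the failure seen on the page when CHAP was negotiated.
    """
    return ldap_simple_bind(username, response.hex())


def lns_verify_chap_with_secret(stored_secret: str, identifier: int,
                                challenge: bytes, response: bytes) -> bool:
    """CHAP with a back end that holds the cleartext (or reversibly encrypted) secret."""
    expected = chap_response(identifier, stored_secret, challenge)
    return secrets.compare_digest(expected, response)


def run_demo(username: str, password: str,
             challenge: bytes = b"\x01" * 16, identifier: int = 1) -> dict:
    """Drive both protocols for one user and report which checks succeed."""
    response = chap_response(identifier, password, challenge)
    return {
        "pap_via_ldap": lns_verify_pap(username, password),
        "chap_via_ldap": lns_verify_chap_via_ldap(username, identifier, challenge, response),
        "chap_with_cleartext_backend": lns_verify_chap_with_secret(
            SAMPLE_DIRECTORY.get(username, ""), identifier, challenge, response),
    }


if __name__ == "__main__":
    print(run_demo("alice", "Wint3r-Pass!"))
    # {'pap_via_ldap': True, 'chap_via_ldap': False, 'chap_with_cleartext_backend': True}
    print(run_demo("alice", "wrong"))
    # {'pap_via_ldap': False, 'chap_via_ldap': False, 'chap_with_cleartext_backend': False}
```

The same asymmetry applies to any challenge/response scheme (including MS-CHAPv2): the verifier needs the secret, or a key derived from it, on its side, which an LDAP bind never exposes. That is why the page's recommendation to prefer CHAP only holds when the back end is changed to one that can compute the expected response.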


END