FAQ---How to configure site-to-site L2TP over IPSEC between an AR19-10 and a USG firewall

Publication Date:  2014-12-01 Views:  928 Downloads:  0
Issue Description
Hello,

I recently had a case in which a customer had trouble configuring an L2TP over IPSec tunnel between a second-generation AR, the AR19-10, and a USG.

As you probably know, the AR19-10 is at the end of production and its product documentation is not so easy to find. Given that the configuration on this router is slightly different from that on the AR G3, I would like to post a configuration example for the scenario described in the title.

As shown in the picture below, the enterprise branch and HQ are connected by one USG and one AR19-10. The networking requirements are as follows:
An L2TP tunnel can be established between the USG2000 and the AR19-10, and the data between the two networks is encrypted by IPSec.
The enterprise branch network (192.168.10.0/24) is connected to vlanif 1 on the AR19-10.
The HQ network (192.168.2.0/24) is connected to vlanif 1 on the firewall.
The USG2000 and the AR19-10 are reachable to each other.
Solution

As described in the documentation, the configuration roadmap is:

Complete the basic interface, interzone packet filtering, and routing configurations on each gateway.
On the LAC and LNS, set the L2TP parameters such as creating the virtual interface template and setting L2TP group parameters.
On the LAC and LNS, create a user name and set the password for mobile employees. On the LNS, create an IP address pool to assign IP addresses to mobile employees.
Create an advanced ACL on both endpoints to define the data flow to be protected, namely, the data between Network A and Network B.
On USG_A and AR19-10, configure the IPSec proposal, IKE proposal, and IKE peer.

After the configuration is made following this roadmap and the configuration example of an AR G3, we would see that the tunnel cannot be established. The difference between the AR G3 and the AR19-10 is that the AR19-10 configured as LAC needs one more command under the virtual-template view. Even though we configure the authentication mode on the LNS and set the user and password with the ppp chap commands, we still need to specify the authentication mode on the LAC as well: ppp authentication-mode chap


The L2TP-related configuration of both devices is below:

LNS (USG):
interface Ethernet2/0/0
 ip address 1.1.1.1 255.255.255.0
#
interface Virtual-Template1
 ppp authentication-mode chap
 ip address 192.168.1.1 255.255.255.0
 remote address pool 1
#
l2tp-group 1
 allow l2tp virtual-template 1 remote lac
 tunnel password cipher %$%$Ep,nAPTRW>G0gh0^Jak@0H~6%$%$
 tunnel name lns
#
aaa
 local-user huawei password cipher %$%$sYZ.SzL[M'.~F*T/lSS>q_VM%$%$
 local-user huawei service-type ppp
 ip pool 1 192.168.1.2 192.168.1.100


LAC (AR19-10):

l2tp-group 1
 tunnel password cipher $c$3$YElpxswlaXQGIJMZzrTKEanDS0/RqvomQyuedbM=
 tunnel name lac
 start l2tp ip 1.1.1.1 fullusername huawei
#
interface Ethernet1/0
 port link-mode route
 ip address 2.2.2.2 255.255.255.0
#
interface Virtual-Template1
 ppp authentication-mode chap
 ppp chap user huawei
 ppp chap password cipher $c$3$mrAm2tX6fWVQ+IUt4jM6Ar7+7RvYX9RNMlYP6BI=
 l2tp-auto-client enable
 ip address ppp-negotiate
#
interface NULL0
#
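The pitfall described above (an AR19-10 LAC whose Virtual-Template has the ppp chap user and password but no ppp authentication-mode chap) is easy to spot in a config review before the tunnel is ever brought up. The following script is an added example, not Huawei code or anything from the original post: it splits a VRP-style configuration into its "#"-separated sections and lints the L2TP parts, flagging a LAC Virtual-Template with l2tp-auto-client enable that lacks ppp authentication-mode chap, an LNS l2tp-group whose referenced Virtual-Template or address pool is missing, and any password line that is not stored as cipher text. The embedded sample configurations are constructed from the post's LAC and LNS excerpts with placeholder cipher values; the function names and the "<placeholder>" strings are this example's own.

```python
import re
from typing import Dict, List

# Constructed sample: the LAC config from the post without the
# "ppp authentication-mode chap" line, i.e. the state in which the
# tunnel did not come up. Cipher values are placeholders.
LAC_MISSING_AUTH = """\
l2tp-group 1
 tunnel password cipher <placeholder>
 tunnel name lac
 start l2tp ip 1.1.1.1 fullusername huawei
#
interface Ethernet1/0
 port link-mode route
 ip address 2.2.2.2 255.255.255.0
#
interface Virtual-Template1
 ppp chap user huawei
 ppp chap password cipher <placeholder>
 l2tp-auto-client enable
 ip address ppp-negotiate
#
"""

# Constructed sample: the LNS config from the post, cipher values replaced.
LNS_OK = """\
interface Virtual-Template1
 ppp authentication-mode chap
 ip address 192.168.1.1 255.255.255.0
 remote address pool 1
#
l2tp-group 1
 allow l2tp virtual-template 1 remote lac
 tunnel password cipher <placeholder>
 tunnel name lns
#
aaa
 local-user huawei password cipher <placeholder>
 local-user huawei service-type ppp
 ip pool 1 192.168.1.2 192.168.1.100
#
"""


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Split VRP-style text on '#' lines; the first line of each block is its header."""
    sections: Dict[str, List[str]] = {}
    block: List[str] = []
    for raw in config.splitlines() + ["#"]:   # trailing "#" flushes the last block
        line = raw.strip()
        if line == "#":
            if block:
                sections[block[0]] = block[1:]
            block = []
        elif line:
            block.append(line)
    return sections


def lint_l2tp(config: str, role: str) -> List[str]:
    """Return a list of findings for a LAC ('lac') or LNS ('lns') configuration."""
    findings: List[str] = []
    sections = parse_sections(config)

    # Any password line (tunnel, chap, local-user) should be stored as cipher text.
    for header, lines in sections.items():
        for line in [header] + lines:
            if " password " in line and " cipher " not in line:
                findings.append(f"{header}: password not stored as cipher: {line}")

    vts = {h: l for h, l in sections.items() if h.startswith("interface Virtual-Template")}

    if role == "lac":
        for header, lines in vts.items():
            if "l2tp-auto-client enable" not in lines:
                continue   # not the template that dials the tunnel
            if "ppp authentication-mode chap" not in lines:
                findings.append(f"{header}: LAC is missing 'ppp authentication-mode chap'")
            if not any(l.startswith("ppp chap user ") for l in lines):
                findings.append(f"{header}: missing 'ppp chap user'")
            if not any(l.startswith("ppp chap password ") for l in lines):
                findings.append(f"{header}: missing 'ppp chap password'")

    elif role == "lns":
        aaa = sections.get("aaa", [])
        for header, lines in sections.items():
            if not header.startswith("l2tp-group"):
                continue
            for line in lines:
                m = re.match(r"allow l2tp virtual-template (\d+)", line)
                if not m:
                    continue
                vt = f"interface Virtual-Template{m.group(1)}"
                if vt not in sections:
                    findings.append(f"{header}: references missing {vt}")
                elif not any(x.startswith("ppp authentication-mode") for x in sections[vt]):
                    findings.append(f"{vt}: LNS has no 'ppp authentication-mode'")
        for header, lines in vts.items():
            for line in lines:
                m = re.match(r"remote address pool (\S+)", line)
                if m and not any(x.startswith(f"ip pool {m.group(1)} ") for x in aaa):
                    findings.append(f"{header}: address pool {m.group(1)} not defined under aaa")

    return findings


if __name__ == "__main__":
    for name, cfg, role in (("LAC", LAC_MISSING_AUTH, "lac"), ("LNS", LNS_OK, "lns")):
        print(name, lint_l2tp(cfg, role) or ["no findings"])
```

Run against the constructed LAC sample the script reports exactly the missing ppp authentication-mode chap on Virtual-Template1; adding that line under the template clears the finding, matching the fix in the post. The LNS sample passes clean.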

Result:

[1910]dis l2tp tunnel
Total tunnel = 1

LocalTID RemoteTID RemoteAddress    Port   Sessions RemoteName
1        1         1.1.1.1          1701   1        lns

[FW]dis l2tp tunnel
17:11:10  2014/11/19
Total tunnel = 1
LocalTID RemoteTID RemoteAddress    Port   Sessions RemoteName
1        1         2.2.2.2          1701   1        lac
