Dialup Fails in an L2TP over IPSec Scenario

Publication Date: 2015-04-01
Issue Description

IP address of the AR's uplink interface GE0/0/0:

Gateway address:

When users access the headquarters intranet from the external network over L2TP, IPSec is used to encrypt and protect the data flows. Dial-up access is therefore performed using L2TP over IPSec.

Main configuration on the AR:

#
ipsec proposal 1
#
ike peer xp v1
 exchange-mode aggressive
 pre-shared-key simple huawei
#
ipsec policy-template xptemp 2
 ike-peer xp
 proposal 1
#
ipsec policy xp 1 isakmp template xptemp
#
aaa
 local-user admin password cipher %$%$0(ywBGER!CR)4xR$K;=N>aJc%$%$
 local-user admin service-type ppp
#
interface Virtual-Template1
 ppp authentication-mode pap
 remote address pool lns
 ip address
#
interface GigabitEthernet0/0/0
 ip address
 ipsec policy xp
 nat outbound 3001
#
l2tp-group 1
 undo tunnel authentication
 allow l2tp virtual-template 1
#
ip route-static
#
Handling Process
The user fails to dial up. Check whether the IPSec and L2TP tunnels are successfully established.

1. The IPSec tunnel is not established on the AR. Run the display ike sa command: no IKE SA exists.

2. The scenario implies that a NAT device sits on the public network path. After consultation, it is confirmed that a NAT device does exist in the environment.

3. When a NAT device sits between the two IKE peers, no IPSec SA can be established unless NAT traversal is enabled in IPSec. The problem is solved by enabling NAT traversal in the IKE peer configuration.

Modified configuration:

#
ike peer xp v1
 exchange-mode aggressive
 pre-shared-key simple huawei
 nat traversal
#
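The handling process above boils down to one configuration check: every IKE peer that an interface's IPSec policy relies on must carry nat traversal when a NAT device sits on the path. The following script is an added example, not part of the case or of Huawei's tooling. It parses a VRP-style configuration (assumed layout: sections separated by lines containing only #, sub-commands indented by one space), follows the chain interface -> ipsec policy -> policy-template -> ike-peer, and reports in-use IKE peers that lack nat traversal. The embedded configurations are constructed from the case's before and after states.

```python
"""Lint a Huawei VRP-style configuration for in-use IKE peers without NAT traversal.

Added example; assumes the usual VRP layout ('#' separator lines, one-space
indented sub-commands). It is not the vendor's own tooling.
"""
import re

# Constructed sample: the relevant part of the AR configuration before the fix.
CONFIG_BEFORE = """\
#
ike peer xp v1
 exchange-mode aggressive
 pre-shared-key simple huawei
#
ipsec policy-template xptemp 2
 ike-peer xp
 proposal 1
#
ipsec policy xp 1 isakmp template xptemp
#
interface GigabitEthernet0/0/0
 ipsec policy xp
 nat outbound 3001
#
"""

# Constructed sample: the same configuration with NAT traversal enabled.
CONFIG_AFTER = CONFIG_BEFORE.replace(
    " pre-shared-key simple huawei\n",
    " pre-shared-key simple huawei\n nat traversal\n",
)


def parse_blocks(text):
    """Split a VRP configuration into (header, [sub-commands]) pairs."""
    blocks = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "#":
            current = None          # a '#' line closes the current section
            continue
        if line.startswith(" ") and current is not None:
            current[1].append(line.strip())
        else:
            current = (line.strip(), [])
            blocks.append(current)
    return blocks


def ike_peers_without_nat_t(text):
    """Names of 'ike peer' sections that do not contain 'nat traversal'."""
    missing = []
    for header, subs in parse_blocks(text):
        m = re.match(r"ike peer (\S+)", header)
        if m and "nat traversal" not in subs:
            missing.append(m.group(1))
    return missing


def ike_peers_in_use(text):
    """Map each IKE peer name to the interfaces whose IPSec policy relies on it."""
    template_peer = {}    # policy-template name -> ike peer name
    policy_template = {}  # ipsec policy name -> policy-template name
    iface_policy = {}     # interface name -> ipsec policy name
    for header, subs in parse_blocks(text):
        m = re.match(r"ipsec policy-template (\S+) \d+", header)
        if m:
            for s in subs:
                p = re.match(r"ike-peer (\S+)", s)
                if p:
                    template_peer[m.group(1)] = p.group(1)
            continue
        m = re.match(r"ipsec policy (\S+) \d+ isakmp template (\S+)", header)
        if m:
            policy_template[m.group(1)] = m.group(2)
            continue
        m = re.match(r"interface (\S+)", header)
        if m:
            for s in subs:
                p = re.match(r"ipsec policy (\S+)$", s)
                if p:
                    iface_policy[m.group(1)] = p.group(1)
    in_use = {}
    for iface, policy in iface_policy.items():
        peer = template_peer.get(policy_template.get(policy))
        if peer:
            in_use.setdefault(peer, []).append(iface)
    return in_use


def report(text):
    """IKE peers bound to an interface but lacking NAT traversal -> interfaces."""
    in_use = ike_peers_in_use(text)
    return {peer: in_use[peer]
            for peer in ike_peers_without_nat_t(text) if peer in in_use}


if __name__ == "__main__":
    print("before fix:", report(CONFIG_BEFORE))   # {'xp': ['GigabitEthernet0/0/0']}
    print("after fix: ", report(CONFIG_AFTER))    # {}
```

Run it against a saved display current-configuration output to get the same verdict the engineer reached by hand in step 3: before the fix, peer xp is bound to GigabitEthernet0/0/0 and has no nat traversal; after the fix, nothing is reported.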
If the initiator on a private network needs to establish an IPSec tunnel with a responder on the public network, and a NAT device sits between the two endpoints, NAT traversal must be enabled on the IKE peer before the IPSec tunnel can be established.
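To show why the tunnel cannot come up without NAT traversal, here is an added example (not from the case page) of the detection step IKEv1 NAT traversal performs, as specified in RFC 3947: each peer sends NAT-D payloads containing HASH(CKY-I | CKY-R | IP | Port) for its own address and for the address it believes the peer has; the receiver recomputes the hash from the address and port the packet actually arrived from, and a mismatch means a NAT rewrote the packet, so the peers move to UDP port 4500 and UDP-encapsulate ESP. SHA-1 is assumed as the negotiated hash, and the cookies and addresses are constructed sample values.

```python
"""IKEv1 NAT-D check (RFC 3947): detect a NAT between two IKE peers.

Added example, not vendor code. SHA-1 is assumed as the negotiated IKE hash;
cookies and addresses below are constructed sample values.
"""
import hashlib
import ipaddress
import struct

IKE_PORT = 500      # IKE before NAT is detected
NAT_T_PORT = 4500   # IKE and UDP-encapsulated ESP after NAT is detected


def nat_d_hash(cky_i, cky_r, ip, port):
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), RFC 3947 section 3.2."""
    data = (cky_i + cky_r
            + ipaddress.IPv4Address(ip).packed   # 4-byte address
            + struct.pack("!H", port))           # 2-byte port, network order
    return hashlib.sha1(data).digest()


def nat_detected(cky_i, cky_r, claimed_ip, claimed_port, observed_ip, observed_port):
    """Receiver side: compare the sender's NAT-D hash of its own address with a
    hash of the source address/port actually seen on the wire."""
    sent = nat_d_hash(cky_i, cky_r, claimed_ip, claimed_port)
    seen = nat_d_hash(cky_i, cky_r, observed_ip, observed_port)
    return sent != seen


def ike_port_after_detection(nat_anywhere):
    """With a NAT on the path the exchange moves to UDP 4500; otherwise it stays on 500."""
    return NAT_T_PORT if nat_anywhere else IKE_PORT


def run_case():
    """Constructed scenario: dial-up client on a private address behind a NAT,
    AR responder on a public address. Returns (nat_seen_by_ar, chosen_port)."""
    cky_i = bytes.fromhex("0102030405060708")   # initiator cookie (constructed)
    cky_r = bytes.fromhex("1112131415161718")   # responder cookie (constructed)
    client_private = ("192.168.1.10", IKE_PORT)   # what the client puts in NAT-D
    client_as_seen = ("203.0.113.5", 40000)       # what the AR sees after NAT
    nat = nat_detected(cky_i, cky_r, *client_private, *client_as_seen)
    return nat, ike_port_after_detection(nat)


if __name__ == "__main__":
    seen_nat, port = run_case()
    print("NAT detected by responder:", seen_nat)   # True
    print("IKE continues on UDP port:", port)       # 4500
```

Without nat traversal in the ike peer configuration the AR never sends or evaluates these payloads, the NAT's address rewrite goes unnoticed, and the negotiation fails exactly as display ike sa showed in step 1. With it enabled, the mismatch above is detected and the tunnel is completed on UDP 4500.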