AR Router Troubleshooting Guide

This product documentation provides guidance for maintaining AR enterprise routers, covering common information collection and fault diagnostic commands and guidance on troubleshooting typical faults.

Remote Dial-Up Users Cannot Access External Resources After Connecting to the AR Router Through an L2TP over IPSec Tunnel

This section provides a troubleshooting case for the fault that remote dial-up users cannot access external resources after connecting to the AR router through an L2TP over IPSec tunnel.

Networking

RouterA configuration:

# 
l2tp enable 
# 
dns proxy enable 
 dns resolve   
# 
acl number 3000                            
 rule 5 deny udp destination-port eq 1701  
 rule 10 permit ip  
# 
ipsec proposal prop                                 
 encapsulation-mode transport                                                    
#                                                                                
ike proposal 5                                       
 encryption-algorithm aes-cbc-128    
 authentication-algorithm sha2-256  
# 
ike peer peer1 v1   
 pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%#
 ike-proposal 5 
 nat traversal                                                                 
# 
ipsec policy-template temp1 10                                                   
 ike-peer peer1                                                                  
 proposal prop                                                                   
# 
ipsec policy policy1 10 isakmp template temp1       
# 
ip pool 1    
 gateway-list 10.2.1.1   
 network 10.2.1.0 mask 255.255.255.0  
 dns-list 1.1.1.1 1.1.1.2 
#  
aaa    
 authentication-scheme l2tp  
 domain l2tp  
 authorization-scheme l2tp 
 local-user vpdnuser password cipher %^%#!~$GMN5Gj=j&f;)IjQ8\>~b\-1"i^b@~.)+,2gi9K%^%# 
 local-user vpdnuser privilege level 0                                           
 local-user vpdnuser service-type ppp
# 
interface Dialer1 
 link-protocol ppp 
 ppp chap user 26001916530 
 ppp chap password cipher %@%@U')L2]_HhR@A;$7)M)y*,.=0%@%@ 
 ppp pap local-user 26001916530 password cipher %@%@@>5J,;,lnIJhVTKhRlyM,.=!%@%@ 
 ppp ipcp dns admit-any 
 ppp ipcp dns request 
 nat outbound 3000  
#  
interface GigabitEthernet1/0/0                                                          
 ip address 1.1.1.2 255.255.255.0                                         
 ipsec policy policy1                                                           
# 
interface Virtual-Template1    
 ppp authentication-mode chap domain l2tp    
 remote address pool 1   
 ip address 10.2.1.1 255.255.255.0 
# 
interface GigabitEthernet1/0/0 
 pppoe-client dial-bundle-number 1 
# 
l2tp-group 1   
 undo tunnel authentication    
 allow l2tp virtual-template 1 
# 
return

Fault Description

After the configuration is complete, a remote user uses the dial-up software on the PC to connect to RouterA. The dial-up is successful, and service packets can be normally transmitted. However, the user cannot access external resources through the AR router in the headquarters.

Fault Analysis

  1. Check the L2TP over IPSec configuration on RouterA. Run the display l2tp tunnel command; the output shows that the L2TP dial-up tunnel is set up successfully. Run the display ike sa command; the output shows that the SA is set up successfully.
  2. Check the IP address pool configuration on RouterA. Run the display ip pool command; the output shows that the dns-list 1.1.1.1 1.1.1.2 command is configured.
  3. Check the DNS server address on the PC. The PC has failed to obtain the DNS server address from the IP address pool.
  4. The analysis shows that PPP dial-up differs from DHCP IP address allocation on an Ethernet network: the PC does not obtain the DNS server address from the IP address pool. Instead, it obtains the DNS server address from the virtual interface template.
  5. Add a DNS server address in the VT interface view to allow the remote user to access external resources using a domain name. After the ppp ipcp dns 1.1.1.1 1.1.1.2 command is configured in the VT interface view to set the DNS server address for the remote device, the problem is solved.

Procedure

The procedure is as follows:

<RouterA> system-view  
[RouterA] interface virtual-template 1
[RouterA-Virtual-Template1] ppp ipcp dns 1.1.1.1 1.1.1.2

Conclusions and Suggestions

The remote user dials up to connect to the L2TP VPN and uses the intranet bandwidth to access the Internet. That is, the network traffic flows from the PC to the AR router over the L2TP over IPSec tunnel, and the AR router forwards the traffic to the Internet after network address translation (NAT) on the same interface. The AR router also returns a packet containing DNS server IP address information to the PC. To allow the user to access external resources using the obtained DNS server IP address, you need to configure DNS according to the traffic flow.

When the AR router functions as the LNS, run the ppp ipcp dns primary-dns-address [ secondary-dns-address ] command in the VT interface view to set the DNS server IP address for the remote device. After the configuration, the remote user can access external resources using a domain name.
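The check below is an added example, not part of the original Huawei document: it audits a saved configuration for the fault described in this case, where an L2TP-bound Virtual-Template interface has no ppp ipcp dns command even though its address pool carries a dns-list. The function names and the trimmed sample configuration are constructed for illustration.

```python
import re

# Constructed sample: trimmed from the RouterA configuration above (before the fix).
SAMPLE_CONFIG = """\
ip pool 1
 network 10.2.1.0 mask 255.255.255.0
 dns-list 1.1.1.1 1.1.1.2
#
interface Virtual-Template1
 ppp authentication-mode chap domain l2tp
 remote address pool 1
#
l2tp-group 1
 allow l2tp virtual-template 1
#
return
"""

def parse_sections(config):
    """Map each top-level line (e.g. 'ip pool 1') to its indented sub-commands."""
    sections, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.strip() == "#":
            current = None
        elif line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        elif not line.startswith(" "):
            current = line
            sections.setdefault(current, [])
    return sections

def audit_lns_dns(config):
    """Return findings for VT interfaces bound to L2TP that push no DNS via IPCP."""
    sections = parse_sections(config)
    # Virtual-template numbers referenced by any l2tp-group
    vt_ids = {m.group(1) for name, cmds in sections.items() if name.startswith("l2tp-group")
              for c in cmds if (m := re.match(r"allow l2tp virtual-template (\d+)", c))}
    findings = []
    for vt in sorted(vt_ids):
        cmds = sections.get(f"interface Virtual-Template{vt}", [])
        if any(re.match(r"ppp ipcp dns \d", c) for c in cmds):
            continue  # DNS servers are offered to the client during IPCP
        pools = [c.split()[-1] for c in cmds if c.startswith("remote address pool ")]
        pool_dns = [p for p in pools
                    if any(c.startswith("dns-list ") for c in sections.get(f"ip pool {p}", []))]
        note = f" (dns-list in ip pool {', '.join(pool_dns)} is not delivered over PPP)" if pool_dns else ""
        findings.append(f"Virtual-Template{vt}: no 'ppp ipcp dns' configured{note}")
    return findings
```

Calling audit_lns_dns(SAMPLE_CONFIG) returns one finding for Virtual-Template1; the same configuration with ppp ipcp dns 1.1.1.1 1.1.1.2 added under the VT interface returns an empty list.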

Updated: 2019-05-10

Document ID: EDOC1000079719
