
AR Router Troubleshooting Guide

This Product Documentation provides guidance for maintaining AR Enterprise Router, covering common information collection and fault diagnostic commands, typical fault troubleshooting guide, and troubleshooting.
Dialup Fails in an L2TP over IPSec Scenario

This section describes a case in which dialup fails in an L2TP over IPSec scenario.

Networking

  • IP address of the AR's uplink interface GE0/0/0: 10.29.234.50/31
  • Gateway address: 209.29.234.49/31

When users use L2TP to access the headquarters intranet from the external network, IPSec is used to encrypt and protect the data flows. Dialup access is therefore performed using L2TP over IPSec.

Main configuration on the AR:

#
ipsec proposal 1
#
ike peer xp v1
 exchange-mode aggressive
 pre-shared-key simple huawei
#
ipsec policy-template xptemp 2
 ike-peer xp
 proposal 1
#
ipsec policy xp 1 isakmp template xptemp
#
aaa 
 local-user admin password cipher %$%$0(ywBGER!CR)4xR$K;=N>aJc%$%$
 local-user admin service-type ppp
#
interface Virtual-Template1
 ppp authentication-mode pap 
 remote address pool lns
 ip address 10.0.0.241 255.255.255.240 
#
interface GigabitEthernet0/0/0
 ip address 10.29.234.50 255.255.255.248 
 ipsec policy xp
 nat outbound 3001
#
l2tp-group 1
 undo tunnel authentication
 allow l2tp virtual-template 1 
#
ip route-static 0.0.0.0 0.0.0.0 209.29.234.49
#

Fault Analysis

The user fails to dial up. Check whether the IPSec and L2TP tunnels are established successfully.

  1. The IPSec tunnel is not established on the AR: running the display ike sa command shows that no SA exists.
  2. The scenario suggests that a NAT device exists on the public network. After consultation, it is confirmed that a NAT device is present in the environment.
  3. When a NAT device sits between the peers, an IPSec SA cannot be established unless NAT traversal is configured. The problem is solved by configuring NAT traversal in the IKE peer.

Modified configuration:

#
ike peer xp v1
 exchange-mode aggressive
 pre-shared-key simple huawei
 nat traversal
#

Suggestion

When an initiator on a private network needs to establish an IPSec tunnel with a responder on a public network and a NAT device sits between the two endpoints, NAT traversal must be enabled before the IPSec tunnel can be established.
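To show what enabling NAT traversal actually adds to the IKE exchange, the following added example (not code from this guide or from Huawei) reproduces the RFC 3947 NAT-D check that IKEv1 peers perform: each side hashes the addresses and ports it knows, and a mismatch against what arrived on the wire reveals the NAT. The cookies, the client's private and translated addresses and the port numbers are constructed; only the AR's uplink address is taken from the case above.

```python
import hashlib
import ipaddress
import struct

def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_name: str = "sha1") -> bytes:
    """RFC 3947 NAT-D payload content: HASH(CKY-I | CKY-R | IP | Port).

    CKY-I/CKY-R are the 8-byte ISAKMP cookies of the phase 1 exchange, IP is
    the packed address and Port the 2-byte UDP port in network byte order.
    The hash is the one negotiated for the IKE SA (SHA-1 assumed here).
    """
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()

def detect_nat(cky_i, cky_r, initiator_claims, responder_claims, responder_observes, responder_local):
    """Return which side of the IKE exchange sits behind a NAT.

    The initiator sends two NAT-D payloads: a hash of the responder's
    address:port as it knows it, then a hash of its own address:port. The
    responder recomputes both from what it really sees (its own interface
    address:port and the received packet's source address:port). A mismatch
    on the first hash means the responder is behind a NAT; a mismatch on the
    second means the initiator is. Without NAT traversal these payloads are
    never sent, so neither side learns that ESP must be UDP-encapsulated.
    """
    nat_d_remote = nat_d_hash(cky_i, cky_r, *responder_claims)  # sent by initiator
    nat_d_local = nat_d_hash(cky_i, cky_r, *initiator_claims)   # sent by initiator
    return {
        "responder_behind_nat": nat_d_remote != nat_d_hash(cky_i, cky_r, *responder_local),
        "initiator_behind_nat": nat_d_local != nat_d_hash(cky_i, cky_r, *responder_observes),
    }

# Constructed sample values modelled on the case: a remote L2TP client on a
# private LAN dials the AR, and the NAT in between rewrites the client's
# source address and port. The cookies are constructed, not captured.
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")
CLIENT_PRIVATE = ("192.168.1.10", 500)   # constructed: what the client believes its address is
CLIENT_AS_SEEN = ("203.0.113.5", 41234)  # constructed: after NAT, as observed by the AR
AR_PUBLIC = ("10.29.234.50", 500)        # AR uplink address from the case above

def page_scenario():
    """NAT between initiator (client) and responder (AR): the initiator is behind NAT."""
    return detect_nat(CKY_I, CKY_R, CLIENT_PRIVATE, AR_PUBLIC, CLIENT_AS_SEEN, AR_PUBLIC)

def no_nat_scenario():
    """Same peers with no NAT in the path: both hashes verify, ESP can stay on IP protocol 50."""
    return detect_nat(CKY_I, CKY_R, CLIENT_PRIVATE, AR_PUBLIC, CLIENT_PRIVATE, AR_PUBLIC)

if __name__ == "__main__":
    print("page scenario:", page_scenario())
    print("no NAT       :", no_nat_scenario())
```

In the first scenario the AR would move the exchange and the ESP traffic to UDP port 4500, which is exactly the step the original configuration skipped.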

Updated: 2019-08-09

Document ID: EDOC1000079719