Configuration Examples for NE and ME60 Routers in Typical Enterprise Scenarios 2.0

This document provides NE series routers typical configuration examples.
Wireless Branch Access to the WAN (Using IPsec over L2TP)

L2TP provides remote access functions, and IPsec over L2TP ensures data transmission security.

Applicable Products and Versions

This solution applies to NE20E-S series routers running V800R008C10 or later.

Service Requirements

Business expansion at banks places new requirements on branches:
  • A large number of ATMs are spread over a wide area.
  • Bursty service requests from mobile counters require that service quality be guaranteed.
  • Deploying off-bank terminals such as ATMs is difficult and leased lines are expensive, so a more flexible and cost-efficient bank network is needed.
3G/LTE wireless access is the current trend in bank branch expansion:
  • Multiple carriers provide network support.
  • Deployment is flexible, management is easy, and signal quality is good.
  • Remote access without fixed lines is available at any time and in any place.
As shown in Figure 1-4, 3G/LTE wireless access provides the following two access solutions:
  • Normal branch: For cost reasons, most branches use a single leased line without a backup line. An LTE line can serve as the backup line and keeps the branch connected when the leased line fails.

  • Off-bank branch/Mobile bank: Leased lines cannot be deployed in some off-bank branches and cannot be used by mobile banks at all, so an LTE line serves as the main line for real-time data transmission.

Figure 1-4  Wireless branch access to the WAN

Solution Design

The branch access device serves as the IPsec gateway, and an IPsec tunnel is established between the access device and the LNS. The details are as follows:
  • The LTE line serves as the backup line of a normal branch or as the main access line of an off-bank branch/mobile bank. The off-bank branch router dials up to the carrier LAC, and the LAC authenticates it based on the APN, user name, and password.
  • Based on the APN, the LAC initiates L2TP tunnel establishment to the level-1 branch aggregation LNS. The LNS allocates a private network IP address to the branch access device, and the tunnel from the branch to the LNS is established.

Networking Requirements

As shown in Figure 1-5, the bank headquarters have branches in other cities, and Ethernet is deployed in branches.

The headquarters need to provide L2TP access for the branches and allow any branch user to access. Data exchanged between the branches and the headquarters needs to be encrypted to prevent data theft.

This is achieved by the following networking: Device A serves as the access device and uses PPP dial-up to initiate the PPP session and trigger L2TP tunnel establishment. After the L2TP tunnel is established, the LNS generates a route to Device A. Device A obtains an IP address and initiates IPsec tunnel establishment. Device A and the LNS then use the IPsec tunnel for secure transmission.

Figure 1-5  Networking for wireless branch access to the WAN
NOTE:

In this example, interface 1 and interface 2 represent GE 0/1/0 and GE 0/2/0, respectively.


In Figure 1-5, the device requirements are as follows:

  • Device A can initiate IKE negotiation to the LNS and can dial up using PPP.

  • Device A sends PPP connection requests through the LAC to the LNS. The LNS receives the PPP requests and allocates an IP address to Device A.

Configuration Roadmap

The encapsulation mode is tunnel mode, the authentication algorithm is SM3 and the encryption algorithm is SM4 (both approved by the State Password Administration Committee Office), and the integrity algorithm is HMAC-SHA2-256. The configuration roadmap is as follows:

  1. Configure IP addresses for interfaces between the LAC and LNS.

  2. Configure Device A to dial up using PPP.

  3. Configure the L2TP tunnel between the LAC and LNS.

  4. Configure the IPsec tunnel on Device A. Do as follows:
    • Configure ACLs to define data streams that need to be protected.

    • Configure the IKE proposal.

    • Configure the IKE peer.

    • Configure the IPsec proposal.

    • Configure the IPsec policy.

    • Apply the IPsec security policy to interfaces.

    • Configure the static route to divert traffic for IPsec.

  5. Configure the IPsec tunnel on the LNS. Do as follows:
    • Configure ACLs to define data streams that need to be protected.

    • Configure the IKE proposal.

    • Configure the IKE peer.

    • Configure the IPsec proposal.

    • Configure the IPsec policy.

    • Configure the IPsec service instance group.
    • Create and configure a tunnel interface.

    • Apply the IPsec policy to the tunnel interface.

    • Configure the static route to divert traffic for IPsec.

Data Preparations

To complete the configuration, you need the following data:

  • IP addresses of interfaces
  • PPP data, including the virtual template interface, AAA scheme, and BAS interface
  • L2TP data, including the L2TP group ID, remote IP address pool ID, range, and mask
  • IPsec data, including:
    • ACL ID

    • IP address segment for each network

    • Pre-shared key

    • Authentication algorithm used by the IKE proposal

    • Security protocol, encryption algorithm, and authentication algorithm used by the IPsec proposal

    • IP addresses of the tunnel interface

Procedure

  • Configure Device A.

    NOTE:
    To keep the example complete, the configuration of Device A is provided here. The actual configuration varies depending on the device used. The NE20E cannot serve as Device A.

    1. Configure the dial-up access group to allow all IPv4 packets to pass.

    dialer-rule
     dialer-rule 1 ip permit

    2. Create and configure a dial-up interface.

    interface Dialer1
     link-protocol ppp
     ppp chap user xxx@ipsec
     ip address ppp-negotiate
     dialer user huawei
     dialer bundle 1
     dialer-group 1

    3. Bind the dial-up interface to the physical interface and establish the PPPoE session.

    interface GigabitEthernet0/1/0
     pppoe-client dial-bundle-number 1

    4. Configure ACLs to define data streams that need to be protected.

    acl number 3600
     rule 5 permit ip source 172.16.1.1 0 destination 192.168.1.1 0
    5. Configure the IKE proposal and IKE peer.
    ike proposal 11
     encryption-algorithm sm4-cbc
     dh group2
     authentication-algorithm sm3
     integrity-algorithm hmac-sha2-256
    #
    ike peer pee1
     pre-shared-key cipher 1234567890
     ike-proposal 11
     remote-address 10.7.1.1
    6. Configure the IPsec tunnel.
    ipsec proposal 11
     esp authentication-algorithm sm3
     esp encryption-algorithm sm4
    #
    ipsec policy ply6 1 isakmp
     security acl 3600
     ike-peer pee1
     proposal 11
    #
    interface Dialer1
     ipsec policy ply6   //Bind the IPsec policy.
    7. Configure the traffic diverting route.
    ip route-static 10.7.1.1 255.255.255.0 Dialer1   //Divert traffic to the IPsec tunnel for encryption.
    ip route-static 192.168.1.1 255.255.255.255 Dialer1   //Divert the traffic encrypted by the IPsec tunnel to the actual physical egress.

  • Configure the LNS.

    1. Configure the IP address of the interface connecting to the LAC.

    interface GigabitEthernet0/1/0
     undo shutdown
     ip address 10.5.0.5 255.255.255.0
     undo dcn

    2. Define an IP address pool to allocate IP addresses to dial-up users.

    ip pool ipsec bas local
     gateway 10.9.0.1 255.255.255.0
     section 0 10.9.0.2 10.9.0.100

    3. Configure the virtual interface template.

    interface Virtual-Template0
     ppp authentication-mode auto

    4. Configure the domain of user access.

    aaa 
    #
     authentication-scheme s1
      authentication-mode none
    #
     authorization-scheme s1
      authorization-mode none
    #
     accounting-scheme s1
      accounting-mode none
    #
     domain 1
      authentication-scheme s1
      authorization-scheme s1
      accounting-scheme s1
      ip-pool ipsec

    5. Configure a loopback interface, and use the IP address as the L2TP tunnel address.

    interface LoopBack1
     ip address 172.19.19.19 255.255.255.255

    6. Configure the L2TP tunnel.

    l2tp-group l2tp-ipsec
     undo tunnel authentication
     allow l2tp Virtual-Template 0 remote ipsec
     tunnel password simple ipsec
     tunnel name ipsec
    #
    lns-group l2tp-ipsec
     bind slot 2
     bind source LoopBack1

    7. Configure ACLs to define data streams that need to be protected.

    acl number 3600
     rule 5 permit ip source 192.168.1.1 0 destination 172.16.1.1 0   //Mirror image of the ACL rule on Device A.

    8. Configure the IKE proposal and IKE peer.

    ike proposal 6
     encryption-algorithm sm4-cbc
     dh group2
     authentication-algorithm sm3
     integrity-algorithm hmac-sha2-256
    #
    ike peer pee1
     pre-shared-key cipher 1234567890
     ike-proposal 6   //Reference the IKE proposal defined above; the number must match.

    9. Configure the IPsec tunnel.

    ipsec proposal 11
     esp authentication-algorithm sm3
     esp encryption-algorithm sm4
    #
    ipsec policy-template temp1 1
     security acl 3600
     ike-peer pee1
     proposal 11
    #
    ipsec policy ply6 1 isakmp template temp1
    #
    service-location 1
     location slot 1
    #
    service-instance-group 1
     service-location 1
    #
    interface Tunnel0/0/1
     ip address 10.7.1.1 255.255.255.255
     tunnel-protocol ipsec
     ipsec policy ply6 service-instance-group 1   //Bind the IPsec policy.

    10. Configure the traffic diverting route.

    ip route-static 0.0.0.0 0.0.0.0 Tunnel0/0/1 10.5.0.4   //When the peer IP address is unknown, the default route can be used for traffic diverting.

  • Configure the LAC.

    1. Configure the IP address of the interface connecting to the LNS.

    interface GigabitEthernet0/2/0
     undo shutdown
     ip address 10.5.0.4 255.255.255.0
     undo dcn

    2. Configure the domain of user access.

    aaa 
    #
     authentication-scheme s1
      authentication-mode none
    #
     authorization-scheme s1
      authorization-mode none
    #
     accounting-scheme s1
      accounting-mode none
    #
     domain 1
      authentication-scheme s1
      authorization-scheme s1
      accounting-scheme s1
      ip-pool ipsec

    3. Configure the BAS interface so that users can go online.

    interface GigabitEthernet0/1/0
     undo shutdown
     bas
      access-type layer2-subscriber

    4. Configure a loopback interface and use the IP address as the L2TP tunnel address.

    interface LoopBack1
     ip address 172.18.18.18 255.255.255.255

    5. Configure the L2TP tunnel.

    l2tp-group l2tp-ipsec
     undo tunnel authentication
     tunnel name ipsec
     start l2tp ip 172.19.19.19 
     tunnel source LoopBack1

  • Verify the configuration.

    On Device A or LNS, run the display ike sa command to view the SA information.

    On Device A or LNS, run the display ip routing-table command to view information about the route to the peer through the tunnel interface.

    The networks at the two ends can then communicate with each other.
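As an added example (not Huawei's code and not part of this document), the following Python script performs the consistency check an engineer wants before running the display commands above: it parses VRP-style configuration blocks like the ones in the Device A and LNS tables (constructed copies embedded inline), verifies that every ACL, IKE proposal, IKE peer and IPsec proposal referenced by an IPsec policy is actually defined, compares the algorithms and pre-shared key the two ends would negotiate, checks that the security ACLs mirror each other, and flags a DH group below the script's own MIN_DH_GROUP threshold (an assumption of this example, not a setting from the document). The LNS_DRAFT variant is constructed with two deliberate copy-paste defects so that the checks have something to report.

```python
"""Cross-check the IKE/IPsec settings on the two ends of an IPsec tunnel.
Added example, not Huawei's code: parses VRP-style config blocks like the
ones in the tables above and runs the checks an engineer does before bringing
the tunnel up. Configs are constructed from the Device A and LNS tables; the
LNS_DRAFT variant carries two deliberate copy-paste defects."""
import re

MIN_DH_GROUP = 14  # example's own policy: 2048-bit MODP; "dh group2" (1024-bit) is flagged

DEVICE_A = """\
acl number 3600
 rule 5 permit ip source 172.16.1.1 0 destination 192.168.1.1 0
ike proposal 11
 encryption-algorithm sm4-cbc
 dh group2
 authentication-algorithm sm3
 integrity-algorithm hmac-sha2-256
ike peer pee1
 pre-shared-key cipher 1234567890
 ike-proposal 11
ipsec proposal 11
 esp authentication-algorithm sm3
 esp encryption-algorithm sm4
ipsec policy ply6 1 isakmp
 security acl 3600
 ike-peer pee1
 proposal 11
"""
# Draft LNS: the IKE proposal is numbered 6 but the peer still points at 11,
# and the ACL was copied from Device A unchanged instead of mirrored.
LNS_DRAFT = DEVICE_A.replace("ike proposal 11", "ike proposal 6").replace(
    "ipsec policy ply6 1 isakmp", "ipsec policy-template temp1 1")
LNS_FIXED = LNS_DRAFT.replace(" ike-proposal 11", " ike-proposal 6").replace(
    "source 172.16.1.1 0 destination 192.168.1.1 0",
    "source 192.168.1.1 0 destination 172.16.1.1 0")
ACL_RE = re.compile(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)")

def parse(text):
    """Return {(kind, name): [child lines]} for each top-level config block."""
    blocks, cur = {}, None
    for line in text.splitlines():
        if line.strip() in ("", "#"):
            continue
        if line.startswith(" "):
            blocks[cur].append(line.strip())
            continue
        w = line.split()  # "ipsec policy ply6 1 isakmp" -> ("ipsec policy", "ply6")
        cur = (" ".join(w[:2]), w[2] if len(w) > 2 else "")
        blocks[cur] = []
    return blocks

def attr(lines, key):
    """Value following `key` in a block, e.g. attr(prop, "dh") -> "group2"."""
    for l in lines:
        if l.startswith(key + " "):
            return l[len(key) + 1:].strip()
    return None

def resolve(cfg):
    """Follow policy -> ACL / IPsec proposal / IKE peer -> IKE proposal and
    return (findings, effective parameters this end would negotiate with)."""
    findings, eff = [], {}
    for kind, name in [k for k in cfg if k[0] in ("ipsec policy", "ipsec policy-template")]:
        body = cfg[(kind, name)]
        acl, peer, prop = (attr(body, k) for k in ("security acl", "ike-peer", "proposal"))
        if ("acl number", acl) not in cfg:
            findings.append(f"{kind} {name}: security acl {acl} is not defined")
        eff["acl"] = [m.groups() for m in map(ACL_RE.match, cfg.get(("acl number", acl), [])) if m]
        if ("ipsec proposal", prop) not in cfg:
            findings.append(f"{kind} {name}: ipsec proposal {prop} is not defined")
        else:
            eff["esp"] = tuple(attr(cfg[("ipsec proposal", prop)], k)
                               for k in ("esp encryption-algorithm", "esp authentication-algorithm"))
        if ("ike peer", peer) not in cfg:
            findings.append(f"{kind} {name}: ike-peer {peer} is not defined")
            continue
        eff["psk"] = attr(cfg[("ike peer", peer)], "pre-shared-key")  # comparable only as typed
        ikeprop = attr(cfg[("ike peer", peer)], "ike-proposal")
        if ("ike proposal", ikeprop) not in cfg:
            findings.append(f"ike peer {peer}: ike-proposal {ikeprop} is not defined")
            continue
        eff["ike"] = tuple(attr(cfg[("ike proposal", ikeprop)], k) for k in
                           ("encryption-algorithm", "authentication-algorithm", "integrity-algorithm", "dh"))
        if int(re.sub(r"\D", "", eff["ike"][3] or "0")) < MIN_DH_GROUP:
            findings.append(f"ike proposal {ikeprop}: dh {eff['ike'][3]} is below group{MIN_DH_GROUP}")
    return findings, eff

def cross_check(local_text, remote_text):
    """Lint each end, then compare what the two ends would actually negotiate."""
    f1, e1 = resolve(parse(local_text))
    f2, e2 = resolve(parse(remote_text))
    findings = [f"local: {f}" for f in f1] + [f"remote: {f}" for f in f2]
    for key, label in (("ike", "IKE proposal"), ("esp", "IPsec proposal"), ("psk", "pre-shared key")):
        if key in e1 and key in e2 and e1[key] != e2[key]:
            findings.append(f"{label} differs: {e1[key]} vs {e2[key]}")
    mirrored = {(d, dw, s, sw) for s, sw, d, dw in e2.get("acl", [])}  # remote rules, swapped
    for rule in e1.get("acl", []):
        if rule not in mirrored:
            findings.append(f"security acl rule {rule} has no mirror on the remote end")
    return findings
```

Calling cross_check(DEVICE_A, LNS_DRAFT) reports the dangling ike-proposal reference and the non-mirrored ACL, while cross_check(DEVICE_A, LNS_FIXED) leaves only the DH-group finding on each end. The pre-shared key comparison is meaningful only on the configuration as typed: once the device has stored it, the cipher form shown by the running configuration is device-specific and differs between the two ends even when the keys match.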

Updated: 2019-05-16

Document ID: EDOC1000120969
