Web: Example for Configuring Mobile Office Users Accessing the Enterprise Intranet Using the SecoClient Through the L2TP over IPSec VPN Tunnel (Using USB Key Digital Signature Certificate Authentication)
This section describes how to configure related data so that mobile office users can use the SecoClient to access the enterprise intranet through the L2TP over IPSec VPN tunnel after USB key digital signature certificate authentication.
Networking Requirements
Figure 3-4 shows the network topology. An enterprise has the following requirements: Mobile office users access intranet resources through the L2TP over IPSec VPN tunnel and use the USB key digital signature certificate for identity authentication.
Data Planning
| Item | Data |
|---|---|
| Interface | Interface: GigabitEthernet 1/0/1; IP address: 1.1.1.1/24; Security zone: Untrust |
| Interface | Interface: GigabitEthernet 1/0/2; IP address: 10.1.1.1/24; Security zone: Trust |
| L2TP configuration | User name: user0001; Password: Password@123; Address pool: 172.16.1.1 to 172.16.1.100; Tunnel authentication password: Hello@123. NOTE: If the intranet server IP address and the IP addresses in the address pool are on different subnets, configure a route to the address pool on the intranet server. |
| IPSec configuration | Establishment mode: policy template; Authentication mode: RSA signature (USB key digital signature certificate authentication); Local ID: DN (subject); Peer ID: any peer ID; Security protocol: ESP; IKE authentication algorithm: SHA1; IKE encryption algorithm: AES-256; ESP authentication algorithm: SHA2-256; ESP encryption algorithm: AES-256; DH group: Group5 |
| Mobile office user (SecoClient) | User name: user0001; Password: Password@123. NOTE: The L2TP/IPSec connection parameter settings on the SecoClient must be consistent with those on the FW. Otherwise, the connection cannot be established. |
Configuration Roadmap
- Configure basic data of the FW, including interfaces, security policies, and routes.
- Configure the FW to apply for local and CA certificates in online mode using SCEP.
- Configure L2TP over IPSec on the FW, including creating users, address pools, L2TP groups, and IPSec policies.
- Configure the SecoClient on the PC of the mobile office user and insert the USB key for authentication.
Procedure
- Set an IP address for each interface, assign interfaces to security zones, and complete basic parameter settings.
Choose the interface configuration page, click the edit icon corresponding to GE1/0/1 and GE1/0/2, set parameters as follows, and click OK.

| Parameter | GE1/0/1 | GE1/0/2 |
|---|---|---|
| Interface Name | GE1/0/1 | GE1/0/2 |
| Zone | untrust | trust |
| IP Type | IPv4 | IPv4 |
| IP Address | 1.1.1.1/24 | 10.1.1.1/24 |
| Access Management | HTTPS, Ping | HTTPS, Ping |
- Configure interzone security policies.
Choose the security policy page, click Add Security Policy, configure an interzone policy based on the following parameter settings, and click OK.
# Configure an Untrust -> Local policy to allow mobile office users to establish an IPSec tunnel to the headquarters.

| Parameter | Value |
|---|---|
| Name | l2tpipsec_ul |
| Source Zone | untrust |
| Destination Zone | local |
| Destination Address/Region | 1.1.1.1/24 |
| Action | Permit |

# Configure a Trust -> Untrust policy to allow the headquarters to initiate access to mobile office users.

| Parameter | Value |
|---|---|
| Name | l2tpipsec_tu |
| Source Zone | trust |
| Destination Zone | untrust |
| Source Address/Region | 10.1.2.0/24 |
| Destination Address/Region | 172.16.1.1-172.16.1.100 |
| Action | Permit |

# Configure an Untrust -> Trust policy to allow mobile office users to initiate access to the headquarters.

| Parameter | Value |
|---|---|
| Name | l2tpipsec_ut |
| Source Zone | untrust |
| Destination Zone | trust |
| Source Address/Region | 172.16.1.1-172.16.1.100 |
| Destination Address/Region | 10.1.2.0/24 |
| Action | Permit |
- Choose the static route page, click Add, configure the route to the Internet based on the following parameter settings, and click OK.
In the example, the next-hop IP address from the FW to the Internet is 1.1.1.2.

| Parameter | Value |
|---|---|
| Destination Address/Mask | 0.0.0.0/0.0.0.0 |
| Next Hop | 1.1.1.2 |
- Configure the FW to apply for a local certificate in online mode using SCEP and upload the local certificate and CA certificate to the FW.
During local certificate application, the IP address in the application file must be set to the IP address used by the FW when the IPSec tunnel is established.
For details about how to apply for a local certificate in online mode using SCEP and upload the local certificate and CA certificate, see the Firewall Configuration Guide.
- Choose the address pool page, click Add, create the address pool pool0, and click OK.
In the example, Pool Range is set to 172.16.1.1-172.16.1.100.
- Choose the authentication domain page, click Add, create the authentication domain domain0, and click OK.
- Choose the user management page, configure user management data, and click Apply.
- Select L2TP/L2TP over IPSec for Scenario and Local for User Location.
- In the User Management List area, click Add. Create a user and click OK.
In the example, User Name is set to user0001 and Password to Password@123.
- In the Advanced Settings area, select User Address Pool pool0.
- Choose the L2TP over IPSec VPN page and configure L2TP over IPSec VPN.
In the IPSec Policy List area, click Add. Create an IPSec policy and click Apply.
- Set Scenario to Site-to-multisite and Peer Type to L2TP over IPSec Client.
- Set parameters in Basic Configuration as follows. In the example, Authentication Type is set to RSA signature and Local ID to DN (Subject).
When setting Certificate, select the imported local certificate from the certificate drop-down list.
- Set parameters in Dial-Up User Configuration as follows. In the example, L2TP Authentication is set to PAP and IP Address Pool to the created pool0.
- In the Data Flow to Encrypt area, click Add. Create a data flow rule based on the following parameter settings, and click OK.
- Configure an IPSec proposal. The algorithm configured in the FW IPSec proposal must be the same as that configured on the peer SecoClient. Otherwise, negotiation fails and the tunnel cannot be established.
- Choose the L2TP configuration page, click the default group name default-lns in L2TP Group List, configure the L2TP group, and click OK.
Enable Tunnel Password Authentication. In the example, Peer Tunnel Name is set to tunnel and Password to Hello@123. Tunnel Name set on the peer SecoClient must be the same as Peer Tunnel Name here. Otherwise, the L2TP authentication fails and the connection cannot be established.
- Configure a route for the traffic from the headquarters gateway to the L2TP address pool.
The headquarters gateway can communicate with mobile office users only when it has a route to the L2TP address pool. The next hop of the route must be the address of the LAN interface on the FW.
- Configure the SecoClient at the mobile office user side.
- Download the CA certificate from the PC, and apply for and install the user (client) certificate.
- Export the user (client) certificate in .pfx format from the PC, insert the USB key, and import the certificate into the USB key.
For details about how to import and install a certificate in the USB key, see the related guide of the USB key.
- Start the SecoClient. The main window is displayed.
Select New Connection from the Connect drop-down list.
- Set L2TP VPN connection parameters.
In the New Connection dialog box, select L2TP/IPSec from the left navigation tree and set connection parameters.
- Configure IPSec.
- Log in to the L2TP over IPSec VPN gateway.
- Insert the USB key into the USB port of the terminal.
- Select the created L2TP over IPSec VPN connection from the Connect drop-down list, and click Connect.
- In the login dialog box, enter the user name and password, and select the identified USB key certificate.
- Click Login to initiate a VPN connection.
If the VPN connection is successful, a message is displayed in the lower right corner of the page.
After the connection is set up, mobile office users can access intranet resources as enterprise intranet users.
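The procedure above requires the SecoClient's IKE/IPSec algorithm settings to match the FW's proposals exactly, or negotiation fails. The following added check (not part of this guide or of the SecoClient/FW products) parses the proposal blocks from a VRP-style configuration script like the one under Configuration Scripts and compares them with a constructed dictionary of client-side values; the excerpt and client dictionaries are constructed sample data.

```python
# Added example (not from the guide): compare the SecoClient's IKE/IPSec settings
# with the FW's proposals so a mismatch is spotted before negotiation fails.
# Constructed excerpt of the FW script (VRP syntax): top-level commands start at
# column 0, sub-commands are indented by one space, "#" separates blocks.
FW_CONFIG = """\
ipsec proposal prop0
 encapsulation-mode auto
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal 10
 encryption-algorithm aes-256
 dh group5
 authentication-algorithm sha2-256
 authentication-method rsa-signature
#
"""
# Constructed client-side settings: CLIENT_OK mirrors the FW, CLIENT_BAD uses SHA1 for ESP.
CLIENT_OK = {"ike_encryption": "aes-256", "ike_authentication": "sha2-256",
             "dh_group": "group5", "auth_method": "rsa-signature",
             "esp_authentication": "sha2-256", "esp_encryption": "aes-256"}
CLIENT_BAD = dict(CLIENT_OK, esp_authentication="sha1")

def parse_blocks(config):
    """Return {block header: {keyword: value}} for every indented VRP block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("#"):
            current = None
        elif not line.startswith(" "):
            current = line.strip()
            blocks[current] = {}
        elif current is not None:
            # the last token is the value: "esp authentication-algorithm sha2-256"
            key, _, value = line.strip().rpartition(" ")
            blocks[current][key] = value
    return blocks

def check_peer_settings(config, client):
    """List each parameter whose client value differs from the FW proposal."""
    blocks = parse_blocks(config)
    ike = next(v for k, v in blocks.items() if k.startswith("ike proposal"))
    ipsec = next(v for k, v in blocks.items() if k.startswith("ipsec proposal"))
    fw = {"ike_encryption": ike["encryption-algorithm"],
          "ike_authentication": ike["authentication-algorithm"],
          "dh_group": ike["dh"], "auth_method": ike["authentication-method"],
          "esp_authentication": ipsec["esp authentication-algorithm"],
          "esp_encryption": ipsec["esp encryption-algorithm"]}
    return [f"{k}: FW={v} client={client.get(k)}" for k, v in fw.items() if client.get(k) != v]
```

Run `check_peer_settings` against the exported FW configuration and the values entered in the SecoClient connection dialog before dialing; an empty list means the proposals agree.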
Verification
Choose the VPN monitoring page and view information in L2TP Tunnel Monitoring. You can find that the user user0001 has logged in successfully.
Configuration Scripts
```
#
 sysname FW
#
 l2tp enable
#
acl number 3000
 rule 5 permit udp source-port eq 1701
#
ipsec proposal prop0
 encapsulation-mode auto
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal 10
 encryption-algorithm aes-256
 dh group5
 authentication-algorithm sha2-256
 authentication-method rsa-signature
#
ike peer peer0
 exchange-mode auto
 ike-proposal 10
 local-id-type dn
 resource acl 3000
 certificate local-filename usbkeyclient_local.cer
#
ipsec policy-template policy_temp0 1
 security acl 3000
 ike-peer peer0
 proposal prop0
#
ipsec policy policy1 10 isakmp template policy_temp0
#
ip pool pool0
 section 0 172.16.1.1 172.16.1.100
 excluded-ip-address 172.16.1.1
#
aaa
 service-scheme l2tp
  ip-pool pool0
 domain domain0
  authentication-scheme scheme0
  service-scheme l2tp
  service-type l2tp
  internet-access mode password
  reference user current-domain
#
l2tp-group default-lns
 tunnel password cipher %$%$Uv{@X=\}w"g`aV;UP.H9AY8J%$%$
 allow l2tp virtual-template 0 remote tunnel
#
interface Virtual-Template0
 ppp authentication-mode pap
 remote service-scheme l2tp
 ip address 172.16.1.101 255.255.255.0
 alias L2TP_LNS_0
 undo service-manage enable
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
 ipsec policy policy1
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1
 add interface Virtual-Template0
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
#
security-policy
 rule name l2tpipsec_ul
  source-zone untrust
  destination-zone local
  destination-address 1.1.1.0 mask 255.255.255.0
  action permit
 rule name l2tpipsec_tu
  source-zone trust
  destination-zone untrust
  source-address 10.1.2.0 mask 255.255.255.0
  destination-address range 172.16.1.1 172.16.1.100
  action permit
 rule name l2tpipsec_ut
  source-zone untrust
  destination-zone trust
  source-address range 172.16.1.1 172.16.1.100
  destination-address 10.1.2.0 mask 255.255.255.0
  action permit
#
```

The following user/group configuration is saved in the database and is not shown in the profile.

```
user-manage user user0001
 domain domain0
 password Password@123
```