Huawei Firewall VPN Interoperation Configuration Guide

This document provides guidance on configuring a Huawei firewall to use VPN to communicate with a non-Huawei device.

Web: Example for Configuring L2TP over IPSec to Allow Mobile Users to Access the Headquarters Using Android Terminals

L2TP over IPSec VPN allows mobile employees to dial up to the headquarters (HQ) server using Android phones.

Networking Requirements

The LAC client directly initiates a connection request to the LNS. The LAC client and LNS negotiate an IPSec tunnel, and perform L2TP negotiation to authenticate the user's identity and establish an L2TP over IPSec tunnel. The data between the LAC client and the LNS is transmitted through the tunnel. Layer-2 data is encapsulated using L2TP and then the data is encrypted using IPSec.

Figure 2-34 Networking diagram for configuring L2TP over IPSec for mobile employees to access the headquarters

Data Planning

LNS
  Interface: GigabitEthernet 1/0/1; IP address: 1.1.1.2/24; Security zone: Untrust
  Interface: GigabitEthernet 1/0/3; IP address: 192.168.1.1/24; Security zone: Trust

IP address and user for L2TP
  IP pool 1, address pool: 10.1.1.2-10.1.1.100
  User name: vpdnuser
  User authentication password: Hello123

IPSec configuration
  Security protocol: ESP
  ESP authentication algorithm: sha1
  ESP encryption algorithm: aes-128
  Pre-Shared Key: Admin@123
  Local ID: IP Address
  Peer ID: Any Type
  IKE version: IKEv1

LAC
  Server address: 1.1.1.2
  IPSec preshared key: Admin@123
  Username: vpdnuser
  Password: Hello123

Configuration Roadmap

  1. Complete basic configurations, including the configurations of interfaces, security policies, and routes.
  2. Complete the L2TP over IPSec configuration on FW.
  3. On the mobile employee's Android phone, complete the client configuration. The parameters on the Android phone must match those on the FW.

Procedure

  1. Configure the LNS.
    1. Set an IP address for each interface and assign the interfaces to security zones.

      1. Choose Network > Interface.
      2. Click the edit icon of GE1/0/1 and set the following parameters:

        Zone: untrust
        IPv4 IP Address: 1.1.1.2/24

      3. Click OK.
      4. Repeat the preceding steps to set the parameters of the GE1/0/3 interface:

        Zone: trust
        IPv4 IP Address: 192.168.1.1/24

    2. Configure security policies.

      1. Choose Policy > Security Policy > Security Policy.

      2. Click Add and set the parameters of the security policies between the Untrust and Trust zones as follows:

        When the web UI is used to configure L2TP over IPSec, the FW uses Virtual-template 0 to communicate with the peer. When the PC dials up to the FW using L2TP, the FW adds Virtual-template 0 to the security zone of the interface that receives L2TP packets. In this example, the security zone refers to the Untrust zone to which interface GE1/0/1 is added. Employees on the move need to access intranet resources. Therefore, you need to configure an interzone security policy between the security zone where Virtual-template 0 resides and the security zone where the intranet resides. In the example, you need to configure an interzone security policy between the Untrust and Trust zone.

        If you assign Virtual-template 0 to another security zone through the CLI, enable the interzone security policy between the zone where Virtual-template 0 resides and the security zone where the intranet resides.

        Name: policy_ipsec_1
        Source Zone: untrust
        Destination Zone: trust
        Source Address/Region: 10.1.1.2-10.1.1.100
        Destination Address/Region: 192.168.1.0/24
        Action: Permit

        Name: policy_ipsec_2
        Source Zone: trust
        Destination Zone: untrust
        Source Address/Region: 192.168.1.0/24
        Destination Address/Region: 10.1.1.2-10.1.1.100
        Action: Permit

      3. Repeat the preceding steps to configure the security policy for the Untrust-Local interzone, so that mobile users can reach the IPSec gateway address of the FW itself:

        Name: policy_ipsec_3
        Source Zone: untrust
        Destination Zone: local
        Destination Address/Region: 1.1.1.2/32
        Action: Permit

    3. Configure an L2TP user.

      1. Choose Object > User.

      2. Select the default authentication domain.

      3. Under User/User Group/Security Group Management List, click Add, select Add User, and set the following parameters:

        User Name: vpdnuser
        Password: Hello123
        Confirm Password: Hello123

      4. Click OK.

    4. Configure the L2TP over IPSec tunnel.

      1. Choose Network > IPSec > IPSec, and click Add under IPSec Policy List.

      2. Set Scenario to Site-to-multisite, with the L2TP over IPSec client option selected.

      3. Configure Basic Configuration as follows. The headquarters needs to be accessed by multiple branches. Therefore, do not specify the remote gateway address. The pre-shared key is Admin@123.

      4. Configure Dial-up User Configuration as follows.

      5. Under Data Flow to Be Encrypted, click Add to add a data flow as follows.

      6. Configure IKE and IPSec protocol.

      7. Click Apply to complete the configurations.

    5. The LAC client dials up using the built-in L2TP client of the Android phone, which does not support tunnel authentication. Therefore, you need to disable tunnel authentication on the FW.

      1. Choose Network > L2TP > L2TP. In L2TP Group List, click default-lns and deselect Tunnel Password Authentication. Set the Associated Zone to untrust.
      2. Click OK.

  2. Configure a route on the HQ server.

    To communicate with mobile employees, the HQ server must have a route to the user address pool, with the next hop pointing to the LAN interface address of the FW.

  3. Configure the mobile employee's Android phone.

    Complete the following configurations on the Settings page.

Configuration Verification

  1. Enable the VPN connection on the phone.

  2. After the dial-up succeeds, check the L2TP tunnel setup status on the LNS.

  3. Check the IPSec tunnel establishment on the LNS. If the following information is displayed, the IPSec tunnel is established.

Configuration Scripts

#
l2tp enable
l2tp domain suffix-separator @
#
acl number 3001
 rule 5 permit udp source-port eq 1701
#
ike proposal pro91165721597
 encryption-algorithm aes-128
 authentication-algorithm sha1
 dh group2
#
ike peer ike91165721597
 local-id-type ip
 pre-shared-key %$%$Z1}*8w'rH;MD;%$%$
 ike-proposal pro91165721597
#
ipsec proposal prop91165721597
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-128
#
ipsec policy-template tpl91165721597 1
 security acl 3001
 ike-peer ike91165721597
 alias policy_ipsec
 scenario point-to-multipoint l2tp-user-access
 proposal prop91165721597
#
ipsec policy ipsec9116572166 10000 isakmp template tpl91165721597
#
interface GigabitEthernet1/0/1
 ip address 1.1.1.2 255.255.255.0
 ipsec policy ipsec9116572166
#
interface GigabitEthernet1/0/3
 ip address 192.168.1.1 255.255.255.0
#
interface Virtual-Template1
 ppp authentication-mode chap pap
 remote service-scheme l2tpSScheme_1445251722019
 ip address 10.1.1.2 255.255.255.0
 alias L2TP_LNS_0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1
 add interface Virtual-Template1
#
l2tp-group default-lns
 allow l2tp virtual-template 1
 undo tunnel authentication
#
ip pool pool1
 section 1 10.1.1.2 10.1.1.100
#
aaa
 authentication-scheme default
  authentication-mode local
 #
 domain default
  authentication-scheme default
  service-scheme l2tp
#
security-policy
 rule name policy_ipsec_1
  source-zone untrust
  destination-zone trust
  source-address range 10.1.1.2 10.1.1.100
  destination-address 192.168.1.0 24
  action permit
 rule name policy_ipsec_2
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 24
  destination-address range 10.1.1.2 10.1.1.100
  action permit
 rule name policy_ipsec_3
  source-zone untrust
  destination-zone local
  destination-address 1.1.1.2 32
  action permit
# The following user/group creation configuration is stored in the database, but not in the configuration profile.
user-manage user vpdnuser domain default
 password *********
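The three interoperation requirements this guide depends on (tunnel authentication disabled for the built-in Android client, the virtual template placed in the zone of the IPSec-bound interface, and a permit policy from that zone to the intranet) can be checked mechanically against a script in the format above. The following Python example is added here and is not Huawei code; it parses a constructed excerpt of the '#'-delimited stanza format and reports each requirement as pass or fail.

```python
import re
# Constructed excerpt in the format of the guide's Configuration Scripts section.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 ipsec policy ipsec9116572166
#
firewall zone untrust
 add interface GigabitEthernet1/0/1
 add interface Virtual-Template1
#
l2tp-group default-lns
 allow l2tp virtual-template 1
 undo tunnel authentication
#
security-policy
 rule name policy_ipsec_1
  source-zone untrust
  destination-zone trust
  action permit
"""

def parse_stanzas(text):
    """Split at '#' lines into (header, body-lines) pairs, whitespace stripped."""
    chunks = (c.strip().splitlines() for c in re.split(r"^#.*$", text, flags=re.M))
    return [(ls[0].strip(), [l.strip() for l in ls[1:]]) for ls in chunks if ls]

def check_lns(text):
    """Return {check: bool}: tunnel auth off (the Android client cannot do it), virtual
    template in the zone of the IPSec-bound interface, permit rule from that zone to trust."""
    st = parse_stanzas(text)
    pick = lambda p: [(h, b) for h, b in st if h.startswith(p)]
    grp = next((b for _, b in pick("l2tp-group")), [])
    vt = next((l.split()[-1] for l in grp if l.startswith("allow l2tp virtual-template")), "")
    zone_of = {l.split()[-1]: h.split()[-1] for h, b in pick("firewall zone")
               for l in b if l.startswith("add interface")}
    ipsec_zones = {zone_of.get(h.split()[1]) for h, b in pick("interface")
                   if any(l.startswith("ipsec policy") for l in b)}
    vt_zone = zone_of.get("Virtual-Template" + vt)
    rules = []  # one dict per "rule name" block: {"source-zone": ..., "action": ...}
    for l in next((b for _, b in pick("security-policy")), []):
        if l.startswith("rule name"):
            rules.append({})
        elif rules:
            k, _, v = l.partition(" "); rules[-1][k] = v
    return {
        "tunnel_auth_disabled": "undo tunnel authentication" in grp,
        "vt_in_ipsec_zone": vt_zone is not None and vt_zone in ipsec_zones,
        "policy_vt_to_trust": any(r.get("source-zone") == vt_zone and r.get("destination-zone") == "trust"
                                  and r.get("action") == "permit" for r in rules),
    }
```

Running `check_lns` over a full exported script flags the case from step 2 of the procedure in which the virtual template was moved to another zone without a matching interzone policy.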