No relevant resource is found in the selected language.
Enterprise
Worldwide
Search
Support Documentation
HUAWEI USG Series Firewalls Interoperability Configuration Guide for VPN

This document provides the guide for configuring a Huawei firewall to use VPN to communicate with a non-Huawei device.

Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Web: Example for Configuring a Mobile User to Use the SecoClient to Access the Enterprise Network over an L2TP over IPSec VPN Tunnel (Using Pre-shared Key Authentication)

Web: Example for Configuring a Mobile User to Use the SecoClient to Access the Enterprise Network over an L2TP over IPSec VPN Tunnel (Using Pre-shared Key Authentication)

This section describes how to configure a mobile user to use the SecoClient to access the enterprise network over an L2TP over IPSec VPN tunnel.

Networking Requirement

Figure 3-1 shows the enterprise network. The enterprise requires that external mobile users access intranet resources over an L2TP over IPSec VPN tunnel.
Figure 3-1 Networking diagram of configuring a mobile user to use the SecoClient to access the enterprise network over an L2TP over IPSec VPN tunnel

Data Planning

Item

Data

Interface

Interface number: GigabitEthernet 1/0/1

IP address: 1.1.1.1/24

Security zone: Untrust

GigabitEthernet 1/0/2

IP address: 10.1.1.1/24

Security zone: Trust

L2TP configuration

User name: user0001

Password: Password@123

Address pool: 172.16.1.1 to 172.16.1.100

NOTE:

If the intranet server IP address and IP address of address pool are on different subnets, configure a route to the address pool on the intranet server.

Tunnel authentication password: Hello@123

IPSec configuration

Setup mode: policy template

Pre-shared key: Admin@123

Local ID: IP address

Peer ID: any peer ID

Local ID: IP address

Security protocol: ESP

IKE authentication algorithm: SHA2–256

IKE encryption algorithm: AES-256

ESP authentication algorithm: SHA2–256

ESP encryption algorithm: AES-256

Mobile user

User name: user0001

Password: Password@123

Procedure

  • Configure the FW.
    1. Set interface IP addresses and assign the interfaces to security zones.

      1. Choose Network > Interface.

      2. Click of GE1/0/1 and set the parameters as follows:

        Zone

        Untrust

        IPv4

        IP Address

        1.1.1.1/24

        Access Management

        HTTPS, Ping
      3. Click OK.

      4. Repeat the preceding steps to configure GE1/0/2.

        Zone

        Trust

        IPv4

        IP Address

        10.1.1.1/24

        Access Management

        HTTPS, Ping

    2. Configure the security policy.

      1. Choose Policy > Security Policy > Security Policy.

      2. Click Add and configure a security policy for the Untrust -> Local interzone as follows to allow the mobile user to log in to the L2TP VPN gateway:

        Name

        l2tpipsec_ul

        Source Zone

        Untrust

        Destination Zone

        Local

        Destination Address/Region

        1.1.1.1/24

        Action

        Allow
      3. Click OK.

      4. Repeat the preceding steps to configure Untrust -> Local, Untrust -> Trust, and Trust -> Untrust interzone policies.

        The parameters of the Local -> Untrust interzone policy are as follows:

        Name

        l2tpipsec_lu

        Source Zone

        Local

        Destination Zone

        Untrust

        Source Address/Region

        1.1.1.1/24

        Action

        Allow

        The parameters of the Untrust -> Trust interzone policy are as follows:

        Name

        l2tpipsec_ut

        Source Zone

        Untrust

        Destination Zone

        Trust

        Source Address/Region

        172.16.1.0/24

        Destination Address/Region

        10.1.2.0/24

        Action

        Allow

        The parameters of the Trust -> Untrust interzone policy are as follows:

        Name

        l2tpipsec_tu

        Source Zone

        Trust

        Destination Zone

        Untrust

        Source Address/Region

        10.1.2.0/24

        Destination Address/Region

        172.16.1.0/24

        Action

        Allow

    3. Configure a route to the Internet.

      In the example, the next-hop IP address from FW to the Internet is 1.1.1.2.

      1. Choose Network > Route > Static Route.

      2. Click Add and set parameters as follows:

        Destination Address/Mask

        0.0.0.0/0.0.0.0

        Next Hop

        1.1.1.2

      3. Click OK.

    4. Create a user group and a user.

      1. Choose Object > User > default.
      2. Select L2TP/L2TP over IPSec for Scenario and Local for User Location.
      3. Click Add, set the user name to user0001, and set the password to Password@123.

      4. Click OK.
      5. Click Apply.

    5. Configure L2TP over IPSec VPN.

      1. Choose Network > IPSec > IPSec, click Add, and set the parameters shown in the following figure:

        In the example, the pre-shared key is Admin@123, and the user address pool range is 172.16.1.1-172.16.1.100.

        The parameters configured in Advanced must be identical to the client side, otherwise the tunnel cannot be negotiated successfully and established.

      2. Click Apply.
      3. Choose Network > L2TP > L2TP. In L2TP Group List, click default-lns and set the following parameters to configure the default L2TP group.

      4. Click OK.

  • Configure the SecoClient at the mobile user side.
    1. Open the SecoClient.

      Select New Connection from the Connect drop-down list.

    2. Set L2TP VPN connection parameter values.

      In the New Connection dialog box, select L2TP/IPSec from the left navigation tree and set connection parameter values.

    3. Configure IPSec.



    1. Log in to the L2TP over IPSec VPN gateway.

      1. Select the created l2tp_over_ipsec_vpn connection from the Connect drop-down list and click Connect.

      2. On the login page, enter the user name and password.

      3. Click Login to initiate a VPN connection.

        When the VPN access succeeds, a prompt is displayed at the lower right corner of the screen.

        Using the connection, the mobile user can access intranet resources as users in the enterprise intranet.

Verification

  1. Log in to the FW, choose Network > L2TP > Monitor, and view the monitoring list. User user0001 successfully logs in.
  2. Check the IPSec tunnel establishment on the FW. If the following information is displayed, the IPSec tunnel is established.

  3. Mobile users can access resources in the enterprise intranet.

Configuration Scripts

#
sysname FW
#
 l2tp enable
 undo l2tp sendaccm enable
 l2tp domain suffix-separator @
#
interface GigabitEthernet 1/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
 service-manage https permit
 service-manage ping permit
 ipsec policy ipsec1651051555
#
interface GigabitEthernet 1/0/2
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
 service-manage https permit
 service-manage ping permit
#  
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
#
acl number 3000
 rule 5 permit udp source-port eq 1701 
#
ipsec proposal prop16510515517
 encapsulation-mode transport
 esp authentication-algorithm sha2-256 
 esp encryption-algorithm aes-256 
#
ike proposal 1
 encryption-algorithm aes-256 
 dh group2 
 authentication-algorithm sha2-256 
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256 
 prf hmac-sha2-256 
#
ike peer ike165105155173
 undo version 2
 exchange-mode auto
 pre-shared-key %^%#_%kCMyV]"T8IM[VjLO.#2H.R3]I~!=.2)EP>b%pB%^%#
 ike-proposal 1
 local-id 1.1.1.1
#
ipsec policy-template tpl165105155173 1
 security acl 3000
 ike-peer ike165105155173
 proposal prop16510515517
 alias ipsec 
 scenario point-to-multi-point l2tp-user-access 
#
ipsec policy ipsec1651051555 10000 isakmp template tpl165105155173
#
ip pool pool
 section 0 172.16.1.1 172.16.1.100
 excluded-ip-address 172.16.1.1
#
aaa
 service-scheme l2tpSScheme_1463367117513
  ip-pool pool
 domain default
  service-type l2tp
#
l2tp-group default-lns
 allow l2tp virtual-template 1 
 undo tunnel authentication
#
interface Virtual-Template1
 ppp authentication-mode chap pap
 remote service-scheme l2tpSScheme_1463367117513
 ip address 172.16.1.1 255.255.255.255
 alias L2TP_LNS_1
 undo service-manage enable
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/1
 add interface Virtual-Template1
#
security-policy
 rule name l2tpipsec_ul
  source-zone untrust
  destination-zone local
  destination-address 1.1.1.0 mask 255.255.255.0
  action permit
 rule name l2tpipsec_lu
  source-zone local
  destination-zone untrust
  source-address 1.1.1.0 mask 255.255.255.0
  action permit
 rule name l2tpipsec_ut
  source-zone untrust
  destination-zone trust
  source-address 172.16.1.0 mask 255.255.255.0
  destination-address 10.1.2.0 mask 255.255.255.0
  action permit
 rule name l2tpipsec_tu
  source-zone trust
  destination-zone untrust
  source-address 10.1.2.0 mask 255.255.255.0
  destination-address 172.16.1.0 mask 255.255.255.0
  action permit
# The following configuration is stored in the database, but not in the configuration profile. 
user-manage group /default/research
user-manage user user0001
 parent-group /default/research
 password *********
Translation
简体中文
Download
Updated: 2023-09-12

Document ID: EDOC1000154805

Views: 267448

Downloads: 5070

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Share
Previous Next

Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :