No relevant resource is found in the selected language.
Enterprise
Worldwide
Search
Support Documentation
HUAWEI USG Series Firewalls Interoperability Configuration Guide for VPN

This document provides the guide for configuring a Huawei firewall to use VPN to communicate with a non-Huawei device.

Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
CLI: Example for Configuring Mobile Users to Use the SecoClient to Access Both an Enterprise Network and the Internet Based on the Tunnel Splitting Technology

CLI: Example for Configuring Mobile Users to Use the SecoClient to Access Both an Enterprise Network and the Internet Based on the Tunnel Splitting Technology

The tunnel splitting technology is enabled on the gateway deployed at the enterprise headquarters. Mobile users use the SecoClient to access the enterprise network through the L2TP over IPSec VPN tunnel with encrypted traffic and access the Internet with unencrypted traffic.

Context

When tunnels are not split, all traffic from mobile users enters the enterprise headquarters gateway through the L2TP over IPSec VPN tunnel, and the users cannot access the LAN or Internet.

To allow mobile users to access the enterprise network through a VPN tunnel and directly access the LAN or Internet, adopt either of the following methods:

  • 1. Use the SecoClient.

    Each mobile user configures a route on the SecoClient by specifying the destination IP address of the VPN connection. After the connection is established, traffic destined for other IP addresses can directly access the LAN or Internet.

  • 2. Configure the enterprise headquarters gateway.

    The enterprise network administrator enables the tunnel splitting function on the gateway, configures the ACL for the VPN connection on the gateway, and sends the ACL information to the SecoClient. If the route configuration mode of the SecoClient is Mode Config, the SecoClient can receive the ACL information from the gateway. Then, the SecoClient sends encrypted traffic through the VPN tunnel to the enterprise network and sends unencrypted traffic to the LAN or Internet.

The comparison of the two methods is as follows:

  • Method 1 is complicated for mobile users. It is difficult for the users to update the IP address list in a timely manner, and the IP address must be re-configured if a device is replaced.
  • Method 2 is easy and maintenance-free for mobile users. The ACL information is configured and maintained on the enterprise headquarters gateway.

This example uses method 2 to describe the tunnel splitting configuration.

Networking Requirements

As shown in Figure 3-3, a mobile user uses the tunnel splitting technology to access both an enterprise network and the Internet.

—Requirements are as follows:
  • Encrypted traffic accesses the enterprise network through the L2TP over IPSec VPN tunnel.
  • Unencrypted traffic directly accesses the Internet.
Figure 3-3 Networking diagram of mobile users using the SecoClient to access both an enterprise network and the Internet based on the tunnel splitting technology

Data Planning

Item

Data

LNS

Interface configuration

Interface: GigabitEthernet 1/0/1

IP address: 1.1.1.1/24

Security zone: Untrust

Interface: GigabitEthernet 1/0/2

IP address: 10.1.1.1/24

Security zone: Trust

Virtual-Template interface configuration

Interface number: Virtual-Template 0

IP address: 172.16.1.101/24

Security zone: Untrust

L2TP configuration

Authentication mode: PAP

Tunnel authentication: enabled

Tunnel authentication password: Hello@123

Peer tunnel name: ipsec_tunnel_split

Address pool and user configuration

Address pool name: pool0

Address range: 172.16.1.1-172.16.1.100

User authentication name: user0001@domain0

User authentication password: Password@123

IPSec configuration

IPSec security policy type: template

Security protocol: ESP

ESP authentication algorithm: SHA2-256

ESP encryption algorithm: AES-256

Pre-shared key: Admin@123

Local ID type: IP

Peer ID type: any

IKE configuration

IKE version: IKEv1

IKE authentication algorithm: SHA2-256

IKE encryption algorithm: AES-256

DH group: group2

NOTE:

Only IKEv1 supports the tunnel splitting function.

LAC

L2TP configuration

Authentication mode: PAP

Tunnel name: ipsec_tunnel_split

Tunnel authentication: enabled

Tunnel authentication password: Hello@123

IPSec configuration

ESP authentication algorithm: SHA2-256

ESP encryption algorithm: AES-256

Pre-shared key: Admin@123

Peer IP address: 1.1.1.1

User configuration

User name: user0001@domain0

Password: Password@123

Configuration Roadmap

  1. Complete the basic configurations of the FW, including the configurations of interfaces and security policies.
  2. Configure L2TP over IPSec on the FW.
  3. Configure the SecoClient on the PC of the mobile user.

Procedure

  1. Complete the basic configurations of the FW.
    1. Set the interface IP address.

      # Set an IP address for GigabitEthernet 1/0/1.

      <sysname> system-view
[sysname] sysname FW
[FW] interface GigabitEthernet 1/0/1
[FW-GigabitEthernet 1/0/1] ip address 1.1.1.1 24
[FW-GigabitEthernet 1/0/1] quit

      # Set an IP address for GigabitEthernet 1/0/2.

      [FW] interface GigabitEthernet 1/0/2
[FW-GigabitEthernet 1/0/2] ip address 10.1.1.1 24
[FW-GigabitEthernet 1/0/2] quit

    2. Assign interfaces to security zones.

      # Add GigabitEthernet 1/0/2 to the Trust zone.

      [FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet 1/0/2
[FW-zone-trust] quit

      # Add GigabitEthernet 1/0/1 to the Untrust zone.

      [FW] firewall zone untrust
[FW-zone-untrust] add interface GigabitEthernet 1/0/1
[FW-zone-untrust] quit

    3. Configure interzone security policies.

      # Configure an Untrust -> Local policy to allow the mobile user to establish an IPSec tunnel to the headquarters.

      [FW] security-policy
[FW-policy-security] rule name l2tpipsec_ul
[FW-policy-security-rule-l2tpipsec_ul] source-zone untrust
[FW-policy-security-rule-l2tpipsec_ul] destination-zone local
[FW-policy-security-rule-l2tpipsec_ul] destination-address 1.1.1.1 24
[FW-policy-security-rule-l2tpipsec_ul] action permit
[FW-policy-security-rule-l2tpipsec_ul] quit

      # Configure a Trust -> Untrust policy to allow the headquarters to initiate access to the mobile user.

      [FW-policy-security] rule name l2tpipsec_tu
[FW-policy-security-rule-l2tpipsec_tu] source-zone trust
[FW-policy-security-rule-l2tpipsec_tu] destination-zone untrust
[FW-policy-security-rule-l2tpipsec_tu] source-address 10.1.2.0 24
[FW-policy-security-rule-l2tpipsec_tu] destination-address range 172.16.1.1 172.16.1.100
[FW-policy-security-rule-l2tpipsec_tu] action permit
[FW-policy-security-rule-l2tpipsec_tu] quit

      # Configure an Untrust -> Trust policy to allow the mobile user to initiate access to the headquarters.

      [FW-policy-security] rule name l2tpipsec_ut
[FW-policy-security-rule-l2tpipsec_ut] source-zone untrust
[FW-policy-security-rule-l2tpipsec_ut] destination-zone trust
[FW-policy-security-rule-l2tpipsec_ut] source-address range 172.16.1.1 172.16.1.100
[FW-policy-security-rule-l2tpipsec_ut] destination-address 10.1.2.0 24
[FW-policy-security-rule-l2tpipsec_ut] action permit
[FW-policy-security-rule-l2tpipsec_ut] quit
[FW-policy-security] quit

  2. Configure the L2TP access user and authentication policy on the FW.
    1. Configure the address pool.

      [FW] ip pool pool0
[FW-ip-pool-pool0] section 0 172.16.1.1 172.16.1.100
[FW-ip-pool-pool0] quit

      If the address pool addresses and headquarters addresses reside on the same subnet, you must enable the ARP proxy function on the LNS interface connecting to the headquarters to ensure that the LNS can respond to the ARP requests from the servers at the headquarters.

    2. Configure an authentication scheme.

      [FW] aaa
[FW-aaa] authentication-scheme scheme0
[FW-aaa-authen-scheme0] authentication-mode local
[FW-aaa-authen-scheme0] quit

    3. Configure a service scheme for access users.

      [FW-aaa] service-scheme l2tp
[FW-aaa-service-l2tp] ip-pool pool0
[FW-aaa-service-l2tp] quit

    4. Configure an authentication domain and reference the authentication scheme and the service scheme for access users.

      [FW-aaa] domain domain0
[FW-aaa-domain-domain0] service-type l2tp
[FW-aaa-domain-domain0] authentication-scheme scheme0
[FW-aaa-domain-domain0] service-scheme l2tp
[FW-aaa-domain-domain0] quit
[FW-aaa] quit

    5. Configure a group and a user for the mobile user.

      [FW] user-manage group /domain0/ontravel
[FW-usergroup-/domain0/ontravel] quit
[FW] user-manage user user0001 domain domain0
[FW-localuser-user0001@domain0] parent-group /domain0/ontravel
[FW-localuser-user0001@domain0] password Password@123
[FW-localuser-user0001@domain0] quit

  3. Configure L2TP on the FW.
    1. Enable the L2TP function.

      [FW] l2tp enable

    2. Configure the Virtual-Template interface.

      [FW] interface Virtual-Template 0
[FW-Virtual-Template0] ppp authentication-mode pap
[FW-Virtual-Template0] remote service-scheme l2tp
[FW-Virtual-Template0] ip address 172.16.1.101 24
[FW-Virtual-Template0] quit
      • The IP address of the virtual-template interface cannot overlap the address pool or replicate the IP addresses of other interfaces. You can set any IP address except the mentioned ones.
      • The service scheme assigning an IP address to the peer must be the same as the one configured in the AAA domain. Otherwise, the LNS cannot assign IP addresses to clients.
      • A Virtual-Template interface can join any security zone. After adding the Virtual-Template to a security zone, you must enable the security policy between the zone where the Virtual-Template interface resides and the zone of the headquarters network. In addition, you must enable the security policy between the Local zone and the zone of the physical interface through which the FW sends and receives L2TP tunnel packets.

    3. Add the Virtual-Template template to the Untrust zone.

      [FW] firewall zone untrust
[FW-zone-untrust] add interface Virtual-Template 0
[FW-zone-untrust] quit

    4. Create an L2TP group, bind the Virtual-Template interface to the group, and configure the tunnel authentication function.

      [FW] l2tp-group tunnel_split
[FW-l2tp-tunnel_split] allow l2tp virtual-template 0 remote ipsec_tunnel_split
[FW-l2tp-tunnel_split] tunnel authentication
[FW-l2tp-tunnel_split] tunnel password cipher Hello@123
[FW-l2tp-tunnel_split] quit

  4. Configure an IPSec policy on the FW and apply it to the interface.
    1. Create advanced ACL 3000.

      [FW] acl 3000
[FW_acl-adv-3000] rule 5 permit udp source-port eq 1701
[FW_acl-adv-3000] quit

      During L2TP over IPSec encapsulation, L2TP encapsulation occurs before IPSec encapsulation. Therefore, the matching condition is L2TP port (port 1701). All L2TP packets are transmitted through the IPSec tunnel.

    2. Create advanced ACL 3001.

      [FW] acl 3001
[FW_acl-adv-3001] rule 5 permit ip source 10.1.2.0 0.0.0.255
[FW_acl-adv-3001] quit

      The headquarters gateway pushes this ACL to the SecoClient if the tunnel splitting function is enabled.

    3. Configure IPSec proposal prop0.

      [FW] ipsec proposal prop0
[FW-ipsec-proposal-prop0] encapsulation-mode auto
[FW-ipsec-proposal-prop0] transform esp
[FW-ipsec-proposal-prop0] esp authentication-algorithm sha2-256
[FW-ipsec-proposal-prop0] esp encryption-algorithm aes-256
[FW-ipsec-proposal-prop0] quit

    4. Configure an IKE proposal.

      [FW] ike proposal 10
[FW-ike-proposal-10] authentication-method pre-share
[FW-ike-proposal-10] authentication-algorithm sha2-256
[FW-ike-proposal-10] encryption-algorithm aes-256
[FW-ike-proposal-10] dh group2
[FW-ike-proposal-10] quit

    5. Configure an IKE peer.

      [FW] ike peer peer0
[FW-ike-peer-peer0] ike-proposal 10
[FW-ike-peer-peer0] exchange-mode auto
[FW-ike-peer-peer0] pre-shared-key Admin@123
[FW-ike-peer-peer0] resource acl 3001
[FW-ike-peer-peer0] quit

      The resource acl command sets the ACL information that the headquarters gateway pushes to the mobile user. After IKE SA phase 1 is established between the headquarters and mobile user, the headquarters pushes the ACL information to the user upon the receipt of an ACL request from the user. The ACL restricts the access scope. Only the traffic destined for the IP addresses specified in the ACL can pass through the IPSec tunnel.

    6. Configure an IPSec policy template.

      [FW] ipsec policy-template policy_temp0 1
[FW-ipsec-policy-template-policy_temp0-1] security acl 3000
[FW-ipsec-policy-template-policy_temp0-1] proposal prop0
[FW-ipsec-policy-template-policy_temp0-1] ike-peer peer0
[FW-ipsec-policy-template-policy_temp0-1] scenario point-to-multi-point l2tp-user-access
[FW-ipsec-policy-template-policy_temp0-1] quit
[FW] ipsec policy ipsec_policy0 10 isakmp template policy_temp0

    7. Apply the IPSec policy ipsec_policy0 to GigabitEthernet 1/0/1.

      [FW] interface GigabitEthernet 1/0/1
[FW-GigabitEthernet 1/0/1] ipsec policy ipsec_policy0
[FW-GigabitEthernet 1/0/1] quit
[FW] quit

  5. Configure a route for the traffic from the headquarters gateway to the L2TP address pool.

    The headquarters gateway can communicate with the mobile user only when it has a route to the L2TP address pool. The next hop of the route must be the address of the LAN interface on the FW.

  6. Set connection parameters for the SecoClient on the PC of a mobile user.
    1. Open the SecoClient and choose New Connection from the Connect drop-down list.

    2. In the New Connection window, select L2TP/IPSec from the navigation tree and set L2TP connection parameters.

      In this example, tunnel authentication is enabled, and the authentication password is Hello@123.

    3. Select Enable IPSec Protocol and Pre-shared Key, enter the pre-shared key Admin@123 in the Authenticator text box, and set IPSec connection parameters.

      The values of L2TP/IPSec connection parameters must be consistent with those on the gateway. Otherwise, the connection fails.

    4. Set Router to Mode Config.

      The SecoClient can obtain ACL information from the gateway only when the route obtaining mode is Mode Config.

    5. Click OK.

Verification

  1. From the Connect drop-down list, choose the created L2TP over IPSec connection and click Connect.

  2. Enter the user name and password on the login page. In this example, the user name is user0001@domain0, and the password is Password@123.

  3. Click Login to initiate a connection.

    After the VPN connection succeeds, the prompt message negotiation is successed pops up at the lower right corner.

  4. On the LAC, you can see that the network segment 172.16.1.1/24-172.16.1.100/24 is assigned. The mobile user can access resources on the headquarters server, the LAN, and the Internet.

  5. When a VPN user is connected, run the display l2tp tunnel command on the LNS. The output indicates that the tunnel is established successfully.

    <FW> display l2tp tunnel
 L2TP::Total Tunnel: 1
 
  LocalTID RemoteTID RemoteAddress    Port   Sessions RemoteName  VpnInstance
  ------------------------------------------------------------------------------
  1        1         1.1.1.2          5524   1        ipsec_tu...             
  ------------------------------------------------------------------------------
   Total 1, 1 printed

  6. Run the display l2tp session command on the LNS. The session is successfully established.

    <FW> display l2tp session
 L2TP::Total Session: 1
 
   LocalSID  RemoteSID  LocalTID   RemoteTID  UserID  UserName    VpnInstance
  ------------------------------------------------------------------------------
   4         1          1          1          1244    user0001...               
  ------------------------------------------------------------------------------
   Total 1, 1 printed

  7. Run the display ike sa command on the LNS. The IKE negotiation succeeds.

    <FW> display ike sa
IKE SA information :
    Conn-ID    Peer                  VPN                             Flag(s)               Phase 
   ----------------------------------------------------------------------------------------------
    8          1.1.1.2:5524                                          RD|A                  v1:2    
    7          1.1.1.2:5524                                          RD|A                  v1:1    
 
   Number of IKE SA : 2
   ----------------------------------------------------------------------------------------------
 
   Flag Description:
   RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
   HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
   M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING

  8. Run the display ipsec sa brief command on the LNS. The IPSec tunnel is established.

    <FW> display ipsec sa brief
 IPSec SA information:
 
    Src address     Dst address     SPI         VPN                                 Protocol     Algorithm
  -------------------------------------------------------------------------------------------------------------------------
    1.1.1.1         1.1.1.2         3981322574                                      ESP          E:AES-256 A:SHA2_256_128
    1.1.1.2         1.1.1.1         4249120194                                      ESP          E:AES-256 A:SHA2_256_128
 
   Number of IPSec SA : 2
  --------------------------------------------------------------------------------------------------------------------------

Configuration Scripts

#                                                                         
sysname FW                     
 #
  l2tp enable
  undo l2tp sendaccm enable
  l2tp domain suffix-separator @
 #
 acl number 3000
  rule 5 permit udp source-port eq 1701
 acl number 3001
  rule 5 permit ip source 10.1.2.0 0.0.0.255
 #
 ipsec proposal prop0
  encapsulation-mode auto
  esp authentication-algorithm sha2-256
  esp encryption-algorithm aes-256
 #
 ike proposal 10
  encryption-algorithm aes-256
  dh group2
  authentication-algorithm sha2-256
  authentication-method pre-share
  integrity-algorithm hmac-sha2-256
  prf hmac-sha2-256
 #
 ike peer peer0
  exchange-mode auto
  pre-shared-key %^%#/AU'7#XuSP85X[47n3%#TM#e2)|5c=3!9<0>f}]H%^%#
  ike-proposal 10
  resource acl 3001
 #
 ipsec policy-template policy_temp0 1
  security acl 3000
  ike-peer peer0
  proposal prop0
  scenario point-to-multi-point l2tp-user-access
 #
 ipsec policy ipsec_policy0 10 isakmp template policy_temp0
 #
 ip pool pool0
  section 0 172.16.1.2 172.16.1.100
 #
 aaa
  authentication-scheme scheme0
  service-scheme l2tp
   ip-pool pool0
  domain domain0
   authentication-scheme scheme0
   service-scheme l2tp
   service-type l2tp
   internet-access mode password
   reference user current-domain
 #
 l2tp-group tunnel_split
  allow l2tp virtual-template 0 remote ipsec_tunnel_split
  tunnel password cipher %$%$f#c=(BljBC!s=)Xc*3*%$%$
 #
 interface Virtual-Template0
  ppp authentication-mode pap
  remote service-scheme l2tp
  ip address 172.16.1.101 255.255.255.0
 #
 interface GigabitEthernet0/0/1
  undo shutdown
  ip address 1.1.1.1 255.255.255.0
  ipsec policy ipsec_policy0
 #
 interface GigabitEthernet0/0/2
  undo shutdown
  ip address 10.1.1.1 255.255.255.0
 #
 firewall zone trust
  set priority 85
  add interface GigabitEthernet0/0/2
 #
 firewall zone untrust
  set priority 5
  add interface GigabitEthernet0/0/1
  add interface Virtual-Template0
 #
 security-policy
  rule name l2tpipsec_ul
   source-zone untrust
   destination-zone local
   destination-address 1.1.1.0 mask 255.255.255.0
   action permit
  rule name l2tpipsec_tu
   source-zone trust
   source-zone untrust
   destination-zone untrust
   source-address 10.1.2.0 mask 255.255.255.0
   destination-address range 172.16.1.2 172.16.1.100
   action permit
  rule name l2tpipsec_ut
   source-zone untrust
   destination-zone trust
   source-address range 172.16.1.2 172.16.1.100
   destination-address 10.1.2.0 mask 255.255.255.0
   action permit                                                               
 # The following user/group creation configuration is stored in the database, but not in the configuration profile.
 user-manage group /domain0/ontravel
 user-manage user user0001@domain0
  parent-group /domain0/ontravel
  password Password@123
Translation
简体中文
Download
Updated: 2023-09-12

Document ID: EDOC1000154805

Views: 265869

Downloads: 5044

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Share
Previous Next

Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :