CLI: Example for Configuring L2TP over IPSec to Allow Mobile Users to Access the Headquarters Using Mac OS X Terminals
Networking Requirements
As shown in Figure 3-24, a mobile user terminal (LAC) is connected to the LNS of the headquarters over the Internet. The LAC can initiate an IPSec tunnel connection request with the LNS to transmit data over a tunnel. L2TP encapsulates Layer 2 data and authenticates user identity, and then IPSec encrypts L2TP packets.
Data Plan
Item |
Data |
|---|---|
LNS |
Interface number: GigabitEthernet 1/0/1 IP address: 1.1.1.2/24 |
Interface number: GigabitEthernet 1/0/3 IP address: 192.168.1.1/24 |
|
VT interface Interface number: Virtual-Template 1 IP address: 10.1.1.1/24 |
|
Address pool IP pool 1 IP address range: 10.1.1.2 to 10.1.1.100 |
|
L2TP configuration Authentication type: CHAP and PAP User name: macpc User authentication password: Hello123 Tunnel verification: Disabled |
|
IPSec configuration Establishment method: policy template Security protocol: ESP IKE authentication algorithm: SHA2-256 IKE encryption algorithm: AES-128 ESP authentication algorithm: SHA2-256 ESP encryption algorithm: AES-128 Pre-shared key: Admin@123 Local ID type: IP address Peer ID type: any IKE version: IKEv1 |
|
LAC client |
Server address: 1.1.1.2 Account: macpc Password: Hello123 Pre-shared key: Admin@123 |
Configuration Roadmap
- Complete basic firewall configurations, including the interfaces, security policies, and routes.
- Complete the L2TP over IPSec configuration on the FW.
- Complete the Mac OS X client configuration on the traveling employee's terminal. The parameters of the LAC must be consistent with those of the FW.
Procedure
- Configure the LNS.
- Configure L2TP.
# Configure an address pool for allocating addresses to users.
[LNS] ip pool pool1 [LNS-ip-pool-pool1] section 1 10.1.1.2 10.1.1.100 [LNS-ip-pool-pool1] quit
# Set the authentication mode of authentication scheme default to local authentication.
[LNS] aaa [LNS-aaa] authentication-scheme default [LNS-aaa-authen-default] authentication-mode local [LNS-aaa-authen-default] quit
# Configure the service scheme used by remote access users.
[LNS] aaa [LNS-aaa] service-scheme l2tp [LNS-aaa-service-l2tp] ip-pool pool1 [LNS-aaa-service-l2tp] quit
# Apply authentication scheme default and service scheme l2tp to the default domain.
[LNS-aaa] domain default [LNS-aaa-domain-default] service-scheme l2tp [LNS-aaa-domain-default] authentication-scheme default
# Configure a local user.
[LNS] user-manage user macpc domain default [LNS-localuser-macpc] password Hello123 [LNS-localuser-macpc] quit
# Set the domain name separator.
A suffix separator needs to be configured when a user name is coupled with a domain name. In this case, the FW can extract the user name based on the separator. For example, if the user name is user@domain1, the FW uses user as the name of the user in the domain1 domain.
[LNS] l2tp domain suffix-separator @
# Enable the L2TP function.
[LNS] l2tp enable
# Configure a VT interface Virtual-Template 1.
The IP address of the VT interface cannot be the same as the addresses in the address pool or addresses of other interfaces.
[LNS] interface Virtual-Template 1 [LNS-Virtual-Template1] ppp authentication-mode chap pap [LNS-Virtual-Template1] ip address 10.1.1.1 255.255.255.0 [LNS-Virtual-Template1] remote service-scheme l2tp [LNS-Virtual-Template1] quit
# Add the VT interface to the Untrust zone.
[LNS] firewall zone untrust [LNS-zone-untrust] add interface Virtual-Template 1 [LNS-zone-untrust] quit
# Create an L2TP group, bind it to the VT interface, and configure the tunnel verification function.
The LAC client uses the built-in L2TP client to dial up. Tunnel verification is not supported. Therefore, disable tunnel verification on the FW.
The remote tunnel name is not configurable. Therefore, you can select only the default L2TP group default-lns, which allows the remote tunnel name not specified.
[LNS] l2tp-group default-lns [LNS-l2tp-default-lns] allow l2tp virtual-template 1 [LNS-l2tp-default-lns] undo tunnel authentication [LNS-l2tp-default-lns] quit
- Configure IPSec.
# Create advanced ACL 3000.
During L2TP over IPSec encapsulation, the device encapsulates packets using L2TP and then IPSec. Therefore, source port 1701 is used as the matching condition in the advanced ACL. All L2TP-encapsulated packets are transmitted through the IPSec tunnel.
[LNS] acl 3000 [LNS-acl-adv-3000] rule 5 permit udp source-port eq 1701 [LNS-acl-adv-3000] quit
# Configure IPSec proposal tran1.
[LNS] ipsec proposal tran1 [LNS-ipsec-proposal-tran1] transform esp [LNS-ipsec-proposal-tran1] esp authentication-algorithm sha2-256 [LNS-ipsec-proposal-tran1] esp encryption-algorithm aes-128 [LNS-ipsec-proposal-tran1] quit
# Configure an IKE proposal.
[LNS] ike proposal 10 [LNS_ike-proposal-10] authentication-method pre-share [LNS_ike-proposal-10] authentication-algorithm sha2-256 [LNS_ike-proposal-10] encryption-algorithm aes-128 [LNS_ike-proposal-10] dh group2 [LNS_ike-proposal-10] quit
# Configure an IKE peer.
[LNS] ike peer a [LNS-ike-peer-a] local-id-type ip [LNS-ike-peer-a] ike-proposal 10 [LNS-ike-peer-a] pre-shared-key Admin@123 [LNS-ike-peer-a] quit
# Configure an IPSec policy in the template mode.
[LNS] ipsec policy-template policy_temp 1 [LNS-ipsec-policy-templet-policy_temp-1] security acl 3000 [LNS-ipsec-policy-templet-policy_temp-1] proposal tran1 [LNS-ipsec-policy-templet-policy_temp-1] ike-peer a [LNS-ipsec-policy-templet-policy_temp-1] quit [LNS] ipsec policy policy 10 isakmp template policy_temp
# Apply the IPSec policy to GigabitEthernet 1/0/1.
[LNS] interface GigabitEthernet 1/0/1 [LNS-GigabitEthernet1/0/1] ipsec policy policy [LNS-GigabitEthernet1/0/1] quit
- Configure L2TP.
- Configure a route to the headquarters intranet.
To communicate with traveling employees, the headquarters server must have routes to the employees. The IP addresses in the routes must be allocated from the L2TP address pool and the next hop must be the LAN interface address of the FW.
- Configure the mobile employee's PC.
- As shown in Figure 3-25, click
in Dock. Alternatively, choose at the upper left corner of the system desktop.
- As shown in Figure 3-26, choose .
- As shown in Figure 3-27, click + in the lower left corner to create a network connection.
- Figure 3-28 shows the configuration page. Set Interface to VPN, VPN Type to L2TP over IPSec, and Service Name to any value (using VPN(L2TP) as an example). After the configuration is complete, click Create.
- As shown in Figure 3-29, click in the left column. Server Address indicates the IP address of the interface on the LNS connecting to the Internet. 1.1.1.2 is used as an example. Account Name indicates the user name registered with the LNS. macpc is used as an example.
- Click Authentication Settings... shown in Figure 3-29. On the page shown in Figure 3-30, choose , and enter an authentication password (using abcd1234! as an example) for user macpc. Then choose and enter the preshared key (using abc123 as an example). After the configuration is complete, click OK.
- Click Advanced... in the lower right corner of Figure 3-29. On the page shown in Figure 3-31, select the first three items of Session on the tab page. After the configuration is complete, click OK.
- As shown in Figure 3-25, click
in Dock. Alternatively, choose 
Verification
Click Connect to set up a VPN tunnel.
After the VPN tunnel is set up, the connection status changes, as shown in the following figure:The displayed information shows that the VPN connection is Connected, the connection duration is 00:00:39, and the IP address assigned to the LAC client is 10.1.1.2. To terminate the VPN connection, click Disconnect.
When a VPN user is connected, run the display l2tp tunnel command on the LNS. You can find that a tunnel is established successfully.
<LNS> display l2tp tunnel L2TP::Total Tunnel: 1 LocalTID RemoteTID RemoteAddress Port Sessions RemoteName VpnInstance ------------------------------------------------------------------------------ 1 11800 3.3.3.3 54175 1 anonymous ------------------------------------------------------------------------------ Total 1, 1 printed
Run the display l2tp session command on the LNS. You can find that a session is successfully established.
<LNS> display l2tp session L2TP::Total Session: 1 LocalSID RemoteSID LocalTID RemoteTID UserID UserName VpnInstance ------------------------------------------------------------------------------ 1 2688 1 11800 30629 vpdnuser ------------------------------------------------------------------------------ Total 1, 1 printed
Run the display ike sa and display ipsec sa brief commands on the LNS. You can find that IKE and IPSec SAs are successfully established.
<LNS> display ike sa IKE SA information : Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID ------------------------------------------------------------------------------- 65254213 3.3.3.3:5524 RD|A v1:2 IP 3.3.3.3 65254123 3.3.3.3:5524 RD|A v1:1 IP 3.3.3.3 Number of IKE SA : 2 ------------------------------------------------------------------------------- Flag Description: RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING<LNS> display ipsec sa brief current ipsec sa number: 2 current ipsec tunnel number: 1 Src Address Dst Address SPI Protocol Algorithm ------------------------------------------------------------------------------ 3.3.3.3 1.1.1.2 1826317110 ESP E:3DES A:SHA1-96 1.1.1.2 3.3.3.3 209587142 ESP E:3DES A:SHA1-96
Configuration Files
# sysname LNS # l2tp enable l2tp domain suffix-separator @ # acl number 3000 rule 5 permit udp source-port eq 1701 # ipsec proposal tran1 esp authentication-algorithm sha2-256 esp encryption-algorithm aes-128 # ike proposal 10 encryption-algorithm aes-128 dh group14 authentication-algorithm sha2-256 authentication-method pre-share integrity-algorithm hmac-sha2-256 prf hmac-sha2-256 # ike peer a local-id-type ip pre-shared-key %^%#)AsqM;q*K2"R^y0LfgB<D011%^%# ike-proposal 10 # ipsec policy-template policy_temp 1 security acl 3000 ike-peer a alias policy_temp_1 proposal tran1 # ipsec policy policy 10 isakmp template policy_temp # interface GigabitEthernet1/0/1 undo shutdown ip address 1.1.1.2 255.255.255.0 ipsec policy policy # interface GigabitEthernet1/0/3 undo shutdown ip address 192.168.1.1 255.255.255.0 # interface Virtual-Template1 ppp authentication-mode chap pap ip address 10.1.1.1 255.255.255.0 remote service-scheme l2tp # firewall zone trust set priority 85 add interface GigabitEthernet1/0/3 # firewall zone untrust set priority 5 add interface GigabitEthernet1/0/1 add interface Virtual-Template1 # l2tp-group default-lns allow l2tp virtual-template 1 undo tunnel authentication # ip pool pool1 section 1 10.1.1.2 10.1.1.100 # aaa authentication-scheme default authentication-mode local domain default authentication-scheme default service-scheme l2tp # security-policy rule name policy_ipsec_1 source-zone untrust destination-zone trust source-address range 10.1.1.2 10.1.1.100 destination-address 192.168.1.0 255.255.255.0 action permit rule name policy_ipsec_2 source-zone trust destination-zone untrust source-address range 192.168.1.0 255.255.255.0 destination-address 10.1.1.2 10.1.1.100 action permit rule name policy_ipsec_3 source-zone untrust destination-zone local destination-address 1.1.1.2 255.255.255.255 action permit rule name policy_ipsec_4 source-zone local destination-zone untrust source-address 1.1.1.2 255.255.255.255 action permit # return The following configurations for creating users/groups are stored in the database, not described in the configuration file. user-manage user vpdnuser domain default password *********