CLI: Example for Configuring Mobile Office Users Accessing the Enterprise Intranet Using the SecoClient Through the L2TP over IPSec VPN Tunnel (Using USB Key Digital Signature Certificate Authentication)
This section describes how to configure related data so that mobile office users can use the SecoClient to access the enterprise intranet through the L2TP over IPSec VPN tunnel after USB key digital signature certificate authentication.
Networking Requirements
Figure 3-5 shows the network topology. An enterprise has the following requirements: Mobile office users access intranet resources through the L2TP over IPSec VPN tunnel and use the USB key digital signature certificate for identity authentication.
Data Planning
Item | Data
---|---
Interface | GigabitEthernet 1/0/1: IP address 1.1.1.1/24, security zone Untrust<br>GigabitEthernet 1/0/2: IP address 10.1.1.1/24, security zone Trust
L2TP configuration | User name: user0001<br>Password: Password@123<br>Address pool: 172.16.1.1 to 172.16.1.100<br>Tunnel authentication password: Hello@123<br>NOTE: If the intranet server IP address and the IP addresses in the address pool are on different subnets, configure a route to the address pool on the intranet server.
IPSec configuration | Establishment mode: policy template<br>Authentication mode: RSA signature (USB key digital signature certificate authentication)<br>Local ID: DN (subject)<br>Peer ID: any peer ID<br>Security protocol: ESP<br>IKE authentication algorithm: SHA1<br>IKE encryption algorithm: AES-256<br>ESP authentication algorithm: SHA2-256<br>ESP encryption algorithm: AES-256<br>DH group: Group5
Mobile office user (SecoClient) | User name: user0001<br>Password: Password@123<br>NOTE: The L2TP/IPSec connection parameter settings on the SecoClient must be consistent with those on the FW. Otherwise, the connection cannot be established.
Configuration Roadmap
- Configure basic data of the FW, including interfaces, security policies, and routes.
- Configure the FW to apply for local and CA certificates in online mode using SCEP.
- Configure L2TP over IPSec on the FW, including creating users, address pools, L2TP groups, and IPSec policies.
- Configure the SecoClient on the PC of the mobile office user and insert the USB key for authentication.
Procedure
- Configure basic data of the FW.
- Configure IP addresses for interfaces.
# Configure an IP address for GigabitEthernet 1/0/1.
<sysname> system-view
[sysname] sysname FW
[FW] interface GigabitEthernet1/0/1
[FW-GigabitEthernet1/0/1] ip address 1.1.1.1 24
[FW-GigabitEthernet1/0/1] quit
# Configure an IP address for GigabitEthernet 1/0/2.
[FW] interface GigabitEthernet1/0/2
[FW-GigabitEthernet1/0/2] ip address 10.1.1.1 24
[FW-GigabitEthernet1/0/2] quit
- Assign interfaces to security zones.
# Assign GigabitEthernet 1/0/2 to the Trust zone.
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet1/0/2
[FW-zone-trust] quit
# Assign GigabitEthernet 1/0/1 to the Untrust zone.
[FW] firewall zone untrust
[FW-zone-untrust] add interface GigabitEthernet1/0/1
[FW-zone-untrust] quit
- Configure interzone security policies.
# Configure an Untrust -> Local policy to allow mobile office users to establish an IPSec tunnel to the headquarters.
[FW] security-policy
[FW-policy-security] rule name l2tpipsec_ul
[FW-policy-security-rule-l2tpipsec_ul] source-zone untrust
[FW-policy-security-rule-l2tpipsec_ul] destination-zone local
[FW-policy-security-rule-l2tpipsec_ul] destination-address 1.1.1.1 24
[FW-policy-security-rule-l2tpipsec_ul] action permit
[FW-policy-security-rule-l2tpipsec_ul] quit
# Configure a Trust -> Untrust policy to allow the headquarters to initiate access to mobile office users.
[FW-policy-security] rule name l2tpipsec_tu
[FW-policy-security-rule-l2tpipsec_tu] source-zone trust
[FW-policy-security-rule-l2tpipsec_tu] destination-zone untrust
[FW-policy-security-rule-l2tpipsec_tu] source-address 10.1.2.0 24
[FW-policy-security-rule-l2tpipsec_tu] destination-address range 172.16.1.1 172.16.1.100
[FW-policy-security-rule-l2tpipsec_tu] action permit
[FW-policy-security-rule-l2tpipsec_tu] quit
# Configure an Untrust -> Trust policy to allow mobile office users to initiate access to the headquarters.
[FW-policy-security] rule name l2tpipsec_ut
[FW-policy-security-rule-l2tpipsec_ut] source-zone untrust
[FW-policy-security-rule-l2tpipsec_ut] destination-zone trust
[FW-policy-security-rule-l2tpipsec_ut] source-address range 172.16.1.1 172.16.1.100
[FW-policy-security-rule-l2tpipsec_ut] destination-address 10.1.2.0 24
[FW-policy-security-rule-l2tpipsec_ut] action permit
[FW-policy-security-rule-l2tpipsec_ut] quit
[FW-policy-security] quit
- Configure a route to the Internet.
In the example, the next-hop IP address from the FW to the Internet is 1.1.1.2.
[FW] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
- Apply for certificates in online mode for the FW using SCEP.
Create a 2048-bit RSA key pair rsa_scep, and set it to be exportable from the device.
[FW] pki rsa local-key-pair create rsa_scep exportable
Info: The name of the new key-pair will be: rsa_scep
The size of the public key ranges from 2048 to 4096.
Input the bits in the modules:2048
Generating key-pairs...
..................+++
.+++
Configure entity information.
[FW] pki entity user01
[FW-pki-entity-user01] common-name devicea
[FW-pki-entity-user01] country cn
[FW-pki-entity-user01] email test@user.com
[FW-pki-entity-user01] fqdn test.abc.com
[FW-pki-entity-user01] ip-address 1.1.1.1
[FW-pki-entity-user01] state beijing
[FW-pki-entity-user01] organization huawei
[FW-pki-entity-user01] organization-unit dev
[FW-pki-entity-user01] quit
- Apply for certificates in online mode using SCEP, and update the certificates.
The fingerprint of the CA certificate is obtained from the CA server. In this example, the CA server (IP address 10.10.10.10) runs Windows Server 2008. Assume that the CA server uses a challenge password to process certificate applications and that the challenge password is 6AE73F21E6D3571D. The challenge password and the fingerprint can be obtained at http://10.10.10.10:8080/certsrv/mscep_admin. The SHA1 fingerprint of the CA certificate is 6330974fb2fe3c52d16bdac40140918b4bcd3ec7, and the URL from which the certificate is obtained is http://10.10.10.10:8080/certsrv/mscep/mscep.dll.
[FW] pki realm usbkeyclient
# Configure a trusted CA.
[FW-pki-realm-usbkeyclient] ca id ca_root
# Bind an entity.
[FW-pki-realm-usbkeyclient] entity user01
# Configure the fingerprint of the CA certificate. In the example, the CA certificate fingerprint is 6330974fb2fe3c52d16bdac40140918b4bcd3ec7.
[FW-pki-realm-usbkeyclient] fingerprint sha1 6330974fb2fe3c52d16bdac40140918b4bcd3ec7
# Configure the URL of the CA for certificate application.
[FW-pki-realm-usbkeyclient] enrollment-url http://10.10.10.10:8080/certsrv/mscep/mscep.dll ra
# Specify the RSA key pair for certificate application.
[FW-pki-realm-usbkeyclient] rsa local-key-pair rsa_scep
# Specify the challenge password. In the example, the challenge password is 6AE73F21E6D3571D.
[FW-pki-realm-usbkeyclient] password cipher 6AE73F21E6D3571D
[FW-pki-realm-usbkeyclient] quit
# Obtain the CA certificate and save it to the local computer.
[FW] pki get-certificate ca realm usbkeyclient
The obtained CA certificate is named usbkeyclient_ca.cer and saved in the device storage.
# Import the CA certificate to the memory.
[FW] pki import-certificate ca filename usbkeyclient_ca.cer
The CA's Subject is /CN=ca_root
The CA's fingerprint is:
MD5 fingerprint:1135 25D8 96D3 5936 C382 35EA 2CEE 80EB
SHA1 fingerprint:6330 974F B2FE 3C52 D16B DAC4 0140 918B 4BCD 3EC7
Is the fingerprint correct?(Y/N):y
Info: Succeeded in importing file.
The device then obtains the local certificate usbkeyclient_local.cer and installs it automatically.
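The fingerprint check in the import step above is the only thing that ties the downloaded CA certificate to the CA you intended to trust: SCEP enrollment is done over plain HTTP, so an administrator confirming "Y" without comparing the printed value accepts whatever certificate arrived. The following Python script is an added example, not part of this configuration example or of the FW software. It shows how to compute a certificate fingerprint off the device and compare it in constant time against the value read from the CA admin page, accepting DER or PEM input and the grouped upper-case form the FW prints (6330 974F B2FE ...) as well as colon-separated or plain hex. The sample "certificate" bytes and the function names are constructed for the demonstration; a fingerprint is a hash over the DER bytes, so any byte string illustrates the procedure.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for a DER-encoded CA certificate (NOT a real certificate).
# A fingerprint is just a hash over the DER bytes the CA server handed out, so
# any byte string serves to demonstrate the comparison.
SAMPLE_DER = bytes(range(256)) * 2


def pem_to_der(pem_text):
    """Return the DER bytes inside a PEM CERTIFICATE block.

    Fingerprints are computed over DER; hashing the PEM text itself gives a
    value that never matches what the CA or the FW prints.
    """
    match = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                      pem_text, re.S)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()))


def load_cert_der(data):
    """Accept DER or PEM input and return DER."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return pem_to_der(data.decode("ascii"))
    return data


def normalize_fingerprint(text):
    """Canonicalise a fingerprint as printed by a CA page or a device.

    Handles '6330 974F B2FE ...' (grouped, upper case), '63:30:97:4f:...'
    (colon separated) and plain hex; returns lower-case hex, no separators.
    """
    cleaned = re.sub(r"[\s:]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError("fingerprint is not hexadecimal")
    return cleaned


def fingerprint(der, algorithm="sha1"):
    """Hex fingerprint of DER bytes; sha1 matches the FW's 'fingerprint sha1'."""
    return hashlib.new(algorithm, der).hexdigest()


def fingerprint_matches(cert_data, expected, algorithm="sha1"):
    """True only if the certificate's hash equals the expected value.

    The length check rejects a value for a different hash size; the comparison
    itself is constant-time.
    """
    actual = fingerprint(load_cert_der(cert_data), algorithm)
    wanted = normalize_fingerprint(expected)
    if len(actual) != len(wanted):
        return False
    return hmac.compare_digest(actual, wanted)


def sample_pem():
    """Constructed PEM wrapping SAMPLE_DER, for the demonstration only."""
    body = base64.b64encode(SAMPLE_DER).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # In practice 'expected' is the value read from the CA admin page.
    expected = fingerprint(SAMPLE_DER)
    grouped = " ".join(expected[i:i + 4] for i in range(0, 40, 4)).upper()
    print("SHA1 fingerprint:", grouped)
    print("DER input matches:     ", fingerprint_matches(SAMPLE_DER, grouped))
    print("PEM input matches:     ", fingerprint_matches(sample_pem().encode(), expected))
    tampered = SAMPLE_DER[:-1] + bytes([SAMPLE_DER[-1] ^ 0x01])
    print("Tampered cert matches: ", fingerprint_matches(tampered, expected))
```

Run it against the real usbkeyclient_ca.cer exported from the device (or the certificate downloaded from the CA web page) with the value shown on the mscep_admin page as `expected`; a False result means the certificate must not be imported, whatever the import prompt on the device shows.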
- Configure an L2TP access user and an authentication policy on the FW.
- Configure an address pool.
[FW] ip pool pool0
[FW-ip-pool-pool0] section 0 172.16.1.1 172.16.1.100
[FW-ip-pool-pool0] quit
If the address pool addresses and headquarters addresses reside on the same subnet, you must enable the ARP proxy function on the LNS interface connecting to the headquarters to ensure that the LNS can respond to the ARP requests from the servers at the headquarters.
- Configure an authentication scheme.
[FW] aaa
[FW-aaa] authentication-scheme scheme0
[FW-aaa-authen-scheme0] authentication-mode local
[FW-aaa-authen-scheme0] quit
- Configure a service scheme for access users.
[FW-aaa] service-scheme l2tp
[FW-aaa-service-l2tp] ip-pool pool0
[FW-aaa-service-l2tp] quit
- Configure an authentication domain and reference the authentication scheme and the service scheme for access users.
[FW-aaa] domain domain0
[FW-aaa-domain-domain0] service-type l2tp
[FW-aaa-domain-domain0] authentication-scheme scheme0
[FW-aaa-domain-domain0] service-scheme l2tp
[FW-aaa-domain-domain0] quit
[FW-aaa] quit
- Configure a group and a user for the mobile office user.
[FW] user-manage user user0001 domain domain0
[FW-localuser-user0001@domain0] password Password@123
[FW-localuser-user0001@domain0] quit
- Configure L2TP on the FW.
- Enable the L2TP function.
[FW] l2tp enable
- Configure the Virtual-Template interface.
[FW] interface Virtual-Template 0
[FW-Virtual-Template0] ppp authentication-mode pap
[FW-Virtual-Template0] remote service-scheme l2tp
[FW-Virtual-Template0] ip address 172.16.1.101 24
[FW-Virtual-Template0] quit
- The IP address of the Virtual-Template interface must not fall inside the address pool or duplicate the IP address of any other interface. Any other IP address can be used.
- The service scheme for assigning IP addresses for the remote peers must be the same as the service scheme configured in the AAA domain. Otherwise, the LNS cannot assign addresses for clients.
- A Virtual-Template interface can join any security zone. After you assign the Virtual-Template interface to a security zone, enable the security policy between the security zone of the Virtual-Template interface and the security zone of the headquarters network to permit the interzone traffic. You also need to enable the security policy between the Local zone and the security zone of the physical interface that the FW uses to send and receive L2TP tunnel packets to permit the traffic between the two zones.
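The addressing rules in the notes above (and the ARP proxy note under the address pool step) are easy to get wrong when the plan is changed later. The following Python script is an added example, not part of this configuration example or of the FW software; it checks a planned Virtual-Template address against the address pool and the other interface addresses, and reports whether the pool's relation to the headquarters subnet calls for ARP proxy on the LNS LAN interface or for a route to the pool on the headquarters side. It uses only the standard ipaddress module; the function names are constructed for this example, and 10.1.2.0/24 is taken from the security policies above as the headquarters network.

```python
import ipaddress


def pool_range(start, end):
    """Return the first and last host address of an address-pool section."""
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if first > last:
        raise ValueError(f"pool start {first} is after pool end {last}")
    return first, last


def check_lns_address_plan(vt_ip, pool_start, pool_end, interface_ips, intranet_subnets):
    """Check an LNS addressing plan; returns a list of (level, message) findings.

    level 'error' means the plan violates a rule and must change; level 'note'
    names a follow-up configuration the plan implies (ARP proxy or a route).
    """
    findings = []
    vt = ipaddress.ip_interface(vt_ip)
    first, last = pool_range(pool_start, pool_end)

    # Rule 1: the Virtual-Template address must not lie inside the address pool.
    if first <= vt.ip <= last:
        findings.append(("error", f"Virtual-Template address {vt.ip} lies inside "
                                  f"the address pool {first}-{last}"))

    # Rule 2: it must not duplicate the address of any other interface.
    for other in interface_ips:
        if ipaddress.ip_interface(other).ip == vt.ip:
            findings.append(("error", f"Virtual-Template address {vt.ip} duplicates "
                                      f"interface address {other}"))

    # Rule 3: pool on the same subnet as the headquarters network -> enable ARP
    # proxy on the LNS LAN interface; otherwise the intranet needs a route to
    # the pool with the FW LAN interface as next hop.
    pool_nets = list(ipaddress.summarize_address_range(first, last))
    for subnet in intranet_subnets:
        net = ipaddress.ip_network(subnet)
        if any(net.overlaps(p) for p in pool_nets):
            findings.append(("note", f"address pool {first}-{last} shares subnet {net} with "
                                     f"the headquarters: enable ARP proxy on the LNS LAN interface"))
        else:
            findings.append(("note", f"configure a route to {first}-{last} on the headquarters "
                                     f"gateway/servers in {net}, next hop the FW LAN interface"))
    return findings


def plan_is_valid(findings):
    """True when no finding has level 'error'."""
    return not any(level == "error" for level, _ in findings)


if __name__ == "__main__":
    # Values from this example's data plan.
    result = check_lns_address_plan("172.16.1.101/24", "172.16.1.1", "172.16.1.100",
                                    ["1.1.1.1/24", "10.1.1.1/24"], ["10.1.2.0/24"])
    for level, message in result:
        print(f"[{level}] {message}")
    print("plan valid:", plan_is_valid(result))
```

For the plan on this page the script reports no error and one note, the route to the pool that the data-planning table and the later routing step both require.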
- Add the Virtual-Template interface to the Untrust zone.
[FW] firewall zone untrust
[FW-zone-untrust] add interface Virtual-Template 0
[FW-zone-untrust] quit
- Create an L2TP group, bind the Virtual-Template interface to the group, and configure the tunnel authentication function.
[FW] l2tp-group l2tp-lns
[FW-l2tp-l2tp-lns] allow l2tp virtual-template 0
[FW-l2tp-l2tp-lns] tunnel authentication
[FW-l2tp-l2tp-lns] tunnel password cipher Hello@123
[FW-l2tp-l2tp-lns] quit
- Configure an IPSec policy on the FW and apply it to the interface.
- Create advanced ACL 3000.
[FW] acl 3000
[FW-acl-adv-3000] rule 5 permit udp source-port eq 1701
[FW-acl-adv-3000] quit
During L2TP over IPSec encapsulation, L2TP encapsulation occurs before IPSec encapsulation. Therefore, the ACL matches on the L2TP port (UDP port 1701), and all L2TP packets are transmitted through the IPSec tunnel.
- Configure IPSec proposal prop0.
[FW] ipsec proposal prop0
[FW-ipsec-proposal-prop0] encapsulation-mode auto
[FW-ipsec-proposal-prop0] transform esp
[FW-ipsec-proposal-prop0] esp authentication-algorithm sha2-256
[FW-ipsec-proposal-prop0] esp encryption-algorithm aes-256
[FW-ipsec-proposal-prop0] quit
- Configure an IKE proposal.
[FW] ike proposal 10
[FW-ike-proposal-10] authentication-method rsa-signature
[FW-ike-proposal-10] authentication-algorithm sha2-256
[FW-ike-proposal-10] encryption-algorithm aes-256
[FW-ike-proposal-10] dh group5
[FW-ike-proposal-10] quit
- Configure an IKE peer.
[FW] ike peer peer0
[FW-ike-peer-peer0] ike-proposal 10
[FW-ike-peer-peer0] exchange-mode auto
[FW-ike-peer-peer0] local-id-type dn
[FW-ike-peer-peer0] resource acl 3000
[FW-ike-peer-peer0] certificate local-filename usbkeyclient_local.cer
[FW-ike-peer-peer0] quit
The resource acl command sets the ACL information that the headquarters gateway pushes to the mobile office user. After IKE SA phase 1 is established between the headquarters and mobile office user, the headquarters pushes the ACL information to the user upon the receipt of an ACL request from the user. The ACL restricts the access scope. Only the traffic destined for the IP addresses specified in the ACL can pass through the IPSec tunnel.
- Configure a template IPSec policy.
[FW] ipsec policy-template policy_temp0 1
[FW-ipsec-policy-template-policy_temp0-1] security acl 3000
[FW-ipsec-policy-template-policy_temp0-1] proposal prop0
[FW-ipsec-policy-template-policy_temp0-1] ike-peer peer0
[FW-ipsec-policy-template-policy_temp0-1] quit
[FW] ipsec policy ipsec_policy0 10 isakmp template policy_temp0
- Apply IPSec policy ipsec_policy0 to GigabitEthernet 1/0/1.
[FW] interface GigabitEthernet1/0/1
[FW-GigabitEthernet1/0/1] ipsec policy ipsec_policy0
[FW-GigabitEthernet1/0/1] quit
[FW] quit
- Configure a route for the traffic from the headquarters gateway to the L2TP address pool.
The headquarters gateway can communicate with mobile office users only when it has a route to the L2TP address pool. The next hop of the route must be the address of the LAN interface on the FW.
- Configure the SecoClient at the mobile office user side.
- On the PC, download the CA certificate, and apply for and install the user (client) certificate.
- Export the user (client) certificate in .pfx format from the PC, insert the USB key, and import the certificate into the USB key.
For details about how to import and install a certificate in the USB key, see the related guide of the USB key.
- Start the SecoClient. The main window is displayed.
Select New Connection from the Connect drop-down list.
- Set L2TP VPN connection parameters.
In the New Connection dialog box, select L2TP/IPSec from the left navigation tree and set connection parameters.
- Configure IPSec.
- Log in to the L2TP over IPSec VPN gateway.
- Insert the USB key into the USB port of the terminal.
- Select the created L2TP over IPSec VPN connection from the Connect drop-down list, and click Connect.
- In the login dialog box, enter the user name and password, and select the identified USB key certificate.
- Click Login to initiate a VPN connection.
If the VPN connection succeeds, a message is displayed in the lower right corner of the screen.
After the connection is set up, mobile office users can access intranet resources as enterprise intranet users.
Verification
On the PC of the mobile office user, you can see that an address between 172.16.1.1 and 172.16.1.100 on the 172.16.1.0/24 segment has been allocated, and the user can access server resources at the headquarters.
- After a VPN user connects, run the display l2tp tunnel command on the FW. The tunnel is established successfully.
<FW> display l2tp tunnel
L2TP::Total Tunnel: 1
LocalTID RemoteTID RemoteAddress   Port   Sessions RemoteName   VpnInstance
------------------------------------------------------------------------------
1        1         3.3.3.3         5524   1        tunnel
------------------------------------------------------------------------------
Total 1, 1 printed
- Run the display l2tp session command on the FW. The session is successfully established.
<FW> display l2tp session
L2TP::Total Session: 1
LocalSID RemoteSID LocalTID RemoteTID UserID   UserName   VpnInstance
------------------------------------------------------------------------------
1        2688      1        11800     30629    user0001
------------------------------------------------------------------------------
Total 1, 1 printed
- On the FW, run the display ike sa and display ipsec sa brief commands. The IKE SAs and IPSec SAs are established successfully.
<FW> display ike sa
Ike sa information :
Conn-ID    Peer       VPN   Flag(s)    Phase   RemoteType   RemoteID
------------------------------------------------------------------------------
16777239   3.3.3.3          RD|ST|A    v2:2    DN           usbkey
16777232   3.3.3.3          RD|ST|A    v2:1    DN           usbkey
Number of SA entries : 2
Number of SA entries of all cpu : 2
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING
<FW> display ipsec sa brief
Current ipsec sa num:2
Spu board slot 1, cpu 0 ipsec sa information:
Number of SAs:2
Src Address      Dst Address      SPI          VPN   Protocol   Algorithm
--------------------------------------------------------------------------------------
3.3.3.3          1.1.1.1          1826317110         ESP        E:AES-256 A:SHA2_256_128
1.1.1.1          3.3.3.3          209587142          ESP        E:AES-256 A:SHA2_256_128
Number of IPSec SA : 2
--------------------------------------------------------------------------------------
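Reading these four outputs by eye confirms that a tunnel exists, but not that it negotiated the planned cipher suite: a client whose IPSec settings differ from the FW can still come up on whatever the proposal allows. The following Python script is an added example, not part of this configuration example or of the FW software. It parses the display l2tp tunnel, display l2tp session, display ike sa and display ipsec sa brief outputs and checks them against the data plan (user user0001, ESP with AES-256 and SHA2-256, every IKE SA in the READY state). The sample outputs are reconstructed from the ones shown above with the column layout approximated; the function names and the column regular expressions are constructed for this example and may need adjustment for other software versions.

```python
import re

IPV4 = r"\d+\.\d+\.\d+\.\d+"

# Sample command output, reconstructed from the output shown in this example
# with the column layout approximated; constructed for the demonstration.
L2TP_TUNNEL = """\
<FW> display l2tp tunnel
L2TP::Total Tunnel: 1
LocalTID RemoteTID RemoteAddress  Port  Sessions RemoteName VpnInstance
------------------------------------------------------------------------------
1        1         3.3.3.3        5524  1        tunnel
Total 1, 1 printed
"""
L2TP_SESSION = """\
<FW> display l2tp session
L2TP::Total Session: 1
LocalSID RemoteSID LocalTID RemoteTID UserID UserName VpnInstance
------------------------------------------------------------------------------
1        2688      1        11800     30629  user0001
Total 1, 1 printed
"""
IKE_SA = """\
<FW> display ike sa
Ike sa information :
Conn-ID    Peer     VPN  Flag(s)  Phase  RemoteType  RemoteID
------------------------------------------------------------------------------
16777239   3.3.3.3       RD|ST|A  v2:2   DN          usbkey
16777232   3.3.3.3       RD|ST|A  v2:1   DN          usbkey
Number of SA entries : 2
"""
IPSEC_SA = """\
<FW> display ipsec sa brief
Current ipsec sa num:2
Src Address  Dst Address  SPI         VPN  Protocol  Algorithm
--------------------------------------------------------------------------------------
3.3.3.3      1.1.1.1      1826317110       ESP       E:AES-256 A:SHA2_256_128
1.1.1.1      3.3.3.3      209587142        ESP       E:AES-256 A:SHA2_256_128
Number of IPSec SA : 2
"""


def _rows(text, pattern, names):
    """Return one dict per line of text that matches the row pattern."""
    rx = re.compile(pattern)
    return [dict(zip(names, m.groups()))
            for line in text.splitlines() if (m := rx.match(line.strip()))]


def parse_l2tp_tunnels(text):
    return _rows(text, rf"^(\d+)\s+(\d+)\s+({IPV4})\s+(\d+)\s+(\d+)\s+(\S+)",
                 ("local_tid", "remote_tid", "remote_addr", "port", "sessions", "remote_name"))


def parse_l2tp_sessions(text):
    return _rows(text, r"^(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)",
                 ("local_sid", "remote_sid", "local_tid", "remote_tid", "user_id", "user_name"))


def parse_ike_sa(text):
    # The VPN column is blank for the public instance, so it is optional.
    rows = _rows(text, rf"^(\d+)\s+({IPV4})\s+(?:(\S+)\s+)?([A-Z|]+)\s+(v\d:\d)\s+(\S+)\s+(\S+)",
                 ("conn_id", "peer", "vpn", "flags", "phase", "remote_type", "remote_id"))
    for r in rows:
        r["flags"] = set(r["flags"].split("|"))   # e.g. {"RD", "ST", "A"}
    return rows


def parse_ipsec_sa_brief(text):
    return _rows(text, rf"^({IPV4})\s+({IPV4})\s+(\d+)\s+(?:(\S+)\s+)?(ESP|AH)\s+E:(\S+)\s+A:(\S+)",
                 ("src", "dst", "spi", "vpn", "protocol", "encryption", "authentication"))


def verify_vpn_state(tunnel_out, session_out, ike_out, ipsec_out, user="user0001",
                     encryption="AES-256", authentication="SHA2_256_128"):
    """Compare the live state with the data plan; an empty list means all checks passed."""
    problems = []
    if not parse_l2tp_tunnels(tunnel_out):
        problems.append("no L2TP tunnel is established")
    if user not in {s["user_name"] for s in parse_l2tp_sessions(session_out)}:
        problems.append(f"no L2TP session for user {user}")
    ike = parse_ike_sa(ike_out)
    if not ike:
        problems.append("no IKE SA present")
    for sa in ike:
        if "RD" not in sa["flags"]:   # RD--READY per the flag legend
            problems.append(f"IKE SA {sa['conn_id']} to {sa['peer']} is not READY")
    ipsec = parse_ipsec_sa_brief(ipsec_out)
    if len(ipsec) < 2:
        problems.append("expected an inbound and an outbound IPSec SA")
    for sa in ipsec:
        got = (sa["protocol"], sa["encryption"], sa["authentication"])
        if got != ("ESP", encryption, authentication):
            problems.append(f"IPSec SA {sa['src']}->{sa['dst']} negotiated {got}, "
                            f"planned ('ESP', '{encryption}', '{authentication}')")
    return problems


if __name__ == "__main__":
    issues = verify_vpn_state(L2TP_TUNNEL, L2TP_SESSION, IKE_SA, IPSEC_SA)
    print("OK: live state matches the plan" if not issues else "\n".join(issues))
```

In operation the four strings would be captured from the FW CLI instead of embedded; the same check can be run periodically so that a renegotiation to a weaker suite, or a tunnel that is up without a READY IKE SA, is reported rather than noticed by chance.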
Configuration Scripts
#
 sysname FW
#
 l2tp enable
#
acl number 3000
 rule 5 permit udp source-port eq 1701
#
ipsec proposal prop0
 encapsulation-mode auto
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal 10
 encryption-algorithm aes-256
 dh group5
 authentication-algorithm sha2-256
 authentication-method rsa-signature
#
ike peer peer0
 exchange-mode auto
 ike-proposal 10
 local-id-type dn
 resource acl 3000
 certificate local-filename usbkeyclient_local.cer
#
ipsec policy-template policy_temp0 1
 security acl 3000
 ike-peer peer0
 proposal prop0
#
ipsec policy ipsec_policy0 10 isakmp template policy_temp0
#
pki entity user01
 country CN
 state beijing
 organization huawei
 organization-unit dev
 common-name devicea
 fqdn test.abc.com
 ip-address 1.1.1.1
 email test@user.com
#
pki realm usbkeyclient
 ca id ca_root
 enrollment-url http://10.10.10.10:8080/certsrv/mscep/mscep.dll ra
 entity user01
 fingerprint sha1 6330974fb2fe3c52d16bdac40140918b4bcd3ec7
 rsa local-key-pair rsa_scep
 password cipher %$%$r1OA2scco3r5w.A\:(18v%+z%$%$
#
ip pool pool0
 section 0 172.16.1.1 172.16.1.100
#
aaa
 service-scheme l2tp
  ip-pool pool0
 domain domain0
  authentication-scheme scheme0
  service-scheme l2tp
  service-type l2tp
  internet-access mode password
  reference user current-domain
#
l2tp-group l2tp-lns
 tunnel password cipher %$%$Uv{@X=\}w"g`aV;UP.H9AY8J%$%$
 allow l2tp virtual-template 0 remote tunnel
#
interface Virtual-Template0
 ppp authentication-mode pap
 remote service-scheme l2tp
 ip address 172.16.1.101 255.255.255.0
 alias L2TP_LNS_0
 undo service-manage enable
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
 ipsec policy ipsec_policy0
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1
 add interface Virtual-Template0
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
#
security-policy
 rule name l2tpipsec_ul
  source-zone untrust
  destination-zone local
  destination-address 1.1.1.0 mask 255.255.255.0
  action permit
 rule name l2tpipsec_tu
  source-zone trust
  destination-zone untrust
  source-address 10.1.2.0 mask 255.255.255.0
  destination-address range 172.16.1.1 172.16.1.100
  action permit
 rule name l2tpipsec_ut
  source-zone untrust
  destination-zone trust
  source-address range 172.16.1.1 172.16.1.100
  destination-address 10.1.2.0 mask 255.255.255.0
  action permit
#
# The following user/group configuration is saved in the database and is not shown in the profile.
user-manage user user0001 domain domain0
 password Password@123