CLI: Example for Configuring L2TP over IPSec for Mobile Employees to Access the Headquarters Using the Windows 10 Client

HUAWEI USG Series Firewalls Interoperability Configuration Guide for VPN

This document provides the guide for configuring a Huawei firewall to use VPN to communicate with a non-Huawei device.

Rate and give feedback:

Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).

CLI: Example for Configuring L2TP over IPSec for Mobile Employees to Access the Headquarters Using the Windows 10 Client

This section describes how to configure L2TP over IPSec for Windows so that mobile employees can use the Windows L2TP client to dial in the server at the headquarters.

Networking Requirements

As shown in Figure 3-9, the LAC client directly initiates a connection request to the LNS. The LAC client and LNS negotiate an IPSec tunnel, and perform L2TP negotiation to complete the identity authentication and establishment of an L2TP over IPSec tunnel. The data between the LAC client and the LNS is transmitted through the tunnel. The Layer 2 data is encapsulated using L2TP and then the data is encrypted using IPSec.

Figure 3-9 Networking diagram for configuring L2TP over IPSec for Windows
click to enlarge

Data Planning

Item	Data
LNS	Interface: GigabitEthernet 1/0/1 IP address: 1.1.1.2/24 Security zone: Untrust
Interface: GigabitEthernet 1/0/3 IP address: 192.168.1.1/24 Security zone: Trust
Address pool and user configuration IP pool 1 Address range: 10.1.1.2 to 10.1.1.100 User authentication name: vpdnuser Password for user authentication: Hello123
IPSec configuration Security protocol: ESP IKE authentication algorithm: SHA1 IKE encryption algorithm: 3DES ESP authentication algorithm: SHA1 ESP encryption algorithm: AES128 Pre-shared key: Admin@123 Local ID: IP address Peer ID: any IKE version: IKEv1
LAC	Internet address: 1.1.1.2 User name: vpdnuser Password: Hello123 Pre-shared key: Admin@123

Item

Data

LNS

Interface: GigabitEthernet 1/0/1

IP address: 1.1.1.2/24

Security zone: Untrust

Interface: GigabitEthernet 1/0/3

IP address: 192.168.1.1/24

Security zone: Trust

Address pool and user configuration

IP pool 1

Address range: 10.1.1.2 to 10.1.1.100

User authentication name: vpdnuser

Password for user authentication: Hello123

IPSec configuration

Security protocol: ESP

IKE authentication algorithm: SHA1

IKE encryption algorithm: 3DES

ESP authentication algorithm: SHA1

ESP encryption algorithm: AES128

Pre-shared key: Admin@123

Local ID: IP address

Peer ID: any

IKE version: IKEv1

LAC

Internet address: 1.1.1.2

User name: vpdnuser

Password: Hello123

Pre-shared key: Admin@123

Configuration Roadmap

Complete the basic configurations of the FW, including the configurations of interfaces, security policies, and routes.
Complete the L2TP over IPSec configuration on the FW.
On the mobile employee's PC, complete the configurations. The parameters on the PC must match those on the FW.

Procedure

Complete the basic configurations of the FW.

Configure an IP address for the interface.

Configure the IP address of interface GigabitEthernet 1/0/1.

<sysname> system-view
[sysname] sysname FW
[FW] interface GigabitEthernet 1/0/1 
[FW-GigabitEthernet1/0/1] ip address 1.1.1.2 24  
[FW-GigabitEthernet1/0/1] quit

Configure the IP address of interface GigabitEthernet 1/0/3.

[FW] interface GigabitEthernet 1/0/3 
[FW-GigabitEthernet1/0/3] ip address 192.168.1.1 24 
[FW-GigabitEthernet1/0/3] quit

Assign interfaces to security zones.

Add GigabitEthernet 1/0/3 to the Trust zone.

[FW] firewall zone trust 
[FW-zone-trust] add interface GigabitEthernet 1/0/3 
[FW-zone-trust] quit

Add GigabitEthernet 1/0/1 to the Untrust zone.

[FW] firewall zone untrust 
[FW-zone-untrust] add interface GigabitEthernet 1/0/1 
[FW-zone-untrust] quit

Configure interzone security policies.

# Configure a security policy to allow employees at the headquarters to initiate access traffic to mobile employees. The destination address of the security policy must be set to the address of the L2TP address pool.

[FW] security-policy
[FW-policy-security] rule name policy1
[FW-policy-security-rule-policy1] source-zone trust
[FW-policy-security-rule-policy1] destination-zone untrust
[FW-policy-security-rule-policy1] source-address 192.168.1.0 24
[FW-policy-security-rule-policy1] destination-address range 10.1.1.2 10.1.1.100
[FW-policy-security-rule-policy1] action permit
[FW-policy-security-rule-policy1] quit

# Configure a security policy to allow mobile employees to initiate access traffic to employees at the headquarters.

[FW-policy-security] rule name policy2
[FW-policy-security-rule-policy2] source-zone untrust
[FW-policy-security-rule-policy2] destination-zone trust
[FW-policy-security-rule-policy2] source-address range 10.1.1.2 10.1.1.100
[FW-policy-security-rule-policy2] destination-address 192.168.1.0 24
[FW-policy-security-rule-policy2] action permit
[FW-policy-security-rule-policy2] quit

# Configure a security policy to allow mobile employees to negotiate an IPSec tunnel with the headquarters.

[FW-policy-security] rule name policy3
[FW-policy-security-rule-policy3] source-zone local
[FW-policy-security-rule-policy3] destination-zone untrust
[FW-policy-security-rule-policy3] source-address 1.1.1.2 32
[FW-policy-security-rule-policy3] action permit
[FW-policy-security-rule-policy3] quit

[FW-policy-security] rule name policy4
[FW-policy-security-rule-policy4] source-zone untrust
[FW-policy-security-rule-policy4] destination-zone local
[FW-policy-security-rule-policy4] destination-address 1.1.1.2 32
[FW-policy-security-rule-policy4] action permit
[FW-policy-security-rule-policy4] quit
[FW-policy-security] quit

Configure an L2TP access user and an authentication policy on the FW.

Configure address pools.
```
[FW] ip pool pool1
[FW-ip-pool-pool1] section 1 10.1.1.2 10.1.1.100
[FW-ip-pool-pool1] quit
```
If the address pool addresses and headquarters addresses reside on the same subnet, you must enable the ARP proxy function on the LNS interface connecting to the headquarters to ensure that the LNS can respond to the ARP requests from the servers at the headquarters.

Set the authentication mode of authentication scheme default to local authentication.

[FW] aaa
[FW_aaa] authentication-scheme default 
[FW_aaa-authen-default] authentication-mode local
[FW_aaa-authen-default] quit

Configure the service scheme used by remote access users.

[FW] aaa
[FW-aaa] service-scheme l2tp 
[FW-aaa-service-l2tp] ip-pool pool1
[FW-aaa-service-l2tp] quit

Configure an authentication domain and reference the authentication scheme and service scheme used by access users.

[FW-aaa] domain net1
[FW-aaa-domain-net1] service-type l2tp
[FW-aaa-domain-net1] authentication-scheme default
[FW-aaa-domain-net1] service-scheme l2tp
[FW-aaa-domain-net1] quit
[FW-aaa] quit

Configure users and user groups for branch employees.

[FW] user-manage group /default/ontravel
[FW-usergroup-/default/ontravel] quit
[FW] user-manage user vpdnuser domain net1
[FW-localuser-vpdnuser@net1] parent-group /default/ontravel
[FW-localuser-vpdnuser@net1] password Hello123
[FW-localuser-vpdnuser@net1] quit

Configure L2TP on the FW.
1. Enable L2TP.
```
[FW] l2tp enable
```
2. Configure the virtual interface template and add it to an Untrust zone.
```
[FW] interface Virtual-Template 1
[FW-Virtual-Template1] ppp authentication-mode chap
[FW-Virtual-Template1] ip address 10.1.1.1 255.255.255.0
[FW-Virtual-Template1] remote service-scheme l2tp
[FW-Virtual-Template1] quit
```
```
[FW] firewall zone untrust 
[FW-zone-untrust] add interface Virtual-Template 1
[FW-zone-untrust] quit
```
  The IP address of the VT interface can be any address except the addresses in the address pool or of other interfaces.
  
  The service scheme for allocating the peer IP address must be consistent with that configured in the AAA domain. Otherwise, the LNS cannot allocate any address to the client.
3. Create an L2TP group, bind the virtual interface template, and configure tunnel verification.
```
[FW] l2tp-group 1
[FW-l2tp-1] allow l2tp virtual-template 1
[FW-l2tp-1] undo tunnel authentication
[FW-l2tp-1] quit
```
  The LAC client uses the built-in L2TP client to dial up. Tunnel verification is not supported. Therefore, disable tunnel verification on the FW.
  
  The peer tunnel name is not configurable. Therefore, you can select only the default L2TP group, l2tp1, which allows the peer name being unspecified.

Configure the IPSec policy on the FW and apply the policy to the corresponding interface.

Create advanced ACL 3000.
```
[FW] acl 3000 
[FW_acl-adv-3000] rule 5 permit udp source-port eq 1701
[FW_acl-adv-3000] quit
```
During L2TP over IPSec encapsulation, L2TP encapsulation occurs before IPSec encapsulation. Therefore, the matching condition is L2TP source port (port 1701). All L2TP packets are transmitted through the IPSec tunnel.

Configure an IPSec proposal named tran1.

[FW] ipsec proposal tran1
[FW_ipsec-proposal-tran1] encapsulation-mode transport 
[FW_ipsec-proposal-tran1] esp authentication-algorithm sha1
[FW_ipsec-proposal-tran1] esp encryption-algorithm aes-128 
[FW_ipsec-proposal-tran1] quit

Configure an IKE proposal.

[FW] ike proposal 10 
[FW_ike-proposal-10] authentication-method pre-share 
[FW_ike-proposal-10] authentication-algorithm sha1 
[FW_ike-proposal-10] encryption-algorithm 3des
[FW_ike-proposal-10] dh group2
[FW_ike-proposal-10] quit

Configure an IKE peer.

[FW] ike peer a
[FW_ike-peer-a] ike-proposal 10
[FW_ike-peer-a] pre-shared-key Admin@123 
[FW_ike-peer-a] quit

Configure a template IPSec policy.

[FW] ipsec policy-template policy_temp 1 
[FW_ipsec-policy-templet-policy_temp-1] security acl 3000 
[FW_ipsec-policy-templet-policy_temp-1] proposal tran1 
[FW_ipsec-policy-templet-policy_temp-1] ike-peer a 
[FW_ipsec-policy-templet-policy_temp-1] quit
[FW] ipsec policy policy 10 isakmp template policy_temp

Apply the IPSec policy to interface GigabitEthernet 1/0/1.

[FW] interface GigabitEthernet 1/0/1 
[FW_GigabitEthernet1/0/1] ipsec policy policy
[FW_GigabitEthernet1/0/1] quit

Configure a route on the device at the headquarters.
To communicate with mobile employees, the device at the headquarters must have a route to the L2TP address pool, with the next hop pointing to the LAN interface address of the FW.
Configure the mobile employee's PC.
1. Change the values of the following registires:
  1. Choose Start > Run, enter regedit.exe, and click OK to access the registry editor.
  2. Choose My Computer > HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > PolicyAgent in the navigation tree and choose Edit > Add > DWORD Value from the menu.
  3. Enter AssumeUDPEncapsulationContextOnSendRule, press Enter, and modify the file name.
  4. Right-click AssumeUDPEncapsulationContextOnSendRule and choose Edit.
  5. Enter 2 in Value data, indicating that security association can be established with the server behind the NAT device. After the modification is complete, click OK.
  6. Choose My Computer > HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > RasMan > Parameters in the navigation tree and choose Edit > Add > DWORD Value from the menu.
  7. Enter ProhibitIpSec, press Enter, and modify the file name.
  8. Right-click ProhibitIpSec and choose Modify.
  9. Enter 0 in Value data. After the modification is complete, click OK and exit the registry editor.
  10. Restart the PC to apply the configuration changes.
2. Establish an L2TP over IPSec connection.
  Right-click the network icon on the task bar and choose Open Network and Sharing Center.
  
  L2TP over IPSec dialup succeeds, and the system displays that the status is connected.

Verification

The LAC Client succeeds in dialing up using the built-in software.
On the LAC, you can see that addresses on the network segment from 10.1.1.2/24 to 10.1.1.100/24 are allocated, and mobile employees can properly access server resources at the headquarters.

When a VPN user is connected, run the display l2tp tunnel command on the LNS. The output indicates that the tunnel is established successfully.

<FW> display l2tp tunnel
 Total tunnel = 1                                                               
 LocalTID RemoteTID RemoteAddress    Port   Sessions RemoteName                 
 1        1         3.3.3.3          5524   1        -

Run the display l2tp session command on the LNS. The session is successfully established.

<FW_A> display l2tp session
L2TP::Total Session: 1

  LocalSID  RemoteSID  LocalTID   RemoteTID  UserID  UserName    VpnInstance
 ------------------------------------------------------------------------------
  1         2688       1          11800      30629   vpdnuser                  
 ------------------------------------------------------------------------------
  Total 1, 1 printed

Run display ike sa and display ipsec sa brief commands on the LNS. The IKE and IPSec SAs are successfully established.

<FW> display ike sa

Ike sa number: 2                                                        
-----------------------------------------------------------------------------   
Conn-ID    Peer              VPN                   Flag(s)       Phase      
-----------------------------------------------------------------------------   
400236    3.3.3.3:5524                             RD|A          v1:2    
400235    3.3.3.3:5524                             RD|A          v1:1    
                                                                                
  Number of SA entries  : 2                                                     
                                                                                
  Number of SA entries of all cpu : 2                                           
                                                                                
  Flag Description:                                                             
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT           
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP                
  M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING
<FW> display ipsec sa brief
Current ipsec sa num:2

Spu board slot 1, cpu 0 ipsec sa information:                                   
Number of SAs:2                                                   
Src Address     Dst Address     SPI         VPN   Protocol  Algorithm                  
------------------------------------------------------------------------------  
3.3.3.3         1.1.1.2         1826317110        ESP       E:AES-128 A:SHA1-96       
1.1.1.2         3.3.3.3         209587142         ESP       E:AES-128 A:SHA1-96

Configuration Scripts

#
 sysname FW
#
 l2tp enable
#
acl number 3000
 rule 5 permit udp source-port eq 1701 
#
ipsec proposal tran1
 encapsulation-mode transport
 esp encryption-algorithm aes-128
 esp authentication-algorithm sha1
#
ike proposal 10
 encryption-algorithm 3des                                                   
 dh group2                                                                      
 authentication-algorithm sha1
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer a
 pre-shared-key lr~i0!Yi+.N;s+D~|gfN,dTG
 ike-proposal 10
#
ipsec policy-template policy_temp 1
 security acl 3000
 ike-peer a
 proposal tran1
#
ipsec policy policy 10 isakmp template policy_temp
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 1.1.1.2 255.255.255.0
 ipsec policy policy
#
interface GigabitEthernet1/0/3
 undo shutdown
 ip address 192.168.1.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1
 add interface Virtual-Template1
#
interface Virtual-Template1 
 ppp authentication-mode chap
 ip address 10.1.1.1 255.255.255.0 
 remote service-scheme l2tp
#
l2tp-group 1
 allow l2tp virtual-template 1
 undo tunnel authentication
 #
ip pool pool1
 section 1 10.1.1.2 10.1.1.100
#
aaa
 authorization-scheme default
  authentication-mode local
 service-scheme l2tp 
  ip-pool pool1
 domain net1
  service-type l2tp
  authentication-schem default
  service-scheme l2tp
#
security-policy
 rule name policy1
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 255.255.255.0
  destination-address range 10.1.1.2 10.1.1.100
  action permit
 rule name policy2
  source-zone untrust
  destination-zone trust
  source-address range 10.1.1.2 10.1.1.100
  destination-address 192.168.1.0 255.255.255.0
  action permit
 rule name policy3
  source-zone local
  destination-zone untrust
  source-address 1.1.1.2 255.255.255.255
  action permit
 rule name policy4
  source-zone untrust
  destination-zone local
  destination-address 1.1.1.2 255.255.255.255
  action permit
# 
return
The following configurations for creating users/groups are stored in the database, not described in the configuration file.
user-manage group /default/ontravel
user-manage user vpdnuser domain net1
 parent-group /default/ontravel
 password *********

Networking Requirements
Data Planning
Configuration Roadmap
Configuration Scripts

Translation

简体中文

Download

Updated: 2020-04-01

Document ID: EDOC1000154805

Downloads: 3689

Average rating:

This Document Applies to these Products