Web: Example for Configuring L2TP over IPSec to Allow Users to Access the Headquarters Using Windows 7 Terminals
L2TP over IPSec VPN allows mobile employees to dial up to the headquarters (HQ) server using the Windows L2TP client.
Networking Requirements
The LAC client directly initiates a connection request to the LNS. The LAC client and LNS negotiate an IPSec tunnel, and perform L2TP negotiation to authenticate the user's identity and establish an L2TP over IPSec tunnel. The data between the LAC client and the LNS is transmitted through the tunnel. Layer-2 data is encapsulated using L2TP and then the data is encrypted using IPSec.
Data Planning
Item |
Data |
|---|---|
LNS |
Interface: GigabitEthernet 1/0/1 IP address: 1.1.1.2/24 |
Interface: GigabitEthernet 1/0/3 IP address: 192.168.1.1/24 |
|
IP address and user for L2TP IP pool 1 Address pool: 10.1.1.2-10.1.1.100 User name: vpdnuser User authentication password: Hello123 |
|
IPSec configuration Security protocol: ESP IKE authentication algorithm: sha1 IKE encryption algorithm: 3des ESP authentication algorithm: sha1 ESP encryption algorithm: AES128 Pre-Shared Key: Admin@123 Local ID: IP Address Peer ID: Any Type IKE version: IKEv1 |
|
LAC |
Internet address: 1.1.1.2 User name: vpdnuser Password: Hello123 Pre-Shared Key: Admin@123 |
Configuration Roadmap
- Complete basic configurations, including the configurations of interfaces, security policies, and routes.
- Complete the L2TP over IPSec configuration on FW.
- On mobile employee's PC, complete the configurations. The parameters on the PC must match those on the FW.
Procedure
- Configure the LNS.
- Set an IP address for each interface and assign the interfaces to security zones.
- Choose .
Click
of GE1/0/1 and set the following parameters:
Zone
untrust
IPv4
IP Address
1.1.1.2/24
- Click OK.
Repeat the preceding steps to set the parameters of the GE1/0/3 interface.
Zone
trust
IPv4
IP Address
192.168.1.1/24
- Configure an L2TP user.
Choose .
- Select the default authentication domain.
- Select the L2TP/L2TP over IPSec Scenario.
Under User/User Group/Security Group Management List, Click Add, select Add User, and set the following parameters.
User Name
vpdnuser
Password
Hello123
Confirm Password
Hello123
- Click OK.
- Configure the L2TP over IPSec tunnel.
Choose , and click Add under IPSec Policy List.
Select Site-to-multisite as Scenario as L2TP over IPSec client.
Configure Basic Configuration as follows. The headquarters needs to be accessed by multiple branches. Therefore, do not specify the remote gateway address. The pre-shared key is Admin@123.
Configure Dial-up User Configuration as follows.
- Choose Add IP pool in the User address pool drop-down list.
Set an IP pool.
- Click OK.
- Under Data Flow to Be Encrypted, click Add to add a data flow as follows.
Configure IKE and IPSec protocol.
Click Apply to complete the configurations.
- Set an IP address for each interface and assign the interfaces to security zones.
- Configure a route on the HQ server.
To communicate with mobile employees, the HQ server must have a route to the user address pool, with the next hop pointing to the LAN interface address of the FW.
- Set dial-in parameters on the LAC client.
- Create an L2TP over IPSec connection.
- Create an L2TP over IPSec connection.
of 
Configuration Verification
The LAC Client succeeds in dialing up using the built-in software.
On the LAC, you can view that the 10.1.1.2/24-10.1.1.100/24 address range is assigned to the LAC, and mobile employees can access the HQ server.
After the LAC dials up, check whether the L2TP tunnel is established on the LNS.
Check the IPSec tunnel establishment on the LNS. If the following information is displayed, the IPSec tunnel is established.
Configuration Scripts
Configuration script on the LNS:
# l2tp enable l2tp domain suffix-separator @ # acl number 3001 rule 5 permit udp source-port eq 1701 # ike proposal pro91165721597 encryption-algorithm 3des authentication-algorithm sha1 dh group14 # ike peer ike91165721597 pre-shared-key %$%$Z1}*8w'rH;MD;%$%$ ike-proposal pro91165721597 # ipsec proposal prop91165721597 encapsulation-mode transport esp authentication-algorithm sha1 esp encryption-algorithm aes-128 # ipsec policy-template tpl91165721597 1 security acl 3001 ike-peer ike91165721597 alias policy_ipsec scenario point-to-multipoint l2tp-user-access proposal prop91165721597 # ipsec policy ipsec9116572166 10000 isakmp template tpl91165721597 # interface GigabitEthernet1/0/1 ip address 1.1.1.2 255.255.255.0 ipsec policy ipsec9116572166 # interface GigabitEthernet1/0/3 ip address 192.168.1.1 255.255.255.0 # interface Virtual-Template1 ppp authentication-mode chap pap remote service-scheme l2tpSScheme_1445251722019 ip address 10.1.1.2 255.255.255.0 alias L2TP_LNS_0 # firewall zone trust set priority 85 add interface GigabitEthernet1/0/3 add interface Virtual-Template1 # firewall zone untrust set priority 5 add interface GigabitEthernet1/0/1 # l2tp-group 1 allow l2tp virtual-template 1 undo tunnel authentication # ip pool pool1 section 1 10.1.1.2 10.1.1.100 # aaa authentication-scheme default authentication-mode local # domain default authentication-schem default service-scheme l2tp # security-policy rule name policy_ipsec_1 source-zone trust destination-zone untrust source-address 192.168.1.0 24 destination-address range 10.1.1.2 10.1.1.100 action permit rule name policy_ipsec_2 source-zone untrust destination-zone trust source-address range 10.1.1.2 10.1.1.100 destination-address 192.168.1.0 24 action permit rule name policy_ipsec_3 source-zone untrust destination-zone local destination-address 1.1.1.2 32 action permit rule name policy_ipsec_4 source-zone local destination-zone untrust source-address 1.1.1.2 32 action permit # The following user/group creation configuration is stored in the database, but not in the configuration profile. user-manage user vpdnuser domain default password *********