Web: Example for Configuring Mobile Users to Use the SecoClient to Access Both an Enterprise Network and the Internet Based on the Tunnel Splitting Technology
The tunnel splitting technology is enabled on the gateway deployed at the enterprise headquarters. Mobile users use the SecoClient to access the enterprise network through the L2TP over IPSec VPN tunnel with encrypted traffic and access the Internet with unencrypted traffic.
Context
When tunnels are not split, all traffic from mobile users enters the enterprise headquarters gateway through the L2TP over IPSec VPN tunnel, and the users cannot access the LAN or Internet.
To allow mobile users to access the enterprise network through a VPN tunnel and directly access the LAN or Internet, adopt either of the following methods:
1. Use the SecoClient.
Each mobile user configures a route on the SecoClient by specifying the destination IP address of the VPN connection. After the connection is established, traffic destined for other IP addresses can directly access the LAN or Internet.
2. Configure the enterprise headquarters gateway.
The enterprise network administrator enables the tunnel splitting function on the gateway, configures the ACL for the VPN connection on the gateway, and sends the ACL information to the SecoClient. If the route configuration mode of the SecoClient is Mode Config, the SecoClient can receive the ACL information from the gateway. Then, the SecoClient sends encrypted traffic through the VPN tunnel to the enterprise network and sends unencrypted traffic to the LAN or Internet.
The comparison of the two methods is as follows:
- Method 1 is complicated for mobile users. It is difficult for the users to update the IP address list in a timely manner, and the IP address must be re-configured if a device is replaced.
- Method 2 is easy and maintenance-free for mobile users. The ACL information is configured and maintained on the enterprise headquarters gateway.
This example uses method 2 to describe the tunnel splitting configuration.
Networking Requirements
As shown in Figure 3-2, a mobile user uses the tunnel splitting technology to access both an enterprise network and the Internet.
- Encrypted traffic accesses the enterprise network through the L2TP over IPSec VPN tunnel.
- Unencrypted traffic directly accesses the Internet.
Data Planning
Item |
Data |
|---|---|
Interface |
Interface: GigabitEthernet 1/0/1 IP address: 1.1.1.1/24 Security zone: Untrust |
Interface: GigabitEthernet 1/0/2 IP address: 10.1.1.1/24 Security zone: Trust |
|
L2TP configuration |
User name: user0001 Password: Password@123 Address pool: 172.16.1.1-172.16.1.100 Tunnel authentication password: Hello@123 NOTE:
If the intranet server IP address and IP addresses in the address pool are on different subnets, configure a route to the address pool on the intranet server. |
IPSec configuration |
IPSec policy type: template policy Pre-shared key: Admin@123 Local ID: IP address Peer ID: any peer ID Tunnel splitting: Enable Accessible network: 10.1.2.0/24 Security protocol: ESP IKE authentication algorithm: SHA2-256 IKE encryption algorithm: AES-256 ESP authentication algorithm: SHA2-256 ESP encryption algorithm: AES-256 NOTE:
Only IKEv1 supports the tunnel splitting function. |
Mobile user (SecoClient) |
User name: user0001 Password: Password@123 Route settings: Mode Config NOTE:
The L2TP/IPSec connection parameter settings on the SecoClient must be consistent with those on the FW. Otherwise, the connection cannot be established. |
Configuration Roadmap
- Complete the basic configurations of the FW, including the configurations of interfaces and security policies.
- Configure L2TP over IPSec on the FW.
- Configure the SecoClient on the PC of the mobile user.
Procedure
- Choose to configure the interface.
- Choose to configure a security policy.
- Choose to configure a route to the Internet.
In this example, the next-hop IP address of the route from the FW to the Internet is 1.1.1.2.
- Choose to create a user.
- Set Scenario to L2TP/L2TP over IPSec and User Location to Local.
- In User Management List, click Add to create a user.
In this example, set the login name to user0001 and password to Password@123.
- Set Scenario to L2TP/L2TP over IPSec and User Location to Local.
- Choose to configure L2TP over IPSec VPN.
- In IPSec Policy List, click Add.
- Set Scenario to Site-to-multisite and Peer Type to L2TP over IPSec client.
- In Basic Configuration, set the following parameter values. In this example, set the pre-shared key to Admin@123. To allow multiple gateways or devices to access to the headquarters, no detailed peer information is specified.
- Set Dial—up User Configuration as follows:
Choose Add IP pool from the IP Address Pool drop-down list.
Set the address pool name to pool and address range to 172.16.1.1-172.16.1.100.
- Click OK.
Enable Split Tunnel and add the enterprise network segment that can be accessed through the VPN tunnel in Accessible Network.
- In Data Flow to Be Encrypted, click Add and set the following parameters to configure a data flow rule.
- Configure the security proposal.
- In IPSec Policy List, click Add.
- Choose to create an L2TP group.
- In Configure L2TP, enable L2TP and click Apply.
- In L2TP Group List, click Add and set the following parameters to create an L2TP group.
In this example, the tunnel authentication password Hello@123.
- In Configure L2TP, enable L2TP and click Apply.
- Set connection parameters for the SecoClient on the PC of a mobile user.
- Open the SecoClient and choose New Connection from the Connect drop-down list.
- In the New Connection window, select L2TP/IPSec from the navigation tree and set L2TP connection parameters.
In this example, tunnel authentication is enabled, and the authentication password is Hello@123.
- Select Enable IPSec Protocol and Pre-shared Key, enter the pre-shared key Admin@123 in the Authenticator text box, and set IPSec connection parameters.
The values of L2TP/IPSec connection parameters must be consistent with those on the gateway. Otherwise, the connection fails.
- Set Router to Mode Config.
The SecoClient can obtain ACL information from the gateway only when the route obtaining mode is Mode Config.
- Open the SecoClient and choose New Connection from the Connect drop-down list.
Verification
From the Connect drop-down list, choose the created L2TP over IPSec connection and click Connect.
Enter the user name and password on the login page. In this example, the user name is user0001, and the password is Password@123.
Click Login to initiate a connection.
After the VPN connection succeeds, the prompt message negotiation is successed pops up at the lower right corner.
Log in to the FW, choose , and view the monitoring list. You can see that user0001 has been logged in.
Choose to view IPSec tunnel establishment.
If the following information is displayed, the IPSec tunnel is established.
- Now, the mobile user can access the enterprise network like users on the network, and the Internet.
Configuration Scripts
# sysname FW # l2tp enable undo l2tp sendaccm enable l2tp domain suffix-separator @ # acl number 3000 rule 5 permit udp source-port eq 1701 acl number 3001 rule 5 permit ip source 10.1.2.0 0.0.0.255 # ipsec proposal prop27102026382 encapsulation-mode auto esp authentication-algorithm sha2-256 esp encryption-algorithm aes-256 # ike proposal 1 encryption-algorithm aes-256 dh group2 authentication-algorithm sha2-256 authentication-method pre-share integrity-algorithm hmac-sha2-256 prf hmac-sha2-256 # ike peer ike271020263829 undo version 2 exchange-mode auto pre-shared-key %^%#~UO9$_>X"W8JlC9H$Ym1/ejt,faz,#9Vr:T"G2N*%^%# ike-proposal 1 resource acl 3001 # ipsec policy-template tpl271020263829 1 security acl 3000 ike-peer ike271020263829 proposal prop27102026382 alias ipsec sa duration traffic-based 5242880 sa duration time-based 3600 scenario point-to-multi-point l2tp-user-access # ipsec policy ipsec2710202638 10000 isakmp template tpl271020263829 # ip pool pool section 0 172.16.1.1 172.16.1.100 excluded-ip-address 172.16.1.1 # aaa authentication-scheme default service-scheme l2tpSScheme_1477571202254 ip-pool pool domain default service-type l2tp internet-access mode password reference user current-domain # l2tp-group tunnel_split allow l2tp virtual-template 0 remote ipsec_tunnel_split tunnel password cipher %$%$xRSr~'N6SIvdF--BEn3CM{&0%$%$ # interface Virtual-Template0 ppp authentication-mode chap pap remote service-scheme l2tpSScheme_1477571202254 ip address 172.16.1.1 255.255.255.255 alias L2TP_LNS_0 undo service-manage enable # interface GigabitEthernet 1/0/1 undo shutdown ip address 1.1.1.1 255.255.255.0 ipsec policy ipsec2710202638 # interface GigabitEthernet 1/0/2 undo shutdown ip address 10.1.1.1 255.255.255.0 # firewall zone local set priority 100 # firewall zone trust set priority 85 add interface GigabitEthernet 1/0/2 # firewall zone untrust set priority 5 add interface GigabitEthernet 1/0/1 # ip route-static 0.0.0.0 0.0.0.0 1.1.1.2 # security-policy rule name l2tpipsec_ul source-zone untrust destination-zone local destination-address 1.1.1.1 mask 255.255.255.255 action permit rule name l2tpipsec_ut source-zone untrust destination-zone trust source-address range 172.16.1.1 172.16.1.100 destination-address 10.1.2.0 mask 255.255.255.0 action permit rule name l2tpipsec_tu source-zone trust destination-zone untrust source-address 10.1.2.0 mask 255.255.255.0 destination-address range 172.16.1.1 172.16.1.100 action permit # The following user/group creation configuration is stored in the database, but not in the configuration profile. user-manage group /default user-manage user user0001 parent-group /default password *********
