Web: Example for Accessing the Virtual System Network Using a Windows 7 PC Through an L2TP over IPSec Tunnel
This example describes how to access the virtual system network using a Windows 7 PC through an L2TP over IPSec tunnel.
Networking Requirements
As shown in Figure 3-10, FW_A has only one public IP address. Each virtual system acts as an LNS and establishes an L2TP over IPSec tunnel through that shared public IP address with the peer PC (the LAC client), which runs Windows 7. The LAC client and the LNS communicate through the tunnel: data is first encapsulated in L2TP and then encrypted by IPSec. The IPSec policies are configured in the root system and applied to the root system's WAN interface, so they protect the traffic of the virtual systems and provide secure access between each virtual system's network and the peer PC.
Data Planning
Item | Sub-item | Data
---|---|---
FW_A | public (LNS) | WAN interface: GE1/0/1; IP address of the WAN interface: 1.1.1.1/24; security zone of the WAN interface: Untrust. Private interface: public virtual interface Virtual-if0; security zone of the LAN interface: Trust
FW_A | Address pool | Address pool name: pool1; range of addresses in the address pool: 100.1.1.2-100.1.1.100
FW_A | User configuration | vsysa user: ; vsysb user:
FW_A | IPSec configuration | Security protocol: ESP; IKE verification algorithm: SHA1; IKE encryption algorithm: 3DES; ESP verification algorithm: SHA1; ESP encryption algorithm: 3DES; local ID type: IP address; local ID: 1.1.1.1; peer ID type: any; authentication mode: pre-shared key; key type: multiple keys; pre-shared keys:
vsysa | WAN interface | Virtual interface Virtual-if1 of vsysa; security zone of the WAN interface: Untrust
vsysa | LAN interface | GE1/0/2; IP address of the LAN interface: 10.1.0.1/24; private address range: 10.1.0.0/24; security zone of the LAN interface: Trust
vsysb | WAN interface | Virtual interface Virtual-if2 of vsysb; security zone of the WAN interface: Untrust
vsysb | LAN interface | GE1/0/4; IP address of the LAN interface: 10.2.0.1/24; private address range: 10.2.0.0/24; security zone of the LAN interface: Trust
LAC Client 1 | | Internet IP address: 1.1.1.1; user name: user0001@network_vsysa; password: Hello@123; pre-shared key: Admin@123
LAC Client 2 | | Internet IP address: 1.1.1.1; user name: user0002@network_vsysb; password: Hello@123; pre-shared key: Admin@456
Configuration Roadmap
The configuration of vsysb and LAC Client 2 follows the same principles as that of vsysa and LAC Client 1. This section uses vsysa and LAC Client 1 as the example to show how multiple virtual systems share one public IP address to establish IPSec VPN tunnels with the peer. For the configuration of vsysb and LAC Client 2, refer to the configuration of vsysa and LAC Client 1.
- In the root system, create virtual system vsysa and allocate resources to the virtual system.
- In the root system, configure the interface, route, and security policy.
- In vsysa, configure the interface, route, and security policy.
- In the root system, configure the address pool, authentication domain, and user.
- In the root system, configure an L2TP over IPSec tunnel and bind the IPSec policies with vsysa.
- On LAC Client 1, configure VPN connection parameters. Ensure that the parameters match those configured for FW_A.
Procedure
- Configure FW_A.
- Configure routes for an internal server of network A.
The internal server of network A can communicate with LAC Client 1 only if it has a route to the user address pool. The next hop of that route must be the intranet (LAN-side) interface address of vsysa.
- Configure VPN connection parameters for LAC Client 1.
Verification
- LAC Client 1 is assigned an address from the range 100.1.1.2-100.1.1.100, is connected to the intranet of vsysa (network A), and can access server resources on network A.
In the root system of FW_A, choose , and view the IPSec tunnel monitoring information.
In the root system of FW_A, choose , and view the L2TP tunnel monitoring information.
Configuration Scripts
The configuration script of the FW_A root system is as follows:
```
#
 sysname FW_A
#
 l2tp enable
 l2tp domain suffix-separator @
#
 vsys enable
#
resource-class r1
 resource-item-limit ipsec-tunnel reserved-number 10 maximum 500
#
vsys name vsysa 1
 assign interface GigabitEthernet1/0/2
 assign resource-class r1
#
vsys name vsysb 2
 assign interface GigabitEthernet1/0/3
 assign resource-class r1
#
ipsec proposal prop4115571757
 encapsulation-mode auto
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ike proposal 1
 encryption-algorithm 3des
 dh group2
 authentication-algorithm sha1
 authentication-method pre-share
 integrity-algorithm hmac-sha1-96
 prf hmac-sha1
#
ike user-table 1
 user l2tp_over_ipsec_vsysa
  pre-shared-key %^%#zWlRJ$]-I3o7!2+0]uA:C<%<2e3L:$V|\tS(.+9)%^%#
  vpn-instance-traffic name vsysa
 user l2tp_over_ipsec_vsysb
  pre-shared-key %^%#zWlRJ$]-I3o7!2+0]uA:C<%<2e3L:$V|\tS(.+9)%^%#
  vpn-instance-traffic name vsysb
#
ike peer ike4115571757
 ike-proposal 1
 local-id 1.1.1.1
 user-table 1
#
ipsec policy-template tpl4115571757 1
 ike-peer ike4115571757
 proposal prop4115571757
 scenario point-to-multi-point l2tp-user-access
#
ipsec policy ipsec4115571728 10000 isakmp template tpl4115571757
#
ip pool pool1
 section 0 100.1.1.2 100.1.1.100
 excluded-ip-address 100.1.1.2
#
aaa
 service-scheme webServerScheme1483516521019
 service-scheme l2tpSScheme_1483516640858
  ip-pool pool1
 domain network_vsysa
  service-scheme webServerScheme1483516521019
  service-type l2tp
  internet-access mode password
  reference user current-domain
 domain network_vsysb
  service-scheme webServerScheme1483516521019
  service-type l2tp
  internet-access mode password
  reference user current-domain
#
interface Virtual-Template0
 ppp authentication-mode chap pap
 remote service-scheme l2tpSScheme_1483516640858
 ip address 100.1.1.1 255.255.255.255
#
interface GigabitEthernet1/0/1
 ip address 1.1.1.1 255.255.255.0
 service-manage ping permit
 ipsec policy ipsec4115571728
#
interface GigabitEthernet1/0/2
 ip binding vpn-instance vsysa
 ip address 10.1.0.1 255.255.255.0
#
interface GigabitEthernet1/0/3
 ip binding vpn-instance vsysb
 ip address 10.2.0.1 255.255.255.0
#
interface Virtual-if0
 ip address 172.16.0.1 255.255.255.0
#
interface Virtual-if1
 ip address 172.16.1.1 255.255.255.0
#
interface Virtual-if2
 ip address 172.16.2.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface Virtual-if0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1
 add interface Virtual-Template0
#
l2tp-group default-lns
 undo tunnel authentication
 allow l2tp virtual-template 0 domain network_vsysa
 allow l2tp virtual-template 0 domain network_vsysb
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
#
security-policy
 rule name to_internet
  source-zone trust
  destination-zone untrust
  action permit
 rule name sec_policy_1
  source-zone local
  destination-zone untrust
  source-address 1.1.1.1 mask 255.255.255.255
  action permit
 rule name sec_policy_2
  source-zone untrust
  destination-zone local
  destination-address 1.1.1.1 mask 255.255.255.255
  action permit
#
return
```

The following user/group configuration is saved in the database and is not shown in the profile:

```
user-manage user user0001
 domain network_vsysa
 password *********
user-manage user user0002
 domain network_vsysb
 password *********
```
The configuration script of vsysa on FW_A is as follows:
```
#
 switch vsys vsysa
#
interface GigabitEthernet1/0/2
 ip binding vpn-instance vsysa
 ip address 10.1.0.1 255.255.255.0
#
interface Virtual-if1
 ip address 172.16.1.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/2
#
firewall zone untrust
 set priority 5
 add interface Virtual-if1
#
security-policy
 rule name sec_policy_1
  source-zone trust
  destination-zone untrust
  source-address 10.1.0.0 mask 255.255.255.0
  destination-address range 100.1.1.2 100.1.1.100
  action permit
 rule name sec_policy_2
  source-zone untrust
  destination-zone trust
  source-address range 100.1.1.2 100.1.1.100
  destination-address 10.1.0.0 mask 255.255.255.0
  action permit
#
ip route-static 0.0.0.0 0.0.0.0 public
#
return
```
The configuration script of vsysb on FW_A is as follows:
```
#
 switch vsys vsysb
#
interface GigabitEthernet1/0/3
 ip binding vpn-instance vsysb
 ip address 10.2.0.1 255.255.255.0
#
interface Virtual-if2
 ip address 172.16.2.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3
#
firewall zone untrust
 set priority 5
 add interface Virtual-if2
#
security-policy
 rule name sec_policy_1
  source-zone trust
  destination-zone untrust
  source-address 10.2.0.0 mask 255.255.255.0
  destination-address range 100.1.1.2 100.1.1.100
  action permit
 rule name sec_policy_2
  source-zone untrust
  destination-zone trust
  source-address range 100.1.1.2 100.1.1.100
  destination-address 10.2.0.0 mask 255.255.255.0
  action permit
#
ip route-static 0.0.0.0 0.0.0.0 public
#
return
```