No relevant resource is found in the selected language.
Enterprise
Worldwide
Huawei Global - English
Support Documentation
HUAWEI USG Series Firewalls Interoperability Configuration Guide for VPN

This document provides the guide for configuring a Huawei firewall to use VPN to communicate with a non-Huawei device.

Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Web: Example for Accessing the Virtual System Network Using a Windows 7 PC Through an L2TP over IPSec Tunnel

Web: Example for Accessing the Virtual System Network Using a Windows 7 PC Through an L2TP over IPSec Tunnel

This example describes how to access the virtual system network using a Windows 7 PC through an L2TP over IPSec tunnel.

Networking Requirements

As shown in Figure 3-10, only one public IP address is configured for FW_A. Different virtual systems (LNSs) establish L2TP over IPSec tunnels with the peer PC (LAC Client), equipped with the Windows 7 system, using the public IP address. The LAC Client and the LNS communicate with each other through a tunnel. Data is encapsulated using L2TP and then encrypted using IPSec. When IPSec policies are configured for the root system, they are applied to WAN interfaces of the root system to protect traffic of the virtual system and achieve secure access between the virtual system network and the peer PC.

Figure 3-10 Accessing the virtual system network using a Windows 7 PC through an L2TP over IPSec tunnel

Data Planning

Item

Data

FW_A

public (LNS)

WAN interface: GE1/0/1

IP address of the WAN interface: 1.1.1.1/24

Security zone of the WAN interface: Untrust

Private interface: public virtual interface Virtual-if0

Security zone of the LAN interface: Trust

Address pool

Address pool name: pool1

Range of addresses in the address pool: 100.1.1.2-100.1.1.100

User configuration

vsysa user:
  • User name: user0001@network_vsysa
  • Password: Hello@123
vsysb user:
  • User name: user0002@network_vsysb
  • Password: Hello@123

IPSec configuration

Security protocol: ESP

IKE verification algorithm: SHA1

IKE encryption algorithm: 3DES

ESP verification algorithm: SHA1

ESP encryption algorithm: 3DES

Local ID type: IP address

Local ID: 1.1.1.1

Peer ID type: any

Authentication mode: pre-shared key

Key type: multiple keys

Pre-shared keys:
  • vsysa: Admin@123
  • vsysb: Admin@456

vsysa

WAN interface: virtual interface Virtual-if1 of vsysa

Security zone of the WAN interface: Untrust

LAN interface: GE1/0/2

IP address of the LAN interface: 10.1.0.1/24

Private address range: 10.1.0.0/24

Security zone of the LAN interface: Trust

vsysb

WAN interface: virtual interface Virtual-if2 of vsysb

Security zone of the WAN interface: Untrust

LAN interface: GE1/0/4

IP address of the LAN interface: 10.2.0.1/24

Private address range: 10.2.0.0/24

Security zone of the LAN interface: Trust

LAC Client 1

Internet IP address: 1.1.1.1

User name: user0001@network_vsysa

Password: Hello@123

Pre-shared key: Admin@123

LAC Client 2

Internet IP address: 1.1.1.1

User name: user0002@network_vsysb

Password: Hello@123

Pre-shared key: Admin@456

Configuration Roadmap

Principles for configuring vsysb and LAC Client 2 are similar. This section describes how to configure the system to enable multiple virtual systems to establish an IPSec VPN tunnel with the peer gateway by sharing a public IP address using vsysa and LAC Client 1 as an example. For details about the configuration of vsysb and LAC Client 2, see the configuration of vsysa and LAC Client 1.

  1. In the root system, create virtual system vsysa and allocate resources to the virtual system.
  2. In the root system, configure the interface, route, and security policy.
  3. In vsysa, configure the interface, route, and security policy.
  4. In the root system, configure the address pool, authentication domain, and user.
  5. In the root system, configure an L2TP over IPSec tunnel and bind the IPSec policies with vsysa.
  6. On LAC Client 1, configure VPN connection parameters. Ensure that the parameters match those configured for FW_A.

Procedure

  • Configure FW_A.
    1. Enter Dashboard. In Device Information, click Configure following Virtual System to enable the virtual system.

    2. Configure the resource class of the virtual system.

      1. Choose System > Virtual System > Resource Class.

      2. Click Add. Set the number of assured IPSec tunnels and maximum number of IPSec tunnels of the virtual system by referring to the configuration of system resource class r1 of vsysa.

        The number of assured IPSec tunnels cannot be larger than the maximum number of IPSec tunnels.

    3. In the root system, create virtual system vsysa and allocate resources.

      1. Choose System > Virtual System > Virtual System.

      2. Click Add. Select the Basic Settings tab and configure basic parameters for the virtual system.

      3. Select the Interface Settings tab, click Add, and allocate an interface to the virtual system.

      4. Click OK.

    4. Configure the interface in the root system and add the interface to the security zone. The IP address of Virtual-if0 can be any value as long as it does not conflict with the IP address on any other interface.

      1. Choose Network > Interface.

      2. Click Edit in the line where interface GE1/0/1 is located, and configure the IP address and security zone.

      3. Click Edit in the line where interface Virtual-if0 is located, and configure the IP address and security zone.

    5. Configure the route in the root system. Assume that the next-hop IP address of FW_A is 1.1.1.2.

      1. Choose Network > Route > Static Route.

      2. Click Add. Add a default route destined for the Internet.

    6. Configure security policies in the root system.

      1. Choose Policy > Security Policy > Security Policy.

      2. Click Add, select Add Security Policy, and configure security policies.

        # Configure a security policy for the access from the Trust zone to the Untrust zone, and allow intranet users to access the Internet.

        You can configure strict security policies for IP addresses of intranet users. Therefore, when configuring security policies in the root system, you do not need to specify the address range.

        # Configure the security policy for the access from the Local zone to the Untrust zone, and allow FW_A to establish an IPSec tunnel with the peer device.

        # Configure the security policy for the access from the Untrust zone to the Local zone, and allow the peer device to establish an IPSec tunnel with FW_A.

        The Local-Untrust interzone policy controls whether IKE negotiation packets can pass through the FW. This policy can use the source and destination addresses, protocol, or port as the matching condition. In this example, the source and destination addresses are used as the matching condition. To use the protocol or port as the matching condition, you need to enable ESP, port 500 for UDP (port 4500 also in NAT traversal scenarios) and port 1701 for UDP.

    7. Configure an interface in vsysa.

      1. In the Virtual System drop-down list, select vsysa to enter vsysa.

      2. Choose Network > Interface.

      3. Click Edit in the line where interface GE1/0/2 is located, and configure the IP address and security zone.

      4. Click Edit in the line where Virtual-if1 is located and configure the IP address and security zone.

    8. Configure routes in vsysa to guide Internet access traffic from employees in vsysa to the root system.

      In this example, the network topology and routing configuration are simplified. If vsysa only needs to communicate with the Internet, set Destination Address/Mask to 0.0.0.0 0.0.0.0. That is, all packets are sent to the root system. In practice, for accurate routing information, Destination Address/Mask should be set to a specific Internet address range that the intranet users are allowed to access. Incorrect routing configurations may interrupt the communications of the private networks connected to vsysa.

      1. Choose Network > Router > Static Route.

      2. Click Add and add a static route.

    9. Configure a security policy in vsysa.

      1. Choose Policy > Security Policy > Security Policy.

      2. Click Add, select Add Security Policy, and configure security policies.

        # Configure a security policy for the access from the Trust zone to the Untrust zone, and allow users in network A to access resources of LCA Client 1.

        # Configure a security policy for the access from the Untrust zone to the Trust zone, and allow LCA Client 1 to access resources of network A.

    10. In the root system, configure the address pool, authentication domain, and object.

      1. In the Virtual System drop-down list, select public to enter the root system.

      2. Choose Object > IP Address Pool, click Add, and create user address pool pool1.

      3. Choose Object > User > Authentication Domain, click Add, and create authentication domain network_vsysa based on vsysa.

      4. Choose Object > User > network_vsysa, select L2TP/L2TP over IPSec in Scenario, click Add in User Management List, and create an intranet user of vsysa. In this example, the user name is user0001 and password is Hello@123.

      5. Click Apply.

    11. In the root system, configure an L2TP over IPSec tunnel.

      1. Choose Network > IPSec > IPSec, click Add, select Site-to-multisite in Scenario, and select L2TP over IPSec client in Peer Type.

      2. Configure basic information about the IPSec policy and set the authentication mode to Pre-Shared Key and key type to Different.

      3. In IKE User Information List, click Add. Add IKE user information, and set pre-shared key to Admin@123.

        The configuration on the local end is used as a template. IPSec tunnel protection involves traffic of multiple virtual systems. Therefore, you do not need to manually configure to-be-encrypted traffic when configuring IPSec policies in the root system, and the to-be-encrypted traffic is subject to negotiation with the peer end.

      4. Configure the user address pool, and select pool1 in the IP Address Pool drop-down list.

      5. Expand Advanced in IKE/IPSec Proposal, and configure a security proposal.

      6. Click Apply. The configuration on FW_A is complete.

  • Configure routes for an internal server of network A.

    The internal server of network A can communicate with LAC Client 1 only when a route destined to the user address pool is configured. The next-hop address of the route must destine for the intranet interface address of vsysa.

  • Configure VPN connection parameters for LAC Client 1.
    1. View the IPSec service state and ensure that the IPSec service is enabled.

      1. In Start > Run, run the services.msc command, and click OK. The Services page is displayed.
      2. In the Name column, ensure that IPsec Policy Agent is in the Started state. If IPsec Policy Agent is not in the Started state, right-click IPsec Policy Agent and select Properties. Set Startup type to Automatic and click Apply. Then, select Start in Service type.
      3. Close the Services page.

    2. Create an L2TP over IPSec connection.

    3. After configuration, use software of LAC Client 1 to dial up. The dialing is successful.

Verification

  1. On LAC Client 1, allocate an address in network segment 100.1.1.2/24-100.1.1.100/24, access LAC Client 1 to the intranet of system vsysa (network A), and enable LAC Client 1 to access server resources on network A.

  2. In the root system of FW_A, choose Network > IPSec > Monitor, and view the IPSec tunnel monitoring information.

  3. In the root system of FW_A, choose Network > L2TP > Monitor, and view the L2TP tunnel monitoring information.

Configuration Scripts

The configuration script of FW_A root system is as follows:

#
sysname FW_A
#
 l2tp enable
 l2tp domain suffix-separator @
#
vsys enable 
#
resource-class r1
 resource-item-limit ipsec-tunnel reserved-number 10 maximum 500 
#
vsys name vsysa 1
 assign interface GigabitEthernet1/0/2
 assign resource-class r1
#
vsys name vsysb 2
 assign interface GigabitEthernet1/0/3
 assign resource-class r1
#
ipsec proposal prop4115571757
 encapsulation-mode auto
 esp authentication-algorithm sha1 
 esp encryption-algorithm 3des 
#
ike proposal 1
 encryption-algorithm 3des 
 dh group2 
 authentication-algorithm sha1 
 authentication-method pre-share
 integrity-algorithm hmac-sha1-96 
 prf hmac-sha1 
#
ike user-table 1
 user l2tp_over_ipsec_vsysa
  pre-shared-key %^%#zWlRJ$]-I3o7!2+0]uA:C<%<2e3L:$V|\tS(.+9)%^%#
  vpn-instance-traffic name vsysa
 user l2tp_over_ipsec_vsysb
  pre-shared-key %^%#zWlRJ$]-I3o7!2+0]uA:C<%<2e3L:$V|\tS(.+9)%^%#
  vpn-instance-traffic name vsysb
#
ike peer ike4115571757
 ike-proposal 1
 local-id 1.1.1.1
 user-table 1
#
ipsec policy-template tpl4115571757 1
 ike-peer ike4115571757
 proposal prop4115571757
 scenario point-to-multi-point l2tp-user-access 
#
ipsec policy ipsec4115571728 10000 isakmp template tpl4115571757
#
ip pool pool1
 section 0 100.1.1.2 100.1.1.100
 excluded-ip-address 100.1.1.2 
#
aaa
 service-scheme webServerScheme1483516521019
 service-scheme l2tpSScheme_1483516640858
  ip-pool pool1
 domain network_vsysa
  service-scheme webServerScheme1483516521019
  service-type l2tp
  internet-access mode password
  reference user current-domain
 domain network_vsysb
  service-scheme webServerScheme1483516521019
  service-type l2tp
  internet-access mode password
  reference user current-domain
#
interface Virtual-Template0
 ppp authentication-mode chap pap
 remote service-scheme l2tpSScheme_1483516640858
 ip address 100.1.1.1 255.255.255.255
#
interface GigabitEthernet1/0/1
 ip address 1.1.1.1 255.255.255.0
 service-manage ping permit
 ipsec policy ipsec4115571728
#
interface GigabitEthernet1/0/2
 ip binding vpn-instance vsysa
 ip address 10.1.0.1 255.255.255.0
#
interface GigabitEthernet1/0/3
 ip binding vpn-instance vsysb
 ip address 10.2.0.1 255.255.255.0
#
interface Virtual-if0
 ip address 172.16.0.1 255.255.255.0
#
interface Virtual-if1
 ip address 172.16.1.1 255.255.255.0
#
interface Virtual-if2
 ip address 172.16.2.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface Virtual-if0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1
 add interface Virtual-Template0
#
l2tp-group default-lns
 undo tunnel authentication
 allow l2tp virtual-template 0 domain network_vsysa
 allow l2tp virtual-template 0 domain network_vsysb
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
#
security-policy
 rule name to_intenret
  source-zone trust
  destination-zone untrust
  action permit
 rule name sec_policy_1
  source-zone local
  destination-zone untrust
  source-address 1.1.1.1 mask 255.255.255.255
  action permit
 rule name sec_policy_2
  source-zone untrust
  destination-zone local
  destination-address 1.1.1.1 mask 255.255.255.255
  action permit
#
return

The following user/group configuration is saved in the database and is not shown in the profile.
user-manage user user0001 domain network_vsysa
 password *********
user-manage user user0002 domain network_vsysb
 password *********

The configuration script of vsysa of the FW_A is as follows:

#
switch vsys vsysa
#
interface GigabitEthernet1/0/2
 ip binding vpn-instance vsysa
 ip address 10.1.0.1 255.255.255.0
#
interface Virtual-if1
 ip address 172.16.1.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/2
#
firewall zone untrust
 set priority 5
 add interface Virtual-if1
#
security-policy
 rule name sec_policy_1
  source-zone trust
  destination-zone untrust
  source-address 10.1.0.0 mask 255.255.255.0
  destination-address range 100.1.1.2 100.1.1.100
  action permit
 rule name sec_policy_2
  source-zone untrust
  destination-zone trust
  source-address range 100.1.1.2 100.1.1.100
  destination-address 10.1.0.0 mask 255.255.255.0
  action permit
#
ip route-static 0.0.0.0 0.0.0.0 public
#
return

The configuration script of vsysb of the FW_A is as follows:

#
switch vsys vsysb
#
interface GigabitEthernet1/0/3
 ip binding vpn-instance vsysb
 ip address 10.2.0.1 255.255.255.0
#
interface Virtual-if2
 ip address 172.16.2.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3
#
firewall zone untrust
 set priority 5
 add interface Virtual-if2
#
security-policy
 rule name sec_policy_1
  source-zone trust
  destination-zone untrust
  source-address 10.2.0.0 mask 255.255.255.0
  destination-address range 100.1.1.2 100.1.1.100
  action permit
 rule name sec_policy_2
  source-zone untrust
  destination-zone trust
  source-address range 100.2.1.2 100.1.1.100
  destination-address 10.1.0.0 mask 255.255.255.0
  action permit
#
ip route-static 0.0.0.0 0.0.0.0 public
#
return
Translation
简体中文
Download
Updated: 2020-04-01

Document ID: EDOC1000154805

Views: 157903

Downloads: 3705

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Share
Previous Next

Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :