Huawei Firewall VPN Interoperation Configuration Guide

This document provides the guide for configuring a Huawei firewall to use VPN to communicate with a non-Huawei device.

Web: Example for Configuring L2TP over IPSec to Allow Mobile Users to Access the Headquarters Using Mac OS X Terminals

L2TP over IPSec VPN allows mobile employees to dial up to the headquarters (HQ) server using the Mac OS X L2TP client.

Networking Requirements

The LAC client directly initiates a connection request to the LNS. The LAC client and LNS negotiate an IPSec tunnel, and perform L2TP negotiation to authenticate the user's identity and establish an L2TP over IPSec tunnel. The data between the LAC client and the LNS is transmitted through the tunnel. Layer-2 data is encapsulated using L2TP and then the data is encrypted using IPSec.

Figure 2-16 Networking diagram for configuring L2TP over IPSec for mobile employees to access the headquarters

Data Planning

Item                          Data
----------------------------  -----------------------------------------
LNS                           Interface: GigabitEthernet 1/0/1
                              IP address: 1.1.1.2/24
                              Security zone: Untrust
                              Interface: GigabitEthernet 1/0/3
                              IP address: 192.168.1.1/24
                              Security zone: Trust
IP address and user for L2TP  IP pool 1
                              Address pool: 10.1.1.2-10.1.1.100
                              User name: macpc
                              User authentication password: Hello123
IPSec configuration           Security protocol: ESP
                              IKE authentication algorithm: sha1
                              IKE encryption algorithm: 3des
                              ESP authentication algorithm: sha1
                              ESP encryption algorithm: 3des
                              Pre-Shared Key: Admin@123
                              Local ID: IP Address
                              Peer ID: Any Type
LAC                           Server Address: 1.1.1.2
                              Account Name: macpc
                              User Authentication Password: Hello123
                              Shared Secret: Admin@123

Configuration Roadmap

  1. Complete basic configurations, including the configurations of interfaces, security policies, and routes.
  2. Complete the L2TP over IPSec configuration on FW.
  3. On the mobile employee's PC, complete the VPN client configuration. The parameters on the PC must match those on the FW.

Procedure

  1. Configure the LNS.
    1. Set an IP address for each interface and assign the interfaces to security zones.

      1. Choose Network > Interface.
      2. Click the edit icon of GE1/0/1 and set the following parameters:
         Zone: untrust
         IPv4 IP Address: 1.1.1.2/24
      3. Click OK.
      4. Repeat the preceding steps to set the parameters of the GE1/0/3 interface:
         Zone: trust
         IPv4 IP Address: 192.168.1.1/24

    2. Configure security policies.

      1. Choose Policy > Security Policy > Security Policy.

      2. Click Add and set the parameters of the security policies between the Untrust and Trust zones as follows:

        When the web UI is used to configure L2TP over IPSec, the FW uses Virtual-template 0 to communicate with the peer. When the PC dials up to the FW using L2TP, the FW adds Virtual-template 0 to the security zone of the interface that receives the L2TP packets. In this example, that is the Untrust zone, to which interface GE1/0/1 is added. Mobile employees need to access intranet resources, so you need an interzone security policy between the zone where Virtual-template 0 resides and the zone where the intranet resides. In this example, that is a policy between the Untrust and Trust zones.

        If you assign Virtual-template 0 to another security zone through the CLI, configure the interzone security policy between the zone where Virtual-template 0 resides and the security zone where the intranet resides.

        Name: policy_ipsec_1
        Source Zone: untrust
        Destination Zone: trust
        Source Address/Region: 10.1.1.2-10.1.1.100
        Destination Address/Region: 192.168.1.0/24
        Action: Permit

        Name: policy_ipsec_2
        Source Zone: trust
        Destination Zone: untrust
        Source Address/Region: 192.168.1.0/24
        Destination Address/Region: 10.1.1.2-10.1.1.100
        Action: Permit

      3. Repeat the preceding steps to configure a security policy for the Untrust -> Local interzone:

        Name: policy_ipsec_3
        Source Zone: untrust
        Destination Zone: local
        Destination Address/Region: 1.1.1.2/32
        Action: Permit

    3. Configure an L2TP user.

      1. Choose Object > User.

      2. Select the default authentication domain.

      3. Under User/User Group/Security Group Management List, click Add, select Add User, and set the following parameters:

        User Name: macpc
        Password: Hello123
        Confirm Password: Hello123

      4. Click OK.

    4. Configure the L2TP over IPSec tunnel.

      1. Choose Network > IPSec > IPSec, and click Add under IPSec Policy List.

      2. Set Scenario to Site-to-multisite and select L2TP over IPSec client.

      3. Configure Basic Configuration as follows. The headquarters needs to be accessed by multiple branches. Therefore, do not specify the remote gateway address. The pre-shared key is Admin@123.

      4. Configure Dial-up User Configuration as follows.

      5. Under Data Flow to Be Encrypted, click Add to add a data flow as follows.

      6. Configure IKE and IPSec protocol.

      7. Click Apply to complete the configurations.

    5. The LAC client uses the built-in Mac OS X L2TP client, which does not support L2TP tunnel authentication. Therefore, you need to disable tunnel authentication on the FW.

      1. Choose Network > L2TP > L2TP. In L2TP Group List, click default-lns and deselect Tunnel Password Authentication. Set the Associated Zone to untrust.
      2. Click OK.

  2. Configure a route on the HQ server.

    To communicate with mobile employees, the HQ server must have a route to the L2TP address pool, with the next hop pointing to the LAN interface address of the FW.

  3. Configure the mobile employee's PC.
    1. As shown in Figure 2-17, click the System Preferences icon in the Dock. Alternatively, choose APPLE > System Preferences in the upper left corner of the desktop.

      Figure 2-17 Desktop Dock

    2. As shown in Figure 2-18, choose Internet & Wireless > Network.

      Figure 2-18 Accessing the VPN setting page

    3. As shown in Figure 2-19, click + in the lower left corner to create a network connection.

      Figure 2-19 Creating a network connection

    4. Figure 2-20 shows the configuration page. Set Interface to VPN, VPN Type to L2TP over IPSec, and Service Name to any value (using VPN(L2TP) as an example). After the configuration is complete, click Create.

      Figure 2-20 Creating a VPN connection

    5. As shown in Figure 2-21, click VPN(L2TP) in the left column. Server Address indicates the IP address of the interface on the LNS connecting to the Internet. 1.1.1.2 is used as an example. Account Name indicates the user name registered with the LNS. macpc is used as an example.

      Figure 2-21 Setting the IP address and user name

    6. Click Authentication Settings... shown in Figure 2-21. On the page shown in Figure 2-22, choose User Authentication > Password and enter the authentication password for user macpc (using abcd1234! as an example). Then choose Machine Authentication > Shared Secret and enter the pre-shared key (using abc123 as an example). After the configuration is complete, click OK.

      Figure 2-22 Setting the authentication password and preshared password

    7. Click Advanced... in the lower right corner of Figure 2-21. On the page shown in Figure 2-23, select the first three items of Session on the Options tab page. After the configuration is complete, click OK.

      Figure 2-23 Setting advanced options for a VPN connection

    8. Click Apply in the lower right corner of Figure 2-21 to make all parameters take effect.

Configuration Verification

  1. Click Connect to set up a VPN tunnel.

    After the VPN tunnel is set up, the connection status changes, as shown in the following figure. The displayed information shows that the VPN connection is Connected, the connection duration is 00:00:39, and the IP address assigned to the LAC client is 10.1.1.2. To terminate the VPN connection, click Disconnect.

  2. After the dial-up succeeds, check the L2TP tunnel setup status on the LNS.

  3. Check the IPSec tunnel establishment on the LNS. If the following information is displayed, the IPSec tunnel is established.

Configuration Scripts

#
l2tp enable
l2tp domain suffix-separator @
#
acl number 3001
 rule 5 permit udp source-port eq 1701
#
ike proposal pro91165721597
 encryption-algorithm 3des
 authentication-algorithm sha1
 dh group2
#
ike peer ike91165721597
 local-id-type ip
 pre-shared-key %$%$Z1}*8w'rH;MD;%$%$
 ike-proposal pro91165721597
#
ipsec proposal prop91165721597
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ipsec policy-template tpl91165721597 1
 security acl 3001
 ike-peer ike91165721597
 alias policy_ipsec
 scenario point-to-multipoint l2tp-user-access
 proposal prop91165721597
#
ipsec policy ipsec9116572166 10000 isakmp template tpl91165721597
#
interface GigabitEthernet1/0/1
 ip address 1.1.1.2 255.255.255.0
 ipsec policy ipsec9116572166
#
interface GigabitEthernet1/0/3
 ip address 192.168.1.1 255.255.255.0
#
interface Virtual-Template1
 ppp authentication-mode chap pap
 remote service-scheme l2tpSScheme_1445251722019
 ip address 10.1.1.2 255.255.255.0
 alias L2TP_LNS_0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1
 add interface Virtual-Template1
#
l2tp-group default-lns
 allow l2tp virtual-template 1
 undo tunnel authentication
#
ip pool pool1
 section 1 10.1.1.2 10.1.1.100
#
aaa
 authentication-scheme default
  authentication-mode local
 #
 domain default
  authentication-scheme default
  service-scheme l2tp
#
security-policy
 rule name policy_ipsec_1
  source-zone untrust
  destination-zone trust
  source-address range 10.1.1.2 10.1.1.100
  destination-address 192.168.1.0 24
  action permit
 rule name policy_ipsec_2
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 24
  destination-address range 10.1.1.2 10.1.1.100
  action permit
 rule name policy_ipsec_3
  source-zone untrust
  destination-zone local
  destination-address 1.1.1.2 32
  action permit
# The following user/group creation configuration is stored in the database, but not in the configuration profile.
user-manage user vpdnuser domain default
 password *********
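A configuration review of the script above, as an added example that is not part of this guide or of Huawei's software: a Python checker that parses the VRP-style script and verifies the points this procedure depends on (tunnel authentication disabled for the Mac OS X built-in client, and an Untrust -> Trust permit rule covering the whole L2TP address pool), and flags the legacy algorithms (3DES, SHA-1) the data plan selects. It assumes the pool is named pool1 and the L2TP group default-lns, as in the script; the embedded sample is a constructed extract of that script.

```python
import ipaddress
# Constructed sample: the blocks of this guide's LNS script that review() reads.
SAMPLE = """\
ike proposal pro91165721597
 encryption-algorithm 3des
 authentication-algorithm sha1
#
l2tp-group default-lns
 undo tunnel authentication
#
ip pool pool1
 section 1 10.1.1.2 10.1.1.100
#
security-policy
 rule name policy_ipsec_1
  source-zone untrust
  destination-zone trust
  source-address range 10.1.1.2 10.1.1.100
  action permit
"""

def parse(script):  # map each top-level command to its indented child lines
    sections, head = {}, None
    for line in script.splitlines():
        if line and line[0] not in " #":        # '#' lines only separate blocks
            head, sections[line] = line, []
        elif head and line.strip() and line.strip()[0] != "#":
            sections[head].append(line.strip())
    return sections
def covers(spec, ip):  # does a VRP address spec ('range A B' or 'NET LEN') contain ip?
    p = spec.split()
    return (ipaddress.ip_address(p[1]) <= ip <= ipaddress.ip_address(p[2]) if p[0] == "range"
            else ip in ipaddress.ip_network(f"{p[0]}/{p[1]}"))
def review(script):  # findings for one LNS script; an empty list means every check passed
    sec, out = parse(script), []
    if "undo tunnel authentication" not in sec.get("l2tp-group default-lns", []):
        out.append("tunnel authentication enabled: the Mac OS X built-in client cannot pass it")
    ends = [ipaddress.ip_address(a) for l in sec.get("ip pool pool1", [])  # pool start and end
            if l.startswith("section") for a in l.split()[2:4]]
    rules = []                                  # group each rule's attributes under its name
    for l in sec.get("security-policy", []):
        if l.startswith("rule name "): rules.append({})
        elif rules: rules[-1].update([l.split(" ", 1)])
    if not any((r.get("source-zone"), r.get("destination-zone"), r.get("action")) == ("untrust", "trust", "permit")
               and ends and all(covers(r.get("source-address", "0.0.0.0 32"), e) for e in ends) for r in rules):
        out.append("no Untrust->Trust permit rule covers the whole L2TP address pool")
    for head, lines in sec.items():             # the data plan picks legacy IKE/ESP algorithms
        if head.startswith(("ike proposal", "ipsec proposal")):
            out += [f"{head}: legacy algorithm {t}" for l in lines for t in l.split() if t in ("3des", "sha1", "group2")]
    return out
```

Running review() over the full script from this page instead of the sample extract reports the same two legacy-algorithm findings plus those for the ipsec proposal block.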