CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Example for Configuring L2TP Client-Initiated L2TP Connections

Networking Requirements

As shown in Figure 1-23, an enterprise has some branches located in other cities, and branches use the Ethernet network.

The headquarters network provides VPDN services for the branch staff to allow them to access the network of the headquarters. The LNS only authenticates the L2TP Client. The L2TP Client dials up to establish L2TP connections to the LNS.

Figure 1-23  Networking diagram for establishing L2TP Client-Initiated L2TP connections

Configuration Roadmap

The configuration roadmap is as follows:

  1. Enable L2TP on the L2TP Client and configure a virtual PPP user. The L2TP Client sets up an L2TP tunnel to the LNS in the headquarters, and the virtual PPP user is then authenticated by the LNS over that tunnel.

  2. On the L2TP Client, configure a reachable route to the LNS and enable the dial-up function.

  3. On the LNS, configure L2TP, a virtual PPP user, and a route to the public network segment.

Procedure

  1. Configure the L2TP Client_1.

    # Configure an IP address for the public-network-side interface.

    <Huawei> system-view
    [Huawei] sysname L2TP Client_1
    [L2TP Client_1] interface gigabitethernet 1/0/0
    [L2TP Client_1-GigabitEthernet1/0/0] ip address 1.1.2.1 255.255.255.0
    [L2TP Client_1-GigabitEthernet1/0/0] quit

    # Configure an IP address for the user-side interface.

    [L2TP Client_1] interface gigabitethernet 2/0/0
    [L2TP Client_1-GigabitEthernet2/0/0] ip address 10.1.10.1 255.255.255.0
    [L2TP Client_1-GigabitEthernet2/0/0] quit

    # Enable L2TP globally, create an L2TP group, and configure the user huawei to establish an L2TP connection to the LNS.

    [L2TP Client_1] l2tp enable
    [L2TP Client_1] l2tp-group 1
    [L2TP Client_1-l2tp1] tunnel name L2TP_Client_1
    [L2TP Client_1-l2tp1] start l2tp ip 1.1.1.1 fullusername huawei

    # Enable tunnel authentication and set the tunnel password.

    [L2TP Client_1-l2tp1] tunnel authentication
    [L2TP Client_1-l2tp1] tunnel password cipher huawei
    [L2TP Client_1-l2tp1] quit

    # Configure the user name and password, authentication mode, and IP address for the virtual PPP user.

    [L2TP Client_1] interface virtual-template 1
    [L2TP Client_1-Virtual-Template1] ppp chap user huawei
    [L2TP Client_1-Virtual-Template1] ppp chap password cipher Huawei@1234
    [L2TP Client_1-Virtual-Template1] ip address ppp-negotiate
    [L2TP Client_1-Virtual-Template1] ospf p2mp-mask-ignore
    [L2TP Client_1-Virtual-Template1] quit

    # On the L2TP Client_1, configure a static route to the public address 1.1.1.1 of the LNS. For example, set the next hop address to 1.1.2.2.

    [L2TP Client_1] ip route-static 1.1.1.1 255.255.255.255 1.1.2.2

    # Enable the L2TP Client to dial up and establish an L2TP tunnel.

    [L2TP Client_1] interface virtual-template 1
    [L2TP Client_1-Virtual-Template1] l2tp-auto-client enable
    [L2TP Client_1-Virtual-Template1] quit

    # Configure private routes so that branches can communicate with the headquarters through the private network.
    [L2TP Client_1] ospf 10
    [L2TP Client_1-ospf-10] area 0
    [L2TP Client_1-ospf-10-area-0.0.0.0] network 10.1.1.0 0.0.0.255
    [L2TP Client_1-ospf-10-area-0.0.0.0] network 10.1.10.0 0.0.0.255
    [L2TP Client_1-ospf-10-area-0.0.0.0] quit
    [L2TP Client_1-ospf-10] quit

  2. Configure the L2TP Client_2.

    # Configure an IP address for the public-network-side interface.

    <Huawei> system-view
    [Huawei] sysname L2TP Client_2
    [L2TP Client_2] interface gigabitethernet 1/0/0
    [L2TP Client_2-GigabitEthernet1/0/0] ip address 1.1.3.1 255.255.255.0
    [L2TP Client_2-GigabitEthernet1/0/0] quit

    # Configure an IP address for the user-side interface.

    [L2TP Client_2] interface gigabitethernet 2/0/0
    [L2TP Client_2-GigabitEthernet2/0/0] ip address 10.1.20.1 255.255.255.0
    [L2TP Client_2-GigabitEthernet2/0/0] quit

    # Enable L2TP globally, create an L2TP group, and configure the user huawei to establish an L2TP connection to the LNS.

    [L2TP Client_2] l2tp enable
    [L2TP Client_2] l2tp-group 1
    [L2TP Client_2-l2tp1] tunnel name L2TP_Client_2
    [L2TP Client_2-l2tp1] start l2tp ip 1.1.1.1 fullusername huawei

    # Enable tunnel authentication and set the tunnel password.

    [L2TP Client_2-l2tp1] tunnel authentication
    [L2TP Client_2-l2tp1] tunnel password cipher huawei
    [L2TP Client_2-l2tp1] quit

    # Configure the user name and password, authentication mode, and IP address for the virtual PPP user.

    [L2TP Client_2] interface virtual-template 1
    [L2TP Client_2-Virtual-Template1] ppp chap user huawei
    [L2TP Client_2-Virtual-Template1] ppp chap password cipher Huawei@1234
    [L2TP Client_2-Virtual-Template1] ip address ppp-negotiate
    [L2TP Client_2-Virtual-Template1] ospf p2mp-mask-ignore
    [L2TP Client_2-Virtual-Template1] quit

    # On the L2TP Client_2, configure a static route to the public address 1.1.1.1 of the LNS. For example, set the next hop address to 1.1.3.2.

    [L2TP Client_2] ip route-static 1.1.1.1 255.255.255.255 1.1.3.2

    # Enable the L2TP Client to dial up and establish an L2TP tunnel.

    [L2TP Client_2] interface virtual-template 1
    [L2TP Client_2-Virtual-Template1] l2tp-auto-client enable
    [L2TP Client_2-Virtual-Template1] quit

    # Configure private routes so that branches can communicate with the headquarters through the private network.
    [L2TP Client_2] ospf 10
    [L2TP Client_2-ospf-10] area 0
    [L2TP Client_2-ospf-10-area-0.0.0.0] network 10.1.1.0 0.0.0.255
    [L2TP Client_2-ospf-10-area-0.0.0.0] network 10.1.20.0 0.0.0.255
    [L2TP Client_2-ospf-10-area-0.0.0.0] quit
    [L2TP Client_2-ospf-10] quit

  3. Configure the LNS.

    # Configure an IP address for the public-network-side interface.

    <Huawei> system-view
    [Huawei] sysname LNS
    [LNS] interface gigabitethernet 1/0/0
    [LNS-GigabitEthernet1/0/0] ip address 1.1.1.1 255.255.255.0
    [LNS-GigabitEthernet1/0/0] quit

    # Configure an IP address for the user-side interface.

    [LNS] interface gigabitethernet 2/0/0
    [LNS-GigabitEthernet2/0/0] ip address 10.1.2.1 255.255.255.0
    [LNS-GigabitEthernet2/0/0] quit

    # Configure AAA authentication, and set the user name and password to huawei and Huawei@1234 on the LNS.

    [LNS] aaa
    [LNS-aaa] local-user huawei password
    Please configure the login password (8-128)
    It is recommended that the password consist of at least 2 types of characters, including lowercase letters, uppercase letters, numerals and special characters.
    Please enter password:
    Please confirm password:
    Info: Add a new user.
    Warning: The new user supports all access modes. The management user access modes such as Telnet, SSH, FTP, HTTP, and Terminal have security risks. You are advised to configure the required access modes only.
    [LNS-aaa] local-user huawei service-type ppp
    [LNS-aaa] quit

    # Configure an IP address pool for the LNS and allocate an IP address to the dial-up interface of the L2TP Client.

    [LNS] ip pool 1
    [LNS-ip-pool-1] network 10.1.1.0 mask 24
    [LNS-ip-pool-1] gateway-list 10.1.1.1
    [LNS-ip-pool-1] quit

    # Create a virtual interface template and configure PPP negotiation parameters.

    [LNS] interface virtual-template 1
    [LNS-Virtual-Template1] ppp authentication-mode chap
    [LNS-Virtual-Template1] remote address pool 1
    [LNS-Virtual-Template1] ip address 10.1.1.1 255.255.255.0
    [LNS-Virtual-Template1] ospf network-type p2mp
    [LNS-Virtual-Template1] ospf timer hello 10
    [LNS-Virtual-Template1] ospf p2mp-mask-ignore
    [LNS-Virtual-Template1] quit

    # Enable L2TP and configure an L2TP group.

    [LNS] l2tp enable
    [LNS] l2tp-group 1

    # Configure the LNS tunnel name and bind virtual template 1 to the L2TP group. Because no remote tunnel name is specified in the allow l2tp command, the LNS accepts tunnel requests from any L2TP Client, so both L2TP_Client_1 and L2TP_Client_2 use this group.

    [LNS-l2tp1] tunnel name lns
    [LNS-l2tp1] allow l2tp virtual-template 1

    # Enable the tunnel authentication function, and configure an authentication password.

    [LNS-l2tp1] tunnel authentication
    [LNS-l2tp1] tunnel password cipher huawei
    [LNS-l2tp1] quit

    # On the LNS, configure static routes to the public addresses of the two L2TP Clients. For example, set the next hop address to 1.1.1.2.

    [LNS] ip route-static 1.1.2.1 255.255.255.255 1.1.1.2
    [LNS] ip route-static 1.1.3.1 255.255.255.255 1.1.1.2

    # Configure private routes so that the headquarters can communicate with branches through the private network.
    [LNS] ospf 10
    [LNS-ospf-10] area 0
    [LNS-ospf-10-area-0.0.0.0] network 10.1.1.0 0.0.0.255
    [LNS-ospf-10-area-0.0.0.0] network 10.1.2.0 0.0.0.255
    [LNS-ospf-10-area-0.0.0.0] quit
    [LNS-ospf-10] quit

  4. Verify the configuration.

    # Run the display l2tp tunnel command on the L2TP Client or LNS to view the L2TP tunnels and their sessions. The RemoteName column shows the tunnel name of the peer and the Sessions column shows the number of sessions carried in each tunnel. The command output for the LNS is shown as an example.

    [LNS] display l2tp tunnel
    
     Total tunnel : 2
     LocalTID RemoteTID RemoteAddress    Port   Sessions RemoteName
     1        1         1.1.2.1          1701   1        L2TP_Client_1
     2        1         1.1.3.1          1701   1        L2TP_Client_2

    # Check that PC1 and PC3 can communicate with PC2 in the enterprise headquarters.
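The tunnel authentication configured in steps 1 to 3 (tunnel authentication plus a shared tunnel password on each L2TP Client and on the LNS) is the RFC 2661 challenge/response that runs inside the SCCRQ, SCCRP and SCCCN messages of the control connection. The following Python script is an added example, not code from this page or from the device, that simulates that exchange end to end: the LAC's challenge is answered in SCCRP with MD5 over the message-type octet, the tunnel secret and the challenge; the LNS's challenge is answered the same way in SCCCN; and the tunnel comes up only when both sides hold the same tunnel password. The Endpoint class, the establish_tunnel function and the allowed_remote parameter (which models the optional remote name of the allow l2tp command) are assumptions of the example; the tunnel names and passwords are the ones used on this page. This step authenticates only the control connection; it does not encrypt the data carried in the tunnel.

```python
import hashlib
import hmac
import os

# Message Type values (RFC 2661) used as the one-octet CHAP "ID" in the tunnel authentication hash.
SCCRP, SCCCN = 2, 3


def tunnel_auth_response(msg_type, secret, challenge):
    """RFC 2661 5.1.1: Challenge Response = MD5(message-type octet || tunnel secret || challenge)."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


class Endpoint:
    """One side of an L2TP control connection, holding its 'tunnel name' and 'tunnel password' (assumed model)."""

    def __init__(self, tunnel_name, tunnel_password, allowed_remote=None):
        self.tunnel_name = tunnel_name
        self.secret = tunnel_password.encode()
        self.allowed_remote = allowed_remote  # LNS: 'allow l2tp ... remote <name>'; None accepts any name
        self.sent_challenge = None

    def new_challenge(self):
        self.sent_challenge = os.urandom(16)  # Challenge AVP: random and fresh for every tunnel attempt
        return self.sent_challenge

    def answer(self, msg_type, peer_challenge):
        return tunnel_auth_response(msg_type, self.secret, peer_challenge)

    def verify(self, msg_type, response):
        expected = tunnel_auth_response(msg_type, self.secret, self.sent_challenge)
        return hmac.compare_digest(expected, response)


def establish_tunnel(lac, lns):
    """Run SCCRQ -> SCCRP -> SCCCN with mutual tunnel authentication. Returns (tunnel_up, log lines)."""
    log = []
    # SCCRQ (LAC -> LNS): Host Name AVP carries the LAC's tunnel name; Challenge AVP because authentication is on.
    sccrq = {"host_name": lac.tunnel_name, "challenge": lac.new_challenge()}
    log.append(f"SCCRQ  {lac.tunnel_name} -> {lns.tunnel_name}")
    if lns.allowed_remote is not None and sccrq["host_name"] != lns.allowed_remote:
        log.append(f"LNS: tunnel name {sccrq['host_name']!r} not allowed -> StopCCN")
        return False, log
    # SCCRP (LNS -> LAC): Challenge Response to the LAC's challenge (ID octet 2) plus the LNS's own challenge.
    sccrp = {"host_name": lns.tunnel_name,
             "response": lns.answer(SCCRP, sccrq["challenge"]),
             "challenge": lns.new_challenge()}
    log.append(f"SCCRP  {lns.tunnel_name} -> {lac.tunnel_name}")
    if not lac.verify(SCCRP, sccrp["response"]):
        log.append("LAC: bad Challenge Response in SCCRP (tunnel password mismatch) -> StopCCN")
        return False, log
    # SCCCN (LAC -> LNS): Challenge Response to the LNS's challenge (ID octet 3).
    scccn = {"response": lac.answer(SCCCN, sccrp["challenge"])}
    log.append(f"SCCCN  {lac.tunnel_name} -> {lns.tunnel_name}")
    if not lns.verify(SCCCN, scccn["response"]):
        log.append("LNS: bad Challenge Response in SCCCN (tunnel password mismatch) -> StopCCN")
        return False, log
    log.append(f"tunnel up; 'display l2tp tunnel' on the LNS shows RemoteName {sccrq['host_name']}")
    return True, log


if __name__ == "__main__":
    # Matching passwords (as on this page) versus a mismatched tunnel password on the LNS.
    for lac, lns in ((Endpoint("L2TP_Client_1", "huawei"), Endpoint("lns", "huawei")),
                     (Endpoint("L2TP_Client_2", "huawei"), Endpoint("lns", "Huawei@1234"))):
        up, log = establish_tunnel(lac, lns)
        print("\n".join(log), "\n=> up\n" if up else "\n=> failed\n")
```

Running the script prints the successful exchange for L2TP_Client_1 and the StopCCN that a tunnel password mismatch produces at the SCCRP step, which is the first thing to rule out when display l2tp tunnel on the LNS shows no entry for a branch.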

Configuration Files

  • Configuration file of the L2TP Client_1

    #
     sysname L2TP Client_1
    #
     l2tp enable
    #
    interface Virtual-Template1
     ppp chap user huawei
     ppp chap password cipher %^%#'&=6Q(|7-#|.]EB`mK$(h7[CY`2m}-YT)Q=Oh2~2%^%#
     ip address ppp-negotiate
     l2tp-auto-client enable
     ospf p2mp-mask-ignore 
    #
    interface GigabitEthernet1/0/0
     ip address 1.1.2.1 255.255.255.0
    #
    interface GigabitEthernet2/0/0
     ip address 10.1.10.1 255.255.255.0
    #
    l2tp-group 1
     tunnel password cipher %@%@/-#)Lg[S4F:#2~ZNvqa$]\DL%@%@
     tunnel name L2TP_Client_1
     start l2tp ip 1.1.1.1 fullusername huawei
    #
    ospf 10
     area 0.0.0.0
      network 10.1.1.0 0.0.0.255
      network 10.1.10.0 0.0.0.255
    #
    ip route-static 1.1.1.1 255.255.255.255 1.1.2.2
    #
    return
  • Configuration file of the L2TP Client_2

    #
     sysname L2TP Client_2
    #
     l2tp enable
    #
    interface Virtual-Template1
     ppp chap user huawei
     ppp chap password cipher %^%#'&=6Q(|7-#|.]EB`mK$(h7[CY`2m}-YT)Q=Oh2~2%^%#
     ip address ppp-negotiate
     l2tp-auto-client enable
     ospf p2mp-mask-ignore 
    #
    interface GigabitEthernet1/0/0
     ip address 1.1.3.1 255.255.255.0
    #
    interface GigabitEthernet2/0/0
     ip address 10.1.20.1 255.255.255.0
    #
    l2tp-group 1
     tunnel password cipher %@%@6Za[BAw}f$WX}sX`]:QP1%.t%@%@
     tunnel name L2TP_Client_2
     start l2tp ip 1.1.1.1 fullusername huawei
    #
    ospf 10
     area 0.0.0.0
      network 10.1.1.0 0.0.0.255
      network 10.1.20.0 0.0.0.255
    #
    ip route-static 1.1.1.1 255.255.255.255 1.1.3.2
    #
    return
  • Configuration file of the LNS

    #
     sysname LNS
    #
     l2tp enable
    #
    ip pool 1
     gateway-list 10.1.1.1
     network 10.1.1.0 mask 255.255.255.0
    #
    aaa
     local-user huawei password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
     local-user huawei privilege level 0  
     local-user huawei service-type ppp
    #
    interface Virtual-Template1
     ppp authentication-mode chap
     remote address pool 1
     ip address 10.1.1.1 255.255.255.0
     ospf network-type p2mp
     ospf timer hello 10
     ospf p2mp-mask-ignore
    #
    interface GigabitEthernet1/0/0
     ip address 1.1.1.1 255.255.255.0
    #
    interface GigabitEthernet2/0/0
     ip address 10.1.2.1 255.255.255.0
    #
    l2tp-group 1
     allow l2tp virtual-template 1
     tunnel password cipher %@%@EB~j7Je>;@>uNr''D=J<]\WL%@%@
     tunnel name lns
    #
    ospf 10
     area 0.0.0.0
      network 10.1.1.0 0.0.0.255
      network 10.1.2.0 0.0.0.255
    #
    ip route-static 1.1.2.1 255.255.255.255 1.1.1.2
    ip route-static 1.1.3.1 255.255.255.255 1.1.1.2
    #
    return
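Before a change to these files is pushed, the mismatches that most often keep a tunnel or session from coming up can be checked offline: the start l2tp ip address must be an interface address of the LNS and have a host route on the client; the fullusername must equal the client's CHAP user and exist on the LNS as a local user with service-type ppp; neither side may carry undo tunnel authentication (tunnel authentication is enabled by default, which is why the files above do not list it) and both must carry a tunnel password; the LNS group must bind a virtual template that requires CHAP and whose own address lies in the pool it hands out; and the client's OSPF must cover the pool subnet, since its negotiated address comes from that pool. The following Python script is an added example, not part of this page or a Huawei tool, that runs these checks over constructed extracts of the three configuration files above. The audit, sections, find and client helpers are assumptions of the example; cipher text is replaced by a placeholder because encrypted passwords cannot be compared offline.

```python
import ipaddress
import re

# Constructed extract of the LNS configuration file above (only the lines the checks read).
LNS = """
#
ip pool 1
 network 10.1.1.0 mask 255.255.255.0
#
aaa
 local-user huawei service-type ppp
#
interface Virtual-Template1
 ppp authentication-mode chap
 remote address pool 1
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 ip address 1.1.1.1 255.255.255.0
#
l2tp-group 1
 allow l2tp virtual-template 1
 tunnel password cipher <cipher>
 tunnel name lns
#
"""

def client(name, lan_net, nexthop, user="huawei", lns_ip="1.1.1.1"):
    # Constructed extract of a client file; Client_1 is client("L2TP_Client_1", "10.1.10.0", "1.1.2.2").
    return f"""
#
interface Virtual-Template1
 ppp chap user {user}
#
l2tp-group 1
 tunnel password cipher <cipher>
 tunnel name {name}
 start l2tp ip {lns_ip} fullusername {user}
#
ospf 10
 area 0.0.0.0
  network 10.1.1.0 0.0.0.255
  network {lan_net} 0.0.0.255
#
ip route-static {lns_ip} 255.255.255.255 {nexthop}
#
"""

def sections(cfg):
    """Split a VRP config into '#'-delimited blocks of stripped lines; block[0] names the section."""
    blocks, cur = [], []
    for line in cfg.splitlines():
        if line.strip() == "#":
            blocks, cur = blocks + ([cur] if cur else []), []
        elif line.strip():
            cur.append(line.strip())
    return blocks + ([cur] if cur else [])

def find(blocks, prefix):
    return next((b for b in blocks if b[0].startswith(prefix)), [])

def audit(client_cfg, lns_cfg):
    """Findings ('error: ...' / 'warn: ...') for one client/LNS pair; no 'error' means the pair can come up."""
    c, s, out = sections(client_cfg), sections(lns_cfg), []
    def chk(ok, msg):
        if not ok:
            out.append(msg)
    cg, sg = find(c, "l2tp-group"), find(s, "l2tp-group")
    m = re.search(r"start l2tp ip (\S+) fullusername (\S+)", "\n".join(cg))
    if not m:
        return ["error: client l2tp-group has no 'start l2tp ip ... fullusername ...'"]
    lns_ip, user = m.groups()
    # Tunnel endpoint: the LNS must own the address and the client needs a host route to it.
    chk(lns_ip in [l.split()[2] for b in s for l in b if l.startswith("ip address ")],
        f"error: {lns_ip} is not an interface address on the LNS")
    chk(any(l.startswith(f"ip route-static {lns_ip} 255.255.255.255") for b in c for l in b),
        f"error: client has no host route to {lns_ip}")
    # PPP user: the client's CHAP name is the fullusername and exists on the LNS with service-type ppp.
    chk(f"ppp chap user {user}" in find(c, "interface Virtual-Template"), f"error: client CHAP user is not {user}")
    chk(f"local-user {user} service-type ppp" in find(s, "aaa"), f"error: LNS has no PPP local-user {user}")
    # Tunnel authentication is on by default (so absent from the files); only an explicit undo disables it.
    for side, blk in (("client", cg), ("LNS", sg)):
        chk("undo tunnel authentication" not in blk, f"error: {side} disables tunnel authentication")
        chk(any(l.startswith("tunnel password") for l in blk), f"error: {side} has no tunnel password")
    # LNS: the group binds a VT that must require CHAP and hand out a pool containing the VT's own address.
    allow = next((l.split() for l in sg if l.startswith("allow l2tp virtual-template")), None)
    if not allow:
        return out + ["error: LNS l2tp-group has no 'allow l2tp virtual-template'"]
    chk("remote" in allow, "warn: LNS accepts any tunnel name ('allow l2tp' has no remote name)")
    vt = find(s, f"interface Virtual-Template{allow[3]}")
    chk("ppp authentication-mode chap" in vt, "error: LNS virtual template does not require CHAP")
    pool = next((l.split()[3] for l in vt if l.startswith("remote address pool")), "")
    net = next((l.split() for l in find(s, f"ip pool {pool}") if l.startswith("network ")), None)
    vt_ip = next((l.split()[2] for l in vt if l.startswith("ip address ")), None)
    if not (net and vt_ip):
        return out + ["error: LNS address pool or virtual-template address missing"]
    subnet = ipaddress.ip_network(f"{net[1]}/{net[3]}", strict=False)
    chk(ipaddress.ip_address(vt_ip) in subnet, f"error: virtual-template address {vt_ip} is outside pool {subnet}")
    # The client's negotiated address comes from that pool, so its OSPF must cover the pool subnet.
    chk(f"network {subnet.network_address} {subnet.hostmask}" in find(c, "ospf"),
        f"warn: client OSPF does not advertise pool subnet {subnet}")
    return out
```

For the files on this page, audit(client("L2TP_Client_1", "10.1.10.0", "1.1.2.2"), LNS) returns only the warning that the LNS accepts any tunnel name; changing the client's user to one the LNS does not know, or its start l2tp ip to an address the LNS does not own, returns an error naming that user or address.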
Updated: 2019-08-07

Document ID: EDOC1100033725
