CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Example for Connecting Android Phones of Mobile Office Users to the Headquarters Through L2TP over IPSec

Networking Requirements

Traveling employees access the enterprise network from different locations, and they want to communicate with the headquarters frequently. As shown in Figure 5-66, traveling employees connect to the headquarters by dialing up using their Android phones, and the headquarters can authenticate and manage access users. In addition, communication between the traveling employees and headquarters is encrypted to prevent information leakage.

Figure 5-66  Connecting Android phones of mobile office users to the headquarters through L2TP over IPSec
NOTE:

This example uses an Android phone running Android 5.1.

Configuration Roadmap

You can configure L2TP over IPSec on the Android phone and headquarters egress to enable communication between them. The configuration roadmap is as follows:

  1. Configure IP addresses and static routes on the Router interfaces so that the two ends can reach each other.
  2. Configure L2TP over IPSec on the Router to connect it to the Android phone.
  3. Configure L2TP over IPSec on the Android phone to connect it to the Router.

    Parameters configured on the Android phone must be the same as those configured on the Router.

Procedure

  1. Configure the Router.
    1. Configure interface IP addresses and static routes.

      # Configure the interface IP addresses.

      <Huawei> system-view
      [Huawei] sysname Router
      [Router] interface gigabitethernet 1/0/1
      [Router-GigabitEthernet1/0/1] ip address 1.1.1.2 24
      [Router-GigabitEthernet1/0/1] quit
      [Router] interface gigabitethernet 1/0/2
      [Router-GigabitEthernet1/0/2] ip address 10.1.1.1 24
      [Router-GigabitEthernet1/0/2] quit
      [Router] interface Virtual-Template 1
      [Router-Virtual-Template1] ip address 10.2.1.1 255.255.255.0
      [Router-Virtual-Template1] quit
      

      # Configure the public and private network routes. The public network route below is a static route with 1.1.1.1 as the next-hop IP address.

      [Router] ip route-static 3.3.3.3 255.255.255.0 1.1.1.1
      [Router] ip route-static 10.1.1.0 255.255.255.0 Virtual-Template1

    2. Configure L2TP.

      # Enable L2TP.

      [Router] l2tp enable

      # Create an L2TP group and bind it to a virtual interface template.

      NOTE:

      Tunnel authentication must be disabled on the Router if the L2TP client does not support tunnel authentication.

      The default L2TP group 1 is used in this example because the remote tunnel name cannot be configured on the L2TP client.

      [Router] l2tp-group 1
      [Router-l2tp1] allow l2tp virtual-template 1
      [Router-l2tp1] undo tunnel authentication
      [Router-l2tp1] quit

      # Configure the IP address pool used to assign addresses to users.

      [Router] ip pool 1
      [Router-ip-pool-1] network 10.2.1.0 mask 24
      [Router-ip-pool-1] gateway-list 10.2.1.1
      [Router-ip-pool-1] quit

      # Configure AAA authentication on the Router and set the user name and password to vpdnuser and Hello123.

      [Router] aaa
      [Router-aaa] authentication-scheme l2tp
      [Router-aaa-authen-l2tp] authentication-mode local
      [Router-aaa-authen-l2tp] quit
      [Router-aaa] domain l2tp
      [Router-aaa-domain-l2tp] authentication-scheme l2tp
      [Router-aaa-domain-l2tp] quit
      [Router-aaa] local-user vpdnuser password
      Please configure the login password (8-128)
      It is recommended that the password consist of at least 2 types of characters, including lowercase letters, uppercase letters, numerals and special characters.
      Please enter password: Hello123
      Please confirm password: Hello123
      Info: Add a new user.
      [Router-aaa] local-user vpdnuser service-type ppp
      [Router-aaa] quit
      

      # Configure Virtual-Template 1.

      [Router] interface Virtual-Template 1
      [Router-Virtual-Template1] ppp authentication-mode chap domain l2tp
      [Router-Virtual-Template1] remote address pool 1
      [Router-Virtual-Template1] quit
      

    3. Configure IPSec.

      # Create advanced ACL 3101.

      [Router] acl number 3101
      [Router-acl-adv-3101] rule permit ip
      [Router-acl-adv-3101] quit

      # Configure the IPSec proposal tran1.

      [Router] ipsec proposal tran1
      [Router-ipsec-proposal-tran1] encapsulation-mode transport
      [Router-ipsec-proposal-tran1] transform esp 
      [Router-ipsec-proposal-tran1] esp authentication-algorithm sha1
      [Router-ipsec-proposal-tran1] esp encryption-algorithm aes-128 
      [Router-ipsec-proposal-tran1] quit
      

      # Configure an IKE proposal.

      [Router] ike proposal 10 
      [Router-ike-proposal-10] authentication-method pre-share
      [Router-ike-proposal-10] authentication-algorithm sha1
      [Router-ike-proposal-10] encryption-algorithm aes-128
      [Router-ike-proposal-10] dh group2
      [Router-ike-proposal-10] quit

      # Configure an IKE peer.

      [Router] ike peer a
      [Router-ike-peer-a] undo version 2
      [Router-ike-peer-a] ike-proposal 10
      [Router-ike-peer-a] pre-shared-key cipher Admin@123 
      [Router-ike-peer-a] quit
      

      # Configure an IPSec policy policy_temp in template mode.

      [Router] ipsec policy-template policy_temp 1 
      [Router-ipsec-policy-templet-policy_temp-1] security acl 3101 
      [Router-ipsec-policy-templet-policy_temp-1] proposal tran1 
      [Router-ipsec-policy-templet-policy_temp-1] ike-peer a 
      [Router-ipsec-policy-templet-policy_temp-1] sa duration time-based 604800 
      [Router-ipsec-policy-templet-policy_temp-1] sa duration traffic-based 0
      [Router-ipsec-policy-templet-policy_temp-1] quit
      [Router] ipsec policy policy1 10 isakmp template policy_temp
      
      NOTE:

      Mobile phones use a long SA lifetime. If the SA lifetime on the device is shorter than that on the phone, the device cannot initiate IPSec SA re-negotiation, the IPSec tunnel is torn down, and services are interrupted. Therefore, the SA lifetime on the device should be longer than or equal to that on the phone. For example, the SA lifetime of an Android phone is typically 8 hours, and that of an iOS phone is typically 1 hour.

      # Apply the IPSec policy policy1 to the Router.

      [Router] interface gigabitethernet 1/0/1 
      [Router-GigabitEthernet1/0/1] ipsec policy policy1
      [Router-GigabitEthernet1/0/1] quit

  2. Configure the Android phone.

    NOTE:
    Set the IPSec pre-shared key on the Android phone to Admin@123, which must be the same as the IPSec pre-shared key configured on the Router.

Verification

  1. Enable VPN connection on the Android phone.

  2. Run the display l2tp tunnel command on the Router. The output shows that an L2TP tunnel has been established.

    [Router] display l2tp tunnel
     Total tunnel : 1                                                               
     LocalTID RemoteTID RemoteAddress    Port   Sessions RemoteName                 
     1        1         3.3.3.3          1701   1        -   
    
  3. Run the display ike sa command on the Router. The output shows that the IKE SAs (phase 1 and phase 2) have been established.

    [Router] display ike sa
    Conn-ID    Peer          VPN   Flag(s)    Phase    RemoteType  RemoteID
    -----------------------------------------------------------------------------   
    4          3.3.3.3:500         RD|A       v1:2     IP          3.3.3.3
    3          3.3.3.3:500         RD|A       v1:1     IP          3.3.3.3
                                                                                    
      Number of IKE SA : 2                                                     
    -----------------------------------------------------------------------------   
                                                                                    
      Flag Description:                                                             
      RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT           
      HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP                
      M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING
    

Configuration File

#
 sysname Router
#
 l2tp enable
#
acl number 3101
 rule 5 permit ip
#
ipsec proposal tran1
 encapsulation-mode transport
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-128
#
ike proposal 10
 encryption-algorithm aes-128 
 dh group2                       
 authentication-algorithm sha1  
 authentication-method pre-share 
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer a
 undo version 2
 pre-shared-key cipher %^%#/[$;=)q~,Fj9_s4|M>R9S%]QG,x&[6X]4"@eOs{E%^%#
 ike-proposal 10
#
ipsec policy-template policy_temp 1
 security acl 3101
 ike-peer a
 proposal tran1
 sa duration traffic-based 0
 sa duration time-based 604800
#
ipsec policy policy1 10 isakmp template policy_temp
#
ip pool 1 
 gateway-list 10.2.1.1
 network 10.2.1.0 mask 255.255.255.0 
# 
aaa                                                                             
 authentication-scheme l2tp                                                     
 domain l2tp                                                                    
  authentication-scheme l2tp                                                     
 local-user vpdnuser password cipher %^%#!~$GMN5Gj=j&f)IjQ8\>~b\-1"i^b@~.)+,2gi9K%^%#
 local-user vpdnuser privilege level 0                                          
 local-user vpdnuser service-type ppp
# 
interface GigabitEthernet1/0/1
 ip address 1.1.1.2 255.255.255.0
 ipsec policy policy1
#
interface GigabitEthernet1/0/2
 ip address 10.1.1.1 255.255.255.0
#
interface Virtual-Template1 
 ppp authentication-mode chap domain l2tp
 remote address pool 1
 ip address 10.2.1.1 255.255.255.0
#
l2tp-group 1
 undo tunnel authentication
 allow l2tp virtual-template 1
#
ip route-static 3.3.3.0 255.255.255.0 1.1.1.1
ip route-static 10.1.1.0 255.255.255.0 Virtual-Template1
# 
return
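As an added example (not part of this Huawei document), a small Python audit that reads the relevant blocks of the configuration file above and checks the points this example depends on: the IPSec and IKE algorithms match what the Android client uses, the time-based SA lifetime is not shorter than the phone's typical 8 hours, and tunnel authentication is disabled for a client that does not support it. The Android-side values are an assumption that mirrors the working configuration shown on this page; the excerpt is constructed from the Configuration File section.

```python
import re
ROUTER_CONFIG = """\
ipsec proposal tran1
 encapsulation-mode transport
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-128
#
ike proposal 10
 encryption-algorithm aes-128
 dh group2
 authentication-algorithm sha1
#
ipsec policy-template policy_temp 1
 sa duration time-based 604800
#
l2tp-group 1
 undo tunnel authentication
"""  # constructed excerpt of the Configuration File section on this page

# Router-side values the Android L2TP/IPSec PSK client must see (assumed to mirror the working config above).
EXPECTED = {
    "ipsec proposal tran1": {"encapsulation-mode": "transport",
                             "esp encryption-algorithm": "aes-128", "esp authentication-algorithm": "sha1"},
    "ike proposal 10": {"encryption-algorithm": "aes-128", "authentication-algorithm": "sha1", "dh": "group2"},
}
PHONE_SA_LIFETIME = 8 * 3600  # typical Android SA lifetime from the NOTE on this page

def block(config, header):
    """Return the stripped indented lines that follow a top-level VRP command."""
    m = re.search(rf"^{re.escape(header)}\n((?: .*\n)*)", config, re.M)
    return [line.strip() for line in m.group(1).splitlines()] if m else []

def setting(lines, key):  # e.g. setting(["dh group2"], "dh") -> "group2", None if absent
    return next((line[len(key) + 1:] for line in lines if line.startswith(key + " ")), None)

def audit(config, expected=EXPECTED, phone_lifetime=PHONE_SA_LIFETIME):
    """List Router settings that would stop the phone from negotiating or keeping the tunnel up."""
    findings = []
    for header, wanted in expected.items():
        lines = block(config, header)
        for key, want in wanted.items():
            if setting(lines, key) != want:
                findings.append(f"{header}: {key} must be {want}")
    # A Router lifetime shorter than the phone's stops re-negotiation (see the SA lifetime NOTE).
    lifetime = setting(block(config, "ipsec policy-template policy_temp 1"), "sa duration time-based")
    if lifetime is None or int(lifetime) < phone_lifetime:
        findings.append(f"sa duration time-based must be >= {phone_lifetime} seconds")
    if "undo tunnel authentication" not in block(config, "l2tp-group 1"):
        findings.append("l2tp-group 1: tunnel authentication must be disabled for this client")
    return findings
```

Running `audit(ROUTER_CONFIG)` on the page's configuration returns no findings; lowering the lifetime to the 3600 seconds mentioned for iOS, or switching the proposal to tunnel mode, each produces one finding.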
Updated: 2019-08-07

Document ID: EDOC1100033725