CLI-based Configuration Guide - VPN

AR650, AR1600, and AR6100 V300R003

This document describes VPN features on the device and provides configuration procedures and configuration examples.

Example for Configuring L2TP Over IPSec to Implement Secure Communication Between the Headquarters and Branch

Networking Requirements

As shown in Figure 4-52, the LAC is the enterprise branch gateway and the LNS is the enterprise headquarters gateway. The LAC dials up automatically to establish an L2TP tunnel to the LNS so that the branch and the headquarters can communicate.

The enterprise requires that service packets transmitted over the L2TP tunnel be protected against interception and tampering. L2TP itself provides neither confidentiality nor integrity protection for the tunneled traffic (tunnel authentication only proves that both ends know the tunnel password, and PPP CHAP only authenticates the dial-up user), so L2TP over IPSec is configured: the L2TP packets exchanged between the headquarters and branch gateways are carried inside IPSec ESP, which encrypts and integrity-protects them.

Figure 4-52  Configuring L2TP over IPSec to implement secure communication between the headquarters and branch

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure an IP address on each interface and a static route on each gateway so that the LAC and the LNS can reach each other.

  2. Enable L2TP on the LAC and configure the PPP user with which it dials. The LAC sends a connection request to the LNS in the headquarters; the LNS authenticates the tunnel and the PPP user, and the L2TP tunnel and session are then set up.

  3. On the LAC, configure a route to the LNS and enable the auto dial-up function.

  4. On the LNS, configure L2TP, create a PPP user, and configure a route to the public network segment.

  5. Configure an ACL to define the data flows to be protected by the IPSec tunnel.

  6. Configure an IPSec proposal to define the traffic protection method.

  7. Configure an IKE peer and define the attributes used for IKE negotiation.

  8. Configure an IPSec policy, and reference the ACL, IPSec proposal, and IKE peer in it to define which data flows are protected and how they are protected.

  9. Apply the IPSec policy group to an interface so that the interface can protect traffic.

Procedure

  1. Assign IP addresses to interfaces and configure a static route to the remote device.

    # Assign an IP address to each interface on the LAC.

    <Huawei> system-view
    [Huawei] sysname LAC
    [LAC] interface gigabitethernet 1/0/0
    [LAC-GigabitEthernet1/0/0] ip address 1.1.2.1 255.255.255.0
    [LAC-GigabitEthernet1/0/0] quit
    [LAC] interface gigabitethernet 2/0/0
    [LAC-GigabitEthernet2/0/0] ip address 10.1.10.1 255.255.255.0
    [LAC-GigabitEthernet2/0/0] quit

    # Configure a public network route on the LAC so that the LNS is reachable. A static route is used in this example, and the next-hop IP address is 1.1.2.2.

    [LAC] ip route-static 1.1.1.0 255.255.255.0 1.1.2.2

    # Assign an IP address to each interface on the LNS.

    <Huawei> system-view
    [Huawei] sysname LNS
    [LNS] interface gigabitEthernet 1/0/0
    [LNS-GigabitEthernet1/0/0] ip address 1.1.1.1 255.255.255.0
    [LNS-GigabitEthernet1/0/0] quit
    [LNS] interface gigabitEthernet 2/0/0
    [LNS-GigabitEthernet2/0/0] ip address 10.1.2.1 255.255.255.0
    [LNS-GigabitEthernet2/0/0] quit

    # Configure a public network route on the LNS so that the LAC is reachable. A static route is used in this example, and the next-hop IP address is 1.1.1.2.

    [LNS] ip route-static 1.1.2.0 255.255.255.0 1.1.1.2

  2. Configure L2TP.

    # On the LAC, enable L2TP globally, create an L2TP group, and configure the LAC to initiate an L2TP tunnel to the LNS at 1.1.1.1 with the PPP user huawei.

    [LAC] l2tp enable
    [LAC] l2tp-group 1
    [LAC-l2tp1] tunnel name lac
    [LAC-l2tp1] start l2tp ip 1.1.1.1 fullusername huawei

    # Enable tunnel authentication and set the tunnel password on the LAC.

    [LAC-l2tp1] tunnel authentication
    [LAC-l2tp1] tunnel password cipher huawei
    [LAC-l2tp1] quit

    # Configure the user name and password, PPP authentication, and IP address for the virtual PPP user on the LAC.

    [LAC] interface virtual-template 1
    [LAC-Virtual-Template1] ppp chap user huawei
    [LAC-Virtual-Template1] ppp chap password cipher Huawei@1234
    [LAC-Virtual-Template1] ip address ppp-negotiate
    [LAC-Virtual-Template1] quit

    # Enable the LAC to dial up and establish an L2TP tunnel.

    [LAC] interface virtual-template 1
    [LAC-Virtual-Template1] l2tp-auto-client enable
    [LAC-Virtual-Template1] quit
    # Configure a private network route on the LAC, so users in the enterprise branch can communicate with users in the headquarters.
    [LAC] ip route-static 10.1.2.0 255.255.255.0 virtual-template 1

    # Configure AAA on the LNS: create the local user huawei with the password Huawei@1234 and restrict it to the PPP service type, so that the account cannot be used for management access (Telnet, SSH, FTP, HTTP, or terminal), which is what the warning below refers to.

    [LNS] aaa
    [LNS-aaa] local-user huawei password
    Please configure the login password (8-128)
    It is recommended that the password consist of at least 2 types of characters, including lowercase letters, uppercase letters, numerals and special characters.
    Please enter password:
    Please confirm password:
    Info: Add a new user.
    Warning: The new user supports all access modes. The management user access modes such as Telnet, SSH, FTP, HTTP, and Terminal have security risks. You are advised to configure the required access modes only.
    [LNS-aaa] local-user huawei service-type ppp
    [LNS-aaa] quit

    # Configure an IP address pool on the LNS; during PPP negotiation, an address from this pool is assigned to the dial-up (virtual-template) interface of the LAC.

    [LNS] ip pool 1
    [LNS-ip-pool-1] network 10.1.1.0 mask 24
    [LNS-ip-pool-1] gateway-list 10.1.1.1
    [LNS-ip-pool-1] quit

    # Create a virtual interface template and configure PPP negotiation parameters on the LNS.

    [LNS] interface virtual-template 1
    [LNS-Virtual-Template1] ppp authentication-mode chap
    [LNS-Virtual-Template1] remote address pool 1
    [LNS-Virtual-Template1] ip address 10.1.1.1 255.255.255.0
    [LNS-Virtual-Template1] quit

    # Enable L2TP and configure an L2TP group on the LNS.

    [LNS] l2tp enable
    [LNS] l2tp-group 1

    # Configure the LNS tunnel name and allow tunnels from the LAC whose tunnel name is lac, binding them to virtual-template 1.

    [LNS-l2tp1] tunnel name lns
    [LNS-l2tp1] allow l2tp virtual-template 1 remote lac

    # Enable the tunnel authentication function, and configure an authentication password.

    [LNS-l2tp1] tunnel authentication
    [LNS-l2tp1] tunnel password cipher huawei
    [LNS-l2tp1] quit
    # Configure a private network route on the LNS, so users in the headquarters can communicate with users in the enterprise branch.
    [LNS] ip route-static 10.1.10.0 255.255.255.0 virtual-template 1

  3. Configure an ACL to define the traffic to be protected. The L2TP tunnel runs between the public addresses 1.1.2.1 (LAC) and 1.1.1.1 (LNS), so the ACL on each side matches the traffic between the two public network segments; the L2TP control and data packets, and the PPP frames inside them, are then carried in IPSec.

    # Configure an ACL on the LAC.

    [LAC] acl number 3101
    [LAC-acl-adv-3101] rule permit ip source 1.1.2.0 0.0.0.255 destination 1.1.1.0 0.0.0.255
    [LAC-acl-adv-3101] quit

    # Configure an ACL on the LNS.

    [LNS] acl number 3101
    [LNS-acl-adv-3101] rule permit ip source 1.1.1.0 0.0.0.255 destination 1.1.2.0 0.0.0.255
    [LNS-acl-adv-3101] quit

  4. Create an IPSec proposal.

    # Create an IPSec proposal on the LAC.

    [LAC] ipsec proposal tran1
    [LAC-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
    [LAC-ipsec-proposal-tran1] esp encryption-algorithm aes-128
    [LAC-ipsec-proposal-tran1] quit

    # Create an IPSec proposal on the LNS.

    [LNS] ipsec proposal tran1
    [LNS-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
    [LNS-ipsec-proposal-tran1] esp encryption-algorithm aes-128
    [LNS-ipsec-proposal-tran1] quit

  5. Configure IKE peers.

    # Configure an IKE proposal on the LAC.

    [LAC] ike proposal 5
    [LAC-ike-proposal-5] encryption-algorithm aes-128
    [LAC-ike-proposal-5] authentication-algorithm sha2-256
    [LAC-ike-proposal-5] dh group14
    [LAC-ike-proposal-5] quit

    # Create an IKE peer on the LAC, bind the IKE proposal, and set the pre-shared key and the remote address. undo version 2 restricts the peer to IKEv1; the other parameters keep their default values.

    [LAC] ike peer spub
    [LAC-ike-peer-spub] undo version 2
    [LAC-ike-peer-spub] ike-proposal 5
    [LAC-ike-peer-spub] pre-shared-key cipher Huawei@1234
    [LAC-ike-peer-spub] remote-address 1.1.1.1
    [LAC-ike-peer-spub] quit

    # Configure an IKE proposal on the LNS.

    [LNS] ike proposal 5
    [LNS-ike-proposal-5] encryption-algorithm aes-128
    [LNS-ike-proposal-5] authentication-algorithm sha2-256
    [LNS-ike-proposal-5] dh group14
    [LNS-ike-proposal-5] quit

    # Create an IKE peer on the LNS, bind the IKE proposal, and set the pre-shared key and the remote address. undo version 2 restricts the peer to IKEv1; the other parameters keep their default values.

    [LNS] ike peer spua
    [LNS-ike-peer-spua] undo version 2
    [LNS-ike-peer-spua] ike-proposal 5
    [LNS-ike-peer-spua] pre-shared-key cipher Huawei@1234
    [LNS-ike-peer-spua] remote-address 1.1.2.1
    [LNS-ike-peer-spua] quit

  6. Create an IPSec policy.

    # Configure an IPSec policy in IKE negotiation mode on the LAC.

    [LAC] ipsec policy map1 10 isakmp
    [LAC-ipsec-policy-isakmp-map1-10] ike-peer spub
    [LAC-ipsec-policy-isakmp-map1-10] proposal tran1
    [LAC-ipsec-policy-isakmp-map1-10] security acl 3101
    [LAC-ipsec-policy-isakmp-map1-10] quit

    # Configure an IPSec policy in IKE negotiation mode on the LNS.

    [LNS] ipsec policy use1 10 isakmp
    [LNS-ipsec-policy-isakmp-use1-10] ike-peer spua
    [LNS-ipsec-policy-isakmp-use1-10] proposal tran1
    [LNS-ipsec-policy-isakmp-use1-10] security acl 3101
    [LNS-ipsec-policy-isakmp-use1-10] quit

  7. Apply the IPSec policy group to an interface so that the interface can protect traffic.

    # Apply an IPSec policy group to the interface of the LAC.

    [LAC] interface gigabitethernet 1/0/0
    [LAC-GigabitEthernet1/0/0] ipsec policy map1
    [LAC-GigabitEthernet1/0/0] quit

    # Apply an IPSec policy group to the interface of the LNS.

    [LNS] interface gigabitethernet 1/0/0
    [LNS-GigabitEthernet1/0/0] ipsec policy use1
    [LNS-GigabitEthernet1/0/0] quit

  8. Verify the configuration.

    After the configuration is complete, PC1 can ping PC2, and the traffic between them is carried in the L2TP tunnel and encrypted by IPSec. Run the display ipsec statistics command to view packet statistics.

    Run the display ike sa command on the LAC to view the SAs established through IKE negotiation. Both the IKEv1 phase 1 SA (v1:1) and the phase 2 SA (v1:2) with the peer 1.1.1.1 are shown in the RD (ready) state.

    [LAC] display ike sa
    IKE SA information :
      Conn-ID      Peer          VPN    Flag(s)   Phase   RemoteType  RemoteID
      --------------------------------------------------------------------------------
       16          1.1.1.1:500          RD|ST     v1:2    IP          1.1.1.1
       14          1.1.1.1:500          RD|ST     v1:1    IP          1.1.1.1
                                       
      Number of IKE SA : 2
      --------------------------------------------------------------------------------
                                                               
      Flag Description:           
      RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
      HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
      M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING   

    # Run the display l2tp tunnel command on the LAC or LNS to view L2TP tunnel and session information. The command output for the LAC is shown as an example.

    [LAC] display l2tp tunnel
    
     Total tunnel : 1
     LocalTID RemoteTID RemoteAddress    Port   Sessions RemoteName
     1        1         1.1.1.1          1701   1       lns
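    Step 2 configures two shared secrets that never travel on the wire: the L2TP tunnel password (tunnel password cipher huawei on both L2TP groups) and the PPP CHAP credentials (ppp chap user huawei and ppp chap password on the LAC, local-user huawei on the LNS). Both are used in MD5 challenge/response exchanges. The following Python script is an added example, not part of the Huawei document or product, that simulates those exchanges with the values from this page: L2TP tunnel authentication as specified in RFC 2661 section 5.1.1, which reuses the CHAP computation of RFC 1994 with the control-message type as the identifier byte, and the PPP CHAP login that follows. The challenge values are constructed constants (a real endpoint draws them at random), and the last function shows why the IPSec layer matters: from one captured challenge/response pair the tunnel password can be guessed offline, because unkeyed MD5 over a short secret is all that protects it.

```python
import hashlib
import secrets

# RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge).
# L2TP tunnel authentication (RFC 2661, section 5.1.1) reuses the same computation
# with the control-message type of the message carrying the response as the
# identifier byte: SCCRP is type 2, SCCCN is type 3.
SCCRP, SCCCN = 2, 3

# Values from this page: the tunnel password set on both L2TP groups, the PPP
# user created on the LNS and the CHAP password set on the LAC virtual template.
TUNNEL_PASSWORD = b"huawei"
LNS_LOCAL_USERS = {"huawei": b"Huawei@1234"}
LAC_PPP_PASSWORD = b"Huawei@1234"

# Constructed fixed challenges so the run is reproducible. Assumption: a real
# endpoint draws these from a CSPRNG (for example secrets.token_bytes(16)).
LAC_CHALLENGE = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
LNS_CHALLENGE = bytes.fromhex("f0e1d2c3b4a5968778695a4b3c2d1e0f")


def chap_response(identifier, secret, challenge):
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def l2tp_tunnel_auth(lac_secret, lns_secret, lac_challenge, lns_challenge):
    """Simulate the authenticated SCCRQ/SCCRP/SCCCN tunnel setup.

    The LAC opens with SCCRQ carrying lac_challenge. The LNS answers with SCCRP
    carrying lns_challenge plus its response to lac_challenge; the LAC checks it
    and, only if it matches, completes with SCCCN carrying its response to
    lns_challenge, which the LNS checks in turn.
    """
    sccrp_response = chap_response(SCCRP, lns_secret, lac_challenge)  # LNS -> LAC
    lac_accepts_lns = secrets.compare_digest(
        sccrp_response, chap_response(SCCRP, lac_secret, lac_challenge))
    if not lac_accepts_lns:
        return {"lac_accepts_lns": False, "lns_accepts_lac": False, "tunnel_up": False}
    scccn_response = chap_response(SCCCN, lac_secret, lns_challenge)  # LAC -> LNS
    lns_accepts_lac = secrets.compare_digest(
        scccn_response, chap_response(SCCCN, lns_secret, lns_challenge))
    return {"lac_accepts_lns": True, "lns_accepts_lac": lns_accepts_lac,
            "tunnel_up": lns_accepts_lac}


def ppp_chap_login(local_users, username, password, chap_id, challenge):
    """PPP CHAP inside the tunnel: the LNS challenges, the LAC answers with
    MD5(id || password || challenge), and the LNS recomputes the value from
    the password stored for that local-user."""
    stored = local_users.get(username)
    if stored is None:
        return False
    response = chap_response(chap_id, password, challenge)
    return secrets.compare_digest(response, chap_response(chap_id, stored, challenge))


def guess_secret(identifier, challenge, response, candidates):
    """Offline dictionary attack on one captured challenge/response pair. The
    hash is unkeyed MD5 over a low-entropy secret, so anyone who can read the
    L2TP control channel can try candidates at will; ESP hides the exchange."""
    for candidate in candidates:
        if chap_response(identifier, candidate, challenge) == response:
            return candidate
    return None


if __name__ == "__main__":
    print("tunnel:", l2tp_tunnel_auth(TUNNEL_PASSWORD, TUNNEL_PASSWORD,
                                      LAC_CHALLENGE, LNS_CHALLENGE))
    print("bad LNS secret:", l2tp_tunnel_auth(TUNNEL_PASSWORD, b"wrong",
                                              LAC_CHALLENGE, LNS_CHALLENGE))
    print("ppp chap huawei:", ppp_chap_login(LNS_LOCAL_USERS, "huawei",
                                              LAC_PPP_PASSWORD, 1, LNS_CHALLENGE))
    captured = chap_response(SCCRP, TUNNEL_PASSWORD, LAC_CHALLENGE)
    print("recovered:", guess_secret(SCCRP, LAC_CHALLENGE, captured,
                                     [b"admin", b"password", b"huawei"]))
```

    The simulation uses secrets.compare_digest on the verifying side, as a real implementation should, but note what the last call demonstrates: the tunnel password huawei used throughout this example is recovered from a single captured exchange with three guesses. Tunnel authentication and CHAP prove knowledge of a secret to the peer; only the IPSec policy applied in step 7 keeps the exchange, and the PPP payload that follows it, out of an eavesdropper's reach.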

Configuration Files

  • Configuration file of the LAC

    #
     sysname LAC
    #
     l2tp enable
    #
    acl number 3101
     rule 5 permit ip source 1.1.2.0 0.0.0.255 destination 1.1.1.0 0.0.0.255
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256 
     esp encryption-algorithm aes-128 
    #
    ike proposal 5
     encryption-algorithm aes-128
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer spub
     undo version 2
     pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%#
     ike-proposal 5
     remote-address 1.1.1.1
    #
    ipsec policy map1 10 isakmp
     security acl 3101
     ike-peer spub
     proposal tran1
    #
    interface Virtual-Template1
     ppp chap user huawei
     ppp chap password cipher %@%@U>upTZ}mQM:rhRL:4;s$,(xf%@%@
     ip address ppp-negotiate
     l2tp-auto-client enable
    #
    interface GigabitEthernet1/0/0
     ip address 1.1.2.1 255.255.255.0
     ipsec policy map1
    #
    interface GigabitEthernet2/0/0
     ip address 10.1.10.1 255.255.255.0
    #
    l2tp-group 1
     tunnel password cipher %@%@/-#)Lg[S4F:#2~ZNvqa$]\DL%@%@
     tunnel name lac
     start l2tp ip 1.1.1.1 fullusername huawei
    #
    ip route-static 1.1.1.0 255.255.255.0 1.1.2.2
    ip route-static 10.1.2.0 255.255.255.0 Virtual-Template1
    #
    return
  • Configuration file of the LNS

    #
     sysname LNS
    #
     l2tp enable
    #
    acl number 3101
     rule 5 permit ip source 1.1.1.0 0.0.0.255 destination 1.1.2.0 0.0.0.255
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256 
     esp encryption-algorithm aes-128 
    #
    ike proposal 5
     encryption-algorithm aes-128
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer spua
     undo version 2
     pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%#
     ike-proposal 5
     remote-address 1.1.2.1
    #
    ipsec policy use1 10 isakmp
     security acl 3101
     ike-peer spua
     proposal tran1
    #
    ip pool 1
     network 10.1.1.0 mask 255.255.255.0
     gateway-list 10.1.1.1
    #
    aaa
     local-user huawei password cipher $1a$_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI$
     local-user huawei service-type ppp
    #
    interface Virtual-Template1
     ppp authentication-mode chap
     remote address pool 1
     ip address 10.1.1.1 255.255.255.0
    #
    interface GigabitEthernet1/0/0
     ip address 1.1.1.1 255.255.255.0
     ipsec policy use1
    #
    interface GigabitEthernet2/0/0
     ip address 10.1.2.1 255.255.255.0
    #
    l2tp-group 1
     allow l2tp virtual-template 1 remote lac
     tunnel password cipher %@%@EB~j7Je>;@>uNr''D=J<]\WL%@%@
     tunnel name lns
    #
    ip route-static 1.1.2.0 255.255.255.0 1.1.1.2
    ip route-static 10.1.10.0 255.255.255.0 Virtual-Template1
    #
    return
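A practitioner reviewing the two configuration files above checks the same handful of settings every time: that the IKE and IPSec proposals avoid legacy algorithms (DES, 3DES, MD5, SHA-1, small DH groups), that each IPSec policy references a security ACL and is actually applied to an interface, and that L2TP tunnel authentication has not been switched off. The following Python script is an added example, not part of the Huawei document, that parses the VRP configuration format shown above and runs those checks. Its input is the LAC file from this page (copied, with the blocks the checks do not read omitted and the encrypted key and password strings replaced by a placeholder) and a constructed weak variant derived from it; the weak-algorithm lists and the severity labels are the author's assumptions, not Huawei's.

```python
# Copied from this page's LAC configuration file. Blocks the checks do not read
# (sysname, acl, routes, LAN interface) are left out; encrypted strings are replaced.
LAC_CONFIG = """\
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ike proposal 5
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
#
ike peer spub
 undo version 2
 pre-shared-key cipher <ciphertext-omitted>
#
ipsec policy map1 10 isakmp
 security acl 3101
 ike-peer spub
 proposal tran1
#
interface GigabitEthernet1/0/0
 ipsec policy map1
#
l2tp-group 1
 tunnel password cipher <ciphertext-omitted>
#
return
"""

# Constructed weak variant of the same file: legacy algorithms, traffic selector
# removed, policy no longer bound to the interface, tunnel authentication off.
WEAK_CONFIG = (LAC_CONFIG.replace("sha2-256", "md5").replace("aes-128", "3des-cbc")
               .replace("group14", "group2").replace(" security acl 3101\n", "")
               .replace(" ipsec policy map1\n", "")
               .replace(" tunnel password cipher <ciphertext-omitted>\n",
                        " undo tunnel authentication\n"))

WEAK_ENC, WEAK_HASH, WEAK_DH = ("des", "3des"), ("md5", "sha1"), ("group1", "group2", "group5")


def parse_vrp(text):
    # A block starts at a non-indented line; indented lines belong to it.
    # The '#' separators and the closing 'return' are skipped.
    blocks, current = [], None
    for line in text.splitlines():
        if line.strip() in ("", "#", "return"):
            continue
        if line.startswith(" ") and current is not None:
            current[1].append(line.strip())
        else:
            current = (line.strip(), [])
            blocks.append(current)
    return blocks


def setting(body, key):
    # Value of the first body line that is exactly key or starts with "key ".
    for line in body:
        if line == key or line.startswith(key + " "):
            return line[len(key):].strip()
    return None


def audit(text):
    findings, defined, applied = [], set(), set()

    def flag(sev, header, msg):
        findings.append((sev, f"{header}: {msg}"))

    for header, body in parse_vrp(text):
        kind = " ".join(header.split()[:2])
        if kind in ("ike proposal", "ipsec proposal"):
            prefix = "esp " if kind == "ipsec proposal" else ""
            enc = setting(body, prefix + "encryption-algorithm")
            hsh = setting(body, prefix + "authentication-algorithm")
            if enc is None or enc.startswith(WEAK_ENC):
                flag("HIGH", header, f"weak or unset encryption ({enc})")
            if hsh is None or hsh in WEAK_HASH:
                flag("HIGH", header, f"weak or unset hash ({hsh})")
            if kind == "ike proposal" and setting(body, "dh") in (None,) + WEAK_DH:
                flag("HIGH", header, f"weak or unset DH group ({setting(body, 'dh')})")
        elif kind == "ike peer":
            if "undo version 2" in body:
                flag("LOW", header, "IKEv2 disabled, only IKEv1 is negotiated")
        elif kind == "ipsec policy":
            defined.add(header.split()[2])
            if setting(body, "security acl") is None:
                flag("HIGH", header, "no security acl, so no traffic is selected")
        elif kind.startswith("interface"):
            applied.add(setting(body, "ipsec policy"))
        elif kind.startswith("l2tp-group"):
            if "undo tunnel authentication" in body:
                flag("HIGH", header, "tunnel authentication disabled")
            if setting(body, "tunnel password") is None:
                flag("HIGH", header, "no tunnel password")
    for name in sorted(defined - applied):
        flag("HIGH", f"ipsec policy {name}", "defined but not applied to any interface")
    return findings


if __name__ == "__main__":
    for label, cfg in (("page LAC config", LAC_CONFIG), ("weak variant", WEAK_CONFIG)):
        print(label, *(f"  [{s}] {m}" for s, m in audit(cfg)), sep="\n")
```

Run against the page's own LAC file, the only finding is the LOW note that undo version 2 limits the peer to IKEv1; the weak variant produces nine HIGH findings. Two details of the parser follow from the files above: tunnel authentication is enabled in the procedure but does not appear in the configuration files, which indicates it is the platform default and is therefore not displayed, so the check looks for an explicit undo tunnel authentication rather than for the positive line; and an ipsec policy that is defined but never applied with ipsec policy under an interface protects nothing, which is why the applied set is tracked across blocks.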
Updated: 2019-04-12

Document ID: EDOC1100041799
