NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

IPsec over L2TP Scenario

Example for Configuring IPsec over L2TP

Context

As shown in Figure 12-14, an enterprise has branch networks, deployed as Ethernet networks, in other cities.

The HQ network must provide L2TP access for branch network users and accept any branch network user. Traffic exchanged between a branch and the HQ is encrypted with IPsec so that it cannot be read if intercepted in transit.

These requirements are met with the following configuration: Device A acts as the dial-up access client. It initiates a PPP session in PPP dial-up mode, which triggers establishment of the L2TP tunnel between the LAC and the LNS. After the L2TP tunnel is up, the LNS assigns Device A an IP address and generates a route destined for Device A. Device A then uses that address to initiate IKE negotiation and establish the IPsec tunnel. Finally, Device A and the LNS transmit data securely over the IPsec tunnel, which is itself carried inside the L2TP tunnel.

Figure 12-14 Configuring IPsec over L2TP
NOTE:

Interface1 and interface2 in this example represent GE 0/1/0 and GE 0/1/1, respectively.


As shown in Figure 12-14, the devices must satisfy the following requirements:

  • Device A can go online in PPP dial-up mode: it initiates a PPP connection request to the LNS through the LAC, and on receiving the request the LNS assigns Device A an IP address.

  • Using that address, Device A can initiate an IKE negotiation with the LNS to establish the IPsec tunnel.

Configuration Roadmap

This section uses IPsec with IKE negotiation as an example to describe how to configure IPsec over L2TP. Tunnel mode is used for encapsulation. The IKE and ESP authentication algorithm is SM3 and the encryption algorithm is SM4, both Chinese national commercial cryptographic algorithms approved by the Office of State Commercial Cryptography Administration (OSCCA). The IKE integrity algorithm is HMAC-SHA2-256 and the Diffie-Hellman group is group2.

Note that this is a connectivity example and several settings in it are not suitable for production: PPP users are accepted with authentication-mode none, L2TP tunnel authentication is disabled (undo tunnel authentication), the pre-shared key 1234567890 is a placeholder, and DH group2 is 1024-bit MODP. In a real deployment, enable PPP and L2TP tunnel authentication, use a long random pre-shared key, and select the strongest DH group both peers support.

The configuration roadmap is as follows:

  1. Configure IP addresses for interfaces between the LAC and the LNS.

  2. Enable Device A to go online in PPP dial-up mode.

  3. Configure an L2TP tunnel between the LAC and the LNS.

  4. Configure an IPsec tunnel for Device A. The following steps are involved:
    • Configure an ACL to define the data flow to be protected.

    • Configure an IKE proposal.

    • Configure IKE peers.

    • Configure an IPsec proposal.

    • Configure an IPsec policy.

    • Apply the IPsec policy to the tunnel interface.

    • Configure a static route to divert IPsec traffic.

  5. Configure an IPsec tunnel for the LNS. The following steps are involved:
    • Configure an ACL to define the data flow to be protected.

    • Configure an IKE proposal.

    • Configure IKE peers.

    • Configure an IPsec proposal.

    • Configure an IPsec policy.

    • Configure an IPsec service instance group.

    • Create a tunnel interface and configure attributes for the tunnel interface.

    • Apply the IPsec policy to the tunnel interface.

    • Configure a static route to divert IPsec traffic.

Data Preparation

To complete the configuration, you need the following data:

  • IP addresses of interfaces
  • PPP data, including the virtual template interface, AAA schemes and domain, and BAS interface.
  • L2TP data, including the L2TP group name, tunnel name, and the address pool name, address range, and mask.
  • IPsec-related data, mainly including:
    • ACL number

    • IP address segments

    • Pre-shared key

    • Authentication algorithm used by the IKE proposal

    • Security protocol, encryption algorithm, and authentication algorithm to be used by the IPsec proposal

    • IP addresses of tunnel interfaces

Procedure

  • Configure Device A as follows:

    NOTE:
    The configuration of Device A is shown so that the example is complete; adapt it to the actual device used. The NE20E-S2 itself cannot function as Device A.

    Device A

    1. Configure the dial-up access group that permits all IPv4 packets.

    dialer-rule
     dialer-rule 1 ip permit

    2. Create a dialing interface and set the related parameters.

    interface Dialer1
     link-protocol ppp
     ppp chap user xxx@ipsec
     ip address ppp-negotiate
     dialer user huawei
     dialer bundle 1
     dialer-group 1

    3. Bind the physical interface to the dialing interface and establish a PPPoE session.

    interface GigabitEthernet0/1/0
     pppoe-client dial-bundle-number 1

    4. Configure an ACL to define the data flow to be protected.

    acl number 3600
      rule 5 permit ip source 172.16.1.1 0 destination 192.168.1.1 0
    5. Configure the IKE proposal and IKE peer.
    ike proposal 11
     encryption-algorithm sm4-cbc
     dh group2
     authentication-algorithm sm3
     integrity-algorithm hmac-sha2-256
    #
    ike peer pee1
     pre-shared-key cipher 1234567890
     ike-proposal 11
     remote-address 10.7.1.1
    6. Configure the IPsec tunnel.
    ipsec proposal 11
     esp authentication-algorithm sm3
     esp encryption-algorithm sm4
    #
    ipsec policy ply6 1 isakmp
     security acl 3600
     ike-peer pee1
     proposal 11
    #
    interface Dialer1
     ipsec policy ply6   //Bind the IPsec policy.
    7. Configure the diversion routes.
    ip route-static 192.168.1.1 255.255.255.255 Dialer1   //Send traffic for the protected destination out Dialer1, where the IPsec policy matches ACL 3600 and encrypts it.
    ip route-static 10.7.1.1 255.255.255.0 Dialer1   //Reach the IPsec peer (LNS Tunnel1) so that IKE and the encrypted ESP packets leave over the PPP/L2TP link.

  • Configure the LNS as follows:

    LNS

    1. Configure an address for the interface that is directly connected to the LAC.

    interface GigabitEthernet0/1/0
     undo shutdown
     ip address 10.5.0.5 255.255.255.0
     undo dcn

    2. Configure an address pool for IP address assignment to dial-up users.

    ip pool ipsec bas local
     gateway 10.9.0.1 255.255.255.0
     section 0 10.9.0.2 10.9.0.100

    3. Configure a virtual interface template.

    interface Virtual-Template0
     ppp authentication-mode auto

    4. Configure a user access domain.

    aaa 
    #
     authentication-scheme s1
      authentication-mode none
    #
     authorization-scheme s1
      authorization-mode none
    #
     accounting-scheme s1
      accounting-mode none
    #
     domain 1
      authentication-scheme s1
      authorization-scheme s1
      accounting-scheme s1
      ip-pool ipsec

    5. Configure a loopback interface whose address is used as the L2TP tunnel source.

    interface LoopBack1
     ip address 9.9.9.9 255.255.255.255

    6. Configure an L2TP tunnel.

    NOTE:

    On an LNS, the L2TP tunnel source address and the IPsec tunnel address cannot be the same. In this example LoopBack1 (9.9.9.9) is the L2TP tunnel source and Tunnel1 (10.7.1.1) is the IPsec tunnel address.

    l2tp enable
    #
    l2tp-group l2tp-ipsec
     undo tunnel authentication
     allow l2tp Virtual-Template 0 remote ipsec
     tunnel password simple ipsec
     tunnel name ipsec
    #
    lns-group l2tp-ipsec
     bind slot 9
     bind source LoopBack1

    7. Configure an ACL to define the data flow to be protected.

    acl number 3600
      rule 5 permit ip source 192.168.1.1 0 destination 172.16.1.1 0

    8. Configure the IKE proposal and IKE peer.

    ike proposal 11
     encryption-algorithm sm4-cbc
     dh group2
     authentication-algorithm sm3
     integrity-algorithm hmac-sha2-256
    #
    ike peer pee1
     pre-shared-key cipher 1234567890
     ike-proposal 11

    9. Configure the IPsec tunnel.

    ipsec proposal 11
     esp authentication-algorithm sm3
     esp encryption-algorithm sm4
    #
    ipsec policy-template temp1 1
     security acl 3600
     ike-peer pee1
     proposal 11
    #
    ipsec policy ply6 1 isakmp template temp1
    #
    service-location 1
     location slot 9
    #
    service-instance-group 1
     service-location 1
    #
    interface Tunnel1
     ip address 10.7.1.1 255.255.255.255
     tunnel-protocol ipsec
     ipsec policy ply6 service-instance-group 1   //Bind the IPsec policy.

    10. Configure the diversion routes.

    ip route-static 0.0.0.0 0.0.0.0 Tunnel1 10.5.0.4   //Default route via Tunnel1: Device A's PPP address is assigned dynamically and is not known in advance, so traffic without a more specific route is handed to the IPsec policy on Tunnel1.

  • Configure the LAC as follows:

    LAC

    1. Configure an address for the interface that is directly connected to the LNS.

    interface GigabitEthernet0/1/1
     undo shutdown
     ip address 10.5.0.4 255.255.255.0
     undo dcn

    2. Configure a user access domain.

    aaa 
    #
     authentication-scheme s1
      authentication-mode none
    #
     authorization-scheme s1
      authorization-mode none
    #
     accounting-scheme s1
      accounting-mode none
    #
     domain 1
      authentication-scheme s1
      authorization-scheme s1
      accounting-scheme s1
    

    3. Enable the user to go online.

    interface GigabitEthernet0/1/0
     undo shutdown
     bas
     #
      access-type layer2-subscriber

    4. Configure a loopback interface whose address is used as the L2TP tunnel source.

    interface LoopBack1
     ip address 8.8.8.8 255.255.255.255

    5. Configure an L2TP tunnel.

    l2tp enable
    #
    l2tp-group l2tp-ipsec
     undo tunnel authentication
     tunnel name ipsec
     start l2tp ip 9.9.9.9   //LNS L2TP tunnel address (LoopBack1 on the LNS).
     tunnel source LoopBack1
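The following Python script is added here as an example and is not part of the Huawei guide. It re-checks the Device A and LNS stanzas from the steps above the way a reviewer would before committing them: that the two security ACLs mirror each other, that the IKE and ESP proposals agree, that Device A's remote-address is the LNS Tunnel1 address, and which settings in the example need hardening. The configuration text is embedded as constructed sample strings copied from the steps above; the parsing is a simplified line matcher written for this example, not a general VRP configuration parser.

```python
"""Consistency and hygiene checks for an IPsec-over-L2TP peer pair.

Added example, not Huawei code. Parses VRP-style snippets of Device A
and the LNS and reports: (1) whether the two 'security acl' flows mirror
each other, (2) whether IKE/IPsec proposal algorithms agree, (3) whether
Device A's remote-address is the LNS IPsec tunnel address, and (4)
settings a reviewer would flag in the example configuration.
"""
import re

# Constructed samples: the relevant stanzas copied from the page.
DEVICE_A = """\
acl number 3600
  rule 5 permit ip source 172.16.1.1 0 destination 192.168.1.1 0
ike proposal 11
 encryption-algorithm sm4-cbc
 dh group2
 authentication-algorithm sm3
 integrity-algorithm hmac-sha2-256
ike peer pee1
 pre-shared-key cipher 1234567890
 ike-proposal 11
 remote-address 10.7.1.1
ipsec proposal 11
 esp authentication-algorithm sm3
 esp encryption-algorithm sm4
"""

LNS = """\
aaa
 authentication-scheme s1
  authentication-mode none
l2tp-group l2tp-ipsec
 undo tunnel authentication
 tunnel password simple ipsec
acl number 3600
  rule 5 permit ip source 192.168.1.1 0 destination 172.16.1.1 0
ike proposal 11
 encryption-algorithm sm4-cbc
 dh group2
 authentication-algorithm sm3
 integrity-algorithm hmac-sha2-256
ipsec proposal 11
 esp authentication-algorithm sm3
 esp encryption-algorithm sm4
interface Tunnel1
 ip address 10.7.1.1 255.255.255.255
 tunnel-protocol ipsec
"""

ACL_RULE = re.compile(
    r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)")

# Algorithm keywords that must be identical on both IPsec peers.
PROPOSAL_KEYS = ("encryption-algorithm", "dh", "authentication-algorithm",
                 "integrity-algorithm", "esp authentication-algorithm",
                 "esp encryption-algorithm")

# Settings present in the page's example that a reviewer would flag.
WEAK = {
    "dh group2": "1024-bit MODP Diffie-Hellman; prefer group14 or stronger",
    "authentication-mode none": "PPP users are accepted without credentials",
    "undo tunnel authentication": "L2TP tunnel peer is not authenticated",
    "password simple": "secret is stored in plaintext in the configuration",
}


def acl_flows(cfg):
    """Return the set of (src, src_wildcard, dst, dst_wildcard) tuples."""
    return set(ACL_RULE.findall(cfg))


def acls_mirror(local, remote):
    """True when every local flow appears with src/dst swapped on the remote."""
    reversed_local = {(d, dw, s, sw) for s, sw, d, dw in acl_flows(local)}
    return reversed_local == acl_flows(remote)


def proposal_algs(cfg):
    """Map each proposal keyword to its configured algorithm value."""
    found = {}
    for raw in cfg.splitlines():
        line = raw.strip()
        for key in PROPOSAL_KEYS:
            if line.startswith(key + " "):
                found[key] = line[len(key) + 1:]
    return found


def proposals_agree(a, b):
    """Both peers must offer the same IKE and ESP algorithms."""
    return proposal_algs(a) == proposal_algs(b)


def remote_matches_tunnel(initiator, responder):
    """Initiator's remote-address must equal the responder's Tunnel address."""
    ra = re.search(r"remote-address (\S+)", initiator)
    tun = re.search(r"interface Tunnel\d+\n ip address (\S+)", responder)
    return bool(ra and tun and ra.group(1) == tun.group(1))


def weak_settings(cfg):
    """Return (pattern, reason) pairs for flagged settings, in WEAK order."""
    lines = [raw.strip() for raw in cfg.splitlines()]
    return [(pat, why) for pat, why in WEAK.items()
            if any(pat in line for line in lines)]


if __name__ == "__main__":
    print("ACLs mirror:", acls_mirror(DEVICE_A, LNS))
    print("Proposals agree:", proposals_agree(DEVICE_A, LNS))
    print("Peer address matches LNS Tunnel1:",
          remote_matches_tunnel(DEVICE_A, LNS))
    for side, cfg in (("Device A", DEVICE_A), ("LNS", LNS)):
        for pattern, why in weak_settings(cfg):
            print(f"{side}: '{pattern}': {why}")
```

Run it after editing either side: a mismatched ACL direction or a proposal changed on only one peer is reported before the tunnel fails to come up, and the hygiene list is the set of items to close before the configuration leaves the lab.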

Updated: 2019-01-02

Document ID: EDOC1100055397