AR1220 L2TP/IPSec setup

Created: Jun 1, 2018 19:28:11 | Latest reply: Aug 9, 2018 06:43:40
  Rewarded HiCoins: 0 (problem resolved)

Hello, everybody!


This post enquires about the AR1220 L2TP/IPSec setup. Please see more details as you scroll further down this post.


L2TP/IPSec


ISSUE DESCRIPTION


I'm struggling with AR1220 L2TP/IPSec VPN access setup from Android (8.0) and Windows 10 (embedded clients).

With the same client configuration, I can connect to Mikrotik L2TP/IPSec VPN.


Huawei AR1220


If anyone had any working configuration and like to share, that would be very appreciated.


I started with http://support.huawei.com/huaweiconnect/enterprise/en/forum.php?mod=viewthread&tid=403399 , however it seems like this configuration doesn't support NAT-T and doesn't work in my environment.



The error message is:


Jun  1 14:50:08 Jun  1 2018 18:50:08.237.6 Huawei IKE/4/IKE_Debug Warning:#015#0120:1501 EXCHANGE ICOOKIE: ed32b8cef1294541 - exchange lookup from cookie : Exchange not found#015
Jun  1 14:50:09 Jun  1 2018 18:50:08.237.18 Huawei IKE/3/IKE_Debug Error:#015#0120:7513 Phase 1 Exchange: ike peer configuration not match for peer "192.168.142.41"#015


The current configuration is:


[V200R007C00SPCc00]
#
 board add 0/1 4FXS1FXO
 board add 0/3 DSP5203
#
 drop illegal-mac alarm
#
 clock timezone GMT+2 add 03:00:00
#
 l2tp enable
#
dns resolve
dns proxy enable
#
vlan batch 41
#
stp mode rstp
#
 ike local-name AR1220
#
 lldp enable
#
 poe slot 0 max-power 100000
#
dhcp enable
#
pki realm default
 enrollment self-signed
#
ssl policy default_policy type server
 pki-realm default
#
acl number 2000
 description Allow NAT 192.168.0.0/16
 rule 5 permit source 192.168.0.0 0.0.255.255
acl number 2001
 description Permit 192.168.0.0/16 - Admin access
 rule 5 permit source 192.168.0.0 0.0.255.255
 rule 10 deny
#
acl number 3101
 description IPSec Destinations
 rule 5 permit ip destination 192.168.0.0 0.0.255.255
#
ipsec proposal prop
 encapsulation-mode transport
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal 5
 encryption-algorithm aes-cbc-128
 dh group2
 authentication-algorithm sha2-256
 prf hmac-sha2-256
#
ike peer peer1 v1
 exchange-mode aggressive
 pre-shared-key cipher %^%#@4CS90Kwn"99}T0'7-m<Dr([X_V$9M+TQ,1ZZZZZZZ#
 ike-proposal 5
 local-id-type name
 nat traversal
#
ipsec policy-template templ 10
 ike-peer peer1
 proposal prop
#
ipsec policy policy1 10 isakmp template templ
#
ip pool l2tp
 gateway-list 192.168.100.1
 network 192.168.100.0 mask 255.255.255.0
#
ip pool ip-pool.41
 gateway-list 192.168.41.1
 network 192.168.41.0 mask 255.255.255.0
 dns-list 192.168.41.1 1.1.1.1
 domain-name www.wlan
#
aaa
 authentication-scheme default
 authentication-scheme l2tp
 authorization-scheme default
 authorization-scheme l2tp
 accounting-scheme default
 domain default
 domain default_admin
 domain l2tp
  authorization-scheme l2tp
 local-user vpnuser password cipher %^%#WiQC9|U4B<+tNQIusw#<1,idOL~_XXXXXXXXXXXXXXX#
 local-user vpnuser privilege level 0
 local-user vpnuser service-type ppp
#
firewall zone Local
 priority 16
#
 firewall defend land enable
 firewall defend smurf enable
 firewall defend fraggle enable
 firewall defend winnuke enable
 firewall defend syn-flood enable
 firewall defend udp-flood enable
 firewall defend icmp-flood enable
 firewall defend icmp-redirect enable
 firewall defend icmp-unreachable enable
 firewall defend ip-sweep enable
 firewall defend port-scan enable
 firewall defend tracert enable
 firewall defend ping-of-death enable
 firewall defend teardrop enable
 firewall defend tcp-flag enable
 firewall defend ip-fragment enable
 firewall defend large-icmp enable
 firewall blacklist enable
#
interface Vlanif41
 ip address 192.168.41.1 255.255.255.0
 dhcp select global
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
 mode lacp-static
#
interface Virtual-Template1
 ppp authentication-mode chap domain l2tp
 remote address pool l2tp
 ip address 192.168.100.1 255.255.255.0
#
interface GigabitEthernet0/0/0
 description To PowerLAN
 port link-type access
 port default vlan 41
#
interface GigabitEthernet0/0/1
 description To me0 EX2200
 port link-type access
 port default vlan 41
#
interface GigabitEthernet0/0/2
 description Empty VLAN 41
 port link-type access
 port default vlan 41
#
interface GigabitEthernet0/0/3
 description Empty VLAN 41
 port link-type access
 port default vlan 41
#
interface GigabitEthernet0/0/4
 description Trunk to EX2200-1
 eth-trunk 1
#
interface GigabitEthernet0/0/5
 description Trunk to EX2200-2
 eth-trunk 1
#
interface GigabitEthernet0/0/6
 description AP
 port link-type access
 port default vlan 41
#
interface GigabitEthernet0/0/7
 description Empty-POE
#
interface GigabitEthernet0/0/8
 description WAN
 tcp adjust-mss 1200
 nat outbound 2000
 ipsec policy policy1
 auto speed 100
 combo-port copper
 ip address dhcp-alloc
#
interface GigabitEthernet0/0/9
 tcp adjust-mss 1200
 ip address 192.168.1.1 255.255.255.0
 combo-port copper
 dhcp select global
#
interface GigabitEthernet0/0/10
 description VirtualPort
#
interface Cellular0/0/0
#
interface Cellular0/0/1
#
interface NULL0
#
l2tp-group 1
 undo tunnel authentication
 allow l2tp virtual-template 1
#
 info-center source default channel 2 log level debugging debug state on
 info-center source IPSEC channel 6
 info-center source IKE channel 6
 info-center source L2TP channel 6
 info-center loghost 192.168.41.20
#
 snmp-agent local-engineid 800007DB0348D539636EBD
#
 stelnet server enable
#
 http acl 2001
 http secure-server ssl-policy default_policy
 http server enable
 http secure-server enable
#
ip route-static 192.168.100.0 255.255.255.0 Virtual-Template1
#
fib regularly-refresh disable
#
user-interface maximum-vty 8
user-interface con 0
 authentication-mode aaa
user-interface vty 0 7
 acl 2001 inbound
 authentication-mode aaa
 user privilege level 15
 history-command max-size 20
 screen-length 0
#
wlan
 wmm-profile name wmmf id 0
 traffic-profile name traf id 0
 security-profile name secf id 0
 radio-profile name radiof id 0
  wmm-profile id 0
 radio-profile name arwebradio id 1
  wmm-profile id 0
#
interface Wlan-Radio0/0/0
#
 ntp-service unicast-peer 195.85.215.215
#
voice
 #
 enterprise default
 #
 diagnose
#
ops
#
autostart
#
return


Please assist me in solving this issue about AR1220 L2TP/IPSec setup. Thanks!


Featured Answers
StarOfWest
Created Jun 6, 2018 06:26:44

Dear user,

You may try to adjust the security ACL to map the L2TP traffic:

 acl number 3101
 rule 5 permit udp source-port eq 1701

Or you may configure a wider range of IP addresses. Basically, you can permit a wider range of IPs in the security ACL and deny in the NAT ACL the traffic that is supposed to be encrypted. NAT will be processed before IPsec, so you can simply deny the traffic you want to protect.

You need to apply to get the software and state the reasons why you need it; hopefully it will be approved.

Otherwise you may need to get in touch with your local TAC. Maybe they can help you with this request.

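The ordering point in the reply (NAT is evaluated before the IPsec policy, so a flow that must be encrypted has to be denied in the NAT ACL, with a lower rule number than the broad permit) is easy to get wrong with wildcard ACLs. The following Python model is an added illustration, not code from the thread or from Huawei: it reproduces Huawei wildcard-mask matching and first-match rule ordering, uses the poster's acl 2000 as the NAT ACL, and treats the IPsec ACL, the remote subnet 192.168.200.0/24, the WAN address 203.0.113.7 and the sample packet as constructed assumptions.

```python
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Huawei wildcard mask: 0 bits must match, 1 bits are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def rule_matches(rule, pkt):
    """A rule matches when every field it constrains agrees with the packet."""
    if rule.get("proto") not in (None, "ip") and rule["proto"] != pkt["proto"]:
        return False
    for side in ("src", "dst"):
        if side in rule and not wildcard_match(pkt[side], *rule[side]):
            return False
    return rule.get("sport") in (None, pkt.get("sport"))


def acl_decision(rules, pkt):
    """Lowest rule number wins (match-order config); None means no rule matched."""
    for rule in sorted(rules, key=lambda r: r["id"]):
        if rule_matches(rule, pkt):
            return rule["action"]
    return None


def outbound(pkt, nat_acl, ipsec_acl, wan_ip):
    """Order stated in the reply: NAT first, then the IPsec policy sees the translated packet."""
    p = dict(pkt)
    natted = acl_decision(nat_acl, p) == "permit"
    if natted:
        p["src"] = wan_ip
    return natted, acl_decision(ipsec_acl, p) == "permit"


# acl number 2000 from the post: rule 5 permit source 192.168.0.0 0.0.255.255
NAT_ACL_POSTED = [{"id": 5, "action": "permit", "src": ("192.168.0.0", "0.0.255.255")}]
# Constructed IPsec ACL: protect VLAN 41 hosts talking to a constructed remote 192.168.200.0/24
PROTECTED = {"proto": "ip", "src": ("192.168.41.0", "0.0.0.255"), "dst": ("192.168.200.0", "0.0.0.255")}
IPSEC_ACL = [{"id": 5, "action": "permit", **PROTECTED}]
# The reply's fix: deny the to-be-encrypted flow in the NAT ACL, numbered below the broad permit
NAT_ACL_FIXED = [{"id": 4, "action": "deny", **PROTECTED}] + NAT_ACL_POSTED

PKT = {"src": "192.168.41.20", "dst": "192.168.200.10", "proto": "udp", "sport": 40000}  # constructed
WAN_IP = "203.0.113.7"  # constructed; the poster's WAN address is assigned by DHCP

if __name__ == "__main__":
    print(outbound(PKT, NAT_ACL_POSTED, IPSEC_ACL, WAN_IP))  # (True, False): translated, leaves in clear
    print(outbound(PKT, NAT_ACL_FIXED, IPSEC_ACL, WAN_IP))   # (False, True): skips NAT, gets encrypted
```

Traffic to other destinations (for example the Internet) still matches rule 5 of the fixed ACL and is translated as before, so the deny only carves out the protected flow.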

All Answers
StarOfWest
StarOfWest Created Jun 5, 2018 07:21:06


Didomir
Didomir Created Jun 5, 2018 07:57:09

Posted by StarOfWest at 2018-06-05 07:21 Hi, Please check this guide how to setup the tunnel. Also you may need V200R008 or higher. http://su ...
Hi,
Thank you very much for advice.

How can I download V200R008 or higher versions?
In this scenario, "Example for Connecting Android Phones of Mobile Office Users to the Headquarters Through L2TP over IPSec", I've 2 concerns:
- LAC is behind NAT
- LAC external IP addresses (NATed) change randomly; how to configure acl number 3101 to work with dynamic IPs?


StarOfWest
StarOfWest Created Aug 9, 2018 06:43:40

@Didomir , is this query resolved?
