Got it

AR2220E L2TP over IPSec Configuration

Latest reply: Oct 10, 2018 22:31:52 1269 2 0 0 0
Hi all
I've been attempting to implement a simple L2TP over IPSec. Basically, it should get me from my laptop to connect to the office's Huawei AR2220E Router.
So far I've been able to implement only an L2TP server over Chap authentication, which is A) Not secure enough and B) doesn't work on new Mac OSX.

I want my setup to look like this:
MacBook <-->AnyInternet <==IPSec==> <==L2TP==> <==IPSec==> Huawei Router AR2220E <--> Fileserver/ClientDevices

The tutorials available online are either old or Router-to-Router type of implementation.
Can someone please help me with this?

  • x
  • convention:

Created Oct 9, 2018 07:07:17


Please check this example :

Networking for configuring an L2TP over IPSec tunnel between the PC and router 

Networking Requirements

As shown in Figure, RouterA functions as the headquarters gateway. Traveling employees use PC A to communicate with the headquarters through the public network. To ensure security of traveling employees, the enterprise requires that an L2TP over IPSec tunnel be set up between the traveling employee's PC and headquarters gateway.

In this example, the PC runs Windows 7 operating system.


  1. Configure RouterA.

     sysname RouterA  //Configure the device name.
     l2tp enable   //Enable L2TP.
    ipsec proposal prop  //Configure an IPSec proposal.                              
     encapsulation-mode transport                                                   
    ike proposal 5  //Configure an IKE proposal.                                    
     encryption-algorithm aes-cbc-128   //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
     authentication-algorithm sha2-256 
    ike peer peer1 v1  //The commands used to configure IKE peers and the IKE protocol differ depending on the software version. In earlier versions of V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
     pre-shared-key cipher %^%#JvZxR2g8c;a9FPNn'$7`DEV&=G(=Et02P/%\*!%^%#  //Configure the pre-shared key.
     ike-proposal 5                                                                 
    ipsec policy-template temp1 10  //Configure an IPSec policy template.                                                
     ike-peer peer1                                                                 
     proposal prop                                                                  
    ipsec policy policy1 10 isakmp template temp1  //Configure an IPSec policy.    
    ip pool 1   //Configure the device to allocate IP addresses to L2TP clients from the IP address pool.
     network mask 
    aaa   //Configure AAA local authentication and set the user name and password to vpdnuser and Hello123.
     authentication-scheme l2tp 
      authentication-mode local
     domain l2tp 
      authorization-scheme l2tp
     local-user vpdnuser password cipher %^%#!$GMN5Gj=j&f)IjQ8\>b\-1"i^b@.)+,2gi9K%^%#
     local-user vpdnuser privilege level 0                                          
     local-user vpdnuser service-type ppp
    interface GigabitEthernet1/0/0                                                         
     ip address                                        
     ipsec policy policy1                                                          
    interface Virtual-Template1   //Create a VT template and configure dial-up parameters.
     ppp authentication-mode chap domain l2tp   //Configure an authentication mode and specify that authentication information carries the domain name.
     remote address pool 1   //Reference the IP address pool.
     ip address
    l2tp-group 1   //Create an L2TP group and configure L2TP connection parameters.
     undo tunnel authentication   //Dial up using a mobile phone. You are advised to disable tunnel authentication.
     allow l2tp virtual-template 1
    ip route-static  //Configure a static route.
    ip route-static Virtual-Template1

  2. Configure the personal PC for the traveler. This example describes how to set dial-up parameters on a Windows 7 client.
    1. View the IPSec service status and ensure that the IPSec service is enabled.

      1. Choose Start > Run, enter services.msc, and click OK to access the Services page.
      2. In the Name column, check whether the status of IPsec Policy Agent is Started. If not, right-click IPsec Policy Agent and select Properties. In Properties, set Startup type to Automatic and click Apply. Then select Start in Service type.
      3. Close the Services page.

    2. Create an L2TP over IPSec connection.

      1. Choose Start > Control Panel.
      2. Select Network and Internet.
      3. Select Set up a new connection or network.

      4. Select Connect to a workplace.

      5. Select Use my Internet connection(VPN).
      6. Set the Internet address and target name.

        Set the Internet address to the IP address of the WAN interface on the RouterA (you can also enter the domain name if the domain name is fixed).

      7. Set the user name and password.


      8. Click Connect.
      9. Click Skip to skip the verification process. After a message indicating that the connection is available is displayed, click Close.

    3. Set IKE connection parameters.

      1. In the left pane of Network and Sharing Center, select Change adapter setting.
      2. Right-click the new VPN connection and select Properties.
      3. Set OptionsSecurity, and Networking.


  3. Verify the configuration.

    # After the configurations are complete, PC A succeeds in dialing up using the built-in software.

    Run the display l2tp tunnel command on the RouterA. You can find that an L2TP tunnel is established successfully.

    Run the display ike sa command on the RouterA. You can find that an SA is established successfully.

Configuration Notes

  • The pre-shared key for IKE negotiation at both ends must be the same.
  • Tunnel authentication must be disabled on the device if the L2TP client does not support tunnel authentication.
  • A host-to-gateway IPSec tunnel is established between a traveling employee and the headquarters; therefore, the IPSec tunnel is based on the transport mode.
View more
  • x
  • convention:

Created Oct 10, 2018 22:31:52

Hi Sergio, thanks for the detailed guide.

I followed it all the way to the end of it.  Also changed to in static route.

But the error that I'm getting is:
On Windows: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.
On Macbook: The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your Administrator.

Do I need to open any ports or create access lists on the Huawei router for this communication to happen?

Best regards
Vin This post was last edited by vin7 at 2018-10-11 02:11.
View more
  • x
  • convention:


You need to log in to comment to the post Login | Register

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " User Agreement."

My Followers

Login and enjoy all the member benefits


Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Please bind your phone number to obtain invitation bonus.
Information Protection Guide
Thanks for using Huawei Enterprise Support Community! We will help you learn how we collect, use, store and share your personal information and the rights you have in accordance with Privacy Policy and User Agreement.