When multiple branches connect to the headquarters, L2TP services are unavailable because private routes are incorrectly configured

The next hop in the static route from the LNS to the branch is incorrect. As a result, packets fail to be forwarded.
Two solutions are available:
1. Configure a static route for each branch on the LNS. You need to obtain the address of the virtual template interface of each branch and then configure a route to it. Because the address obtained by the virtual template interface may change, the maintenance workload is heavy.
2. Configure a dynamic routing protocol on the LNS and LAC to advertise the private network segments and virtual template interface addresses, so that each side learns the private network route to the remote end. When adding a branch, you only need to perform configurations on the LAC. The configuration does not need to be changed even if the IP address of the virtual template interface on the LAC changes, so the maintenance workload is greatly reduced.
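The following is an added example of solution 2 on two Huawei AR routers; it is not part of the original answer. OSPF runs on both the LNS virtual-template interface and the LAC virtual-template interface, so the LNS learns the branch LAN regardless of which address the LAC's virtual-template interface obtains. All names, addresses, passwords and the LAC auto-dial commands are assumptions for illustration and should be checked against the AR documentation for your version.

```text
# LNS (headquarters) -- assumed: LAN 192.168.1.0/24, VT address 10.100.1.1/24
l2tp enable
#
ip pool l2tp-pool
 gateway-list 10.100.1.1
 network 10.100.1.0 mask 255.255.255.0
#
aaa
 local-user branch1@huawei.com password cipher Huawei@123   //assumed user
 local-user branch1@huawei.com service-type ppp
#
interface Virtual-Template1
 ppp authentication-mode chap
 remote address pool l2tp-pool
 ip address 10.100.1.1 255.255.255.0
#
l2tp-group 1
 allow l2tp virtual-template 1 remote lac-branch1
 tunnel authentication
 tunnel password cipher Huawei@123
#
ospf 1 router-id 10.100.1.1
 area 0.0.0.0
  network 10.100.1.0 0.0.0.255   //VT segment: OSPF neighbors form over the L2TP session
  network 192.168.1.0 0.0.0.255  //headquarters LAN advertised to branches

# LAC (branch 1) -- assumed: LAN 192.168.11.0/24, LNS public address 1.1.1.1
l2tp enable
#
l2tp-group 1
 tunnel name lac-branch1
 tunnel authentication
 tunnel password cipher Huawei@123
 start l2tp ip 1.1.1.1 fullusername branch1@huawei.com
#
interface Virtual-Template1
 ppp chap user branch1@huawei.com
 ppp chap password cipher Huawei@123
 ip address ppp-negotiate       //address assigned by the LNS, may change on re-dial
 l2tp-auto-client enable        //LAC-initiated tunnel, no client dial-up needed
#
ospf 1
 area 0.0.0.0
  network 10.100.1.0 0.0.0.255   //matches whatever VT address the LNS assigns
  network 192.168.11.0 0.0.0.255 //branch LAN advertised to the headquarters
```

Adding a second branch only repeats the LAC section with its own user name and LAN segment; no static route is added on the LNS.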

Other related questions:
How to obtain branch private network routes when the AR is configured with IPSec and the headquarters has multiple egresses
When the headquarters connects to multiple branches, route selection must be considered, and the headquarters needs the private network routes of the branches. Static routes can be configured, but static route configuration is complex when there are many branches: each time a branch is added, a static route must be added on the headquarters network, which is inconvenient for maintenance.
On the headquarters, you can run the route inject command to configure route injection, which can be static or dynamic.
- When static route injection is enabled, the route generated through the route injection function is added to the local device and the route status does not vary with the tunnel status.
- When dynamic route injection is enabled, the route generated through the route injection function is added to the local device only while the IPSec tunnel is Up, and the route is deleted when the IPSec tunnel goes Down.
Compared with static route injection, dynamic route injection associates the generated route with the IPSec tunnel status. When the IPSec tunnel is Down, the AR does not send traffic to the remote end through the IPSec tunnel, preventing traffic loss.

Set the priority of a route generated through dynamic route injection to 10.
<Huawei> system-view 
[Huawei] ipsec policy policy1 10 isakmp 
[Huawei-ipsec-policy-isakmp-policy1-10] route inject dynamic preference 10

Method used to configure IPSec between the headquarters and branches on the AR
Huawei AR routers support IPSec tunnels for interconnecting the headquarters and branches. For details about the configuration, see IPSec under "Using VPN to Implement WAN Interconnection" in Typical Configuration Examples. The point-to-multipoint IPSec cases are as follows:
- Example for Establishing Multiple IPSec Tunnels Between the Headquarters and Branches Using the IPSec Policy Template
- Example for Configuring OSPF and GRE Over IPSec to Implement Communication Between the Branch and Headquarters
- Example for Configuring GRE Over IPSec to Implement Communication Between the Branches and Headquarters and NAT to Implement Communication Between Branches (Running OSPF)
- Example for Establishing IPSec over DSVPN Tunnels Between Hub and Spokes (Based on ACL)
- Example for Establishing an IPSec Tunnel In Manual and IKE Negotiation Modes
- Example for Configuring IPSec Reverse Route Injection

L2TP dialup fails because the UDP port mapping of the NAT server is incorrectly configured
The AR is configured with port mapping so that packets from the public network are mapped to other network devices. Troubleshoot the L2TP dialup failure as follows:
1. Verify that the configuration is correct.
2. If the configuration is correct, run the debugging ppp all and debugging l2tp all commands to collect debugging information for fault location.
3. If no debugging information can be collected, check whether the packets reach the LNS, are rejected by the LNS, or are forwarded to other network devices instead.
4. When configuring port mapping on the NAT server, take the characteristics of the affected services into account, especially L2TP and Telnet, to prevent service exceptions or interruptions.

How to configure AR routers in branches to use a domain name to access the headquarters through DSVPN
In the figure on the right, the branch and headquarters access the Internet through PPPoE dialup, and the branch uses a domain name to access the headquarters through DSVPN. Assume that the public network route is reachable. The following describes only the key configurations.
1. Configure Spoke1. The configuration of Spoke2 is similar to that of Spoke1 and is not shown here.
interface Dialer1 //Configure a dialer interface.
 link-protocol ppp
 ppp chap user user@huawei.com //Configure CHAP authentication.
 ppp chap password cipher huawei@123 //Set the CHAP authentication password to huawei@123.
 ip address ppp-negotiate
 dialer user huawei //Configure the peer user name for the dialer interface.
 dialer bundle 1 //Configure a dialer bundle for the dialer interface.
 dialer-group 1 //Configure a dialer access group.
#
interface Tunnel0/0/0 //Configure a DSVPN tunnel interface.
 ip address 10.16.1.2 255.255.255.0
 tunnel-protocol gre p2mp
 source dialer 1 //Configure the dialer interface as the source interface.
 ospf network-type broadcast
 nhrp entry 10.16.1.1 www.123.com register //Configure an NHRP mapping entry for the hub, using its domain name.
#
interface GigabitEthernet1/0/0
 pppoe-client dial-bundle-number 1 //Configure the PPPoE client to use dialer bundle 1.
#
dialer-rule //Configure a dialer ACL.
 dialer-rule 1 ip permit
#
ip route-static 0.0.0.0 0.0.0.0 dialer1 //Configure a default route pointing to the dialer interface.
2. Configure the hub.
dns resolve //Enable dynamic domain name resolution.
dns server 2.1.1.1 //Configure an IP address for the DNS server.
#
interface Dialer1
 link-protocol ppp
 ppp chap user user@huawei.com
 ppp chap password cipher huawei@123
 ip address ppp-negotiate
 dialer user huawei
 dialer bundle 1
 dialer-group 1
 ddns apply policy mypolicy //Bind the DDNS policy to the interface.
#
ddns policy mypolicy //Specify the URL in a DDNS update request. The user name is steven and the password is nevets@123.
 url "http://:@members.3322.org/dyndns/update?system=dyndns&hostname=&ip="
 username steven
 password nevets@123
#
interface Tunnel0/0/0
 ip address 10.16.1.1 255.255.255.0
 tunnel-protocol gre p2mp
 source dialer 1
 ospf network-type broadcast
 nhrp entry multicast dynamic
#
interface GigabitEthernet1/0/0
 pppoe-client dial-bundle-number 1
#
dialer-rule
 dialer-rule 1 ip permit
#
ip route-static 0.0.0.0 0.0.0.0 dialer1
