Method used to configure the default L2TP on the USG6000


You can configure the default L2TP on the USG6000 as follows:
1. Enable the L2TP.
Note:
When the L2TP is disabled, you can still make the related configuration. However, the configuration does not take effect.
a. Choose Network > L2TP > L2TP.
b. In Configure L2TP, select Enable and click Apply.
c. If the system displays information indicating a successful operation, the L2TP is enabled.
2. Click New in L2TP Group List or select the default group.
Note:
By default, an L2TP group of the LNS type exists. The default group can be modified but not deleted. Groups created by clicking New are not default groups.
After selecting the default LNS group, if you do not specify Peer Tunnel Name, the group serves as the default LNS group.
During tunnel negotiation, the LNS searches for Peer Tunnel Name of each non-default group based on the configured sequence, and matches Peer Tunnel Name with Local Tunnel Name on the LAC end. If Peer Tunnel Name of a certain L2TP group matches Local Tunnel Name on the LAC end, the L2TP group is used for negotiation and tunnel establishment. If Peer Tunnel Name of no L2TP group matches Local Tunnel Name, the default group is used for negotiation.
If Peer Tunnel Name is specified for the default group, the default group becomes a non-default group. Then, the LNS has no default group. If Peer Tunnel Name of no L2TP group matches Local Tunnel Name, the LNS discards the negotiation packet and the tunnel fails to be established.
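The group-selection rule described in the two notes above, as an added example that models the LNS behaviour in Python; this is not Huawei code, and the L2tpGroup record, group names and peer names are constructed for illustration:

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class L2tpGroup:
    """One entry of the L2TP Group List (constructed model, not device state)."""
    name: str
    group_type: str                  # "LNS" or "LAC"
    peer_tunnel_name: Optional[str]  # None: Peer Tunnel Name not specified
    default: bool = False            # True only for the built-in group


def select_lns_group(groups: List[L2tpGroup],
                     lac_local_tunnel_name: str) -> Optional[L2tpGroup]:
    """Pick the group the LNS negotiates with, or None when the packet is discarded."""
    # Pass 1: every LNS group that carries a Peer Tunnel Name is searched in the
    # configured order; the first one equal to the LAC's Local Tunnel Name wins.
    # The built-in group joins this pass as soon as it is given a Peer Tunnel Name.
    for g in groups:
        if g.group_type == "LNS" and g.peer_tunnel_name is not None:
            if g.peer_tunnel_name == lac_local_tunnel_name:
                return g
    # Pass 2: fall back to the default group, which only exists while the
    # built-in group still has no Peer Tunnel Name.
    for g in groups:
        if g.default and g.group_type == "LNS" and g.peer_tunnel_name is None:
            return g
    # No match and no default group: the LNS discards the negotiation packet.
    return None


# Constructed sample: the built-in default group plus two branch groups.
SAMPLE_GROUPS = [
    L2tpGroup("1", "LNS", None, default=True),
    L2tpGroup("2", "LNS", "branchA"),
    L2tpGroup("3", "LNS", "branchB"),
]

if __name__ == "__main__":
    for lac_name in ("branchB", "unknown-lac"):
        chosen = select_lns_group(SAMPLE_GROUPS, lac_name)
        print(lac_name, "->", chosen.name if chosen else "discarded")
```

Giving the built-in group a Peer Tunnel Name removes the fallback, so an unknown LAC name is then discarded instead of landing on group 1.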

Other related questions:
Method used to configure the L2TP VPN on the USG6000
The L2TP application scenarios on the USG6000 are as follows:
1. NAS-Initiated VPN
A user accesses the LAC by means of PPPoE dialup, and a tunnel is established between the LAC and the LNS. The LAC sends a tunnel establishment request to the LNS through the Internet, and the LNS allocates an address to the user. The user is authenticated by the proxy on the LAC side, or by both the LAC and the proxy on the LAC side. When all L2TP users are offline, the tunnel is automatically released to save resources, and it is re-established when a user accesses again. This networking is applicable to the following scenario: a branch office user initiates a request to connect to the HQ network, and the branch office user generally does not access the HQ network frequently.
2. LAC autodial
A permanent L2TP session is established between the LAC and the LNS, so a client can transmit data over the tunnel by means of an IP connection without PPP dialup. The user can configure the trigger condition for establishing the permanent L2TP session. The LAC establishes the permanent L2TP tunnel with the LNS using the locally stored user name, and the L2TP tunnel serves as a physical connection. In this way, the connection between the user and the LAC is based on an IP connection instead of a PPP connection, and the LAC can forward the user's IP packets to the LNS.
3. Client-Initiated VPN
A client that supports L2TP dialup directly initiates a tunnel establishment request to the LNS, bypassing the LAC. The LNS allocates an address to the user. Since the LNS must establish a tunnel for each remote user, the LNS configuration is relatively complex compared with that in the NAS-Initiated VPN scenario. However, user access is not subject to geographical restrictions. This scenario is applicable to the mobile office. For example, an employee on a business trip can access the HQ server using a PC or mobile phone.

Configuration of L2TP over IPSec on the USG6000
Configuration procedure:
1. Complete the basic interface configuration, security policy configuration, and route configuration.
2. Configure and apply the IPSec. Note that the source and destination addresses of the data flow protected by the IPSec are the source and destination addresses of the sensitive traffic transmitted over the external interfaces of the two gateways.
3. Configure the L2TP and the L2TP tunnel source.
For details, see the Huawei Security Forum post USG6000 L2TP over IPSec Configuration Cases.
Procedure
1. Configure the IP address of each interface, and add the interfaces to the security zones. The specific configuration procedure is not described here.
2. Enable the inter-zone security policy.
e map_temp
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet 1/0/1] ipsec policy map1
[NGFW_B] ipsec policy map1 10 isakmp
[NGFW_B-ipsec-policy-isakmp-map1-10] security acl 3000
[NGFW_B-ipsec-policy-isakmp-map1-10] proposal tran1
[NGFW_B-ipsec-policy-isakmp-map1-10] ike-peer b
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ipsec policy map1
5. Configure the L2TP.
A. (LNS end) Configure the L2TP.
[NGFW_A] user-manage user l2tpuser //Configure the L2TP user.
[NGFW_A-localuser-l2tpuser] password Password1
[NGFW_A-localuser-l2tpuser] quit
[NGFW_A] l2tp enable //Enable the L2TP.
[NGFW_A] aaa
[NGFW_A-aaa] ip pool 0 192.168.0.2 192.168.0.99 //Configure the IP address pool.
[NGFW_A] interface Virtual-Template 1 //Configure the virtual template interface.
[NGFW_A-Virtual-Template1] ppp authentication-mode pap
[NGFW_A-Virtual-Template1] ip address 1.1.1.2 255.255.255.0
[NGFW_A-Virtual-Template1] remote address pool 0 //Set the virtual interface to reference the address pool used to allocate addresses to the peer end.
[NGFW_A] l2tp-group 1 //Create the L2TP group.
[NGFW_A-l2tp1] allow l2tp virtual-template 1
[NGFW_A-l2tp1] tunnel password cipher Pass1234
B. Configure the L2TP.
# Configure the L2TP user.
[NGFW_B] user-manage user l2tpuser
[NGFW_B-localuser-l2tpuser] password Password1
[NGFW_B-localuser-l2tpuser] quit
# Configure the L2TP.
[NGFW_B] l2tp enable
[NGFW_B] interface Virtual-Template 1
[NGFW_B-Virtual-Template1] ppp authentication-mode pap
[NGFW_B-Virtual-Template1] quit
[NGFW_B] interface GigabitEthernet 1/0/3
[NGFW_B-GigabitEthernet1/0/3] pppoe-server bind virtual-template 1
[NGFW_B-GigabitEthernet1/0/3] quit
[NGFW_B] l2tp-group 1
[NGFW_B-l2tp1] tunnel password cipher Pass1234
[NGFW_B-l2tp1] start l2tp ip 1.1.3.1 fullusername l2tpuser
[NGFW_B-l2tp1] quit

Method used to configure security policies in L2TP dial-up access scenario on the USG6000
L2TP packets are transmitted between the Untrust and Local zones. Decapsulated packets are transmitted between the DMZ (the security zone where the VT interface resides) and Trust zones.

Method used to configure the L2TP user name and password on the USG6000
The L2TP user name and password can be configured as follows.
Configure the L2TP user name and password using the CLI:
1. Set the user name and password (consistent with those set on the LAC), and bind the user to the authentication domain.
a. Configure the authentication domain for the L2TP user.
[LNS] aaa
[LNS-aaa] domain domain1.com
[LNS-aaa-domain-domain1.com] quit
[LNS-aaa] quit
b. Configure the L2TP user.
[LNS] user-manage user vpdnuser domain domain1.com
[LNS-localuser-vpdnuser@domain1.com] password Password1
[LNS-localuser-vpdnuser@domain1.com] quit
2. Enable the L2TP.
[LNS] l2tp enable
3. Create and configure the L2TP group.
[LNS] l2tp-group 1
[LNS-l2tp1] tunnel name LNS
[LNS-l2tp1] allow l2tp virtual-template 1 remote LAC
[LNS-l2tp1] tunnel authentication
[LNS-l2tp1] tunnel password cipher Password1
[LNS-l2tp1] quit
4. Configure the address pool allocated to the user.
[LNS] aaa
[LNS-aaa] domain domain1.com
[LNS-aaa-domain-domain1.com] ip pool 1 192.168.0.2 192.168.0.100
[LNS-aaa-domain-domain1.com] quit
[LNS-aaa] quit
Configure the L2TP user name and password using the web UI:
1. Configure the L2TP user.
a. Choose Object > User > User/Group.
b. Select the default authentication domain.
c. In Member Management, click New and select New User. Configure the parameters as follows:
User name: pc1
Password: Password1
Confirm password: Password1
d. Click OK.
2. Configure the L2TP parameters.
a. Choose Network > L2TP > L2TP.
b. In Configure L2TP, select Enable and click Apply.
c. In L2TP Group List, click New.
d. Set Group Type to LNS.
e. Configure the L2TP parameters. The server address must be in the same network segment as the addresses in the address pool, so that no route needs to be configured. Peer Tunnel Name must be consistent with Local Tunnel Name configured on the LAC.
Group Type: LNS
Peer Tunnel Name: LAC
Tunnel Password Authentication: Enable
Password Type: Ciphertext
Tunnel Password: Hello123
Confirm Tunnel Password: Hello123
User Group: default
Set the user address allocation parameters as follows:
Server Address/Subnet Mask: 10.2.1.1/255.255.255.0
User Address Pool: 10.2.1.2-10.2.1.100
f. Click OK.

Method used to configure the L2TP VPN in transparent mode on the USG6000
In transparent mode, the USG6000 uses the IP address of the VLANIF interface as the address of the LNS server. The NAT server is configured on the access device, and the IP address of the VLANIF interface is provided to users as a public IP address. Configure the LNS as follows:
1. Configure the VLAN and VLANIF interface.
a. Create a VLAN with ID 10.
[LNS] vlan 10
[LNS-vlan10] quit
b. Add interfaces GigabitEthernet 0/0/1 and GigabitEthernet 0/0/2 to VLAN 10.
[LNS] interface GigabitEthernet 0/0/1
[LNS-GigabitEthernet0/0/1] portswitch
[LNS-GigabitEthernet0/0/1] port access vlan 10
[LNS-GigabitEthernet0/0/1] quit
[LNS] interface GigabitEthernet 0/0/2
[LNS-GigabitEthernet0/0/2] portswitch
[LNS-GigabitEthernet0/0/2] port access vlan 10
[LNS-GigabitEthernet0/0/2] quit
c. Create a VLANIF interface and configure an IP address.
[LNS] interface vlanif 10
[LNS-Vlanif10] ip address 10.2.1.3 255.255.255.0
[LNS-Vlanif10] quit
2. Configure static routes.
a. Configure a default route for the LNS, with the next hop being the IP address of the access device interface that is directly connected to the LNS.
[LNS] ip route-static 0.0.0.0 0.0.0.0 10.2.1.1
b. Configure a route to the server network segment on the HQ intranet, with the next hop being the IP address of the VLANIF interface in the VLAN where the intranet L3 switch interface that is directly connected to the LNS resides.
[LNS] ip route-static 10.4.1.0 255.255.255.0 10.2.1.2
3. Configure the L2TP.
a. Configure the local user and password.
[LNS] aaa
[LNS-aaa] local-user vpnuser@domain1.com password cipher Vpnuser@123
b. Configure the IP address pool that allocates intranet IP addresses to VPN users.
[LNS-aaa] domain domain1.com
[LNS-aaa-domain-domain1.com] ip pool 1 10.3.1.2 10.3.1.254
[LNS-aaa-domain-domain1.com] quit
[LNS-aaa] quit
c. Enable the L2TP.
[LNS] l2tp enable
d. Configure the suffix separator of the domain name. Only the separator @ is supported when a user name containing a domain name requires a separator.
[LNS] l2tp domain suffix-separator @
e. Create the virtual interface template and configure the related parameters, including the IP address, PPP authentication mode, and address pool binding.
[LNS] interface virtual-template 1
[LNS-Virtual-Template1] ip address 10.3.1.1 255.255.255.0
[LNS-Virtual-Template1] ppp authentication-mode chap
[LNS-Virtual-Template1] remote address pool 1
[LNS-Virtual-Template1] quit
f. Create an L2TP group and configure the related parameters, including the local end name of the tunnel, the bound virtual interface template, and the password used for L2TP tunnel verification.
[LNS] l2tp-group 1
[LNS-l2tp1] tunnel name headquarter
[LNS-l2tp1] allow l2tp virtual-template 1
[LNS-l2tp1] tunnel password cipher Tunnel@123
[LNS-l2tp1] quit
4. Add the interfaces to the security zones and configure the inter-zone packet filter.
Note:
The Virtual-Template interface can be added to any security zone. If the security zone where the Virtual-Template interface resides differs from the security zone where the interface connecting the HQ LNS and the L3 switch resides, packet filtering must be configured between the two security zones so that a dial-up user can access resources on the HQ intranet. Packet filtering between the security zone where the interface connecting the LNS and the access device resides (for example, the Untrust security zone where interface GigabitEthernet 0/0/1 resides) and the Local security zone must be enabled, so that tunnel negotiation requests initiated by the LAC are accepted.
a. Add the interfaces to the security zones.
[LNS] firewall zone trust
[LNS-zone-trust] add interface Vlanif10
[LNS-zone-trust] add interface Virtual-Template 1
[LNS-zone-trust] quit
[LNS] firewall zone untrust
[LNS-zone-untrust] add interface GigabitEthernet 0/0/1
[LNS-zone-untrust] quit
[LNS] firewall zone dmz
[LNS-zone-dmz] add interface GigabitEthernet 0/0/2
[LNS-zone-dmz] quit
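An added example (not Huawei code) covering the zone rules from the security-policy answer above and the note in step 4: it parses zone assignments written in the page's "[LNS-zone-...] add interface ..." transcript form and derives which inter-zone policies the LNS needs. The SAMPLE_CONFIG excerpt is constructed, and the (source, destination, purpose) tuple layout is an assumption:

```python
import re
from typing import Dict, List, Tuple

L2TP_UDP_PORT = 1701  # L2TP control and data packets both use UDP port 1701

# Constructed excerpt in the page's CLI transcript form (zone assignments only).
SAMPLE_CONFIG = """
[LNS] firewall zone trust
[LNS-zone-trust] add interface Vlanif10
[LNS-zone-trust] add interface Virtual-Template 1
[LNS-zone-trust] quit
[LNS] firewall zone untrust
[LNS-zone-untrust] add interface GigabitEthernet 0/0/1
[LNS-zone-untrust] quit
"""

ADD_INTERFACE = re.compile(r"^\[LNS-zone-(\w+)\] add interface (.+)$")


def parse_zones(config: str) -> Dict[str, str]:
    """Map each interface to its security zone from the 'add interface' lines."""
    zone_of: Dict[str, str] = {}
    for line in config.splitlines():
        m = ADD_INTERFACE.match(line.strip())
        if m:
            zone_of[m.group(2).strip()] = m.group(1)
    return zone_of


def required_policies(zone_of: Dict[str, str], wan_if: str, vt_if: str,
                      lan_if: str) -> List[Tuple[str, str, str]]:
    """Return (source zone, destination zone, purpose) policies the LNS needs."""
    wan_zone, vt_zone, lan_zone = zone_of[wan_if], zone_of[vt_if], zone_of[lan_if]
    # Tunnel negotiation from the LAC terminates on the firewall itself, so the
    # filter between the WAN interface's zone and Local must accept it.
    needed = [(wan_zone, "local",
               f"L2TP tunnel negotiation from the LAC, UDP {L2TP_UDP_PORT}")]
    # Decapsulated user packets go from the VT interface's zone to the intranet;
    # an extra inter-zone policy is needed only when those two zones differ.
    if vt_zone != lan_zone:
        needed.append((vt_zone, lan_zone,
                       "decapsulated dial-up user traffic to the HQ intranet"))
    return needed


if __name__ == "__main__":
    zones = parse_zones(SAMPLE_CONFIG)
    for src, dst, why in required_policies(
            zones, "GigabitEthernet 0/0/1", "Virtual-Template 1", "Vlanif10"):
        print(f"{src} -> {dst}: {why}")
```

With the VT interface in Trust alongside Vlanif10 only the Untrust-to-Local policy is needed; moving the VT interface to DMZ adds the DMZ-to-Trust policy described in the dial-up access answer.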
