Pass-through ports configured for L2TP over IPSec on the USG2000 and USG5000


The pass-through ports configured for L2TP over IPSec on the USG2000 and USG5000 are as follows:

1. UDP port 500 is used for the initial IKE negotiation. Once NAT-T capability detection and NAT gateway detection are complete, ISAKMP messages are encapsulated in UDP port 4500, and that port is used for the remaining negotiation and for data transmission (the ESP packets are then UDP-encapsulated on port 4500 as well).
2. L2TP is registered on UDP port 1701, but that port is fixed only for the initial tunnel establishment. The L2TP tunnel initiator (LAC) selects any idle port (not necessarily 1701) and sends to port 1701 on the receiver; on receiving these packets, the LNS likewise selects any idle port (not necessarily 1701) and sends to the port chosen by the LAC. Once chosen, the ports at both ends remain unchanged for the life of the tunnel.
3. In L2TP over IPSec, packets are first encapsulated in L2TP and then in IPSec, so UDP port 1701 (the L2TP port) is used as the match condition of the IPSec data flow: every L2TP packet is carried over the IPSec tunnel.
Therefore, if L2TP over IPSec is configured and NAT traversal is not in use, ports 500 and 1701 are configured as pass-through ports. Note that in this case the encrypted L2TP traffic between the gateways travels as raw ESP (IP protocol 50), which has no port number, so a firewall in the path must permit ESP as well.
If NAT traversal is in use, ports 500, 4500, and 1701 are configured as pass-through ports (ESP is then carried inside UDP port 4500).
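The following Python script is an added example, not USG code: it models the three points above as a firewall on the path would see them. classify() names the stage a packet belongs to, including the demultiplexing of IKE from UDP-encapsulated ESP on port 4500 (RFC 3948 puts four zero bytes in front of IKE because an ESP SPI of zero never appears on the wire), passthrough_rules() derives the rule set for the two cases, and L2tpTunnelPorts tracks the port pair of one tunnel according to point 2. The Packet model, the hostnames and the sample packets in the stand-alone run are constructed.

```python
"""Classify L2TP over IPsec traffic and derive the pass-through rules it needs.

Added example (Python), not Huawei USG code. Packets are modelled as 5-tuples
plus the first bytes of the UDP payload; all sample packets are constructed.
"""
from dataclasses import dataclass
from typing import Optional

IKE_PORT, NAT_T_PORT, L2TP_PORT = 500, 4500, 1701
PROTO_UDP, PROTO_ESP = 17, 50
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: IKE on UDP/4500 is prefixed with 4 zero bytes
NAT_KEEPALIVE = b"\xff"               # RFC 3948: one-byte NAT keepalive on UDP/4500


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


def classify(pkt: Packet) -> str:
    """Name the protocol stage a packet belongs to, as seen by a firewall on the path."""
    if pkt.proto == PROTO_ESP:
        return "ESP"            # raw ESP carries the L2TP packets when NAT-T is not used
    if pkt.proto != PROTO_UDP:
        return "OTHER"
    ports = (pkt.sport, pkt.dport)
    if IKE_PORT in ports:
        return "IKE"            # initial negotiation, before NAT-T detection
    if NAT_T_PORT in ports:
        # After NAT-T detection, IKE and UDP-encapsulated ESP share port 4500.
        # ESP starts with its SPI, and SPI 0 is reserved, so a zero prefix means IKE.
        if pkt.payload == NAT_KEEPALIVE:
            return "NAT-KEEPALIVE"
        if pkt.payload.startswith(NON_ESP_MARKER):
            return "IKE-NAT-T"
        return "ESP-IN-UDP"
    if L2TP_PORT in ports:
        return "L2TP"           # plaintext L2TP: visible only after IPsec decryption
    return "OTHER"


def passthrough_rules(nat_t: bool) -> set:
    """Rules a firewall in front of the LNS must permit. Raw ESP has no port, so
    without NAT-T it is listed as ("esp", None) next to the two UDP ports."""
    rules = {("udp", IKE_PORT), ("udp", L2TP_PORT)}
    rules.add(("udp", NAT_T_PORT) if nat_t else ("esp", None))
    return rules


@dataclass
class L2tpTunnelPorts:
    """Per-tunnel state for point 2: the LAC sends from any idle port to 1701, the
    LNS answers from any idle port to the LAC's port, then both ports stay fixed."""
    lac: Optional[str] = None
    lac_port: Optional[int] = None
    lns: Optional[str] = None
    lns_port: Optional[int] = None

    def observe(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if self.lac_port is None:
            if pkt.dport != L2TP_PORT:
                return "reject: a tunnel must start with a packet to UDP 1701"
            self.lac, self.lac_port, self.lns = pkt.src, pkt.sport, pkt.dst
            return "learned-lac-port"
        if self.lns_port is None:
            if key == (self.lac, self.lac_port, self.lns, L2TP_PORT):
                return "ok"     # LAC retransmit before the LNS has answered
            if (pkt.src, pkt.dst, pkt.dport) != (self.lns, self.lac, self.lac_port):
                return "reject: LNS reply must be addressed to the port the LAC chose"
            self.lns_port = pkt.sport
            return "learned-lns-port"
        forward = key == (self.lac, self.lac_port, self.lns, self.lns_port)
        reverse = key == (self.lns, self.lns_port, self.lac, self.lac_port)
        return "ok" if forward or reverse else "reject: port or peer changed mid-tunnel"


if __name__ == "__main__":
    # Constructed session: IKE on 500, NAT-T on 4500, then the L2TP exchange.
    lac, lns = "10.0.0.5", "203.0.113.1"
    for p in (Packet(PROTO_UDP, lac, 500, lns, 500),
              Packet(PROTO_UDP, lac, 4500, lns, 4500, NON_ESP_MARKER + b"\x11" * 28),
              Packet(PROTO_UDP, lac, 4500, lns, 4500, b"\x00\x00\x01\x2c" + b"\x00" * 4)):
        print(classify(p))
    print(sorted(passthrough_rules(nat_t=False), key=str))
    t = L2tpTunnelPorts()
    for p in (Packet(PROTO_UDP, lac, 49152, lns, 1701), Packet(PROTO_UDP, lns, 52000, lac, 49152),
              Packet(PROTO_UDP, lac, 49153, lns, 52000)):
        print(t.observe(p))
```

The tracker deliberately accepts an LNS reply from a source port other than 1701, which is what point 2 describes; a firewall that only allows 1701<->1701 would break tunnels to LNS implementations that pick a fresh port.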

Other related questions:
Method used to configure the L2TP over IPSec user address segment on the USG2000 and USG5000
The L2TP over IPSec user address segment on the USG2000 and USG5000 is configured as follows.

Using the CLI:
# Define an address pool from which dial-up users are allocated IP addresses.
[LNS] aaa
[LNS-aaa] ip pool 1 10.1.1.1 10.1.1.100
# Set the user name and password (they must match those configured on the PC of the travelling employee).
[LNS-aaa] local-user vpdnuser password cipher Hello123
[LNS-aaa] quit
# Have the virtual-template interface allocate addresses to peers from the pool.
[LNS] interface virtual-template 1
[LNS-Virtual-Template1] remote address pool 1
[LNS-Virtual-Template1] quit

Using the web UI:
1. Choose Network > L2TP > L2TP.
2. In Configure L2TP, select Enable and click Apply.
3. In L2TP Group List, click New.
4. Set Group Type to LNS.
5. Configure the L2TP parameters. The server address should be in the same network segment as the address pool, so that no route to the pool is needed. Peer Tunnel Name must match the Local Tunnel Name configured on the LAC.
   Group Type: LNS
   Peer Tunnel Name: LAC
   Tunnel Password Authentication: Enable
   Password Type: Ciphertext
   Tunnel password: Hello123
   Confirm Tunnel password: Hello123
   User Group: default
   User address allocation:
   Server Address/Subnet Mask: 10.2.1.1/255.255.255.0
   User Address Pool: 10.2.1.2-10.2.1.100
6. Click OK.

Difference between the L2TP and the IPSec on the USG2000 and USG5000
L2TP provides tunnelled transport for PPP data-link frames and allows the L2 link termination point and the PPP session endpoint to reside on different devices, which extends the PPP model: L2TP establishes a PPP link between a user behind the LAC and the LNS. IPSec is an open network-layer security framework defined by the Internet Engineering Task Force (IETF); it is a set of protocols and services that provide IP network security, chiefly the Authentication Header (AH), the Encapsulating Security Payload (ESP), the Internet Key Exchange (IKE), and the authentication and encryption algorithms they use. L2TP over IPSec first encapsulates packets in L2TP and then in IPSec. It thus combines the strengths of the two VPN types: user authentication and address allocation are handled by L2TP, which makes up for the shortcomings of IPSec in user authentication and authorization, while IPSec supplies the confidentiality and integrity protection that L2TP itself lacks.

Method used to configure the L2TP over IPSec dial-up access for iPhone and Mac users on the USG2000 and USG5000
The L2TP over IPSec dial-up access for iPhone and Mac users on the USG2000 and USG5000 is configured as follows.

1. Configuration on the iPhone:
Choose Settings > General > Network > VPN, select Add VPN Configuration, and on the Add Configuration screen select L2TP as Type. Set the L2TP options as follows:
Description: any description of the L2TP VPN.
Server: the L2TP VPN server address, that is, the IP address of the firewall. In this example, 188.135.3.146.
Account: the L2TP user name, as configured for AAA on the firewall.
RSA SecurID: whether to authenticate with an RSA SecurID token. Disabled in this example.
Password: the password of the L2TP user, as configured for that account on the firewall.
Secret: the L2TP VPN exchange key, that is, the IKE pre-shared key. In this example, nawras (use a long random value in production).
Send All Traffic: enabled, so that all traffic is sent over the VPN.
IPSec configuration: normally the IPSec options are filled in automatically once the L2TP options are set. If not, fill them in as follows:
Description: any description of the VPN.
Server: the IP address of the firewall interface, 188.135.3.146 in this example.
Account: the L2TP user name, as configured for AAA on the firewall.
Password: the password of the L2TP user, as configured for that account on the firewall.
User Certificate: not required; this option is unavailable.
Group Name: not required; leave it blank.
Secret: the IKE pre-shared key, nawras in this example.

2. Configuration on Mac OS:
a. Parameters used by the Mac client, which the IKE peer and IPSec proposal on the firewall must match: IKE negotiation in main mode, IKE encryption algorithm 3DES, IKE authentication algorithm SHA-1, authentication method pre-shared key (PSK); IPSec in transport mode, IPSec encryption algorithm 3DES, IPSec authentication algorithm MD5. 3DES and MD5 are legacy algorithms; offer them in the firewall's proposal only for this client profile.
b. Procedure: Click Network. Click "+" in the lower left corner to create a new service. Set VPN Type to L2TP over IPSec and Service Name to any value, for example VPN (L2TP). Set Server Address to the interface IP address of the firewall and Account Name to the L2TP user name already configured for AAA. Click Authentication Settings, set Password to the password of the L2TP user and Shared Secret to the pre-shared key of the IKE peer (nawras in this example), and click OK. Click Apply in the lower right corner to save the settings. To connect, click Connect; the system initiates the L2TP over IPSec negotiation, and once it completes the status shows Connected and the interface receives the IP address allocated by L2TP.

Whether the USG can control a device's access to L2TP over IPSec
MAC addresses cannot be identified across Layer 3 on the public network, so the USG cannot tie L2TP over IPSec access to a particular device. Access is controlled only by the user name and password, which should be given only to users who are permitted to connect; per-device control cannot be enforced on the device itself.

Configuration of L2TP over IPSec on the USG6000
Configuration procedure:
1. Complete the basic interface, security policy, and route configuration.
2. Configure and apply IPSec. Note that the source and destination addresses of the data flow protected by IPSec are the source and destination addresses of the traffic exchanged between the external interfaces of the two gateways.
3. Configure L2TP and the L2TP tunnel source.
For details, see the Huawei Security Forum case "USG6000 L2TP over IPSec Configuration Cases".

Procedure
1. Configure the IP address of each interface and add the interfaces to security zones. The specific procedure is not described here.
2. Enable the inter-zone security policy.
e map_temp
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet 1/0/1] ipsec policy map1
[NGFW_B] ipsec policy map1 10 isakmp
[NGFW_B-ipsec-policy-isakmp-map1-10] security acl 3000
[NGFW_B-ipsec-policy-isakmp-map1-10] proposal tran1
[NGFW_B-ipsec-policy-isakmp-map1-10] ike-peer b
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ipsec policy map1
5. Configure L2TP.
A. (LNS end, NGFW_A) Configure L2TP.
[NGFW_A] user-manage user l2tpuser //Configure the L2TP user.
[NGFW_A-localuser-l2tpuser] password Password1
[NGFW_A-localuser-l2tpuser] quit
[NGFW_A] l2tp enable //Enable L2TP.
[NGFW_A] aaa
[NGFW_A-aaa] ip pool 0 192.168.0.2 192.168.0.99 //Configure the IP address pool.
[NGFW_A-aaa] quit
[NGFW_A] interface Virtual-Template 1 //Configure the virtual template interface.
[NGFW_A-Virtual-Template1] ppp authentication-mode pap //PAP sends the password in clear over PPP; it is tolerable only because the PPP session runs inside IPSec. CHAP is preferred.
[NGFW_A-Virtual-Template1] ip address 1.1.1.2 255.255.255.0
[NGFW_A-Virtual-Template1] remote address pool 0 //Have the virtual interface allocate addresses to the peer end from the pool. The pool is not in the virtual-template subnet here, so a route to the pool is required.
[NGFW_A-Virtual-Template1] quit
[NGFW_A] l2tp-group 1 //Create the L2TP group.
[NGFW_A-l2tp1] allow l2tp virtual-template 1
[NGFW_A-l2tp1] tunnel password cipher Pass1234
[NGFW_A-l2tp1] quit
B. (LAC end, NGFW_B) Configure L2TP.
# Configure the L2TP user.
[NGFW_B] user-manage user l2tpuser
[NGFW_B-localuser-l2tpuser] password Password1
[NGFW_B-localuser-l2tpuser] quit
# Configure L2TP.
[NGFW_B] l2tp enable
[NGFW_B] interface Virtual-Template 1
[NGFW_B-Virtual-Template1] ppp authentication-mode pap
[NGFW_B-Virtual-Template1] quit
[NGFW_B] interface GigabitEthernet 1/0/3
[NGFW_B-GigabitEthernet1/0/3] pppoe-server bind virtual-template 1
[NGFW_B-GigabitEthernet1/0/3] quit
[NGFW_B] l2tp-group 1
[NGFW_B-l2tp1] tunnel password cipher Pass1234 //Must be identical to the tunnel password on the LNS.
[NGFW_B-l2tp1] start l2tp ip 1.1.3.1 fullusername l2tpuser
[NGFW_B-l2tp1] quit
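The following Python script is an added example, not Huawei tooling; it serves both the USG2000/USG5000 address-segment procedure and the USG6000 procedure above. It reads a flattened CLI transcript of the "[prompt] command" form used in those procedures and checks the constraints they state: l2tp enable is present, the L2TP group is bound to a virtual template that allocates from an existing pool, the pool lies inside the virtual template's subnet (otherwise a route is needed, which is exactly the situation in the USG6000 example), a tunnel password is set and identical on both ends, and an IPsec ACL matches UDP 1701. Both transcripts are constructed from the page's values; the ACL rule syntax is assumed.

```python
"""Consistency checks for an L2TP over IPsec LNS/LAC configuration.

Added example (Python), not Huawei tooling. Parses "[prompt] command" lines
and reports ERROR (tunnel will not work), WARNING (extra config needed) and
INFO (security trade-off) findings. Transcripts below are constructed.
"""
import ipaddress
import re

LINE_RE = re.compile(r"^\[[^\]]+\]\s+(?P<cmd>.+?)\s*(?://.*)?$")  # strips //comments

LNS_CONFIG = """
[NGFW_A] l2tp enable
[NGFW_A] aaa
[NGFW_A-aaa] ip pool 0 192.168.0.2 192.168.0.99 //Address pool for dial-up users.
[NGFW_A-aaa] quit
[NGFW_A] interface Virtual-Template 1
[NGFW_A-Virtual-Template1] ppp authentication-mode pap
[NGFW_A-Virtual-Template1] ip address 1.1.1.2 255.255.255.0
[NGFW_A-Virtual-Template1] remote address pool 0
[NGFW_A-Virtual-Template1] quit
[NGFW_A] l2tp-group 1
[NGFW_A-l2tp1] allow l2tp virtual-template 1
[NGFW_A-l2tp1] tunnel password cipher Pass1234
[NGFW_A-l2tp1] quit
[NGFW_A] acl 3000
[NGFW_A-acl-adv-3000] rule permit udp source-port eq 1701 //Assumed rule syntax.
"""

LAC_CONFIG = """
[NGFW_B] l2tp enable
[NGFW_B] l2tp-group 1
[NGFW_B-l2tp1] tunnel password cipher Pass1234
[NGFW_B-l2tp1] start l2tp ip 1.1.3.1 fullusername l2tpuser
[NGFW_B-l2tp1] quit
"""


def parse(text):
    """Collect the L2TP-relevant parameters from a CLI transcript."""
    cfg = {"l2tp_enabled": False, "pools": {}, "vts": {}, "groups": {}, "acl_1701": False}
    vt = group = None  # the virtual template / L2TP group view we are currently inside
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd").split()
        if cmd[:2] == ["l2tp", "enable"]:
            cfg["l2tp_enabled"] = True
        elif cmd[:2] == ["ip", "pool"] and len(cmd) == 5:
            cfg["pools"][cmd[2]] = (ipaddress.ip_address(cmd[3]), ipaddress.ip_address(cmd[4]))
        elif cmd[0] == "interface" and len(cmd) > 2 and cmd[1].lower() == "virtual-template":
            vt, group = cfg["vts"].setdefault(cmd[2], {}), None
        elif cmd[0] == "l2tp-group" and len(cmd) > 1:
            group, vt = cfg["groups"].setdefault(cmd[1], {}), None
        elif cmd[0] == "quit":
            vt = group = None
        elif vt is not None and cmd[:2] == ["ip", "address"]:
            vt["addr"] = ipaddress.ip_interface(f"{cmd[2]}/{cmd[3]}")  # dotted mask accepted
        elif vt is not None and cmd[:3] == ["remote", "address", "pool"]:
            vt["pool"] = cmd[3]
        elif vt is not None and cmd[:2] == ["ppp", "authentication-mode"]:
            vt["auth"] = cmd[2]
        elif group is not None and cmd[:2] == ["tunnel", "password"]:
            group["password"] = cmd[-1]
        elif group is not None and cmd[:3] == ["allow", "l2tp", "virtual-template"]:
            group["vt"] = cmd[3]
        elif cmd[0] == "rule" and "udp" in cmd and "1701" in cmd:
            cfg["acl_1701"] = True
    return cfg


def check_lns(cfg):
    """Findings for the LNS side."""
    out = []
    if not cfg["l2tp_enabled"]:
        out.append("ERROR: 'l2tp enable' missing; the LNS will not accept tunnels on UDP 1701")
    for gid, g in cfg["groups"].items():
        if "password" not in g:
            out.append(f"ERROR: l2tp-group {gid} has no tunnel password")
        vt = cfg["vts"].get(g.get("vt"))
        if vt is None:
            out.append(f"ERROR: l2tp-group {gid} is not bound to a defined virtual template")
            continue
        pool = cfg["pools"].get(vt.get("pool"))
        if pool is None:
            out.append(f"ERROR: virtual template of l2tp-group {gid} has no valid 'remote address pool'")
        elif "addr" in vt and not all(ip in vt["addr"].network for ip in pool):
            out.append(f"WARNING: pool {pool[0]}-{pool[1]} lies outside {vt['addr'].network}; a route to the pool is required")
        if vt.get("auth") == "pap":
            out.append("INFO: PPP uses PAP; tolerable only because the session runs inside IPsec, CHAP is preferred")
    if not cfg["acl_1701"]:
        out.append("ERROR: no ACL rule matches UDP 1701; L2TP traffic would not be selected by the IPsec policy")
    return out


def check_pair(lns, lac):
    """Cross-check the two ends: the tunnel password must be identical."""
    lns_pw = {g.get("password") for g in lns["groups"].values()}
    lac_pw = {g.get("password") for g in lac["groups"].values()}
    if not (lns_pw & lac_pw) - {None}:
        return ["ERROR: tunnel passwords differ between LNS and LAC; tunnel authentication will fail"]
    return []


if __name__ == "__main__":
    lns, lac = parse(LNS_CONFIG), parse(LAC_CONFIG)
    for finding in check_lns(lns) + check_pair(lns, lac):
        print(finding)
```

Run against the page's own USG6000 values the checker reports no errors, one warning (pool 192.168.0.2-192.168.0.99 is outside 1.1.1.0/24, so the LNS needs a route to the pool) and the PAP note; changing the LAC's tunnel password turns the cross-check into an error.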
