Example for Configuring L2TP Client-Initiated L2TP Connections Using the 3G Interface
Networking Requirements
As shown in Figure 1-24, an enterprise has branches located in other cities. Each branch runs an Ethernet LAN with a gateway deployed, so that branch hosts can access the Internet.
The headquarters provides VPDN services so that branch staff can access the headquarters network. The LNS authenticates only the L2TP Client. The L2TP Client dials up to establish an L2TP connection between itself and the LNS.
Configuration Roadmap
The configuration roadmap is as follows:
Configure a dial string for dialup on a 3G interface and a route to the public network address.
Enable L2TP on the L2TP Client. The L2TP Client sends a connection request on behalf of the virtual PPP user to the LNS in the headquarters over an L2TP tunnel. After the PPP user is authenticated, the tunnel is set up.
Configure a route to the public network address with the 3G interface as the outbound interface, and enable the dial function on the L2TP Client.
On the LNS, configure L2TP, a virtual PPP user, and a route to the public network segment.
Procedure
Configure RouterA (the L2TP Client side).
In this example, the IP address of Cellular0/0/0 on RouterA is allocated by the ISP, and the IP address of GE2/0/0 on RouterB is 12.1.1.1.
# Configure dialup on Cellular0/0/0.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] dialer-rule
[RouterA-dialer-rule] dialer-rule 1 ip permit
[RouterA-dialer-rule] quit
[RouterA] interface cellular 0/0/0
[RouterA-Cellular0/0/0] link-protocol ppp
[RouterA-Cellular0/0/0] ip address ppp-negotiate
[RouterA-Cellular0/0/0] dialer enable-circular
[RouterA-Cellular0/0/0] dialer-group 1
[RouterA-Cellular0/0/0] dialer timer autodial 60
[RouterA-Cellular0/0/0] dialer number *99# autodial
[RouterA-Cellular0/0/0] mode wcdma wcdma-precedence
[RouterA-Cellular0/0/0] quit
[RouterA] apn profile 3gprofile
[RouterA-apn-profile-3gprofile] apn 3GNET
[RouterA-apn-profile-3gprofile] quit
[RouterA] interface cellular 0/0/0
[RouterA-Cellular0/0/0] apn-profile 3gprofile
[RouterA-Cellular0/0/0] shutdown
[RouterA-Cellular0/0/0] undo shutdown
[RouterA-Cellular0/0/0] quit
# Configure an IP address for the public-network-side interface.
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 192.168.1.1 255.255.255.0
[RouterA-GigabitEthernet1/0/0] quit
# Configure an L2TP group and its attributes.
[RouterA] l2tp enable
[RouterA] l2tp-group 1
[RouterA-l2tp1] tunnel name L2TP_Client
[RouterA-l2tp1] start l2tp ip 12.1.1.1 fullusername huawei
# Enable tunnel authentication and set the tunnel password.
[RouterA-l2tp1] tunnel authentication
[RouterA-l2tp1] tunnel password cipher 123
[RouterA-l2tp1] quit
# Configure the user name and password, authentication mode, and IP address for the virtual PPP user.
[RouterA] interface virtual-template 1
[RouterA-Virtual-Template1] ppp chap user huawei
[RouterA-Virtual-Template1] ppp chap password cipher Huawei@1234
[RouterA-Virtual-Template1] ip address 13.1.1.2 255.255.255.0
[RouterA-Virtual-Template1] quit
# Configure a public route so that the packets sent to the headquarters are forwarded through the 3G interface.
[RouterA] ip route-static 0.0.0.0 0 Cellular0/0/0
# Enable the L2TP Client to establish an L2TP tunnel.
[RouterA] interface virtual-template 1
[RouterA-Virtual-Template1] l2tp-auto-client enable
[RouterA-Virtual-Template1] quit
# Configure private routes so that branches can communicate with the headquarters through the private network.
[RouterA] ip route-static 192.168.0.0 255.255.255.0 virtual-template 1
Configure RouterB (the LNS side).
# Assign an IP address to GigabitEthernet2/0/0 on RouterB.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] interface gigabitEthernet 2/0/0
[RouterB-GigabitEthernet2/0/0] ip address 12.1.1.1 255.255.255.0
[RouterB-GigabitEthernet2/0/0] quit
# Configure a private IP address.
[RouterB] interface GigabitEthernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ip address 192.168.0.1 255.255.255.0
[RouterB-GigabitEthernet1/0/0] quit
# Create and configure a virtual template.
[RouterB] interface virtual-template 1
[RouterB-Virtual-Template1] ppp authentication-mode chap
[RouterB-Virtual-Template1] ip address 13.1.1.1 255.255.255.0
[RouterB-Virtual-Template1] quit
# Enable L2TP and configure an L2TP group.
[RouterB] l2tp enable
[RouterB] l2tp-group 1
# Set the local and remote tunnel names for the LNS.
[RouterB-l2tp1] tunnel name LNS
[RouterB-l2tp1] allow l2tp virtual-template 1 remote L2TP_Client
# Enable tunnel authentication and set the tunnel password.
[RouterB-l2tp1] tunnel authentication
[RouterB-l2tp1] tunnel password cipher 123
[RouterB-l2tp1] quit
# Set the user name and password to huawei and Huawei@1234, which must be the same as those on the L2TP Client side.
[RouterB] aaa
[RouterB-aaa] local-user huawei password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, including lowercase letters, uppercase letters, numerals and special characters.
Please enter password:
Please confirm password:
Info: Add a new user.
Warning: The new user supports all access modes. The management user access modes such as Telnet, SSH, FTP, HTTP, and Terminal have security risks. You are advised to configure the required access modes only.
[RouterB-aaa] local-user huawei service-type ppp
[RouterB-aaa] quit
# Configure a default route to the Internet. In this example, the next hop address toward the Internet is 12.1.1.2.
[RouterB] ip route-static 0.0.0.0 0 12.1.1.2
# Configure private routes so that the headquarters can communicate with branches through the private network.
[RouterB] ip route-static 192.168.1.0 255.255.255.0 virtual-template 1
Verify the configuration.
# Run the display l2tp tunnel command on the L2TP Client and the LNS. The output shows that a tunnel has been established. The command output on the L2TP Client is used as an example.
[RouterA] display l2tp tunnel
 Total tunnel : 1
 LocalTID  RemoteTID  RemoteAddress  Port  Sessions  RemoteName
 1         1          12.1.1.1       1701  1         LNS
# Run the display l2tp session command to check the session status. The command output on the LNS is used as an example.
[RouterB] display l2tp session
 Total session : 1
 LocalSID  RemoteSID  LocalTID
 1         1          1
# Check that PCs in the branch can access servers in the headquarters.
Configuration Files
Configuration file of RouterA
#
 sysname RouterA
#
 l2tp enable
#
interface Virtual-Template1
 ppp chap user huawei
 ppp chap password cipher %^%#'&=6Q(|7-#|.]EB`mK$(h7[CY`2m}-YT)Q=Oh2~2%^%#
 ip address 13.1.1.2 255.255.255.0
 l2tp-auto-client enable
#
interface Cellular0/0/0
 link-protocol ppp
 ip address ppp-negotiate
 dialer enable-circular
 dialer-group 1
 apn-profile 3GNET
 dialer timer autodial 60
 dialer number *99# autodial
#
interface GigabitEthernet1/0/0
 ip address 192.168.1.1 255.255.255.0
#
l2tp-group 1
 tunnel password cipher %@%@d'o6Xpp(i/i:WRC)`'0#3nJ*%@%@
 tunnel name L2TP_Client
 start l2tp ip 12.1.1.1 fullusername huawei
#
dialer-rule
 dialer-rule 1 ip permit
#
apn profile 3GNET
#
ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/0
ip route-static 192.168.0.0 255.255.255.0 Virtual-Template1
#
return
Configuration file of RouterB
#
 sysname RouterB
#
 l2tp enable
#
aaa
 local-user huawei password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
 local-user huawei privilege level 0
 local-user huawei service-type ppp
#
interface Virtual-Template1
 ppp authentication-mode chap
 ip address 13.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 12.1.1.1 255.255.255.0
#
l2tp-group 1
 allow l2tp virtual-template 1 remote L2TP_Client
 tunnel password cipher %@%@5j*=S&AGXK'J}kG])REK]_-o%@%@
 tunnel name LNS
#
ip route-static 0.0.0.0 0.0.0.0 12.1.1.2
ip route-static 192.168.1.0 255.255.255.0 Virtual-Template1
#
return
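The two configuration files above must agree on several values (the tunnel name the client announces versus the remote name the LNS allows, tunnel authentication at both ends, and the CHAP user existing on the LNS with service-type ppp) before the display l2tp tunnel and display l2tp session checks can succeed. The following is an added example, not Huawei's code or a tool from the page: it reads '#'-separated configuration text of the kind shown above and reports such mismatches. The sample configurations are constructed, trimmed from the page's two files to the lines the checks need.

```python
import re

# Constructed samples, trimmed from the page's two configuration files to the lines these checks read.
CLIENT_CFG = """interface Virtual-Template1
 ppp chap user huawei
#
l2tp-group 1
 tunnel authentication
 tunnel name L2TP_Client
 start l2tp ip 12.1.1.1 fullusername huawei"""
LNS_CFG = """aaa
 local-user huawei service-type ppp
#
l2tp-group 1
 allow l2tp virtual-template 1 remote L2TP_Client
 tunnel authentication
 tunnel name LNS"""

def blocks(cfg):
    """Split a Huawei-style config into {section header: [sub-lines]}; sections are separated by a lone '#' line."""
    out = {}
    for chunk in re.split(r"(?m)^#\s*$", cfg):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        if lines:
            out[lines[0]] = lines[1:]
    return out

def first(lines, pattern):
    """First regex match of pattern over a block's lines, or None."""
    return next((m for l in lines if (m := re.match(pattern, l))), None)

def check_pair(client_cfg, lns_cfg):
    """Cross-check an L2TP Client config against its LNS; returns a list of findings (empty = consistent)."""
    c, s = blocks(client_cfg), blocks(lns_cfg)
    cg, sg, findings = c.get("l2tp-group 1", []), s.get("l2tp-group 1", []), []
    # 1. The tunnel name the client announces must be the remote name the LNS group accepts.
    cname = first(cg, r"tunnel name (\S+)")
    allow = first(sg, r"allow l2tp virtual-template \d+ remote (\S+)")
    if not (cname and allow and cname.group(1) == allow.group(1)):
        findings.append("client tunnel name does not match the LNS 'allow ... remote' name")
    # 2. Tunnel authentication must be enabled on both ends or on neither.
    if ("tunnel authentication" in cg) != ("tunnel authentication" in sg):
        findings.append("tunnel authentication enabled on one side only")
    # 3. The CHAP user the client sends must exist on the LNS with service-type ppp.
    user = first(c.get("interface Virtual-Template1", []), r"ppp chap user (\S+)")
    if not (user and f"local-user {user.group(1)} service-type ppp" in s.get("aaa", [])):
        findings.append("CHAP user missing on the LNS or lacks service-type ppp")
    return findings
```

The check reads saved configuration text only; the tunnel and CHAP passwords are stored as cipher strings and are not compared.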