[Gateway Whiz]Configuring IPSec over L2TP Between Headquarters and Branches

Latest reply: May 11, 2017 01:22:30

Hello everyone,

Today I will share with you how to configure IPSec over L2TP between headquarters and branches.

Specifications

This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements

As shown in Figure 1-1, an enterprise has some branches located in other cities, and the branches use the Ethernet network.

The enterprise requires that the headquarters should provide VPDN services for branch users so that the branch users can access the headquarters network. When branch users access intranet servers on the headquarters network, data should be encrypted to prevent data leaks.

To meet these requirements, you can configure the LAC to initiate an L2TP connection request to the LNS. Then you can configure IPSec to protect data exchanged between branch users and intranet servers. IPSec-encrypted data is transmitted over the L2TP tunnel between the LAC and LNS.

Figure 1-1 IPSec over L2TP networking

Procedure

Step 1    Configure the LAC.

#
 sysname LAC
#
 l2tp enable  //Enable L2TP.
#
acl number 3000  //Configure an ACL.
 rule 0 permit ip source 10.2.1.0 0.0.0.255 destination 10.3.1.0 0.0.0.255
#
ipsec proposal lac  //Create an IPSec proposal.
 esp authentication-algorithm sha2-512
 esp encryption-algorithm aes-256
#
ike peer lac v1  //Create an IKE peer.
 pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%#  //Set the pre-shared key to huawei in cipher text. In V2R3C00 and earlier versions, the command is pre-shared-key huawei, which specifies a plain-text pre-shared key.
 remote-address 10.4.1.1  //Specify the IP address of the remote IPSec interface.
#
ipsec policy lac 1 isakmp  //Create an IPSec policy.
 security acl 3000
 ike-peer lac
 proposal lac
#
interface Virtual-Template1  //Create a virtual tunnel template.
 ppp chap user huawei  //Set the user name of a virtual PPP user to huawei.
 ppp chap password cipher %@%@\;#%<c~6Y%cNZK/h.pK%:>Uo%@%@  //Set the password of the virtual PPP user to Huawei@1234.
 ip address ppp-negotiate  //Configure IP address negotiation.
 l2tp-auto-client enable  //Enable the virtual PPP user to initiate an L2TP connection request.
 ipsec policy lac  //Apply the IPSec policy.
#
interface GigabitEthernet1/0/0
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 10.2.1.1 255.255.255.0
#
l2tp-group 1  //Create an L2TP group and set related attributes.
 tunnel password cipher %@%@7v&1O#yr\#gl]w=Rk^uY:>@"%@%@  //Enable tunnel authentication and set the cipher-text password to huawei, which is the same as the password specified on the remote device.
 tunnel name lac
 start l2tp ip 1.1.2.1 fullusername huawei
#
ip route-static 10.3.1.0 255.255.255.0 Virtual-Template1 10.1.1.1  //Configure static routes.
ip route-static 10.4.1.0 255.255.255.0 Virtual-Template1
#
return

Step 2    Configure the LNS.

#
 sysname LNS
#
 l2tp enable  //Enable L2TP.
#
ip pool 1  //Create an IP address pool.
 gateway-list 10.1.1.1
 network 10.1.1.0 mask 255.255.255.0
#
aaa  //Create a local user and set the user name and password to huawei and Huawei@1234.
 local-user huawei password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
 local-user huawei privilege level 0
 local-user huawei service-type ppp
#
interface Virtual-Template1  //Create a virtual tunnel template.
 ppp authentication-mode chap
 remote address pool 1
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 ip address 1.1.2.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 10.4.1.2 255.255.255.0
#
l2tp-group 1  //Create an L2TP group and set related attributes.
 allow l2tp virtual-template 1 remote lac tunnel password cipher %@%@FN15@5D_BGc=v"2~0=iJ,b+H%@%@  //Enable tunnel authentication and set the cipher-text password to huawei, which is the same as the password specified on the remote device.
 tunnel name lns
#
ip route-static 10.2.1.0 255.255.255.0 Virtual-Template1  //Configure static routes.
ip route-static 10.3.1.0 255.255.255.0 10.4.1.1
#
return

Step 3    Configure Router_1.

#
 sysname Router_1
#
acl number 3000  //Configure an ACL.
 rule 0 permit ip source 10.3.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
#
ipsec proposal lac1  //Create an IPSec proposal.
 esp authentication-algorithm sha2-512
 esp encryption-algorithm aes-256
#
ike peer lac1 v1  //Create an IKE peer.
 pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%#  //Set the pre-shared key to huawei in cipher text. In V2R3C00 and earlier versions, the command is pre-shared-key huawei, which specifies a plain-text pre-shared key.
#
ipsec policy-template temp 1  //Create an IPSec policy template. The LAC's address is PPP-negotiated, so no remote address is configured on this IKE peer and Router_1 responds to the negotiation started by the LAC.
 security acl 3000
 ike-peer lac1
 proposal lac1
#
ipsec policy lac1 1 isakmp template temp  //Create an IPSec policy that references the template.
#
interface GigabitEthernet1/0/0
 ip address 10.4.1.1 255.255.255.0
 ipsec policy lac1  //Bind the IPSec policy to the interface.
#
interface GigabitEthernet2/0/0
 ip address 10.3.1.1 255.255.255.0
#
ip route-static 10.1.1.0 255.255.255.0 10.4.1.2  //Configure static routes.
ip route-static 10.2.1.0 255.255.255.0 10.4.1.2
#
return

Step 4    Verify the configuration.

# Run the display l2tp tunnel command on the LAC or LNS. You can see that an L2TP tunnel and a session numbered 1 have been established.

# Run the display ike sa command on the LAC or Router_1. In the command output, Flag(s) is displayed as RD, indicating that an SA has been established successfully; Phase is displayed as 1 and 2.

# The headquarters and branch can ping each other.

----End

Configuration Notes

  • The LAC and LNS must use the same user name and password.

  • On the LAC, the IPSec policy must be bound to the VT1 interface.

  • When you configure a static route on the LAC, the outbound interface in the route destined to the headquarters network segment must be the VT1 interface.
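
As an added example (my own code, not part of the original post and not a Huawei tool), the checker below parses the LAC, LNS and Router_1 configurations from Steps 1 to 3 and tests the points that can be verified from the text: the ACL on the LAC mirrors the one on Router_1, a defined IPSec policy is applied on Virtual-Template1 of the LAC, the LAC's static routes to the headquarters segments leave through Virtual-Template1, the LNS accepts the tunnel name the LAC announces, and the LAC's IKE remote-address is an interface of Router_1 that carries an IPSec policy. The embedded configuration texts are copied from the steps above with the cipher-text secrets and comments removed, so the first configuration note (matching user name and password) cannot be checked here; the parser is a minimal reading of the one-space indentation convention used in the output above.

```python
# Added example, not from the post or a Huawei tool: a consistency checker for the
# LAC / LNS / Router_1 configurations of this example. The texts below are copied
# from the post with comments and cipher-text secrets left out.
import re

LAC_CFG = """
acl number 3000
 rule 0 permit ip source 10.2.1.0 0.0.0.255 destination 10.3.1.0 0.0.0.255
ike peer lac v1
 remote-address 10.4.1.1
ipsec policy lac 1 isakmp
interface Virtual-Template1
 ip address ppp-negotiate
 ipsec policy lac
l2tp-group 1
 tunnel name lac
ip route-static 10.3.1.0 255.255.255.0 Virtual-Template1 10.1.1.1
ip route-static 10.4.1.0 255.255.255.0 Virtual-Template1
"""
LNS_CFG = """
l2tp-group 1
 allow l2tp virtual-template 1 remote lac
 tunnel name lns
"""
ROUTER1_CFG = """
acl number 3000
 rule 0 permit ip source 10.3.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
interface GigabitEthernet1/0/0
 ip address 10.4.1.1 255.255.255.0
 ipsec policy lac1
"""

def parse(cfg):
    """(command, [subcommands]) blocks: an unindented line opens a block, indented
    lines belong to it; '#' separators and '//' comments are dropped."""
    blocks = []
    for raw in cfg.splitlines():
        line = raw.split("//")[0].rstrip()
        if line.strip() in ("", "#"):
            continue
        if line.startswith(" "):
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line, []))
    return blocks

def find(cfg, prefix):
    return [b for b in parse(cfg) if b[0].startswith(prefix)]

def acls_are_mirrored(cfg_a, cfg_b, number=3000):
    """Each permit rule (src, dst) on one IPSec peer must appear as (dst, src) on the other."""
    rx = re.compile(r"rule \d+ permit ip source (\S+) \S+ destination (\S+) \S+")
    pairs = lambda cfg: {m.groups() for _, subs in find(cfg, f"acl number {number}")
                         for s in subs for m in [rx.match(s)] if m}
    return pairs(cfg_a) == {(d, s) for s, d in pairs(cfg_b)}

def lac_policy_on_vt(cfg, vt="Virtual-Template1"):
    """Configuration note 2: a defined IPSec policy must be applied on the LAC's VT interface."""
    defined = {hdr.split()[2] for hdr, _ in find(cfg, "ipsec policy ")}
    return any(s.split()[-1] in defined for _, subs in find(cfg, f"interface {vt}")
               for s in subs if s.startswith("ipsec policy "))

def hq_routes_via_vt(cfg, hq_segments, vt="Virtual-Template1"):
    """Configuration note 3: static routes to headquarters segments must leave via the VT interface."""
    return all(hdr.split()[4] == vt for hdr, _ in find(cfg, "ip route-static ")
               if hdr.split()[2] in hq_segments)

def tunnel_names_agree(lac_cfg, lns_cfg):
    """The LNS 'allow ... remote <name>' must accept the LAC's 'tunnel name'."""
    names = {s.split()[2] for _, subs in find(lac_cfg, "l2tp-group ")
             for s in subs if s.startswith("tunnel name ")}
    allowed = {m.group(1) for _, subs in find(lns_cfg, "l2tp-group ") for s in subs
               for m in [re.search(r"allow l2tp virtual-template \d+ remote (\S+)", s)] if m}
    return bool(names) and names <= allowed

def ike_peer_reachable(lac_cfg, peer_cfg):
    """The LAC's IKE 'remote-address' must be an address of a peer interface that carries an IPSec policy."""
    remotes = {s.split()[1] for _, subs in find(lac_cfg, "ike peer ")
               for s in subs if s.startswith("remote-address ")}
    protected = {s.split()[2] for _, subs in find(peer_cfg, "interface ")
                 if any(x.startswith("ipsec policy ") for x in subs)
                 for s in subs if s.startswith("ip address ")}
    return bool(remotes) and remotes <= protected

def run_all():
    """Evaluate every check against the embedded configurations; returns {name: passed}."""
    results = {
        "acl_mirrored": acls_are_mirrored(LAC_CFG, ROUTER1_CFG),
        "lac_policy_on_vt": lac_policy_on_vt(LAC_CFG),
        "hq_routes_via_vt": hq_routes_via_vt(LAC_CFG, {"10.3.1.0", "10.4.1.0"}),
        "tunnel_names_agree": tunnel_names_agree(LAC_CFG, LNS_CFG),
        "ike_peer_reachable": ike_peer_reachable(LAC_CFG, ROUTER1_CFG),
    }
    for name, ok in results.items():
        print(f"{name:20s} {'OK' if ok else 'MISMATCH'}")
    return results

if __name__ == "__main__":
    run_all()
```

Run as a script, every check reports OK for the configurations in this post. Pointing a headquarters route at GigabitEthernet1/0/0 instead of Virtual-Template1, or changing the remote name on the LNS, turns the corresponding line into MISMATCH, which is the failure mode the configuration notes warn about.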

That is all I want to share with you! Thank you!

doctor.zhang
Created May 11, 2017 01:22:30

good! thanks!