Hello everyone,
Today I will share with you how to configure IPSec over L2TP between headquarters and branches.
Specifications
This example applies to all AR models of V200R002C00 and later versions.
Networking Requirements
As shown in Figure 1-1, an enterprise has some branches located in other cities, and the branches use the Ethernet network.
The enterprise requires that the headquarters should provide VPDN services for branch users so that the branch users can access the headquarters network. When branch users access intranet servers on the headquarters network, data should be encrypted to prevent data leaks.
To meet these requirements, you can configure the LAC to initiate an L2TP connection request to the LNS. Then you can configure IPSec to protect data exchanged between branch users and intranet servers. IPSec-encrypted data is transmitted over the L2TP tunnel between the LAC and LNS.
Figure 1-1 IPSec over L2TP networking
Procedure
Step 1 Configure the LAC.
#
sysname LAC
#
l2tp enable //Enable L2TP.
#
acl number 3000 //Configure an ACL.
rule 0 permit ip source 10.2.1.0 0.0.0.255 destination 10.3.1.0 0.0.0.255
#
ipsec proposal lac //Create an IPSec proposal.
esp authentication-algorithm sha2-512
esp encryption-algorithm aes-256
#
ike peer lac v1 //Create an IKE peer.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Set the pre-shared key to huawei in cipher text. In V2R3C00 and earlier versions, the command is pre-shared-key huawei, which specifies a plain-text pre-shared key.
remote-address 10.4.1.1 //Specify an IP address for the remote IPSec interface.
#
ipsec policy lac 1 isakmp //Create an IPSec policy.
security acl 3000
ike-peer lac
proposal lac
#
interface Virtual-Template1 //Create a virtual tunnel template.
ppp chap user huawei //Set the user name of a virtual PPP user to huawei.
ppp chap password cipher %@%@\;#%<c~6Y%cNZK/h.pK%:>Uo%@%@ //Set the password of the virtual PPP user to Huawei@1234.
ip address ppp-negotiate //Configure IP address negotiation.
l2tp-auto-client enable //Enable the virtual PPP user to initiate an L2TP connection request.
ipsec policy lac //Apply an IPSec policy.
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.2.1.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and set related attributes.
tunnel password cipher %@%@7v&1O#yr\#gl]w=Rk^uY:>@"%@%@ //Enable tunnel authentication and set the cipher-text password to huawei, which is the same as the password specified on the remote device.
tunnel name lac
start l2tp ip 1.1.2.1 fullusername huawei
#
ip route-static 10.3.1.0 255.255.255.0 Virtual-Template1 10.1.1.1 //Configure a static route.
ip route-static 10.4.1.0 255.255.255.0 Virtual-Template1
#
return
Step 2 Configure the LNS.
#
sysname LNS
#
l2tp enable //Enable L2TP.
#
ip pool 1 //Create an IP address pool.
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.0
#
aaa //Create a local user and set the user name and password to huawei and Huawei@1234.
local-user huawei password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
local-user huawei privilege level 0
local-user huawei service-type ppp
#
interface Virtual-Template1 //Create a virtual tunnel template.
ppp authentication-mode chap
remote address pool 1
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 1.1.2.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.4.1.2 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and set related attributes.
allow l2tp virtual-template 1 remote lac //Accept L2TP connection requests from the tunnel named lac and bind them to Virtual-Template1.
tunnel password cipher %@%@FN15@5D_BGc=v"2~0=iJ,b+H%@%@ //Enable tunnel authentication and set the cipher-text password to huawei, which is the same as the password specified on the remote device.
tunnel name lns
#
ip route-static 10.2.1.0 255.255.255.0 Virtual-Template1 //Configure a static route.
ip route-static 10.3.1.0 255.255.255.0 10.4.1.1
#
return
Step 3 Configure Router_1.
#
sysname Router_1
#
acl number 3000 //Configure an ACL.
rule 0 permit ip source 10.3.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
#
ipsec proposal lac1 //Create an IPSec proposal.
esp authentication-algorithm sha2-512
esp encryption-algorithm aes-256
#
ike peer lac1 v1 //Create an IKE peer.
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //Set the pre-shared key to huawei in cipher text. In V2R3C00 and earlier versions, the command is pre-shared-key huawei, which specifies a plain-text pre-shared key.
#
ipsec policy-template temp 1 //Create an IPSec policy template. Router_1 does not know the LAC's tunnel address in advance, so it responds to negotiation rather than initiating it.
security acl 3000
ike-peer lac1
proposal lac1
#
ipsec policy lac1 1 isakmp template temp //Create an IPSec policy that references the policy template temp.
#
interface GigabitEthernet1/0/0
ip address 10.4.1.1 255.255.255.0
ipsec policy lac1 //Bind the IPSec policy to the interface.
#
interface GigabitEthernet2/0/0
ip address 10.3.1.1 255.255.255.0
#
ip route-static 10.1.1.0 255.255.255.0 10.4.1.2 //Configure a static route.
ip route-static 10.2.1.0 255.255.255.0 10.4.1.2
#
return
Step 4 Verify the configuration.
# Run the display l2tp tunnel command on the LAC or LNS. You can see that an L2TP tunnel and a session numbered 1 have been established.
# Run the display ike sa command on the LAC or Router_1. In the command output, Flag(s) is displayed as RD, indicating that an SA has been established successfully; Phase is displayed as 1 and 2.
# The headquarters and branch can ping each other.
----End
Configuration Notes
The PPP user name and password configured on the LAC (ppp chap user and ppp chap password under Virtual-Template1) must match the local user created on the LNS (local-user huawei), and the tunnel password must be the same on both ends.
On the LAC, the IPSec policy must be bound to the VT1 interface.
When you configure a static route on the LAC, the outbound interface in the route destined to the headquarters network segment must be the VT1 interface.
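As an added consistency check (not part of the original post or any Huawei tool), the following Python script audits the LAC and Router_1 configurations above against these notes: mirror-image ACLs, matching ESP proposals, the IPSec policy bound to Virtual-Template1, the route to the headquarters segment exiting via Virtual-Template1, and the LAC's IKE remote-address being the policy-bound interface on Router_1. It runs over constructed excerpts of the configurations shown in Steps 1 and 3 and assumes the plain indented text format of display current-configuration output.

```python
import re
# Constructed excerpts of the LAC and Router_1 configs above; only checked lines kept.
LAC_CFG = """\
acl number 3000
 rule 0 permit ip source 10.2.1.0 0.0.0.255 destination 10.3.1.0 0.0.0.255
ipsec proposal lac
 esp authentication-algorithm sha2-512
 esp encryption-algorithm aes-256
ike peer lac v1
 remote-address 10.4.1.1
interface Virtual-Template1
 ipsec policy lac
ip route-static 10.3.1.0 255.255.255.0 Virtual-Template1 10.1.1.1
"""
ROUTER1_CFG = """\
acl number 3000
 rule 0 permit ip source 10.3.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
ipsec proposal lac1
 esp authentication-algorithm sha2-512
 esp encryption-algorithm aes-256
interface GigabitEthernet1/0/0
 ip address 10.4.1.1 255.255.255.0
 ipsec policy lac1
"""

def block(cfg, header):
    """Indented lines under a top-level line such as 'interface Virtual-Template1'."""
    m = re.search(rf"^{re.escape(header)}\n((?: .*\n)*)", cfg, re.M)
    return m.group(1) if m else ""
def acl_pairs(cfg):
    """Set of (source, destination) wildcard pairs from 'rule N permit ip' lines."""
    return set(re.findall(r"rule \d+ permit ip source (\S+ \S+) destination (\S+ \S+)", cfg))
def audit(lac, router1):
    """Return a list of findings; an empty list means the two configs agree."""
    algos = lambda c: set(re.findall(r"esp \S+-algorithm (\S+)", c))
    findings = []
    if acl_pairs(lac) != {(d, s) for s, d in acl_pairs(router1)}:
        findings.append("ACL 3000 on LAC and Router_1 are not mirror images")
    if algos(lac) != algos(router1):
        findings.append("ESP algorithms differ between the two IPSec proposals")
    if "ipsec policy" not in block(lac, "interface Virtual-Template1"):
        findings.append("LAC IPSec policy is not bound to Virtual-Template1")
    for net in (d.split()[0] for _, d in acl_pairs(lac)):  # protected HQ segments
        if not re.search(rf"^ip route-static {re.escape(net)} \S+ Virtual-Template1", lac, re.M):
            findings.append(f"LAC route to {net} does not exit via Virtual-Template1")
    peer = re.search(r"remote-address (\S+)", lac).group(1)
    ge = block(router1, "interface GigabitEthernet1/0/0")
    if f"ip address {peer} " not in ge or "ipsec policy" not in ge:
        findings.append(f"Router_1 GigabitEthernet1/0/0 lacks {peer} or the IPSec policy binding")
    return findings
```

With the excerpts as shown, audit(LAC_CFG, ROUTER1_CFG) returns an empty list; changing an algorithm, the route's outbound interface, or the policy binding on either side produces the matching finding.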
That is all I want to share with you! Thank you!