
[Gateway Whiz]Connecting Android Phones to Headquarters Through L2TP over IPSec

Latest reply: May 22, 2017 10:20:38


This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements

Traveling employees access the enterprise network from different locations, and they want to communicate with the headquarters frequently. As shown in Figure 1-1, traveling employees connect to the headquarters by dialing up using their Android phones, and the headquarters can authenticate and manage access users. In addition, communication between the traveling employees and headquarters is encrypted to prevent information leakage.

Figure 1-1 Connecting Android phones of mobile office users to the headquarters through L2TP over IPSec




The commands used to configure IKE peers and the IKE version differ depending on the software version.

  • In versions earlier than V200R008:
    ike peer peer-name [ v1 | v2 ]
  • In V200R008 and later versions:
    To configure an IKE peer: ike peer peer-name
    To configure the IKE version: version { 1 | 2 }

By default, IKEv1 and IKEv2 are both enabled. An initiator uses IKEv2 to initiate a negotiation, while a responder accepts either IKEv1 or IKEv2. To initiate a negotiation using IKEv1, run the undo version 2 command. In this example the Router uses an IPSec policy template, so it only responds to negotiations started by the phone and accepts whichever IKE version the phone's client uses.


Step 1 Configure the Router.

 sysname Router
 l2tp enable   //Enable L2TP.
acl number 3101   //Configure the IP address segment that permits IPSec encryption.
 rule 5 permit ip source destination
ipsec proposal tran1   //Configure the authentication and encryption algorithms for the IPSec proposal.
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
ike proposal 10   //Configure the authentication, encryption, and DH group algorithms for the IKE proposal.
 encryption-algorithm aes-128   //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
 dh group14                       
 authentication-algorithm sha2-256  
ike peer a   //Set the pre-shared key of the IKE peer to Admin@123.
 pre-shared-key cipher %^%#/[$;=)q~,Fj9_s4|M>R9S%]QG,x&[6X]4"@eOs{E%^%#
 ike-proposal 10
ipsec policy-template policy_temp 1   //Configure an IPSec policy template and reference related parameters. A template lets the Router respond to clients whose addresses are not known in advance; it cannot initiate negotiations itself.
 security acl 3101
 ike-peer a
 proposal tran1
ipsec policy policy1 10 isakmp template policy_temp   //Configure an IPSec policy and associate it with the IPSec policy template.
ip pool 1   //Configure the device to allocate IP addresses to L2TP clients from the IP address pool.
 network mask 

aaa   //Configure AAA local authentication and set the user name and password to vpdnuser and Hello123.
 authentication-scheme l2tp 
 domain l2tp 
  authorization-scheme l2tp
 local-user vpdnuser password cipher %^%#!~$GMN5Gj=j&f)IjQ8\>~b\-1"i^b@~.)+,2gi9K%^%#
 local-user vpdnuser privilege level 0   //Dial-up users only need PPP access, so keep the lowest privilege level.
 local-user vpdnuser service-type ppp

interface GigabitEthernet1/0/1
 ip address
 ipsec policy policy1   //Bind an IPSec policy to the interface and enable IPSec.
interface GigabitEthernet1/0/2
 ip address
interface Virtual-Template1   //Create a VT template and configure dial-up parameters.
 ppp authentication-mode chap domain l2tp   //Configure an authentication mode and specify that authentication information carries the domain name.
 remote address pool 1   //Reference the IP address pool.
 ip address
l2tp-group 1   //Create an L2TP group and configure L2TP connection parameters.
 undo tunnel authentication   //The built-in L2TP client on mobile phones does not support tunnel authentication, so disable it on the Router; the IPSec policy bound to the interface protects the tunnel instead.
 allow l2tp virtual-template 1
ip route-static
ip route-static Virtual-Template1


Step 2 Configure the Android phone.

On the phone, add a VPN of type L2TP/IPSec PSK, set the server address to the IP address of GigabitEthernet1/0/1 on the Router, and set the IPSec pre-shared key to Admin@123, which is the same as the IPSec pre-shared key configured on the Router. When connecting, use the user name vpdnuser and the password Hello123 configured under aaa on the Router.

Step 3 Verify the configuration.

Enable the VPN connection on the Android phone. The phone shows that the VPN connection is established.

Run the display l2tp tunnel command on the Router. The output shows that an L2TP tunnel is established.

Run the display ike sa command on the Router. The output shows that an IKE SA is established. Run the display ipsec sa command to confirm that the IPSec SA protecting the L2TP traffic is also established.

After the configuration is complete, the traveling employee and the headquarters can exchange encrypted data.


Configuration Notes

  • The pre-shared key for IKE negotiation at both ends must be the same.
  • Tunnel authentication must be disabled on the Router if the L2TP client does not support tunnel authentication. The IPSec policy is then the only protection of the L2TP tunnel, so make sure it is bound to the interface that receives the L2TP connections.
  • The IPSec pre-shared key is shared by every phone that dials in, and Admin@123 and Hello123 are example values only. Use strong credentials in production and change the pre-shared key when an employee who knows it leaves the company.
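The notes above are the checks a reviewer applies to a configuration like the one in Step 1. The following Python script is an added example, not code from the original post or from Huawei: it parses configuration text in the form shown in Step 1 (indentation marks nesting, // starts an inline comment) and reports weak IKE/IPSec algorithms, plaintext secrets, disabled tunnel authentication and dial-up users with a non-zero privilege level. The two embedded configurations are constructed samples (one hardened like the post, one deliberately weak), and the list of algorithms treated as weak is an assumption of this example.

```python
"""Audit a Huawei AR L2TP-over-IPSec configuration for weak settings.

Added example; not code from the original post or from Huawei. It reads
configuration text in the form shown in Step 1 (indentation marks nesting,
'//' starts an inline comment) and reports the settings a reviewer checks.
"""
import re

# Algorithm and DH-group names this audit treats as weak. This list is an
# assumption of the example, not a list from the post or the product.
WEAK_ALGORITHMS = {"des", "3des", "md5", "sha1", "group1", "group2", "group5"}


def parse_config(text):
    """Split configuration text into (header, [subcommands]) sections.

    A line without leading whitespace opens a section; indented lines belong
    to the most recently opened one. Indented lines before the first header
    (such as 'l2tp enable') land in a synthetic '<global>' section.
    """
    sections = [("<global>", [])]
    for raw in text.splitlines():
        line = re.split(r"\s//", raw, maxsplit=1)[0].rstrip()
        if not line.strip():
            continue
        if line[0].isspace():
            sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections


def audit(sections):
    """Return a list of findings (strings) for parsed configuration sections."""
    findings = []
    for header, body in sections:
        words = header.split()
        kind = " ".join(words[:2])
        if kind in ("ipsec proposal", "ike proposal"):
            # The last token of each proposal line is the algorithm or DH group.
            for cmd in body:
                if cmd.split()[-1] in WEAK_ALGORITHMS:
                    findings.append(f"{header}: weak algorithm in '{cmd}'")
        elif kind == "ike peer":
            for cmd in body:
                if cmd.startswith("pre-shared-key simple "):
                    findings.append(f"{header}: pre-shared key stored in plaintext")
        elif words[0] == "l2tp-group":
            if "undo tunnel authentication" in body:
                findings.append(
                    f"{header}: L2TP tunnel authentication disabled; "
                    "the IPSec policy is the only protection of the tunnel")
        elif words[0] == "aaa":
            for cmd in body:
                m = re.fullmatch(r"local-user (\S+) privilege level (\d+)", cmd)
                if m and int(m.group(2)) > 0:
                    findings.append(
                        f"aaa: dial-up user '{m.group(1)}' has privilege level "
                        f"{m.group(2)}, expected 0 for a PPP-only user")
                if re.fullmatch(r"local-user \S+ password simple \S+", cmd):
                    findings.append("aaa: user password stored in plaintext")
    return findings


def audit_config(text):
    """Convenience wrapper: parse and audit configuration text in one call."""
    return audit(parse_config(text))


# Constructed sample mirroring the post's configuration (secrets redacted).
HARDENED_CONFIG = """\
 sysname Router
 l2tp enable
ipsec proposal tran1   //Authentication and encryption algorithms for IPSec.
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
ike proposal 10
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
ike peer a
 pre-shared-key cipher %^%#REDACTED%^%#
 ike-proposal 10
aaa
 local-user vpdnuser password cipher %^%#REDACTED%^%#
 local-user vpdnuser privilege level 0
 local-user vpdnuser service-type ppp
l2tp-group 1
 undo tunnel authentication
 allow l2tp virtual-template 1
"""

# Constructed sample with the settings a reviewer should reject.
WEAK_CONFIG = """\
 l2tp enable
ipsec proposal tran1
 esp authentication-algorithm md5
 esp encryption-algorithm 3des
ike proposal 10
 encryption-algorithm aes-128
 dh group2
 authentication-algorithm sha1
ike peer a
 pre-shared-key simple Admin@123
 ike-proposal 10
aaa
 local-user vpdnuser password simple Hello123
 local-user vpdnuser privilege level 15
 local-user vpdnuser service-type ppp
l2tp-group 1
 undo tunnel authentication
 allow l2tp virtual-template 1
"""

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(f"== {name} ==")
        for finding in audit_config(text):
            print("  " + finding)
```

The hardened sample produces a single informational finding (tunnel authentication disabled, which this scenario requires), while the weak sample is flagged on every line that matters. To run it against a real device, paste the output of display current-configuration into the script's input; only the section headers and indentation the parser relies on need to match the form shown above.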


Created May 22, 2017 10:20:38

View more
  • x
  • convention:


You need to log in to comment to the post Login | Register

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " User Agreement."

My Followers

Login and enjoy all the member benefits


Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Please bind your phone number to obtain invitation bonus.
Information Protection Guide
Thanks for using Huawei Enterprise Support Community! We will help you learn how we collect, use, store and share your personal information and the rights you have in accordance with Privacy Policy and User Agreement.