Specifications
This example applies to all AR models of V200R002C00 and later versions.
Networking Requirements
Traveling employees access the enterprise network from different locations, and they want to communicate with the headquarters frequently. As shown in Figure 1-1, traveling employees connect to the headquarters by dialing up using their Android phones, and the headquarters can authenticate and manage access users. In addition, communication between the traveling employees and headquarters is encrypted to prevent information leakage.
Figure 1-1 Connecting Android phones of mobile office users to the headquarters through L2TP over IPSec
The commands used to configure IKE peers and the IKE protocol differ depending on the software version.
• In versions earlier than V200R008:
  ike peer peer-name [ v1 | v2 ]
• In V200R008 and later versions:
  • To configure IKE peers: ike peer peer-name
  • To configure the IKE protocol: version { 1 | 2 }
By default, IKEv1 and IKEv2 are both enabled. An initiator uses IKEv2 to initiate a negotiation request, while a responder accepts either IKEv1 or IKEv2. To initiate a negotiation request using IKEv1, run the undo version 2 command.
Procedure
Step 1 Configure the Router.
#
sysname Router
#
l2tp enable //Enable L2TP.
#
acl number 3101 //Define the data flow (address segments) to be protected by IPSec.
rule 5 permit ip source 3.3.3.0 0.0.0.255 destination 1.1.1.0 0.0.0.255
#
ipsec proposal tran1 //Configure the authentication and encryption algorithms for the IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 10 //Configure the authentication, encryption, and DH group algorithms for the IKE proposal.
encryption-algorithm aes-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike peer a //Set the pre-shared key of the IKE peer to Admin@123.
pre-shared-key cipher %^%#/[$;=)q~,Fj9_s4|M>R9S%]QG,x&[6X]4"@eOs{E%^%#
ike-proposal 10
#
ipsec policy-template policy_temp 1 //Configure an IPSec policy template and reference related parameters.
security acl 3101
ike-peer a
proposal tran1
#
ipsec policy policy1 10 isakmp template policy_temp //Configure an IPSec policy and associate it with the IPSec policy template.
#
ip pool 1 //Configure the device to allocate IP addresses to L2TP clients from the IP address pool.
gateway-list 10.2.1.1
network 10.2.1.0 mask 255.255.255.0
#
aaa //Configure AAA local authentication and set the user name and password to vpdnuser and Hello123.
authentication-scheme l2tp
domain l2tp
authorization-scheme l2tp
local-user vpdnuser password cipher %^%#!~$GMN5Gj=j&f)IjQ8\>~b\-1"i^b@~.)+,2gi9K%^%#
local-user vpdnuser privilege level 0
local-user vpdnuser service-type ppp
#
interface GigabitEthernet1/0/1
ip address 1.1.1.2 255.255.255.0
ipsec policy policy1 //Bind an IPSec policy to the interface and enable IPSec.
#
interface GigabitEthernet1/0/2
ip address 10.1.1.1 255.255.255.0
#
interface Virtual-Template1 //Create a VT template and configure dial-up parameters.
ppp authentication-mode chap domain l2tp //Configure an authentication mode and specify that authentication information carries the domain name.
remote address pool 1 //Reference the IP address pool.
ip address 10.2.1.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and configure L2TP connection parameters.
undo tunnel authentication //Mobile phone L2TP clients do not support tunnel authentication, so disable it here; the IPSec SA protects the tunnel instead.
allow l2tp virtual-template 1
#
ip route-static 3.3.3.0 255.255.255.0 1.1.1.1
ip route-static 10.1.1.0 255.255.255.0 Virtual-Template1
#
return
Step 2 Configure the Android phone.
On the phone, create an L2TP/IPSec PSK VPN connection to the Router's address 1.1.1.2. Set the IPSec pre-shared key to Admin@123, which is the same as the pre-shared key configured for IKE peer a on the Router, and use the user name vpdnuser and password Hello123 configured under AAA for the L2TP login.
Step 3 Verify the configuration.
Enable the VPN connection on the Android phone. The phone reports that the VPN connection is established.
Run the display l2tp tunnel command on the Router. The output shows that an L2TP tunnel has been established.
Run the display ike sa command on the Router. The output shows that an IKE SA has been established with the phone.
After the configuration is complete, the traveling employee and the headquarters can exchange encrypted data.
----End
Configuration Notes
• The pre-shared key for IKE negotiation at both ends must be the same. Because the IPSec policy template references a single IKE peer, every traveling employee's phone uses this same pre-shared key; per-user authentication is provided by the PPP CHAP login against the local users in the l2tp domain, not by IKE.
• Tunnel authentication must be disabled on the Router if the L2TP client does not support tunnel authentication.
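The settings the notes above depend on (a pre-shared key on the IKE peer, tunnel authentication disabled, CHAP on the virtual template, and the algorithm choices in the IKE and IPSec proposals) can be checked mechanically before the Router goes live. The following Python script is an added example, not part of this page or of Huawei's own tooling: it parses a VRP configuration text in the '#'-separated form shown in Step 1, flags weak algorithms, dangling references between the IPSec policy template, IKE peer and proposals, and a missing or PAP-only PPP authentication mode, and reports the disabled tunnel authentication as informational. The embedded sample is constructed from Step 1 with the ciphertext key shortened; the weak-algorithm keyword sets are an assumption of the example.

```python
"""Audit a Huawei VRP-style configuration for the L2TP over IPSec settings
shown in this example.  Added example, not part of the original page or of
Huawei's tooling.  Assumes the configuration text (e.g. pasted from
display current-configuration) uses '#' lines as block separators, as the
Step 1 listing does, and contains no '//' outside doc-style annotations."""

# Constructed from the Step 1 router configuration; the ciphertext key is shortened.
STRONG_CONFIG = """\
#
acl number 3101
rule 5 permit ip source 3.3.3.0 0.0.0.255 destination 1.1.1.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 10
encryption-algorithm aes-128
dh group14
authentication-algorithm sha2-256
#
ike peer a
pre-shared-key cipher %^%#...%^%#
ike-proposal 10
#
ipsec policy-template policy_temp 1
security acl 3101
ike-peer a
proposal tran1
#
interface Virtual-Template1
ppp authentication-mode chap domain l2tp
#
l2tp-group 1
undo tunnel authentication
#
return
"""

# Assumed keyword sets: VRP algorithm names a practitioner should reject for a new deployment.
WEAK_ENCRYPTION = {"des", "3des", "des-cbc", "3des-cbc"}
WEAK_INTEGRITY = {"md5", "sha1"}
WEAK_DH = {"group1", "group2", "group5"}
# policy-template sub-command -> header prefix of the object it must reference
REFERENCES = {"ike-peer": "ike peer", "proposal": "ipsec proposal", "security": "acl number"}


def parse_blocks(text):
    """Split the configuration at '#' lines into (header, [sub-commands]) blocks."""
    blocks, current = [], []
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop doc-style trailing annotations
        if line == "#":
            if current:
                blocks.append((current[0], current[1:]))
            current = []
        elif line and line != "return":
            current.append(line)
    if current:
        blocks.append((current[0], current[1:]))
    return blocks


def audit(text):
    """Return (severity, message) findings; no high/medium findings means the checks pass."""
    blocks = parse_blocks(text)
    headers = {h for h, _ in blocks}
    findings = []
    for header, subs in blocks:
        w = header.split()
        if w[:2] in (["ike", "proposal"], ["ipsec", "proposal"]):
            for s in subs:
                p = s.split()
                weak = ((p[-1] in WEAK_ENCRYPTION and "encryption-algorithm" in p)
                        or (p[-1] in WEAK_INTEGRITY and "authentication-algorithm" in p)
                        or (p[-1] in WEAK_DH and p[0] == "dh"))
                if weak:
                    findings.append(("high", f"{header}: weak algorithm '{s}'"))
        elif w[:2] == ["ike", "peer"]:
            psk = [s.split() for s in subs if s.startswith("pre-shared-key")]
            if not psk:
                findings.append(("high", f"{header}: no pre-shared key configured"))
            elif psk[0][1] == "simple":
                findings.append(("medium", f"{header}: pre-shared key stored in plaintext"))
            for s in subs:
                if s.startswith("ike-proposal") and f"ike proposal {s.split()[-1]}" not in headers:
                    findings.append(("high", f"{header}: references missing '{s}'"))
        elif w[:2] == ["ipsec", "policy-template"]:
            for s in subs:
                p = s.split()
                if p[0] in REFERENCES and f"{REFERENCES[p[0]]} {p[-1]}" not in headers:
                    findings.append(("high", f"{header}: references missing '{s}'"))
        elif w[0] == "interface" and w[1].startswith("Virtual-Template"):
            modes = [s.split() for s in subs if s.startswith("ppp authentication-mode")]
            if not modes:
                findings.append(("high", f"{header}: no PPP authentication mode, clients are not authenticated"))
            elif "pap" in modes[0]:
                findings.append(("medium", f"{header}: PAP carries the PPP password unhashed; prefer CHAP"))
        elif w[0] == "l2tp-group" and "undo tunnel authentication" in subs:
            findings.append(("info", f"{header}: tunnel authentication disabled, IPSec alone protects the tunnel"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(STRONG_CONFIG):
        print(f"[{severity}] {message}")
```

Run against the Step 1 configuration the script reports only the informational finding about disabled tunnel authentication; swapping the proposals to 3des/md5/group2 or the virtual template to PAP makes the corresponding high and medium findings appear, which is the regression check to keep in a pre-change review.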