Got it

How to configure L2TP over IPSec with Nat Traversal? [Insider sharing] Highlighted

Latest reply: Apr 23, 2018 14:41:21 14299 14 1 0 0

Hello, VPN addicts! 

Check this post that explains how to configure L2TP over IPSec with Nat Traversal! Let’s find a simple way to connect securely to the branch office. 


What do you think about the L2TP over IPSec with NAT traversal VPN solution? L2TP is widely deployed on the enterprise network and as a traveling employee, you can start dialup session so gateway can identify you and manage your access.

Of course, we need to ensure security, traffic should be encapsulated through IPSec and gateway branch router should function as LNS with firewall service deployed.

Usually when you travel your internet connection goes through NAT device. So we will need to consider enabling NAT traversal feature for IKE.

Let's assume that your branch office router is a AR 157 and you are located somewhere in the internet.

To make it simple we can divide the AR157 configuration in 3 parts. 


l2tp enable                         //Enable
ip pool lns                         //Create an IP address pool named lns
from which IP addresses are allocated to access users.
 network mask
aaa                                                         //Configure the user name and password for L2TP access.
 local-user admin password cipher
 local-user admin server-type ppp      
interface Virtual-Template1                           //Create an L2TP group and set
parameters for creating an L2TP tunnel.
 ppp authentication-mode pap                                //Choose the authetication
mode between CHAP and PAP.
 remote address pool lns                                                    //Bind ip pool to the logical
 ip address                                       //gateway ip address.
l2tp-group 1
 undo tunnel authentication                                     //The non-authentication
mode is recommended for PC dialup.
 allow l2tp virtual-template 1                                                        //Bind
logical interface to the group.


 ike local-name xp       //Use the local name for
IKE negotiation. The local name must be used for NAT traversal in IPSec.
ipsec proposal 1
ike peer xp v1                                                                  
 exchange-mode aggressive         //Configure the aggressive
mode. NAT traversal can be only used in aggressive mode.
 pre-shared-key simple huawei                                               //Pre-shared-key huawei is used.
 local-id-type name                                                    //Set the local ID type
to name in IKE negotiation.
 nat traversal                                                                              //Enable NAT
ipsec policy-template
xptemp 2                     //Configure an IPSec
policy template so that negotiation requests from                                                                            //multiple PCs can be processed. 
 ike-peer xp                                                                   
 proposal 1
ipsec policy xp 1 isakmp
template xptemp                                   //Reference an IPSec
policy template in an IPSec policy.
 ip address
 ipsec policy xp                                                                                         //Bind the IPSec
policy to the interface.


acl number 3001                                                                                    //Configure an ACL.
 rule 5 permit udp destination-port eq
1701                //Configure an ACL rule to allow
packets from a specified L2TP port.
 rule 10 permit udp destination-port eq 4500                       //Configure an ACL rule to allow packets from a specified                                                                                                             //L2TP port after NAT
traveral in IPSec.
 rule 15 permit udp destination-port eq
500                //Configure an ACL rule to allow
packets from a specified L2TP port                                                                                                              //before NAT traveral in IPSec.
firewall zone untrust                                                                               //Set zone priorities.                             
 priority 1                                                                    
firewall zone trust                                                         
priority 15                                                                   
firewall interzone trust
untrust                                                 //Configure interzone policy.                                            
 firewall enable                                                               
 packet-filter 3001 inbound                                      //Configure the firewall and
enable packet filtering.
GigabitEthernet1/0/0                                         //Add WAN
interface to untrust zone.
 zone untrust

The router configuration is now over. We should focus on the PC. I recommend using the Huawei made Secoway Client. Is quite easy to use. 

Configuration steps

1. Set up the LNS server IP address, username and password.

2. Set up PAP as authentication mode.

3. Adjust IPSec settings.

4. Configure IKE exchange mode, ID type and remote gateway name as below.

VPN client configuration is over. Initialize the tunnel from the VPN client side. Once IPSEC connection is up and running, AR 157 will send assign an IP address to the PC and open access.

On the AR side, if the tunnel is up, we can observe IKE pass phase 1 and phase 2, and IPSec  ESP SAs  are available for inbound and outbound:

<AR157VW>dis ike sa                                                             
       Conn-ID  Peer            VPN   Flag(s)                Phase                 
            72  0     RD                     2                     
            71  0     RD                     1                     
       Flag Description:                                                             

<AR157VW>dis ipsec sa   
          [Outbound ESP SAs]                                                                SPI: 430133074 (0x19a34f52)                                                     Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5                                       SA remaining key duration (bytes/sec): 1887410207/3451                          Max sent sequence-number: 309                                                   UDP encapsulation used for NAT traversal: Y                                                                                                                   [Inbound ESP SAs]                                                                 SPI: 857401420 (0x331ae84c)                                                     Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5                                       SA remaining key duration (bytes/sec): 1887400228/3451                          Max received sequence-number: 411                                               Anti-replay window size: 32                                                     UDP encapsulation used for NAT traversal: Y

The L2TP tunnel is up and we have an IP address associated to the remote peer device:

<AR157VW>dis l2tp tunnel                                                        
                 Total tunnel = 1                                                               
                  LocalTID   RemoteTID     RemoteAddress     Port    Sessions      RemoteName                 
                         2              1            2193         1

That's all about how to configure L2TP over IPSec with Nat Traversal. If you have anything to add, please leave a comment below.

  • x
  • convention:

Created Jan 10, 2014 00:50:02

thank you for your sharing !
View more
  • x
  • convention:

Created Sep 18, 2014 11:30:23

Hi! How can I configure on AR2240 L2TP over IPSec with Nat Traversal in the standard way in Win 7, without the Huawei Secospace Client?
View more
  • x
  • convention:

Created Sep 18, 2014 12:43:19

you can check below link, but it didn't use nat traversal.

The problem is with NAT traversal, i'm not sure Windows support this feature. 

View more
  • x
  • convention:

Created Sep 18, 2014 13:50:05

This only l2tp, without ipsec, and need to edit the registry.

Maybe have another way? Easy connect remote users to the internal network in the headquarters.

View more
  • x
  • convention:

Created Sep 18, 2014 14:08:21

it is L2tp over IPSEC, check the whole configuration. Indeed is necessary to modify that registry, but it will work. 

The easy way is to use the Secoway client. 

View more
  • x
  • convention:

Created Sep 18, 2014 14:43:01

But this ways not for me. Will install linux, would configure l2tp/ipsec server. For remote users on win 7 it config easier. Thank you for answers, have a nice day!
View more
  • x
  • convention:

Created Apr 24, 2015 14:25:35

I can not download the software for VPN access, can you help me pliss?

View more
  • x
  • convention:

Created Dec 30, 2014 10:27:23

Where can you download the Secoway client?
View more
  • x
  • convention:

Created Jan 5, 2015 07:46:14

follow this link:|7919710|9858768|9859116|8640581&fastLocation=fastLocation

View more
  • x
  • convention:

Back to list


You need to log in to comment to the post Login | Register

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " User Agreement."

My Followers

Login and enjoy all the member benefits


Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Please bind your phone number to obtain invitation bonus.