
L2TP for Remote Dial-Up Users over two ISP

Created: Mar 27, 2021 22:24:43 | Latest reply: Mar 30, 2021 01:21:59 | 508 12 0 0 0
  HiCoins as reward: 0 (problem unresolved)

Hello!


I'm working on configuring L2TP on my AR651 Huawei router. I have two ISPs and I want the router to accept L2TP connections on both interfaces toward my ISPs. I decided to make a VPN instance to separate the L2TP groups. But the problem is that I can set the vpn-instance parameter in the l2tp-group section only if I've set the remote parameter (which means my client's hostname). It works for a branch-to-main-office scheme, but not for remotely connecting users. Is there any way to solve this problem?




Featured Answers

Recommended answer

chenhui
Admin Created Mar 29, 2021 07:14:13

Hello @VolanD
The L2TP group requires the remote name when the L2TP group number is not 1. When L2TP group 1 is used and the tunnel name is not specified, the default L2TP group receives L2TP connection requests sent by any remote end, and the tunnel name on the LAC side is not checked. This method can be used when the name of the remote tunnel end is unknown to the LNS.
Please allow the L2TP connection in group 1 when the remote device cannot specify a name.

VolanD
VolanD Created Mar 29, 2021 07:43:44 (0) (0)
But I cannot use the same l2tp-group for two ISP connections. My plan was to put them in two different vpn-instances. If I use l2tp-group 1 I don't need a remote name in my configuration. And it probably works for the global routing table. But what about the second l2tp-group in a separate vpn-instance? I must set the remote name parameter because of the allow command format:
allow l2tp virtual-template virtual-template-number [ remote remote-name [ vpn-instance vpn-instance-name ] ]
VolanD
VolanD Created Mar 29, 2021 07:45:13 (0) (0)
As you can see, the vpn-instance parameter follows the remote one. So I cannot set vpn-instance if I haven't set the remote parameter.
chenhui
chenhui Reply VolanD  Created Mar 29, 2021 07:59:57 (0) (0)
Well, maybe you can separate the mobile users and the HQ into two groups. For the HQ, you can use group 2 or any other group except group 1, and group 1 is used to connect the mobile users.
VolanD
VolanD Reply chenhui  Created Mar 29, 2021 09:08:25 (0) (0)
If I have two public IP addresses (for instance: XX.XX.XX.XX for ISP1 and YY.YY.YY.YY for ISP2) I must add a default route to my configuration so that mobile users can access the router. I cannot have two default routes in the global routing table. So if I want to use both ISP connections I have to separate the routing tables.
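The remote name the thread is arguing about is the Host Name AVP that a LAC sends in its SCCRQ control message. As an added example that is not part of the thread and not Huawei or VRP code, the Python below models how an LNS picks an l2tp-group from that AVP, with both constraints VolanD quotes built in (vpn-instance can only follow remote in the allow command; only group 1 may omit remote). The group numbers, the tunnel name "branch-lac", the vpn-instance "ISP2" and the SCCRQ packet are constructed for illustration, and the precedence of a named group over the unnamed group 1 is an assumption, not something the thread confirms.

```python
"""L2TPv2 SCCRQ parsing and LNS group selection (RFC 2661).

Added example, not code from the thread, from Huawei or from any VRP
release. It models the behaviour chenhui describes: a group configured
with an explicit remote name only accepts a LAC whose Host Name AVP
matches, while l2tp-group 1 configured without a remote name accepts
any LAC and does not check the tunnel name. Group numbers, the names
'branch-lac' / 'ISP2' and the sample packet are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# AVP attribute types (RFC 2661 section 4.4) and the SCCRQ message type.
AVP_MESSAGE_TYPE = 0
AVP_PROTOCOL_VERSION = 2
AVP_HOST_NAME = 7
AVP_ASSIGNED_TUNNEL_ID = 9
MSG_SCCRQ = 1


def build_avp(attr_type: int, value: bytes, mandatory: bool = True) -> bytes:
    """Encode one AVP: M/H flag bits + 10-bit length, Vendor ID 0, type, value."""
    length = 6 + len(value)
    flags_len = (0x8000 if mandatory else 0) | length
    return struct.pack("!HHH", flags_len, 0, attr_type) + value


def build_sccrq(host_name: str, tunnel_id: int = 0x1234) -> bytes:
    """Construct an SCCRQ as a LAC would send it (sample input, constructed here)."""
    body = (
        build_avp(AVP_MESSAGE_TYPE, struct.pack("!H", MSG_SCCRQ))
        + build_avp(AVP_PROTOCOL_VERSION, b"\x01\x00")
        + build_avp(AVP_HOST_NAME, host_name.encode())
        + build_avp(AVP_ASSIGNED_TUNNEL_ID, struct.pack("!H", tunnel_id))
    )
    # Control header: T=1, L=1, S=1, Ver=2; Tunnel/Session ID are 0 in an
    # SCCRQ (the peer has not assigned them yet); Ns=Nr=0 for the first message.
    flags_ver = 0x8000 | 0x4000 | 0x0800 | 0x0002
    header = struct.pack("!HHHHHH", flags_ver, 12 + len(body), 0, 0, 0, 0)
    return header + body


def parse_control_message(pkt: bytes) -> Dict[int, bytes]:
    """Return {attribute_type: value} for the IETF AVPs of an L2TPv2 control message."""
    (flags_ver,) = struct.unpack("!H", pkt[:2])
    if (flags_ver & 0x000F) != 2 or not (flags_ver & 0x8000):
        raise ValueError("not an L2TPv2 control message")
    if not (flags_ver & 0x4000) or not (flags_ver & 0x0800) or (flags_ver & 0x0200):
        raise ValueError("control messages must set L and S and clear O (RFC 2661 3.1)")
    (total,) = struct.unpack("!H", pkt[2:4])
    if total > len(pkt):
        raise ValueError("truncated message")
    pos = 12  # flags/ver, length, tunnel id, session id, Ns, Nr
    avps: Dict[int, bytes] = {}
    while pos < total:
        flags_len, vendor, attr_type = struct.unpack("!HHH", pkt[pos:pos + 6])
        length = flags_len & 0x03FF
        if length < 6 or pos + length > total:
            raise ValueError("malformed AVP")
        if vendor == 0:
            avps[attr_type] = pkt[pos + 6:pos + length]
        pos += length
    return avps


@dataclass
class L2tpGroup:
    """One `l2tp-group N` with its `allow l2tp virtual-template ...` line."""
    number: int
    virtual_template: int
    remote: Optional[str] = None        # `remote <name>`: LAC tunnel name accepted
    vpn_instance: Optional[str] = None  # `vpn-instance <name>`: only with `remote`

    def __post_init__(self) -> None:
        # The two constraints the thread runs into.
        if self.vpn_instance is not None and self.remote is None:
            raise ValueError("vpn-instance can only follow remote in the allow command")
        if self.remote is None and self.number != 1:
            raise ValueError("only l2tp-group 1 may omit the remote name")


def lac_host_name(sccrq: bytes) -> str:
    """Extract the tunnel name the LAC announces in its Host Name AVP."""
    avps = parse_control_message(sccrq)
    (msg_type,) = struct.unpack("!H", avps[AVP_MESSAGE_TYPE])
    if msg_type != MSG_SCCRQ:
        raise ValueError("expected SCCRQ")
    return avps.get(AVP_HOST_NAME, b"").decode("utf-8", errors="replace")


def select_group(groups: List[L2tpGroup], sccrq: bytes) -> Optional[L2tpGroup]:
    """Pick the group that terminates this tunnel, or None to reject it.

    Assumed order (not confirmed by the thread): a group whose `remote`
    equals the announced Host Name wins; otherwise the unnamed group 1
    takes the tunnel without checking the name.
    """
    host = lac_host_name(sccrq)
    for g in groups:
        if g.remote is not None and g.remote == host:
            return g
    for g in groups:
        if g.number == 1 and g.remote is None:
            return g
    return None


if __name__ == "__main__":
    # Constructed configuration mirroring the thread:
    #   l2tp-group 1: allow l2tp virtual-template 1
    #   l2tp-group 2: allow l2tp virtual-template 2 remote branch-lac vpn-instance ISP2
    cfg = [L2tpGroup(1, 1), L2tpGroup(2, 2, remote="branch-lac", vpn_instance="ISP2")]
    for name in ("branch-lac", "alice-pc"):
        g = select_group(cfg, build_sccrq(name))
        print(f"LAC {name!r} -> l2tp-group {g.number} (vpn-instance {g.vpn_instance})")
```

Note the security caveat this makes visible: the Host Name AVP is a cleartext string chosen by the client, so matching a group on `remote` is a dispatch decision, not authentication. Identity comes from L2TP tunnel authentication (the Challenge and Challenge Response AVPs, RFC 2661 section 5.1) and from PPP authentication on the virtual template; a group 1 that accepts any name is only as safe as those two checks.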
All Answers

VolanD
VolanD Created Mar 28, 2021 11:45:15 (0) (0)
Thank you for your reply. But unfortunately this is not my case. In my network I don't have L2TP client routers, only users' PCs connecting to the LNS via two ISPs. My plan was to put the l2tp-groups in two separate vpn-instances. And it works if I use the client's hostname as the remote parameter in the l2tp-group allow section. But in real life I have many clients with different hostnames. That means I cannot use an l2tp-group in a separate VPN for remote clients, only if I have predefined L2TP client routers.
Hello VolanD,
First of all, it's possible to configure two default routes in the global routing table, in which case the traffic will be load-balanced across these two routes.
Back to your question, I'm not sure why you want two default routes in the global routing table. Actually, you configured the VPN-instance to separate the two ISPs, so why not configure the default route for the VPN-instance separately?
In addition, could you please describe your question in more detail? So far I'm still confused about why you want two default routes in the global routing table.

VolanD
VolanD Created Mar 30, 2021 07:14:02 (0) (0)
Hello! Thank you for your reply! I've added a network diagram to my first message. I need default routes because I want my mobile users to be able to connect to XX.XX.XX.XX or YY.YY.YY.YY. If I have two default routes in the global table I face a situation where a user connected to XX.XX.XX.XX receives a reply with source YY.YY.YY.YY (because of balancing). On the other hand, I can add a default route in the vpn-instance, but then I cannot bind the l2tp-group to this vpn-instance.
chenhui
chenhui Reply VolanD  Created Mar 30, 2021 09:35:01 (0) (0)
Sorry, but I don't know why the user cannot visit XX.XX.XX.XX. From my understanding, when connecting from the internet, the users should be able to visit your public IP XX.XX.XX.XX.
VolanD
VolanD Reply chenhui  Created Mar 30, 2021 10:30:00 (0) (0)
Because if I have two defaults in my configuration, the router replies with XX.XX.XX.XX or YY.YY.YY.YY as the source address. AFAIK Huawei doesn't track users' connections. In that case, a user may initiate his L2TP on the XX.XX.XX.XX address, but the router (if it has two defaults) replies from the second interface YY.YY.YY.YY, and then the user's L2TP client stops the connection.
chenhui
chenhui Reply VolanD  Created Mar 31, 2021 03:43:18 (0) (0)
I see. I'm sorry, but there is no perfect solution for your scenario. Maybe you can consider not separating the L2TP groups.
