L2TP over IPSec for Remote Dial-Up Users having Problem with AR Router

Created: Feb 13, 2019 02:54:12 | Latest reply: Feb 18, 2019 09:31:52
  Rewarded HiCoins: 3 (problem resolved)

Hi, I am using the AR2200 router to establish an L2TP over IPSec connection to connect from my laptop at home to the office.


My configuration is completed and as per the link below. 


 https://support.huawei.com/enterprise/en/doc/EDOC1000138063/47f7bc84/example-for-configuring-l2tp-over-ipsec-for-remote-dial-up-users-to-connect-to-the-headquarters 



Once the configuration is completed and I connect the VPN, it starts connecting and after some time it stops automatically without giving an error (Windows 10 is used on my laptop and I am using the built-in client). I don't have a direct public IP address; it is connected through Wi-Fi. On the router side, I see a valid IKE SA and IPSec SA for some time, but there is no L2TP session.



Router  

==== 



<HQ-R>display ike sa
Conn-ID    Peer                  VPN                             Flag(s)               Phase
  ----------------------------------------------------------------------------------------------
3189       49.178.52.144:64524                                   RD|A                  v1:2
3188       49.178.52.144:64524                                   RD|A                  v1:1
Number of IKE SA : 2
  --------------------------------------------------------------------------------------------


<HQ-R>display ipsec sa

ipsec sa information:

===============================
Interface: GigabitEthernet0/0/0
===============================

  -----------------------------
  IPSec policy name: "Remote1_Connect"
  Sequence number  : 10
  Acl group        : 0
  Acl rule         : 0
  Mode             : Template
  -----------------------------
    Connection ID     : 3193
    Encapsulation mode: Transport
    Tunnel local      : 87.55.32.210
    Tunnel remote     : 49.178.52.144
    Flow source       : 87.55.32.210/255.255.255.255 17/1701
    Flow destination  : 49.178.52.144/255.255.255.255 17/63890

    [Outbound ESP SAs]
      SPI: 1597022986 (0x5f30a30a)
      Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
      SA remaining key duration (kilobytes/sec): 250000/3598
      Outpacket count       : 0
      Outpacket encap count : 0
      Outpacket drop count  : 0
      Max sent sequence-number: 0
      UDP encapsulation used for NAT traversal: Y

    [Inbound ESP SAs]
      SPI: 3932576243 (0xea6659f3)
      Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
      SA remaining key duration (kilobytes/sec): 250000/3598
      Inpacket count        : 2
      Inpacket decap count  : 2
      Inpacket drop count   : 0
      Max received sequence-number: 2
      UDP encapsulation used for NAT traversal: Y
      Anti-replay : Enable
      Anti-replay window size: 1024

Username and password are correct.  



#
l2tp-group 1
 undo tunnel authentication
 allow l2tp virtual-template 1
#
interface Virtual-Template1
 ppp authentication-mode chap
 remote address pool lns
 ppp chap user l2tp
 ppp chap password cipher %^%#XW@B!!ckF.Vq<LGmzjvQhZ%/U(gBrHpy.x/=a^dT%^%#
 ip address 192.168.200.1 255.255.255.0
 l2tp-auto-client enable
#







=================================================================== 


IPSec Connectivity  


#
ike peer Remote_Connect
 undo version 2
 pre-shared-key cipher %^%#S%}b$0&d!8fkeG2+M^8:}1tcR(7m<%29&1;#i=KX%^%#
 ike-proposal 2
#
ipsec policy Remote1_Connect 10 isakmp template Remote_Connect
#
ipsec policy-template Remote_Connect 10
 ike-peer Remote_Connect
 proposal Remote_Connect
#
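
The `display ipsec sa` counters in the post above show two inbound packets decapsulated and no outbound packets on the UDP 1701 flow. As an added example (not part of the original post and not Huawei tooling), this Python code parses that output and classifies the SA by traffic direction; the function names, verdict strings and hints are assumptions made for illustration.

```python
import re

# Excerpt of the `display ipsec sa` output posted above (flow and counter lines only).
SAMPLE = """\
Flow source       : 87.55.32.210/255.255.255.255 17/1701
Flow destination  : 49.178.52.144/255.255.255.255 17/63890
[Outbound ESP SAs]
  Outpacket count       : 0
  Outpacket encap count : 0
  Outpacket drop count  : 0
[Inbound ESP SAs]
  Inpacket count        : 2
  Inpacket decap count  : 2
  Inpacket drop count   : 0
"""

def parse_sa(text):
    """Split the output into 'flow', 'outbound' and 'inbound' field dictionaries."""
    sa = {"flow": {}, "outbound": {}, "inbound": {}}
    section = "flow"
    for line in text.splitlines():
        header = re.match(r"\s*\[(Outbound|Inbound) ESP SAs\]", line)
        if header:
            section = header.group(1).lower()
            continue
        key, sep, value = line.partition(":")
        if sep:
            sa[section][key.strip()] = value.strip()
    return sa

def diagnose(sa):
    """Classify the SA by traffic direction; returns (verdict, hint)."""
    sent = int(sa["outbound"].get("Outpacket encap count", 0))
    rcvd = int(sa["inbound"].get("Inpacket decap count", 0))
    drops = (int(sa["outbound"].get("Outpacket drop count", 0))
             + int(sa["inbound"].get("Inpacket drop count", 0)))
    l2tp = sa["flow"].get("Flow source", "").endswith("17/1701")
    if drops:
        return "esp-drops", "packets dropped at the ESP layer; check the drop reason on the router"
    if rcvd and not sent:
        layer = "L2TP (UDP 1701)" if l2tp else "the protected flow"
        return "one-way-inbound", f"router decapsulated {rcvd} packets but sent none; check {layer} handling on the router"
    if sent and not rcvd:
        return "one-way-outbound", "router sends but receives nothing; check NAT and filters toward the client"
    if sent and rcvd:
        return "bidirectional", "ESP carries traffic both ways; look at PPP authentication next"
    return "no-traffic", "SA is up but unused; the client never sent L2TP"

if __name__ == "__main__":
    print(diagnose(parse_sa(SAMPLE)))
```

A `one-way-inbound` verdict means IKE and ESP negotiation succeeded and the place to look is above IPsec on the router, which matches the symptom of valid SAs with no L2TP session.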



All Answers
WheatGrass Created Feb 13, 2019 03:13:30

Maverick Created Feb 13, 2019 03:24:23

Hi, is this firewall configuration on the router required, or can we ignore it?

Maverick Created Feb 13, 2019 03:33:20

Because after that it doesn't work.

chenhui Admin Created Feb 13, 2019 08:30:26

Posted by Maverick at 2019-02-13 03:33 Because in after that it doesnt work.
@Maverick Hi,
Since you connect to the office from home, the ISP will NAT your IP address somewhere, so you'd better refer to @WheatGrass's answer.

chenhui Admin Created Feb 13, 2019 08:32:20

Posted by chenhui at 2019-02-13 08:30 @Maverick hi, since you connect to the office from home, the ISP will nat your IP address somewher ...
By the way, what do you mean by saying the firewall configuration on the router is required?

Maverick Created Feb 13, 2019 23:17:15

Hi, there are some firewall zone configurations on the router as mentioned in the tutorial by WheatGrass, so I didn't configure that. Moreover, I can see IPSec is up, but why is L2TP not up? Can you please send me a little guidance?

chenhui Admin Created Feb 14, 2019 06:17:00

Posted by Maverick at 2019-02-13 23:17 Hi, there are some firewall zone configurations on the router as mentioned in the tutorial by WheatG ...
Hi,
L2TP over IPSec configuration on the PC is complex, and settings such as the registry and services need to be modified. Huawei dialup software Secoway VPN Client is used on the PC. You can visit http://support.huawei.com to obtain the software version.
As described in the document, you may need to make some changes in the registry and services; maybe you can try the dialup software Secoway VPN Client first.
For modifying the registry, please refer to https://support.huawei.com/hedex/hdx.do?lib=EDOC1000085855AEG05127&docid=EDOC1000085855&lang=en&v=14&tocLib=EDOC1000085855AEG05127&tocV=14&id=dc_ar_faq_l2tp_0008_2&tocURL=resources%2fdc%2fdc%5far%5ffaq%5fl2tp%5f0008%2ehtml&p=t&fe=1&ui=3&keyword=window&text=What%252BCan%252BI%252BDo%252BIf%252Ba%252BPC%252BRunning%252Bthe%252B%25253Cb%25253EWindows%25253C%25252Fb%25253E%252B7%252Bor%252BXP%252BOperating%252BSystem%252BFails%252Bto%252BEstablish%252Ban%252BL2TP%252Bover%252BIPSec%252BTunnel%252Bwith%252Bthe%252BDevice%25253F

Maverick Created Feb 18, 2019 06:20:27

This is not resolved.

chenhui Admin Created Feb 18, 2019 09:25:37

Hi, have you tried to install the Secoway VPN client and connect the VPN through the client software? Did it generate any errors?