This section provides an example of configuring L2TP VPN in the client-initiated scenario, in which mobile users run the SecoClient to reach the enterprise intranet through L2TP VPN tunnels terminated on the firewall acting as LNS.
Networking Requirements
As shown in Figure 1, the enterprise expects that mobile users can access intranet resources through L2TP VPN tunnels.
Figure 1 Networking where mobile users access intranet resources through L2TP VPN tunnels

Data Planning

LNS
  Interfaces
    GigabitEthernet 0/0/1: IP address 1.1.1.1/24, security zone Untrust
    GigabitEthernet 0/0/2: IP address 10.1.1.1/24, security zone Trust
  L2TP configuration
    Peer tunnel name: client
    User name: user0001
    Password: Password123
    Tunnel authentication password: Hello123
    Address pool: 172.16.1.2 to 172.16.1.100
    NOTE: If the intranet server and the address pool are on different network segments, configure a route on the intranet server to the address pool segment with the LNS as the next hop; otherwise return traffic to the mobile users has no path back through the tunnel.
Mobile user
  User name: user0001
  Password: Password123
Procedure
- Configure the LNS.
- Set IP addresses for interfaces and assign the interfaces to security zones.
- Choose Network > Interface.
Click the edit icon of GE0/0/1, set the following parameters, and click OK.
  Zone: untrust
  IPv4 IP Address: 1.1.1.1/24
Configure GE0/0/2 in the same way.
  Zone: trust
  IPv4 IP Address: 10.1.1.1/24
- Create users and user groups.
- Choose .
- In Scenario, select L2TP/L2TP over IPSec. In User Location, select Local.

- Click Apply.
- Configure L2TP VPN.
- Choose .
In Configure L2TP, select Enable and click Apply.
In L2TP Group List, click Add and set the L2TP parameters. Set the peer tunnel name to client, set Password (the tunnel authentication password) to Hello123, and set Address/Address Pool to the range 172.16.1.2 to 172.16.1.100. Server Address/Subnet Mask is the address of the VT interface on the LNS side; it is recommended that this address be on the same network segment as the address pool but outside the pool range, so that it is never handed to a client (in this example, 172.16.1.1/24).

- Click OK.
- Configure a route to the Internet. It is assumed that the next-hop address of the route is 1.1.1.2.
- Choose .
Click Add, set the following parameters, and click OK.
  Destination Address/Mask: 0.0.0.0/0.0.0.0
  Next Hop: 1.1.1.2
- Configure security policies.
Choose .
Click Add. Configure interzone security policies between the Trust zone and the DMZ (the VT interface that terminates the tunnels is assigned to the DMZ) to permit traffic from mobile users to the headquarters intranet and traffic from the intranet back to the mobile users. After the configuration is complete, click OK.
  Name: service_td
  Source Zone: trust
  Destination Zone: dmz
  Source Address/Region: 10.1.2.0/24
  Destination Address/Region: 172.16.1.0/24
  Action: Permit

  Name: service_dt
  Source Zone: dmz
  Destination Zone: trust
  Source Address/Region: 172.16.1.0/24
  Destination Address/Region: 10.1.2.0/24
  Action: Permit
Click Add. Configure an interzone security policy from the Untrust zone to the Local zone to permit L2TP packets destined for the LNS. After the configuration is complete, click OK.
  Name: l2tp_ul
  Source Zone: untrust
  Destination Zone: local
  Destination Address/Region: 1.1.1.0/24
  Action: Permit
As written, this rule carries no service restriction, so it admits every service from the Untrust zone to the firewall itself. L2TP uses UDP port 1701; limiting the rule to that service (and to the LNS address actually used by clients) reduces the attack surface exposed on the public interface.
- Configure the SecoClient on the mobile user side.
- Open the SecoClient and go to the home page.
Select New Connection from the Connect drop-down list.

- Set the L2TP VPN connection parameters.
In the New Connection navigation tree, select L2TP/IPSec. Set the connection parameters (the gateway is the public address of the LNS, 1.1.1.1) and click OK.
The tunnel authentication password is Hello123; it must match the one configured in the L2TP group on the LNS.

- Log in to the L2TP VPN gateway.
- Select the created L2TP VPN connection from the Connect drop-down list and click Connect.

- On the login page, enter the user name user0001 and the password Password123.

- Click Login to initiate a VPN connection request.
A message indicating that VPN access succeeded is displayed. After the connection is established, mobile users can access intranet resources as intranet users.
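The tunnel authentication password entered on both sides (Hello123 in this example) is not sent over the wire; L2TP uses it as a CHAP-style shared secret during control-connection setup (RFC 2661, section 5.1.1). The following added example, which is not part of the original page or of the SecoClient, walks through that three-message exchange with constructed challenge values: the LAC sends a Challenge in SCCRQ, the LNS answers it in SCCRP and adds its own Challenge, and the LAC answers that in SCCCN. The Message Type value of the message carrying the response (2 for SCCRP, 3 for SCCCN) is the "ID" octet of the MD5 computation. The last function is an assumption of this example and shows why the password must be long and random: one captured challenge/response pair is enough to test guesses offline.

```python
"""L2TP tunnel authentication (RFC 2661 section 5.1.1) worked through with the
tunnel authentication password used on this page. Added example; challenge
values are constructed here, not captured from a real tunnel."""
import hashlib
import hmac
import os

# Message Type values from RFC 2661. The type of the message that carries the
# Challenge Response AVP is the CHAP "ID" octet fed into the hash.
SCCRP = 2  # Start-Control-Connection-Reply: LNS answers the LAC's challenge
SCCCN = 3  # Start-Control-Connection-Connected: LAC answers the LNS's challenge

TUNNEL_SECRET = b"Hello123"  # tunnel authentication password from the page


def challenge_response(msg_type, secret, challenge):
    """Challenge Response AVP value: MD5(ID || secret || challenge), 16 bytes."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


def verify_response(msg_type, secret, challenge, response):
    """Recompute the expected response with the local secret; constant-time compare."""
    expected = challenge_response(msg_type, secret, challenge)
    return hmac.compare_digest(expected, response)


def tunnel_setup(lac_secret, lns_secret, lac_challenge=None, lns_challenge=None):
    """Simulate SCCRQ -> SCCRP -> SCCCN and report (LAC accepts LNS, LNS accepts LAC).

    Each side only ever uses its own copy of the secret; a mismatch shows up as a
    failed verification on both sides, and the tunnel is torn down."""
    lac_challenge = lac_challenge or os.urandom(16)  # Challenge AVP in SCCRQ
    lns_challenge = lns_challenge or os.urandom(16)  # Challenge AVP in SCCRP

    # SCCRP (LNS -> LAC): response to the LAC's challenge, ID = 2.
    sccrp_response = challenge_response(SCCRP, lns_secret, lac_challenge)
    lac_accepts_lns = verify_response(SCCRP, lac_secret, lac_challenge, sccrp_response)

    # SCCCN (LAC -> LNS): response to the LNS's challenge, ID = 3.
    scccn_response = challenge_response(SCCCN, lac_secret, lns_challenge)
    lns_accepts_lac = verify_response(SCCCN, lns_secret, lns_challenge, scccn_response)

    return lac_accepts_lns, lns_accepts_lac


def recover_secret(msg_type, challenge, response, candidates):
    """Assumption of this example: offline guessing against one captured pair.

    Nothing is sent to the LNS; each candidate is simply hashed and compared, which is
    why a short, human-chosen tunnel password offers little protection on its own."""
    for candidate in candidates:
        if verify_response(msg_type, candidate, challenge, response):
            return candidate
    return None


if __name__ == "__main__":
    print("matching secrets:", tunnel_setup(TUNNEL_SECRET, TUNNEL_SECRET))
    print("mismatched secrets:", tunnel_setup(TUNNEL_SECRET, b"hello123"))
```

Tunnel authentication only protects control-connection setup against a peer that does not hold the secret. It does not encrypt the PPP session inside the tunnel, so the user password exchanged by PAP and all intranet traffic remain readable unless the tunnel is wrapped in IPSec (the L2TP/IPSec option offered by the SecoClient).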

Verification
- Log in to the LNS and open the monitoring list. It shows that user user0001 has logged in to the device successfully.
- Mobile users can access intranet resources normally.
Configuration Scripts
#
sysname LNS
#
l2tp enable
l2tp domain suffix-separator @
#
ip pool pool
 section 0 172.16.1.2 172.16.1.100
#
aaa
 service-scheme l2tpSScheme_1463215459486
  ip-pool pool
 domain default
  service-type l2tp
#
l2tp-group l2tp
 allow l2tp virtual-template 1 remote client domain default
 tunnel password cipher %$%$cgc'GPcWL#hp3EC;K[nM[QH~%$%$
#
interface Virtual-Template1
 ppp authentication-mode pap
 remote service-scheme l2tpSScheme_1463215459486
 ip address 172.16.1.1 255.255.255.0
 alias L2TP_LNS_1
 undo service-manage enable
#
interface GigabitEthernet 0/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet 0/0/2
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/1
#
firewall zone dmz
 set priority 50
 add interface Virtual-Template1
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
#
security-policy
 rule name service_td
  source-zone trust
  destination-zone dmz
  source-address 10.1.2.0 24
  destination-address 172.16.1.0 24
  action permit
 rule name service_dt
  source-zone dmz
  destination-zone trust
  source-address 172.16.1.0 24
  destination-address 10.1.2.0 24
  action permit
 rule name l2tp_ul
  source-zone untrust
  destination-zone local
  destination-address 1.1.1.0 24
  action permit
# The following configuration for creating users is stored in the database and does not appear in the configuration file.
user-manage user user0001
 password **********
 undo multi-ip online enable
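Before deploying a script like the one above it is worth checking it mechanically for the relationships the procedure relies on: the VT interface address must sit on the address pool's segment but not inside the pool range, and the security policy and PPP settings decide how much the LNS exposes. The added example below is not part of the page or of the firewall's software; it parses a copy of the script excerpt (embedded as constructed input) with plain regular expressions and reports findings. The pool/VT checks follow the page's own recommendation; the PAP finding rests on the fact that PAP sends the PPP password in cleartext and plain L2TP adds no encryption, and the Local-zone finding rests on L2TP using UDP port 1701. The finding codes and the rule "a Local-zone rule without a service line is too broad" are assumptions of this example.

```python
"""Consistency and hardening checks over the LNS script on this page.
Added example; LNS_CONFIG is a constructed copy of the page's script excerpt."""
import ipaddress
import re

LNS_CONFIG = """\
#
ip pool pool
 section 0 172.16.1.2 172.16.1.100
#
interface Virtual-Template1
 ppp authentication-mode pap
 remote service-scheme l2tpSScheme_1463215459486
 ip address 172.16.1.1 255.255.255.0
#
security-policy
 rule name service_td
  source-zone trust
  destination-zone dmz
  source-address 10.1.2.0 24
  destination-address 172.16.1.0 24
  action permit
 rule name l2tp_ul
  source-zone untrust
  destination-zone local
  destination-address 1.1.1.0 24
  action permit
"""


def sections(config):
    """Split a VRP-style script on '#' separator lines into lists of stripped lines."""
    out, cur = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            if cur:
                out.append(cur)
            cur = []
        elif line:
            cur.append(line)
    if cur:
        out.append(cur)
    return out


def pool_range(config):
    """First 'section' of the ip pool as (low, high) IPv4Address, or None."""
    for sec in sections(config):
        if sec[0].startswith("ip pool "):
            for line in sec[1:]:
                m = re.match(r"section \d+ (\S+) (\S+)$", line)
                if m:
                    return ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2))
    return None


def vt_interface(config):
    """Address and mask of the Virtual-Template interface as IPv4Interface, or None."""
    for sec in sections(config):
        if sec[0].startswith("interface Virtual-Template"):
            for line in sec[1:]:
                m = re.match(r"ip address (\S+) (\S+)$", line)
                if m:
                    return ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return None


def ppp_auth_mode(config):
    m = re.search(r"^\s*ppp authentication-mode (\S+)", config, re.M)
    return m.group(1) if m else None


def policy_rules(config):
    """Map each security-policy rule name to the lines inside that rule."""
    rules, name = {}, None
    for sec in sections(config):
        if sec[0] != "security-policy":
            continue
        for line in sec[1:]:
            m = re.match(r"rule name (\S+)", line)
            if m:
                name = m.group(1)
                rules[name] = []
            elif name:
                rules[name].append(line)
    return rules


def audit(config):
    """Return a list of (code, detail) findings; an empty list means every check passed."""
    findings = []
    lo, hi = pool_range(config)
    vt = vt_interface(config)
    if lo not in vt.network or hi not in vt.network:  # page recommendation
        findings.append(("pool-outside-vt-segment", f"{lo}-{hi} vs {vt.network}"))
    if lo <= vt.ip <= hi:  # the LNS address would otherwise be handed to a client
        findings.append(("vt-address-in-pool", str(vt.ip)))
    if ppp_auth_mode(config) == "pap":  # cleartext password unless wrapped in IPSec
        findings.append(("ppp-pap-cleartext", "use L2TP over IPSec, or CHAP at minimum"))
    for name, lines in policy_rules(config).items():  # assumption: Local rules need a service
        if "destination-zone local" in lines and not any(l.startswith("service ") for l in lines):
            findings.append(("local-rule-all-services", f"{name}: restrict to L2TP (UDP 1701)"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(LNS_CONFIG):
        print(f"{code}: {detail}")
```

Run against the script on this page, the pool checks pass (172.16.1.2 to 172.16.1.100 lies in 172.16.1.0/24 and 172.16.1.1 is outside the pool) and two findings remain: the PAP authentication mode and the l2tp_ul rule with no service restriction. Both are acceptable only for the L2TP over IPSec variant of this scenario or a lab; for plain L2TP on a public interface, tighten them.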