
Web UI: Example for Configuring L2TP VPN (Local Authentication) in the Call-LNS Scenario

This section provides an example for configuring L2TP VPN (local authentication) in the call-LNS scenario. In this scenario, the LAC and LNS establish a permanent L2TP VPN tunnel, and employees in the branch access headquarters servers through that tunnel.

Networking Requirements

As shown in Figure 1, the egress gateway of the branch is the LAC, and the egress gateway of the headquarters is the LNS. Employees in the branch need to access headquarters servers across the Internet. The enterprise needs to establish an L2TP VPN tunnel between the LAC and LNS so that employees in the branch can access headquarters servers through the L2TP VPN tunnel.

Figure 1 Networking diagram for configuring L2TP VPN in the call-LNS scenario

Data Planning

Device  Item                 Data
------  -------------------  --------------------------------------------------
LAC     Interface            Interface ID: GigabitEthernet 0/0/1
                             IP address: 1.1.1.1/24
                             Security zone: Untrust

                             Interface ID: GigabitEthernet 0/0/3
                             IP address: 192.168.1.1/24
                             Security zone: Trust

        L2TP configuration   Server address configuration mode: IP address
                             Server address: 1.2.1.1/24
                             LAC automatic dialup: enabled
                             User name: user0001
                             Password: Password123
                             Local tunnel name: LAC
                             Tunnel authentication password: Hello123

LNS     Interface            Interface ID: GigabitEthernet 0/0/1
                             IP address: 1.2.1.1/24
                             Security zone: Untrust

                             Interface ID: GigabitEthernet 0/0/3
                             IP address: 10.1.1.1/24
                             Security zone: Trust

        L2TP configuration   Peer tunnel name: LAC
                             Tunnel authentication password: Hello123
                             User authentication name: user0001
                             Password: Password123
                             Server address: 10.2.1.1/24
                             User address pool: 10.2.1.2/24 to 10.2.1.100/24

NOTE:
If the intranet server IP address and address pool addresses are on different network segments, configure a route on the intranet server to an address in the address pool.

Procedure

  • Configure the LAC.
    1. Set IP addresses for interfaces and assign the interfaces to security zones.

      1. Choose Network > Interface.
      2. Click the edit icon of GE0/0/1 and set required parameters.

         Zone: untrust
         IPv4 > IP Address: 1.1.1.1/24

      3. Click OK.
      4. Configure GE0/0/3 based on the preceding step.

         Zone: trust
         IPv4 > IP Address: 192.168.1.1/24

    2. Configure L2TP parameters.

      1. Choose Network > L2TP > L2TP.
      2. In Configure L2TP, select Enable and click Apply.
      3. In L2TP Group List, click Add.
      4. Set Group Type to LAC and set required L2TP parameters.

        Server Address is the public IP address of the LNS. In Tunnel Route, enter the network segment where the headquarters servers reside. Set User to user0001, Password to Password123, and the tunnel password to Hello123.

      5. Click OK.

    3. Configure a default route to the Internet. It is assumed that the next-hop address of the route is 1.1.1.2.

      1. Choose Network > Route > Static Route.
      2. Click Add and set required parameters.

         Destination Address/Mask: 0.0.0.0/0.0.0.0
         Next Hop: 1.1.1.2

      3. Click OK.

    4. Configure a security policy.

      1. Choose Policy > Security Policy > Security Policy.

      2. Click Add. Configure interzone security policies between the Trust zone and DMZ to permit the traffic sent by employees in the branch to access the intranet of the headquarters and the traffic sent by devices on the intranet of the headquarters to the employees. After the configuration is complete, click OK.

         Name: service_td
         Source Zone: trust
         Destination Zone: dmz
         Source Address/Region: 192.168.1.0/24
         Destination Address/Region: 10.1.1.0/24
         Action: Permit

         Name: service_dt
         Source Zone: dmz
         Destination Zone: trust
         Source Address/Region: 10.1.1.0/24
         Destination Address/Region: 192.168.1.0/24
         Action: Permit

      3. Click Add. Configure an interzone security policy from the Local zone to the Untrust zone to permit L2TP packets. After the configuration is complete, click OK.

         In this scenario, L2TP negotiation packets are always initiated by the LAC. The LNS does not proactively send L2TP packets to the LAC. Therefore, only the interzone security policy from the Local zone to the Untrust zone needs to be configured.

         Name: l2tp_lu
         Source Zone: local
         Destination Zone: untrust
         Source Address/Region: 1.1.1.0/24
         Destination Address/Region: 1.2.1.0/24
         Action: Permit

    5. Configure an outbound interface-based source NAT policy.

      After the LAC dials up successfully, the LNS generates a route, with both the destination address and next-hop address being the IP address (allocated by the LNS from the address pool) of the LAC VT interface. The traffic sent by the LNS travels along this route to the L2TP tunnel. Therefore, the source IP addresses of packets sent by the LAC must be translated to the IP address of the LAC VT interface before they reach the LNS, so that the traffic sent by the LNS can be routed correctly. If source NAT is not implemented, services will be interrupted.

      1. Choose Policy > NAT Policy > NAT Policy > Source Translation Address Pool.
      2. Click Add in Source Translation Address Pool List.
      3. Set required parameters.

         Name: easy_ip
         NAT Type: NAT
         NAT Mode: Source address translation

         Original Data Packet
           Source Zone: trust
           Destination Type: Outbound interface, L2TP_LAC_0 (VT interface used by the LAC to establish an L2TP tunnel)
           Source Address: 192.168.1.0/24

         Translated Data Packet
           Source Address Translated To: Outbound Interface

      4. Click OK.

  • Configure the LNS.
    1. Set IP addresses for interfaces and assign the interfaces to security zones.

      1. Choose Network > Interface.
      2. Click the edit icon of GE0/0/1 and set required parameters.

         Zone: untrust
         IPv4 > IP Address: 1.2.1.1/24

      3. Click OK.
      4. Configure GE0/0/3 based on the preceding step.

         Zone: trust
         IPv4 > IP Address: 10.1.1.1/24

    2. Configure the authentication domain and L2TP user information.

      1. Choose Object > User.
      2. Select the default authentication domain and set required parameters. In User Management List, create a user whose name is user0001 and password is Password123.

      3. Click OK.

    3. Configure L2TP parameters.

      1. Choose Network > L2TP > L2TP.
      2. In Configure L2TP, select Enable and click Apply.
      3. In L2TP Group List, click Add.
      4. Set Group Type to LNS and set required L2TP parameters.

        Peer Tunnel Name must be the same as Local Tunnel Name on the LAC. The address pool ranges from 10.2.1.2/24 to 10.2.1.100/24. Server Address/Subnet Mask is the address of the VT interface on the LNS side; you are advised to place it on the same network segment as the address pool so that no extra route is needed on the intranet servers.

      5. Click OK.

    4. Configure a default route to the Internet. It is assumed that the next-hop address of the route is 1.2.1.2.

      1. Choose Network > Route > Static Route.
      2. Click Add and set required parameters.

         Destination Address/Mask: 0.0.0.0/0.0.0.0
         Next Hop: 1.2.1.2

      3. Click OK.

    5. Configure a security policy.

      1. Choose Policy > Security Policy > Security Policy.

      2. Click Add. Configure interzone security policies between the Trust zone and DMZ to permit the traffic sent by employees in the branch to access the intranet of the headquarters and the traffic sent by devices on the intranet of the headquarters to the employees. Click OK.

         Name: service_td
         Source Zone: trust
         Destination Zone: dmz
         Source Address/Region: 10.1.1.0/24
         Destination Address/Region: 10.2.1.0/24
         Action: Permit

         Name: service_dt
         Source Zone: dmz
         Destination Zone: trust
         Source Address/Region: 10.2.1.0/24
         Destination Address/Region: 10.1.1.0/24
         Action: Permit

      3. Click Add. Configure an interzone security policy from the Untrust zone to the Local zone to permit L2TP packets. After the configuration is complete, click OK.

         In this scenario, the LNS only receives L2TP negotiation packets and does not proactively send L2TP negotiation packets to the LAC. Therefore, only the interzone security policy from the Untrust zone to the Local zone needs to be configured.

         Name: l2tp_ul
         Source Zone: untrust
         Destination Zone: local
         Source Address/Region: 1.1.1.0/24
         Destination Address/Region: 1.2.1.0/24
         Action: Permit
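As an added pre-flight check that is not part of the original example: the script below holds the Data Planning values of both devices as constructed Python dictionaries and flags the mismatches that most often keep the LAC from dialing up (tunnel name, tunnel authentication password, PPP user, an address pool outside the VT subnet, the tunnel route, and the Local/Untrust security policies). The dictionary keys are names chosen for this example, not Web UI parameter names.

```python
import ipaddress

# Values constructed from the Data Planning table of this example
# (typed in here for illustration, not read from either firewall).
LAC_PLAN = {
    "local_tunnel_name": "LAC",
    "tunnel_password": "Hello123",
    "user": ("user0001", "Password123"),
    "tunnel_route": "10.1.1.0/24",       # headquarters server segment
    "policies": {("local", "untrust"), ("trust", "dmz"), ("dmz", "trust")},
}
LNS_PLAN = {
    "peer_tunnel_name": "LAC",
    "tunnel_password": "Hello123",
    "users": {"user0001": "Password123"},
    "vt_address": "10.2.1.1/24",         # Server Address/Subnet Mask on the LNS
    "pool": ("10.2.1.2", "10.2.1.100"),
    "server_segment": "10.1.1.0/24",
    "policies": {("untrust", "local"), ("trust", "dmz"), ("dmz", "trust")},
}


def check_plan(lac, lns):
    """Return the list of inconsistencies; an empty list means the plan is sound."""
    problems = []
    # Tunnel-level values exchanged when the LAC opens the control connection.
    if lac["local_tunnel_name"] != lns["peer_tunnel_name"]:
        problems.append("Local Tunnel Name on the LAC differs from Peer Tunnel Name on the LNS")
    if lac["tunnel_password"] != lns["tunnel_password"]:
        problems.append("tunnel authentication passwords differ")
    # Session-level value: the PPP user the LAC dials with must exist on the LNS.
    name, password = lac["user"]
    if lns["users"].get(name) != password:
        problems.append(f"user {name} is missing on the LNS or has a different password")
    # Pool addresses should sit in the VT subnet (otherwise intranet servers need a
    # route to the pool), and the LAC tunnel route must cover the server segment.
    vt_net = ipaddress.ip_interface(lns["vt_address"]).network
    if any(ipaddress.ip_address(a) not in vt_net for a in lns["pool"]):
        problems.append(f"address pool {lns['pool'][0]}-{lns['pool'][1]} is outside the VT subnet {vt_net}")
    if ipaddress.ip_network(lac["tunnel_route"]) != ipaddress.ip_network(lns["server_segment"]):
        problems.append("LAC tunnel route does not match the headquarters server segment")
    # Security policies for L2TP control packets, which only the LAC initiates.
    if ("local", "untrust") not in lac["policies"]:
        problems.append("LAC has no Local->Untrust policy, so its L2TP packets are dropped")
    if ("untrust", "local") not in lns["policies"]:
        problems.append("LNS has no Untrust->Local policy, so the LAC's L2TP packets are dropped")
    return problems
```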

Verification

  1. Log in to the LNS and choose Network > L2TP > Monitor to view the monitoring list. You can find that the LAC dials up successfully.
  2. Employees in the branch can access headquarters servers properly.

Configuration Scripts

  • Configuration script of the LAC

    #
     l2tp enable
     l2tp domain suffix-separator @
    #
    l2tp-group lac
     tunnel password cipher %$%$Sd2\*,\eT=XIuj1J`j36~K)_%$%$
     tunnel name LAC
     start l2tp ip 1.2.1.1 fullusername user0001
    #
    interface Virtual-Template1
     ppp authentication-mode chap pap
     ppp chap user user0001
     ppp chap password cipher %$%$>x{UJZIoJ>`<}u"b0!#%\pg^%$%$
     ppp pap local-user user0001 password cipher %$%$qTc=ESCX_M&3,Y-]$@}Q\aXO%$%$
     ip address ppp-negotiate
     call-lns local-user user0001 binding l2tp-group lac
     alias L2TP_LAC_0
     undo service-manage enable
    #
    interface GigabitEthernet0/0/1
     ip address 1.1.1.1 255.255.255.0
    #
    interface GigabitEthernet0/0/3
     ip address 192.168.1.1 255.255.255.0
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet0/0/3
    #
    firewall zone untrust
     set priority 5
     add interface GigabitEthernet0/0/1
    #
    firewall zone dmz
     set priority 50
     add interface Virtual-Template1
    #
     ip route-static 10.1.1.0 255.255.255.0 Virtual-Template1
     ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
    #
    nat-policy
     rule name easy_ip
      source-zone trust
      egress-interface Virtual-Template1
      source-address 192.168.1.0 24
      action source-nat easy-ip
    #
    security-policy
     rule name service_td
      source-zone trust
      destination-zone dmz
      source-address 192.168.1.0 24
      destination-address 10.1.1.0 24
      action permit
     rule name service_dt
      source-zone dmz
      destination-zone trust
      source-address 10.1.1.0 24
      destination-address 192.168.1.0 24
      action permit
     rule name l2tp_lu
      source-zone local
      destination-zone untrust
      source-address 1.1.1.0 24
      destination-address 1.2.1.0 24
      action permit
    
  • Configuration script of the LNS

    #
     l2tp enable
     l2tp domain suffix-separator @
    #
    ip pool pool
     section 1 10.2.1.2 10.2.1.100
    #
    aaa
     authentication-scheme default
     #
     authorization-scheme default
     #
     accounting-scheme default
     #
     service-scheme l2tpSScheme_1498873877504
      ip-pool pool
     #
     domain default
      service-type l2tp
      service-scheme l2tpSScheme_1498873877504
    #
    l2tp-group lns
     allow l2tp virtual-template 1 remote LAC domain default
     tunnel password cipher %$%$cgc'GPcWL#hp3EC;K[nM[QH~%$%$
    #
    interface Virtual-Template1
     ppp authentication-mode chap pap
     remote service-scheme l2tpSScheme_1498873877504
     ip address 10.2.1.1 255.255.255.0
     alias L2TP_LNS_1
     undo service-manage enable
    #
    interface GigabitEthernet0/0/1
     ip address 1.2.1.1 255.255.255.0
    #
    interface GigabitEthernet0/0/3
     ip address 10.1.1.1 255.255.255.0
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet0/0/3
    #
    firewall zone untrust
     set priority 5
     add interface GigabitEthernet0/0/1
    #
    firewall zone dmz
     set priority 50
     add interface Virtual-Template1
    #
     ip route-static 0.0.0.0 0.0.0.0 1.2.1.2
    #
    security-policy
     rule name service_td
      source-zone trust
      destination-zone dmz
      source-address 10.1.1.0 24
      destination-address 10.2.1.0 24
      action permit
     rule name service_dt
      source-zone dmz
      destination-zone trust
      source-address 10.2.1.0 24
      destination-address 10.1.1.0 24
      action permit
     rule name l2tp_ul
      source-zone untrust
      destination-zone local
      source-address 1.1.1.0 24
      destination-address 1.2.1.0 24
      action permit
    # The following user-creation configuration is stored in the database and is not shown in the configuration file.
    user-manage user user0001
     parent-group /default
     password **********
     undo multi-ip online enable
    
Copyright © Huawei Technologies Co., Ltd.