
CLI: Example for Configuring L2TP VPN (Local Authentication) in Cross-VPN Instance Scenarios

This section provides an example for configuring L2TP VPN in cross-VPN instance scenarios.

Networking Requirements

Enterprise1 and Enterprise2 need to share one LNS to provide L2TP remote access services for mobile employees, as shown in Figure 1.

Figure 1 Networking diagram of configuring L2TP VPN in cross-VPN instance scenarios

Configuration Roadmap

The LNS needs to provide separate services for the enterprises:
  • The LNS connects to Enterprise1 through GigabitEthernet0/0/2 and to Enterprise2 through GigabitEthernet0/0/3. To keep the two enterprise networks from affecting each other, bind the two interfaces to different VPN instances.
  • Configure a separate L2TP tunnel for each enterprise: two virtual interface templates and two L2TP groups must be created. Because the virtual interfaces forward traffic to the enterprises in different VPN instances, each virtual interface template must be bound to the corresponding VPN instance.

Procedure

  1. Configure VPN instances, interfaces, security zones, and interzone security policies on the LNS.
    1. Configure VPN instance vpn1.

      <sysname> system-view
      [sysname] sysname LNS
      [LNS] ip vpn-instance vpn1
      [LNS-vpn-vpn1] route-distinguisher 100:1
      [LNS-vpn-vpn1] quit

    2. Configure VPN instance vpn2.

      [LNS] ip vpn-instance vpn2
      [LNS-vpn-vpn2] route-distinguisher 200:1
      [LNS-vpn-vpn2] quit

    3. Set an IP address for GigabitEthernet 0/0/1 and assign it to the Untrust zone.

      [LNS] interface GigabitEthernet 0/0/1
      [LNS-GigabitEthernet0/0/1] ip address 1.1.1.1 24
      [LNS-GigabitEthernet0/0/1] quit
      [LNS] firewall zone untrust
      [LNS-zone-untrust] add interface GigabitEthernet 0/0/1
      [LNS-zone-untrust] quit

    4. Bind GigabitEthernet 0/0/2 to VPN instance vpn1, set its IP address, and assign it to the Trust zone.

      [LNS] interface GigabitEthernet 0/0/2
      [LNS-GigabitEthernet0/0/2] ip binding vpn-instance vpn1
      [LNS-GigabitEthernet0/0/2] ip address 192.168.1.1 24
      [LNS-GigabitEthernet0/0/2] quit
      [LNS] firewall zone trust
      [LNS-zone-trust] add interface GigabitEthernet 0/0/2
      [LNS-zone-trust] quit

    5. Bind GigabitEthernet 0/0/3 to VPN instance vpn2, set its IP address, and assign it to the Trust zone.

      [LNS] interface GigabitEthernet 0/0/3
      [LNS-GigabitEthernet0/0/3] ip binding vpn-instance vpn2
      [LNS-GigabitEthernet0/0/3] ip address 172.16.1.1 24
      [LNS-GigabitEthernet0/0/3] quit
      [LNS] firewall zone trust
      [LNS-zone-trust] add interface GigabitEthernet 0/0/3
      [LNS-zone-trust] quit

    6. Create two VT interfaces and assign them to the DMZ.

      [LNS] interface Virtual-Template 1
      [LNS-Virtual-Template1] quit
      [LNS] interface Virtual-Template 2
      [LNS-Virtual-Template2] quit
      [LNS] firewall zone dmz
      [LNS-zone-dmz] add interface Virtual-Template 1
      [LNS-zone-dmz] add interface Virtual-Template 2
      [LNS-zone-dmz] quit

  2. Configure mobile user information.
    1. Configure mobile user information for Enterprise1.

      [LNS] user-manage group /default/enterprise1
      [LNS-usergroup-/default/enterprise1] quit
      [LNS] user-manage user user0001
      [LNS-localuser-user0001] parent-group /default/enterprise1
      [LNS-localuser-user0001] password Password123
      [LNS-localuser-user0001] quit

    2. Configure mobile user information for Enterprise2.

      [LNS] user-manage group /default/enterprise2
      [LNS-usergroup-/default/enterprise2] quit
      [LNS] user-manage user user0002
      [LNS-localuser-user0002] parent-group /default/enterprise2
      [LNS-localuser-user0002] password Password123
      [LNS-localuser-user0002] quit

  3. Configure address pools and authentication domains.
    1. Configure address pools.

      Address pools are used to assign private IP addresses to mobile employees. Configure one address pool for each enterprise so that the mobile employees of each enterprise receive addresses from their own pool.

      [LNS] ip pool enterprise1_pool
      [LNS-ip-pool-enterprise1_pool] section 1 10.1.1.2 10.1.1.100
      [LNS-ip-pool-enterprise1_pool] quit
      [LNS] ip pool enterprise2_pool
      [LNS-ip-pool-enterprise2_pool] section 1 10.1.2.2 10.1.2.100
      [LNS-ip-pool-enterprise2_pool] quit

      The intranet servers must have a route back to the address pool segment.

    2. Configure the authentication domain.

      Configure the service scheme used by access users.

      [LNS] aaa
      [LNS-aaa] service-scheme scheme1
      [LNS-aaa-service-scheme1] ip-pool enterprise1_pool
      [LNS-aaa-service-scheme1] quit
      [LNS-aaa] service-scheme scheme2
      [LNS-aaa-service-scheme2] ip-pool enterprise2_pool
      [LNS-aaa-service-scheme2] quit

      Set the user access type in the authentication domain.

      [LNS-aaa] domain domain1
      [LNS-aaa-domain-domain1] service-type l2tp
      [LNS-aaa-domain-domain1] quit
      [LNS-aaa] domain domain2
      [LNS-aaa-domain-domain2] service-type l2tp
      [LNS-aaa-domain-domain2] quit
      [LNS-aaa] quit

      To apply user name-based policy control to VPN access users, you must also specify the internetaccess parameter.

  4. Configure VT interfaces.
    1. Configure a VT interface for mobile employees of Enterprise1.

      The IP address of the VT interface must be different from other IP addresses in use. Usually, the IP address of the VT interface resides on the same network segment as the addresses in the address pool.

      [LNS] interface Virtual-Template 1
      [LNS-Virtual-Template1] ip binding vpn-instance vpn1
      [LNS-Virtual-Template1] ip address 10.1.1.1 24
      [LNS-Virtual-Template1] ppp authentication-mode chap pap  //The system will display a message. Select yes upon receiving the message.
      [LNS-Virtual-Template1] remote service-scheme scheme1
      [LNS-Virtual-Template1] quit

    2. Configure a VT interface for mobile employees of Enterprise2.

      [LNS] interface Virtual-Template 2
      [LNS-Virtual-Template2] ip binding vpn-instance vpn2
      [LNS-Virtual-Template2] ip address 10.1.2.1 24
      [LNS-Virtual-Template2] ppp authentication-mode chap pap  //The system will display a message. Select yes upon receiving the message.
      [LNS-Virtual-Template2] remote service-scheme scheme2
      [LNS-Virtual-Template2] quit

  5. Configure an L2TP group.
    1. Configure an L2TP group for Enterprise1.

      [LNS] l2tp enable
      [LNS] l2tp-group 1
      [LNS-l2tp-1] allow l2tp virtual-template 1 remote client vpn-instance vpn1 //remote indicates the peer tunnel name. If you set the parameter to client, the tunnel name on the device of the mobile user needs to be set to client.
      [LNS-l2tp-1] tunnel authentication
      [LNS-l2tp-1] tunnel password cipher Hello123
      [LNS-l2tp-1] quit

    2. Configure an L2TP group for Enterprise2.

      [LNS] l2tp-group 2
      [LNS-l2tp-2] allow l2tp virtual-template 2 remote client2 vpn-instance vpn2 //remote indicates the peer tunnel name. If you set the parameter to client2, the tunnel name on the device of the mobile user needs to be set to client2.
      [LNS-l2tp-2] tunnel authentication
      [LNS-l2tp-2] tunnel password cipher Hello123
      [LNS-l2tp-2] quit

  6. Configure routes on the LNS.

    1. Configure a route between the LNS and mobile employees.
      • Both the LNS and the mobile employees can reach the Internet, so the public route between them already exists and no route needs to be configured.
      • When the LNS assigns an IP address to a mobile employee, it also pushes the route to the enterprise intranet, so no route to the enterprise network needs to be configured on the mobile employee's device.
    2. Configure a route from the LNS to the enterprise intranet.
      [LNS] ip route-static 192.168.2.0 24 vpn-instance vpn1 192.168.1.2
      [LNS] ip route-static 172.16.2.0 24 vpn-instance vpn2 172.16.1.2

  7. Configure interzone security policies on the LNS.
    1. Configure interzone security policies between the DMZ and the Trust zone to permit traffic from mobile users to the enterprise intranets (the headquarters networks) and return traffic from intranet devices to mobile users. Note that a single rule matches the address ranges of both enterprises; separation between the enterprises is enforced by the VPN instance bindings, not by the security policy.

      [LNS] security-policy
      [LNS-policy-security] rule name service_dt
      [LNS-policy-security-rule-service_dt] source-zone dmz
      [LNS-policy-security-rule-service_dt] destination-zone trust
      [LNS-policy-security-rule-service_dt] source-address 10.1.1.0 24
      [LNS-policy-security-rule-service_dt] source-address 10.1.2.0 24
      [LNS-policy-security-rule-service_dt] destination-address 192.168.2.0 24
      [LNS-policy-security-rule-service_dt] destination-address 172.16.2.0 24
      [LNS-policy-security-rule-service_dt] action permit
      [LNS-policy-security-rule-service_dt] quit
      [LNS-policy-security] rule name service_td
      [LNS-policy-security-rule-service_td] source-zone trust
      [LNS-policy-security-rule-service_td] destination-zone dmz
      [LNS-policy-security-rule-service_td] source-address 192.168.2.0 24
      [LNS-policy-security-rule-service_td] source-address 172.16.2.0 24
      [LNS-policy-security-rule-service_td] destination-address 10.1.1.0 24
      [LNS-policy-security-rule-service_td] destination-address 10.1.2.0 24
      [LNS-policy-security-rule-service_td] action permit
      [LNS-policy-security-rule-service_td] quit

    2. Configure an interzone security policy between the Untrust and Local zones to permit L2TP packets sent to the LNS. As written, the rule permits every protocol from the Untrust zone to 1.1.1.0/24; in production, restrict it to the L2TP service (UDP port 1701) so that only the tunnel listener is reachable from the Internet.

      [LNS-policy-security] rule name l2tp_ul
      [LNS-policy-security-rule-l2tp_ul] source-zone untrust
      [LNS-policy-security-rule-l2tp_ul] destination-zone local
      [LNS-policy-security-rule-l2tp_ul] destination-address 1.1.1.0 24
      [LNS-policy-security-rule-l2tp_ul] action permit
      [LNS-policy-security-rule-l2tp_ul] quit

  8. Configure the SecoClient at the mobile user side.
    1. Open the SecoClient and access the home page.

      Select New Connection from the Connect drop-down list.

    2. Set L2TP VPN connection parameters.

      In the New Connection navigation tree, select L2TP/IPSec. Set connection parameters and click OK.

      The tunnel authentication password is Hello123.

    3. Log in to the L2TP VPN gateway.

      1. Select the created L2TP VPN connection from the Connect drop-down list and click Connect.

      2. On the login page, enter the user name and password.

      3. Click Login to initiate a VPN connection request.

        A message indicating that VPN access succeeded is displayed on the web UI. After the connection is established, mobile users can access intranet resources in the same way as intranet users.

Verification

  1. Mobile users can properly access intranet servers of the headquarters.
  2. Run the display l2tp tunnel command on the LNS to confirm that a tunnel has been established. The following output shows only the tunnel created when a mobile employee of Enterprise1 accesses the LNS.

    [LNS] display l2tp tunnel
     L2TP::Total Tunnel: 1

     LocalTID RemoteTID RemoteAddress    Port   Sessions RemoteName  VpnInstance
     ------------------------------------------------------------------------------
     1        1         2.2.2.2          1701    1                    vpn1
     ------------------------------------------------------------------------------
      Total 1, 1 printed
    
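As an added example that is not part of the original page, the following Python snippet parses the display l2tp tunnel output above and checks that every established tunnel sits in one of the expected VPN instances. A blank VpnInstance column would mean the virtual template was never bound to a VPN instance, so the mobile user's sessions terminate in the public routing table. The sample output is constructed from the page's output with a second, deliberately wrong tunnel appended; parse_tunnels and check_tunnels are names chosen here, not Huawei commands.

```python
"""Parse the ``display l2tp tunnel`` table and check which VPN instance each
tunnel landed in.  Added example, not Huawei code; parse_tunnels and
check_tunnels are our own names."""
import re

# Constructed sample: the page's output plus a second tunnel (3.3.3.3) that
# came up with an empty VpnInstance column, i.e. in the public routing table.
SAMPLE_OUTPUT = """\
 L2TP::Total Tunnel: 2

 LocalTID RemoteTID RemoteAddress    Port   Sessions RemoteName  VpnInstance
 ------------------------------------------------------------------------------
 1        1         2.2.2.2          1701    1                    vpn1
 2        1         3.3.3.3          1701    1        client2
 ------------------------------------------------------------------------------
  Total 2, 2 printed
"""


def parse_tunnels(output):
    """Return one dict per tunnel row, keyed by the header's column names.
    Each token is assigned to the column whose header starts nearest to it,
    so a blank cell (the empty RemoteName above) stays empty instead of
    shifting every later value one column to the left."""
    lines = output.splitlines()
    header = next(l for l in lines if l.lstrip().startswith("LocalTID"))
    cols = [(m.group(), m.start()) for m in re.finditer(r"\S+", header)]
    rows = []
    for line in lines:
        # data rows begin with two numeric tunnel IDs and an IPv4 address
        if not re.match(r"\s*\d+\s+\d+\s+\d+\.\d+\.\d+\.\d+", line):
            continue
        row = {name: "" for name, _ in cols}
        for tok in re.finditer(r"\S+", line):
            name = min(cols, key=lambda c: abs(c[1] - tok.start()))[0]
            row[name] = tok.group()
        rows.append(row)
    return rows


def check_tunnels(output, expected_instances):
    """Flag tunnels that are outside the expected VPN instances."""
    findings = []
    for t in parse_tunnels(output):
        inst = t["VpnInstance"] or "<global>"
        if inst not in expected_instances:
            findings.append(f"tunnel {t['LocalTID']} from {t['RemoteAddress']} is in {inst}")
    return findings


if __name__ == "__main__":
    for finding in check_tunnels(SAMPLE_OUTPUT, {"vpn1", "vpn2"}):
        print(finding)
```

On the constructed sample the check reports the second tunnel only; on the page's real output (one tunnel in vpn1) it reports nothing.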

Configuration Scripts

Configuration script of the LNS

sysname LNS
#
 l2tp enable
#
ip vpn-instance vpn1
  route-distinguisher 100:1
ip vpn-instance vpn2
  route-distinguisher 200:1
#
ip pool enterprise1_pool
 section 1 10.1.1.2 10.1.1.100
ip pool enterprise2_pool
 section 1 10.1.2.2 10.1.2.100
#
aaa
 service-scheme scheme1
  ip-pool enterprise1_pool
 service-scheme scheme2
  ip-pool enterprise2_pool
 domain domain1
  service-type l2tp
 domain domain2
  service-type l2tp
#
l2tp-group 1
 allow l2tp virtual-template 1 remote client vpn-instance vpn1
 tunnel password cipher %$%$Gg)[J=_EM).Y2g@Lr8b@+S7=%$%$
l2tp-group 2
 allow l2tp virtual-template 2 remote client2 vpn-instance vpn2
 tunnel password cipher %$%$Gg)[J=_EM).Y2g@Lr8b@+S7=%$%$
#
interface Virtual-Template1
 ppp authentication-mode chap pap
 remote service-scheme scheme1
 ip binding vpn-instance vpn1
 ip address 10.1.1.1 255.255.255.0
interface Virtual-Template2
 ppp authentication-mode chap pap
 remote service-scheme scheme2
 ip binding vpn-instance vpn2
 ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip binding vpn-instance vpn1
 ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip binding vpn-instance vpn2
 ip address 172.16.1.1 255.255.255.0
#
firewall zone trust
 add interface GigabitEthernet0/0/2
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 add interface GigabitEthernet0/0/1
#
firewall zone dmz
 add interface Virtual-Template1
 add interface Virtual-Template2
#
security-policy
 rule name service_dt
  source-zone dmz
  destination-zone trust
  source-address 10.1.1.0 mask 255.255.255.0
  source-address 10.1.2.0 mask 255.255.255.0
  destination-address 192.168.2.0 mask 255.255.255.0
  destination-address 172.16.2.0 mask 255.255.255.0
  action permit
 rule name service_td
  source-zone trust
  destination-zone dmz
  source-address 192.168.2.0 mask 255.255.255.0
  source-address 172.16.2.0 mask 255.255.255.0
  destination-address 10.1.1.0 mask 255.255.255.0
  destination-address 10.1.2.0 mask 255.255.255.0
  action permit
 rule name l2tp_ul
  source-zone untrust
  destination-zone local
  destination-address 1.1.1.0 mask 255.255.255.0
  action permit
# The following user configuration is stored in the database and does not appear in the configuration file.
user-manage group /default/enterprise1
user-manage group /default/enterprise2
user-manage user user0001
 parent-group /default/enterprise1
 password *********
user-manage user user0002
 parent-group /default/enterprise2
 password *********
#
return 
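The roadmap and steps 4, 5 and 7 above impose a handful of invariants on the LNS script: each L2TP group's virtual template must be bound to the VPN instance the group names, each VT address must sit on its pool's segment but outside the assignable range, and the Untrust-to-Local permit rule should be scoped to the L2TP service. The following Python script is an added example, not Huawei code or part of this page: it parses an abridged copy of the configuration script above (with one deliberate mistake introduced, Virtual-Template2 left unbound, so the checks fire) and reports any violations. The parser understands only the commands the script uses, and parse and lint are names chosen here.

```python
"""Lint a Huawei-style LNS script for the cross-VPN-instance L2TP invariants
this page sets out.  Added example, not Huawei or page code: the parser knows
only the commands the script uses, and parse/lint are our own names."""
import ipaddress
import re

# Constructed sample: the page's LNS script, abridged, with one deliberate
# mistake (Virtual-Template2 not bound to vpn2) so the lint has something to find.
SAMPLE_CONFIG = """\
ip pool enterprise1_pool
 section 1 10.1.1.2 10.1.1.100
ip pool enterprise2_pool
 section 1 10.1.2.2 10.1.2.100
aaa
 service-scheme scheme1
  ip-pool enterprise1_pool
 service-scheme scheme2
  ip-pool enterprise2_pool
l2tp-group 1
 allow l2tp virtual-template 1 remote client vpn-instance vpn1
l2tp-group 2
 allow l2tp virtual-template 2 remote client2 vpn-instance vpn2
interface Virtual-Template1
 remote service-scheme scheme1
 ip binding vpn-instance vpn1
 ip address 10.1.1.1 255.255.255.0
interface Virtual-Template2
 remote service-scheme scheme2
 ip address 10.1.2.1 255.255.255.0
security-policy
 rule name l2tp_ul
  source-zone untrust
  destination-zone local
  destination-address 1.1.1.0 mask 255.255.255.0
  action permit
"""


def parse(text):
    """Walk the script, tracking the enclosing view the way the CLI prompt does."""
    cfg = {"pools": {}, "schemes": {}, "vts": {}, "groups": {}, "rules": {}}
    ctx = (None, None)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        if not raw.startswith(" "):  # unindented: a system-view command opens a new view
            ctx = (None, None)
            if m := re.match(r"ip pool (\S+)$", line):
                ctx = ("pool", m[1])
            elif m := re.match(r"l2tp-group (\d+)$", line):
                ctx = ("group", int(m[1]))
            elif m := re.match(r"interface Virtual-Template(\d+)$", line):
                ctx = ("vt", int(m[1]))
                cfg["vts"][ctx[1]] = {}
            elif line in ("aaa", "security-policy"):
                ctx = (line, None)
            continue
        kind, key = ctx
        if kind == "pool" and (m := re.match(r"section \d+ (\S+) (\S+)$", line)):
            cfg["pools"][key] = (ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]))
        elif kind in ("aaa", "scheme") and (m := re.match(r"service-scheme (\S+)$", line)):
            ctx = ("scheme", m[1])
        elif kind == "scheme" and (m := re.match(r"ip-pool (\S+)$", line)):
            cfg["schemes"][key] = m[1]
        elif kind == "group" and (m := re.match(
                r"allow l2tp virtual-template (\d+) remote \S+ vpn-instance (\S+)$", line)):
            cfg["groups"][key] = {"vt": int(m[1]), "vpn": m[2]}
        elif kind == "vt" and (m := re.match(r"(remote service-scheme|ip binding vpn-instance) (\S+)$", line)):
            cfg["vts"][key]["scheme" if m[1].startswith("remote") else "vpn"] = m[2]
        elif kind == "vt" and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            cfg["vts"][key]["addr"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif kind in ("security-policy", "rule") and (m := re.match(r"rule name (\S+)$", line)):
            ctx, cfg["rules"][m[1]] = ("rule", m[1]), {}
        elif kind == "rule" and (m := re.match(r"(source-zone|destination-zone|action|service) (\S+)", line)):
            cfg["rules"][key][m[1]] = m[2]
    return cfg


def lint(text):
    """Return human-readable findings; an empty list means the script passes."""
    cfg, out = parse(text), []
    for gid, g in cfg["groups"].items():  # 1. the group's VT must be bound to the group's VPN instance
        vt = cfg["vts"].get(g["vt"], {})
        if vt.get("vpn") != g["vpn"]:
            out.append(f"l2tp-group {gid}: Virtual-Template{g['vt']} is bound to "
                       f"{vt.get('vpn', '<no instance>')} but the group expects {g['vpn']}")
    for n, vt in cfg["vts"].items():  # 2. VT address on the pool's segment but outside its range
        rng = cfg["pools"].get(cfg["schemes"].get(vt.get("scheme")))
        if rng and "addr" in vt:
            lo, hi = rng
            if lo not in vt["addr"].network or hi not in vt["addr"].network:
                out.append(f"Virtual-Template{n}: {vt['addr']} is not on the pool segment {lo}-{hi}")
            elif lo <= vt["addr"].ip <= hi:
                out.append(f"Virtual-Template{n}: {vt['addr'].ip} lies inside the assignable pool range")
    for name, r in cfg["rules"].items():  # 3. a permit into Local should be scoped to a service
        if r.get("destination-zone") == "local" and r.get("action") == "permit" and "service" not in r:
            out.append(f"rule {name}: permits every protocol into the Local zone, not only L2TP (UDP 1701)")
    return out
```

Running lint(SAMPLE_CONFIG) yields two findings: l2tp-group 2 hands sessions to a virtual template with no VPN instance, and rule l2tp_ul has no service restriction. Binding Virtual-Template2 to vpn2 and adding a service line to the rule clears both.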
Copyright © Huawei Technologies Co., Ltd.