
CLI: Example for Configuring L2TP VPN (Local Authentication) on Virtual Systems

This section provides an example for configuring L2TP VPN on virtual systems.

Networking Requirements

An enterprise needs to plan L2TP VPN access services on virtual systems to isolate these services from other services. As shown in Figure 1, GigabitEthernet0/0/1 and GigabitEthernet0/0/2 of the LNS belong to virtual system vsysa, and GigabitEthernet0/0/3 and GigabitEthernet0/0/4 of the LNS belong to virtual system vsysb. Mobile users access intranet resources through L2TP VPN tunnels.

Figure 1 Networking diagram for configuring L2TP VPN on virtual systems

Configuration Roadmap

  1. Create virtual systems vsysa and vsysb and assign resources to them.

    The procedures and methods of configuring vsysa and vsysb are the same. vsysa is used as an example.

  2. Configure user authentication services on the virtual systems.
  3. Configure L2TP VPN access services on the virtual systems.

Procedure

  1. Create virtual system vsysa and allocate resources to it as a root system administrator.

    # Use the root system administrator account to log in to the LNS and enable the virtual system function.

    <sysname> system-view
    [sysname] sysname LNS
    [LNS] vsys enable
    # Create a VT interface.
    When configuring the VT interface, do not configure an IP address for it or assign it to a security zone. This is because the configurations of the VT interface will be cleared after the assign interface Virtual-Template 1 command is run in the next step. The VT interface will be configured later. You only need to create an empty VT interface here.
    [LNS] interface Virtual-Template 1
    [LNS-Virtual-Template1] quit
    

    # Create a virtual system and allocate resources to it.

    [LNS] vsys name vsysa
    [LNS-vsys-vsysa] assign interface GigabitEthernet 0/0/1
    [LNS-vsys-vsysa] assign interface GigabitEthernet 0/0/2
    [LNS-vsys-vsysa] assign interface Virtual-Template 1
    [LNS-vsys-vsysa] quit
    

  2. Configure IP addresses for interfaces of vsysa and configure a security policy.

    # Configure interfaces of vsysa.

    [LNS] switch vsys vsysa
    <LNS-vsysa> system-view
    [LNS-vsysa] interface GigabitEthernet 0/0/1
    [LNS-vsysa-GigabitEthernet0/0/1] ip address 1.1.1.1 24
    [LNS-vsysa-GigabitEthernet0/0/1] quit
    [LNS-vsysa] interface GigabitEthernet 0/0/2
    [LNS-vsysa-GigabitEthernet0/0/2] ip address 192.168.1.1 24
    [LNS-vsysa-GigabitEthernet0/0/2] quit
    [LNS-vsysa] firewall zone trust
    [LNS-vsysa-zone-trust] add interface GigabitEthernet 0/0/2
    [LNS-vsysa-zone-trust] quit
    [LNS-vsysa] firewall zone untrust
    [LNS-vsysa-zone-untrust] add interface GigabitEthernet 0/0/1
    [LNS-vsysa-zone-untrust] quit
    

  3. Configure mobile user information.

    [LNS-vsysa] user-manage group /default/part1
    [LNS-vsysa-usergroup-/default/part1] quit
    [LNS-vsysa] user-manage user user0001
    [LNS-vsysa-localuser-user0001] parent-group /default/part1
    [LNS-vsysa-localuser-user0001] password Password123
    [LNS-vsysa-localuser-user0001] quit
    

  4. Configure address pools and authentication domains.
    1. Configure an address pool.

      You need to configure an address pool for the enterprise so that IP addresses can be assigned to its mobile employees.

      [LNS-vsysa] ip pool pool
      [LNS-vsysa-ip-pool-pool] section 1 10.1.1.2 10.1.1.100
      [LNS-vsysa-ip-pool-pool] quit
      
      A route to the address pool must be configured on the intranet server.

    2. Configure the authentication domain.

      Configure the service scheme used by mobile users.

      [LNS-vsysa] aaa
      [LNS-vsysa-aaa] service-scheme scheme 
      [LNS-vsysa-aaa-service-scheme] ip-pool pool
      [LNS-vsysa-aaa-service-scheme] quit 
      

      Set the user access type in the authentication domain.

      [LNS-vsysa-aaa] domain domain1
      [LNS-vsysa-aaa-domain-domain1] service-type l2tp
      [LNS-vsysa-aaa-domain-domain1] quit
      

      To implement user name-based policy control on VPN access users, you must specify the internetaccess parameter.

  5. Configure VT interfaces.

    The IP address of the VT interface must be different from other IP addresses in use. Usually, the IP address of the VT interface resides on the same network segment as the addresses in the address pool.

    [LNS-vsysa] interface Virtual-Template 1
    [LNS-vsysa-Virtual-Template1] ip address 10.1.1.1 24
    [LNS-vsysa-Virtual-Template1] ppp authentication-mode chap pap  //The system will display a message. Select yes upon receiving the message.
    [LNS-vsysa-Virtual-Template1] remote service-scheme scheme
    [LNS-vsysa-Virtual-Template1] quit
    [LNS-vsysa] firewall zone dmz
    [LNS-vsysa-zone-dmz] add interface Virtual-Template 1
    [LNS-vsysa-zone-dmz] quit

  6. Configure an L2TP group.

    [LNS-vsysa] l2tp enable
    [LNS-vsysa] l2tp-group 1
    [LNS-vsysa-l2tp-1] allow l2tp virtual-template 1 remote client //remote indicates the peer tunnel name. If it is set to client, the tunnel name on the mobile user's device must also be set to client.
    [LNS-vsysa-l2tp-1] tunnel authentication
    [LNS-vsysa-l2tp-1] tunnel password cipher Hello123
    [LNS-vsysa-l2tp-1] quit

  7. Configure routes on the LNS.

    1. Configure a route between the LNS and mobile employees. It is assumed that the next-hop address of the route to the Internet is 1.1.1.2.
      [LNS-vsysa] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
    2. Configure a route from the LNS to the intranet. It is assumed that the next-hop address of the route is 192.168.1.2.
      [LNS-vsysa] ip route-static 192.168.2.0 255.255.255.0 192.168.1.2

  8. Configure a security policy.

    # Configure interzone security policies between the Trust zone and DMZ on vsysa to permit the traffic sent by mobile users to access the intranet and the traffic sent by devices on the intranet to mobile users.

    [LNS-vsysa] security-policy
    [LNS-vsysa-policy-security] rule name service_dt
    [LNS-vsysa-policy-security-rule-service_dt] source-zone dmz
    [LNS-vsysa-policy-security-rule-service_dt] destination-zone trust
    [LNS-vsysa-policy-security-rule-service_dt] source-address 10.1.1.0 24
    [LNS-vsysa-policy-security-rule-service_dt] destination-address 192.168.2.0 24
    [LNS-vsysa-policy-security-rule-service_dt] action permit
    [LNS-vsysa-policy-security-rule-service_dt] quit
    [LNS-vsysa-policy-security] rule name service_td
    [LNS-vsysa-policy-security-rule-service_td] source-zone trust
    [LNS-vsysa-policy-security-rule-service_td] destination-zone dmz
    [LNS-vsysa-policy-security-rule-service_td] source-address 192.168.2.0 24
    [LNS-vsysa-policy-security-rule-service_td] destination-address 10.1.1.0 24
    [LNS-vsysa-policy-security-rule-service_td] action permit
    [LNS-vsysa-policy-security-rule-service_td] quit
    

    # Configure an interzone security policy between the Local and Untrust zones on vsysa to permit L2TP negotiation packets.

    [LNS-vsysa] security-policy
    [LNS-vsysa-policy-security] rule name l2tp_ul
    [LNS-vsysa-policy-security-rule-l2tp_ul] source-zone untrust
    [LNS-vsysa-policy-security-rule-l2tp_ul] destination-zone local
    [LNS-vsysa-policy-security-rule-l2tp_ul] destination-address 1.1.1.0 24
    [LNS-vsysa-policy-security-rule-l2tp_ul] action permit
    [LNS-vsysa-policy-security-rule-l2tp_ul] quit
    

  9. Configure vsysb based on the preceding steps.
  10. Configure the SecoClient on the mobile user side.
    1. Open the SecoClient and access the home page.

      Select New Connection from the Connect drop-down list.

    2. Set L2TP VPN connection parameters.

      In the New Connection navigation tree, select L2TP/IPSec. Set connection parameters and click OK.

      The tunnel authentication password is Hello123.

    3. Log in to the L2TP VPN gateway.

      1. Select the created L2TP VPN connection from the Connect drop-down list and click Connect.

      2. On the login page, enter the user name and password.

      3. Click Login to initiate a VPN connection request.

        A message indicating that VPN access succeeded is displayed on the web UI. After the connection is established, mobile users can access intranet resources as intranet users.

Verification

  1. Run the display l2tp tunnel command on the LNS to confirm that a tunnel has been established. The following command output shows only the data generated when mobile employees access the LNS.

    [LNS] display l2tp tunnel
    L2TP::Total Tunnel: 1

     LocalTID RemoteTID RemoteAddress    Port   Sessions RemoteName  VpnInstance
     ------------------------------------------------------------------------------
     2        1         2.2.2.2          1701   1        client         vsysa
     ------------------------------------------------------------------------------
      Total 1, 1 printed
  2. The mobile employees can access intranet server resources, and their devices are assigned IP addresses from the address pool.

Configuration Scripts

Configuration script of the LNS

Configuration script of the root system
#
 sysname LNS
# 
 vsys enable 
#
interface Virtual-Template 1
 ip binding vpn-instance vsysa
#
vsys name vsysa 1
 assign interface GigabitEthernet0/0/1
 assign interface GigabitEthernet0/0/2
 assign interface Virtual-Template 1

Configuration script of vsysa

#
 l2tp enable
#
ip pool pool
 section 1 10.1.1.2 10.1.1.100
#
aaa
 service-scheme scheme
  ip-pool pool
 domain domain1
  service-type l2tp
#
l2tp-group 1
 allow l2tp virtual-template 1 remote client
 tunnel password cipher %$%$Gg)[J=_EM).Y2g@Lr8b@+S7=%$%$
#
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 192.168.1.1 255.255.255.0
#
interface virtual-template 1
 ip binding vpn-instance vsysa
 ip address 10.1.1.1 255.255.255.0
 ppp authentication-mode chap pap
 remote service-scheme scheme
#
firewall zone trust
 add interface GigabitEthernet0/0/2
#
firewall zone untrust
  add interface GigabitEthernet0/0/1
#
firewall zone dmz
  add interface virtual-template 1
#
security-policy
 rule name service_dt
  source-zone dmz
  destination-zone trust
  source-address 10.1.1.0 mask 255.255.255.0
  destination-address 192.168.2.0 mask 255.255.255.0
  action permit
 rule name service_td
  source-zone trust
  destination-zone dmz
  source-address 192.168.2.0 mask 255.255.255.0
  destination-address 10.1.1.0 mask 255.255.255.0
  action permit
 rule name l2tp_ul
  source-zone untrust
  destination-zone local
  destination-address 1.1.1.0 mask 255.255.255.0
  action permit
# The following user configurations are stored in the database and do not appear in the configuration file.
user-manage group /default/part1
user-manage user user0001
 parent-group /default/part1
 password *********
#
return
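As an added consistency check that is not part of this Huawei document, the following Python script parses an excerpt of the vsysa configuration script above and verifies two constraints the procedure states: the VT interface address lies on the address-pool segment but outside the pool's sections, and the security policies are scoped to the pool segment and to the LNS public address (1.1.1.1) rather than the whole Local zone. The excerpt is constructed from the script on this page, and the function names are the example's own.

```python
import ipaddress
# Constructed excerpt of the vsysa script on this page; only the blocks these checks read are kept.
VSYSA_CONFIG = """\
ip pool pool
 section 1 10.1.1.2 10.1.1.100
interface virtual-template 1
 ip address 10.1.1.1 255.255.255.0
security-policy
 rule name service_dt
  source-zone dmz
  destination-zone trust
  source-address 10.1.1.0 mask 255.255.255.0
  destination-address 192.168.2.0 mask 255.255.255.0
  action permit
 rule name l2tp_ul
  source-zone untrust
  destination-zone local
  destination-address 1.1.1.0 mask 255.255.255.0
  action permit
"""

def parse_config(text):
    """Walk the VRP-style script: an unindented line opens a block, indented lines belong to it."""
    pool, vt, rules, ctx, rule = [], None, {}, "", None
    for raw in text.splitlines():
        parts = raw.split()
        if not raw.startswith(" "):
            ctx = raw.lower()
            continue
        if ctx.startswith("ip pool") and parts[0] == "section":
            pool.append((ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])))
        elif ctx.startswith("interface virtual-template") and parts[:2] == ["ip", "address"]:
            vt = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
        elif ctx == "security-policy" and parts[:2] == ["rule", "name"]:
            rule = rules.setdefault(parts[2], {})
        elif ctx == "security-policy" and rule is not None:  # "<x>-address A mask M" -> network; zones/action -> str
            rule[parts[0]] = ipaddress.ip_network(f"{parts[1]}/{parts[3]}") if parts[0].endswith("-address") else parts[1]
    return pool, vt, rules

def vt_address_ok(pool, vt):
    """The VT address must sit on the pool's segment but outside every section, so it is never leased to a client."""
    return all(lo in vt.network and hi in vt.network for lo, hi in pool) and not any(lo <= vt.ip <= hi for lo, hi in pool)

def policy_scope_ok(rules, vt, lns_addr="1.1.1.1"):
    """DMZ data rules must be scoped to the pool segment; the untrust->local L2TP rule must name the LNS address."""
    dmz = [r for r in rules.values() if "dmz" in (r.get("source-zone"), r.get("destination-zone"))]
    scoped = bool(dmz) and all(vt.network in (r.get("source-address"), r.get("destination-address")) for r in dmz)
    local = [r for r in rules.values() if r.get("destination-zone") == "local"]
    pinned = bool(local) and all("destination-address" in r and ipaddress.ip_address(lns_addr) in r["destination-address"] for r in local)
    return scoped and pinned
```

Run the two checks against the script exported from each virtual system (vsysb included) before enabling l2tp, so that a VT address that collides with a pool section or an unscoped Local-zone rule is caught before clients connect.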
Copyright © Huawei Technologies Co., Ltd.