This section provides an example for configuring L2TP VPN in the client-initiated scenario. In the client-initiated scenario, the LNS works with the AD server to perform identity authentication for mobile users.
Networking Requirements
On the enterprise network shown in Figure 1, mobile users access intranet resources through L2TP VPN tunnels. The enterprise deploys an AD server to authenticate the mobile users.
Figure 1 Networking where mobile users access intranet resources through L2TP VPN tunnels
Data Planning
Item | Data
LNS: interfaces | GigabitEthernet 0/0/1, IP address 1.1.1.1/24, security zone Untrust
 | GigabitEthernet 0/0/2, IP address 10.1.1.1/24, security zone Trust
 | GigabitEthernet 0/0/3, IP address 10.1.3.1/24, security zone DMZ
LNS: L2TP configuration | User name: user0001
 | Password: Password123
 | Peer tunnel name: client
 | Tunnel authentication password: Hello123
 | Address pool: 172.16.1.2 to 172.16.1.100
 | NOTE: If the intranet server and the address pool are on different network segments, configure a route to the address pool segment on the intranet server, so that its replies to mobile users are sent back toward the LNS.
LNS: parameters for interconnection with the AD server | AD server address: 10.1.3.2/24
 | Administrator DN: cn=Administrator,cn=Users
 | Password: Admin123
Mobile user | User name: user0001
 | Password: Password123
 | Tunnel name: client
 | Tunnel authentication password: Hello123
Procedure
- Configure the LNS.
- Configure IP addresses for interfaces and assign the interfaces to security zones.
- Choose Network > Interface. In the row of GE0/0/1, click the edit icon and set the required parameters.
Zone | untrust
IPv4 IP Address | 1.1.1.1/24
- Click OK.
Repeat the preceding steps to configure GE0/0/2 and GE0/0/3.
GE0/0/2:
Zone | trust
IPv4 IP Address | 10.1.1.1/24
GE0/0/3:
Zone | dmz
IPv4 IP Address | 10.1.3.1/24
- Configure the parameters for interconnecting the LNS and the AD server.
For V600R007C20, whether SSL is used for AD authentication cannot be set on the web UI: when you configure the AD server on the web UI, SSL (ldap-over-ssl) is enabled by default, and LDAP over SSL must then also be enabled on the AD server (see the operating system guide of the AD server). To disable SSL (no-ssl), click CLI Console in the lower right corner of the web page and, on the CLI configuration page that is displayed, run the ad-server authentication 10.1.3.2 88 no-ssl command in the corresponding AD server template view. From V600R007C20SPC100, SSL for AD authentication can be enabled or disabled on the web UI. The following uses no-ssl as an example.
With no-ssl, the LNS talks to the AD server over plaintext LDAP: the administrator password stored on the LNS and the password of every mobile user being authenticated cross the DMZ link unencrypted. Use no-ssl only in a lab or on a dedicated, physically protected link; in production, keep ldap-over-ssl enabled.
If you are unfamiliar with the AD server and cannot provide the server name, Base DN, or filter field values, you can use AD Explorer or an LDAP browser/editor to connect to the AD server and query the attribute values. AD Explorer is used as an example here. The AD server attributes and the mapping between them and the parameters on the LNS are as follows; the values used in this example (server name, Base DN, user filter attribute, and group filter attribute) also appear in the configuration script at the end of this section.

Click Test. In the window that is displayed, click OK, enter the test account and password, and click Start to check connectivity to the AD server.
The user name and password used for the test must be the same as those on the AD server.

- Click Add to create an authentication domain.
When the LNS uses AD server authentication, the authentication domain name configured on the LNS must be the same as the domain name on the authentication server. In this example, the domain name on the AD server is cce.com, so the authentication domain name on the LNS must also be set to cce.com.

- Choose Object > User > cce.com and configure AD server authentication. After completing the preceding configurations, click Apply.
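The AD-side steps above configure a manager DN, a Base DN and a user filter attribute (sAMAccountName in the configuration script). The following added example, which is not Huawei's or Microsoft's code, models what the LNS does with those values for each PPP user: bind as the manager, search the Base DN for the user name, then bind as the returned DN with the password received over PAP. The AD server is replaced by a constructed in-memory directory (FakeDirectory, with made-up entries) so the script runs offline; it also shows why the user name must be escaped before it is placed in the filter.

```python
import fnmatch

# Values taken from the configuration script of this example.
BASE_DN = "dc=cce,dc=com"                            # ad-server authentication base-dn
MANAGER_DN = "cn=Administrator,cn=users," + BASE_DN  # ad-server authentication manager
MANAGER_PW = "Admin123"
USER_FILTER_ATTR = "sAMAccountName"                  # ad-server user-filter


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in an LDAP search filter. The
    LNS builds the filter from the user name typed into the VPN client, so
    the characters ( ) * \\ and NUL must not reach the directory raw."""
    return "".join("\\%02x" % ord(c) if c in "()*\\\x00" else c for c in value)


def build_user_filter(username, escape=True):
    """Filter used to locate the user: (sAMAccountName=<name>)."""
    value = escape_filter_value(username) if escape else username
    return "(%s=%s)" % (USER_FILTER_ATTR, value)


def _value_to_glob(value):
    """Filter value -> fnmatch pattern: a raw '*' is an LDAP substring
    wildcard, an escaped byte such as \\2a is a literal character."""
    pattern, i = [], 0
    while i < len(value):
        c = value[i]
        if c == "\\" and i + 2 < len(value):
            pattern.append("[" + chr(int(value[i + 1:i + 3], 16)) + "]")
            i += 3
        elif c == "*":
            pattern.append("*")
            i += 1
        elif c in "?[":
            pattern.append("[" + c + "]")
            i += 1
        else:
            pattern.append(c)
            i += 1
    return "".join(pattern)


class FakeDirectory:
    """Constructed stand-in for the AD server: DN -> (password, attributes).
    Matching is case-sensitive here; a real AD compares sAMAccountName
    case-insensitively."""

    def __init__(self):
        self.entries = {
            MANAGER_DN: ("Admin123", {}),
            "cn=user0001,cn=users," + BASE_DN: ("Password123", {"sAMAccountName": "user0001", "ou": "sales"}),
            "cn=user0002,cn=users," + BASE_DN: ("Secret456", {"sAMAccountName": "user0002", "ou": "sales"}),
        }
        self.bound_as = None

    def simple_bind(self, dn, password):
        """LDAP simple bind: with no-ssl this password travels in cleartext."""
        entry = self.entries.get(dn)
        ok = entry is not None and entry[0] == password
        self.bound_as = dn if ok else None
        return ok

    def search(self, base_dn, ldap_filter):
        """Evaluate a single-attribute equality/substring filter under base_dn."""
        if self.bound_as is None:
            raise PermissionError("search requires a bound connection")
        if not (ldap_filter.startswith("(") and ldap_filter.endswith(")")
                and ldap_filter.count("(") == 1):
            raise ValueError("malformed filter: " + ldap_filter)
        attr, _, value = ldap_filter[1:-1].partition("=")
        glob = _value_to_glob(value)
        return [dn for dn, (_, attrs) in self.entries.items()
                if dn.endswith(base_dn) and attr in attrs
                and fnmatch.fnmatchcase(attrs[attr], glob)]


def authenticate(directory, username, password, escape=True):
    """Manager bind, user lookup by sAMAccountName, then a bind as the user
    with the PAP password. Returns the user's DN on success, else None."""
    if not directory.simple_bind(MANAGER_DN, MANAGER_PW):
        return None
    matches = directory.search(BASE_DN, build_user_filter(username, escape))
    if len(matches) != 1:   # unknown user, or an ambiguous wildcard match
        return None
    user_dn = matches[0]
    return user_dn if directory.simple_bind(user_dn, password) else None


if __name__ == "__main__":
    ad = FakeDirectory()
    print(authenticate(ad, "user0001", "Password123"))
    print(authenticate(ad, "user0001", "Password124"))
    print(build_user_filter("user*"))
```

The flow needs the user's cleartext password for the second bind, which is why the virtual template in the configuration script uses PAP rather than CHAP. Run with escaping disabled, a user name of user* matches every account under the Base DN; with escaping it matches none, which is the behaviour you want from the LNS.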

- Configure L2TP VPN.
- Choose .
In Configure L2TP, select Enable and click Apply.
In L2TP Group List, click Add and set the L2TP parameters.
Set Password (the tunnel authentication password) to Hello123 and the address range of Address/Address Pool to 172.16.1.2 to 172.16.1.100. Associated Zone is the security zone of the VT interface (DMZ in this example). Server Address/Subnet Mask is the address of the VT interface on the LNS side; it should be in the same network as the address pool (172.16.1.1/24 in this example).
Note that this example configures L2TP only, without IPsec. L2TP itself provides no confidentiality, the PPP authentication is PAP (the LNS needs the user's cleartext password to check it against the AD server), and the tunnel authentication password only authenticates tunnel setup; it does not encrypt anything. For a deployment that crosses the Internet, run L2TP over IPsec.
- Click OK.
- Configure a route to the Internet. It is assumed that the next-hop address of the route from the LNS to the Internet is 1.1.1.2.
- Choose .
Click Add and set the required parameters.
Destination Address/Mask | 0.0.0.0/0.0.0.0
Next Hop | 1.1.1.2
Click OK.
- Configure a security policy.
Choose .
Click Add. Configure interzone security policies between the Trust zone and the DMZ so that mobile users (address pool 172.16.1.0/24, entering through the VT interface in the DMZ) can access the intranet (10.1.2.0/24 in the Trust zone) and intranet devices can send traffic to mobile users. After the configuration is complete, click OK.
Name | service_td
Source Zone | trust
Destination Zone | dmz
Source Address/Region | 10.1.2.0/24
Destination Address/Region | 172.16.1.0/24
Action | Permit

Name | service_dt
Source Zone | dmz
Destination Zone | trust
Source Address/Region | 172.16.1.0/24
Destination Address/Region | 10.1.2.0/24
Action | Permit

Click Add. Configure an interzone security policy from the Untrust zone to the Local zone to permit L2TP packets from mobile users to the LNS. After the configuration is complete, click OK.
In this scenario, the LNS only receives L2TP negotiation packets and does not proactively initiate L2TP negotiation with mobile users, so only the policy from the Untrust zone to the Local zone is required. Because mobile users connect from arbitrary Internet addresses, the rule cannot restrict the source address; as written it permits any service to the whole 1.1.1.0/24 segment, so consider narrowing the destination to the LNS address (1.1.1.1/32) and the service to L2TP (UDP port 1701) to keep the exposed surface small.
Name | l2tp_ul
Source Zone | untrust
Destination Zone | local
Destination Address/Region | 1.1.1.0/24
Action | Permit
- Configure an interzone security policy from the Local zone to the DMZ to permit the packets that the LNS sends to the AD server (the AD server's replies belong to the same session and need no separate rule). The source address 10.1.3.0/24 covers the LNS's own GE0/0/3 address, 10.1.3.1, from which the authentication requests originate.
Name | ad_ld
Source Zone | local
Destination Zone | dmz
Source Address/Region | 10.1.3.0/24
Action | Permit
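Before committing the four rules, it is worth walking the flows this scenario relies on through them. The following added example (not Huawei code) models the firewall's rule evaluation: rules are checked in configured order, the first match decides, and a packet matching no rule falls to the default deny. Zone membership and rules are copied from the configuration script; the intranet segment 10.1.2.0/24 is assumed to sit behind GE0/0/2 in the Trust zone, 203.0.113.10 is a made-up Internet address for a mobile user, and services/ports are ignored.

```python
import ipaddress

# Segment -> zone, from the interface and "firewall zone" configuration.
# Order matters: the default route (0.0.0.0/0 via the Untrust interface) is last.
ZONE_ROUTES = [
    ("1.1.1.0/24", "untrust"),
    ("10.1.1.0/24", "trust"),
    ("10.1.2.0/24", "trust"),       # assumption: intranet users behind GE0/0/2
    ("10.1.3.0/24", "dmz"),
    ("172.16.1.0/24", "dmz"),       # Virtual-Template1 is added to zone dmz
    ("0.0.0.0/0", "untrust"),       # ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
]
# Addresses owned by the LNS itself: traffic to or from them is in the Local zone.
LOCAL_ADDRS = {"1.1.1.1", "10.1.1.1", "10.1.3.1", "172.16.1.1"}

# The four rules of the example, in configured order. None = no condition.
RULES = [
    {"name": "service_td", "src_zone": "trust", "dst_zone": "dmz",
     "src": "10.1.2.0/24", "dst": "172.16.1.0/24", "action": "permit"},
    {"name": "service_dt", "src_zone": "dmz", "dst_zone": "trust",
     "src": "172.16.1.0/24", "dst": "10.1.2.0/24", "action": "permit"},
    {"name": "l2tp_ul", "src_zone": "untrust", "dst_zone": "local",
     "src": None, "dst": "1.1.1.0/24", "action": "permit"},
    {"name": "ad_ld", "src_zone": "local", "dst_zone": "dmz",
     "src": "10.1.3.0/24", "dst": None, "action": "permit"},
]


def zone_of(addr):
    """Security zone of an address: the LNS's own addresses are Local,
    everything else is looked up in ZONE_ROUTES (first match)."""
    if addr in LOCAL_ADDRS:
        return "local"
    ip = ipaddress.ip_address(addr)
    for net, zone in ZONE_ROUTES:
        if ip in ipaddress.ip_network(net):
            return zone
    return None


def _matches(addr, net):
    """A rule without an address condition matches any address."""
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def evaluate(src, dst):
    """First-match evaluation of RULES for a packet src -> dst; no match
    means the default deny applies. Returns (rule name, action)."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for rule in RULES:
        if (rule["src_zone"] == src_zone and rule["dst_zone"] == dst_zone
                and _matches(src, rule["src"]) and _matches(dst, rule["dst"])):
            return rule["name"], rule["action"]
    return "default", "deny"


# Constructed flows for this scenario (description, source, destination).
FLOWS = [
    ("L2TP setup from a mobile user to the LNS", "203.0.113.10", "1.1.1.1"),
    ("mobile user (pool address) to intranet host", "172.16.1.5", "10.1.2.10"),
    ("intranet host to mobile user", "10.1.2.10", "172.16.1.5"),
    ("LNS to AD server", "10.1.3.1", "10.1.3.2"),
    ("Internet host straight to the intranet", "203.0.113.10", "10.1.2.10"),
]


def walk():
    """Evaluate every flow in FLOWS; returns description -> (rule, action)."""
    return {desc: evaluate(src, dst) for desc, src, dst in FLOWS}


if __name__ == "__main__":
    for desc, (rule, action) in walk().items():
        print("%-45s %-10s %s" % (desc, rule, action))
```

The last flow is the one to watch: nothing in the rule set permits Untrust to Trust, so an Internet host cannot reach the intranet except through an authenticated L2TP session, whose decapsulated traffic enters from the VT interface in the DMZ and is matched by service_dt instead.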
- Configure the SecoClient on the mobile user side.
- Open the SecoClient and access the home page. Select New Connection from the Connect drop-down list.
- Set the L2TP VPN connection parameters. In the New Connection navigation tree, select L2TP/IPSec, set the connection parameters, and click OK. The tunnel name is client and the tunnel authentication password is Hello123.
- Log in to the L2TP VPN gateway.
- Select the created L2TP VPN connection from the Connect drop-down list and click Connect.
- On the login page, enter the user name (user0001) and password (Password123).
- Click Login to initiate a VPN connection request. A message indicating that the VPN connection has been established is displayed.
After the connection is established, mobile users can access intranet resources as intranet users.
Verification
- Log in to the LNS and choose to view the monitoring list. You can find that user user0001 has logged in to the device successfully.
- Mobile users can access intranet resources properly.
Configuration Scripts
#
sysname LNS
#
l2tp enable
undo l2tp sendaccm enable
l2tp domain suffix-separator @
#
ad-server template AD_Server
ad-server authentication 10.1.3.2 88 no-ssl
ad-server authentication base-dn dc=cce,dc=com
ad-server authentication manager cn=Administrator,cn=users %^%#,C)<BJ^0BH7p/A5cODX0k-%$,_MAC8*D]n-V_,6A%^%#
ad-server authentication host-name info-server.cce.com
ad-server authentication ldap-port 389
ad-server user-filter sAMAccountName
ad-server group-filter ou
ad-server time-stamp-filter createTimeStamp
#
ip pool pool
section 0 172.16.1.2 172.16.1.100
#
aaa
authentication-scheme admin_ad
service-scheme webServerScheme1499928213525
service-scheme l2tpSScheme_1497877787064
ip-pool pool
domain cce.com
authentication-scheme admin_ad
service-scheme webServerScheme1499928213525
ad-server AD_Server
service-type l2tp
internet-access mode password
reference user current-domain
#
l2tp-group l2tpvpn
tunnel password cipher %$%$(%J>Y.2ajQIcq@N6)$04859Z%$%$
allow l2tp virtual-template 1 remote client domain cce.com
#
interface Virtual-Template1
ppp authentication-mode pap
remote service-scheme l2tpSScheme_1497877787064
ip address 172.16.1.1 255.255.255.0
alias L2TP_LNS_1
undo service-manage enable
#
interface GigabitEthernet 0/0/1
undo shutdown
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet 0/0/2
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet 0/0/3
undo shutdown
ip address 10.1.3.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet 0/0/2
#
firewall zone untrust
set priority 5
add interface GigabitEthernet 0/0/1
#
firewall zone dmz
set priority 50
add interface GigabitEthernet 0/0/3
add interface Virtual-Template1
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
#
security-policy
rule name service_td
source-zone trust
destination-zone dmz
source-address 10.1.2.0 mask 255.255.255.0
destination-address 172.16.1.0 mask 255.255.255.0
action permit
rule name service_dt
source-zone dmz
destination-zone trust
source-address 172.16.1.0 mask 255.255.255.0
destination-address 10.1.2.0 mask 255.255.255.0
action permit
rule name l2tp_ul
source-zone untrust
destination-zone local
destination-address 1.1.1.0 mask 255.255.255.0
action permit
rule name ad_ld
source-zone local
destination-zone dmz
source-address 10.1.3.0 mask 255.255.255.0
action permit