< Home

CLI: Example for Configuring L2TP VPN (AD Authentication) in the Client-Initiated Scenario

This section provides an example for configuring L2TP VPN in the client-initiated scenario. In the client-initiated scenario, the LNS works with the AD server to perform identity authentication for mobile users.

Networking Requirements

On the enterprise network shown in Figure 1, mobile users access intranet resources through L2TP VPN tunnels. The enterprise deploys an AD server to perform identity authentication for the mobile users.
Figure 1 Networking where mobile users access intranet resources through L2TP VPN tunnels

Data Planning

Item

Data

LNS

Interface

Interface ID: GigabitEthernet 0/0/1

IP address: 1.1.1.1/24

Security zone: Untrust

Interface ID: GigabitEthernet 0/0/2

IP address: 10.1.1.1/24

Security zone: Trust

Interface ID: GigabitEthernet 0/0/3

IP address: 10.1.3.1/24

Security zone: DMZ

L2TP configuration

User name: user0001

Password: Password123

Peer tunnel name: client

Tunnel authentication password: Hello123

Address pool: 172.16.1.2 to 172.16.1.100

NOTE:

If the intranet server IP address and address pool addresses are on different network segments, configure a route on the intranet server to an address in the address pool.

Parameters for interconnection with the AD server

AD server address: 10.1.3.2/24

Administrator DN: cn=Administrator,cn=Users

Password: Admin123

Mobile user

User name: user0001

Password: Password123

Tunnel name: client

Tunnel authentication password: Hello123

Procedure

  1. Configure the LNS.
    1. Configure IP addresses for interfaces and assign the interfaces to security zones.

      # Configure IP addresses for interfaces.

      <LNS> system-view
[LNS] sysname LNS
[LNS] interface GigabitEthernet 0/0/1
[LNS-GigabitEthernet0/0/1] ip address 1.1.1.1 24 
[LNS-GigabitEthernet0/0/1] quit
[LNS] interface GigabitEthernet 0/0/2
[LNS-GigabitEthernet0/0/2] ip address 10.1.1.1 24
[LNS-GigabitEthernet0/0/2] quit
[LNS] interface GigabitEthernet 0/0/3
[LNS-GigabitEthernet0/0/3] ip address 10.1.3.1 24
[LNS-GigabitEthernet0/0/3] quit

      # Assign the interfaces to security zones.

      [LNS] firewall zone untrust
[LNS-zone-untrust] add interface GigabitEthernet 0/0/1
[LNS-zone-untrust] quit
[LNS] firewall zone trust 
[LNS-zone-trust] add interface GigabitEthernet 0/0/2
[LNS-zone-trust] quit
[LNS] firewall zone dmz 
[LNS-zone-dmz] add interface GigabitEthernet 0/0/3
[LNS-zone-dmz] quit

    2. Configure L2TP access users and an authentication policy on the LNS.

      1. Set parameters for interconnecting with the AD server.
        [LNS] ad-server template ad_server
[LNS-ad-ad_server] ad-server authentication 10.1.3.2 88 no-ssl
[LNS-ad-ad_server] ad-server authentication base-dn dc=cce,dc=com
[LNS-ad-ad_server] ad-server authentication manager cn=Administrator,cn=users Admin123 Admin123
[LNS-ad-ad_server] ad-server authentication host-name info-server.cce.com
[LNS-ad-ad_server] ad-server authentication ldap-port 389
[LNS-ad-ad_server] ad-server user-filter sAMAccountName
[LNS-ad-ad_server] ad-server group-filter ou

        If you are unfamiliar with the AD server and cannot provide the server name, Base DN, or filter field values, you can use the AD Explorer or LDAP Browser/Editor software to connect to the AD server to query the attribute values. The AD Explorer is used as an example. The AD server attributes and mappings between the server attributes and parameters on the LNS are as follows.

        # Test the connectivity of the link between the LNS and AD server. The user name and password used for the test must be the same as those on the AD server. 
        [LNS-ad-ad_server] test-aaa user0001 Password123 ad-template ad_server
[LNS-ad-ad_server] quit
      2. Use the AD server for user identity authentication.
        [LNS] aaa
[LNS-aaa] authentication-scheme authentication_ad
[LNS-aaa-authen-authentication_ad] authentication-mode ad
[LNS-aaa-authen-authentication_ad] quit
      3. Configure an address pool.

        If the actual address pool addresses and headquarters addresses reside on the same network segment, you must enable the proxy ARP function on the LNS interface connecting to the headquarters to ensure that the LNS can respond to the ARP requests from the servers at the headquarters.

        [LNS] ip pool pool
[LNS-ip-pool-pool] section 1 172.16.1.2 172.16.1.100
[LNS-ip-pool-pool] quit
      4. Configure the service scheme used by access users.
        [LNS] aaa
[LNS-aaa] service-scheme l2tp 
[LNS-aaa-service-l2tp] ip-pool pool
[LNS-aaa-service-l2tp] quit
      5. Configure the authentication domain and reference the AD server template and authentication scheme.
        [LNS-aaa] domain cce.com
[LNS-aaa-domain-cce.com] service-type l2tp
[LNS-aaa-domain-cce.com] authentication-scheme authentication_ad
[LNS-aaa-domain-cce.com] ad-server ad_server

        To implement user name-based policy control on VPN access users, you must specify the internetaccess parameter.

    3. Configure VT interfaces.

      [LNS] interface Virtual-Template 1
[LNS-Virtual-Template1] ip address 172.16.1.1 24
[LNS-Virtual-Template1] ppp authentication-mode pap
[LNS-Virtual-Template1] remote service-scheme l2tp
[LNS-Virtual-Template1] quit
[LNS] firewall zone dmz
[LNS-zone-dmz] add interface Virtual-Template 1
[LNS-zone-dmz] quit

    4. Configure an L2TP group.

      The tunnel authentication password on the LNS must be the same as that on the SecoClient.

      [LNS] l2tp enable
[LNS] l2tp-group 1
[LNS-l2tp-1] allow l2tp virtual-template 1 remote client domain cce.com
[LNS-l2tp-1] tunnel authentication
[LNS-l2tp-1] tunnel password cipher Hello123
[LNS-l2tp-1] quit

    5. Configure a default route to the Internet. It is assumed that the next-hop address of the route is 1.1.1.2.

      [LNS] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2

    6. Configure interzone security policies on the LNS.

      # Configure interzone security policies between the Trust zone and DMZ to permit the traffic sent by mobile users to access the intranet of the headquarters and the traffic sent by devices on the intranet of the headquarters to mobile users.

      [LNS] security-policy
[LNS-policy-security] rule name service_td
[LNS-policy-security-rule-service_td] source-zone trust
[LNS-policy-security-rule-service_td] destination-zone dmz
[LNS-policy-security-rule-service_td] source-address 10.1.2.0 24
[LNS-policy-security-rule-service_td] destination-address 172.16.1.0 24
[LNS-policy-security-rule-service_td] action permit
[LNS-policy-security-rule-service_td] quit
[LNS-policy-security] rule name service_dt
[LNS-policy-security-rule-service_dt] source-zone dmz
[LNS-policy-security-rule-service_dt] destination-zone trust
[LNS-policy-security-rule-service_dt] source-address 172.16.1.0 24
[LNS-policy-security-rule-service_dt] destination-address 10.1.2.0 24
[LNS-policy-security-rule-service_dt] action permit
[LNS-policy-security-rule-service_dt] quit

      # Configure an interzone security policy from the Untrust zone to the Local zone to permit L2TP packets.

      [LNS-policy-security] rule name l2tp_ul
[LNS-policy-security-rule-l2tp_ul] source-zone untrust
[LNS-policy-security-rule-l2tp_ul] destination-zone local
[LNS-policy-security-rule-l2tp_ul] destination-address 1.1.1.0 24
[LNS-policy-security-rule-l2tp_ul] action permit
[LNS-policy-security-rule-l2tp_ul] quit

      # Configure a security policy for the communication between the LNS and AD server.

      [LNS-policy-security] rule name ad_ld
[LNS-policy-security-rule-ad_ld] source-zone local
[LNS-policy-security-rule-ad_ld] destination-zone dmz
[LNS-policy-security-rule-ad_ld] source-address 10.1.3.0 24
[LNS-policy-security-rule-ad_ld] action permit
[LNS-policy-security-rule-ad_ld] quit

  2. Configure the SecoClient at the mobile user side.
    1. Open the SecoClient and access the home page.

      Select New Connection from the Connect drop-down list.

    2. Set L2TP VPN connection parameters.

      In the New Connection navigation tree, select L2TP/IPSec. Set connection parameters and click OK.

      The tunnel authentication password is Hello123.

    3. Log in to the L2TP VPN gateway.

      1. Select the created L2TP VPN connection from the Connect drop-down list and click Connect.

      2. On the login page, enter the user name and password.

      3. Click Login to initiate a VPN connection request.

        A message on a VPN access success will be displayed on the web UI. After the connection is established, mobile users can access intranet resources as intranet users.

Verification

  1. Mobile users can properly access intranet servers of the headquarters.

  2. Check the L2TP tunnel establishment on the LNS.

    1. Run the display l2tp tunnel command to check L2TP tunnel information. According to the command output, an L2TP tunnel is established successfully.
      [LNS] display l2tp tunnel
L2TP::Total Tunnel: 1 
                      
 LocalTID RemoteTID RemoteAddress    Port   Sessions RemoteName  VpnInstance   
 ------------------------------------------------------------------------------
 2        1         2.2.2.2          61535   1         client                   
 ------------------------------------------------------------------------------
  Total 1, 1 printed

    2. Run the display l2tp session command to check L2TP session information. According to the command output, an L2TP session is established successfully.

      [LNS] display l2tp session
L2TP::Total Session: 1
                      
  LocalSID  RemoteSID  LocalTID   RemoteTID  UserID  UserName    VpnInstance   
 ------------------------------------------------------------------------------
  119       32         2           1         9689    user0001                     
 ------------------------------------------------------------------------------
  Total 1, 1 printed

Configuration Scripts

#
sysname LNS
#
 l2tp enable
 undo l2tp sendaccm enable
 l2tp domain suffix-separator @
#
ad-server template ad_server
 ad-server authentication 10.1.3.2 88 no-ssl
 ad-server authentication base-dn dc=cce,dc=com
 ad-server authentication manager cn=Administrator,cn=users %^%#,C)<BJ^0BH7p/A5cODX0k-%$,_MAC8*D]n-V_,6A%^%#
 ad-server authentication host-name info-server.cce.com
 ad-server authentication ldap-port 389
 ad-server user-filter sAMAccountName
 ad-server group-filter ou
#
ip pool pool
 section 0 172.16.1.2 172.16.1.100
#
aaa
 authentication-scheme authentication_ad
  authentication-mode ad
 service-scheme l2tp
  ip-pool pool
 domain cce.com
  authentication-scheme authentication_ad
  ad-server ad_server
  service-type l2tp
#
l2tp-group l2tpvpn
 tunnel password cipher %$%$(%J>Y.2ajQIcq@N6)$04859Z%$%$
 allow l2tp virtual-template 1 remote client domain cce.com
#
interface Virtual-Template1
 ppp authentication-mode pap
 remote service-scheme l2tp
 ip address 172.16.1.1 255.255.255.0
#
interface GigabitEthernet 0/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet 0/0/2
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet 0/0/3
 undo shutdown
 ip address 10.1.3.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 0/0/3
 add interface Virtual-Template1
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
#
security-policy
 rule name service_td
  source-zone trust
  destination-zone dmz
  source-address 10.1.2.0 mask 255.255.255.0
  destination-address 172.16.1.0 mask 255.255.255.0
  action permit
 rule name service_dt
  source-zone dmz
  destination-zone trust
  source-address 172.16.1.0 mask 255.255.255.0
  destination-address 10.1.2.0 mask 255.255.255.0
  action permit
 rule name l2tp_ul
  source-zone untrust
  destination-zone local
  destination-address 1.1.1.0 mask 255.255.255.0
  action permit
 rule name ad_ld
  source-zone local
  destination-zone dmz
  source-address 10.1.3.0 mask 255.255.255.0
  action permit
Parent Topic: L2TP
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >