
Web UI: Example for Configuring L2TP VPN (LDAP Authentication) in the Client-Initiated Scenario

This section provides an example for configuring L2TP VPN in the client-initiated scenario, in which mobile users set up L2TP tunnels directly to the LNS and the LNS works with an LDAP server to authenticate them.

Networking Requirements

On the enterprise network shown in Figure 1, mobile users access intranet resources through L2TP VPN tunnels. The enterprise deploys an LDAP server to perform identity authentication for the mobile users.
Figure 1 Networking where mobile users access intranet resources through L2TP VPN tunnels

Data Planning

LNS

  Interface
    GigabitEthernet 0/0/1: IP address 1.1.1.1/24, security zone Untrust
    GigabitEthernet 0/0/2: IP address 10.1.1.1/24, security zone Trust
    GigabitEthernet 0/0/3: IP address 10.1.3.1/24, security zone DMZ

  L2TP configuration
    User name: user0001
    Password: Password123
    Peer tunnel name: client
    Tunnel authentication password: Hello123
    Address pool: 172.16.1.2 to 172.16.1.100

    NOTE:
    If the intranet server and the address pool are on different network segments, configure a route on the intranet server (or its gateway) to the address pool segment 172.16.1.0/24 that leads to the LNS; otherwise replies to mobile users never reach the L2TP tunnel.

  Parameters for interconnection with the LDAP server
    LDAP server address: 10.1.3.2/24
    Administrator DN: uid=manager_user
    Password: Admin123

Mobile user

  User name: user0001
  Password: Password123
  Tunnel name: client
  Tunnel authentication password: Hello123

Procedure

  1. Configure the LNS.
    1. Configure IP addresses for interfaces and assign the interfaces to security zones.

      1. Choose Network > Interface.
      2. Click the edit icon of GE0/0/1 and set the required parameters.

        Zone: untrust
        IPv4 IP Address: 1.1.1.1/24

      3. Click OK.
      4. Repeat the preceding steps to configure GE0/0/2 and GE0/0/3.

        GE0/0/2: Zone trust, IPv4 IP Address 10.1.1.1/24
        GE0/0/3: Zone dmz, IPv4 IP Address 10.1.3.1/24

    2. Choose Object > Authentication Server > LDAP and configure parameters for interconnecting the LNS and LDAP server.

      For the V600R007C20 version, whether SSL is used for LDAP authentication cannot be set on the web UI; an LDAP server configured there uses no-ssl by default. To enable SSL, click CLI Console in the lower right corner of the web page and, in the corresponding LDAP server template view, run the ldap-server authentication 10.1.3.2 389 ssl command, using the port on which the LDAP server actually accepts SSL connections (many servers listen for LDAPS on 636 rather than 389). SSL must also be enabled on the LDAP server; for details, see the operating system guide of the LDAP server. From V600R007C20SPC100, SSL for LDAP authentication can be enabled on the web UI. The following uses no-ssl as an example. Note that with no-ssl the administrator bind password (Admin123) and the credentials of every mobile user being authenticated are sent to the LDAP server in cleartext across the DMZ segment, so ssl is the setting to use outside a lab.

      If you are not familiar with the parameters of the LDAP server, such as the filter fields, connect to the LDAP server with an LDAP browser (for example, LDAP Browser/Editor) to view the attributes. The mappings between server attributes and LNS parameters used in this example are the ones in the configuration script at the end of this page: server type sun-one, base DN dc=cce,dc=com, user filter uid, group filter ou, and time-stamp filter createTimeStamp.

      Click Test. In the window that is displayed, click Start, enter a test account and password, and click Start Checking to check connectivity to the LDAP server.

      The user name and password used for the test must exist on the LDAP server.
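The Test button performs an LDAP bind with the supplied account. The following script, added to this page as an illustration and not Huawei code, does the same bind from any host with only the Python standard library, so the LNS-to-LDAP leg can be checked independently of the firewall and the effect of the no-ssl setting can be seen on the wire: the bind password is copied verbatim into the BindRequest PDU. It assumes the LDAP server at 10.1.3.2:389 from the data plan and that the page's administrator DN uid=manager_user is the full DN uid=manager_user,dc=cce,dc=com under the script's base DN (the page does not state the full DN); the BindResponse builder exists only to construct PDUs for an offline round-trip check.

```python
"""LDAPv3 simple bind with only the standard library (added example for this page, not Huawei code).

Assumes the LDAP server at 10.1.3.2:389 as in the data plan, and that the page's administrator DN
uid=manager_user is the full DN uid=manager_user,dc=cce,dc=com under the script's base DN (the page
does not give the full DN). use_tls=True wraps the socket in TLS, the equivalent of the ssl keyword.
"""
import socket
import ssl

SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED = 0x30, 0x02, 0x04, 0x0A
BIND_REQUEST, BIND_RESPONSE, SIMPLE_AUTH = 0x60, 0x61, 0x80   # [APPLICATION 0], [APPLICATION 1], simple [0]


def _ber_len(n):
    """BER length octets: short form below 128, long form (0x80 | byte count) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _integer(value, tag=INTEGER):
    """Non-negative INTEGER/ENUMERATED; the extra byte keeps the sign bit clear."""
    return _tlv(tag, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))


def bind_request(message_id, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, authentication simple [0] } }.

    The password is an OCTET STRING copied verbatim into the PDU: with no-ssl it crosses the
    DMZ segment in cleartext, which is the reason to enable ssl on the LDAP server template.
    """
    bind = _integer(3) + _tlv(OCTET_STRING, dn.encode()) + _tlv(SIMPLE_AUTH, password.encode())
    return _tlv(SEQUENCE, _integer(message_id) + _tlv(BIND_REQUEST, bind))


def bind_response(message_id, result_code, diagnostic=""):
    """Server-side BindResponse { resultCode, matchedDN, diagnosticMessage }; used to build test PDUs."""
    op = _integer(result_code, ENUMERATED) + _tlv(OCTET_STRING, b"") + _tlv(OCTET_STRING, diagnostic.encode())
    return _tlv(SEQUENCE, _integer(message_id) + _tlv(BIND_RESPONSE, op))


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data):
    """Decode message id, resultCode (0 success, 49 invalidCredentials) and diagnostic text."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != BIND_RESPONSE:
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(op, 0)
    _, matched, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    return {"message_id": int.from_bytes(mid, "big"), "result_code": int.from_bytes(code, "big"),
            "matched_dn": matched.decode(), "diagnostic": diag.decode()}


def simple_bind(host, port, dn, password, use_tls=False, timeout=5.0):
    """Connect, send one BindRequest and decode the BindResponse (the web UI 'Test' button, by hand)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        ctx = ssl.create_default_context()      # verifies the server certificate; load a private CA if needed
        sock = ctx.wrap_socket(sock, server_hostname=host)
    try:
        sock.sendall(bind_request(1, dn, password))
        data = sock.recv(4096)                   # one BindResponse fits comfortably in a single read
    finally:
        sock.close()
    return parse_bind_response(data)


if __name__ == "__main__":
    print(simple_bind("10.1.3.2", 389, "uid=manager_user,dc=cce,dc=com", "Admin123"))
```

Run it from a host the LDAP server accepts connections from. A result_code of 0 is a successful bind and 49 is invalidCredentials. With use_tls=True the same bind travels inside TLS, which is what the ssl keyword of the ldap-server authentication command selects; the server must then present a certificate the client trusts and listen for TLS on the port given.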

    3. Choose Object > User > Authentication Domain and click Add to create an authentication domain.

      When the LNS uses LDAP server authentication, the authentication domain name configured on the LNS must be the same as that configured on the authentication server. In this example, the domain name on the LDAP server is cce.com. Therefore, the authentication domain name must be set to cce.com on the LNS.

    4. Choose Object > User > cce.com and configure LDAP server authentication. After the configuration is complete, click Apply.

    5. Configure L2TP VPN.

      1. Choose Network > L2TP > L2TP.
      2. In Configure L2TP, select Enable and click Apply.

      3. In L2TP Group List, click Add and set L2TP parameters.

        Set Password to Hello123 (the tunnel authentication password) and set Address/Address Pool to the range 172.16.1.2 to 172.16.1.100. Associated Zone is the security zone of the virtual-template (VT) interface; this example places it in the DMZ, which is why the security policies in step 7 pair the DMZ with the Trust zone. Server Address/Subnet Mask is the address of the VT interface on the LNS (172.16.1.1/24 in the configuration script); it should be on the same network as the address pool. Note that the virtual template uses PPP PAP, which LDAP authentication requires because the LNS forwards the user's password to the LDAP server in its bind request, and that this example configures no IPsec: on an untrusted network the user password crosses the Internet in cleartext unless the L2TP tunnel is carried inside IPsec.

      4. Click OK.

    6. Configure a route to the Internet. It is assumed that the next-hop address of the route is 1.1.1.2.

      1. Choose Network > Route > Static Route.
      2. Click Add and set required parameters.

        Destination Address/Mask

        0.0.0.0/0.0.0.0

        Next Hop

        1.1.1.2

      3. Click OK.

    7. Configure security policies.

      1. Choose Policy > Security Policy > Security Policy.

      2. Click Add. Configure interzone security policies between the Trust zone and the DMZ (the zone of the L2TP virtual-template interface, and therefore of the mobile users) to permit traffic from mobile users to the intranet of the headquarters and from the intranet of the headquarters to mobile users. Click OK.

        Name: service_td
        Source Zone: trust
        Destination Zone: dmz
        Source Address/Region: 10.1.2.0/24
        Destination Address/Region: 172.16.1.0/24
        Action: Permit

        Name: service_dt
        Source Zone: dmz
        Destination Zone: trust
        Source Address/Region: 172.16.1.0/24
        Destination Address/Region: 10.1.2.0/24
        Action: Permit

      3. Click Add. Configure an interzone security policy from the Untrust zone to the Local zone to permit L2TP packets. Click OK.

        In this scenario, the LNS only receives L2TP negotiation packets and does not initiate them towards mobile users, so only the Untrust-to-Local policy is needed; the reply direction is covered by the firewall's session table. As written, the rule admits any protocol and port sent to 1.1.1.0/24. To keep the Local zone exposure minimal, restrict it to the L2TP service (UDP port 1701) and to the LNS address 1.1.1.1 rather than the whole segment.

        Name: l2tp_ul
        Source Zone: untrust
        Destination Zone: local
        Destination Address/Region: 1.1.1.0/24
        Action: Permit

      4. Click Add. Configure an interzone security policy from the Local zone to the DMZ to permit the LDAP packets that the LNS sends to the LDAP server. The LNS initiates the LDAP connection, so no DMZ-to-Local policy is required. Click OK.

        Name: ldap_ld
        Source Zone: local
        Destination Zone: dmz
        Source Address/Region: 10.1.3.0/24
        Action: Permit
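To check what the four rules above actually allow, the following script, added here as an illustration and not Huawei code, parses the security-policy block from the Configuration Scripts section of this page and evaluates constructed sample flows against it with first-match semantics and an implicit final deny, which is how the firewall treats interzone traffic that matches no rule. It also flags permit rules that touch the Local zone without a service restriction: the page's l2tp_ul rule admits any protocol to the LNS, and a narrowed variant is included beside it. The service keyword and the predefined service name l2tp (UDP 1701) in that variant are assumed syntax, and the flows (for example the Internet host 203.0.113.7) are constructed.

```python
"""Evaluate flows against the LNS security policy from this page (added example, not Huawei code).
POLICY_TEXT is the page's security-policy block; the flows are constructed. First match wins and an
unmatched flow is denied, the firewall's default. The service clause in HARDENED_L2TP is assumed syntax.
"""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field

POLICY_TEXT = """\
security-policy
 rule name service_td
  source-zone trust
  destination-zone dmz
  source-address 10.1.2.0 mask 255.255.255.0
  destination-address 172.16.1.0 mask 255.255.255.0
  action permit
 rule name service_dt
  source-zone dmz
  destination-zone trust
  source-address 172.16.1.0 mask 255.255.255.0
  destination-address 10.1.2.0 mask 255.255.255.0
  action permit
 rule name l2tp_ul
  source-zone untrust
  destination-zone local
  destination-address 1.1.1.0 mask 255.255.255.0
  action permit
 rule name ldap_ld
  source-zone local
  destination-zone dmz
  source-address 10.1.3.0 mask 255.255.255.0
  action permit
"""
HARDENED_L2TP = """\
security-policy
 rule name l2tp_ul
  source-zone untrust
  destination-zone local
  destination-address 1.1.1.1 mask 255.255.255.255
  service l2tp
  action permit
"""
SERVICE_PORTS = {"l2tp": ("udp", 1701)}   # predefined service name -> (protocol, port); assumed mapping


@dataclass
class Rule:
    name: str
    source_zones: set = field(default_factory=set)
    destination_zones: set = field(default_factory=set)
    source_addresses: list = field(default_factory=list)
    destination_addresses: list = field(default_factory=list)
    services: list = field(default_factory=list)   # empty means any protocol and port
    action: str = "deny"


Flow = namedtuple("Flow", "src_zone dst_zone src_ip dst_ip proto dport")


def parse_policy(text):
    """Parse 'rule name ...' blocks; keywords not modelled here are ignored."""
    rules, cur = [], None
    for parts in (line.split() for line in text.splitlines()):
        if parts[:2] == ["rule", "name"]:
            cur = Rule(name=parts[2])
            rules.append(cur)
        elif not parts or cur is None:
            continue
        elif parts[0] in ("source-zone", "destination-zone"):
            getattr(cur, parts[0].replace("-", "_") + "s").add(parts[1])        # source_zones / destination_zones
        elif parts[0] in ("source-address", "destination-address") and parts[2] == "mask":
            net = ipaddress.ip_network(f"{parts[1]}/{parts[3]}", strict=False)
            getattr(cur, parts[0].replace("-", "_") + "es").append(net)       # source_addresses / destination_addresses
        elif parts[0] == "service":
            cur.services.extend(SERVICE_PORTS[name] for name in parts[1:])
        elif parts[0] == "action":
            cur.action = parts[1]
    return rules


def _in_nets(nets, ip):
    return not nets or any(ipaddress.ip_address(ip) in net for net in nets)


def matches(rule, flow):
    # An empty rule field matches anything, as on the firewall.
    return ((not rule.source_zones or flow.src_zone in rule.source_zones)
            and (not rule.destination_zones or flow.dst_zone in rule.destination_zones)
            and _in_nets(rule.source_addresses, flow.src_ip)
            and _in_nets(rule.destination_addresses, flow.dst_ip)
            and (not rule.services or (flow.proto, flow.dport) in rule.services))


def evaluate(rules, flow):
    """Return (action, rule name) of the first matching rule, or ('deny', 'default')."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.name
    return "deny", "default"


def open_local_rules(rules):
    """Permit rules that touch the Local zone with no service clause: management-plane exposure."""
    return [r.name for r in rules if r.action == "permit" and not r.services
            and "local" in (r.source_zones | r.destination_zones)]
```

With the page's rules, a mobile user at 172.16.1.5 reaches 10.1.2.10 through service_dt, an Internet host is denied direct access to the Trust zone by the implicit deny, and the same Internet host is permitted to any port on 1.1.1.1 by l2tp_ul; with HARDENED_L2TP only UDP 1701 to 1.1.1.1 gets through and the open-rule check comes back empty.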

  2. Configure the SecoClient at the mobile user side.
    1. Open the SecoClient and access the home page.

      Select New Connection from the Connect drop-down list.

    2. Set L2TP VPN connection parameters.

      In the New Connection navigation tree, select L2TP/IPSec. Set connection parameters and click OK.

      The tunnel authentication password is Hello123.

    3. Log in to the L2TP VPN gateway.

      1. Select the created L2TP VPN connection from the Connect drop-down list and click Connect.

      2. On the login page, enter the user name and password.

      3. Click Login to initiate a VPN connection request.

        The SecoClient displays a message indicating that the VPN connection succeeded. After the connection is established, mobile users can access intranet resources in the same way as intranet users.

Verification

  1. Log in to the LNS and choose Network > L2TP > Monitor to view the monitoring list. You can find that user user0001 has logged in to the device successfully.
  2. Mobile users can access intranet resources properly.

Configuration Scripts

#
sysname LNS
#
 l2tp enable
 undo l2tp sendaccm enable
 l2tp domain suffix-separator @
#
ldap-server template ldap_server
 ldap-server authentication 10.1.3.2 389 no-ssl
 ldap-server authentication manager uid=manager_user %^%#J~Mt<pLyG8m^"c%z_s9J35]4Y`d$JY95bB1M+>B#%^%#
 ldap-server authentication base-dn dc=cce,dc=com
 ldap-server server-type sun-one
 ldap-server group-filter ou
 ldap-server user-filter uid
 ldap-server time-stamp-filter createTimeStamp
#
ip pool pool
 section 0 172.16.1.2 172.16.1.100
#
aaa
 authentication-scheme ldap
  authentication-mode ldap
 service-scheme l2tpSScheme_1497877787064
  ip-pool pool
 domain cce.com
  authentication-scheme ldap
  ad-server ldap_server
  service-type l2tp
  internet-access mode password
  reference user current-domain
#
l2tp-group l2tpvpn
 tunnel password cipher %$%$(%J>Y.2ajQIcq@N6)$04859Z%$%$
 allow l2tp virtual-template 1 remote client domain cce.com
#
interface Virtual-Template1
 ppp authentication-mode pap
 remote service-scheme l2tpSScheme_1497877787064
 ip address 172.16.1.1 255.255.255.0
 alias L2TP_LNS_1
 undo service-manage enable
#
interface GigabitEthernet 0/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet 0/0/2
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet 0/0/3
 undo shutdown
 ip address 10.1.3.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 0/0/3
 add interface Virtual-Template1
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
#
security-policy
 rule name service_td
  source-zone trust
  destination-zone dmz
  source-address 10.1.2.0 mask 255.255.255.0
  destination-address 172.16.1.0 mask 255.255.255.0
  action permit
 rule name service_dt
  source-zone dmz
  destination-zone trust
  source-address 172.16.1.0 mask 255.255.255.0
  destination-address 10.1.2.0 mask 255.255.255.0
  action permit
 rule name l2tp_ul
  source-zone untrust
  destination-zone local
  destination-address 1.1.1.0 mask 255.255.255.0
  action permit
 rule name ldap_ld
  source-zone local
  destination-zone dmz
  source-address 10.1.3.0 mask 255.255.255.0
  action permit
Copyright © Huawei Technologies Co., Ltd.