Multi-vendor *** Series 17: Huawei AR series routers implement L2TP over IPsec *** [including Huawei software

Objectives

1. Implement L2TP over IPsec by configuring the router [including the Microsoft and Huawei software clients].
2. Master the client settings.
3. The configuration method for pure L2TP.

One, router configuration

1. L2TP address pool
#
ip pool l2tp
 gateway-list 192.168.222.1
 network 192.168.222.0 mask 255.255.255.0


2. L2TP *** configuration
#
interface Virtual-Template0
 ppp authentication-mode chap
 remote address pool l2tp
 ip address 192.168.222.1 255.255.255.0
#
l2tp-group 1
 undo tunnel authentication
 allow l2tp virtual-template 0

3. Create the L2TP user
#
local-user test password cipher %$%$'iR,%phm-R~uA@8JW5m@3dt}%$%$
 local-user test privilege level 15
 local-user test service-type ppp

4. Create an ACL that matches the traffic IPsec will encrypt (L2TP control and data use UDP port 1701)
acl number 3001
 rule 5 permit udp source-port eq 1701

5. IPsec configuration
#
ipsec proposal 1
#
ike proposal 1
#

Note: for the IKE peer it is best to use IKEv1 with aggressive mode. I started with IKEv2 and found that the phase 1 IKE SA could not be established. It is also best to enable NAT traversal, because in a typical real-world environment the computers reach the Internet through NAT.

Configuration for the Huawei client:
ike peer xdhg2 v1
 exchange-mode aggressive
 pre-shared-key simple huawei
 local-id-type name
 nat traversal (enables the NAT traversal function)

For the Microsoft client, only pre-shared-key simple huawei and nat traversal are required, because the Microsoft client uses main mode by default.
#
ipsec policy-template xdhg_t 1
 security acl 3001
 ike-peer xdhg2
 proposal 1
#
ipsec policy xdhg 1 isakmp template xdhg_t
#
6. Apply the IPsec policy to the WAN interface
interface Ethernet0/0/8
 tcp adjust-mss 1200
 ip address XXXX 255.255.255.0
 ipsec policy xdhg
 nat outbound 2999
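The policy template ties the ACL, the IKE peer and the proposal together by name, and the policy itself only takes effect once it is bound to an interface, so a wrong name in any of these steps is easy to miss by eye. As an added example (not part of the original article), this Python checker parses a Huawei-style configuration, here the article's own IPsec section embedded as a constructed sample, and reports dangling references, a peer without nat traversal, a pre-shared key stored with simple (cleartext in the saved configuration, unlike cipher), and a policy that is not applied on any interface.

```python
# Constructed sample in Huawei config layout: the IPsec part of this article's router config.
SAMPLE_CONFIG = """\
acl number 3001
 rule 5 permit udp source-port eq 1701
#
ike peer xdhg2 v1
 pre-shared-key simple huawei
 nat traversal
#
ipsec policy-template xdhg_t 1
 security acl 3001
 ike-peer xdhg2
#
ipsec policy xdhg 1 isakmp template xdhg_t
#
interface Ethernet0/0/8
 ipsec policy xdhg
"""

def parse_sections(text):
    """Split Huawei config text into (header, [sub-commands]); a bare '#' ends a section."""
    sections = []
    for line in text.splitlines():
        if line.startswith(" ") and sections:
            sections[-1][1].append(line.strip())
        elif line.strip() and line.strip() != "#":
            sections.append((line.strip(), []))
    return sections

def audit_l2tp_ipsec(text):
    """Findings: dangling ACL/ike-peer references, missing NAT-T, cleartext PSK, unapplied policy."""
    secs = parse_sections(text)
    acls = {h.split()[2] for h, _ in secs if h.startswith("acl number ")}
    peers = {h.split()[2]: b for h, b in secs if h.startswith("ike peer ")}
    applied = {l.split()[2] for _, b in secs for l in b if l.startswith("ipsec policy ")}
    findings = []
    for header, body in secs:
        if header.startswith("ipsec policy-template "):
            name = header.split()[2]
            for line in body:
                kw, _, arg = line.partition(" ")
                if kw == "security" and arg.split()[-1] not in acls:
                    findings.append(f"{name}: references missing {arg}")
                elif kw == "ike-peer" and arg not in peers:
                    findings.append(f"{name}: references missing ike peer {arg}")
                elif kw == "ike-peer":
                    if "nat traversal" not in peers[arg]:
                        findings.append(f"{arg}: nat traversal not enabled")
                    if any(l.startswith("pre-shared-key simple") for l in peers[arg]):
                        findings.append(f"{arg}: pre-shared-key stored in cleartext")
        elif header.startswith("ipsec policy ") and header.split()[2] not in applied:
            findings.append(f"{header.split()[2]}: policy not applied on any interface")
    return findings
```

Run it against the output of display current-configuration before dialing; an empty list apart from the cleartext-key note means every name in the chain resolves.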

Two, client configuration

The client uses the Huawei HUAWEI *** Client_V100R001C02SPC701.exe software.

[screenshots: image002.jpg, image003.jpg]

Fill in the IP address of the LNS and the L2TP *** account name and password.

[screenshot: image004.jpg]

The authentication mode here must match ppp authentication-mode chap under interface Virtual-Template0; also check Enable IPSEC.

[screenshot: image005.jpg]

The settings here must be consistent with the IPsec proposal in use. Check the configuration on the router first and fill in the same values:
display ipsec proposal name 1
IPSec proposal name: 1
Encapsulation mode: Tunnel
Transform: esp-new
ESP protocol: Authentication MD5-HMAC-96
Encryption DES

[screenshot: image006.jpg]

The settings here must match the IKE proposal and IKE peer in use. Check the configuration on the router first and fill in the same values:
display ike proposal number 1
-------------------------------
IKE Proposal: 1
Authentication method: pre-shared
Authentication algorithm: SHA1
Encryption algorithm: DES-CBC
DH group: MODP-768
SA duration: 86400
PRF: PRF-HMAC-SHA
-------------------------------
-------------------------------
Peer name: xdhg2
Exchange mode: aggressive on phase 1
Pre-shared-key: huawei
Local ID type: Name
DPD: Disable
DPD mode: Periodic
DPD idle time: 30
DPD retransmit interval: 15
DPD retry limit: 3
Host name:
Peer IP address:
*** name:
Local IP address:
Local name:
Remote name:
NAT-traversal: Enable
Configured IKE version: Version one
PKI realm: NULL
Inband OCSP: Disable
-------------------------------

After the settings are done, start dialing.

[screenshot: image007.jpg]

Enable debugging on the router and watch the IKE SA and IPsec SA negotiation start.

[screenshot: image008.jpg]

Haha, both phases of the IKE SA are OK.

[screenshot: image009.jpg]

The IPsec SA is also OK; note that NAT traversal is enabled as well.

[screenshot: image010.png]

Ping an intranet IP, and it works.

[screenshot: image011.jpg]

I captured the traffic and found that the packets have been encapsulated and encrypted by ESP, haha.

[screenshot: image012.jpg]

Supplement: how to define the connection in the Microsoft client [this only shows how to create the connection and is independent of the configuration above; adjust the address and key parameters to match what you defined yourself]

[screenshots: image013.png, image014.png, image015.png, image016.png, image017.png, image018.png]

Three, pure L2TP configuration

1. L2TP address pool
#
ip pool l2tp
 gateway-list 192.168.222.1
 network 192.168.222.0 mask 255.255.255.0

2. L2TP *** configuration
#
interface Virtual-Template0
 ppp authentication-mode chap
 remote address pool l2tp
 ip address 192.168.222.1 255.255.255.0
#
l2tp-group 1
 undo tunnel authentication
 allow l2tp virtual-template 0

3. Create the L2TP user
#
local-user test password cipher %$%$'iR,%phm-R~uA@8JW5m@3dt}%$%$
 local-user test privilege level 15
 local-user test service-type ppp

[screenshots: image019.png, image020.png, image021.png, image022.png, image023.png, image024.png, image025.png]

This article is reproduced in the public account: Network Road Blog


Origin blog.51cto.com/ccieh3c/2659649