Answer the question
In order to leave comments, you need to log in
V
V
Viktor9972020-08-26 10:44:09
Viktor997, 2020-08-26 10:44:09
HUAWEI AR. L2TP OVER IPSEC VPN for remote users?
Good day. I ask for help in setting up Huawei AR2204XE. It is necessary to configure L2TP over IPsec for remote connection of company employees to the local network. I set up according to the instructions .
Question:
The problem is that L2TP works without IPsec, that is, remote users (Win10) connect even without and with incorrectly specified pre-shared-key. Although ipsec policy is configured on the incoming WAN interface.
How can I solve the connection problem for remote users?
CONFIG
login as: ---
Further authentication required
[Huawei]disp current-configuration
[V200R009C00SPC500]
#
drop illegal-mac alarm
#
clock timezone InternationalDateLineWest minus 12:00:00
#
l2tp enable
#
ipv6
#
vlan batch 4 88 100 103 to 104 108 to 110
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name dot1xmac_authen_profile
authentication-profile name multi_authen_profile
#
ike local-name xp
#
dns resolve
dns proxy enable
#
poe-power utilization-threshold 80
#
dhcp enable
#
bridge 1
#
vlan 4
description uplink
vlan 108
description servers
vlan 109
description GUEST
vlan 110
description webcam
#
radius-server template default
#
pki realm default
#
ssl policy default_policy type server
pki-realm default
version tls1.0 tls1.1
ciphersuite rsa_aes_128_cbc_sha
#
acl name GigabitEthernet0/0/11 2999
#
acl number 3001
rule 5 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.5.0 0.0.0.255
rule 50 permit ip source 192.168.100.0 0.0.1.255
rule 55 deny ip source 192.168.60.0 0.0.0.255
acl number 3002
rule 5 deny tcp destination-port eq 22
rule 15 deny tcp destination-port eq www
rule 35 deny tcp destination-port eq 443
acl number 3003
rule 5 deny udp destination-port eq 1701
rule 6 deny udp destination-port eq 4500
rule 7 deny udp destination-port eq 500
rule 10 permit ip
acl number 3007
rule 5 permit ip
rule 10 permit ip source 0.0.0.0 255.255.255.0
acl number 3008
rule 5 permit ip
acl number 3301
#
ipsec proposal 1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
ipsec proposal prop
encapsulation-mode transport
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal default
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
ike proposal 5
encryption-algorithm aes-128
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer peer1
undo version 2
pre-shared-key cipher %^%#*e(7'!!yJ/4T=,KBJZxYyeZbQi6\((.[lKS7Sd.P%^%#
ike-proposal 5
ike peer xp
undo version 2
exchange-mode aggressive
pre-shared-key cipher %^%#De,;8d:+{:4B(!2WfI(Dn"0K='XH0Z5,+|,YK4%^%#
local-id-type fqdn
#
ipsec policy-template temp1 10
ike-peer peer1
proposal prop
ipsec policy-template xptemp 2
ike-peer xp
proposal 1
#
ipsec policy policy1 10 isakmp template temp1
ipsec policy xp 1 isakmp template xptemp
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
ip pool lns
gateway-list 192.168.60.1
network 192.168.60.0 mask 255.255.255.0
dns-list 8.8.8.8
#
firewall zone untrust
priority 1
#
firewall zone trust
priority 15
#
firewall zone Local
#
firewall interzone trust untrust
firewall enable
packet-filter 3003 inbound
#
firewall defend syn-flood enable
firewall defend udp-flood enable
firewall defend icmp-flood enable
#
interface Dialer1
link-protocol ppp
#
interface Vlanif108
#
interface Virtual-Template1
ppp authentication-mode chap domain l2tp
remote address pool lns
ip address 192.168.60.1 255.255.255.0
l2tp-auto-client enable
#
interface GigabitEthernet0/0/0
description LAN
#
interface GigabitEthernet0/0/0.88
ip address 192.168.88.254 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/0.100
description users
dot1q termination vid 100
ip address 192.168.100.1 255.255.254.0
traffic-filter inbound acl name vlan100
dhcp select interface
dhcp server lease day 10 hour 0 minute 0
dhcp server dns-list 192.168.0.100
#
interface GigabitEthernet0/0/0.103
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/1.100
#
#
interface GigabitEthernet0/0/10
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0/11
tcp adjust-mss 1200
ip address 81.241.242.86 255.255.255.0
nat outbound 3001
zone untrust
ipsec policy policy1
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
poe legacy enable
poe force-power enable
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
l2tp-group 1
undo tunnel authentication
allow l2tp virtual-template 1
#
info-center loghost 192.168.0.100
info-center timestamp log format-date
#
snmp-agent local-engineid 800007DB03F03F95D89D3B
#
stelnet server enable
#
http secure-server ssl-policy default_policy
http server enable
http secure-server enable
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/11 81.241.242.1
#
fib regularly-refresh disable
#
user-interface con 0
authentication-mode aaa
user-interface vty 0
authentication-mode aaa
user privilege level 15
user-interface vty 1 4
authentication-mode aaa
#
dot1x-access-profile name dot1x_access_profile
#
mac-access-profile name mac_access_profile
#
undo ntp-service enable
#
ops
#
autostart
#
secelog
#
return
Further authentication required
[Huawei]disp current-configuration
[V200R009C00SPC500]
#
drop illegal-mac alarm
#
clock timezone InternationalDateLineWest minus 12:00:00
#
l2tp enable
#
ipv6
#
vlan batch 4 88 100 103 to 104 108 to 110
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name dot1xmac_authen_profile
authentication-profile name multi_authen_profile
#
ike local-name xp
#
dns resolve
dns proxy enable
#
poe-power utilization-threshold 80
#
dhcp enable
#
bridge 1
#
vlan 4
description uplink
vlan 108
description servers
vlan 109
description GUEST
vlan 110
description webcam
#
radius-server template default
#
pki realm default
#
ssl policy default_policy type server
pki-realm default
version tls1.0 tls1.1
ciphersuite rsa_aes_128_cbc_sha
#
acl name GigabitEthernet0/0/11 2999
#
acl number 3001
rule 5 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.5.0 0.0.0.255
rule 50 permit ip source 192.168.100.0 0.0.1.255
rule 55 deny ip source 192.168.60.0 0.0.0.255
acl number 3002
rule 5 deny tcp destination-port eq 22
rule 15 deny tcp destination-port eq www
rule 35 deny tcp destination-port eq 443
acl number 3003
rule 5 deny udp destination-port eq 1701
rule 6 deny udp destination-port eq 4500
rule 7 deny udp destination-port eq 500
rule 10 permit ip
acl number 3007
rule 5 permit ip
rule 10 permit ip source 0.0.0.0 255.255.255.0
acl number 3008
rule 5 permit ip
acl number 3301
#
ipsec proposal 1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
ipsec proposal prop
encapsulation-mode transport
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal default
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
ike proposal 5
encryption-algorithm aes-128
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer peer1
undo version 2
pre-shared-key cipher %^%#*e(7'!!yJ/4T=,KBJZxYyeZbQi6\((.[lKS7Sd.P%^%#
ike-proposal 5
ike peer xp
undo version 2
exchange-mode aggressive
pre-shared-key cipher %^%#De,;8d:+{:4B(!2WfI(Dn"0K='XH0Z5,+|,YK4%^%#
local-id-type fqdn
#
ipsec policy-template temp1 10
ike-peer peer1
proposal prop
ipsec policy-template xptemp 2
ike-peer xp
proposal 1
#
ipsec policy policy1 10 isakmp template temp1
ipsec policy xp 1 isakmp template xptemp
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
ip pool lns
gateway-list 192.168.60.1
network 192.168.60.0 mask 255.255.255.0
dns-list 8.8.8.8
#
firewall zone untrust
priority 1
#
firewall zone trust
priority 15
#
firewall zone Local
#
firewall interzone trust untrust
firewall enable
packet-filter 3003 inbound
#
firewall defend syn-flood enable
firewall defend udp-flood enable
firewall defend icmp-flood enable
#
interface Dialer1
link-protocol ppp
#
interface Vlanif108
#
interface Virtual-Template1
ppp authentication-mode chap domain l2tp
remote address pool lns
ip address 192.168.60.1 255.255.255.0
l2tp-auto-client enable
#
interface GigabitEthernet0/0/0
description LAN
#
interface GigabitEthernet0/0/0.88
ip address 192.168.88.254 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/0.100
description users
dot1q termination vid 100
ip address 192.168.100.1 255.255.254.0
traffic-filter inbound acl name vlan100
dhcp select interface
dhcp server lease day 10 hour 0 minute 0
dhcp server dns-list 192.168.0.100
#
interface GigabitEthernet0/0/0.103
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/1.100
#
#
interface GigabitEthernet0/0/10
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0/11
tcp adjust-mss 1200
ip address 81.241.242.86 255.255.255.0
nat outbound 3001
zone untrust
ipsec policy policy1
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
poe legacy enable
poe force-power enable
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
l2tp-group 1
undo tunnel authentication
allow l2tp virtual-template 1
#
info-center loghost 192.168.0.100
info-center timestamp log format-date
#
snmp-agent local-engineid 800007DB03F03F95D89D3B
#
stelnet server enable
#
http secure-server ssl-policy default_policy
http server enable
http secure-server enable
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/11 81.241.242.1
#
fib regularly-refresh disable
#
user-interface con 0
authentication-mode aaa
user-interface vty 0
authentication-mode aaa
user privilege level 15
user-interface vty 1 4
authentication-mode aaa
#
dot1x-access-profile name dot1x_access_profile
#
mac-access-profile name mac_access_profile
#
undo ntp-service enable
#
ops
#
autostart
#
secelog
#
return
The scheme to be implemented.
1 answer(s)
@Viktor997
V
Viktor997, 2020-08-31 @Viktor997
Solved:
Fixed in
ike peer policy 1
exchange-mode main
in ike proposal 1
encryption-algorithm 3des
dh group2
authentication-algorithm sha1
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
in ipsec proposal policy1
encapsulation-mode transport
esp authentication-algorithm sha1
esp encryption-algorithm aes-256 added
mandatory-chap
to l2tp-group1
L2TP over IPSEC bundle worked on windows 10, IOS and Android.
Similar questions
U
F
G
A
Z
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question