H3C Routers

L2TP over IPsec Configuration Examples

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Contents

Introduction· 1

Prerequisites· 1

Example: Configuring L2TP over IPsec· 1

Network configuration· 1

Software versions used· 1

Procedures· 1

Configuring the LNS· 1

Configuring the LAC· 3

Verifying the configuration· 4

Configuration files· 7

Related documentation· 9

 

Introduction

The following information provides L2TP over IPsec configuration examples.

Prerequisites

The following information applies to Comware 9-based routers. Procedures and information in the examples might be slightly different depending on the software or hardware version of the routers.

The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

The following information is provided based on the assumption that you have basic knowledge of L2TP and IPsec.

Example: Configuring L2TP over IPsec

Network configuration

As shown in Figure 1, Host accesses the LNS-side network through an L2TP tunnel. Configure the network to meet the following requirements:

·     The LAC and LNS automatically set up an L2TP tunnel.

·     The LAC and LNS use IKE to set up an IPsec security tunnel to encrypt the L2TP traffic.

Figure 1 Network diagram

‌

Software versions used

This configuration example was created and verified on R9141P16 of the MSR2630E-X1 device.

Procedures

Configuring the LNS

# Configure local user 1 with the password as 1234.

<LNS> system-view

[LNS] local-user 1 class network

[LNS-luser-network-1] password simple 1234

[LNS-luser-network-1] service-type ppp

[LNS-luser-network-1] quit

# Configure ISP domain system to perform local authentication for PPP users.

[LNS] domain system

[LNS-isp-system] authentication ppp local

[LNS-isp-system] quit

# Enable L2TP.

[LNS] l2tp enable

# Create VT interface 1, and assign IP address 192.168.0.1/24 to the VT interface. Configure the PPP authentication method as PAP on the VT interface, and specify the VT interface to allocate IP address 192.168.0.2 to the PPP client.

[LNS] interface virtual-template 1

[LNS-Virtual-Template1] ip address 192.168.0.1 24

[LNS-Virtual-Template1] ppp authentication-mode pap domain system

[LNS-Virtual-Template1] remote address 192.168.0.2

[LNS-Virtual-Template1] quit

# Create L2TP group 1 in LNS mode, configure the local tunnel name as lns, and specify VT interface 1 for receiving calls from the peer named lac.

[LNS] l2tp-group 1 mode lns

[LNS-l2tp1] tunnel name lns

[LNS-l2tp1] undo tunnel authentication

[LNS-l2tp1] allow l2tp virtual-template 1 remote lac

[LNS-l2tp1] quit

# Configure an ACL.

[LNS] acl number 3000

[LNS-acl-adv-3000] rule permit ip source 10.0.0.2 0 destination 10.0.0.1 0

[LNS-acl-adv-3000] quit

# Configure an IKE keychain.

[LNS] ike keychain l2tp

# Set the pre-shared key to be used for IKE negotiation with peer 10.0.0.1 to abcd.

[LNS-ike-keychain-l2tp] pre-shared-key address 10.0.0.1 key simple abcd

[LNS-ike-keychain-l2tp] quit

# Specify IKE keychain l2tp for IKE profile l2tp.

[LNS] ike profile l2tp

[LNS-ike-profile-l2tp] keychain l2tp

# Set the local ID to IP address 10.0.0.2.

[LNS-ike-profile-l2tp] local-identity address 10.0.0.2

# Configure a peer ID with the identity type of IP address and the value of 10.0.0.1.

[LNS-ike-profile-l2tp] match remote identity address 10.0.0.1

[LNS-ike-profile-l2tp] quit

# Configure an IPsec transform set named l2tp.

[LNS] ipsec transform-set l2tp

# Configure the IPsec transform set to use the 3DES algorithm in CBC mode as the ESP encryption algorithm.

[LNS-ipsec-transform-set-l2tp] esp encryption-algorithm 3des-cbc

# Configure the IPsec transform set to use the MD5 algorithm as the ESP authentication algorithm.

[LNS-ipsec-transform-set-l2tp] esp authentication-algorithm md5

[LNS-ipsec-transform-set-l2tp] quit

# Configure an IPsec policy to use ACL 3000 and IPsec transform set l2tp. Configure the remote IP address for the IPsec tunnel as 10.0.0.1.

[LNS] ipsec policy l2tp 1 isakmp

[LNS-ipsec-policy-isakmp-l2tp-1] security acl 3000

[LNS-ipsec-policy-isakmp-l2tp-1] transform-set l2tp

[LNS-ipsec-policy-isakmp-l2tp-1] ike-profile l2tp

[LNS-ipsec-policy-isakmp-l2tp-1] remote-address 10.0.0.1

[LNS-ipsec-policy-isakmp-l2tp-1] quit

# Assign an IP address to interface GigabitEthernet 1/0/1, which connects to the LAC, and apply an IPsec policy to the interface.

[LNS] interface gigabitethernet 1/0/1

[LNS-GigabitEthernet1/0/1] ip address 10.0.0.2 24

[LNS-GigabitEthernet1/0/1] ipsec apply policy l2tp

[LNS-GigabitEthernet1/0/1] quit

# Assign an IP address to interface GigabitEthernet 1/0/2.

[LNS] interface gigabitethernet 1/0/2

[LNS-GigabitEthernet1/0/2] ip address 15.0.0.1 24

[LNS-GigabitEthernet1/0/2] quit

Configuring the LAC

# Enable L2TP.

<LAC> system-view

[LAC] l2tp enable

# Create L2TP group 1 in LAC mode.

[LAC] l2tp-group 1 mode lac

# Configure the local tunnel name as LAC, and specify LNS IP address 10.0.0.2.

[LAC-l2tp1] tunnel name lac

[LAC-l2tp1] lns-ip 10.0.0.2

[LAC-l2tp1] undo tunnel authentication

[LAC-l2tp1] quit

# Configure an ACL.

[LAC] acl number 3000

# Configure an ACL rule.

[LAC-acl-adv-3000] rule permit ip source 10.0.0.1 0 destination 10.0.0.2 0

[LAC-acl-adv-3000] quit

# Configure a virtual-PPP interface. On the interface, configure the PPP username as 1 and password as 1234, and configure the PPP authentication mode as PAP.

[LAC] interface virtual-PPP 1

[LAC-Virtual-PPP1] ip address ppp-negotiate

[LAC-Virtual-PPP1] ppp pap local-user 1 password simple 1234

[LAC-Virtual-PPP1] quit

# Configure a private network route, so that the packets to the HQ of the company are forwarded through an L2TP tunnel.

[LAC] ip route-static 15.0.0.1 24 Virtual-PPP 1

# Configure an IKE keychain.

[LAC] ike keychain l2tp

# Set the pre-shared key to be used for IKE negotiation with peer 10.0.0.2 to abcd.

[LAC-ike-keychain-l2tp] pre-shared-key address 10.0.0.2 key simple abcd

[LAC-ike-keychain-l2tp] quit

# Specify IKE keychain l2tp for IKE profile l2tp.

[LAC] ike profile l2tp

[LAC-ike-profile-l2tp] keychain l2tp

# Set the local ID to IP address 10.0.0.1.

[LAC-ike-profile-l2tp] local-identity address 10.0.0.1

# Configure a peer ID with the identity type of IP address and the value of 10.0.0.2.

[LAC-ike-profile-l2tp] match remote identity address 10.0.0.2

[LAC-ike-profile-l2tp] quit

# Configure an IPsec transform set named l2tp.

[LAC] ipsec transform-set l2tp

# Configure the IPsec transform set to use the 3DES algorithm in CBC mode as the ESP encryption algorithm.

[LAC-ipsec-transform-set-l2tp] esp encryption-algorithm 3des-cbc

# Configure the IPsec transform set to use the MD5 algorithm as the ESP authentication algorithm.

[LAC-ipsec-transform-set-l2tp] esp authentication-algorithm md5

[LAC-ipsec-transform-set-l2tp] quit

# Configure an IPsec policy to use ACL 3000 and IPsec transform set l2tp. Configure the remote IP address for the IPsec tunnel as 10.0.0.2.

[LAC] ipsec policy l2tp 1 isakmp

[LAC-ipsec-policy-isakmp-l2tp-1] security acl 3000

[LAC-ipsec-policy-isakmp-l2tp-1] transform-set l2tp

[LAC-ipsec-policy-isakmp-l2tp-1] ike-profile l2tp

[LAC-ipsec-policy-isakmp-l2tp-1] remote-address 10.0.0.2

[LAC-ipsec-policy-isakmp-l2tp-1] quit

# Assign an IP address to interface GigabitEthernet 1/0/2.

[LAC] interface gigabitethernet 1/0/2

[LAC-GigabitEthernet1/0/2] ip address 14.0.0.1 24

[LAC-GigabitEthernet1/0/2] quit

# Assign an IP address to interface GigabitEthernet 1/0/1, which connects to the LNS, and apply an IPsec policy to the interface.

[LAC] interface gigabitethernet 1/0/1

[LAC-GigabitEthernet1/0/1] ip address 10.0.0.1 24

[LAC-GigabitEthernet1/0/1] ipsec apply policy l2tp

[LAC-GigabitEthernet1/0/1] quit

# Trigger the LAC to automatically establish an L2TP tunnel.

[LAC] interface virtual-PPP 1

[LAC-Virtual-PPP1] l2tp-auto-client l2tp-group 1

Verifying the configuration

# Display information about L2TP tunnels and sessions on the LAC.

[LAC] display l2tp tunnel

LocalTID RemoteTID State        Sessions RemoteAddress   RemotePort RemoteName

23561    63423     Established  1        10.0.0.2        1701       lns

 

[LAC] display l2tp session

LocalSID    RemoteSID    LocalTID    State

1538        2562         23561       Established

# Display information about L2TP tunnels and sessions on the LNS.

[LNS] display l2tp tunnel

LocalTID RemoteTID State        Sessions RemoteAddress   RemotePort RemoteName

63423    23561     Established  1        10.0.0.1        1701       lac

 

[LNS] display l2tp session

LocalSID    RemoteSID    LocalTID    State

2562        1538         63423       Established

# Display information about IKE SAs and IPsec SAs on the LAC.

[LAC] display ike sa

    Connection-ID   Remote                Flag         DOI

------------------------------------------------------------------

    5               10.0.0.2              RD           IPSEC

Flags:

RD--READY RL--REPLACED FD-FADING RK-REKEY

 

[LAC]display ipsec sa

-------------------------------

Interface: GigabitEthernet1/0/1

-------------------------------

 

  -----------------------------

  IPsec policy: l2tp

  Sequence number: 1

  Mode: isakmp

  -----------------------------

    Tunnel id: 0

    Encapsulation mode: tunnel

    Perfect forward secrecy:

    Path MTU: 1443

    Tunnel:

        local  address: 10.0.0.1

        remote address: 10.0.0.2

    Flow:

    sour addr: 10.0.0.1/255.255.255.255  port: 0  protocol: ip

    dest addr: 10.0.0.2/255.255.255.255  port: 0  protocol: ip

 

    [Inbound ESP SAs]

      SPI: 987342280 (0x3ad9a5c8)

      Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5

      SA duration (kilobytes/sec): 1843200/3600

      SA remaining duration (kilobytes/sec): 1843181/2339

      Max received sequence-number: 319

      Anti-replay check enable: Y

      Anti-replay window size: 64

      UDP encapsulation used for nat traversal: N

      Status: active

 

    [Outbound ESP SAs]

      SPI: 2705574035 (0xa143c893)

      Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5

      SA duration (kilobytes/sec): 1843200/3600

      SA remaining duration (kilobytes/sec): 1843182/2339

      Max sent sequence-number: 301

      UDP encapsulation used for nat traversal: N

      Status: active

 

# Display information about IKE SAs and IPsec SAs on the LNS.

[LNS] display ike sa

    Connection-ID   Remote                Flag         DOI

------------------------------------------------------------------

    1               10.0.0.1              RD           IPSEC

Flags:

RD--READY RL--REPLACED FD-FADING RK-REKEY

 

[LNS] display ipsec sa

-------------------------------

Interface: GigabitEthernet1/0/1

-------------------------------

 

  -----------------------------

  IPsec policy: l2tp

  Sequence number: 1

  Mode: isakmp

  -----------------------------

    Tunnel id: 0

    Encapsulation mode: tunnel

    Perfect forward secrecy:

    Path MTU: 1443

    Tunnel:

        local  address: 10.0.0.2

        remote address: 10.0.0.1

    Flow:

    sour addr: 10.0.0.2/255.255.255.255  port: 0  protocol: ip

    dest addr: 10.0.0.1/255.255.255.255  port: 0  protocol: ip

 

    [Inbound ESP SAs]

      SPI: 2705574035 (0xa143c893)

      Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5

      SA duration (kilobytes/sec): 1843200/3600

      SA remaining duration (kilobytes/sec): 1843181/2300

      Max received sequence-number: 310

      Anti-replay check enable: Y

      Anti-replay window size: 64

      UDP encapsulation used for nat traversal: N

      Status: active

 

    [Outbound ESP SAs]

      SPI: 987342280 (0x3ad9a5c8)

      Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5

      SA duration (kilobytes/sec): 1843200/3600

      SA remaining duration (kilobytes/sec): 1843180/2300

      Max sent sequence-number: 329

      UDP encapsulation used for nat traversal: N

      Status: active

# Verify that the subnet to which Host A belongs can access the external network through the L2TP tunnel.

[LAC] ping -a 14.0.0.1 15.0.0.1

Ping 15.0.0.1 (15.0.0.1) from 14.0.0.1: 56 data bytes, press escape sequence to break

56 bytes from 15.0.0.1: icmp_seq=0 ttl=255 time=0.462 ms

56 bytes from 15.0.0.1: icmp_seq=1 ttl=255 time=0.280 ms

56 bytes from 15.0.0.1: icmp_seq=2 ttl=255 time=0.276 ms

56 bytes from 15.0.0.1: icmp_seq=3 ttl=255 time=0.280 ms

56 bytes from 15.0.0.1: icmp_seq=4 ttl=255 time=0.280 ms

 

--- Ping statistics for 15.0.0.1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.276/0.316/0.462/0.073 ms

[LAC]%Jul  3 14:01:16:689 2013 LAC PING/6/PING_STATIS_INFO: Ping statistics for 15.0.0.1: 5 packet(s) transmitted, 5 packet(

s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.276/0.316/0.462/0.073 ms.

Configuration files

·     LNS:

#

interface Virtual-Template1

 remote address 192.168.0.2

 ip address 192.168.0.1 255.255.255.0

#

interface GigabitEthernet1/0/1

 port link-mode route

 combo enable copper

 ip address 10.0.0.2 255.255.255.0

 ipsec apply policy l2tp

#

interface GigabitEthernet1/0/2

 port link-mode route

 ip address 15.0.0.1 255.255.255.0

#

ip route-static 14.0.0.0 24 192.168.0.2

#

acl number 3000

 rule 0 permit ip source 10.0.0.2 0 destination 10.0.0.1 0

#

domain system

 authentication ppp local

#

local-user 1 class network

 password cipher $c$3$1dZEFYrvdICeeFOnqOoFpzXF8G0dZ+4=

 service-type ppp

 authorization-attribute user-role network-operator

#

ipsec transform-set l2tp

 esp encryption-algorithm 3des-cbc

 esp authentication-algorithm md5

#

ipsec policy l2tp 1 isakmp

 transform-set l2tp

 security acl 3000

 remote-address 10.0.0.1

 ike-profile l2tp

#

l2tp-group 1 mode lns

 allow l2tp virtual-template 1 remote lac

 undo tunnel authentication

 tunnel name lns

#

l2tp enable

#

ike profile l2tp

 keychain l2tp

 local-identity address 10.0.0.2

 match remote identity address 10.0.0.1 255.255.255.255

#

ike keychain l2tp

 pre-shared-key address 10.0.0.1 255.255.255.255 key cipher $c$3$7tvgEkFh6On3KIybUaywz5NDiHtwJqU=

#

·     LAC:

#

interface Virtual-PPP1

 ppp pap local-user 1 password cipher $c$3$i132FpC8DcHeIet4NXtmz6ot44xY8ts=

 ip address ppp-negotiate

 l2tp-auto-client l2tp-group 1

#

interface GigabitEthernet1/0/1

 port link-mode route

 ip address 10.0.0.1 255.255.255.0

 ipsec apply policy l2tp

#

interface GigabitEthernet1/0/2

 port link-mode route

 ip address 14.0.0.1 255.255.255.0

#

acl number 3000

 rule 0 permit ip source 10.0.0.1 0 destination 10.0.0.2 0

#

domain system

 authentication ppp local

#

ipsec transform-set l2tp

 esp encryption-algorithm 3des-cbc

 esp authentication-algorithm md5

#

ipsec policy l2tp 1 isakmp

 transform-set l2tp

 security acl 3000

 remote-address 10.0.0.2

 ike-profile l2tp

#

l2tp-group 1 mode lac

 lns-ip 10.0.0.2

 undo tunnel authentication

 tunnel name lac

#

l2tp enable

#

ike profile l2tp

 keychain l2tp

 local-identity address 10.0.0.1

 match remote identity address 10.0.0.2 255.255.255.255

#

ike keychain l2tp

 pre-shared-key address 10.0.0.2 255.255.255.255 key cipher $c$3$3ErJJ2M1lhES32CdsR3ofs5CdLvPJGk=

#

Related documentation

·     Layer 2—WAN Access Configuration Guide in H3C MSR1000[2600][3600] Routers Configuration Guides (V9)

·     Layer 2—WAN Access Command Reference in H3C MSR1000[2600][3600] Routers Command References (V9)

·     Security Configuration Guide in H3C MSR1000[2600][3600] Routers Configuration Guides (V9)

·     Security Command Reference in H3C MSR1000[2600][3600] Routers Command References (V9)