@Viktor997

HUAWEI AR. L2TP OVER IPSEC VPN для удаленных пользователей?

Доброго времени суток. Прошу помощи в настройке Huawei AR2204XE. Необходимо настроить связку L2TP over IPsec для удаленного подключения сотрудников компании в локальную сеть. Настраиваю согласно инструкции.

Вопрос:
Проблема в том, что L2TP работает без IPsec, то есть удаленные пользователи(Win10) подключаются даже без и с неправильно указанным pre-shared-key. Хотя на входящем WAN интерфейсе настроен ipsec policy.
Как мне решить проблему с подключением удаленных пользователей?
КОНФИГ
login as: ---
Further authentication required

[Huawei]disp current-configuration
[V200R009C00SPC500]
#
drop illegal-mac alarm
#
clock timezone InternationalDateLineWest minus 12:00:00
#
l2tp enable
#
ipv6
#
vlan batch 4 88 100 103 to 104 108 to 110
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name dot1xmac_authen_profile
authentication-profile name multi_authen_profile
#
ike local-name xp
#
dns resolve
dns proxy enable
#
poe-power utilization-threshold 80
#
dhcp enable
#
bridge 1
#
vlan 4
description uplink
vlan 108
description servers
vlan 109
description GUEST
vlan 110
description webcam
#
radius-server template default
#
pki realm default
#
ssl policy default_policy type server
pki-realm default
version tls1.0 tls1.1
ciphersuite rsa_aes_128_cbc_sha
#
acl name GigabitEthernet0/0/11 2999
#
acl number 3001
rule 5 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.5.0 0.0.0.255

rule 50 permit ip source 192.168.100.0 0.0.1.255
rule 55 deny ip source 192.168.60.0 0.0.0.255
acl number 3002
rule 5 deny tcp destination-port eq 22
rule 15 deny tcp destination-port eq www
rule 35 deny tcp destination-port eq 443
acl number 3003
rule 5 deny udp destination-port eq 1701
rule 6 deny udp destination-port eq 4500
rule 7 deny udp destination-port eq 500
rule 10 permit ip
acl number 3007
rule 5 permit ip
rule 10 permit ip source 0.0.0.0 255.255.255.0
acl number 3008
rule 5 permit ip
acl number 3301

#
ipsec proposal 1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
ipsec proposal prop
encapsulation-mode transport
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal default
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
ike proposal 5
encryption-algorithm aes-128
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer peer1
undo version 2
pre-shared-key cipher %^%#*e(7'!!yJ/4T=,KBJZxYyeZbQi6\((.[lKS7Sd.P%^%#
ike-proposal 5
ike peer xp
undo version 2
exchange-mode aggressive
pre-shared-key cipher %^%#De,;8d:+{:4B(!2WfI(Dn"0K='XH0Z5,+|,YK4%^%#
local-id-type fqdn
#
ipsec policy-template temp1 10
ike-peer peer1
proposal prop
ipsec policy-template xptemp 2
ike-peer xp
proposal 1
#
ipsec policy policy1 10 isakmp template temp1
ipsec policy xp 1 isakmp template xptemp
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
ip pool lns
gateway-list 192.168.60.1
network 192.168.60.0 mask 255.255.255.0
dns-list 8.8.8.8

#
firewall zone untrust
priority 1
#
firewall zone trust
priority 15

#
firewall zone Local
#
firewall interzone trust untrust
firewall enable
packet-filter 3003 inbound
#
firewall defend syn-flood enable
firewall defend udp-flood enable
firewall defend icmp-flood enable
#
interface Dialer1
link-protocol ppp
#
interface Vlanif108
#
interface Virtual-Template1
ppp authentication-mode chap domain l2tp
remote address pool lns
ip address 192.168.60.1 255.255.255.0
l2tp-auto-client enable
#
interface GigabitEthernet0/0/0
description LAN
#
interface GigabitEthernet0/0/0.88
ip address 192.168.88.254 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/0.100
description users
dot1q termination vid 100
ip address 192.168.100.1 255.255.254.0
traffic-filter inbound acl name vlan100
dhcp select interface
dhcp server lease day 10 hour 0 minute 0
dhcp server dns-list 192.168.0.100
#
interface GigabitEthernet0/0/0.103

interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/1.100
#

#
interface GigabitEthernet0/0/10
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0/11
tcp adjust-mss 1200
ip address 81.241.242.86 255.255.255.0
nat outbound 3001
zone untrust
ipsec policy policy1
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
poe legacy enable
poe force-power enable
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15

#
l2tp-group 1
undo tunnel authentication
allow l2tp virtual-template 1
#
info-center loghost 192.168.0.100
info-center timestamp log format-date
#
snmp-agent local-engineid 800007DB03F03F95D89D3B
#
stelnet server enable
#
http secure-server ssl-policy default_policy
http server enable
http secure-server enable
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/11 81.241.242.1

#
fib regularly-refresh disable
#
user-interface con 0
authentication-mode aaa
user-interface vty 0
authentication-mode aaa
user privilege level 15
user-interface vty 1 4
authentication-mode aaa

#
dot1x-access-profile name dot1x_access_profile
#
mac-access-profile name mac_access_profile
#
undo ntp-service enable
#
ops
#
autostart
#
secelog
#
return

Схема, которую необходимо реализовать.5f4611517fcdb683573344.png
  • Вопрос задан
  • 65 просмотров
Решения вопроса 1
@Viktor997 Автор вопроса
Решено:
Исправил в
ike peer policy 1
exchange-mode main
в ike proposal 1
encryption-algorithm 3des
dh group2
authentication-algorithm sha1
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
в ipsec proposal policy1
encapsulation-mode transport
esp authentication-algorithm sha1
esp encryption-algorithm aes-256
в l2tp-group1 добавил
mandatory-chap
Связка L2TP over IPSEC заработала на windows 10, IOS и Android.
Ответ написан
Пригласить эксперта
Ваш ответ на вопрос

Войдите, чтобы написать ответ

Войти через центр авторизации
Похожие вопросы